Request Information
Ready to find out what MSU Denver can do for you? We’ve got you covered.
Highlights
Apply for an ISSA Education Foundation Scholarship
Multiple scholarships are being offered by the ISSA Education Foundation for current and future Cybersecurity professionals.
Scholarships for undergraduate studies range from $2,000 to $3,500 and the window for applications closes June 15th, at the latest.
Upcoming CMUTE Live-Fire Event
The Cybersecurity Center is hosting our next live-fire training event in June.
If you are interested in the opportunity to experience a virtual hack in a live environment please fill out our contact form and be sure the reference “June Live-Fire” in your message. Final dates will be shared with qualified candidates.
We will not be able to respond to each application individually but appreciate your interest if you decide to apply!
Kickstart Your Cybersecurity Career with Centurion Secured
Dive into the thrilling world of cybersecurity and build skills that will set you apart in the tech industry with Centurion Secured.
Responsibilities:
- Monitor and Defend: Gain invaluable experience by providing essential cybersecurity monitoring services for real-world customers.
- Analyze and Act: Work with streaming data, evaluate alerts, and develop critical skills as you investigate and respond to potential security threats.
- Ticketing and Escalation: Master the art of writing and escalating tickets for alerts that demand further action, honing your analytical and problem-solving skills.
Outcomes:
- Real-World Impact: Contribute to protecting real-world systems and networks, making a difference for customers.
- Skill Development: Sharpen your technical skills and gain a deep understanding of security operations.
- Resume Boost: Stand out to future employers with hands-on experience and demonstrated expertise in a high-demand field.
To get started, email your interest to [email protected]
Dive into the thrilling world of cybersecurity and build skills that will set you apart in the tech industry with Centurion
Current Events
ResolverRAT Targeting Pharmaceutical and Healthcare Organizations
Cybersecurity firm Morphisec has issued a warning about a new malware strain called ResolverRAT, which has been seen recently in attacks on healthcare and pharmaceutical organizations.
Remote Access Trojans [RATs] are a type of malware disguised as legitimate software designed to give hackers unauthorized access to a victim’s computer. This access can take the form of viewing, modifying, deleting files; monitoring device activity such as keystrokes, screen content, webcam, or mic; and installing more malware to further compromise the system.
ResolverRAT is very advanced, using in-memory execution, layered evasion techniques, and runtime resolution mechanisms. It spreads through phishing emails, often referencing legal or copyright issues.
Once a user clicks the link and downloads the file, ResolverRAT runs through a process called DLL hijacking to infect the system. It’s payload is compressed and encrypted with AES-256. One decrypted, it stays hidden by existing only in memory
Learn more about how ResolverRAT works and what it’s being used to do Here.
CVE Program Cuts; MITRE Extended 11 Months
The Cybersecurity and Infrastructure Security Agency [CISA] has extended its government contract with MITRE for another 11 months, after nearly allowing its contract with MITRE to maintain the Common Vulnerabilities and Exposures [CVE] and related programs to expire on April 16th.
One such related program includes the Common Weakness Enumeration [CWE] program, that lists software and hardware weaknesses, helping organizations and individuals understand and address vulnerabilities at a deeper, structural level. The CWE program highlights known flaws in software design, implementation, and configuration, and presents it all to create a roadmap for improving security practices and reducing or mitigating future risk.
Meanwhile, the CVE program focuses on identifying, defining, and cataloging publicly disclosed cybersecurity vulnerabilities. Each CVE entry contains standardized information on a specific vulnerability including its severity, affected systems, and mitigation strategies. This allows for professionals to assess the relevance of known vulnerabilities in their environment, prioritize patching and updates, and stay informed of the latest disclosed threats.
Both of these programs make it easier to manage and understand vulnerabilities, facilitating faster identification of weaknesses, improved risk management, and contributes immensely to broader cybersecurity community by sharing this important knowledge. The widespread use of these programs underscore their importance, described in a LinkedIn post by former CISA director Jen Easterly as the “Dewey Decimal System for cybersecurity.”
Moving forward, MITRE may need to get funding from the private sector, a possibility the CVE board has already been working on for over a year—starting a new CVE Foundation to supply it.
AI Facilitates More Believable Scams, Some Tips from ZDNET to Avoid Them
Generative AI has made it much easier to create convincing text and images, which threat actors have been able to successfully leverage in their workflows.
Microsoft’s Cyber Signals Report discloses a sharp rise in AI-powered scams, identifying two major attack vectors:
- E-commerce fraud: fake websites that are eerily similar to legitimate ones, featuring AI-generated content such as images, product descriptions, and reviews.
- Job and employment fraud: fake listings across job platforms use generated content, with some also using phishing campaigns facilitated by AI.
Featured Exploit
DKIM Replay Attack Used to Spoof Google
Threat actors have pulled off a convincing scam by spoofing Google using a DKIM Replay Attack. DomainKeys Identified Mail [DKIM] is an email security standard designed to prove that an email comes from the claimed sender’s domain and hasn’t been tampered with. It works by giving specific headers and the body of the message a digital signature- generated with the sender’s private key- at the time it’s sent.
The malicious email came from a real Google address, passed the standard DKIM, DMARC, and SPF security checks, had no typos, and contained no suspicious links. The email claimed a law enforcement subpoena needed access to the user’s Google Account, linking to a Google Sites page designed to mimic a Google support portal. This Sites page is where they were able to harvest credentials—if their target clicked a button, waited to be redirected to a fake Google login page, and entered their Google Account credentials to log in when prompted.
How the Attack Worked
- Create Google account and a Google OAuth Application
The threat actor created a new Google account “me@<domain>” and used it to register a Google OAuth account—naming the app with the full phishing message itself.
Next, they granted their OAuth app access to their new account—which generated the ‘Security Alert’ message from Google. This system-generated email came from Google and was DKIM-signed. - Copy a legitimate Google email
The threat actor saved the headers and content of the email they generated. Since they didn’t modify anything signed by the DKIM, it remained intact. - Forward the email from Outlook
The threat actor replays the signed message by forwarding the same email from Outlook. Forwarding a message doesn’t change the DKIM signature, allowing it to bypass security filters, and creating the appearance that the email comes from the real Google email address “[email protected]”. It also still passed DMARC checks—making it look legitimate to filters. - Relay message through Jellyfish SMTP
The email passed through Microsoft and was relayed to Jellyfish SMTP [Simple Mail Transfer Protocol], helping to further obscure its true origin. - Forward message through Namecheap’s PrivateEmail
The email passed to Namecheap’s PrivateEmail, making use of their mail forwarding service. A new DKIM signature is added to the email. This is likely why the email will have a “Signed by” header from Google, but a “Mailed by” header from “fwd-04-1.fwd.privateemail[.]com”. - Deliver email to target Google Account user through Gmail
The spoofed email is delivered to the target’s Gmailinbox, put in the same conversation as other- real- security alerts, and is shown in Gmail without any warnings.
As a result of the threat actor naming their account “me@<domain>”, they manage to trick Gmail into showing that the message was sent to “me” at the top of the message. - Leverage sites.google[.]com to harvest credentials
The email contained a link to a sites.google[.]com page that imitated the actual Google Support page. Clicking any button on the page redirected the user to a fake Google Account sign-in page. This fraudulent sign-in page was used to harvest credentials to real Google Accounts. If the user “signed in”, they inadvertently gave their Google Account credentials to the threat actor.
Lessons Learned
Phishing attempts often create urgency, fear, or appeal to authority to seem more credible. If an email seems unusual or triggers a strong emotional response, don’t click any links—pause, review it carefully, verify the source, or report it.
Contact Us
Get in TouchFor any inquires, please reach out to the Cybersecurity Center using our contact form and we will respond as quickly as we are able