norm. threat bulletin: 15th November 2023

Norm threat bulletin

A precedented rise in “Quishing”

The world of cyber security has a way of taking something as simple as a QR code and turning it into a sneaky weapon of choice for cyber criminals. Yes, you heard that right, we are talking about “quishing” – a term that is as playful as it is sinister, blending the worlds of QR codes and phishing.

QR (Quick Response) codes, those little pixelated boxes that seem harmless, have been all the rage for a while now. They are like the celebrities of the tech world, showing up on posters, restaurant menus, and even business cards. They are magic portals to information, and all you need to do is whip out your smartphone, aim its camera at the code, and voila! You are taken to a website, shown a fascinating video, or even logged into your favourite instant messaging application – ready to send a message.

The most common use of QR codes is to link people to websites, making it simple for companies to share their online presence with the world. Want to check out the blog on explaining cyber threats on our website? Just scan this code below!

Figure 1: QR code leading to Norm’s Cyber Threats blog post.

As we have all come to learn from spy movies and cyberthrillers, anything innocent can be exploited. That is where the quishing adventure begins. We at norm. have been on the case, and we have come across a whole new layer to phishing attempts. In these campaigns, malicious actors use QR codes to lure you into their web of deception. They might send you an email that promises you something enticing – like a government grant or a reward for your patience in waiting for your long-lost Royal Mail parcel to arrive. Tempting, right? They are aware that curiosity killed the cat, and they are anticipating it. You get the email; your eyes widen and your heart races at the thought of free money or the satisfaction of a package finally reaching its destination. You reach for your smartphone eager to scan that mysterious QR code that promises so much.

But little do you know, the QR code is not your golden ticket; it is a one-way portal into the adversary’s playground. Once scanned, your mobile device becomes a window to their nefarious plans. Your personal information is suddenly at risk, and you have been tricked without even realising it. In a world where even the humble QR code can be weaponised, it is essential to approach these with caution. They might lead you to interesting places, but they could also take you down the rabbit hole of your personal information being compromised. Even official documentation can be altered by a simple sticker placed over an existing QR code. In the end, the lesson here is simple: when it comes to QR codes, a little scepticism can go a long way. Stay curious, but not too curious.

By utilising norm.’s Cyber Safety and Phishing module, you can help protect yourself and your organisations data by being aware of the tactics used by malicious actors to gain your trust and ultimately your data.

Explained: Quishing (MalwareBytes Lab)
New Parking QR Scam (Staffordshire County Council).
How to Stop Scammers from Skimming Parking Payments with Fake QR Codes (PremiumParking)

FIRST announces new CVSS 4.0 scoring system

After eight long years of solid work, CVSS 3.0 has a successor, and its name is CVSS 4.0. The longstanding scoring system CVSS has been a mainstay for vulnerability assessment since its inception in 2005, and with 4.0, this is unlikely to change. This was first announced and released on 1st November 2023 by the Forum of Incident Response and Security Teams (FIRST), along with a full specification document for the newly announced version.

The Critical Vulnerability Scoring System (CVSS) is an immensely powerful methodology that allows for the assessment and scoring of security vulnerabilities while providing an easy-to-understand value denoting the severity of said vulnerability. The CVSS asks for multiple inputs including the attack vector, the complexity, the availability, the scope, etc. which it will use to assign a numerical value to the vulnerability out of 10. This numerical value can also be used to translate the severity into multiple categories (low, medium, high, critical). Essentially, this system can allow organisations to easily determine which vulnerabilities to prioritise in their vulnerability management process using numerical values and categories.

In 2019, CVSS 3.0 received a core update to 3.1, a first for the CVSS throughout all its iterations. This update aimed to emphasize and clarify that the CVSS is a system designed to measure vulnerability severity in conjunction with other methods rather than something to be used standalone. This update however attracted criticism regarding its granularity in the scale, and also due to the lack of representation for industrial, human safety, and health control systems it contained.

CVSS version 4.0 aims to address these criticisms head-on by providing several new sub-metrics for vulnerability assessment including Safety, Automatable, Recovery, Value Density, Vulnerable Response Effort, and Provider Urgency. The new system also introduces new ways to enumerate CVSS scores using a combination of Base, Base and Threat, Base and Threat and Environment.

In the initial announcement, FIRST stated that this new CVSS 4.0 version is to “reinforce the concept that CVSS is not just the Base score.” They also stated that “The CVSS Base Score should be supplemented with an analysis of the environment (Environmental Metrics), and with attributes that may change over time (Threat Metrics).”

CVSS Version 4.0 has officially launched into General Availability (GA) as of 1st November 2023 following public preview and feedback collection.

By utilising norm.’s Vulnerability Patch Management module, customers can ensure they are protected against vulnerabilities disclosed via vendor bug bounty programs.

First Announces CVSS 4.0 – TheHackerNews
CVSS 4.0 Specification Document (FIRST)
CVSS V4 Is Now Live and What Do You Need to Know (Qualys)u-need-to-know
CVSS 4.0 What You Need to Know (

LockBit ransomware hits large airline

Boeing, a major aerospace company, fell victim to the LockBit ransomware group, leading to the exposure of over 43GB of files. Prior warnings from LockBit about the data release, including a threat to disclose a 4GB sample, went unheeded by Boeing.

Following Boeing’s refusal to pay the ransom, LockBit released a trove of data on November 10. This included configuration backups, monitoring tool logs, and Citrix appliance backups, raising concerns about potential exploitation of the Citrix Bleed vulnerability.

Despite acknowledging the cyber attack, Boeing remained tight-lipped about the breach details. LockBit, a persistent ransomware-as-a-service operation with a history of over four years, has targeted various sectors globally, extorting around $91 million in the U.S. alone, according to government reports. The group’s international reach was underscored by a phishing campaign in Spain, targeting architecture firms.

Last year, LockBit emerged as the most widespread ransomware variant globally, maintaining its prolific activity into 2023. Since January 2020, LockBit affiliates have targeted organisations of diverse sizes in critical infrastructure sectors such as finance, agriculture, education, energy, government, healthcare, manufacturing, and transportation.

Operating under a Ransomware-as-a-Service (RaaS) model, the LockBit ransomware operation recruits affiliates to execute attacks using its tools and infrastructure. The decentralised nature of this operation results in significant variations in tactics, techniques, and procedures (TTPs) among different affiliates, posing a substantial challenge for organisations striving to secure their networks against ransomware threats.

LockBit claimed the title of the most active global ransomware group and RaaS provider, boasting the highest number of victims on its data leak site. An RaaS cyber crime group, LockBit maintains a specific ransomware variant’s functionality, sells access to it, and supports affiliates in deploying the ransomware, typically in exchange for upfront payments, subscription fees, a share of profits, or a combination of these.

norm. recommends that organisations utilize a robust endpoint protection solution that includes advanced malware detection and prevention features. EDR solutions, like Threat Detection & Response from norm. fall into this category, providing real-time monitoring and response capabilities.

Boeing Data being Leaked by Lockbit Ransomware Gang (Dig)
Boeing confirms cyberattack amid LockBit ransomware claims (Bleeping Computer)
Understanding Ransomware Threat Actors: LockBit (CISA)

Get norm.’s threat bulletin direct to your inbox

norm. tracks and monitors the latest security trends and cyber threats and collates these into a fortnightly threat bulletin.

You can receive this bulletin for free, every fortnight, by entering your business email address below: