PRESS RELEASE

TAMPA BAY, Fla., June 12, 2024 /PRNewswire-PRWeb/ -- KnowBe4, provider of security awareness training and simulated phishing platform, today announced its new Risk & Insurance Partner Program. This strategic program empowers partners to reduce their overall risk posture by referring their clients to the award-winning KnowBe4 platform, which addresses the human element of cybersecurity.

According to Coalition's 2024 Cyber Claims Report, the frequency of claims from 2021 through 2023 has increased 13% year-over-year with the average claim increasing 10% over the same period. KnowBe4 has partnered closely with cyber risk market leaders for years to raise awareness for the critical human layer in a defense-in-depth strategy. This new program will strengthen our collective efforts, scale the number of partners KnowBe4 has in the risk space, and further reward these partners for their investment.

Key benefits of the program include:   
Exclusive Discounts: Partners can gain a competitive edge by accessing exclusive KnowBe4 pricing for the customers they refer.

"Cyberattacks are increasing in both severity and frequency, impacting organizations of all sizes across all sectors," said Stu Sjouwerman, CEO, KnowBe4. "We are excited to announce this new partnership framework to combine KnowBe4's best-in-class platform with partners' cyber risk and insurance expertise to help better protect customers against these attacks."

"Our cyber insurance partners bring deep expertise in assessing and managing cyber risk," said Prashant Pai, EVP, global head of business development, KnowBe4. "Our ability to monitor and measure detailed human risk information aligns perfectly with our partners' underwriting approach. KnowBe4 leads the market in mitigating the human element associated with cyber risk. These partnerships are a natural fit to better protect customers from rapidly evolving cyber threats."

The KnowBe4 Risk & Insurance Partner Program is open to insurance agencies, brokers, risk pools and other risk management providers globally. For more information or to connect with the partnership team, please visit https://www.knowbe4.com/partners/cyber-risk.

About KnowBe4

KnowBe4, the provider of the world's largest security awareness training and simulated phishing platform, is used by more than 65,000 organizations around the globe. Founded by IT and data security specialist Stu Sjouwerman, KnowBe4 helps organizations address the human element of security by raising awareness about ransomware, CEO fraud and other social engineering tactics through a new-school approach to awareness training on security. The late Kevin Mitnick, who was an internationally recognized cybersecurity specialist and KnowBe4's Chief Hacking Officer, helped design the KnowBe4 training based on his well-documented social engineering tactics. Organizations rely on KnowBe4 to mobilize their end users as their last line of defense and trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

You May Also Like

KnowBe4 Launches Risk &amp; Insurance Partner Program

PRESS RELEASE

MINNEAPOLIS, June 13, 2024 /PRNewswire/ -- NetSPI, the proactive security solution, today announced its acquisition of Hubble Technology Inc. ("Hubble"), a Northern Virginia-based cyber asset attack surface management (CAASM) and cybersecurity posture management solution. The integration of Hubble's Asset Intelligence™ and CAASM product, Aurora™, into The NetSPI Platform will empower security teams to achieve complete visibility of their rapidly evolving attack surfaces and tackle asset and exposure management challenges.

Hubble's agentless CAASM platform enables organizations to continuously identify new assets and risks, remediate security control blind spots, and gain a holistic view of their security posture by providing an accurate inventory of cyber assets, both external and internal. Hubble was founded in 2020 with the backing of Accel, CrowdStrike Falcon Fund, and Paladin Capital. The company's Founder, Tom Parker, will join NetSPI as Chief Technology Officer (CTO).

According to Forrester's The Attack Surface Management Solutions Landscape, Q2 2024, "External attack surface management (EASM) vendors tend to use the external discovery scans as a jumping-off point for managing exposures, while CAASM vendors provide more context on the asset and its controls. Both are crucial foundations for teams to better prioritize and remediate security gaps."

With the acquisition of Hubble, NetSPI will deliver both EASM and CAASM capabilities within The NetSPI Platform to continuously discover, prioritize, and remediate vulnerabilities and exposures across the entire IT asset estate – from the cloud to bring-your-own-device (BOYD) and industrial control environments. This will also significantly enhance and accelerate NetSPI's ability to accurately prioritize risk associated with assets and vulnerabilities in customer networks and help them assess the exposure to their most important assets relative to these risks.

"This acquisition is one of the most notable milestones on our journey from point-in-time pentesting to technology-enabled proactive security," said Aaron Shilts, CEO at NetSPI. "You can't secure what you don't have visibility into. We support the most trusted brands on Earth giving them visibility into external/cloud assets and exposures. With Hubble's CAASM solution, we can provide comprehensive, 360-degree visibility while delivering telemetry and insights across the entire IT estate. We are thrilled to welcome Tom and Hubble to team NetSPI and look forward to the expertise he will bring as our new CTO driving innovation across our products."

As CTO, Tom will drive business growth through innovation across NetSPI's proactive security solutions and partner with customers to keep pace with the ever-changing technology and threat landscapes. Prior to forming Hubble, Tom was CTO at Accenture Security, leading growth strategy and M&A. He joined Accenture Security through the sale of his prior startup, FusionX, which was an early pioneer in commercial cybersecurity red teaming.

"The security industry notoriously creates siloed solutions that only address a small part of the problem. That's not the case with NetSPI," shared Tom Parker, Founder of Hubble and NetSPI CTO. "For the first time, with the introduction of CAASM, security leaders will have a holistic end-to-end view of their security posture in a single platform. I am delighted to join this proactive security powerhouse as their new CTO, helping customers reduce risk, drive efficiency, and strengthen the confidence that their security platforms represent a full picture of their environment."

NetSPI customers can expect to see CAASM within The NetSPI Platform later this year. To learn more about the CAASM solution, reach out at www.netspi.com/contact or visit www.netspi.com/caasm.

Join Aaron and Tom on July 17 for a live webcast where they will showcase Hubble's technology and discuss the importance of bringing EASM and CAASM together to achieve holistic attack surface management. Register today.

About NetSPI  
NetSPI is the proactive security solution used to discover, prioritize, and remediate security vulnerabilities of the highest importance, so businesses can protect what matters most.  

Leveraging a unique combination of dedicated security experts, intelligent process, and advanced technology, NetSPI helps security teams take a proactive approach to cybersecurity with more clarity, speed, and scale than ever before.

By continually advancing solutions such as Penetration Testing as a Service (PTaaS), Attack Surface Management (ASM), and Breach and Attack Simulation (BAS), NetSPI goes beyond the noise to deliver high impact results and recommendations based on business needs, so customers can protect their priorities, perform better, and innovate with confidence.

NetSPI secures the most trusted brands on Earth, including nine of the top 10 U.S. banks, four of the top five leading cloud providers, three of the five largest healthcare companies, four MAMAA Big Tech companies, seven of the top 10 U.S. retailers & e-commerce companies, and many of the Fortune 500.

NetSPI is headquartered in Minneapolis, MN, with offices across the U.S., Canada, the UK, and India. Follow NetSPI on LinkedIn and X.

About Hubble   
Hubble is a technology asset visibility and cyber posture management solution that provides a complete and continually updated map of your entire technology environment and the state of your most critical security controls. Whether you operate in the cloud, are a heavy user of industrial control systems and IoT or operate a hybrid IT environment – Hubble has you covered.

Hubble is completely agentless, leveraging your existing IT stack to build a knowledge graph of your environment, allowing you to better understand your assets, and their relative risk, and prioritize triage of security events and posture gaps. Backed by Paladin Capital, Accel, and CrowdStrike Falcon Fund, Hubble has won numerous awards for its market-defining solution, including the prestigious 2022 World Economic Forum Technology Pioneer.

NetSPI Acquires Hubble, Adds CAASM to Complement its IEASM

Creating and nurturing a corporate environment of proactive cybersecurity means putting people first — their needs, weaknesses, and skills.

Ken Deitz, CSO/CISO, Secureworks

June 13, 2024

5 Min Read

Source: Washington Imaging via Alamy Stock Photo

COMMENTARY

"Underneath every simple, obvious story about 'human error,' there is a deeper, more complex story about organization."  
— Sidney Dekker, The Field Guide to Understanding Human Error

In my experience, culture trumps strategy when building and maintaining robust cyber defenses. It's a self-evident truth that in cybersecurity, all roads lead back to people. At its heart, security is a human problem — one that needs a human-centric solution. That's what makes culture so crucial.

It's often said that it's not the situation that defines us but how we respond. If the worst happens and your company suffers a breach, your security culture will be on the global stage. It will be your north star guiding how you communicate, engage, and respond to all stakeholders. If your culture is lacking, it will inhibit your long-term cyber maturity and fracture trusted relationships. Trust and security exist in a delicate balance, and culture is the glue that binds them together.

During my career I've learned valuable lessons about the core pillars of security culture and how to not only create a good one, but nurture it as well.

**1\. Establish the Right Mindset**

First, mindset matters. I've worked with organizations where the focus has been on everything that an employee can't or shouldn't do. Let's be honest: That's an overwhelming list that, even with the best of intentions, people aren't going to remember or be able to practically integrate into their working days. Instead, I suggest flipping the script — what are the positive actions people can and should take?

For example, if someone at Secureworks gets an email that they are unsure about, they can just send it over to our designated threat team for investigation. The threat team then comes back to let our teammate know whether it's OK. Regardless, the threat team always starts their response with the same two words: "thank you." Cybersecurity is a team sport, and each of us plays a part. It's important to recognize that in all of its forms. That "thank you" also provides encouragement to remain curious and vigilant.

**2\. Engage With Empathy**

A productive and inclusive security culture is one that shuns blame. A culture of blame is counterproductive and makes your teammates feel powerless — the exact opposite of how you want them to feel. If someone clicks, scans, or interacts with something they shouldn't, you need to know as soon as possible. If your culture points fingers and makes people feel shame, the chances are they'll either procrastinate about telling you or not tell you at all, and the first you'll know about it is when red lights start flashing. Cybercriminals take advantage of people, so don't double the impact with victim-shaming or making an example of the person. Instead, focus on what you can collectively learn from the incident to enrich your cyber strategy for the future.

**3\. Communicate, Communicate, Communicate**

When it comes to cybersecurity, there's no such thing as too much communication. Just because you've sent an email or mentioned something in a company all-hands meeting doesn't mean that the message has gotten across. People have a lot going on in their jobs and lives. Meet people where they are, and you'll have much better results.

First, do an audit of the communication channels that your business has — intranet, Viva Engage, Slack, Teams, email, team and company meetings, etc. — and devise a communications strategy. Which messages resonate best across which channels? If you're giving an update on a strategic initiative, a 10-minute slot in the company all-hands could be the appropriate forum. But if you're aware of an active QR phishing email campaign, you likely want to reach all employees as quickly as possible, so you might use a combination of email and internal message boards.

It's not just about matching the right message to the right channel, but the person as well. If I were the only person to talk to our Secureworks teammates about cybersecurity, it would be easy to zone me out. That's why we empower all leaders to talk about security in their team meetings and why our CEO underscores our investments in this area during company meetings. Different people bring different perspectives, and that's crucial to conveying the importance of cybersecurity.

**4\. Stay on Your Toes**

New and emerging technologies bring opportunities and challenges. Generative artificial intelligence (AI), for example, can offer teammates productivity gains. But if you don't create a safe playground for them, they'll develop their own ways to access and engage with these tools. This, again, comes back to meeting people where they are. We've made it easy to interact with and use AI within a safe environment that we've built. It's a win-win situation.

The threat landscape evolves rapidly. Deepfakes, for example, are becoming more advanced and therefore have the potential to cause damage. Typically, they cultivate a false sense of urgency aimed at panicking people into taking action, such as transferring a large volume of money. Cybercriminals are looking to manipulate the dynamic between the executive they are impersonating and the employee. That's why it's so important we encourage people to question the situation and give them access to simple tools that let them validate the identity of the person they're talking to.

**Cybersecurity Is a Team Sport**

What I've outlined above doesn't happen in isolation. You need to work across many different functions within the business — from HR and communications through to legal and beyond. Be clear about your shared objective with these teams: why you would like their support and the impact you believe working together will have. Share your plans and show them why their teams are so integral to the plan's success. A shared goal galvanizes the whole business.

And so we find ourselves back at the beginning, with trust and security. A good cybersecurity culture trusts and empowers teammates to make good decisions. In turn, that trust fuels a more productive relationship between cybersecurity and the business. Culture is a living entity that needs to be continuously nurtured. Give it the dedication it needs, and your businesses will be safer as a result.

**About the Author(s)**

CSO/CISO, Secureworks

Ken Deitz serves as chief security officer and CISO at Secureworks, working his way up from director of corporate incident response team. He served in the US Navy as a lead analyst in global network exploitation, then became a senior information security analyst at Advanced Concepts, Inc. He worked as branch chief of fusion cell at United States Cyber Command until he joined Secureworks in 2011.

4 Ways to Help a Security Culture Thrive

More claims are being made across the US and Canada compared with previous years, with healthcare organizations leading the way.

Source: Sarayut Thaneerat via Alamy Stock Photo

According to insurance broker Marsh, cyber-insurance claims reached record highs in 2023 with over 1,800 cyber claims sent in from the US and Canada.

The uptick is reportedly due to the sophistication of cyberattacks, privacy claims, a growing number of organizations purchasing cyber insurance, and the scope of the MOVEit file transfer supply chain breach.

Of all the claims made, healthcare came out on top with 17%, followed closely by communications (16%), education (9%), retail/wholesale (8%), and lastly financial institutions (8%).

Some 282 clients reported experiencing at least one cyber-extortion event in 2023, an increase from 2022, when only 172 clients reported these kinds of activities. Median extortion payments went up in tandem in 2023 compared with 2022, rising from $335,000 to around $6.5 million. Extortion demands made by the threat actors rose from $1.4 million to $20 million during this same time period.

Overall, Marsh reports of worsening cyber conditions due to the increasing activity of threat actors, but it did note that negotiating extortion payments proved to be effective in reducing the final ransom payment and the percentage of companies that paid a ransom at all fell to 23% in 2023 from 30% in 2022. 

**About the Author(s)**

Volume of Cyber-Insurance Claims Reaches New Heights

A new month, a new high-risk Ivanti bug for attackers to exploit — this time, an SQL injection issue in its centralized endpoint manager.

Source: Phichak via Alamy Stock Photo

Researchers have developed a proof-of-concept (PoC) exploit for a critical vulnerability in Ivanti Endpoint Manager that was recently disclosed — potentially setting the stage for mass exploitation of the devices.

CVE-2024-29824, an SQL injection bug, was first discovered by an independent researcher and sold to Trend Micro's Zero Day Initiative (ZDI). ZDI informed Ivanti of the issue on April 3.

It affects the company's centralized endpoint management solution, an attractive target for any hacker interested in compromising many devices across an organization from one launch point. The issue allows unauthenticated attackers to perform remote code execution (RCE) in the program, earning it a critical 9.8 out of 10 CVSS score.

"Endpoint Manager is usually elevated, so this really allows you to take over an Ivanti system," says Dustin Childs, head of threat awareness at ZDI. "From there, they would be able to affect other systems and do whatever you're using the Endpoint Manager to do."

The specific flaw lay in "RecordGoodApp," a method within a dynamic link library (DLL) file called "PatchBiz," contained within the program's core server. As outlined in a new blog post from Horizon3.ai, which published the PoC on GitHub, an attacker can take advantage of RecordGoodApp's very first string, which does not sufficiently validate user input data before constructing SQL queries. They demonstrated as much by sending a "fairly trivial" request to an endpoint handling events, convincing it to run Windows Notepad.

**Ivanti's Response**

Few organizations in cybersecurity history have been taken to task like Ivanti this year. Initially there were a couple of zero-day vulnerabilities, then another, then a whole lot more. Patches rolled in slowly and exploits skyrocketed, including some especially high-profile cases. Then, just as the bad press was finally starting to die down, this latest vulnerability arrived, equal in posing risk to corporations as any that had come before.

The good news: Childs emphasizes that, despite Ivanti's recent troubles, it handled this latest vulnerability by the book.

"It's not like we had to convince them \[to patch\]. We reported it to them, and they immediately got on it. They produced a patch within six weeks. That's about as good as you're going to see," he says. "So yes, they've had a lot of security problems this year, but they have made tremendous strides in addressing those problems in a very timely manner."

Ivanti published a patch for CVE-2024-29824 alongside its disclosure on May 24. Customers who haven't yet would be well advised to implement it as soon as possible, since threat actors have a history of piling on Ivanti vulnerabilities anyway, and an available, working PoC will likely spur them on further.

Besides patching, organizations can also focus on keeping their management interfaces protected from the wider Web. "Make sure that if your Endpoint Manager is Internet accessible, you restrict it to some very specific IP addresses that are \[trusted\]," Childs says.

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

PoC Exploit Emerges for Critical RCE Bug in Ivanti Endpoint Manager

The recently identified threat actor uses public registries for distribution and has expanded capabilities to disrupt the software supply chain.

Source: Igor Stevanovic via Alamy Stock Photo

A newly identified North Korean threat actor has widened its distribution of malicious node package manager (npm) code to public registries. And it's differentiating itself from other state-sponsored groups as it ramps up activity to threaten the software supply chain by poisoning open source code repositories.

Moonstone Sleet first appeared on the scene late last month, when Microsoft revealed that the threat group concurrently was engaged in espionage and financial cyberattacks using a grab bag of attack techniques against aerospace, education, and software organizations and developers.

Among those techniques was to try to get hired for remote tech jobs with real companies and, in the process, spread malicious npm packages on LinkedIn and freelancer websites. Now researchers from CheckMarx have discovered that the scope of Moonstone Sleet's malicious npm package activity is wider than first reported, according to a blog post published on June 13.

The actor is "placing those malicious packages in public open source package repositories that are accessible to developers," an activity that allows the actor to expand its attack surface, Tzachi Zornstein, head of software supply chain at Checkmarx, tells Dark Reading.

"With the revelation of this new North Korean group, coupled with the recent attacks by Russian and North Korean threat actors … it has become increasingly apparent that the open-source ecosystem has become a prime target for powerful and sophisticated adversaries," Zornstein and fellow CheckMarx researcher Yehuda Gelb wrote in the post.

The researchers cite the multiyear supply chain attack that started with a backdoor implanted in the XZ Utils data compression utility to demonstrate how spreading malicious open source code can have a massive ripple effect across the security of enterprise software.

**Differentiation From Lazarus Activity**

CheckMarx also discovered how Moonstone Sleet is setting itself apart through the structure and the style of its malicious code packages from another well-known and prolific North Korean actor — Jade Sleet, better known as Lazarus — that engages in similar activity.

The newest packages published late last year and in the first quarter of 2024 show Moonstone Sleet using "a single-package approach" that executes its payload immediately upon installation, the researchers wrote.

Further, while earlier malicious payloads "included OS-specific code, executing only if it detected that it was running on a Windows machine," packages released earlier this year show the actor adding obfuscation and creating code to target Linux systems if that OS is detected by the package, the researchers revealed.

In contrast, Lazarus designed its packages, discovered in the summer of 2023, to work in pairs, with each pair being published by a separate npm user account to distribute their malicious functionality. "This approach was used in an attempt to make it more challenging to detect and trace the malicious activity back to a single source," Zornstein and Gelb wrote.

The first package from Lazarus would create a directory on the victim's machine, fetch updates from a remote server, and save them in a file within the newly created directory, while the second package would execute the malicious payload.

**Evolving Threat to Open Source Ecosystem**

The tactic of publishing malicious npm packages by North Korean threat actors in general "underscores the persistent nature of their campaign" and poses a growing risk for the open source community that depends on public registries for software development.

"By uploading those malicious packages to a public registry, the attackers abuse the trust that developers have for the open source registries," Zornstein says.

However, while the open source community plays a key role in maintaining the security and integrity of the ecosystem, the primary responsibility for ensuring the safety of the software supply chain lies with the organizations that consume these packages. That's why it's imperative for organizations to "scan the code in the packages for malicious behaviors … prior to making the code available to developers," he says.

Developers and organizations also should continue to collaborate and share information among themselves and with the security community to identify and thwart these attacks, the researchers said. "Through collective effort and proactive measures," they wrote, "we can work towards a safer and more secure open-source ecosystem for all."

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

North Korea's Moonstone Sleet Widens Distribution of Malicious Code

Experiment demonstrates how AI can turn the tables on cybercriminals, capturing bank account details of how scammers move stolen funds around the world.

Source: tanit boonruen via Alamy Stock Photo

Responding to scammers' emails and text messages typically has been the fodder of threat researchers, YouTube stunts, and even comedians.

Yet one experiment using conversational AI to answer spam messages and engage fraudsters in conversations has shown that large language models (LLMs) can interact with cybercriminals, gleaning threat intelligence by diving down the rabbit hole of financial fraud — an effort that usually requires a human threat analyst.

Over the past two years, researchers at UK-based fraud-defense firm Netcraft used a chatbot based on Open AI's ChatGPT to respond to scams and convince cybercriminals to part with sensitive information: specifically, banks account numbers at more than 600 financial institutions spanning 73 different countries that are used to transfer stolen money.

Overall, the technique allows threat analysts to extract more details about the infrastructure used by cybercriminals to con people out of their money, says Robert Duncan, vice president of product strategy for Netcraft.

"We're effectively using AI to emulate a victim, so we play along with the scam to get to the ultimate goal, which typically \[for the scammer\] is to receive money in some form," he says. "It's proven remarkably robust at adapting to different types of criminal activity ... changing behavior between something like a romance scam, which might last months, \[and\] advanced fee fraud — where you get to the end of it very quickly."

As international fraud rings are profiting from scams — especially romance and investment fraud operating out of cyber-scam centers in Southeast Asia — defenders are searching for ways to expose cybercriminals' financial and infrastructure components and shut them down. Countries, such as the United Arab Emirates, have embarked on partnerships to develop AI in ways that can improve cybersecurity. Using AI chatbots could shift the technological advantage from attackers back to defenders, a form of proactive cyber defense.

**Personas With Local Languages**

Netcraft's research shows that AI chatbots could help curb cybercrime by forcing cybercriminals to work harder. Currently, cybercriminals and fraudsters use mass email and text-messaging campaigns to cast a wide net, hoping to catch a few credulous victims from which to steal money.

The two-year research project uncovered thousands of accounts linked to fraudsters. While Duncan would not reveal the name of the banks, the scammers' accounts were mainly in the United States and the United Kingdom — likely because the personas donned by the AI chatbots were from those regions as well. Financial fraud works better when using bank accounts in the same country as the victim, he says.

The company is already seeing that distribution change, however, as it adds more languages to its chatbot's capabilities.

"When we spin up some new personas in Italy, we're now seeing more Italian accounts coming in, so it's really a function of where we're running these personas and what language we're having them speak in," he says.

The promise of using AI chatbots to engage with scammers and cybercriminals is that machines can conduct such conversations at scale. Netcraft has bet on the technology as a way to acquire threat intelligence that would not otherwise be available, announcing its Conversational Scam Intelligence service at the RSA Conference in May.

**AI on AI**

Typically, scammers attempt to convince the victims to buy cryptocurrency or gift cards as the preferred way of payment, but eventually hand over bank account information, according to Netcraft. The goal in using an AI chatbot is to keep the conversation going long enough to reach those milestones. The average conversation results in cybercriminals sending 32 messages and the chatbot issuing 15 replies.

When the AI chatbot system succeeds, it can harvest important threat data from cybercriminals. In one case, a scammer promising an inheritance of $5 million to the "victim" sent information on 17 different accounts at 12 different banks in an attempt to complete the transfer of an initial fee. Other fraudsters have impersonated specific banks, such as Deutsche Bank and the Central Bank of Nigeria, to convince the "victim" to transfer money. The chatbot duly collected all the information. 

While Netcraft's current focus with the experiment is to gain in-depth threat intelligence, the platform could be operationalized to engage fraudsters on a larger scale, flipping the current asymmetry between attackers and defenders. Rather than attackers using automation to increase the workload on defenders, a conversational system could widely engage cybercriminals, forcing them to have to figure out which conversations are real and which are not.

Such an approach holds promise, especially since attackers are starting to adopt AI in new ways as well, Duncan says.

"We've definitely seen indicators that attackers are sending texts that resemble the type of texts that ChatGPT puts out," he says. "Again, it's very hard to be certain, but we would be very surprised if we weren't already talking back to AI, and essentially we have an AI-on-AI conversation."

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

AI Chatbot Fools Scammers &amp; Scores Money-Laundering Intel

Why the company took so long to address the issue is not known given that most other stakeholders had a fix out for the issue months ago.

Source: Robert K. Chin via Alamy Stock Photo

Among the more dangerous of the flaws for which Microsoft released a patch this week on Patch Tuesday is a denial-of-service (DoS) vulnerability publicly disclosed back in February in the Domain Name System Security Extensions (DNSSEC) protocol.

The vulnerability, identified as CVE-2023-50868 exists in a third-party DNSSEC mechanism called Next Secure Hash 3 (NSEC3) for proving that a non-existent domain truly doesn't exist, thereby protecting against malicious cataloging of signed DNS zones. The vulnerability gives attackers a way to craft DNS packets that would cause the DNS resolver to essentially exhaust its computing resources in trying to respond.

It affects several different vendors and projects, including Unbound, BIND, dnsmasq, PowerDNS, various Linux distros, and others, who released patches well before Microsoft did. A list of advisories can be found here.

**DNSSEC Resource Exhaustion Flaws**

CVE-2023-50868 is actually one of two serious DNSSEC flaws that researchers from the German National Research Center for Applied Cybersecurity ATHENE quietly informed industry stakeholders about last year.

The other is CVE-2023-50387, or "KeyTrap," a similar though more serious DNSSEC resource exhaustion bug that researchers believed would have allowed attackers to bring down large swathes of the Internet had it remained unmitigated. What made KeyTrap so dangerous is that it gave attackers a way to use a single packet to exhaust the processing capacity of a vulnerable DNS Server, essentially rendering it offline says Tom Marsland, vice president of technology at Cloud Range. "It does this by tricking those servers into performing extra calculations that overload their CPU." He estimates that some 31% of all DNS servers were vulnerable to the attack.

CVE-2023-50868 is similar in that it gives attackers a way to exhaust a DNS resolvers CPU cycles and cause it to become unresponsive.

Tyler Reguly, associate director, security R&D at Fortra says one of the biggest problems with protocol-level flaws such as CVE-2023-50868 is that they give attackers a way to tie up the server and get it to slow down or stop responding altogether.

"Once the denial-of-service slows down the DNS server's responsiveness, the amount of time that an attacker has to perform DNS cache poisoning increases drastically," he says. "What's interesting with this flaw is that the very technology designed to make DNS cache poisoning for non-existent domains harder has made cache poisoning easier for attackers."

**Microsoft's Lonely Zero-Day World**

Several major providers of DNS resolution services publicly released details of both DNSSEC flaws in a coordinated disclosure in February after they had developed mitigations for the threat. Microsoft too issued a patch for KeyTrap at the time, but waited till this week to announce a fix for CVE-2023-50868 — making the bug a zero-day threat at least from a Microsoft standpoint.

And indeed, it's somewhat surprising that Microsoft took so long to get to it, Reguly notes. He suspects one reason could be that most organizations rely on other services for external DNS, and Microsoft felt the risk associated with Microsoft's DNS resolution services wasn't all that significant.

 "We've seen vendors work together on big ticket items in the past when protocol flaws are in the mix, and it always impresses me that the vendor community is able to come together and work so well to fix these issues without any major leaks," Reguly says. "Why Microsoft dropped the ball on this CVE is unknown to me, but I'd love to see them address why it took them so much longer than the other vendors to release this fix."

Lionel Litty, chief security architect at Menlo Security, says another issue is that algorithmic complex vulnerability such as the two DNSSEC resource exhaustion flaws can be challenging to fix.

"Fixing this type of issue may require rethinking how algorithms are implemented and deciding when not to adhere to the specification because doing so would require an unreasonable amount of computation," Litty says. "It can also lead to more fundamental redesigns of how requests are prioritized by the server so that no one client can prevent others from getting their requests answered in a timely manner." In this light, it is not surprising that fixing this issue might have taken some vendors more time, he says.

**Cross-Industry Collaboration**

CVE-2023-50868 and CVE-2023-50387 are among several bugs in recent years that have forced an industry-wide response because they have existed at the protocol level or in foundational Internet technologies. The so-called Heartbleed vulnerability in the OpenSSL protocol from 2014 remains one of the most notable. But there have been others as well.

Relatively recent examples include one in the Bluetooth protocol (CVE-2023-45866), another in the UPnP Plug and Play protocol dubbed CallStranger and a vulnerability in the GTP protocol that threatened mobile networks.

Jason Soroko, senior vice president at Sectigo, sees a mixed record in the patching of such cross-vendor issues.

"While some vendors have improved their responsiveness and coordination, others have lagged behind," he says. "The coordination between different vendors and security researchers has generally improved, with more collaborative efforts to address and mitigate vulnerabilities promptly. However, the speed and efficiency of patching still vary significantly across the industry."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Microsoft, Late to the Game on Dangerous DNSSEC Zero-Day Flaw

Strong partnerships and collaborations between industry and law enforcement are the most critical ways to take down cybercrime groups before they grow.

Sean M. McNee, Vice President of Research & Data, DomainTools

June 13, 2024

4 Min Read

Source: Igor Stevanovic via Alamy Stock Photo

COMMENTARY

It appears that 2024 could be the year of the cybercrime takedown. The most high-profile takedown so far this year, LockBit, was an international news story that broke the back of the so-called "most harmful cybercrime group." This was followed up shortly by the takedown of ALPHV/BlackCat.

However, for every takedown, there is an equivalent cybercrime "startup." Here's how such organizations emerge and function. 

**Developing a Business Model **

When viewed through a dispassionate lens, cybercrime groups aren't that dissimilar from startups. The successful ones stay keenly focused on what their customers want and which markets and trends are ripe for disruption, and move fast to secure their advantages — even though these groups operate within a shadow economy that, despite being presumably hidden and illegal, is still an economy. It has all of the same financial dynamics, complex business interactions, and market forces as any other economy. 

Since these cybercrime groups operate outside the law, they are able to "innovate'' independent of any external regulations. They can pivot to target new industries rapidly, or pivot technologies or processes when they determine the financial payout is worth it. This freedom allows a highly motivated group to remain ahead of law enforcement and their targets. The savviest cybercrime groups don't change their technology because they want to, however, they change in response to market forces.

**The Manipulaters: A Case Study **

The maturation of a cybercrime gang and its associated crimeware tools does not happen in a vacuum. It happens in the context of a community of financially motivated individuals. In the case of the recently documented recently documented Manipulaters, the group leveraged the variety of unmet needs by their customers to move laterally into different markets. The storefronts that the Manipulaters created demonstrated "social proof" of their value and followed a predictable pattern: A store would start with spam tooling and services, move to phishing kits, and eventually expand into off-the-shelf malware. Each time, the Manipulaters would refine its business models: who it sold to, what its pricing model was, and the specific services it offered. Even with these innovations, spam services remained its core business, with the most consistent profits, especially from West African clientele.

The considerable scale of its operation is nothing compared to its position as one of the "innovators'' in the cybercrime space. Its now defunct primary shop, Fresh Spam Tools, was one of the earliest large spam- and phishing-focused cybercrime marketplaces. The cybercrime marketplaces online today are a result of this "innovation" — there's good money to be made enabling others to perform cybercrime. By pioneering this business model, the Manipulaters lowered technical barriers to entry and expanded Internet crime. What this group may lack in technical talent, it more than makes up for in opportunism and business savvy, leading to its financial success.

**Shifting Response Strategies **

Groups like LockBit, the Manipulaters, and others may find themselves battling changing strategies from law enforcement disrupting their activities. Recent amendments to the US Federal Rules of Criminal Procedure, including a specific change to Rule 41, broadens courts' jurisdictions to issue remote search warrants when the location of a sought-after device or data has been concealed due to technological means. This change, in alignment with the provisions of the Budapest Convention, has created the legal framework and tools required for international law enforcement coalitions to go after and take down cybercrime groups. The LockBit and ALPHV/BlackCat takedowns were enabled by these changes.

While this helps curtail illegal activity online, some privacy advocates are concerned. "Hard cases make bad law," so these takedown precedents should be considered carefully. There appears to be an operational delineation between "illegal code" placed into US-owned hardware by foreign actors, for example, compared to similar actions undertaken by domestic actors. Ultimately, Congress will need to step in and provide additional rules and guidelines for how to align potential domestic takedown cases with Fourth Amendment rights. 

**Tracking Infrastructure to Prevent Empires**

Law enforcement takedowns depend on timely, accurate, and actionable information, both on who the actors are and where their infrastructure is located. Internet infrastructure — IP addresses, email, and especially DNS — is key, as bad actors must be online to cause harm, thus we can track them. The research and knowledge generated by the security industry builds up a clear picture of the activities of cybercriminal networks. Therefore, ensuring a strong partnership and collaboration between industry and law enforcement is the most critical way to identify, mitigate, and take down cybercrime groups such as LockBit and ALPHV/BlackCat before they have a chance to become an empire. 

**About the Author(s)**

Vice President of Research & Data, DomainTools

Sean M. McNee is Vice President of Research and Data at DomainTools. Over his career, Sean has harnessed the power of machine learning and visual analytics to help people — including academics, lawyers, and threat hunters — find the information they need to make better decisions. He looks for ways to make the Internet a better place, with a focus on Internet infrastructure, such as domain registration and DNS data analysis. A winner of the 2010 ACM Software Systems Award, Sean received his doctoral degree from the University of Minnesota, where he researched personalization and recommender systems.

How Cybercrime Empires Are Built

Against a backdrop of political conflict, a years-long cyber-espionage campaign in South Asia is coming to light.

Source: Frank Nowikowski via Alamy Stock Photo

A Pakistani threat actor has been spying on Indian government-associated entities for at least six years now.

A new report from Cisco Talos has collated years of cyber espionage by a group it calls "Cosmic Leopard," under the umbrella title "Operation Celestial Force." The Pakistan-based Cosmic Leopard overlaps with but as yet remains distinct from the threat actor known as Transparent Tribe. Cosmic Leopard's attacks focus on espionage and surveillance against individuals and organizations associated with India's government and defense sectors, as well as related technology companies.

"What we're seeing is constant, persistent efforts to infect targets of interest, and establish long-term access," says Asheer Malhotra, Cisco outreach researcher. "I'm pretty sure that the threat actors themselves don't know specifically what they're looking for. The intention here is to get as much data as they can, so that they can analyze it and then figure it out at a later stage."

**Operation Celestial Force**

Signs of Cosmic Leopard activity date back to 2016, when it created a Windows version of its GravityRAT Trojan.

Since then, Malhotra says, "We've seen a constant evolution in everything they do, basically."

In 2019, for example, the group developed its HeavyLift malware loader, and Android versions of GravityRAT for targeting mobile devices. MacOS, too. "We've also seen a constant evolution in the TTPs \[tactics, techniques, and procedures\] used by the threat actor. They used to send out phishing messages; now they establish conversations with victims over social media channels. At the same time, they're setting up new infrastructure which they can use to outrun detection," he explains.

In all, a current Celestial Force attack will look something like this:

First, a spear-phishing email or social media message arrives, containing a malicious document or, more often, a link. The link will seem like a website for downloading a legitimate Android application that, in fact, masks GravityRAT or HeavyLift.

GravityRAT is a fairly standard but powerful mobile Trojan. It can read and delete SMS messages, call logs, and files as well as other device information — about the SIM card, phone number, IMEI, manufacturer, network operator, location, and more.

HeavyLift is an executable masked as a legitimate installer. Typically, it installs both a harmless decoy application and a malicious one on the device. The malicious component can gather and exfiltrate a variety of system data, download further payloads, and check if it's running in a virtual machine.

It doesn't have to do any of that, however, to be effective.

"HeavyLift has a component that can download and run additional malware on the victim system, but it also gives the victim the ability to upload data to the threat actors' cloud," Malhotra explains. In some scenarios, the threat actor simply tells a target over social media about their cloud storage application. "The threat actor is being upfront about it. They say this is a cloud storage application, you can store all of your data in it. And once the target starts uploading all of their data, they have access to it, so they don't need to go in and steal from them."

It works so well, says Cisco lead security researcher Vltor Ventura, because "If you go to the site, if you go through the UI, it's really, really well done. Even while we were investigating the malware, it seemed almost like a legitimate application. It started a discussion between us — like, OK, is this really malicious or not?"

**Preventing Infections**

Luckily, steering clear of these attacks on mobile devices is simple: only download software from authorized app stores (for Android, that's Google Play). "Unless the attacker uses a zero-day, or n-day if the system is not updated, that's pretty much the only way they can get into the Android ecosystem," Ventura notes.

Windows computers lack this simple fix, but they have an advantage all their own.

"When you think about Android, organizations don't have that much visibility to what's going on these devices. It's a harder environment for organizations to control. With laptops, there is better visibility," Ventura explains.

With that extra visibility, organizations can apply layered security to prevent one employee's wayward click from becoming an organizationwide issue.

"When people get a link or when they get a file, they want to see what's inside," he says. Rather than denying reality, "we need to go to the next level, and prevent that \[decision\] from becoming something much worse."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Source

DARKReading