PRESS RELEASE

CAMBRIDGE, Mass., June 25, 2024 /PRNewswire/ -- Akamai Technologies, Inc. (NASDAQ: AKAM), the cloud company that powers and protects life online, announces the company has completed its acquisition of application programming interface (API) security company, Noname Security. On May 7, Akamai announced an agreement between the two parties for Akamai to acquire the company in exchange for approximately $450 million.

Noname, one of the top API security vendors in the market, is expected to accelerate Akamai's ability to meet growing customer demand and market requirements as the use of APIs continues to expand. Specifically, Akamai will be able to extend protection across all API traffic locations, no matter the business, integration, or deployment requirements customers may have. Akamai also expects to gain greater scale with Noname's additional sales and marketing resources, and established channel and alliance relationships.

For more information, visit the Akamai application and API security page and the Akamai blog.

About Akamai

Akamai powers and protects life online. Leading companies worldwide choose Akamai to build, deliver, and secure their digital experiences — helping billions of people live, work, and play every day. Akamai Connected Cloud, a massively distributed edge and cloud platform, puts apps and experiences closer to users and keeps threats farther away. Learn more about Akamai's cloud computing, security, and content delivery solutions at akamai.com and akamai.com/blog, or follow Akamai Technologies on X, formerly known as Twitter, and LinkedIn.

You May Also Like

Akamai Completes Acquisition of API Security Company Noname

Microsoft, OpenAI, Google, Meta genAI models could be convinced to ditch their guardrails, opening the door to chatbots giving unfettered answers on building bombs, creating malware, and much more.

Source: jefftakespics2 via Alamy Stock Photo

A new type of direct prompt injection attack dubbed "Skeleton Key" could allow users to bypass the ethical and safety guardrails built into generative AI models like ChatGPT, Microsoft is warning. It works by providing context around normally forbidden chatbot requests, allowing users to access offensive, harmful, or illegal content.

For instance, if a user asked for instructions on how to make a dangerous wiper malware that could bring down power plants, most commercial chatbots would first refuse. But, after revising the prompt to note that the request is for "a safe education context with advanced researchers trained on ethics and safety" and to provide the requested information with a "warning" disclaimer, then it's very likely that the AI would then provide the uncensored content.

In other words, Microsoft found it was possible to convince most top AIs that a malicious request is for perfectly legal, if not noble, causes — just by telling them that the information is for "research purposes."

"Once guardrails are ignored, a model will not be able to determine malicious or unsanctioned requests from any other," explained Mark Russinovich, CTO for Microsoft Azure, in a post today on the tactic. "Because of its full bypass abilities, we have named this jailbreak technique Skeleton Key."

He added, "Further, the model's output appears to be completely unfiltered and reveals the extent of a model's knowledge or ability to produce the requested content."

**Remediation for Skeleton Key**

The technique affects multiple genAI models that Microsoft researchers tested, including Microsoft Azure AI-managed models, and those from Meta, Google Gemini, Open AI, Mistral, Anthropic, and Cohere.

"All the affected models complied fully and without censorship for \[multiple forbidden\] tasks," Russinovich noted.

The computing giant fixed the problem in Azure by introducing new prompt shields to detect and block the tactic, and making a few software updates to the large language model (LLM) that powers Azure AI. It also disclosed the issue to the other vendors affected.

Admins still need to update their models to implement any fixes that those vendors may have rolled out. And those who are building their own AI models can also use the following mitigations, according to Microsoft:

*   Input filtering to identify any requests that contain harmful or malicious intent, regardless of any disclaimers that accompany them.
    
*   An additional guardrail that specifies that any attempts to undermine safety guardrail instructions should be prevented.
    
*   And output filtering that identifies and prevents responses that breach safety criteria.
    

**About the Author(s)**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Dangerous AI Workaround: 'Skeleton Key' Unlocks Malicious Content

The vulnerability affects not only AirPods, but also AirPods Max, Powerbeats Pro, Beats Fit Pro, and all models of AirPods Pro.

Source: Hoor Aloraidh via Alamy Stock Photo

Apple released its latest firmware update for its AirPods products to address a vulnerability that could give a threat actor unauthorized access.

The vulnerability is tracked as CVE-2024-27867 and affects AirPods (second generation and later) and AirPods Pro (all models), as well as AirPods Max, Powerbeats Pro, and Beats Fit Pro.

"When your headphones are seeking a connection request to one of your previously paired devices, an attacker in Bluetooth range might be able to spoof the intended source device and gain access to your headphones," reported Apple in an advisory.

To fix for the issue, Apple said that an "authentication issue was addressed with improved state management" in AirPods firmware update 6A326, AirPods firmware update 6F8, and Beats firmware update 6F8. These firmware updates are automatically delivered to a user's device while the headphones or AirPods are in Bluetooth range of an iPhone, iPad, or Mac.

Apple credited Jonas Dreßler for the discovery of the flaw as with well as reporting the bug to the company.

**About the Author(s)**

Apple AirPods Bug Allows Eavesdropping

The site is supplying malicious code that delivers dynamically generated payloads and can lead to other attacks, after a Chinese organization bought it earlier this year.

Source: Bleakstar via Shutterstock

A domain that more than 100,000 websites use to deliver JavaScript code is now being used as a conduit for a Web supply chain attack that uses dynamically generated payloads, redirects users to pornographic and sports-betting sites, and can potentially lead to data theft, clickjacking, or other attacks. The malicious activity follows the sale of the domain polyfill\[.\]io to a Chinese organization earlier this year.

Security researchers are warning that the cdn\[.\]polyfill\[.\]io domain has been compromised to serve malicious code in scripts to end users in a widespread attack. The site allows websites to use modern JavaScript features in older browsers by including only the necessary polyfills based on the user's browser.

Researchers from security monitoring firm c/side sounded the alarm about the attack in an advisory by founder Simon Wijckmans warning website owners to "check your code for any use of the polyfill\[.\]io domain and remove it from your applications."

"This attack places an estimated +100k websites at immediate risk," he wrote. "When a once-safe domain is embedded in thousands of websites and concealed like JavaScript threats are, it becomes a tempting path for malicious actors."

**Dynamically Generated Payloads**

Specifically, researchers discovered malicious, obfuscated code that "dynamically generates payloads based on HTTP headers, activating only on specific mobile devices, evading detection, avoiding admin users, and delaying execution" being injected into devices via websites using cdn\[.\]polyfill\[.\]io, Wijckmans wrote.

"In some instances, users receive tampered JavaScript files, which include a fake Google Analytics link," he wrote. "This fake link redirects users to various sports betting and pornographic websites, seemingly based on their region."

Given that the malicious code is JavaScript, it also could "at any moment introduce new attacks like formjacking, clickjacking, and broader data theft," Wijkmans noted.

**Polyfill Users Were Forewarned**

Polyfill users were already clued in back in February of the potential for malicious activity and were advised to stop using the polyfill\[.\]io domain after it was purchased by Funnull, a Chinese company. Following the sale, the developer of the open source Polyfill project, Andrew Betts, urged users in a post on X to remove references to the content delivery network (CDN), in part because he never owned the site.

"I created the Polyfill service project but I have never owned the domain name and I have had no influence over its sale," he wrote.

A site called Pollykill was even created on Feb. 27 "to bring awareness to a major JavaScript supply chain vulnerability," since Polyfill was sold and all Polyfill traffic was pointed "to the Baishan Cloud CDN."

Pollykill also provides users with alternatives to using the site to deliver JavaScript to their websites, warning users of the "many risks associated with allowing an unknown foreign entity to manage and serve JavaScript within your web application."

"They can quietly observe user traffic, and if malicious intent were taken, they can potentially steal usernames, passwords and credit card information directly as users enter the information in the Web browser," according to the site.

**Immediate Action Required**

Supply chain attacks that compromise website scripts and other code that's used widely across applications or Web properties are serious business, which means anyone using Polyfill needs to take action now, Wijkmans said.

"Third-party resources are in a very powerful position and thus a high value target for bad actors," he wrote, adding that CDNs hosting third-party scripts are especially subject to attack.

However, one thing that's important to note is that "the Polyfill service itself is still solid," Wijkmans said. "You can host your own version in a safe and controlled environment without issue."

As the problem lies in the domain cdn\[.\]polyfill\[.\]io, it should immediately be removed from any site using it. Moreover, threat feeds currenty don't flag the domain, so administrators should not rely on that, Wijkmans added.

The Polykill website also advises developers to use a code search tool or integrated development environment (IDE) to search for instances of the malicious domain in source code across all projects within an organization. It cites resources by the developer community Fastly Connect that also can help them secure websites that use Polyfill; these include polyfill-fastly\[.\]net and polyfill-fastly\[.\]io, which are free drop-in replacements for polyfill\[.\]io in a website's code.

Fastly’s fork of the open source code 223 also can be used to self-host the service to maintain full control over the code delivered to users, according to Fastly.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Polyfill.io Supply Chain Attack Smacks Down 100K+ Websites

The high-end retailer is the latest company to confirm it was affected by the wide-ranging Snowflake data breach, which impacted more than 165 organizations.

Source: mauritius images GmbH via Alamy Stock Photo

Luxury department store chain Neiman Marcus confirmed that nearly 65,000 customers were impacted by the theft of its database during recent attacks on the cloud-based data warehousing platform Snowflake.

In a notification filed with the Office of the Maine Attorney General, Neiman Marcus revealed it learned in May of the attack, part of a series of attacks on the data platform between April and May.

"Based on our investigation, the unauthorized third party obtained certain personal information stored in the database platform," Neiman Marcus cautioned in the statement.

As reported by Hackmanac, the attacker known as "Sp1d3r" allegedly sold the stolen information for $150,000 after accessing the company's Snowflake account credentials.  

"The types of personal information affected varied by individual, and included information such as name, contact information, date of birth, and Neiman Marcus or Bergdorf Goodman gift card number(s) (without gift card PINs)," the statement continued.

Overall, more than 70 million transactions, 50 million customer emails, and 12 million gift card numbers were up for sale, along with employee info, and customer shopping data.

With the Dallas-based department store catering to high-end customers, "Sp1d3r" was quick to mention the data included "High Value Rich Targets! Big Spenders!"

This is not the first time the company has been victim of a data breach. In an attack in May 2020, the personal information of around 4.6 million online customers was exposed.

Neiman Marcus became aware of the breach — and then notified those affected — only more than a year later.

**Strengthening MFA a Must**

The admission by Neiman Marcus is the latest fallout from the Snowflake breach reported earlier this month, which impacted data belonging to at least 165 organizations, including Ticketmaster and Santander Bank.

A Mandiant investigation into the account compromises revealed the breaches occurred due to customers failing to implement multifactor authentication (MFA) and proper access control.

The financially motivated threat actor was identified as UNC5537 and accessed accounts using valid credentials obtained from other sources.

Dirk Schrader, vice president of security research at Netwrix, says organizations should embrace the use of MFA and password management solutions, implement a just-in-time privilege approach to identity security, and ensure detailed monitoring.

"MFA ensures another level of identification between a malicious actor and access to an organization's system, making it much more difficult to compromise identities," he explains.

A password-management solution helps ensure the use of complex, hard-to-crack passwords in place, restricts reusing passwords for multiple accounts, and relieves users from the burden of remembering them.

"For sensitive systems, organizations should go for just-in-time access management so that accounts only exist as long as they are needed, drastically reducing an attacker's options for credential abuse," Schrader adds.

Gunnar Braun, technical manager at Synopsys Software Integrity Group, says the incident demonstrates that literally every company is a potential target for an attack, and every organization that stores data in any shape or form must take measures to protect that data.

"Retailers are likely an easier target, as they are not subject to strict security regulations and often have a lower IT investment," he says.

He says for Neiman Marcus — and all other Snowflake customers — it comes down to protecting their credentials, like everyone should do for their PayPal, Gmail, and any other accounts.

Darren Williams, CEO and founder of BlackFog, warns the long-term effects of the breaches is unfortunate for customers, given how data is often leveraged for many years to come and sold on the Dark Web.

"The fact that Neimans failed to pay the ransom, while a good approach, has forced the attackers to make revenue other ways by selling the data online and targeting individuals," he says. "Unfortunately, most organizations are still unprepared to deal with these types of attacks."

**About the Author(s)**

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.

Neiman Marcus Customers Impacted by Snowflake Data Breach

Our adversaries certainly have diversity — so cybersecurity teams need it, too.

Lynn Dohm, Executive Director, Women in Cybersecurity

June 26, 2024

4 Min Read

Source: Kjetil Kolbjørnsrud via Alamy Stock Photo

COMMENTARY

While some may consider the Diverse Cybersecurity Workforce Act as intended primarily to improve diversity in a workforce dominated by white men, that attitude ignores the real security risk that exists due to the lack of different perspectives brought by women and underrepresented communities. The lack of diversity creates a groupthink mindset, causing people to set aside personal beliefs and/or simply adopt the opinion of the group, which creates the illusion of invulnerability. We need to solve challenges that have never previously existed; to do that, we not only need all genders, but identities, ethnicities, races, cultures, ages, backgrounds, and experiences. The adversaries certainly have diversity — and cybersecurity teams need it, too.

**Building a Pipeline of Diverse Skills**

Ensuring the cybersecurity workforce becomes more diverse isn't possible without building a talent pipeline that looks like the world around us. That pipeline must be created by tapping into underrepresented communities. The Diverse Cybersecurity Workforce Act offers the Cybersecurity and Infrastructure Security Agency (CISA) a way to create a structure that supports these efforts through intentional resources and programming designed to empower individuals to:

*   Explore cybersecurity careers
    

*   Elevate those with aptitude, grit, and determination
    
*   Build real-world cyber skills and launch careers
    

The next step is to create inclusive spaces for cybersecurity training and offer services that champion and drive impactful programming efforts, including incentives for students/career changers, mentorship, and career placement. This act presents an opportunity to bring underrepresented individuals into lucrative, life-changing careers, and it's our best chance at mitigating current and future security risks, as well as ensuring the cyber workforce achieves greater diversity across sectors. 

**Timeline and Funding**

Last year, Gartner predicted that nearly half of cybersecurity leaders would change jobs by 2025, and 25% of those leaving would find different roles due to the stress of working in cyber. Meanwhile, ISC2's 2023 Cybersecurity Workforce Study showed the industry was already struggling with a record workforce gap of 4 million. Adding new talent to the cybersecurity workforce has never been more urgent. CISA must create very intentional programming that provides accessibility programs and opportunities for disadvantaged communities. By including mentorship, peer support, community engagement, check-in calls, career services, and "ask me anything" sessions, alongside high-quality skills training, it is achievable to lift people from zero cybersecurity skills into careers in a year and a half or less. 

These efforts must be started immediately, ideally by using a turn-key programming effort that has already been shown to make a strong jobs impact on employers and career changers. The $20 million per year budget is enough to make an impact; Women in Cybersecurity (WiCyS) invested $1.8 million to allow 2,900 women to explore cybersecurity careers and enabled 181 to achieve multiple advanced SANS GIAC certifications with career placement services that positioned them for success in the workforce on day one at their new cyber job. WiCyS has supported career changers in pivoting from teaching to pen testing, physical therapy to cloud security, and so much more. While WiCyS focuses on the recruitment, retention, and advancement of women, our experience shows these efforts successfully increase diversity, equity, and inclusion in the workforce. 

**Barriers to Retention**

The act is focused on getting diverse talent into cybersecurity, but what about getting them to stay? Any effort by government agencies and organizations to hire a diverse workforce must address the barriers to retention and overcome them. The "2023 State of Inclusion Benchmark in Cybersecurity" report, conducted by WiCyS in collaboration with DEI firm Aleria, showed that workplace experiences are dramatically worse for women than for men. 

Across all experience categories, women were excluded at a rate two times higher than men, citing their direct managers and peers as sources of experiences that interfered with their job satisfaction and ability to perform their best work. Women's second source of exclusion was the lack of career growth and advancement, contributing to them experiencing a glass ceiling just six to 10 years into their career, despite 46% of women in the field holding advanced degrees. Given these challenges, it's not surprising that an Accenture report showed that half of young women in tech leave the field by 35. 

**Retention Is Driven by Inclusion **

When diverse talent joins the cyber workforce, there must be programs in place that create more inclusive communities. That means looking at common ways that underrepresented individuals are excluded and addressing those issues openly, including: 

*   Underappreciating skills and experience from underrepresented groups
    
*   Failing to recognize the contributions of individuals appropriately
    
*   Requesting or expecting disadvantaged individuals to do menial tasks unrelated to their role
    
*   Assuming underrepresented individuals were only hired, promoted, or included in a project to give the appearance of equality
    
*   Generally disrespectful and sexually inappropriate behaviors
    
*   Social exclusion activities
    
*   Lack of career growth and advancement opportunities
    

To create an inclusive culture, organizations must ensure that diverse talent has a community and support structures within the organization designed to promote learning and career growth. Without a plan to create this inclusion and growth, organizations lose their diversity hires, leading to higher recruitment expenses and ongoing cyber-workforce gaps. Inclusion, quite simply, is vital for building and retaining a diverse workforce and addressing evolving cybersecurity risks.

**About the Author(s)**

Executive Director, Women in Cybersecurity

Lynn Dohm brings more than 25 years of organizational and leadership experience to the Women in CyberSecurity (WiCyS) team. Lynn is passionate about the need for diverse mindsets, skill sets, and perspectives. She aims to facilitate learning opportunities and discussions on leading with inclusion, equity, and allyship. She has collaborated with businesses, nonprofits, grants, and philanthropies to help produce outcomes aligned with cybersecurity workforce initiatives.

Diverse Cybersecurity Workforce Act Offers More Than Diversity Benefits

As cybersecurity's cat-and-mouse game starts to look more like Tom and Jerry, attackers develop a method for undermining Android app security with no obvious fix.

Source: Frank Herholdt via Alamy Stock Photo

Hackers from Southeast Asia have turned Android's own best application security mechanism against itself, severing the link between kernel and application in order to perform any kind of tampering they wish.

This method is being employed by new malware called "Snowblind," which targets at least one banking app in Southeast Asia. Snowblind works by abusing the ubiquitous and otherwise sterling Linux security feature "seccomp" — short for "secure computing" — in order to trap and modify system calls in transit, in effect isolating an application from the protocols and information it needs to detect malicious tampering.

"In security, nothing is bulletproof," says Jan Vidar Krey, vice president of engineering at Promon, lamenting the weaponization of such a core Android security feature. "Everything can be circumvented to some extent, which is a harsh, brutal way of looking at it, but that's the reality."

**The Android Anti-Tampering Cat & Mouse Game**

As Promon describes in its report on Snowblind, the most common way hackers undermine Android devices is by tricking users into granting them accessibility permissions, which they can use to various malicious ends.

Because this is so common, though, experienced developers already know how to account for it. For example, apps can query the operating system to check for untrusted accessibility services, and then react accordingly, as Promon discusses in its report.

Attackers, for their part, can try to identify and sabotage the parts of an app's code that do that job by "repackaging" them — downloading, modifying, and re-uploading malicious versions of legitimate apps.

To prevent repackaging, developers can be proactive by protecting their code with obfuscation, or they can be reactive by opening an app's Android package (APK) file on disk and reviewing its contents.

Attackers have their own methods for concealing their malicious repackaging, though. For example, they can hook into that anti-tampering file reading process and redirect it to an unmodified version of the same app. But developers know about and can account for that as well by implementing the necessary system calls in native libraries rather than the C standard library.

So at this point, forced into a corner, attackers needed a new way of preventing secured apps from detecting their tampering.

**Snowblind's Anti- Anti-Tampering**

Snowblind — the next evolution in this grand game — tries something new. It puts its focus not on accessibility services per se, or the app's code, but the seccomp security feature in between.

"This seccomp mechanism is the foundation of everything that you're seeing in the cloud today," Krey notes. In addition to Android — since version 8.0 Oreo — it's used by containerization technologies like Docker (by default) and Kubernetes, Chromium browsers, and more.

It works by sandboxing applications, allowing or blocking calls they might make to the operating system as defined by a system administrator. But these days, Krey explains, "What we're seeing with Android is that malware is using these same security tricks to prevent an application from seeing what's actually going on on the rest of the system. And basically just showing it what the attacker wants it to see."

First, Snowblind repackages an app with a library that will be loaded before any anti-tampering mechanisms can run. This library includes a seccomp "filter," which looks out for a very select few system calls — like "open()", used for opening files or other resources — and traps them. Before allowing the call to be executed, it uses a signal handler to modify it, pointing it to a file that's the original, unmodified version of the app.

In other words, like a little man in the middle of the device, the malware traps and misdirects the signals an app needs to know whether it has been tampered with.

**No Perfect Solutions**

Having fully isolated an app, a banking Trojan can freely use accessibility services to perform any number of malicious actions on a device: steal and exfiltrate credentials, intercept two-factor authentication (2FA) codes, and disable further application security features, among other functions.

And, Promon noted, Snowblind's strategy can be used to do more than just defeat anti-tampering on Android phones. In cloud or containerized environments, Chromium browsers, or any other type of system relying on seccomp, it can, in theory, be used to trace and manipulate any code that relies on system calls, for whatever reason.

How will defenders respond, then? For Krey, there isn't any obvious seccomp-oriented fix, as it's so crucial to protecting these systems in the first place. "Seccomp is an integral part of lots of different applications," he explains, "so I don't really know how they would fix it. And I don't really see that they should fix it, to be honest. It's kind of a paradoxical thing."

Instead, Google and its customers can focus on shunning maliciously repackaged apps before they're downloaded. "In Southeast Asia, we believe these types of apps have likely spread outside of the official app stores. This has almost certainly been achieved via social engineering attacks, a still very prevalent and widely reported method of duping less tech-savvy users. And fake malicious apps still make their way onto major app stores," he explains. "With this in mind, a stronger policing of the Play Store and tighter verification process for uploaded apps would mitigate the spread of Snowblind."

Google, for its part, appears unfazed. In a statement to Dark Reading, a company spokesperson claimed that the company already knew about Snowblind before Promon's report. "Based on our current detection, no apps containing this malware are found on Google Play. Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play," Google said in its statement.

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

'Snowblind' Tampering Technique May Drive Android Users Adrift

The China-nexus cyber-threat actor has been operating since at least 2019 and has notched victims in multiple countries.

Source: Herr Loeffler va Shutterstock

A likely China-backed advanced persistent threat (APT) group has been systematically using ransomware to disguise its relatively prolific cyber-espionage operations for the past three years, at least.

The threat actor, who researchers at SentinelOne are tracking as ChamelGang (aka CamoFei), has recently targeted critical infrastructure organizations in East Asia and India.  

**Ransomware as a Distraction**

Some of ChamelGang's victims in that region include an aviation organization in the Indian subcontinent and the All India Institute of Medical Sciences (AIIMS). But the group's previous victims include government and private sector organizations — including those in critical infrastructure sectors — in the US, Russia, Taiwan, and Japan.

According to SentinelOne, what makes ChamelGang's operations noteworthy is its regular use of a ransomware tool called CatB to distract from and conceal its cyber-espionage focus.

"Cyberespionage operations disguised as ransomware activities provide an opportunity for adversarial countries to claim plausible deniability by attributing the actions to independent cybercriminal actors rather than state-sponsored entities," the security vendor said in a report shared with Dark Reading. "Furthermore, misattributing cyberespionage activities as cybercriminal operations can result in strategic repercussions, especially in the context of attacks on government or critical infrastructure organizations."

Significantly, ransomware also gives cyber-espionage actors a way to conveniently cover their tracks by destroying artifacts and evidence that would have pointed to their data theft activities, SentineOne said.

ChamelGang is not the first China-nexus cyberespionage player to use ransomware in this manner. Other examples include APT41 — an umbrella group of multiple smaller subgroups — and Bronze Starlight, whose victims include organizations in the US and multiple other countries.

"Current and historical evidence suggests that cyberespionage clusters use ransomware primarily for disruption or financial gain," says Aleksandar Milenkoski, senior threat researcher at SentinelOne's SentinelLabs.

In ChamelGang's case, the threat actor has typically tended to deploy its ransomware toward the end of its missions where covertness is no longer an operational objective, Milenkoski says. Ransomware can be used as a cover for exfiltrating intelligence-relevant data and deflecting blame, so victims of a ransomware attack should not ignore this aspect when responding to an attack, he says: "Depending on the potential value of the targeted organization to adversaries from an intelligence perspective, these dimensions of ransomware activities should be considered when assessing the situation."

**Data Espionage & Theft**

ChamelGang is a threat actor that others such as Positive Technologies and Team5 have previously identified as focused on data theft and cyber espionage. Positive Technologies reported on the group's activities in September 2021 following a breach investigation at an energy company where the threat actor disguised its malware and infrastructure to look like legitimate Microsoft, Google, IBM, TrendMicro, and McAfee services.

Team5, which tracks the group as Camo Fei, has assessed the threat actor as having been active since at least 2019 and using a variety of malware tools in its campaigns, including Cobalt Strike, DoorMe, IISBeacon, MGDrive, and the CatB ransomware tool. Team5's research showed the threat actor is primarily focused on targets in the government sector and, to a lesser extent, the healthcare, telecommunications, energy, water, and high-tech sectors as well.

SentinelOne itself has assessed ChamelGang's current focus on East Asia and the Indian subcontinent as resulting from geopolitical tensions, regional rivalries and a race for technological and economic superiority. The company's investigations showed the group deployed CatB ransomware in its 2022 attacks on India's AIIMS and against the Brazilian government after using tools such as BeaconLoader and Cobalt Strike during earlier phases of the intrusion.

The interest of threat actors in conducting both cyber espionage and financially motivated activities to actually collect a ransom depends on their objectives when targeting an organization, Milenkoski says. "Historically, a common case where threat actors have shown no interest in collecting ransom is when deploying ransomware for disruptive purposes," he says. "But we note that interest in ransom payment may represent a cover by itself."

'ChamelGang' APT Disguises Espionage Activities With Ransomware

The high-severity CVE-2024-5806 allows cyberattackers to authenticate to the file-transfer platform as any valid user, with accompanying privileges.

A high-severity security vulnerability in Progress Software's MOVEit Transfer software could allow cyberattackers to get around the platform's authentication mechanisms — and it's being actively exploited in the wild just hours after it was made public.

MOVEit Transfer is an application for file sharing and collaboration in large-scale enterprises; it was infamously targeted last year in a rash of Cl0p ransomware attacks that affected at least 160 victims, including British Airways, the state of Maine, Siemens, UCLA, and more. The level of mass exploitation was such that it materially affected the results of this year's "Data Breach Investigations Report" (DBIR) from Verizon.

The new bug (CVE-2024-5806, CVSS: 7.4) is an improper authentication vulnerability in MOVEit's SFTP module that "can lead to authentication bypass in limited scenarios," according to Progress' security advisory on the issue today, which also includes patching information. It affects versions from 2023.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6, and from 2024.0.0 before 2024.0.2 of MOVEit Transfer.

Admins should patch the issue immediately — not only is MOVEit on cybercriminals' radar screens after the events of last year, but the ability to access internal files at Fortune 1000 companies is a juicy plum for any espionage-minded advanced persistent threat (APT). And, according to a short note from the nonprofit Shadowserver Foundation, "very shortly after vulnerability details were published today we started observing Progress MOVEit Transfer CVE-2024-5806 POST /guestaccess.aspx exploit attempts." It also reported that there are at least 1,800 exposed instances online (though not all of them are vulnerable).

Progress didn't provide any details on the bug, but researchers at watchTowr, who called the vulnerability "truly bizarre," have been able to determine two attack scenarios. In one case, an attacker could perform "forced authentication" using a malicious SMB server and a valid username (enabled by a dictionary-attack approach).

In another, more dangerous attack, a threat actor could impersonate any user on the system. "\[We can\] upload our SSH public key to the server without even logging in, and then use that key material to allow us to authenticate as anyone we want," according to watchTowr's post. "From here, we can do anything the user can do — including reading, modifying, and deleting previously protected and likely sensitive data."

**About the Author(s)**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Fresh MOVEit Bug Under Attack Mere Hours After Disclosure

More than 200 regional and national government agencies have been impacted by the ransomware attack, and few of them are once again operational.

Source: Peter Treanor via Alamy Stock Photo

A cybercrime group is demanding $8 million after compromising Indonesia's national data center — an amount the government is refusing to pay.

More than 200 government agencies have been disrupted by the cyberattack since June 20, according to Samuel Abrijani Pangerapan, director general of informatics applications with the Communications and Informatics Ministry. He told the Associated Press that these agencies are at both the regional and national levels, and though some of them have returned to operations (such as immigration at airports), others are still not yet operational. 

According to Herlan Wijanarko, Indonesia's director of network and IT solutions, the threat actors are holding data hostage and offering a key to access the information in exchange for the $8 million ransom.

Communication and Informatics Minister Budi Arie Setiadi, however, told the AP that the government will not pay the ransom. Instead the National Cyber and Crypto Agency is carrying out forensics as the center does its best to recover from the attack.

The head of the crypto agency also noted that it detected a sample of LockBit 3.0 ransomware.

"The disruption to the national data center and days-long needed to recover the system means this ransomware attack was extraordinary," said Pratama Persadha, Indonesia's Cybersecurity Research Institute chairman. "It shows that our cyber infrastructure and its server systems were not being handled well."

This is the most severe cyberattack on the country's government agencies and companies since 2017.

**About the Author(s)**

Source

DARKReading