The threat actor is deploying multiple connections into victim environments to maintain persistence and steal data.

Source: RooM the Agency via Alamy Stock Photo

An advanced persistent threat (APT) group known as ToddyCat is collecting data on an industrial scale from government and defense targets in the Asia-Pacific region.

Researchers from Kaspersky tracking the campaign described the threat actor this week as using multiple simultaneous connections into victim environments to maintain persistence and to steal data from them. They also discovered a set of new tools that ToddyCat (which is a common name for the Asian palm civet) is using to enable data collection from victim systems and browsers.

**Multiple Traffic Tunnels in ToddyCat Cyberattacks**

"Having several tunnels to the infected infrastructure implemented with different tools allow \[the\] attackers to maintain access to systems even if one of the tunnels is discovered and eliminated," Kaspersky security researchers said in a blog post this week. "By securing constant access to the infrastructure, \[the\] attackers are able to perform reconnaissance and connect to remote hosts."

ToddyCat is a likely Chinese-language speaking threat actor that Kaspersky has been able to link to attacks going back to at least December 2020. In its initial stages, the group appeared focused on just a small number of organizations in Taiwan and Vietnam. But the threat actor quickly ramped up attacks following the public disclosure of the so-called ProxyLogon vulnerabilities in Microsoft Exchange Server in February 2021. Kaspersky believes ToddyCat might have been among a group of threat actors that targeted the ProxyLogon vulnerabilities even prior to February 2021, but says it has not found evidence yet to back up that conjecture.  

In 2022, Kaspersky reported finding ToddyCat actors using two sophisticated new malware tools dubbed Samurai and Ninja to distribute China Chopper — a well-known commodity Web shell used in the Microsoft Exchange Server attacks — on systems belonging to victims in Asia and Europe.

**Maintaining Persistent Access, Fresh Malware**

Kaspersky's latest investigation into ToddyCat's activities showed the threat actor's tactic to maintain persistent remote access to a compromised network is to establish multiple tunnels to it using different tools. These include using a reverse SSH tunnel to gain access to remote network services; using SoftEther VPN, an open source tool that enables VPN connections via OpenVPN, L2TP/IPSec, and other protocols; and using a lightweight agent (Ngrok) to redirect command-and-control from an attacker-controlled cloud infrastructure to target hosts in the victim environment.

In addition, Kaspersky researchers found ToddyCat actors to be using a fast reverse proxy client to enable access from the Internet to servers behind a firewall or network address translation (NAT) mechanism.

Kaspersky's investigation also showed the threat actor using at least three new tools in its data-collection campaign. One of them is malware that Kaspersky had dubbed "Cuthead" that allows ToddyCat to search for files with specific extensions or words on the victim network, and to store them in an archive.

Another new tool that Kaspersky found ToddyCat using is "WAExp." The malware's task is to search for and collect browser data from the Web version of WhatsApp. 

"For users of the WhatsApp web app, their browser local storage contains their profile details, chat data, the phone numbers of users they chat with and current session data," Kaspersky researchers said. WAExp allows the attacks to gain access to this data by copying the browser's local storage files, the security vendor noted.  

The third tool meanwhile is dubbed "TomBerBil," and allows ToddyCat actors to steal passwords from Chrome and Edge browsers.

"We looked at several tools that allow the attackers to maintain access to target infrastructures and automatically search for and collect data of interest," Kaspersky said. "The attackers are actively using techniques to bypass defenses in an attempt to mask their presence in the system."

The security vendor recommends that organizations block IP addresses of cloud services that provide traffic tunneling and limit the tools that administrators can use to access hosts remotely. Organizations also need to either remove or closely monitor any unused remote access tools in the environment and encourage users not to store passwords in their browsers, Kaspersky said.

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

ToddyCat APT Is Stealing Data on 'Industrial Scale'

An open direct vulnerability in the Nespresso Web domain lets attackers bypass detection as they attempt to steal victims' Microsoft credentials.

Source: GOIMAGES via Alamy Stock Photo

A phishing campaign exploiting a bug in Nespresso's website has been able to evade detection by taking advantage of security tools that fail to look for malicious nested or hidden links.

The campaign starts with a phishing email that appears to have been sent from an employee with Bank of America, with a message to "please check your recent \[Microsoft\] sign-in activity." If a target clicks, they are then directed to a legitimate but infected URL controlled by Nespresso. according to research today from Perception Point.

Because the address is legitimate, the hijacked Nespresso site triggers no security warnings, the report explained. The Nespresso URL then delivers a malicious .html file doctored up to look like a Microsoft login page, intended to capture the victim's credentials, the Perception Point team added.

The attackers are making use of an open redirect vulnerability in the coffee giant's webpage, the researchers explained: "Open redirect vulnerabilities occur when an attacker manages to redirect users to an external, untrusted URL through a trusted domain. This is possible when a website or URL allows data to be controlled from an external source."

Attackers know that some security vendors "only inspect the initial link, not digging further to discover any hidden or embedded links," they added. "With this knowledge, it makes sense that the attacker would host the redirect on Nespresso, as the legitimate domain would likely be sufficient to bypass many security vendors, detecting only the reputable URL and not the subsequent malicious ones."

This particular campaign has been launched from several different sender domains, but it consistently uses the infected Nespresso URL and the fake Bank of America email in the cyberattacks, the report added. According to Perception Point, the redirect has not yet been fixed.

“We were alerted of a phishing attempt, where a modified redirection website link disguised as a Nespresso address was used to try to obtain personal credentials from people (not necessarily Nespresso customers)," a spokesperson tells Dark Reading. "We can confirm that our customers’ data has not been compromised in any way. We ask everyone to be aware and vigilant of emails that redirect them to unknown websites.”

Nespresso Domain Serves Up Steamy Cup of Phish, No Cream or Sugar

The irony is lost on few, as a nation-state threat actor used eight MITRE techniques to breach MITRE itself — including exploiting the Ivanti bugs that attackers have been swarming on for months.

Source: Kristoffer Tripplaar via Alamy Stock Photo

Foreign nation-state hackers have used vulnerable Ivanti edge devices to gain three months' worth of "deep" access to one of MITRE Corp.'s unclassified networks.

MITRE, steward of the ubiquitous ATT&CK glossary of commonly known cyberattack techniques, previously went 15 years without a major incident. The streak snapped in January when, like so many other organizations, its Ivanti gateway devices were exploited.

The breach affected the Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified, collaborative network the organization uses for research, development, and prototyping. The extent of the NERVE damage (pun intended) is currently being assessed.

Dark Reading reached out to MITRE to confirm the timeline and details of the attack. MITRE did not provide further clarification.

**MITRE's ATT&CK**

Stop me if you've heard this one before: In January, after an initial reconnaissance period, a threat actor exploited one of the company's virtual private networks (VPNs) through two Ivanti Connect Secure zero-day vulnerabilities (ATT&CK technique T1190, Exploit Public-Facing Applications).

According to a blog post from MITRE's Center for Threat-Informed Defense, the attackers bypassed the multifactor authentication (MFA) protecting the system with some session hijacking (MITRE ATT&CK T1563, Remote Service Session Hijacking).

They attempted to leverage several different remote services (T1021, Remote Services), including the Remote Desktop Protocol (RDP) and Secure Shell (SSH), to gain access to a valid administrator account (T1078, Valid Accounts). With it, they pivoted and "dug deep" into the network's VMware virtualization infrastructure.

There, they deployed Web shells (T1505.003, Server Software Component: Web Shell) for persistence, and backdoors to run commands (T1059, Command and Scripting Interpreter) and steal credentials, exfiltrating any stolen data to a command-and-control server (T1041, Exfiltration Over C2 Channel). To hide this activity, the group created its own virtual instances to run within the environment (T1564.006, Hide Artifacts: Run Virtual Instance).

**MITRE's Defense**

"The impact of this cyberattack should not be taken lightly," says Darren Guccione, CEO and co-founder at Keeper Security, highlighting "both the foreign ties of the attackers and the ability of the attackers to exploit two serious zero-day vulnerabilities in their quest to compromise MITRE’s NERVE, which could potentially expose sensitive research data and intellectual property."

He posits, "Nation-state actors often have strategic motivations behind their cyber operations, and the targeting of a prominent research institution like MITRE, that works on behalf of the US government, could be just one component of a larger effort."

Whatever its goals were, the hackers had ample time to carry them out. Though the compromise occurred in January, MITRE was only able to detect it in April, leaving a quarter-year gap in between.

"MITRE followed best practices, vendor instructions, and the government’s advice to upgrade, replace, and harden our Ivanti system," the organization wrote on Medium, "but we did not detect the lateral movement into our VMware infrastructure. At the time we believed we took all the necessary actions to mitigate the vulnerability, but these actions were clearly insufficient."

Editor's note: An earlier version of the story attributed the attacks to UNC5221. That attribution has not been made at this time.

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

MITRE ATT&amp;CKED: InfoSec's Most Trusted Name Falls to Ivanti Bugs

Though organizations are increasingly incorporating zero-trust strategies, for many, these strategies fail to address the entirety of an operation, according to Gartner.

Source: Artemis Diana via Alamy Stock Photo

According to the latest research by Gartner Inc., 63% of organizations globally have implemented a zero-trust strategy into their operations, whether that be partially or fully. 

More than half (56%) of that group said they were doing so because a zero-trust approach is considered to be "an industry best practice." However, a zero-trust strategy often addresses only half of an organization's environment, at most, in many cases, said John Watts, vice president analyst and KI leader at Gartner. 

"Enterprises are not sure what top practices are for zero-trust implementations," he noted in the firm's announcement on the survey, which was conducted in the fourth quarter of 2023.

Gartner has three recommendations for security leaders looking to implement a zero-trust strategy: recognize the scope of what it can reasonably cover (which usually is not the entirety of an organization); incorporate metrics to measure success and risk, and keep your audience in mind when communicating such information; and prepare for an increase in staffing and costs.

These practices potentially can make the transition to zero trust more successful and beneficial to organizations. While 35% of organizations reported failures that interrupted their implementation of zero-trust strategies, Watts added that "organizations should have a zero-trust strategic plan outlining operational metrics and measure the effectiveness of zero-trust policies in order to minimize delays."

**About the Author(s)**

Zero Trust Takes Over: 63% of Orgs Implementing Globally

The five intelligence sources that power social engineering scams.

Source: LightField Studios Inc. via Alamy Stock Photo

COMMENTARY

Social engineering is one of the most prevalent attack vectors used by cyber scammers to infiltrate organizations. These manipulative attacks typically are executed in four phases: 

1.  Information gathering (attacker gathers information about the target)
    
2.  Relationship development (attacker engages the target and earns their trust)
    
3.  Exploitation (attacker persuades the target to carry out an action)
    
4.  Execution (the information collected through exploitation is operationalized to execute the attack)
    

The first phase obviously is the most important — without the right information, it can be difficult to execute a targeted social engineering attack. 

**Five Sources of Intelligence**

So how do attackers gather data about their targets? There are five sources of intelligence cybercriminals can use to gather and analyze information about their targets. They are:

1\. OSINT (open source intelligence)

OSINT is a technique hackers use to collect and assess publicly available information about organizations and their people. Threat actors can use OSINT tools to learn about their target's IT and security infrastructure; exploitable assets such as open ports and email addresses; IP addresses; vulnerabilities in websites, servers, and IoT (Internet of Things) devices; leaked or stolen credentials; and more. Attackers weaponize this information to launch social engineering attacks.

2\. SOCMINT (social media intelligence)

Although SOCMINT is a subset of OSINT, it deserves a mention. Most people voluntarily expose personal and professional details about their lives on popular social media platforms: their headshot, their interests and hobbies, their family, friends and connections, where they live and work, their current job position, and lots of other details. Using SOCINT tools such as Social Analyzer, Whatsmyname, and NameCheckup.com, attackers can filter social media activity and information about an individual and design targeted social engineering scams. 

3\. ADINT (advertising intelligence)

Say you download a free chess app on your phone. There's a small area on the app that serves location-based ads from sponsors and event organizers, updating users on local players, events, and chess meetups. Whenever this ad gets displayed, the app shares certain details about the user with the advertising exchange service, which includes things like IP addresses, the type of operating system in use (iOS or Android), the name of the mobile phone carrier, the user's screen resolution, GPS coordinates, etc. Typically, ad exchanges store and process this information for serving up relevant ads based on user interest, activity, and location. Ad exchanges also sell this valuable data. What if a threat actor or a rogue government buys this information? That's exactly what intelligence agencies and adversaries have been doing to track activity and hack their targets. 

4\. DARKINT (Dark Web intelligence)

The Dark Web is a billion-dollar illicit marketplace transacting corporate espionage services, DIY ransomware kits, drugs and weapons, human trafficking, et al. Billions of stolen records (personally identifiable information, healthcare records, banking and transaction data, corporate data, compromised credentials) are available for purchase on the Dark Web. Threat actors can purchase off-the-shelf data and mobilize it for their social engineering schemes. They can also choose to outsource professionals who will socially engineer people on their behalf or discover hidden vulnerabilities in target organizations. In addition, there are hidden online forums and instant messaging platforms (such as Telegram) where people can access information about potential targets. 

5\. AI-INT (AI intelligence)

Some analysts are calling AI the sixth intelligence discipline, on top of the five core disciplines. With recent advancements in generative AI technology like Google Gemini and ChatGPT, it's not hard to imagine cybercriminals deploying AI tools to mine, assimilate, process, and filter information about their targets. Threat researchers are already reporting the presence of malicious AI-based tools that are popping up in Dark Web forums such as FraudGPT and WormGPT. Such tools can significantly reduce the research time for social engineers and provide actionable information they can use to execute social engineering schemes. 

**What Can Businesses Do to Mitigate Social Engineering Attacks?**

The root cause of all social engineering attacks is information and the careless handling of it. If businesses and employees can reduce their information exposure, they will lower social engineering attacks by a significant degree. Here's how:

*   Train staff monthly: Using phishing simulators and classroom training, teach employees to avoid posting sensitive or personal information about themselves, their families, their coworkers, or the organization.
    
*   Draft AI-use policies: Make it clear to employees what is acceptable and unacceptable online behavior. For example, prompting ChatGPT with a line of code or proprietary data is unacceptable; responding to unusual or suspicious requests without proper verification is unacceptable.
    
*   Leverage the same tools hackers use: Use the same intelligence sources highlighted above to proactively understand how much information about your organization, your people, and your infrastructure is available online. Develop an ongoing process to reduce that exposure.
    

Good cybersecurity hygiene begins with clamping down on root causes. The root cause behind 80% to 90% of all cyberattacks is attributed to social engineering and bad judgement. Organizations must focus on two things primarily: reducing information exposure and controlling human behavior via training exercises and education. By applying efforts in these two areas, organizations can significantly reduce their threat exposure and the potential downstream impact of that exposure.

**About the Author(s)**

Founder & CEO, KnowBe4, Inc.

Stu Sjouwerman is founder and CEO of KnowBe4, provider of the world’s largest security awareness training and simulated phishing platform used by more than 65,000 organizations around the globe. He was co-founder of Sunbelt Software, the anti-malware software company acquired in 2010. He is the author of four books, including Cyberheist: The Biggest Financial Threat Facing American Businesses.

Where Hackers Find Your Weak Spots

SecOps highlights this week include the executive role in "cyber readiness;" Cisco's Hypershield promise; and Middle East cyber ops heat up.

Source: Panther Media GmbH via Alamy Stock Photo

Welcome to CISO Corner, Dark Reading's weekly digest of articles tailored specifically to security operations readers and security leaders. Every week, we'll offer articles gleaned from across our news operation, The Edge, DR Technology, DR Global, and our Commentary section. We're committed to bringing you a diverse set of perspectives to support the job of operationalizing cybersecurity strategies, for leaders at organizations of all shapes and sizes.

**In This Issue of CISO Corner:**

*   GPT-4 Can Exploit Most Vulns Just by Reading Threat Advisories
    
*   Break Security Burnout: Combining Leadership With Neuroscience
    
*   Global: Cyber Operations Intensify in Middle East, With Israel the Main Target
    
*   Cisco's Complex Road to Deliver on Its Hypershield Promise
    
*   Rebalancing NIST: Why 'Recovery' Can't Stand Alone
    
*   3 Steps Executives and Boards Should Take to Ensure Cyber Readiness
    
*   Rethinking How You Work With Detection and Response Metrics
    

**GPT-4 Can Exploit Most Vulns Just by Reading Threat Advisories**

By Nate Nelson, Contributing Writer, Dark Reading

A slicker phishing lure and some basic malware was about all threat actors have been able to squeeze out of artificial intelligence (AI) and large language model (LLM) tools so far — but that's about to change, according to a team of academics.

Researchers at the University of Illinois Urbana-Champaign have demonstrated that by using GPT-4 they can automate the process of gathering threat advisories and exploiting vulnerabilities as soon as they are made public. In fact, GPT-4 was able to exploit 87% of vulnerabilities it was tested against, according to the research. Other models weren't as effective.

Although the AI technology is new, the report advises that in response, organizations should tighten up tried-and-true best security practices, particularly patching, to defend against automated exploits enabled by AI. Moving forward, as adversaries adopt more sophisticated AI and LLM tools, security teams might consider using the same technologies to defend their systems, the researchers added. The report pointed to automating malware analysis a promising use-case example.

Read more: GPT-4 Can Exploit Most Vulns Just by Reading Threat Advisories

Related: First Step in Securing AI/ML Tools Is Locating Them

**Break Security Burnout: Combining Leadership With Neuroscience**

By Elizabeth Montalbano, Contributing Writer, Dark Reading

Widely reported burnout among cybersecurity professionals is only getting worse. It starts at the top with pressure on CISOs mounting from all sides — regulators, boards, shareholders, and customers — to assume all the responsibility for an entire organization's security, without much control of budgeting or priorities. Wider enterprise cybersecurity teams are wearing down too under the weight of putting in long, stressful hours to prevent seemingly inevitable cyberattacks.

Certainly awareness of the stress and strain driving talent away from the cybersecurity profession is widely acknowledged, but workable solutions have been elusive.

Now two professionals looking to break what they call the "security fatigue cycle" say leaning on neuroscience can help. Peter Coroneros, founder of Cybermindz and Kayla Williams, CISO of Devo, have come together to advocate for more empathetic leadership informed by a better understanding of mental health, and will be presenting their ideas in more detail at this year's RSA Conference.

For example, they found tools like iRest (Integrative Restoration) attention training techniques, which have been used for 40 years by US and Australian militaries help people under chronic stress get out of the "flight-or-flight" state and relax. iRest could also be a useful tool for frazzled cybersecurity teams, they said.

Read more: Break Security Burnout: Combining Leadership With Neuroscience

**Global: Cyber Operations Intensify in Middle East, With Israel the Main Target**

By Robert Lemos, Contributing Writer, Dark Reading

The unraveling crisis in the Middle East continues to produce historic volumes of cyberattacks to support military operations.

There are two categories of adversary groups at work, according to experts — nation-state threat actors working as an arm of a military operation and hacktivist groups attacking willy-nilly based on opportunity and a victim's perceived proximity to the group's enemies.

Israel's National Cyber Directive boss said Iranian- and Hezbollah-affiliated groups have been trying to take down the country's networks "around the clock."

Cybersecurity experts warns Israel should prepare for destructive cyberattacks to continue as the Iran-Israel cyber conflict escalates.

Read more: Cyber Operations Intensify in Middle East, With Israel the Main Target

Related: Iran-Backed Hackers Blast Out Threatening Texts to Israelis

**Cisco's Complex Road to Deliver on Its Hypershield Promise**

By Robert Lemos, Contributing Writer

Cisco's big reveal of its AI-powered cloud security platform Hypershield was big on buzzwords and left industry watchers with questions about how the tool is going to deliver on its pitch.

Automated patching, anomalous behavior detection and blocking, AI-agents maintaining real-time security controls around every workload, and a new "digital twin" approach are all touted as Hypershield features.

The modern approach would be a major step forward "If they pull it off," David Holmes, a principal analyst with Forrester Research said.

Jon Oltisk, analyst emeritus at Enterprise Strategy Group, compared Hypershield's ambitions to the development of driver-assist features in cars, "The trick is how it comes together."

Cisco Hypershield is scheduled for release in August.

Read more: Cisco's Complex Road to Deliver on Its Hypershield Promise

Related: First Wave of Vulnerability-Fixing AIs Available for Developers

**Rebalancing NIST: Why 'Recovery' Can't Stand Alone**

Commentary By Alex Janas, Field Chief Technology Officer, Commvault

Although NIST's new guidance on data security is an important basic overview, but falls short on offering best practices for how to recover from a cyberattack once it's already happened.

Today, organizations need to assume they have been, or will be, breached and plan accordingly. That advice is perhaps even more important than the other elements of the new NIST framework, this commentary argues.

Companies should immediately work to address any gaps in cybersecurity preparedness and response playbooks.

Read more: Rebalancing NIST: Why 'Recovery' Can't Stand Alone

Related: NIST Cybersecurity Framework 2.0: 4 Steps to Get Started

**3 Steps Executives and Boards Should Take to Ensure Cyber Readiness**

Commentary By Chris Crummey, Director, Executive & Board Cyber Services, Sygnia

Working to develop an effective and tested incident response plan is the best thing executives can do to prepare their organization for a cyber incident. Most major mistakes happen in the first "golden hour" of a cyber incident response, the commentary explains. That means ensuring every member of the team has a well-defined role and can get to work quickly on finding the best path forward, and crucially, not making remediation errors that can upend recovery timelines.

Read more: 3 Steps Executives and Boards Should Take to Ensure Cyber Readiness

Related: 7 Things Your Ransomware Response Playbook Is Likely Missing

**Rethinking How You Work With Detection and Response Metrics**

By Jeffrey Schwartz, Contributing Writer, Dark Reading

During the recent Black Hat Asia conference Allyn Stott, senior staff engineer with Airbnb challenged every security professional to rethink the role metrics play in their organization's threat detection and response.

Metrics drive better performance and help cybersecurity managers demonstrate how detection and response program investment translates into less business risk to leadership.

The single most important security operations center metric: alert volume, Stott explained. He added looking back over his past work, he regrets how much he leaned on the MITRE ATT&CK framework. He recommends incorporating others including SANS SABRE framework and Hunting Maturity Model.

Read more: Rethinking How You Work With Detection and Response Metrics

Related: SANS Institute Research Shows What Frameworks, Benchmarks, and Techniques Organizations Use on their Path to Security Maturity

CISO Corner: Breaking Staff Burnout, GPT-4 Exploits, Rebalancing NIST

PRESS RELEASE

TEL AVIV, Israel -- (BUSINESS WIRE)-- Miggo, a cybersecurity startup introducing the first Application Detection and Response (ADR) platform, announced today $7.5 million in seed funding led by global cybersecurity VC firm YL Ventures with the participation of CCL (Cyber Club London), cybersecurity leaders from Elastic and Everon and former CISOs of Google, Zscaler and Nike. Miggo's ADR platform addresses a critical gap in application security by enabling security teams to detect and respond to targeted application attacks in real-time.

2023 saw a rise in high-profile application attacks that went undetected by traditional tools. The MOVEit, Microsoft SharePoint, Ivanti Gateway and GoAnywhere breaches highlight critical AppSec blind spots of application behavior in runtime and how attackers are hedging their bets on this well-known, ongoing security gap. According to Justin Somaini, Partner at YL Ventures and former CISO of Unity, SAP and Yahoo!, “Applications in production constitute one of the few true blind spots of today’s security programs. Last year’s incidents alone underscore how critically we need to secure the application layer. This is a space that still needs a lot of innovation to address what traditional tools cannot.”

Today, applications are the primary target of nearly 80% of data attacks, according to Verizon’s 2023 Data Breach Investigations Report. More recent shifts to distributed application architecture, which requires multiple chains of trust between different services, have further broadened the domain’s threat landscape. Attackers can manipulate flows between services without detecting existing security sensors like EDR, WAF and CNAPP tools. The only way to identify such malicious activity is with direct views into applications while they're running.

Under the leadership of Daniel Shechter, CEO and co-founder, and Itai Goldman, CTO and co-founder, Miggo developed a platform that analyzes interactions and data flows within applications to detect and mitigate attacks before they can escalate into breaches. "We need to proactively tackle this massive and largely unseen attack surface. Not only do we need precise detection and response for unexpected behaviors directly in live application environments, but also insight and understanding into the inner workings of today’s distributed applications as they run," explained Shechter.

Miggo's technology precisely discovers and maps the architecture of distributed applications to establish behavioral baselines and monitor for deviations from intended design or code execution flows. Leveraging live in-application context, Miggo determines if a deviation indicates that the application is exploitable, under active exploitation or backdoored, and initiates targeted mitigations to contain breaches by pinpointing the offender and affected areas to recommend precise remediation strategies.

The combined ability to detect live threats to applications and respond within the applications themselves are key innovations, according to CISO Mike Melo. “Miggo is finally providing transparency for our most significant attack vector with the exact tools each stakeholder requires to protect and defend mission-critical assets. ADR is the unified solution we need to not only give us application-layer visibility and control but also dramatically lower our mean time to detect and respond to application attacks,” he said.

Discover how Miggo can safeguard your applications against the next generation of cyber threats. Visit miggo.io for more information and to schedule a demo.

About Miggo  
Miggo is the first Application Detection and Response platform, providing the visibility, response and understanding you need to prevent application breaches. Using in-application context to shed light on your biggest attack surface, Miggo’s ADR enables businesses to monitor how applications behave in runtime and stop attackers from manipulating chains of trust between distributed services. With Miggo, monitor application weak spots and identify and mitigate attacks in real-time. Visit miggo.io for more information.

About YL Ventures  
YL Ventures funds and supports visionary cybersecurity entrepreneurs from seed to scale to help them evolve transformative ideas into market-leading companies. The firm accelerates company growth with tailored support through its powerful network of Chief Information Security Officers, global industry leaders and a dedicated team of multidisciplinary experts. Based in Silicon Valley, New York and Tel Aviv, YL Ventures manages five funds with $800M in total AUM. The firm has a track record of seeding cybersecurity unicorns such as Axonius and Orca Security and its portfolio companies have been successfully acquired by high-profile, global industry leaders including Palo Alto Networks, Microsoft, Okta and Proofpoint. In 2022, YL Ventures ranked 8th out of over 250 venture capital firms in PitchBook’s prestigious Global Manager Performance Score League Tables and was the only cybersecurity-focused VC to secure a top 10 spot.

Miggo Launches Application Detection and Response (ADR) Solution

Chinese actors are ready and poised to do "devastating" damage to key US infrastructure services if needed, he said.

Source: KaimDH via Shutterstock

FBI Director Christopher Wray this week delivered what might be the starkest warning yet on the threat that China-backed hackers pose to US national and economic security.

In remarks at a Vanderbilt University\-hosted summit on modern conflict and emerging threats, Wray described Chinese hackers as outnumbering FBI personnel by at least 50 to 1 and standing poised to "wreak havoc" on US critical infrastructure at a moment's notice.

**Immediate and Imminent Threat**

Stakeholders across private industry and government need to treat the threat as immediate and implement plans to fortify networks and respond to attacks now, the nation's leading law enforcement official said.

"The \[People's Republic of China\] has made it clear that it considers every sector that makes our society run as fair game in its bid to dominate on the world stage," Wray said. "Its plan is to land low blows against civilian infrastructure to try to induce panic and break America's will to resist."

Wray's comments build on repeated warnings in recent months from US officials — and the FBI itself — about a dangerous and systematic escalation in Chinese targeting of networks and systems belonging to organizations in critical infrastructure sectors. Wray and others have repeatedly described the intrusions as attempts by Chinese hackers to methodically pre-position themselves for attacks designed to disrupt telecommunications, energy, water, technology and other critical infrastructure services when needed.

China's cyberattackers are "giving the Chinese government the ability to wait for just the right moment to deal a devastating blow," Wray said. Beijing, he added, is building a capability to deter any US attempts to intervene in the event of a crisis between China and Taiwan.

**Multifaceted Attacks**

The ongoing attempts by Chinese hackers to establish and maintain a presence on critical infrastructure adds to the pressure that US organizations have had to deal with for more than a decade from China-backed cyber-espionage and cybercriminal groups. To support economic initiatives like Made in China 2025 and multiple separate five-year plans, Beijing has for years deployed cyber groups to systematically steal intellectual property and trade secrets from companies in key competitive sectors, Wray said.

Targets have included organizations in fields as diverse as biotech, aviation, artificial intelligence, agriculture, and healthcare. "The PRC is engaged in the largest and most sophisticated theft of intellectual property and expertise in the history of the world," Wray noted. "You could close your eyes and pull an industry or sector out of a hat and, chances are, Beijing has targeted it."

In recent months, the Volt Typhoon group has been one of the most visible faces of what the US regards as China's untrammeled aggression in cyberspace. The US Cybersecurity and Infrastructure Security Agency (CISA) and security vendors have, on multiple occasions this year, reported on the threat actor's intrusions into US critical infrastructure networks and operational technology environments with a view to gaining a presence on these networks and lying in wait for instructions to attack. Last year, The New York Times identified Volt Typhoon hitting military bases, prompting worried Biden administration officials to admit that the threat actor's malware was more endemic on US networks than previously thought.

**"Scattershot" and "Indiscriminate" Attacks**

Wray pointed to widespread attacks in 2021 that exploited zero-day vulnerabilities in Microsoft Exchange Server as one of the "most egregious examples" of China's "scattershot, indiscriminate, cyber campaigns," in recent memory. Those attacks involved China-backed Hafnium group deploying Web shells for remote access on thousands of corporate systems. The FBI — in an unprecedented move at the time — later obtained a court order to remotely remove those Web shells from thousands of infected systems before the threat actor could use them to inflict further damage.

In response to the growing threat, the FBI has mobilized its own field offices in the US and around the world to address the threat, Wray said. The agency is also working with US Cyber Command, the CIA, and foreign law enforcement agencies to disrupt Chinese hacking operations. The effort has included going after known hackers, malware developers, and the owners of support infrastructure like bulletproof hosting services and money launderers.

Private sector organizations can do their part by being more diligent about their cyber defense and response mechanisms and by sharing information that can prevent nascent threats from "metastasizing to other sectors" and businesses, Wray said. "We've seen the best outcomes in situations where a company made a habit of reaching out to their local FBI field office even before there was any indication of a problem, because that put everyone on the same page and contributed to the company's readiness."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

FBI Director Wray Issues Dire Warning on China's Cybersecurity Threat

A ransomware gang claimed responsibility for the attack, though it is unknown if a ransom was demanded or paid.

The UN City building located in Copenhagen, DenmarkSource: BERK OZDEMIR via Alamy Stock Photo

The United Nations Development Programme (UNDP) became the victim of a cyberattack in late March, which also impacted the IT infrastructure of the city of Copenhagen, Denmark. 

The UNDP received word of a data-extortion actor stealing its data, some of it related to human resources and procurement. 

As the agency continues to assess the scope of the attack, the UNDP noted in a statement that "actions were immediately taken to identify a potential source and contain the affected server."

The UNDP determined which data was exposed and who is at risk because of the breach. It's also been in contact with those who have been impacted, as well as with stakeholders, such as UN system partners. 

Though the UNDP has not confirmed who the threat actor was, 8Base, a ransomware gang, updated its website in early April, listing UNDP as one of its victims, along with three other entities. The group commented that information such as personal data, certificates, "a huge amount of confidential information," and invoices, among other things, were uploaded to the servers.

UNDP made no subsequent comment and didn't address whether a ransom has been demanded or paid.

**About the Author(s)**

UNDP, City of Copenhagen Targeted in Data-Extortion Cyberattack

CryptoChameleon attackers trade quantity for quality, dedicating time and resources to trick even the most diligent user into handing over their high-value credentials.

Source: II.studio via Shutterstock

An ongoing, highly sophisticated phishing campaign may have led some LastPass users to give up their all-important master passwords to hackers.

Password managers store all of a user's passwords — for Instagram, their job, and everything in between — in one place, protected by one "master" password. They unburden users from having to remember credentials for hundreds of accounts, and empower them to use more complicated, unique passwords for each account. On the other hand, if a threat actor gains access to the master password, they'll have keys to every single one of the accounts within.

Enter CryptoChameleon, a new, hands-on phishing kit of unparalleled realism. 

CryptoChameleon attacks tend not to be so widespread, but they're successful at a clip largely unseen across the cybercrime world, "which is why we typically see this targeting enterprises and other very high-value targets," explains David Richardson, vice president of threat intelligence at Lookout, which first identified and reported the latest campaign to LastPass. "A password vault is a natural extension, because you're obviously going to be able to monetize that at the end of the day."

Thus far, CryptoChameleon has managed to ensnare at least eight LastPass customers — but likely more — potentially exposing their master passwords.

**A Brief History of CryptoChameleon**

At first, CryptoChameleon looked like any other phishing kit.

Its operators had been around since late last year. In January, they began by targeting the cryptocurrency exchanges Coinbase and Binance. This initial targeting, plus its highly customizable toolset, earned it its name.

The picture changed in February, though, when they registered the domain fcc-okta\[.\]com, mimicking the Okta Single Sign On (SSO) page belonging to the US's Federal Communications Commission (FCC). "That suddenly made this rise from one of many consumer phishing kits that we see out there, to something that's going to pivot into targeting the enterprise, going after corporate credentials," Richardson recalls.

Richardson confirmed to Dark Reading that FCC employees were impacted, but could not say how many or whether the attacks led to any consequences for the agency. It was a sophisticated attack, he notes, that he expects to have worked even on trained employees.

The problem with CryptoChameleon wasn't just who it was targeting, but how well it did at defeating them. Its trick was thorough, patient, hands-on engagement with victims.

Consider, for example, the current campaign against LastPass.

It begins when a customer receives a call from an 888 number. A robo caller informs the customer that their account has been accessed from a new device. It then prompts them to press "1" to allow access, or "2" to block it. After pressing "2," they're told that they'll be receiving a call shortly from a customer service representative in order to "close the ticket."

Then the call comes in. Unbeknownst to the recipient, it's from a spoofed number. On the other end of the line is a live person, typically with an American accent. Other CryptoChameleon victims have also reported speaking with British agents.

"The agent has professional call center communication skills, and offers genuinely good advice," Richardson recalls from his many conversations with victims. "So, for example, they might say: 'I want you to write down this support phone number for me.' And they have victims write down the real support phone number for whoever they're impersonating. And then they give them a whole lecture: 'Only call us on this number.' I had a victim report that they actually said, 'For quality and training purposes, this call is being recorded.' They're using the full call script, everything that you can think of to make someone believe that they're really talking to this company right now."

This supposed support agent informs the user that they'll be sending an email shortly, allowing the user to reset access to their account. In fact, this is a malicious email containing a shortened URL, directing them to a phishing site.

The helpful support agent watches in real time as the user enters their master password into the copycat site. Then they use it to log into their account, and immediately change the primary phone number, email address, and master password, thereby locking the victim out for good.

All the while, Richardson says, "They don't realize it's a scam — none of the victims I talked to. One person said, 'I don't think I ever entered my master password in there.' \[I told them\] 'You spent 23 minutes on the phone with these guys. You probably did.'"

**The Damage**

LastPass shut down the suspicious domain used in the attack — help-lastpass\[.\]com — shortly after it went live. The attackers have been persistent, though, continuing their activity under a new IP address.

With visibility into the attackers' internal systems, Richardson was able to identify at least eight victims. He also offered evidence (which Dark Reading is keeping confidential) indicating that there may have been more than that.

When asked for further information, LastPass senior intelligence analyst Mike Kosak told Dark Reading, "We do not disclose details on the number of customers who are impacted by this type of campaign, but we support any customer who may be a victim of this and other scams. We encourage people to report potential phishing scams and other nefarious activity impersonating LastPass to us at \[email protected\]."

**Is There Any Defense?**

Because hands-on CryptoChameleon attackers talk their victims through any potential security barriers like multifactor authentication (MFA), defending against them begins with awareness.

"People need to be aware that attackers can spoof phone numbers — that just because an 800 or 888 number calls you, it doesn't mean that it's legitimate," Richardson says, adding that  "just because there's an American on the other end of the line also does not mean that it's legitimate."

In fact, he says, "Don't answer the phone from unknown callers. I know that's a sad reality of the world that we live in today."

Even with all the awareness and precautionary measures known to business users and consumers, though, a particularly sophisticated social engineering attack might still get through.

"One of the CryptoChameleon victims I talked to was a retired IT professional," Richardson recalls. "He said, 'I've gotten training my whole life to not fall for these kinds of attacks. Somehow I fell for it'."

LastPass has asked Dark Reading to remind customers of the following:

*   Ignore any unsolicited or unprompted incoming phone calls (automated or with a live individual) or texts claiming to be from LastPass related to a recent attempt to change your password and/or account information. These are part of an ongoing phishing campaign. 
    
*   If you do see this activity and are concerned you may have been compromised, contact the company at \[email protected\].
    
*   And finally, LastPass will never ask you for your password.
    

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Source

DARKReading