Chinese actors are ready and poised to do "devastating" damage to key US infrastructure services if needed, he said.

Source: KaimDH via Shutterstock

FBI Director Christopher Wray this week delivered what might be the starkest warning yet on the threat that China-backed hackers pose to US national and economic security.

In remarks at a Vanderbilt University\-hosted summit on modern conflict and emerging threats, Wray described Chinese hackers as outnumbering FBI personnel by at least 50 to 1 and standing poised to "wreak havoc" on US critical infrastructure at a moment's notice.

**Immediate and Imminent Threat**

Stakeholders across private industry and government need to treat the threat as immediate and implement plans to fortify networks and respond to attacks now, the nation's leading law enforcement official said.

"The \[People's Republic of China\] has made it clear that it considers every sector that makes our society run as fair game in its bid to dominate on the world stage," Wray said. "Its plan is to land low blows against civilian infrastructure to try to induce panic and break America's will to resist."

Wray's comments build on repeated warnings in recent months from US officials — and the FBI itself — about a dangerous and systematic escalation in Chinese targeting of networks and systems belonging to organizations in critical infrastructure sectors. Wray and others have repeatedly described the intrusions as attempts by Chinese hackers to methodically pre-position themselves for attacks designed to disrupt telecommunications, energy, water, technology and other critical infrastructure services when needed.

China's cyberattackers are "giving the Chinese government the ability to wait for just the right moment to deal a devastating blow," Wray said. Beijing, he added, is building a capability to deter any US attempts to intervene in the event of a crisis between China and Taiwan.

**Multifaceted Attacks**

The ongoing attempts by Chinese hackers to establish and maintain a presence on critical infrastructure adds to the pressure that US organizations have had to deal with for more than a decade from China-backed cyber-espionage and cybercriminal groups. To support economic initiatives like Made in China 2025 and multiple separate five-year plans, Beijing has for years deployed cyber groups to systematically steal intellectual property and trade secrets from companies in key competitive sectors, Wray said.

Targets have included organizations in fields as diverse as biotech, aviation, artificial intelligence, agriculture, and healthcare. "The PRC is engaged in the largest and most sophisticated theft of intellectual property and expertise in the history of the world," Wray noted. "You could close your eyes and pull an industry or sector out of a hat and, chances are, Beijing has targeted it."

In recent months, the Volt Typhoon group has been one of the most visible faces of what the US regards as China's untrammeled aggression in cyberspace. The US Cybersecurity and Infrastructure Security Agency (CISA) and security vendors have, on multiple occasions this year, reported on the threat actor's intrusions into US critical infrastructure networks and operational technology environments with a view to gaining a presence on these networks and lying in wait for instructions to attack. Last year, The New York Times identified Volt Typhoon hitting military bases, prompting worried Biden administration officials to admit that the threat actor's malware was more endemic on US networks than previously thought.

**"Scattershot" and "Indiscriminate" Attacks**

Wray pointed to widespread attacks in 2021 that exploited zero-day vulnerabilities in Microsoft Exchange Server as one of the "most egregious examples" of China's "scattershot, indiscriminate, cyber campaigns," in recent memory. Those attacks involved China-backed Hafnium group deploying Web shells for remote access on thousands of corporate systems. The FBI — in an unprecedented move at the time — later obtained a court order to remotely remove those Web shells from thousands of infected systems before the threat actor could use them to inflict further damage.

In response to the growing threat, the FBI has mobilized its own field offices in the US and around the world to address the threat, Wray said. The agency is also working with US Cyber Command, the CIA, and foreign law enforcement agencies to disrupt Chinese hacking operations. The effort has included going after known hackers, malware developers, and the owners of support infrastructure like bulletproof hosting services and money launderers.

Private sector organizations can do their part by being more diligent about their cyber defense and response mechanisms and by sharing information that can prevent nascent threats from "metastasizing to other sectors" and businesses, Wray said. "We've seen the best outcomes in situations where a company made a habit of reaching out to their local FBI field office even before there was any indication of a problem, because that put everyone on the same page and contributed to the company's readiness."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

FBI Director Wray Issues Dire Warning on China's Cybersecurity Threat

A ransomware gang claimed responsibility for the attack, though it is unknown if a ransom was demanded or paid.

The UN City building located in Copenhagen, DenmarkSource: BERK OZDEMIR via Alamy Stock Photo

The United Nations Development Programme (UNDP) became the victim of a cyberattack in late March, which also impacted the IT infrastructure of the city of Copenhagen, Denmark. 

The UNDP received word of a data-extortion actor stealing its data, some of it related to human resources and procurement. 

As the agency continues to assess the scope of the attack, the UNDP noted in a statement that "actions were immediately taken to identify a potential source and contain the affected server."

The UNDP determined which data was exposed and who is at risk because of the breach. It's also been in contact with those who have been impacted, as well as with stakeholders, such as UN system partners. 

Though the UNDP has not confirmed who the threat actor was, 8Base, a ransomware gang, updated its website in early April, listing UNDP as one of its victims, along with three other entities. The group commented that information such as personal data, certificates, "a huge amount of confidential information," and invoices, among other things, were uploaded to the servers.

UNDP made no subsequent comment and didn't address whether a ransom has been demanded or paid.

**About the Author(s)**

UNDP, City of Copenhagen Targeted in Data-Extortion Cyberattack

CryptoChameleon attackers trade quantity for quality, dedicating time and resources to trick even the most diligent user into handing over their high-value credentials.

Source: II.studio via Shutterstock

An ongoing, highly sophisticated phishing campaign may have led some LastPass users to give up their all-important master passwords to hackers.

Password managers store all of a user's passwords — for Instagram, their job, and everything in between — in one place, protected by one "master" password. They unburden users from having to remember credentials for hundreds of accounts, and empower them to use more complicated, unique passwords for each account. On the other hand, if a threat actor gains access to the master password, they'll have keys to every single one of the accounts within.

Enter CryptoChameleon, a new, hands-on phishing kit of unparalleled realism. 

CryptoChameleon attacks tend not to be so widespread, but they're successful at a clip largely unseen across the cybercrime world, "which is why we typically see this targeting enterprises and other very high-value targets," explains David Richardson, vice president of threat intelligence at Lookout, which first identified and reported the latest campaign to LastPass. "A password vault is a natural extension, because you're obviously going to be able to monetize that at the end of the day."

Thus far, CryptoChameleon has managed to ensnare at least eight LastPass customers — but likely more — potentially exposing their master passwords.

**A Brief History of CryptoChameleon**

At first, CryptoChameleon looked like any other phishing kit.

Its operators had been around since late last year. In January, they began by targeting the cryptocurrency exchanges Coinbase and Binance. This initial targeting, plus its highly customizable toolset, earned it its name.

The picture changed in February, though, when they registered the domain fcc-okta\[.\]com, mimicking the Okta Single Sign On (SSO) page belonging to the US's Federal Communications Commission (FCC). "That suddenly made this rise from one of many consumer phishing kits that we see out there, to something that's going to pivot into targeting the enterprise, going after corporate credentials," Richardson recalls.

Richardson confirmed to Dark Reading that FCC employees were impacted, but could not say how many or whether the attacks led to any consequences for the agency. It was a sophisticated attack, he notes, that he expects to have worked even on trained employees.

The problem with CryptoChameleon wasn't just who it was targeting, but how well it did at defeating them. Its trick was thorough, patient, hands-on engagement with victims.

Consider, for example, the current campaign against LastPass.

It begins when a customer receives a call from an 888 number. A robo caller informs the customer that their account has been accessed from a new device. It then prompts them to press "1" to allow access, or "2" to block it. After pressing "2," they're told that they'll be receiving a call shortly from a customer service representative in order to "close the ticket."

Then the call comes in. Unbeknownst to the recipient, it's from a spoofed number. On the other end of the line is a live person, typically with an American accent. Other CryptoChameleon victims have also reported speaking with British agents.

"The agent has professional call center communication skills, and offers genuinely good advice," Richardson recalls from his many conversations with victims. "So, for example, they might say: 'I want you to write down this support phone number for me.' And they have victims write down the real support phone number for whoever they're impersonating. And then they give them a whole lecture: 'Only call us on this number.' I had a victim report that they actually said, 'For quality and training purposes, this call is being recorded.' They're using the full call script, everything that you can think of to make someone believe that they're really talking to this company right now."

This supposed support agent informs the user that they'll be sending an email shortly, allowing the user to reset access to their account. In fact, this is a malicious email containing a shortened URL, directing them to a phishing site.

The helpful support agent watches in real time as the user enters their master password into the copycat site. Then they use it to log into their account, and immediately change the primary phone number, email address, and master password, thereby locking the victim out for good.

All the while, Richardson says, "They don't realize it's a scam — none of the victims I talked to. One person said, 'I don't think I ever entered my master password in there.' \[I told them\] 'You spent 23 minutes on the phone with these guys. You probably did.'"

**The Damage**

LastPass shut down the suspicious domain used in the attack — help-lastpass\[.\]com — shortly after it went live. The attackers have been persistent, though, continuing their activity under a new IP address.

With visibility into the attackers' internal systems, Richardson was able to identify at least eight victims. He also offered evidence (which Dark Reading is keeping confidential) indicating that there may have been more than that.

When asked for further information, LastPass senior intelligence analyst Mike Kosak told Dark Reading, "We do not disclose details on the number of customers who are impacted by this type of campaign, but we support any customer who may be a victim of this and other scams. We encourage people to report potential phishing scams and other nefarious activity impersonating LastPass to us at \[email protected\]."

**Is There Any Defense?**

Because hands-on CryptoChameleon attackers talk their victims through any potential security barriers like multifactor authentication (MFA), defending against them begins with awareness.

"People need to be aware that attackers can spoof phone numbers — that just because an 800 or 888 number calls you, it doesn't mean that it's legitimate," Richardson says, adding that  "just because there's an American on the other end of the line also does not mean that it's legitimate."

In fact, he says, "Don't answer the phone from unknown callers. I know that's a sad reality of the world that we live in today."

Even with all the awareness and precautionary measures known to business users and consumers, though, a particularly sophisticated social engineering attack might still get through.

"One of the CryptoChameleon victims I talked to was a retired IT professional," Richardson recalls. "He said, 'I've gotten training my whole life to not fall for these kinds of attacks. Somehow I fell for it'."

LastPass has asked Dark Reading to remind customers of the following:

*   Ignore any unsolicited or unprompted incoming phone calls (automated or with a live individual) or texts claiming to be from LastPass related to a recent attempt to change your password and/or account information. These are part of an ongoing phishing campaign. 
    
*   If you do see this activity and are concerned you may have been compromised, contact the company at \[email protected\].
    
*   And finally, LastPass will never ask you for your password.
    

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Multiple LastPass Users Lose Master Passwords to Ultra-Convincing Scam

Airbnb's Allyn Stott recommends adding the Human Maturity Model (HMM) and the SABRE framework to complement MITRE ATT&CK to improve security metrics analysis.

Source: Dzmitry Skazau via Alamy Stock Photo

Sorting the false positives from the true positives: Ask any security operations center professional, and they'll tell you it's one of the most challenging aspects of developing a detection and response program.

As the volume of threats continues to rise, having an effective approach to measuring and analyzing this kind of performance data has become more critical to an organization's detection and response program. On Friday at the Black Hat Asia conference in Singapore, Allyn Stott, senior staff engineer at Airbnb, encouraged security professionals to reconsider how they use such metrics in their detection and response programs — a topic he broached last year's Black Hat Europe.

"At the end of that talk, a lot of the feedback I received was, 'This is great, but we really want to know how we can get better at metrics,'" Stott tells Dark Reading. "That's an area where I've seen a lot of struggles."

**The Importance of Metrics**

Metrics are critical in assessing the effectiveness of a detection and response program because they drive improvement, reduce the impact of threats, and validate investment by demonstrating how the program lowers risk to the business, Stott says.

"Metrics help us communicate what we do and why people should care," Stott says. "That's especially important in detection and response because it's very difficult to understand from a business perspective.”

The most critical area for delivering effective metrics is alert volume: "Every security operations center I've ever worked in or ever walked foot in, it's their primary metric," Stott says.

Knowing how many alerts are coming in is important but, by itself, is still not enough, he adds.

"The question is always, 'How many alerts are we seeing?'" Stott says. "And that doesn't tell you anything. I mean, it tells you how many alerts the organization receives. But it doesn't actually tell you if your detection and response program is catching more things."

Effectively leveraging metrics can be complex and labor-intensive, adding to the challenge of effectively measuring threat data, Stott says. He acknowledges that he has made his share of mistakes when it comes to engineering metrics to assess the effectiveness of security operations.

As an engineer, Stott routinely evaluates the effectiveness of the searches he conducts and the tools he uses, seeking to get accurate true- and false-positive rates for detected threats. The challenge for him and most security professionals is connecting that information to the business.

**Implementing Frameworks Properly Is Critical **

One of his biggest mistakes was his approach in focusing too much on the MITRE ATT&CK framework. While Stott says he believes it provides critical details on threat actors' different threat techniques and activities and organizations should use it, that doesn't mean they should apply it to everything.

"Every technique can have 10, 15, 20, or 100 different variations," he says. "And so having 100% coverage is kind of a crazy endeavor."

Besides MITRE ATT&CK, Stott recommends using the SANS Institute's Hunting Maturity Model (HMM), which helps describe an organization's existing threat-hunting capability and provides a blueprint for improving it.

"It gives you the ability to, as a metric, say where you're at as far as your maturity today and how the investments you're planning to make or the projects you're planning to do will increase your maturity," Stott says.

He also recommends using the Security Institute's SABRE framework, which provides risk management and security performance metrics validated with third-party certifications.

"Rather than test across all of the MITRE ATT&CK framework, you're actually working on a prioritized list of techniques, which includes using MITRE ATT&CK as a tool," he says. "That way, you're not just looking at your threat intel but also at security incidents and threats that would be critical risks for the organization."

Use of these guidelines for metrics requires buy-in from CISOs, since it means gaining organizational adherence to these different maturity models. Nevertheless, it tends to be driven by a bottom-up approach, where threat intelligence engineers are the early drivers.

**About the Author(s)**

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Rethinking How You Work With Detection and Response Metrics

Securing the presidential election requires vigilance and hardened cybersecurity defenses.

Shawn Henry, Chief Security Officer, CrowdStrike

April 19, 2024

3 Min Read

Source: thinkx2 via Alamy Stock Photo

COMMENTARY

Foreign adversaries have attempted to disrupt the US elections for years through various methods. This includes espionage and "hack and leak" campaigns that steal sensitive data and later amplify it in public forums. Today, generative AI (GenAI) is altering the battlefield for attacks, and in the modern information ecosystem where misinformation and disinformation can spread rapidly, it has the potential to transform geopolitics.

Throughout my 24-year career with the FBI, I witnessed sophisticated adversaries attempt to sow confusion and cripple networks, as cyber-threat actors developed tools and tactics to disrupt businesses, governments, and more. The malicious use and proliferation of GenAI in 2024 presents one of the toughest challenges we'll face in an election year. 

**Adversaries Continue on Their Path to Disrupt and Dismantle**

Nation-state adversaries affiliated with and tied to the motivations of foreign governments have the resources to scale operations, and pose a constant threat to democracy. As we've seen previously, it's likely that threat actors from China, Russia, and Iran (charged for sending fake, intimidating emails to US voters in 2020) will seek to interfere with the 2024 US election.

Adversaries may seek to target actual election infrastructure itself, including the hardware and software used to tally and transmit votes, as well as political campaign assets. While some actors have leveraged information operations, generative AI is poised to increase the attractiveness of this malicious activity. With GenAI, it is easier than ever for threat actors to create content and influence narratives that support their underlying goals and objectives. This, in turn, can undermine public confidence and perceptions of political issues, parties, and candidates.

In fact, we're already starting to see the impacts. Threat actors from China recently weaponized deepfakes ahead of Taiwan's election, aiming to increase the voting public's confidence in candidates more diplomatic to China. Fabricated information campaigns stemming from state-nexus entities will not be novel in 2024; however, generative AI will make deciphering what is real or not infinitely more difficult. 

The rise of GenAI has also lowered the barrier of entry for virtually anyone to interfere with elections. Less sophisticated hackers or hacktivists with a specific geopolitical goal may be able to create high-quality disinformation campaigns with relative ease. We've already seen a local magician make global headlines this year by using AI to create fake robocalls, and it's only April.

**Countering These Growing Threats**

So, what can be done? When it comes to protecting the disparate election systems, it is critical to apply a risk-informed approach. At the heart of this is hardening environments to protect systems and stop breaches, 24/7 continuous monitoring of systems, and deep visibility into critical areas of risk, including endpoints, cloud, and identity. Employing both threat hunting and threat intelligence is equally as important, as these tools help to proactively protect against adversaries who may attempt to penetrate networks.

State and local elections administration entities have improved their security over the past several election cycles. So too have political parties and campaign entities. But additional attention and investment is warranted.

With respect to information operations, we must continue to raise awareness. Defending against this threat starts with vigilance from everyone. Citizens must be on alert and validate the origin of information they are consuming, consider the source's political stance and objective, and attempt to validate information through trusted sources prior to amplifying it. All Americans have a crucial role to play in critically analyzing the information they are getting and, more importantly, sharing 

Social media companies and GenAI companies should work to detect and prevent threat actors' use of their tools and platform. At a minimum this means cooperating with each other where appropriate and collaborating with cybersecurity companies and IT providers that have experience tracking these groups.

In 2024, voters in all 50 states and across 55 countries will participate in elections, providing numerous opportunities for adversaries with various motivations to disrupt and dismantle confidence in democracy. With proper awareness, preparation, and cybersecurity best practices in place, we can take a big step forward in defending democracy in the digital age. Failure to do so could be catastrophic.

**About the Author(s)**

Chief Security Officer, CrowdStrike

Shawn Henry serves as chief security officer and is one of the company's longest tenured executive leaders, having joined in 2012 after retiring from the FBI senior executive service. In Henry’s role, he oversees all security aspects of CrowdStrike, including the company's information security, business continuity and resiliency, and risk reduction programs, as well as the physical security of CrowdStrike's global facilities, personnel, executive protection, and corporate events. Prior to joining CrowdStrike, Shawn oversaw half of the FBI's investigative operations as Executive Assistant Director, including all FBI criminal and cyber investigations worldwide, international operations, and the FBI's critical incident response to major investigations and disasters.

AI Lowers Barrier for Cyber-Adversary Manipulation in 2024 Election

Malformed DOS paths in file-naming nomenclature in Windows could be used to conceal malicious content, files, and processes.

Source: Robert Adrian Hillman via Alamy Stock Vector

BLACK HAT ASIA – Singapore – A known issue associated with the DOS-to-NT path conversion process in Windows opens up significant risk for businesses by allowing attackers to gain rootkit-like post-exploitation capabilities to conceal and impersonate files, directories, and processes.

That's according to Or Yair, security researcher at SafeBreach, who outlined the issue during a session here this week. He also detailed four different vulnerabilities related to the issue, which he dubbed "MagicDot" - including a dangerous remote code-execution bug that can be triggered simply by extracting an archive.

**Dots & Spaces in DOS-to-NT Path Conversion**

The MagicDot group of problems exist thanks to the way that Windows changes DOS paths to NT paths.

When users open files or folders on their PCs, Windows accomplishes this by referencing the path where the file exists; normally, that's a DOS path that follows the "C:\\Users\\User\\Documents\\example.txt" format. However, a different underlying function called NtCreateFile is used to actually perform the operation of opening the file, and NtCreateFile asks for an NT path and not a DOS path. Thus, Windows converts the familiar DOS path visible to users into an NT path, prior to calling NtCreateFile to enable the operation.

The exploitable problem exists because, during the conversion process, Windows automatically removes any periods from the DOS path, along with any extra spaces at the end. Thus, DOS paths like these:

*   C:\\example\\example<space>    
    

are all converted to "\\??\\C:\\example\\example" as an NT path.

Yair discovered that this automatic stripping out of erroneous characters could allow attackers to create specially crafted DOS paths that would be converted to NT paths of their choice, which could then be used to either render files unusable or to conceal malicious content and activities.

**Simulating an Unprivileged Rootkit**

The MagicDot issues first and foremost create the opportunity for a number of post-exploitation techniques that help attackers on a machine maintain stealth.

For instance, it's possible to lock up malicious content and prevent users, even admins, from examining it. "By placing a simple trailing dot at the end of a malicious file name or by naming a file or a directory with dots and/or spaces only, I could make all user-space programs that use the normal API inaccessible to them ... users would not be able to read, write, delete, or do anything else with them," Yair explained in the session.

Then, in a related attack, Yair found that the technique could be used to hide files or directories within archive files.

"I simply ended a file name in an archive with a dot to prevent Explorer from listing or extracting it," Yair said. "As a result, I was able to place a malicious file inside an innocent zip — whoever used Explorer to view and extract the archive contents was unable to see that file existed inside."

A third attack method involves masking malicious content by impersonating legitimate file paths.

"If there was a harmless file called 'benign,' I was able to \[use DOS-to-NT path conversion\] to create a malicious file in the same directory \[also named\] benign," he explained, adding that the same approach could be used to impersonate folders and even broader Windows processes. "As a result, when a user reads the malicious file, the content of the original harmless file would be returned instead," leaving the victim none the wiser that they were actually opening malicious content.

Taken together, manipulating MagicDot paths can grant adversaries rootkit-like abilities without admin privileges, explained Yair, who published detailed technical notes on the attack methods in tandem with the session.

"I found I could hide files and processes, hide files in archives, affect prefetch file analysis, make Task Manager and Process Explorer users think a malware file was a verified executable published by Microsoft, disable Process Explorer with a denial of service (DoS) vulnerability, and more," he said — all without admin privileges or the ability to run code in the kernel, and without intervention in the chain of API calls that retrieve information.

"It's important that the cybersecurity community recognize this risk and consider developing unprivileged rootkit detection techniques and rules," he warned.

**A Series of "MagicDot" Vulnerabilities**

During his research into the MagicDot paths, Yair also managed to uncover four different vulnerabilities related to the underlying issue, three of them since patched by Microsoft.

One remote code execution (RCE) vulnerability (CVE-2023-36396, CVSS 7.8) in Windows's new extraction logic for all newly supported archive types allows attackers to craft a malicious archive that would write anywhere they choose on a remote computer once extracted, leading to code execution.

"Basically, let's say you upload an archive to your GitHub repository advertising it as a cool tool available for download," Yair tells Dark Reading. "And when the user downloads it, it's not an executable, you just extract the archive, which is considered a completely safe action with no security risks. But now, the extraction itself is able to run code on your computer, and that is seriously wrong and very dangerous."

A second bug is an elevation of privilege (EoP) vulnerability (CVE-2023-32054, CVSS 7.3) that allows attackers to write into files without privileges by manipulating the restoration process of a previous version from a shadow copy.

The third bug is Process Explorer unprivileged DOS for anti-analysis bug, for which CVE-2023-42757 has been reserved, with details to follow. And the fourth bug, also an EoP issue, allows unprivileged attackers to delete files. Microsoft confirmed that the flaw led to "unexpected behavior" but hasn't yet issued a CVE or a fix for it.

"I create a folder inside the demo folder called …<space> and inside, I write a file named c.txt," Yair explained. "Then when an administrator attempts to delete the …<space> folder, the entire demo folder is deleted instead."

**Potentially Wider "MagicDot" Ramifications**

While Microsoft addressed Yair's specific vulnerabilities, the DOS-to-NT path conversion auto-stripping of periods and spaces persists, even though that's the root cause of the vulnerabilities.

"That means there might be many more potential vulnerabilities and post-exploitation techniques to find using this issue," the researcher tells Dark Reading. "This issue is still exists and can lead to many more issues and vulnerabilities, which can be much more dangerous than the ones we know about."

He adds that the problem has ramifications beyond Microsoft.

"We believe the implications are relevant not only to Microsoft Windows, which is the world's most widely used desktop OS, but also to all software vendors, most of whom also allow known issues to persist from version to version of their software," he warned in his presentation.

Meanwhile, software developers can make their code safer against these types of vulnerabilities by utilizing NT paths rather than DOS paths, he noted.

"Most high-level API calls in Windows support NT paths," Yair said in his presentation. "Using NT paths avoids the conversion process and ensures the provided path is the same path that is being actually operated on."

For businesses, security teams should create detections that look for rogue periods and spaces within file paths.

"There are pretty easy detections that you can develop for these, to look for files or directories, that have trailing dots or spaces in them, because if you find those, on your computer, it means that someone did it on purpose because it's not that easy to do," Yair tells Dark Reading. "Normal users can't just create a file with ends with a dot or space, Microsoft will prevent that. Attackers will need to use a lower API that is closer to the kernel, and will need some expertise to accomplish this."

**About the Author(s)**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

'MagicDot' Windows Weakness Allows Unprivileged Rootkit Activity

The local phone and business communications company said that attackers accessed unspecified PII, after infiltrating its internal networks.

A blue whale breaching out of the oceanSource: Kerry Hargrove via Alamy Stock Photo

Texas-based Frontier Communications, which provides local residential and business telecom services in 25 states, has shut down its operations in the wake of a cyberattack that resulted in the theft of personally identifiable information (PII).

The breach occurred four days ago on April 14, when it detected a breach by an unauthorized third party who had gained access to "portions of its information technology environment," according to an incident filing with the US Securities & Exchange Commission (SEC).

As part of its containment efforts, Frontier took "certain of the company's systems \[offline, which\] resulted in an operational disruption that could be considered material." It reported that while its core IT environment is up and running, normal business operations have yet to resume; and as of this writing, the telco's website was still offline.

Frontier didn't disclose what PII the cyberattacker accessed or who's affected, nor the suspected nature of the adversary. Telecom companies are a popular target for both financially motivated attackers as well as advanced persistent threats (APT), given the rich data repositories they hold. For instance, the Sandman APT was behind a prolific string of attacks last fall bent on stealing call-data records, mobile subscriber identity data, and metadata from carrier networks.

"The company continues to investigate the incident, has engaged cybersecurity experts, and has notified law enforcement authorities," according to the SEC filing. "The company does not believe the incident is reasonably likely to materially impact the company's financial condition or results of operations."

**About the Author(s)**

Cyberattack Takes Frontier Communications Offline

It turns out that a powerful security solution can double as even more powerful malware, capable of granting comprehensive access over a targeted machine.

Source: Maurice Norbert via Alamy Stock Photo

A creative exploit of Palo Alto Networks' extended detection and response (XDR) software could have allowed attackers to puppet it like a malicious multitool.

In a briefing at Black Hat Asia this week, Shmuel Cohen, security researcher at SafeBreach, described how he not only reverse-engineered and cracked into the company's signature Cortex product but also weaponized it to deploy a reverse shell and ransomware.

All but one of the weaknesses associated with his exploit have since been mended by Palo Alto. Whether other, similar XDR solutions are vulnerable to a similar attack is as yet unclear.

**A Devil's Bargain in Cybersecurity**

There is an inescapable devil's bargain when it comes to using certain kinds of far-reaching security tools. In order for these platforms to do their jobs, they must be granted highly privileged carte blanche access over every nook and cranny in a system.

For instance, to perform real-time monitoring and threat detection across IT ecosystems, XDR demands the highest possible permissions, and access to very sensitive information. And, to boot, it can't be easily removed. It was this immense power wielded by these programs that inspired in Cohen a twisted idea.

"I thought to myself: Would it be possible to turn an EDR solution itself into malware?" Cohen tells Dark Reading. "I'd take all these things that the XDR has and use them against the user."

After picking a laboratory subject — Cortex — he began reverse-engineering its various components, trying to figure out how it defined what is and isn't malicious.

A lightbulb switched on when he discovered a series of plaintext files the program relied on more than most.

**How to Turn XDR Evil**

"But those rules are inside my computer," Cohen thought. "What would happen if I manually removed them?"

It turned out that Palo Alto had thought of this already. An anti-tampering mechanism prevented any user from touching those precious Lua files — except the mechanism had an Achilles' heel. It worked by protecting not each individual Lua file by name, but the folder that encapsulated them all. To reach the files he wanted, then, he wouldn't have to undo the anti-tampering mechanism, if he could just reorient the path used to reach them and bypass the mechanism altogether.

A simple shortcut probably wouldn't have sufficed, so he used a hard link: the computer's way of connecting a filename with the actual data stored on a hard drive. This allowed him to point his own new file to the same location on the drive as the Lua files.

"The program was not aware that this file was pointing to the same location in the hard disk as the original Lua file, and this allowed me to edit the original content file," he explains. "So I created a hard link to the files, edited and removed some rules. And I saw that as I removed them — and did another little thing that caused the app to load new rules—I could load a vulnerable driver. And from there, the whole computer was mine."

After taking complete control in his proof of concept attack, Cohen recalls, "What I did first was change the protection password on the XDR so it cannot be removed. I also blocked any communication to its servers."

Meanwhile, "Everything seems like it's working. I can hide the malicious activities from the user. Even for an action which would've been prevented, the XDR won't provide a notification. The endpoint user will see the green marks that indicate everything is OK, while underneath I'm running my malware."

The malware he decided to run was, first, a reverse shell, enabling full control over the targeted machine. Then he successfully deployed ransomware, right under the program's nose.

**The Fix Palo Alto Didn't Make**

Palo Alto Networks was receptive to Cohen's research, working closely with him to understand the exploit and develop fixes.

There was one vulnerability in his attack chain, however, that they chose to leave as is: the fact that Cortex's Lua files are stored entirely in plaintext, with no encryption whatsoever, despite their highly sensitive nature.

That seems alarming, but the reality is that encryption wouldn't be much of a deterrent for attackers, so after discussing the matter, he and the security company agreed that they didn't need to change that. As he notes, "The XDR eventually needs to understand what to do. So even if it's encrypted, at some point in its operation it will need to decrypt those files in order to read them. So attackers could just catch the content of the files then. It would be one more step for me in order to read those files, but I can still read them."

He also says that other XDR platforms are likely susceptible to the same kind of attack.

"Other XDRs will implement this differently, maybe," he says. "Maybe the files will be encrypted. But no matter what they will do, I can always bypass it."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Evil XDR: Researcher Turns Palo Alto Software Into Perfect Malware

The tech giant tosses together a word salad of today's business drivers — AI, cloud-native, digital twins — and describes a comprehensive security strategy for the future, but can the company build the promised platform?

Source: Peach Shutterstock via Shutterstock

The cybersecurity industry has no shortage of problems: Attackers are using automation to shorten their time to exploit, patching software is burdensome, establishing defenses such as segmentation remains difficult, and a shortage of cybersecurity-skilled workers holds back efforts in all of these areas.

No wonder, then, that Cisco has decided to launch an AI-powered, distributed security platform for protecting cloud workloads and artificial intelligence (AI) systems from cybersecurity threats. Dubbed Hypershield, the platform will push security out to the edge, using AI-augmented agents to maintain security controls around every workload in the data center and even distributed, connected devices. Cisco says the platform will be able to patch environments automatically, test software updates within the environment using simulated systems known as digital twins, and block attacks by detecting anomalous behavior.

Hyperbole was not in short supply, and "reimagined" seemed to be the word of the day.

Jeetu Patel, executive vice president and general manager of Cisco's security and collaboration division, called it "one of the largest platform shifts that we've experienced during our lifetimes."

"For the past gazillion years, when we've looked at security, the advantage has always been on the side of the adversary," Patel said during a press conference announcing Hypershield. "We are now approaching an era ... where ... because \[of this platform\], you might have a world where you might have an advantage as a defender, and wouldn't that be a wonderful world to live in."

Cybersecurity is certainly a field that could benefit from using AI for augmentation or as an assistant, and pushing security to the distributed edge — closer to the devices to be secured — can help simplify some aspects of vast networks that need to be secured.

The company's choice of technologies makes sense, says David Holmes, a principal analyst with Forrester Research. By using eBPF, a technology that allows sandboxed programs to run in a privileged context, pieces of the workload can be instrumented, and data processing units (DPUs) allow efficient processing of data using high-bandwidth network interfaces.

"They are describing a more modern approach to building a private cloud data center architecture, and that’s good," Holmes says. "eBPF for automation \[and\] security, container-like workloads — their DPUs — overall, this is good for the industry if they pull it off."

**Digital Twins Allow Automated Patching**

Craig Connors, chief technology officer of Cisco's security business group, demonstrated how a workload or application could be automatically patched and run in parallel using digital-twin technology to test the stability and correctness of the updated software. Digital twins are simulations — originally used in product development and manufacturing — that allow software engineers to test and observe a version of a device or application.

If patched code passes all tests and satisfies policies, then it can be promoted to production, Connors said during the demonstration.

"What we've done is we've essentially introduced the digital twin into every enforcement point that we deploy," Connors stated. "So we're actually bringing CI/CD \[continuous integration and continuous delivery\] to the embedded world by running the end-of-the-promotion pipeline as a digital twin on every single enforcement point for every single customer in the world in a transparent way. That allows us to test every possible combination that could happen in your real environment everywhere."

While the company will start with Linux environments, Cisco hinted at future plans to support other operating systems.

The same digital-twin approach can be applied to developing segmentation policies for networks of devices and workloads, according to Connors. The AI assistant built into the Hypershield platform could recommend microsegmentation policies and give a confidence score that each policy would behave well inside a given environment.

"Imagine if AI wasn't just recommending microsegmentation policies, but it was modeling them in a digital twin of your environment, and telling you exactly how it tested those policies to make sure they were correct before it recommended them to you," Connors said. "So we're really trying to bring that trust aspect in and not just 'AI bomb' you with recommendations."

**Distributed Exploit Protection**

Cisco says the platform will also protect against exploits in real time by using threat intelligence to inform anomaly detection and response. Because companies never know which vulnerabilities will be picked up by an attacker, the system allows all high-impact vulnerabilities to be treated the same.

This approach benefits companies with legacy hardware and software that has reached end of life and is no longer receiving updates, according to Connors.

"There are cases where we can never patch. ... Let's say the software's end of life, but my business still relies on it and a critical vulnerability exists," Connors said. "So while these are intended to be short-lived patches to bridge that gap between that availability and patch deployment and then we'll automatically pull back these distributed shields, it is potentially feasible that you may want to run this for the life of the application to continue protecting you against \[exploitation\]."

Having the vision and individual technologies is a good first step, but like the platform managing driver-assist features in cars, the trick is how it all comes together, says Jon Oltsik, analyst emeritus at Enterprise Strategy Group. Coordinating the pieces across multiple systems, rather than looking at each one in isolation — as well as figuring out "normal" activity — and then responding will be tricky.

"It's a good goal, but a lot of things need to come together to make it happen, including user buy-in," he says. "AI-based security must go through rigorous testing and be proven in the field before security professionals will trust it."

Cisco has promised the platform will be generally available by August.

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Cisco's Complex Road to Deliver on Its Hypershield Promise

Attackers are indiscriminately targeting VPNs from Cisco and several other vendors in what may be a reconnaissance effort, the vendor says.

Source: Wright Studio via Shutterstock

Cisco Talos this week warned of a massive increase in brute-force attacks targeting VPN services, SSH services, and Web application authentication interfaces.

In its advisory, the company described the attacks as involving the use of generic and valid usernames to try and gain initial access to victim environments. The targets of these attacks appear to be random and indiscriminate and not restricted to any industry sector or geography, Cisco said.

The company identified the attacks as impacting organizations using Cisco Secure Firewall VPN devices and technologies from several other vendors, including Checkpoint VPN, Fortinet VPN, SonicWall VPN, Mikrotik, and Draytek.

**Attack Volumes Might Increase**

"Depending on the target environment, successful attacks of this type may lead to unauthorized network access, account lockouts, or denial-of-service conditions," a Cisco Talos statement explained. The vendor noted the surge in attacks began around March 28 and warned of a likely increase in attack volumes in the coming days.

Cisco did not immediately respond to a Dark Reading inquiry regarding the sudden explosion in attack volumes and whether they're the work of a single threat actor or multiple threat actors. Its advisory identified the source IP addresses for the attack traffic as proxy services associated with Tor, Nexus Proxy, Space Proxies, and BigMama Proxy.

Cisco's advisory linked to indicators of compromise — including IP addresses and credentials associated with the attacks — while also noting the potential for these IP addresses to change over time.

The new wave of attacks is consistent with the surging interest among threat actors in the VPNs and other technologies that organizations have deployed in recent years to support remote access requirements for employees. Attackers — including nation-state actors — have ferociously targeted vulnerabilities in these products to try and break into enterprise networks, prompting multiple advisories from the likes of the US Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the National Security Agency (NSA), and others.

**VPN Vulnerabilities Explode in Number**

A study by Securin showed the number of vulnerabilities that researchers, threat actors, and vendors themselves have discovered in VPN products increased 875% between 2020 and 2024. They noted how 147 flaws across eight different vendors' products grew to nearly 1,800 flaws across 78 products. Securin also found that attackers weaponized 204 of the total disclosed vulnerabilities so far. Of this, advanced persistent threat (APT) groups such as Sandworm, APT32, APT33, and Fox Kitten had exploited 26 flaws, while ransomware groups like REvil and Sodinokibi had exploits for another 16.

Cisco's latest advisory appears to have stemmed from multiple reports the company received about password-spraying attacks targeting remote access VPN services involving Cisco's products and those from multiple other vendors. In a password-spraying attack, an adversary basically attempts to gain brute-force access to multiple accounts by trying default and common passwords across all of them.

**Reconnaissance Effort?**

"This activity appears to be related to reconnaissance efforts," Cisco said in a separate April 15 advisory that offered recommendations for organizations against password-spraying attacks. The advisory highlighted three symptoms of an attack that users of Cisco VPNs might observe: VPN connection failures, HostScan token failures, and an unusual number of authentication requests.

The company recommended that organizations enable logging on their devices, secure default remote access VPN profiles, and block connection attempts from malicious sources via access control lists and other mechanisms.

"What is important here is that this attack is not against a software or hardware vulnerability, which usually requires patches," Jason Soroko, senior vice president of product at Sectigo, said in an emailed statement. The attackers in this instance are attempting to take advantage of weak password management practices, he said, so the focus should be on implementing strong passwords or implementing passwordless mechanisms to protect access.

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Source

DARKReading