The data-stealing malware threatens the cyber safety of individual and organizational privacy by infecting a range of Web browsers.

Using Telegram as its command-and-control (C2) mechanism, a new strain of malware, a bot dubbed Zaraza, is capable of extracting login credentials from a victim's open browser and saving them to a file, as well as taking screenshots of open windows to be saved in a JPG file.

First identified by the Uptycs threat research team, the new bot is capable of stealing credentials from 38 Web browsers, including Google Chrome, Microsoft Edge, and Opera, among others. Once it successfully infects a victim's computer, it sends the information to a Telegram server, where it becomes accessible to potential threat actors. It's believed that the Zaraza bot is linked to Russian hackers, evidenced by the use of the name "Zaraza" which means "infection" in Russian, the researchers said in their report outlining the malware.

The type of login credentials that it steals range from bank accounts to email accounts to online wallets, as well as other sensitive and valuable website targets. This information can provide attackers with the opportunity to commit severe crimes such as identity theft and financial fraud, as well as grant access to personal identifiable information (PII) and, especially in the era of remote work, business accounts. This variant of malware and what it allows attackers to do potentially opens the floodgates to financial loss and "reputational damage," according to the analysis.

"To protect yourself against this malware," the Uptycs researchers wrote, "you should update your passwords regularly, follow online security best practices such as using strong passwords and multi-factor authentication, and ensure regular software and security system updates."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

'Zaraza' Bot Targets Google Chrome to Extract Login Credentials

The infamous Trojan's operators are switching up tactics with the use of simulated business correspondence, which helps instill trust with intended victims, and a stealthier payload.

A recent surge in QBot Trojan attacks has been observed, spreading via malicious emails written in various languages, including English, German, Italian, and French. The emails are crafted using genuine business letters obtained by the attackers and urge the recipient to open an attached PDF file, which contains several layers of obfuscation that make its maliciousness less detectable by security tools.

According to an analysis by Kaspersky this week, the campaign also uses the method of using reply-chain emails to make it more difficult for soon-to-be-victims to flag as malicious. As the name suggests, reply chain is the practice of accessing existing email exchanges from a listserv (or any location) and replying to them, making the interloping messages look legit, less suspicious, and believable.

The campaign represents a change in tactics for the operators of QBot (aka QakBot or Pinkslipbot), who maintain an access-as-a-service offering that other cybercriminals use to deliver a range of second-stage malware to already-compromised targets. Initially discovered in 2007, QBot has undergone numerous modifications and enhancements over the years, resulting in its widespread distribution as one of the most actively propagated malware strains in 2020. 

These latest improvements help boost stealth and legitimacy, according to security researchers. For instance, the emails are crafted to change only minimal parts of the stolen documents; they may contain links or attachments that contain links to malicious sites.

"The messages were based on real business letters the attackers had gotten access to, which afforded them the opportunity to join the correspondence thread with messages of their own," the Kaspersky report noted.

**QBot's Many Layers of Obfuscation**

As for attack flow, the PDF file contains a Windows Script File (WSF) that harbors an obfuscated PowerShell script encoded into a Base64 line. Once the PowerShell script is covertly executed on the computer, it utilizes the wget utility to retrieve a DLL file from a remote server, which is used to deliver the QBot malware to the victim's computer. This is an existing tactic: Last year, QBot operators began using DLL sideloading to deliver malware, a technique that places legitimate and malicious files together in a common directory to avoid detection. 

The group has recently ramped up its operations and improved their offerings, infecting systems, installing attack frameworks, and selling access to other groups, including Black Basta.

"The WSF is obfuscated to evade detection which will download further payloads," explains Timothy Morris, chief security adviser at Tanium. "The attack 'chaining', or using multiple steps, helps get past some protections since the full context of the nefarious behavior can't be observed as a single activity."

**How to Protect the Business From QBot Attacks**

Morris notes that the multiple phases in the attack flow, from the initial emails to payloads being downloaded to data exfiltration and theft requires a range of cybersecurity strategies to defend against.

"It is important to have a defense-in-depth strategy that includes detection, monitoring, and protection technologies at the endpoint, as well as Web, network, and email security that is up to date," he says. "Also, training users to these types of threats is important."

Darren Guccione, CEO and co-founder at Keeper Security, says potential targets should also be trained to recognize that, unlike phishing attempts that appear to come from random businesses or the government, the malicious file containing malware will appear to come from someone you've had past email conversations with.

"The threat actors hope to piggyback on your relationship and level of trust to get these contacts to download the files," he explains. "Employees should avoid making risky clicks. Suspicious links should not be clicked and untrusted software should not be installed."

Other email security best practices include verifying the email sender and content before downloading attachments, and hovering over embedded links to see the actual target URL. Also, defenders also should focus on making sure antivirus and anti-malware solutions are deployed and up to date, and secure endpoints, including PCs, servers, routers, and so on, keeping them patched.

Guccione says the latest resurgence of QBot, along with new modules and evasion techniques being added, indicates active development of the malware, so companies should be vigilant when it comes to being prepared for the latest changes.

"It’s still a very capable adversary tool that defenders need to protect against," Guccione explains.

QBot Expands Initial Access Malware Strategy With PDF-WSF Combo

In targeting Apple users, LockBit is going where no major ransomware gang has gone before. But it's a warning shot, and Mac users need not worry yet.

The infamous LockBit ransomware gang has developed a version of their malware for macOS devices — the first ever foray into Apple's territory by a major ransomware group.

LockBit is one of the world's most prolific ransomware-as-a-service (RaaS) operations, known for its ivolvement in high-profile attacks, sophisticated malicious offerings, and some grade-A PR.

The first evidence that the gang has been experimenting with macOS was published by the MalwareHunterTeam ransomware repository on April 15. "As much as I can tell," a tweet read, "this is the first Apple's Mac devices-targeting build of LockBit ransomware sample seen ... Also is this a first for the 'big name' gangs?"

Shortly thereafter, vx-underground — a malware research site — added a wrinkle to the story. "It appears we are late to the game," it tweeted. "The macOS variant has been available since November 11th, 2022."

Ransomware for Mac may raise alarm bells, though a closer examination of the binary reveals that it's not quite ready for prime time.

"For now, the impact to the average Mac user in the enterprise is essentially zero," Patrick Wardle, founder of the Objective-See Foundation, tells Dark Reading. He pulled a sample apart in an analysis published April 16.

However, he adds, "I think this should be looked at as a harbinger of things to come. You have a very well funded and motivated, large ransomware group that's saying: 'Hey, we're setting our sights on on macOS.'"

Will Mac users be ready when ransomware finally comes for them?

**LockBit on Mac**

Saturday's discovery may be best characterized as Windows malware with macOS lipstick.

In unpacking the code, Wardle discovered multiple strings related to Windows artifacts — like autorun.inf, ntuser.dat.log, and so on. The lone component indicating its OS intentions was a variable called "apple\_config."

"This is the only instance (I found) of any macOS specific references/customizations," Wardle noted in the analysis, appending that "(The rest of the malware's binary simply looks like Linux code, compiled for macOS)."

There were other signs, too, that the developers hadn't yet completed their project. For example, the code was signed "ad-hoc" — a stand-in for, say, a stolen Apple Developer ID. This could be a placeholder for future RaaS customers, but for now, Wardle explains, "this means if downloaded to a macOS system (i.e. deployed by the attackers) macOS won't let it run."

Suffice it to say: LockBit hasn't breached the Apple dam just yet. But that doesn't mean Mac users can relax.

**Ransomware Is Headed for Macs**

Never before has one of the big name ransomware outfits — Conti, Clop, Hive, et al — developed ransomware for Mac computers. There may be one reason, above all, for why that is.

"Look at, traditionally, who the targets are for large ransomware attacks. It's the enterprises: hospitals, packaging facilities, these more traditional companies," Wardle points out. "They are generally Windows-based."

Slowly, though, Apple devices have been spreading in enterprise environments. A 2021 survey data from JAMF indicated that Apple's tablets are the go-to choice for businesses, iPhones represent about half of all smartphones in business settings, and the "average penetration" of macOS devices in the enterprise was around 23%, as compared with 17% two years prior.

"The pandemic and the work from home really spurred that," Wardle postulates. "A lot of people have Mac computers. And as the younger generation enters the workforce — they are more comfortable with the Apple ecosystem."

Following from that, he adds, "hackers who are very opportunistic are realizing that a lot of their potential victims are now transitioning, and thus they need to evolve their malicious creations."

So the question may not be whether ransomware groups will jump into macOS, but how soon. "This," Wardle thinks, "is really the million-dollar question."

**Are Apple Devices Prepared for Ransomware?**

Luckily for Mac users, Apple has anticipated this ransomware D-Day, and has proactively gotten ahead of it. Wardle points to two primary defenses already built into the operating system.

Firstly, he says, "system files are under read-only conditions. So even if ransomware gets root access on a computer, it's still not going to be able to modify those critical files and lock or render the system inoperable."

Second is TCC — short for Transparency, Consent, and Control.

"The idea is that certain directories — for example, the user's document directory, desktop, downloads, their browser folders, and cookies — are actually protected by the operating system," Wardle explains. If ransomware finds its way onto the system, "it's going to run into TCC and it's not going to be able to access the files it wants to encrypt, without either another exploit or getting the user to explicitly approve the access."

There's a caveat to that happy news though. "Apple has done a great job implementing security mechanisms, but," Wardle warns, "these features haven't been really tried and tested yet. Maybe hackers will start poking and find some flaws. TCC, for example, has been riddled with bypasses basically since day one."

"It would be naive to think that the attackers aren't going to improve their techniques and create more effective ransomware," he concludes. "So, I think it's really great to be talking about this now."

Researchers Discover First-Ever Major Ransomware Targeting macOS

How can we build security back into software development in a low-code/no-code environment?

We’ve come to rely heavily on the software development life cycle (SDLC) as the go-to method for getting security ingrained into development processes. In fact, the assumption of a comprehensive continuous integration/continuous delivery (CI/CD) has become so fundamental that we as an industry spent most of last year focused on addressing one of its derivatives: security of the CI/CD pipeline as the centerpiece of the software supply chain. This is good news, of course. A proper SDLC and its operational manifestation, the CI/CD, has allowed us to embed security controls where they are most useful — while developers are building and testing their software.

With the continued soar of low-code/no-code and citizen development in the enterprise, many AppSec teams have been occupied with creating secure development guidelines for these new business applications. Cross-industry collaborations have emerged to provide a security risk framework. The real challenge, however, is bringing this new wave of business users becoming developers under the security umbrella.

Business users are best at knowing what the business needs, and so they are best positioned to address those needs when empowered with low-code/no-code tools that allow them to build their own applications. On the other hand, trying to discuss security risks or development practices with business users can prove challenging.

Embedding security in the SDLC works because it is where it is more comfortable for developers to consume it, making it less costly to fix a security vulnerability. In order to do the same for business users, we must understand how their process for building applications works.

**R.I.P. to the SDLC**

A boilerplate version of the SDLC shows how software goes from articulating a need by the business; to planning, development, and testing by engineering and Q&A teams; to deployment, monitoring, and management by the operations teams. This, of course, varies widely across organizations. The important point for our discussion is that the responsibility is shifted among different teams and perhaps different departments throughout the development life cycle. Every transition can also be harnessed as a quality or security assurance gate, whether automated, like SAST/DAST/IAST tools, or manually, like threat modeling or security review.

In contrast, consider the low-code/no-code development process. A business user articulates their needs, moves on to creating their application or automation with an intuitive drag and drop interface, clicks save, and ... that’s it! Sometimes even the save step is skipped with a helpful autosave. Although not all low-code/no-code applications are built this way by the person who envisioned them, many are. Note how much faster the development process can be now — no exchange of responsibility or convincing someone else to align with your goals, and everyone can address their own business needs as they are spotted, on their own. This is the power of business-led development and mature citizen-development initiatives.

Unfortunately, it comes at the cost of skipping those security and quality gates we’ve baked into the development life cycle. These gates were critical, especially in an enterprise that needs to enforce values that are just as important as business productivity: security, compliance, and privacy, to name a few.

**Meeting Developers Where They Are**

Business users are building and will continue to build more applications than we’ve ever seen before. To bring them under the security umbrella, we must meet them where they are and speak their language. Instead of relying on the existence of a CI/CD pipeline and introducing business users to concepts like production versus test environments, we should accept reality and focus on making it easy to create secure applications and difficult to create risky ones.

To do this, we must understand the low-code/no-code platforms they use to build applications and the ways in which these applications are built and adopted by others. We must embrace our responsibility to guide these new developers, apply security best practices to the applications they create according to our organization's risk appetite, and take a retroactive approach to address critical issues swiftly.

Where There's No Code, There's No SDLC

China-linked APT41 group targeted a Taiwanese media organization and an Italian job agency with standard, open source penetration test tools, in a change in strategy.

The advanced persistent threat known as APT41 has pressed into service an open source, red-teaming tool, Google Command and Control (GC2), for use in cyber espionage attacks marking a shift in its tactics.

According to the Google Threat Analysis Group (TAG) team, the APT41 group, also known as HOODOO, Winnti, and Bronze Atlas, recently targeted a Taiwanese media organization with phishing emails which contained links to a password protected file hosted in Drive.

When the file was opened, it fetched the GC2 payload. As detailed in the TAG April Threat Horizons report, this tool gets its commands from Google Sheets, most likely to hide the malicious activity, and exfiltrates data to Google Drive. The GC2 tool also enables the attacker to download additional files from Drive on to the victim's system.

APT41 also previously used GC2 last July to target an Italian job search website, according to TAG.

TAG researchers noted that incidents such as this highlight several trends by China-affiliated threat actors, such as using publicly available tooling, the proliferation of tools written in the Go programming language, and the targeting of Taiwanese media.

**Using Publicly Available Tools**

Chinese APT groups have increasingly used publicly available (and legitimate) tools such as Cobalt Strike and other penetration testing software, which is available on sites like GitHub; there's also been a shift to using lesser-known red teaming tools such as Brute Ratel and Sliver to evade detection during their attacks.

The use of such "living off the land" tactics is well known in financially motivated cyberattackers, but less so among APTs that are better resourced and can develop custom tools. Yet Christopher Porter, head of threat intelligence for Google Cloud, said in the report that it is "only prudent to consider that state-sponsored cyber threat actors may steal from the playbooks of cybercriminals to target such systems."

He adds, "A familiar domain name disarms many of the natural defenses we all have when viewing a suspicious email, and the degree to which it is trusted will often be hard coded into security systems screening for spam or malware,” he says. He also flagged the use of cloud services for stealth and legitimacy: "Cloud providers are useful targets for these kinds of operations, either as hosts for malware or providing the infrastructure for command-and-control."

**Who Is APT41?**

The group's activities illustrate the "continued overlap of public sector threat actors targeting private sector organizations with limited government ties," according to the TAG analysis.

Last year the same group was discovered deploying the Spyder Loader malware as part of an ongoing campaign to gather intelligence information on government organizations in Hong Kong, as well as targeting multiple US government agencies using the Log4j vulnerability.

Bronze Atlas is "one of the most prolific groups we have been tracking for a long time," says Marc Burnard, senior security researcher for Secureworks' Counter Threat Unit, having tracked it since at least 2007. And during that time, the group "has been very prolific," he says.

Burnard says APT41 has gone after a range of targets, including government, healthcare, high-tech manufacturing, telcos, aviation, non-governmental organizations (NGOs), and targets in line with China's political and economic interests.

"They are primarily focused on stealing intellectual property, and they have also been involved in targeting political intelligence as well," he notes.

Asked why this particular Taiwanese media company would be targeted, Burnard admits there could be several reasons, including the China-Taiwan political situation, a goal of using the victim to target other organizations and individuals, or there could be a "destructive element" too.

**APT41 Quiets Down Its Wall of Noise**

As mentioned, the TAG report found that the attackers sent phishing emails to the victim containing links to legitimate cloud services in order to avoid detection — links to a trusted cloud service don't set off email filters. Burnard points out that this is part of a style change for the group, as up until the last few years it was quite noisy in its attacks, and not too worried about the activity being detected.

However, since the 2020 indictment of seven alleged cybercriminals, which reportedly included members of APT41, the activity has been more stealthy and Burnard says the APT is now moving towards using legitimate tools like Cobalt Strike, and towards cloud services, to hide their intent and activity.

APT41 Taps Google Red-Teaming Tool in Targeted Info-Stealing Attacks

To address the rising risk of online fraud, stolen identities, and cyberattacks, innovative organizations have begun converging their security functions — here's how yours can prepare.

Across early-stage startups and mature public companies alike, we're seeing a convergence of fraud prevention, identity and access management (IAM), and cybersecurity.

It's time for businesses to take notice and break down these walls.

During my 20 years of experience building and scaling cybersecurity solutions, I've witnessed a slow shift that's finally picking up speed and becoming essential for businesses as they seek to reduce operational overhead and streamline security operations.

**A Silo-Breaking Moment**

To improve an organization's overall security posture, business, IT, and fraud leaders must realize that their areas shouldn't be treated as separate line items. Ultimately, these three disciplines serve the same purpose — protecting the business — and they must converge. This is a simple statement, but complex in practice, due mainly to the array of people, strategies, and tooling today's organizations have built.

The convergence of these three functions comes at a seminal moment, as global threats are heightened due to several factors: geopolitical tensions like the war on Ukraine, the economic downturn, and a never-ending barrage of sophisticated attacks on businesses and consumers.

At the same time, companies are facing slowing revenues, rising inflation, and increased pressure from investors, causing layoffs and budget reductions in the name of optimization. Cutting back in the wrong areas, however, increases risk.

**Pay Attention to the Warning Signs**

Every business unit that participates in the security ecosystem is stressed, but if there's one thing I know about operational pain points, it's that they have great potential to inspire change across industries and business units.

Consider these questions in the context of your organization:

*   Are you failing to achieve secure online experiences despite employing security policies, zero-trust models, multifactor authentication (MFA), and other tactics?
*   Is the friction you've added to online digital experiences hampering your revenue growth?
*   Are you limited in your ability to launch or grow your business in new markets due to heightened fraud risks?
*   Are you seeing continual scams and fraud attacks with little to no prevention progress?
*   Do you feel you have blind spots in your security visibility due to disparate tooling, data, and teams?
*   Is your understanding of how the fraud ecosystem thrives underground comprehensive enough?
*   Is the level of burnout across your security-focused teams at its peak?

If you answered yes to even one of these questions, it's time to start reimagining how the three above-mentioned areas can work together to break the forced compromise between security and revenue growth.

Many forward-looking companies have already aligned these teams under the common goal of creating safer digital experiences. Here are a few tips for how you can do the same.

**Take inventory:** First things first — take a look at your cybersecurity, IAM, and fraud prevention approaches. 

Many organizations have amassed loads of technical debt due to the accelerated threat landscape, which pushed them to adopt technologies without comprehensive strategies. These might include security and compliance, bot detection, identity and access functionality (authentication, MFA, and identity verification), anti-risk and anti-fraud solutions, orchestration, and case management.

Ask yourself:

*   What are my business goals and priorities? What measures, metrics, and objectives must be set?
*   What do my budget and my spending look like? What should they look like?
*   Where are my gaps in staffing?
*   What business-critical tools are we using? Do we need any tool changes?

This inventory is key to gathering a single source of truth that builds the case for convergence and highlights what's truly important to secure your business. 

This step is especially important because fraudsters like to hide in the cracks. Organizational silos allow those cracks to proliferate.

**Get a quick win:** Even if your three teams sit in different departments, align around a common goal and develop an annual plan. Knowing the basics from your inventory pull, have each team share about their individual objectives, priorities, tooling, signals, and processes. You may find some easy-win opportunities by standardizing vendor technology or introducing a joint initiative.

For example, you could build a joint account takeover metric that quantifies the number of fraud attacks you can successfully thwart by pairing an IAM initiative with a fraud initiative.

**Go big:** Pull together a joint business case for your CEO. Along with a general manager or chief operation officer who owns revenue, customer adoption, and customer experience, document and define what these three domain areas can do together to accelerate security and fraud prevention. Be sure to highlight how this approach enables you to take in more business without introducing customer friction.

Once key stakeholders see how the strategic value of a unified fraud detection, IAM, and cybersecurity approach enables the best possible user experience, creative ideation and strategic conversation should follow.

At this point, you're no longer reviewing fraud signals to merely solve a fraud problem. Rather, you're reviewing fraud signals to simultaneously strengthen the posture of your IAM solution and provide friction-free experiences for your users. You will find that you can accept more orders and reduce friction when you're more certain of your customers' identities and your own fraud posture.

As your work unites, measure against these goals and keep your teams honest.

Fraud and identity naturally align on user experience (UX), and putting them under one owner is certainly a step toward convergence, but don't stop there. Regularly brainstorm ways of bringing cybersecurity functions into your strategy. Cyber has great insights and domain expertise in malware, network security, and bots — all signals you should bring together alongside fraud signals for the most powerful coverage.

**Develop your strategy and your workforce.** Over time, you should iterate on processes and build a customized security convergence framework for your organization. Don't be afraid to get creative. Begin leveraging technologies like machine learning and AI to build context between teams, automate workflows, and improve efficiency and visibility across teams. Meanwhile, prepare to upskill and reskill your teams.

We're embarking on uncharted territory here, but keep the goal in sight: Safer digital experiences for all.

Why Your Anti-Fraud, Identity & Cybersecurity Efforts Should Be Merged

Malware that can steal data, track location, and perform click fraud was inadvertently built into apps via an infected third-party library, highlighting supply chain risk.

Malware that can steal data and commit click fraud has hitched a ride into 60 mobile apps, via an infected third-party library. The infected apps have logged more than 100 million downloads from the official Google Play store and are available in other app stores in South Korea, researchers have found.

Goldoson, discovered and named by researchers at McAfee Labs, can perform a variety of nefarious activities on Android-based devices, they said in a blog post. The malware can collect lists of applications installed, as well as sniff out the location of nearby devices via Wi-Fi and Bluetooth. It also can perform ad fraud by clicking advertisements in the background without the user's consent or knowledge, the researchers said.

Some of the popular apps affected by Goldoson include L.POINT with L.PAY, Swipe Brick Breaker, Money Manager Expense & Budget, Lotte Cinema, Live Score, and GOM. The researchers found more than 100 million downloads of infected apps on Google Play, and 8 million on ONE, South Korea's leading mobile app store, they said.

McAfee reported the infected apps to Google, which quickly notified developers that their apps were in violation of Google Play policies and that they needed to fix their apps, the researchers said. They do not mention in their post if they contacted the ONE app store.

Some apps were removed from Google Play outright while others were updated by the official developers. McAfee is encouraging users of any of the affected apps — a list of which is in the post — to update them to the latest version to remove any trace of Goldoson from their devices.

"While the malicious library was made by someone else, not the app developers, the risk to installers of the apps remains," SangRyol Ryu of McAfee's mobile research team wrote in the post.

**How Goldoson Works**

The Goldoson library registers a device right after it infects it, acquiring remote configurations from a command-and-control server (C2) as the app runs simultaneously. It evades detection by both varying and obfuscating the library name and the remote server domain with each application; developers dubbed it "Goldoson," because this is the first domain name they found, they said.

A remote configuration contains the parameters for each of the app's functionalities and specifies how often it runs the components.

"Based on the parameters, the library periodically checks, pulls device information, and sends them to the remote servers," Ryu wrote.

Goldoson's ability to collect data from all the apps on the device comes from a permission called "QUERY\_ALL\_PACKAGES," that it requests from the device. Users of devices with Android version 11 or above installed appear to be more protected from this query, with only about 10 percent of the cases observed by McAfee demonstrating vulnerability, the researchers said.

The malware requests permissions to access location, storage, or the camera at runtime from devices running Android 6.0 or higher. If location permission is allowed, the infected app can access not only GPS data but also Wi-Fi and Bluetooth info from devices nearby, which gives them more accuracy in locating the infected device, especially indoors, the researchers noted, adding that the ability to identify or discover the location of users puts them at risk for further malicious activity.

Goldoson can also load Web pages without the user knowing — a functionality that attackers can abuse to load ads for financial gain, the researchers said. In technical terms, this works because the library loads HTML code and injects it into a customized and hidden WebView, then produces hidden traffic by visiting the URLs recursively, they explained.

Goldoson sends data it collects from devices out every two days to the attackers, who can change this cycle using remote configuration.

**Third-Party Mobile App Component Risk**

The existence of Goldoson demonstrates once again how swiftly malicious activity can spread when it's a part of third-party or open source components that developers build into applications without knowing that they are infected, the researchers noted.

This was well documented in the Apache Log4j debacle — in which a logging library used in nearly all Java environments was found to contain an easily exploitable vulnerability. The repercussions of Log4j — which has been declared an endemic cyberthreat by the Department of Homeland Security because of how many existing applications remain vulnerable — likely will be felt for years to come.

Indeed, this ability to gain a large malicious footprint quickly and without organizations or developers knowing — and thus before they can react — has not been lost on attackers. In response, they increasingly are targeting the software supply chain with malware or exploits for Log4j and other known vulnerabilities — and will continue to do so as their successes mount, observes a security expert.

"Attackers are becoming more sophisticated in their attempts to infect otherwise legitimate applications across platforms," says Kern Smith, vice president for the Americas for sales engineering at mobile security firm Zimperium.

**Demand for Transparency**

Transparency across organizations and developers' teams appears to be the best way to mitigate software supply chain issues, experts said.

Both developers and organizations using applications that include open source or third-party components "need to assess the risks of these applications and their components, especially as it pertains to a software bill of materials (SBOM)," which provides an inventory of what comprises software components, Smith says.

Indeed, developers should be willing to reveal what libraries and other components are used in applications they develop and deliver to protect users and prevent compromise via infected or vulnerable components, McAfee researchers said.

Developers of external libraries also need to be transparent about their code so organizations and developers leveraging them can understand their behavior and thus be aware quickly of any issue that may arise, they said.

'Goldoson' Malware Sneaks into Google Play Apps, Racks Up 100M Downloads

Use ongoing exposure management to parse the riskiest exposures and probable attack paths, then identify and plug the choke points.

In 2022, the National Institute of Standards and Technology reported more than 23,000 new vulnerabilities, the largest spike ever recorded within one calendar year. Alarmingly, this upward trend is anticipated to continue, with recent research suggesting that we may see more than 1,900 new common vulnerabilities and exposures (CVEs) _per month_ on average this year, including 270 rated high-severity and 155 rated critical-severity.

As CISOs and security teams grapple with reduced security budgets and the perpetual scarcity of cyber talent, patching this veritable tidal wave of new vulnerabilities every year is simply an unattainable and ludicrous task.

Out of the hundreds of thousands of registered CVEs, only 2% to 7% are ever seen exploited in the wild. Thus, mindless patching is rarely a fruitful activity. With expanded attack surfaces, the threat landscape isn't as siloed as we often treat it. Attackers aren't executing an attack on an individual vulnerability because it almost never leads to critical assets. Vulnerabilities, in most instances, do not equal exposures and aren't rewarding enough for an attacker looking to penetrate organizational systems.

Instead of concentrating on vulnerabilities, malicious actors are leveraging a combination of exposures, such as credential and misconfigurations, to discreetly attack critical assets and steal company data. Let's explore some of these prominent, and often overlooked, exposures that organizations should be most concerned about.

**The Discarded Environment: On-Premises**

While we cannot discredit the need for robust cloud protections, its dominance over the past decade has caused many to overlook their investment in building effective and agile on-premises controls. Make no mistake, malicious actors continue to actively exploit on-premises exposures to gain access to critical assets and systems, even if they are in cloud environments.

Earlier this year, Microsoft urged users to secure their on-prem Exchange servers in response to several instances where security flaws within the software were weaponized to hack into systems. With all the focus on cloud security, many organizations have become blind to the hybrid attack surface and how attackers can move between the two environments.

**Overly Permissive Identities, Privileged Access**

With convenience in mind, cloud users, roles and services accounts continue to grant excessive permissions. This can make things easier to manage and it avoids having to deal with employees constantly asking for access to various environments, but it also allows attackers to expand their foothold and attack paths after successfully cracking through the first layer of defense.

A balance must be struck because right now, many organizations lack strong governance in relation to identity, resulting in excess access to those who don't require such abilities to perform their tasks.

While securing identities is highly complex in hybrid and multicloud environments, operating on the philosophy that every user is a privileged user makes lateral spread far harder to stop. It could also be the difference between a minor attack and a weeks-long project to try and contain the damage. Our recent research showed that 73% of top attack techniques involve mismanaged or stolen credentials.

**The Human Glitch**

Let us not forget about one of the most common, yet detrimental, mistakes: improper deployment and utilization of security controls. You make the investment, but you also must ensure that you reap the benefits. Despite being a widely communicated issue, security control misconfigurations are still highly prevalent. While no threat detection and response or endpoint solution is bulletproof to begin with, many are also misconfigured, not deployed across the entire environment, or inactive even when deployed.

We are operating in a world of hypervisibility, where diagnostic fatigue is prevalent and security teams are inundated with too many benign and unrelated vulnerabilities. CISOs and security teams seem to be on a quest to see everything. But exhaustingly long lists of exposures and technical weaknesses prioritized based on CVSS or other scoring mechanisms don't make their organizations safer. The key is to see what is important and not lose the critical in the sea of the benign.

Instead of trying to fix _everything_, organizations must work to identify their chokepoints, the areas where exposures commonly converge on an attack path. Doing this requires diligent evaluation of your exposure landscape and grasping how attackers can navigate through your environment to reach critical assets. Once these choke points are identified and remediated, it will make the other exposures irrelevant, not only saving an enormous amount of time, but potentially the sanity of your security team as well.

Additionally, this can have the added benefit of mobilizing your IT teams because it gives them a clear view into the significance of certain patches, and they no longer feel as though they're wasting their time.

**Keeping Ahead of Threat Landscape**

As Henry Ford once said, "If you always do what you've always done, you'll always get what you've always got." While most organizations have robust vulnerability management programs in place, vulnerabilities are only a small portion of risk.

Keeping ahead of the volatile threat landscape requires ongoing exposure management mechanisms. Understanding which exposures present the most risk to your organization and critical assets — and how an attacker may leverage these exposures on an attack path — will significantly help plug gaps and improve overall security posture.

Beyond CVEs: The Key to Mitigating High-Risk Security Exposures

Researchers explore a love-hate relationship with AI tools like ChatGPT, which can be used to both attack and defend more efficiently.

Generative AI tools are already being used to penetrate systems, and the damage will get worse, panelists said last week at a technology conference. But those same tools, enhanced with standard zero-trust practices, can counteract such attacks.

"We're definitely seeing generative AI being used to produce content that would make it more likely for an unwitting partner to click on a link ... \[and\] do something that they shouldn't have to give access to the system," said Kathleen Fisher, director of DARPA's Information Innovation Office, during a breakout session at Nvidia's GPU Technology Conference earlier this month.

A good chunk of the AI infrastructure has been built on Nvidia's GPUs, which is why the company's virtual developer conference has become a watering hole to discuss AI development and techniques. The show's focus is on providing swift and ethical responses to AI requests.

Nvidia CEO Jensen Huang declared ChatGPT's introduction in November 2022 to be the "iPhone moment" for AI. However, there are also concerns about generative AI being used to write malware, craft convincing business email compromise (BEC) messages, and create deepfake video and audio.

"I think we are just seeing the tip of the iceberg of these kinds of attacks. But given how easy that capability is to use and how it's only available as a service these days, we will see a lot more of that in the future," Fisher said.

**AI Deserves Zero Trust**

Perhaps the best-known generative AI system is OpenAI's ChatGPT, which is a chatbot from OpenAI that uses AI to produce coherent answers to user queries. It can write reports and generate code. Other prominent efforts include Microsoft's BingGPT (which is based on ChatGPT) and Google's Bard.

Organizations are eager to try ChatGPT and its competitors, but cybersecurity teams shouldn't be complacent as AI widens the overall attack surfaces and opportunities for hackers to break in, said Kim Crider, managing director for AI Innovation for National Security and Defense at Deloitte, during the panel.

"We should approach our AI from the perspective of 'it is vulnerable, it has already some potential to be exploited against us,'" she said.

Companies need to take a zero-trust approach to AI models and data used to train models. Crider talked about a concept called model drift, where bad data could be fed into an AI model, which could lead to a system acting unreliably.

The zero-trust approach will help put in place investments, systems, and personnel for continuous verification and validation of AI models before and after it is put into use, Crider said.

**Department of Defense's AI Defenses**

DARPA is testing AI cyber agents to enhance its digital defenses. The Cyber Agents for Security Testing and Learning Environments (CASTLE) program simulates a "blue" defensive agent to protect systems against a malicious "red" agent. The blue agent takes actions such as turning off access from a certain source, like an Internet address associated with domain fronting being used to stage an attack.

"The technology is using reinforcement learning, so you have a blue agent that is learning how to protect the system, and its reward is keeping up the mission readiness of the system," Fisher said.

Another defense program, Cyber-Hunting at Scale (CHASE), uses machine learning to analyze information from telemetry, data logs, and other sources to help track down security vulnerabilities in DoD's IT infrastructure. In a retrospective experiment, CHASE found 13 security incidents about 21 days earlier than the standard technique.

"It was very smart about the data management that it then fed into other machine learning algorithms that were in fact much more able to identify the threats really quickly," Fisher said.

Finally, Fisher talked about Guaranteeing AI Robustness Against Deception (GUARD), which uses machine learning to prevent data poisoning, which could potentially affect the effectiveness of AI systems.

**Civilian Use of AI-Based Cybersecurity**

The panelists also suggested supplementing standard security approaches, like running security drills to minimize phishing, with multiple security layers to make sure systems are safe.

Some AI-based defense tools are entering the commercial market. Microsoft introduced Security Copilot, an AI assistant that can help security teams triage threats by actively monitoring internal networks and comparing it to Microsoft's existing security knowledge base.

Microsoft runs all of its AI operations on GPUs from Nvidia. That's partly to take advantage of Nvidia's AI-based security algorithm Morpheus, which can diagnose threats and abnormal activity by analyzing system logs and user log-in patterns.

AI provides many benefits, but there needs to be a human at the wheel for security, Fisher said, giving the example of an autonomous car where a human is ready to take over if something goes wrong with a car's AI system.

Fisher said, "In a way, that takes the psychology of people seriously in terms of what we can do right now to improve the cyber system while we're waiting for these more enhanced agents" that can defend against cyberweapons more quickly than people typing on keyboards can.

"I think 2023 is going to be a major turning point in the generative AI space," Deloitte's Crider said. "It terrifies the heck out of me."

How Zero Trust Can Protect Systems Against Generative AI Agents

Researchers are warning about a dangerous wave of unwiped, secondhand core-routers found containing corporate network configurations, credentials, and application and customer data.

Cameron Camp had purchased a Juniper SRX240H router last year on eBay, to use in a honeypot network he was building to study remote desktop protocol (RDP) exploits, and attacks on Microsoft Exchange and industrial control systems (ICS) devices. When the longtime security researcher at Eset booted up the secondhand Juniper router, to his surprise it displayed a hostname.

After taking a closer look at the device, Camp contacted Tony Anscombe, Eset's chief security evangelist, to alert him to what he found on the router. "This thing has a whole treasure trove of Silicon Valley A-list software company information on it," Camp recalls telling Anscombe.

"We got very, very concerned," Camp says.

Camp and Anscombe decided to test their theory that this could be the tip of the iceberg for other decommissioned routers still harboring information from their previous owners' networks. They purchased several more decommissioned core routers — four Cisco Systems ASA 5500, three Fortinet FortiGate, and 11 Juniper Networks SRX Series Services Gateway routers.

After dropping a few from the mix after one failed to power up and another two were actually mirrored routers from a former cluster, they found that nine of the remaining 16 held sensitive core networking configuration information, corporate credentials, and data on corporate applications, customers, vendors, and partners. The applications exposed on the routers were from big-name software vendors used in many enterprises: Microsoft Exchange, Lync/Skype, PeopleSoft, Salesforce, Microsoft SharePoint, Spiceworks, SQL, VMWare Horizon View, voice over IP apps, File Transfer Protocol (FTP), and Lightweight Directory Access Protocol (LDAP) applications.

These network backbone devices in essence contained digital blueprints of the previous owner organizations' networks, including Border Gateway Protocol (BGP), Routing Information Protocol (RIP), and Open Shortest Path First (OSPF) routing information. The researchers "found complete layouts of various organizations' inner workings" that, in the hands of threat actors, would provide a network topology map for attack, according to the Eset researchers' white paper on the router research, released Tuesday.

The routers contained one or more set of IPSec or VPN credentials, or hashed root passwords, and each had sufficient data for the researchers to identify the actual previous owner/operator of the device. Nearly 90% included router-to-router authentication keys and details on applications connected to the networks, some 44% had network credentials to other networks (such as a supplier or partner), 33% included third-party connections to the network, and 22% harbored customer information.

"I have the entire network topology of their core infrastructure, both internal and external, like cloud assets," for example, Camp says.

Camp says the discovery was a far cry from the malware he typically studies, and a lot less work for an attacker who happened upon one of these unwiped routers. "I don't need a zero day, I have your router," quips Camp.

Abscombe and Camp say they hope to alert enterprises on the proper disposal of critical network routers when they present their findings at the RSA Conference next week.

"They are the intersection upon everything that happens in your organization," Camp says of core routers. "Everything touches the router," including many cloud services, he adds.

Recycled and repurposed computing equipment traditionally has been a fraught area. Hard drives, mobile devices, and printers over the years have been found improperly cleansed of sensitive data. In 2019, a study conducted by Rapid7 found just two out of 85 devices had been properly wiped before they were handed off to secondhand sellers or recycling services. But decommissioned and unwiped routers pose a deeper level of security risk due to the vast amount of infrastructure information they hold.

**'Creepy' Interface**

Among the organizations whose information was exposed were a manufacturing company, a US law firm, managed services providers, an open source software firm, an events company, a telecommunications equipment supplier, a global data company, and a creative services company. Eset did not disclose the names of the organizations, but the researchers confirmed that they contacted all of them.

The Silicon Valley software vendor was quick to respond, even awarding Camp a bug bounty that he then donated to the Electronic Freedom Foundation and the Tor Project. But that was the researchers' easiest disclosure.

"Once we stepped outside of the tech \[sector\], it was incredibly different" and harder to disclose our findings, Anscombe notes. The other organizations didn't have processes or even people available to handle the disclosure information, he says.

Meanwhile, one of the unwiped routers contained what Camp describes as a "creepy" remote administration interface.

"I was never sure if it was on purpose, but it was creepy, very low-level access, and from one of the countries with flags that we're \[the US\] not happy with right now," he says. "It could be totally legit or that could be really bad. It was a little edgy to me."

**How to Securely Dispose of a Core Router**

So how do you wipe a router that you want to retire? The good news is most routers are fairly easy to securely decommission, and the big three — Cisco, Fortinet, and Juniper — on their websites provide detailed guidelines for restoring devices to their factory default settings.

With Juniper routers, for example, wiping the device is simple: "Going to config setting and type 'delete,' hit 'Y' \[to confirm\] and now that router doesn't know who it is anymore," Camp says. The entire wiping process takes less than five minutes, including the post-deletion reboot.

And if your organization already had disposed of routers that weren't properly wiped, Eset recommends rotating cryptographic keys in case an attacker were to get their hands on your old router and attempt to gain trusted access to your network. Zero trust can help here as well, they say.

But that's still no guarantee that a malicious actor who buys your old router still couldn't use it to target your organization. "Even if somebody goes and changes the credentials of the accounts being cached in router, potentially \[the attacker has\] got the app lists, so \[they\] can tell what apps are run internally locally or in the cloud," Abscombe says.

That gives the attacker just enough intel to plan a targeted attack, according to Abscombe. "If I know they're running \[a specific version of\] Exchange and that version had a CVE and they had not applied the patch … I suddenly know things about their network that can make them vulnerable," he says.

If you buy a secondhand core router, and, like the researchers, find that it still contains the previous owner's information, Eset recommends disconnecting the router and moving it to a secured area and contacting your regional CISA office. They also say it's best to document your purchase process as a precaution for insurance or legal purposes.

Source

DARKReading