**PRESS RELEASE**

**(Lehi, UT) Oct. 12, 2023 —** DigiCert, a leading global provider of digital trust, today announced its next generation Discovery, a set of key capabilities in DigiCert® Trust Lifecycle Manager that enable customers to build a centralized book of record of their cryptographic keys and certificates. This centralized view, when coupled with management and automated provisioning and renewal, improves cryptoagility, reducing the time and resources needed to update algorithms, rotate keys and certificates and remediate threats.

"The majority of organizations have not yet implemented a centralized crypto-management solution," said DigiCert Chief Product Officer Deepika Chauhan. "This is becoming critical now, as IT leaders consider how to transition their cryptographic algorithms and certificates to quantum-safe standards in order to protect their organizations against 'harvest now, decrypt later' strategies."

In a recent Gartner® report1, Senior Director Analyst Brian Lowans wrote, "All cryptographic technologies will need to evolve to cope with the future threat of quantum computing, which is increasing the need for innovative technologies such as crypto-agility, postquantum cryptography and quantum key distribution."

Trust Lifecycle Manager Discovery employs a broad set of methods for finding certificates within an organization, including integration with private CAs, such as AWS Private CA and Microsoft CA, integration with vulnerability management solutions such as Qualys and Tenable, integrations with web servers and load balancers, and port-based scanning. 

"The integration of Qualys Vulnerability Management, Discovery and Response (VMDR) and DigiCert products enables our customers to manage and automate the cryptographic assets that they discover in their vulnerability scans," said Pinkesh Shah, Chief Product Officer, Qualys. "This seamless integration enables companies to tightly couple their vulnerability management and cryptoagility strategies, improving their security posture and agility while reducing their cyber risk."

Learn more about Trust Lifecycle Manager Discovery here. 

1.  Gartner, Hype Cycle™ for Data Security, 2023, Brian Lowans, 14 July 2023

GARTNER and HYPE CYCLE are registered trademarks of Gartner, Inc. and/or its affiliates in the US and internationally and is used herein with permission. All rights reserved.

**About DigiCert, Inc.**  
DigiCert is a leading global provider of digital trust, enabling individuals and businesses to engage online with the confidence that their footprint in the digital world is secure. DigiCert® ONE, the platform for digital trust, provides organizations with centralized visibility and control over a broad range of public and private trust needs, securing websites, enterprise access and communication, software, identity, content and devices. DigiCert pairs its award-winning software with its industry leadership in standards, support and operations, and is the digital trust provider of choice for leading companies around the world. For more information, visit www.digicert.com or follow @digicert.

DigiCert Announces Comprehensive Discovery of Cryptographic Assets

**PRESS RELEASE**

**REDWOOD CITY, Calif., October 11, 2023 –** Appdome, the mobile one-stop shop for mobile app defense, today released new threat evaluation tools inside ThreatScope™ Mobile XDR to deliver enhanced monitoring, investigation and threat evaluation for mobile apps and brands globally. Among the new tools is Threat-Inspect™, a powerful new ability to investigate, drill down, share and report on defenses, attacks and threats in the production environment. 

Appdome's ThreatScope™ Mobile XDR gathers thousands of threat signals from mobile app security, hacking, fraud, malware, cheat, and bot attacks from inside deployed mobile apps, and translates that data into brand relevant views that cyber, fraud and business teams can use to evaluate and respond to mobile threats and attacks in real time. The new evaluation tools include: (1) Threat-Inspect, for deep threat inspection, (2) Threat-Views™, for creating savable monitoring perspectives by app, device, OS, attacks and other parameters, and (3) Threat-Snapshots for ease of reporting and collaboration. ThreatScope Mobile XDR is pre-integrated with Appdome’s Cyber Defense Automation platform for Android & iOS apps for instant response to any cyber or fraud attack. 

"Real-time attack data from the native mobile app channel is full of surprises," said Tom Tovar, co-creator and CEO of Appdome. "Our new evaluation tools, including Threat-Inspect, allow even faster and deeper investigation into cyber and fraud data from the mobile channel and empower mobile brands to view this data from a business context."

The new threat evaluation features in ThreatScope Mobile XDR provide mobile businesses and brands: 

**Threat-Inspect™** allows cyber teams to pivot between "All" and “Unique” attacks as well as between attacks and “Impacted Devices,” to see the number of unique devices experiencing each attack. This new capability allows cyber responses to be tailored to the specific threat(s) in the production environment while also easing the remediation burden for mobile users and brands globally. 

A unique feature of Threat-Inspect is that it also can be used in conjunction with Appdome’s recently released Build-to-Test automated testing capability. Build2Test allows Appdome-protected mobile apps to be used inside automated mobile app testing suites, logging all security events for the developer to track and monitor. These logged security events are now visualized inside Threat-Inspect.  

**Threat-Views™** allows security teams to zoom in and monitor specific aspects of the mobile app defense, attack and threat data shown on ThreatScope. Create and save any number of Threat-Views to monitor one or more mobile applications, OS, OS Version, attack vector, mobile app release, Fusion Set (defense model), geographic region or other parameter. Threat-Views enable persistent business level viewing and analysis, which is essential for demonstrating ROI and keeping the overall mobile business safe. 

**ThreatScope Snapshots™**allow cyber teams to export and share real-time mobile app defense and attack snapshots from ThreatScope, Threat-Views or Threat-Inspect data. Use ThreatScope Snapshots to keep cyber, fraud, and business teams informed on progress in stopping security, fraud, malware, and other attacks, demonstrate compliance, or collaborate with other teams internally. 

Powering these features are new levels of metadata now available in ThreatScope. These include enhanced attack, threat and fraud metadata including geo-location, unique identifiers for threats and impacted installations as well as new options such as IP address and more. This metadata allows mobile brands to click to see all the in-production mobile apps and installations impacted by each attack or threat. Simply click on a specific attack or threat and choose the impact view needed by each business line. IP address and unique device data can now also be downloaded for offline analysis. 

"These enhancements to ThreatScope really raise the bar on actionable, interactive risk and threat intelligence for mobile apps," said Eric Newcomer, CTO and Principal Analyst at Intellyx. "You can drill down on device data to see which devices are impacted, and explore different views by geo-location, threat ID, and IP address – all in real time. And you can now capture and export the data for internal distribution."

Appdome's Threat-Scope Mobile XDR is the only XDR solution offering consolidated, real-time, cyber security, fraud, malware, cheat and bot attack and threat intelligence from in-production Android & iOS apps. With ThreatScope Mobile XDR, mobile brands, developers, cyber and fraud teams can immediately respond with updated security models, build-by-build and release-by-release and prioritize protections that have a real impact on the mobile business and users. The entire ThreatScope Mobile XDR capability inside Android & iOS apps without any burden on mobile dev teams, including no code, no SDK and no servers to deploy and, most importantly, no separate agent installed on the mobile device. 

"Once you see the data in ThreatScope Mobile XDR, you can't live without it," said Chris Roeckl, Chief Product Officer at Appdome. "Combining real-time data with instant action is the only way to combat the huge diversity, sophistication and relentlessness hackers, attackers and fraudsters use to compromise mobile apps, brands, and users globally."

For more information about ThreatScope™ Mobile XDR visit: www.appdome.com 

**About Appdome**  

Appdome, the mobile app economy’s one-stop-shop for mobile app defense, is on a mission to protect every mobile app in the world and the people who use mobile apps in their lives and at work. Appdome provides the mobile industry’s only mobile application Cyber Defense Automation platform, powered by a patented artiﬁcial-intelligence based coding engine, Threat-Events™ Threat-Aware UX/UI Control and ThreatScope™ Mobile XDR. Using Appdome, mobile brands eliminate complexity, save money and deliver 300+ Certified Secure™ mobile app security, anti-malware, anti-fraud, MOBILEBot™ Defense, anti-cheat, MiTM attack prevention, code obfuscation and other protections in Android and iOS apps with ease, all inside the mobile DevOps and CI/CD pipeline. Leading ﬁnancial, healthcare, mobile games, government and m-commerce brands use Appdome to protect Android and iOS apps, mobile customers and mobile businesses globally. Appdome holds several patents including U.S. Patents 9,934,017 B2, 10,310,870 B2, 10,606,582 B2, 11,243,748 B2 and 11,294,663 B2. Additional patents pending.

Appdome Announces Attack Evaluation Tools in Digital Economy's Mobile XDR

A plurality of the targets in the ongoing campaign have been based in the Americas.

A threat actor is using compromised Skype and Microsoft Teams accounts to distribute DarkGate, a troublesome loader associated with multiple malicious activities, including information theft, keylogging, cryptocurrency miners, and ransomware such as Black Basta.

Forty-one percent of the targets of the campaign — which appears to have begun in August — are organizations in the Americas, according to researchers at Trend Micro who are tracking the activity.

In a report this week, Trend Micro also said its researchers had observed the developer of DarkGate begin to advertise the malware on underground forums and renting it out on a malware-as-a-service basis to affiliate threat actors. The pivot, after years of going it alone, has resulted in a recent surge in DarkGate activity after a relative lull.

**Microsoft Phishing Via Skype and Teams**

The operator of the DarkGate campaign that Trend Micro is currently tracking is using both Skype and Teams to distribute the malware. In one of the attacks, the threat actor took control of a Skype account belonging to an individual at an organization with whom the target recipient's organization had a trusted relationship. The adversary basically used the compromised Skype account to hijack an existing message thread and send a message that appeared to contain a PDF file but was actually a malicious VBS script. When the recipient executed the file, it initiated a sequence of steps to download and install DarkGate on the target computer.

In another attack that Trend Micro analyzed, the threat actor attempted to achieve the same outcome using a Teams account to send a message with a malicious .LNK file, to a target recipient. Unlike the Skype caper, where the threat actor purported to be someone belonging to a trusted third party, in the Teams variation, the recipient received the malicious message from an unknown, external entity. 

"In this case, the organization’s system allowed the victim to receive messages from external users, which resulted in them becoming a potential target of spam," Trend Micro said.

"We also observed a tertiary delivery method of using a VBA script wherein a .LNK file arrives in a compressed file from the originators' SharePoint site," the security vendor said. In this attack variation, the threat actor attempts to lure the victim to a specific SharePoint site, to download a file named "Significant company changes September.zip."

**DarkGate: A Potent Threat**

DarkGate is malware that has targeted users in various regions around the world since at least 2017. It integrates multiple relatively potent functions; for instance, the malware can execute commands for gathering system information, mapping networks, and doing directory traversal. It also implements remote desktop protocol (RDP), hidden virtual network computing, AnyDesk, and other remote access software. Other "features" include ones related to cryptocurrency mining, keylogging, privilege escalation, and stealing information from browsers.

For payload delivery and execution, DarkGate uses AutoIT, a legitimate Windows automation and scripting tool that authors of other malware families have used for obfuscation and defense evasion.

**DarkGate Offers Multiple Potential Payloads**

Trend Micro's analysis showed that once DarkGate is installed on a system, it drops additional payloads. Sometimes those are variants of DarkGate itself or of Remcos, a remote access Trojan (RAT) that attackers previously haveused for cyber-espionage surveillance and for stealing tax-related information.

Trend Micro said it was able to contain the DarkGate attacks it observed before any actual harm came to pass. But given the developer's apparent pivot to a new malware leasing model, enterprise security teams can expect more attacks from varied threat actors. The objectives of these adversaries could vary, meaning organizations need to keep an eye out for threat actors using DarkGate to infect systems with different kinds of malware.

While the attacks that Trend Micro observed targeted individual Skype and Teams recipients, the attacker's goal clearly was to use their systems as an initial foothold on the target organization's networks. "The goal is still to penetrate the whole environment, and depending on the threat group that bought or leased the DarkGate variant used, the threats can vary from ransomware to cryptomining," according to Trend Micro.

The security firm recommends that organizations enforce rules around the use of instant messaging applications such as Skype and Teams. These rules should include blocking external domains, controlling the use of attachments and implementing scanning measures if possible. Multifactor authentication is also crucial to prevent threat actors from misusing illegally obtained credentials to hijack IM accounts, Trend Micro said.

DarkGate Operator Uses Skype, Teams Messages to Distribute Malware

Scammers have targeted the vaunted blue check marks on the platform formerly known as Twitter, smearing individuals and brands alike.

Fraudsters are taking advantage of the new verification system implemented by X, formerly known as Twitter, in order to impersonate brands and steal personal information.

The infamous blue checkmark used to be reserved for verified companies and influencers. But after purchasing the microblogging giant, and following a period of rapidly declining users and revenue, Elon Musk changed the rules, enabling anybody to obtain one simply by paying a monthly fee.

The site's new, liberal approach to authentication has opened the door for scammers, while the introduction of other tiers of "authentication" — gold and gray badges, for instance — has created confusion for brands and users alike.

Dark Reading was unable to reach X for comment on this story.

**How Blue Check Scams Work**

In July, the budget British airline easyJet canceled over 1,700 summer flights from Gatwick Airport in London.

Anticipating a wave of angry customers, scammers filled in the void.

According to the UK nonprofit Which?, a bevy of copycat easyJet accounts were created in the hours thereafter, with at least five surviving an initial sweep of account shutdowns. Their usernames mimicked the company's legitimate username, and in their bios they linked to "Online Help Hubs," which were actually just phishing pages designed to harvest personal information. The scammers also engaged angry customers over direct messages, and occasionally intervened in conversations they were having with the actual company.

_Source: Which?_

Not all of the blame lies with X, though. Companies that shirk on customer service often direct angry customers to social media instead, since it's allegedly faster (read: more cost-effective).

One UK resident told The Guardian in August how, after months of fruitlessly attempting to get a refund on a canceled holiday flight, he finally conceded to engage with Booking.com over X.

Booking.com asked him to send them his phone number via DM. After a call over WhatsApp, they agreed to refund his payment, but he would first need to download an app.

Only then, with his suspicion aroused, did the man realize the company's account handle had an unexpected hyphen in it, and their WhatsApp caller ID traced to Kenya.

"I've since come across other fake Booking.com Twitter accounts which are following customers who are at their wits' end trying to get a refund and have resorted to X to air their grievance with the company,” he recalled to reporters.

**Reckoning With the New Check Mark System**

Rather than just the blue check mark, X currently offers four tiers for accounts:

*   The blue check now only reflects that a user pays for an "X Premium" monthly subscription.
*   Gray check marks are reserved for government bodies and officials.
*   Gold check marks replace the blue, to authenticate official corporate accounts.
*   Individuals associated with organizations may also have a logo next to their names.

A gold badge costs $1,000 per month (plus $50 for additional affiliates), meaning that small businesses may not be able to afford authentication, and larger ones may not want to pay. And it's even led to inconsistencies within organizations. In a blog published Thursday, Kaspersky highlighted how Microsoft's presence on X is a mess of accounts with and without gold check marks, some affiliated with the organization and some not.

**What Companies Can Do About X Brand Impersonation**

Companies unable (or unwilling) to shell out the cash and organize around X's new rules — and companies like easyJet, for whom even doing everything right isn't enough to fend off copycats — will need other means of protecting their customers and their brand names. Because like any typosquatting endeavor, a diligent phishing campaign can erode consumer trust.

"For sensitive communication or support," says Callie Guenther, senior manager of threat research at Critical Start, "directing customers back to the official website or a recognized customer service number can be effective. And a consistent online presence, characterized by regular updates and engagement, can deter impersonators and give customers confidence in the brand's authenticity."

However, she cautions, "any system that implies trust through verification can be exploited, so users should always be cautious. LinkedIn, for example, doesn't have a checkmark system similar to Twitter, but fake profiles or impersonators can still exist."

Brands Beware: X's New Badge System Is a Ripe Cyber-Target

Popular malware like QakBot and DarkGate rely on VBScript, which dates back to 1996 — but their days are numbered now that Microsoft is finally deprecating the Windows programming language.

Microsoft announced this week that it's deprecating the timeworn VBScript — bad news for cybercriminals, for whom it's a favorite tool.

In future releases of Windows, VBScript will be available only as a feature on demand; and eventually, it will be removed from the operating system altogether.

The VBScript programming language, short for Visual Basic Script, is nearly 30 years old, having been introduced in the mid-90s as a lightweight way to natively generate programming scripts. But like grunge fashion and Neve Campbell movies, its pre-Y2K moment in the sun is long past.

Yet cybercriminals continue to use it as an avenue for initial access to targets, especially since Microsoft started blocking macros by default. Threat actors quickly discovered after its release that they could create malicious VBScripts that would run natively and unquestioned on Windows machines, which could help them smuggle in any number of remote access Trojans, downloaders, and more.

An early example of this was the "ILoveYou" worm from 2000, but more recent malware "gettin' VBS-y wit' it" (to malaprop another mid-90s sensation) include Emotet, QakBot, and DarkGate.

That class of malware's days now appear to be numbered.

"Initially, the VBScript feature on demand will be preinstalled to allow for uninterrupted use while you prepare for the retirement of VBScript," according to the official announcement from Redmond. In other words, for the interim period before full discontinuation, it will be disabled by default, but users can choose to turn it on if they wish.

Microsoft didn't provide a timeline for when it plans full removal of the tool.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Microsoft Set to Retire Grunge-Era VBScript, to Cybercrime's Chagrin

**PRESS RELEASE**

**WATERLOO, ON, Oct. 10,2023 / PRNewswire/--** BlackBerry Limited (NYSE: BB; TSX: BB), the pioneer of enterprise mobility management, today announced two major new Unified Endpoint Management (UEM) innovations — BlackBerry UEM at the edge and BlackBerry UEM for the IoT.

BlackBerry® UEM software is used for managing, monitoring, and securing all of an organization's end-user devices. Taking BlackBerry UEM to the edge will enhance enterprise productivity and employee experience by placing workloads close to the end user and their device for ultra-low latency connectivity, while maintaining the highest security standards that customers rely on and trust BlackBerry to deliver – in testing users saw up to 87% decrease in latency. The solution brings the BlackBerry Network Operations Center (NOC), the company's unique secure connectivity infrastructure, to the edge and integrates with AWS Local Zones and Availability Zones to securely place compute, storage, and other services where data is being generated and consumed. BlackBerry UEM at the edge is compatible with BlackBerry UEM on-prem and cloud.

BlackBerry UEM for the Internet of Things (IoT) will expand unified endpoint management to IoT devices enabling organizations to realize the vast benefits of the IoT and reduce unknown risks in their environment. The solution integrates BlackBerry UEM with AWS IoT Greengrass, an open source edge runtime and cloud service used on millions of IoT endpoints across the connected world – in factories, vehicles, healthcare, enterprises – to provide IoT endpoint visibility and management and empower IT teams. Advancing the company's convergence vision, this new addition to BlackBerry UEM will enable organizations to seamlessly and securely inventory and manage their IT and IoT endpoints from a single console.

"BlackBerry founded and has been a leader in the enterprise mobility management market for over twenty years. We are once again revolutionizing the market, by leapfrogging the industry in endpoint management innovation and paving the way for convergence," said Neelam Sandhu, Chief Elite Customer Success Officer, BlackBerry. "It has been wonderful to collaborate with AWS to develop BlackBerry UEM at the edge and BlackBerry UEM for the IoT, to enable our customers to unlock new business value through digital technologies, which offer the potential to transform and advance every aspect of the connected world, spanning how we live and work." 

"IoT has advanced over the past years across different industries – automotive, enterprise, medical, manufacturing. The convergence of the IoT with security at the forefront of the conversation is now emerging as a must-have for the connected world. Bridging systems in the cloud provides scale, consistency, and flexibility to organizations to access data across the IoT and developers to innovate to deliver new value. AWS is delighted to collaborate with BlackBerry on UEM edge and IoT solutions to deliver unified and innovative endpoint management solution for the future of the connected world," said Dr. Sarah Cooper, General Manager for Industry Products at AWS.

The IoT is a foundational pillar of the future of digital transformation and unlocks new business opportunities for organizations by dramatically extending the reach of information technology. The value of enterprise IoT is largely untapped today due to the heavy compute requirements of the IoT and the complexity of the IoT network. Edge computing addresses the increasing demand for real-time data processing and analysis, and increased endpoint visibility provides valuable situational awareness and security benefits, enabling organizations to easily integrate IoT into their IT strategies. 

BlackBerry UEM holds the most security certifications in the industry and is the only UEM product to be named 2023 Customers Choice by Gartner® Peer Insights™.

AWS provides reliable, scalable, and inexpensive cloud computing services to organizations around the world. For more information on AWS products click here.

For more information on BlackBerry UEM at the edge or BlackBerry UEM for the IoT, including general availability dates, register for BlackBerry Summit, taking place on October 17, where speakers from industry, enterprise and BlackBerry will reveal the future of IoT, IT and Cybersecurity and showcase the latest BlackBerry innovations.

**About BlackBerry**

BlackBerry (NYSE: BB; TSX: BB) provides intelligent security software and services to enterprises and governments around the world. The company secures more than 500M endpoints including over 235M vehicles. Based in Waterloo, Ontario, the company leverages AI and machine learning to deliver innovative solutions in the areas of cybersecurity, safety, and data privacy solutions, and is a leader in the areas of endpoint security, endpoint management, encryption, and embedded systems. BlackBerry's vision is clear - to secure a connected future you can trust.

For more information, visit BlackBerry.com and follow @BlackBerry.

_Trademarks, including but not limited to BLACKBERRY and EMBLEM Design are the trademarks or registered trademarks of BlackBerry Limited, and the exclusive rights to such trademarks are expressly reserved. All other trademarks are the property of their respective owners. BlackBerry is not responsible for any third-party products or services._

BlackBerry Unveils Next-Generation UEM Redefining the Endpoint Management Market

The company has taken down its systems in an effort to determine the scope of the attack.

Simpson Manufacturing filed an 8-K form with the Securities and Exchange Commission (SEC), stating that it experienced disruptions in its IT infrastructure and applications due to a cyberattack on Oct. 10.

Simpson Manufacturing, an engineering, manufacturing, and building products company based in California, employs more than 5,000 people worldwide.

Due to the attack, the company has taken certain systems offline to mitigate the issue; operations are expected to be disrupted until the incident is fully resolved. An investigation has been launched to determine the nature of the attack as well as the scope of its effect.

The company has also enlisted the help of third-party cybersecurity experts to assist in the ongoing investigation as well as the recovery efforts.

It is possible that the cyberattack Simpson Manufacturing experienced deals with ransomware, given that the company's response method to the incident is typical for a ransomware attack, though Simpson Manufacturing provided no information as to the type of attack it experienced. 

This incident came just after the company announced it would report its third-quarter financial results later this month.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Simpson Manufacturing Launches Investigation After Cyberattack

By working cooperatively, the West and Africa can mobilize to tackle nation-state-backed cyber threats.

Nation-state hackers are a potent weapon in the hands of countries. The days a war starts by someone pulling a trigger are gone: It has been replaced by the Enter key.

To gain the best possible insights into global threat landscapes, who is attacking who, why they're attacking, and how the West and Africa can mobilize to tackle nation-backed cyber threats, it's crucial to understand the geopolitical dynamics of cyber warfare. Only by gaining a thorough context of the situation can governments, businesses, and cybersecurity providers effectively reduce nation-backed cyberattacks.

**The Role of Africa in Global Cyber Warfare**

Africa, and South Africa in particular, forms a delicate bridge between the East and the West. On one hand, Africa has economically benefited from the East; Eastern mining, infrastructure, and private-sector companies all have roots in the continent. At the same time, Africa increasingly seeks trade deals with the West.

Careful balancing of economic ties with Eastern and Western nations has enabled Africa to accelerate its export trade in the last decade, with the continent's average GDP growth expected to rise from 3.8% in 2022 to 4.1% in 2023–2024.

However, as large Western organizations conduct business with African nations, they become vulnerable to the threat of cyberattacks coordinated across the continent. Many of these attacks are perpetrated by attackers based in or backed by the BRICS nations (Brazil, Russia, India, China, and South Africa).

Cyberattacks have proliferated over the last decade, particularly in Africa. In Kenya and Nigeria, Kaspersky reports a large increase in financial and banking Trojans in the second quarter of 2021 compared with the first quarter of 2021: a 59% increase in Kenya, and a 32% increase in Nigeria.

A 10-year review of the cyber-threat landscape in South Africa finds that the most prevalent perpetrators of cybercrime were trained hackers, and the most common motivation was criminal.

Countries spanning the continent are targeted on a mass scale, often using the same threat methodologies. At Performanta, we've seen attack methodologies repeated by actors across various countries: we discovered a Lazarus Group cyberattack network operating in Zambia and tracked the same attack tools and methodologies to activity in Uganda.

We've also seen APT40, also known as Kryptonite Panda, an advanced persistent threat (APT) located in Haikou, Hainan Province, People's Republic of China, target government organizations, companies, and universities in a wide range of industries via Africa and across the United States, Canada, Europe, and the Middle East. APT40 counterparties, China-based Phantom Panda and Wet Panda, have similarly targeted these regions over telecommunications networks.

Why are Eastern APT groups attacking via Africa? There are a few motivations: Attackers may perceive attacking Africa to have fewer risks; they're aiming to access Western assets via Africa; or they are testing attack methodologies on Africa to later use in the West on home soil. The big picture is dangerously murky, but all these reasons enter into the equation.

**Where Does the West Come in?**

The West and Africa are intrinsically linked as they both fall afoul of the East and BRICS attacks. To counter this, both must implement long-term collaborative efforts to turn the cyberwars in their favor. Any short-term partnership fails to consider the aggressively innovating threat landscape, where insights are outdated almost as soon as they are collected.

Working cooperatively, the West and Africa can share knowledge of APT threats, attack success rates, emerging methodologies, and the strategies deployed by specific nations, sponsored groups, or ransomware-as-a-service (RaaS) brokers. Managed security service providers possess deep knowledge of regional threat landscapes in Africa, and this could prove pivotal in deciphering the severity of threat data and data loss, allowing more efficient threat categorization.

With this information, the right combat tools can be put into place and attacks can be thwarted more successfully. Both parties can gain visibility into new threat-prevention methods, big data sets, and powerful cybersecurity tools that can help them fight the threat of BRICS-backed actors on all fronts.

In the pursuit of global cyber safety, immediate, direct cooperation is the only way that Africa's unique placement as a bridge between East and West can transform from a vulnerability to an advantage.

The Cyberwar Between the East and the West Goes Through Africa

Evasive malware disguised as a caching plug-in allows attackers to create an admin account on a WordPress site, then take over and monetize sites at the expense of legitimate SEO and user privacy.

Sophisticated malware capable of creating an administration account for a website is lurking behind an authentic-looking WordPress caching plug-in, giving threat actors a way to completely hijack infected websites at will.

Researchers from Wordfence discovered the plug-in, which can perform a variety of malicious tasks while masquerading as legitimate add-on software for the WordPress platform, they revealed in a blog post Oct. 11. Chief among this activity is the ability to create an admin account and remotely activate plug-ins — basically giving threat actors free rein over infected sites.

The backdoor can work both as a standalone script and also as a plug-in, with features like remote plug-in activation and conditional content filtering that give it evasion capabilities difficult for inexperienced users to detect.

Other capabilities include the ability to add filters to prevent the malware from being included in the list of activated plug-ins, pinging functionality that allows a malicious actor to check if the script is still operational, and file-modification capabilities. Further, the backdoor can activate or deactivate arbitrary plug-ins remotely, which is "useful to disable unwanted plug-ins and also to activate this malicious plug-in as needed," Wotschka wrote.

"Since the malicious file runs as a plug-in within the context of WordPress, it does have access to normal WordPress functionality just like other plug-ins do," Wordfence vulnerability researcher Marco Wotschka wrote in the post. "Taken together, these features provide attackers with everything they need to remotely control and monetize a victim site, at the expense of the site’s own SEO rankings and user privacy."

A Wordfence analyst discovered a sample of the malware during a site clean on July 18, and created a signature the following day, which was subsequently tested and released to Wordfence customers on Sept. 1.

**Malicious Plug-in: A Hidden but Detectable Malware Enemy**

The researchers broke down some of the key functionality of the malicious plug-in, including features that are most likely to arise suspicion among current site administrators or users.

One of those is to use wp\_create\_user function to create a new user account with the username superadminand a hardcoded password to set up an attacker as a website administrator. This account is removed once a victim has been successfully compromised as a way to remove traces and thus reduce changes of detection, according to Wordfence.

"While often seen in test code, user creation with hardcoded passwords should be considered a red flag, and the elevation of this user to an administrator is certainly reason enough for suspicion," Wotschka wrote.

The malicious plug-in also includes bot detection code, which is often present in malware on a website that serves normal content to some users while redirecting or presenting malicious content to others.

"One common thread shared by these infection scenarios is that site owners find their site looks fine to them, but their visitors have reported issues such as seeing spam or being redirected to dubious sites," Wotschka explained.

Further, since this kind of malware wants search engines to find the malicious content, it is usually served to them as they index a site, he said. Threat actors use keyword stuffing to help increase traffic sent to infected sites, with administrators often reporting a sudden, unexpected surge in site traffic when their sites are hit by an infection.

While the presence of bot detection code on its own is not enough to verify that malicious activity is present on a website, it does stand out as suspicious activity, Wotschka added.

**Securing WordPress Sites**

Plug-ins remain an exposed and sizeable attack surface for WordPress and the millions of sites built on it, an endemic issue that remains a persistent threat. Threat actors have targeted WordPress sites via both malicious and vulnerable plug-ins, with both issues often going unnoticed by site operators until after a website is already under active attack.

Overall, anyone building websites using WordPress should follow security best practices in how they configure the sites to ensure they remain as protected as possible. Wordfence advised that they should also include some type of security monitoring on the site in case of compromise even after following these practices.

Backdoor Lurks Behind WordPress Caching Plug-in to Hijack Websites

Government security processes are often viewed as tedious and burdensome — but applying the lessons learned from them is imperative for private industry to counter a nation-state threat.

The private sector's utility, telecom, banking, transportation, and medical networks have become a part of physical, mental, and economic well-being in the modern world. They are also under unprecedented threat from state actors — recently underscored by the unclassified summary of the Department of Defense's cybersecurity strategy, which stated that China "steals technology secrets and undermines the DIB \[defense industrial base\]," and that, in the event of conflict, China "likely intends to launch destructive cyber attacks against the U.S. Homeland." The Director of National Intelligence's assessment further elaborated that "China is almost certainly capable of launching cyberattacks that could disrupt critical infrastructure services within the United States, including against oil and gas pipelines, and rail systems."

The DIB and critical infrastructure are under clear threat from our near-peer competitors and would do well to apply select best practices from US government classified systems to protect their own crown jewels.

**Understand Where and How Protected Enclaves and the Internet Intersect**

Whether in the operational technology (OT) networks of utilities, the research and development enclaves of pharmaceutical networks, or the medical equipment networks of hospitals, some parts of networks need to be more secure than others. But even in utilities' OT networks, which contain a critical mass of potentially vulnerable legacy technology, total segmentation is a myth, and for good reason: Companies increasingly require the power of big data analytics, integrations with Internet-connected financial systems, and similar services to operate an effective business.

A sound approach to risk management in connecting protected enclaves to broader IT networks can be found in a relatively obscure section of National Security Memorandum 8 (NSM-8): Cultivate visibility and rigor around the areas in which the networks overlap. By declaring that cross-domain systems — the systems responsible for connecting classified networks to unclassified networks — are "vital \[national security systems\] that require centralized visibility" and establishing the NSA's Raise the Bar program to oversee them, the US government ensured a level of consistent risk evaluation and security rigor around these inherently risky junctures in the network.

By doing the same, organizations can better manage risk and ensure a consistent approach, rather than crafty and unique but often unvetted solutions to bridge protected enclaves and the broader network. As these centralized points of visibility mature within organizations, they can also unite at an industry level via information sharing and analysis centers (ISACs) or ad hoc collaborative networks to understand best practices and technologies to minimize the risks at these critical network junctures.

**Protect the Critical Enterprise Along With Critical Infrastructure**

As alluded to above, the crown jewels of critical infrastructure organizations may be well-protected, but they are surrounded by a critical enterprise of enabling functions — HR, customer service, finance, logistics — hosted on a less-secure IT network and sometimes one step removed from the culture of security that permeates operational parts of the organization. But the threat of lateral movement within the network, whereby an adversary could compromise an employee in the critical enterprise and eventually navigate their way to more sensitive systems, renders this an unwise approach. The risk is compounded by the fact that a joint advisory by the NSA, CISA, the FBI, and others highlights China-sponsored threat actors "living off the land" within critical infrastructure networks, using native services rather than malware to evade detection once they have established a foothold.

The intelligence community has long embraced the concept of the critical enterprise by requiring that all employees — whether working operationally or in a support role — complete a thorough suitability process and protect support networks with the same rigor as their mission networks. By doing so, they not only protect their endpoints and systems at a given classification level from technical compromise but also cultivate a culture of security that renders the organization less vulnerable to human-enabled attacks, such as phishing.

While it is untenable for private sector companies to subject their employees to the same degree of scrutiny needed for a US security clearance, they can take a page from the government by securing the entire critical enterprise through training, preventive cybersecurity architecture, and a culture of security that makes the entire critical enterprise aware of the shared risks to their organization.

**Demand Security by Design**

The complexity of creating a solid cybersecurity architecture is compounded by the fact that, as CISA director Jen Easterly put it, "We've unwittingly come to accept as normal that such technology is dangerous-by-design." This has resulted in the need to deploy myriad security and network management solutions, some of which have proven dangerous by design in and of themselves.

The US government, in general, and its Department of Defense, in particular, have long exercised rigorous processes around technology readiness assessment and operational testing and evaluation. These processes, while costly and lengthy, are designed to ensure the security, maturity, and operational readiness of the technologies that will be deployed to conduct the most critical functions of the US government and support its war fighters. By exercising diligence in their procurement processes, including a strong eye toward security, US government agencies minimize the risk that their technology will be compromised.

It would be impractical to recommend that private sector organizations conduct the same degree of testing and evaluation of technology. But incorporating questions geared toward CISA's joint "Security-by-Design and -Default" principles is an appealing alternative. By moving beyond reliance on regulatory certifications (many of which test a manufacturer's processes and policies rather than the inherent security of the underlying technology), security leaders can partner with acquisition teams to increase the security of both critical infrastructure and critical enterprise. A few examples of such questions include:

*   Does your solution include multiple layers of security in case an adversary defeats one layer?
*   Do you provide and maintain a software bill of materials?
*   What hardware architectural protections are in place?
*   What is required to "harden" deployment of this solution?

Government security processes are often viewed as tedious and burdensome, but applying the lessons learned from them doesn't need to be. Taking these three key lessons and applying them to securing not only critical infrastructure but also the broader critical enterprise is imperative for private industry to counter a nation-state threat.

Source

DARKReading