Cloud service providers are getting better at protecting data, pushing adversaries to develop new cloud ransomware scripts to target PHP applications, a new report says.

Instead of solely leaning on leaky buckets and cloud service provider (CSP) vulnerabilities to exfiltrate sensitive data, a fresh crop of cloud-targeting ransomware is aimed instead at exploiting unprotected Web applications to drop encryptors and lock up victims' data.

The pivot to focusing on PHP applications demonstrates the success that CSPs have had in shoring up their environments with policies like AWS's Key Management Service, according to a new report from SentinelOne on the state of cloud ransomware landscape in 2024. CSPs can now ensure that almost no data is really lost, thanks to policies that require a waiting period and confirmation before data can be deleted. There are some fairly exotic malicious workarounds for some of these protections, but attacks can easily be blocked by implementing service control policies, the report said.

**Cloud Ransomware's New Look at Web Applications**

Cloud ransomware operators have started to mine Web applications for opportunities in increasing volumes, according to SentinelOne.

"Web applications are often run via cloud services," SentinelOne's report explained. "Their more minimal nature makes cloud environments a natural hosting point where the applications are easier to manage and require less configuration and upkeep than running on a full operating system. However, Web applications themselves are vulnerable to extortion attacks."

Related:5 Ways to Save Your Organization From Cloud Security Threats

Analysis uncovered new ransomware scripts specifically developed to attack PHP applications — such as a Python script named "Pandora," and another attributed to Indonesian-based threat actor IndoSec group.

"The Pandora script uses AES encryption to target several types of systems, including PHP servers, Android, and Linux," the report added. "The PHP ransom functions encrypt files using AES via the OpenSSL library. The Pandora Python script runs on the Web server, writing the PHP code output to the path pandora/Ransomware with a file name provided as an argument at runtime and appended with the php extension."

The ransom script targeting PHP applications developed by IndoSec uses a PHP backdoor to manage and delete files, according to the report. It searches through directories, reads, and then encodes the file contents using a Web service's API.

"This is an interesting approach because the encryption is provided through a remote service, rather than using native functionality like many other tools," the report noted.

**Using Legitimate Cloud-Native Functions to Steal Data**

Aside from trying to breach them, adversaries have also figured out how to use these cloud services themselves to exfiltrate stolen data, the report explained. SentinelOne offers the example of September Rhysdia and BianLian cloud ransomware attacks that abandoned their historical exfiltration tools like MEGAsync and rclone, and instead used Azure Storage Explorer to download the data. The following month, the LockBit ransomware group was discovered using Amazon's S3 storage to exfiltrate data from Windows and macOS systems, SentinelOne added.

Related:Google AI Platform Bugs Leak Proprietary Enterprise LLMs

In keeping with the trend, the SentinelOne research identified a new Python script on VirusTotal it named "RansomES." This code is designed to infiltrate a Windows system, look for files with extensions that indicate the file contains data, including .doc, .xls, .jpg, .png, or .txt. Once those files have been identified, the RansomES code allows the ransomware attacker to exfiltrate those files to an S3 storage bucket or an FTP site, and encrypt the local versions.

"RansomES is a simple script, and we do not believe it has been used in the wild," the report noted. "The author included an Internet connectivity check to the WannaCry killswitch domain, which may suggest the script was developed by a researcher or someone with an interest in threat intelligence."

Related:2 Zero-Day Bugs in Microsoft's Nov. Update Under Active Exploit

The key to protecting data against Web application cloud ransomware attacks is to assess the overall cloud environment to protect against misconfigurations and overly permissive storage buckets, the report concluded.

"Additionally, always enforce good identity management practices such as requiring MFA on all admin accounts, and deploy runtime protection against all cloud workloads and resources," according to SentinelOne.

Cloud Ransomware Flexes Fresh Scripts Against Web Apps

If the government truly wants to protect the US's most vital assets, it must rethink its cybersecurity policies and prioritize proactive, coordinated, and enforceable measures.

Jeffrey Wells, Visiting Fellow, National Security Institute at George Mason University's Antonin Scalia Law School

November 14, 2024

6 Min Read

Source: Sergey Borisov via Alamy Stock Photo

COMMENTARY

The recent revelations about the Salt Typhoon cyber-espionage group breaching major US telecommunications companies, including Verizon, AT&T, and Lumen Technologies, lay bare a systemic vulnerability in America's approach to cybersecurity. This incident is not just an isolated attack; it's an indictment of the US government's inadequate response to the increasing cyber threats posed by state-backed entities like China. Despite years of warnings and multiple high-profile breaches, the government's cybersecurity posture remains reactionary, fragmented, and underwhelming.  

**The Critical Failures in US Cybersecurity Strategy**

Salt Typhoon's targeting of systems used for government intelligence collection, including those integral to surveillance and wiretapping capabilities, is a brazen assault on America's most sensitive digital infrastructure. It exposes a critical flaw: the lack of robust, proactive measures to secure such vital systems. How did a foreign state-backed group infiltrate and potentially remain undetected in these systems for months? The answer lies in insufficient federal oversight, underinvestment in cutting-edge defenses, and an overreliance on private companies to self-police. 

US telecom giants have historically enjoyed light regulatory oversight, often lobbying for fewer obligations and responsibilities. The government, in turn, has adopted a laissez-faire approach, trusting these corporations to manage their cybersecurity. This model is fundamentally flawed. When private entities prioritize profits over robust security measures, it opens the door for adversaries like Salt Typhoon to exploit weak points. The compromised systems at Verizon, AT&T, and Lumen Technologies illustrate the risks of letting corporations with such immense national security implications operate without stringent and enforceable cybersecurity standards. 

**Lawmakers' Outrage: Too Little, Too Late**

In the wake of the Salt Typhoon breach, US lawmakers have begun demanding answers from the affected companies, calling for greater accountability and urging federal regulators to impose stricter standards. While this post-breach outrage may seem like a strong response, it's another chapter in the reactive cycle that defines American cybersecurity policy. Rather than addressing systemic vulnerabilities before they are exploited, federal agencies and lawmakers are again playing catch-up. 

The reality is that sophisticated state-backed actors like Salt Typhoon have likely been probing and compromising critical US infrastructure for years, undetected and unchallenged. The question is not just why this breach happened but why the US government consistently finds itself responding after the fact. The issue goes beyond the individual companies breached — this pattern reflects a more significant failure in Washington to develop a proactive, cohesive, well-resourced cybersecurity strategy.

**The Illusion of Federal Oversight**

Federal authorities, including the FBI and the Cybersecurity and Infrastructure Security Agency (CISA), are reportedly investigating the extent of these breaches. However, these investigations often lack the teeth and reach necessary to effect real change. Despite the resources and expertise within agencies like CISA, they are limited in their power to enforce compliance or impose significant penalties on corporations that fail to meet cybersecurity benchmarks. This hands-off approach only emboldens adversaries who know that American companies are not adequately protected and that the government's response mechanisms are limited. 

Further, the fragmented nature of federal oversight complicates a comprehensive defense strategy. With multiple agencies sharing responsibility — yet lacking a unified and coordinated approach — gaps in response capabilities are inevitable. The breaches at Verizon, AT&T, and Lumen Technologies should serve as a wake-up call: The current oversight model is failing to keep pace with the sophistication of state-backed cyber threats. 

**The Need for a Paradigm Shift**

The US must abandon its outdated and ineffective approach to cybersecurity regulation to address these vulnerabilities. Here are key steps the government should take: 

*   Mandatory federal standards and penalties: Telecom companies are critical to national security. They must be held to federal standards that are not just recommendations but legal obligations, with meaningful penalties for non-compliance. The government cannot leave the protection of such vital infrastructure to the discretion of profit-driven entities. 
    
*   A unified cyber defense agency: The United States must streamline its response by creating a centralized agency with the power and authority to coordinate and enforce cybersecurity measures across the public and private sectors. The current patchwork of agencies is insufficient in an era where cyber threats know no borders or jurisdictions. 
    
*   Investment in advanced detection and response capabilities: The government must invest heavily in advanced technologies that provide real-time monitoring and automated response capabilities. Relying on companies to detect and report breaches months after they occur is unacceptable when adversaries can inflict catastrophic damage in seconds. 
    
*   Active cyber deterrence: The US must adopt a more aggressive cyber-deterrence strategy. The current approach of merely investigating breaches after the fact does not dissuade adversaries. It's time for the government to develop and deploy offensive cyber capabilities that signal a clear and present cost for any attempt to infiltrate US systems. 
    

**The Cost of Complacency**

The Salt Typhoon breach is just the latest chapter in a series of cyber-espionage incidents that have exposed the inadequacies of the US cybersecurity framework. If this pattern of complacency and reactionary policy continues, it won't be long before another attack not only compromises intelligence-gathering capabilities but potentially cripples critical infrastructure. The stakes are too high for lawmakers and federal agencies to continue operating with the exact amount of inertia and neglect. 

If Washington truly wants to protect the nation's most vital assets, it must rethink its cybersecurity policies and prioritize proactive, coordinated, and enforceable measures. Otherwise, the US will continue to react to — rather than prevent — attacks that undermine its national security and global standing. 

Don't miss the free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 a.m. ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

**About the Author**

Visiting Fellow, National Security Institute at George Mason University's Antonin Scalia Law School

Jeffrey Wells is a distinguished cybersecurity, technology, and geopolitical risk leader with over 35 years of experience. His expertise is crucial in addressing cyber threats with significant geopolitical and security implications. Wells is a Visiting Fellow at George Mason University's Cyber and Tech Center (CTC) and a Truman National Security Project Defense Council Fellow.

He has extensive experience helping organizations design and operationalize cyber resiliency strategies, programs, incident response, and instituting business continuity worldwide.

As a founding partner of the NIST's National Cybersecurity Center of Excellence and a Visiting Fellow at the National Security Institute, Jeffrey is proficient in deploying and operationalizing cybersecurity standards and best practices in the full spectrum of IT/OT and infrastructure ecosystems.

Washington's Cybersecurity Storm of Complacency

Less-experienced users of Microsoft's website building platform may not understand all the implications of the access controls in its low- or no-code environment.

Source: IB Photography via Alamy Stock Photo

Untold millions of sensitive records and personal data are exposed on the open Web right now, thanks to missing or misconfigured access controls in websites built with Microsoft Power Pages.

Power Pages, born in 2022 from PowerApps Portals, is Microsoft's low-code website building platform. It is commonly used to design externally facing sites, such as portals for employees and retailers, or event registration or management sites. Back when it was released to the general public, Microsoft bragged that it already served more than 100 million monthly active website users, in industries as diverse as high tech and healthcare, education, finance, manufacturing, and government.

Alongside its suite of easy, drag-and-drop tools and features, Power Pages comes fitted with role-based access controls, which developers can use to define the data any given user can access. But as Aaron Costello, chief of software-as-a-service (SaaS) security research at AppOmni, recently discovered, many sites simply aren't implementing these controls correctly, if at all.

The result: Vast swaths of sensitive information, from sites around the Web, are available right now to anyone who cares to look for it.

**Misconfigured Power Pages**

Power Pages sites use Microsoft's cloud-based relational database, Dataverse, to store structured data. To protect that data, developers can call upon a variety of access controls.

First and most obvious are site-level settings, which define whether and how users need to authenticate and register accounts on a site.

The next tier down is table-level controls. With these, site administrators can define which kinds of users can perform what actions on what data.

The most granular of Power Pages access controls apply at the level of Dataverse columns. One notable tool Power Pages offers at this level is "masking," where site admins can obfuscate certain categories of data, like the first five digits of Social Security numbers listed in a given column.

The problem is that admins aren't always making use of these three rungs of access controls, if any at all. As a result, accessing the data on their sites is "very, very trivial," Costello says. "Once you understand \[what's going on\], it's just a matter of going to these URLs."

"Typically what happens is that instead of granting someone the ability to view their own data, they've actually granted them the ability to view all data. As a result, excessive amounts of information — often sensitive — is exposed to each user," he explains.

Some sites grant even anonymous users "global access" to read data from tables, for example, and not one website Costello probed in his research implemented any sort of column-level security. Other sites restrict certain data to authenticated users, but undermine that protection by allowing anyone from the Web to register and authenticate themselves.

Costello only probed websites hosted by organizations with cybersecurity disclosure policies — those which might be more amenable to hearing about their lacking security postures. Even with that limitation, he ultimately discovered 5 million to 7 million exposed records from a wide array of Power Pages websites.

One large business service provider, for example, leaked personal information belonging to 1.1 million employees of the UK's National Health Service (NHS). The data included employees' telephone numbers, email addresses, home addresses, and more.

**An Industrywide Issue**

As Costello is quick to point out, "In previous research, I discussed the exact same kind of issue in other popular SaaS platforms, such as Salesforce, ServiceNow, and NetSuite. And those are all platforms that have different use cases. I wouldn't say that this is by any means a unique problem to Power Pages. What this comes down to isn't the product itself, but more so a misunderstanding of its access controls."

When it comes to warning users about landmines, Power Pages does quite well. "When you do misconfigure data to be accessible by anyone, you get warning banners popping up on your page in a variety of different places, Costello adds. "So Microsoft really does their best to make organizations aware of what they're doing is dangerous. However, organizations are choosing to ignore the warning signs."

Besides negligence, the frequency of Power Pages misconfigurations might theoretically be explained by the demographics of its audience. By their nature, low- and no-code platforms are more attractive to less technical users, who may be less well-versed in matters of cybersecurity.

"If you're someone who is not technical, and you're just dragging and dropping buttons and forms to design a page, you may not be the type of person who has an understanding of what access controls are even necessary," Costello posits. Or, perhaps, the ease of designing a low- or no-code site might ease the more careful, analytical parts of one's brain. "Low-code platforms do typically lend a false sense of security," he says.

Dark Reading has reached out to Microsoft for comment on this story.

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 a.m. ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Microsoft Power Pages Leak Millions of Private Records

APT Wirte is doing double duty, adding all manner of supplemental malware to gain access, eavesdrop, and wipe data, depending on the target.

Source: Christophe Coat via Alamy Stock Photo

A longstanding threat actor affiliated with Hamas has been conducting espionage against governments across the Middle East and destructive wiper attacks in Israel.

"Wirte" is a 6 1/2-year-old advanced persistent threat (APT) working to support Hamas' political agenda. Check Point Research identifies it as a subgroup of the Gaza Cybergang (aka Molerats), which is also thought to overlap with TA402.

In recent weeks and months, Wirte has leveraged the Gaza war to spread phishing attacks against government entities spread across the region. It has also been carrying out wiper attacks in Israel. "It shows that Hamas still has cyber capabilities, even with the ongoing war," says Sergey Shykevich, threat intelligence group manager at Check Point.

**Wirte's Spying and Wiping Attacks**

Wirte attacks are not particularly unique or sophisticated. A PDF in an email might contain a link directing targets to a file for download, named in some way to lend it legitimacy (e.g., "Beirut — Developments of the War in Lebanon 2"). The file will contain a lure document, one or more legitimate executables, and the malware.

To upgrade this infection chain, Wirte has sometimes made use of the IronWind loader, starting in October 2023. IronWind uses a complex, multistage infection chain to drop malware, with the goal of frustrating analysis. It employs geofencing, and reflective loaders that run code directly in memory, rather than on the disk, where it might otherwise be spotted by antivirus software.

In an espionage-focused attack, the end of this chain might bring the open source penetration testing framework "Havoc." Havoc enables persistent access to a compromised machine, useful for establishing remote control, performing lateral movement, stealing data, and more.

In February and October 2024, by contrast, Wirte campaigns climaxed with the deployment of a wiper called "SameCoin."

Last month, Wirte puppetted the email address of a legitimate Israeli reseller of ESET software. Its lure message — sent to hospitals, municipal governments, and others — warned recipients that "Government-based attackers may be trying to compromise your device!" and included a download link. The link first tried to connect to the website for Israel's Home Front Command, a wing of the Israel Defense Forces (IDF) responsible for protecting civilians. Its site is accessible only to those within Israel, so if the redirection succeeded, the attack would proceed.

Next, a downloaded zip file dropped and decrypted a pro-Hamas wallpaper JPG, a propaganda video, a tool designed to enable lateral movement within targeted networks, and the SameCoin wiper.

Still image from a political video spread in the SameCoin campaign; Source: @NicoleFishi19 on X

**What Wirte Wants**

Wirte spying has crossed into Egypt and Saudi Arabia, but its favored targets appear to be from Jordan and the Palestinian Authority (PA), the government entity that oversees parts of the West Bank and is controlled by Fatah, Hamas's primary political rival within Palestine. For the most part, this has remained consistent in its half-dozen-year history.

Wirte has evolved somewhat is in its approach to Israel. And in this way, it has also mirrored other Palestinian threat actors.

"Before the war, it was focused mostly on espionage, and stealthy persistence in networks," Shykevich explains. This is in stark contrast to its latest wave of loud wiper attacks, for example, which were timed to begin on Oct. 7, the one-year anniversary of Hamas's Operation Al-Aqsa Flood, the terror attack that killed more than 1,000 Israelis and led to the capture of nearly 250 more.

"Now, it has become more and more about making \[breaches\] public, showing the data, the destruction. The focus is more and more on hack-and-leak operations, and how they can use cyber capabilities to try to shape a narrative."

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 a.m. ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Hamas Hackers Spy on Mideast Gov'ts, Disrupt Israel

PRESS RELEASE

WATERLOO, ON, Oct. 31, 2024 /PRNewswire/ -- OpenText (NASDAQ: OTEX), (TSX: OTEX), has revealed its highly anticipated "Nastiest Malware of 2024" list, spotlighting the year's most notorious cyber threats. Now in its seventh year, OpenText's cybersecurity experts have identified the most relentless and adaptive malware trends impacting industries worldwide. This year, ransomware aimed at critical infrastructure takes center stage, highlighting an urgent call for reinforced security to protect vital services. In response, organizations are projected to increase their cybersecurity investments by 14.3% in 2024, reaching more than $215 billion.

Once again, ransomware group LockBit secures the #1 spot as the nastiest malware of the year. Known for its resilience and relentless pursuit of critical targets, LockBit has successfully dodged multiple law enforcement crackdowns. According to the FBI's 2023 2023 Internet Crime report, LockBit was reported in 175 attacks on critical infrastructure, underscoring its staying power and adaptability. The ongoing standoff between the FBI and LockBit shows the gritty persistence of today's ransomware market and its growing sophistication. For several months now, the battle for dominance between the FBI and LockBit has highlighted the persistence of the ransomware market and how as technology evolves these threats continually lurk in the shadows.    

"Ransomware attacks on critical infrastructure are on the rise, and cybercriminals are increasingly using artificial intelligence to develop highly personalized threats, which significantly endangers national security and public safety," said Muhi Majzoub, EVP and Chief Product Officer, OpenText. "However, the increased attention on ransomware and cybersecurity is encouraging, as more organizations are proactively prioritizing cybersecurity investments. This commitment highlights their dedication to safeguarding essential services from evolving threats." The 2024 list showcases how adaptive and innovative each ransomware is, but also how well these threats push boundaries. With their malicious capabilities and evasiveness, these cybercriminals continue to find new ways to surpass our darkest expectations.

2024's Nastiest Malware Hall of Infamy: 

1.  LockBit: This ransomware-as-a-service (RaaS) heavyweight leads the pack again, unfazed by FBI efforts to take it down. LockBit's aim? Target one million businesses before calling it quits, solidifying its spot as a top ransomware menace in 2024.
    
2.  Akira: A fresh and ferocious entry, Akira brings a splash of '80s aesthetics to the dark web, quickly climbing the ranks with ruthless encryption tactics and swift deployment. It's especially active in healthcare, manufacturing, and finance, cementing itself as a go-to Ransomware-as-a-Service (RaaS) model for affiliates.
    
3.  RansomHub: Rumored to be a descendant of the Black Cat (ALPHV) group, RansomHub burst onto the scene targeting high-profile organizations. After attacking Planned Parenthood, this group made headlines by stealing and ransoming sensitive patient data, threatening public exposure.
    
4.  Dark Angels: Known for its laser-focused, high-impact attacks on top-tier targets, Dark Angels doesn't hold back. Using advanced infiltration methods, they've secured ransom payments as high as $75 million, leaving their mark on one of the year's biggest Fortune 50 attacks.
    
5.  Redline: Not ransomware but still formidable, Redline Stealer specializes in stealing credentials and sensitive information with skillful evasion tactics, making it a persistent headache across various sectors.
    
6.  Play Ransomware: Making waves with high-profile attacks, Play Ransomware is as versatile as it is relentless. From targeting public and private sectors to exploiting FortiOS vulnerabilities and RDP servers, this group keeps victims on their toes with ever-evolving techniques.
    

Want the full rundown? Visit the OpenText Cybersecurity Community, view the infographic, and join us for our "Nastiest Malware Webinar" to dive deeper into this year's findings and stay ahead of emerging threats!

About OpenText Cybersecurity  
OpenText Cybersecurity provides comprehensive security solutions for companies and partners of all sizes. From prevention, detection and response to recovery, investigation and compliance, our unified/end-to-end platform helps customers build cyber resilience via a holistic security portfolio. Powered by actionable insights from our real-time and contextual threat intelligence, OpenText Cybersecurity customers benefit from high-efficacy products, compliant experience and simplified security to help manage business risk.

About OpenText   
OpenText™ is the leading Information Management software and services company in the world.  We help organizations solve complex global problems with a comprehensive suite of Business Clouds, Business AI, and Business Technology.  For more information about OpenText (NASDAQ/TSX: OTEX), please visit us at www.opentext.com.

Connect with us:

OpenText CEO Mark Barrenechea's blog  
Twitter | LinkedIn 

Certain statements in this press release may contain words considered forward-looking statements or information under applicable securities laws. These statements are based on OpenText's current expectations, estimates, forecasts and projections about the operating environment, economies, and markets in which the company operates. These statements are subject to important assumptions, risks and uncertainties that are difficult to predict, and the actual outcome may be materially different. OpenText's assumptions, although considered reasonable by the company at the date of this press release, may prove to be inaccurate and consequently its actual results could differ materially from the expectations set out herein. For additional information with respect to risks and other factors which could occur, see OpenText's Annual Report on Form 10-K, Quarterly Reports on Form 10-Q and other securities filings with the SEC and other securities regulators. Readers are cautioned not to place undue reliance upon any such forward-looking statements, which speak only as of the date made. Unless otherwise required by applicable securities laws, OpenText disclaims any intention or obligations to update or revise any forward-looking statements, whether as a result of new information, future events or otherwise. Further, readers should note that we may announce information using our website, press releases, securities law filings, public conference calls, webcasts and the social media channels identified on the Investors section of our website (https://investors.opentext.com). Such social media channels may include the Company's or our CEO's blog, Twitter account or LinkedIn account. The information posted through such channels may be material. Accordingly, readers should monitor such channels in addition to our other forms of communication.

OpenText Cybersecurity Unveils 2024's Nastiest Malware

The China-affiliated group is using the highly modular DeepData framework to target organizations in South Asia.

Source: u3d via Shutterstock

China's APT41 threat group is using a sophisticated Windows-based surveillance toolkit in a cyber-espionage campaign targeting organizations in South Asia.

The malware adds to the already broad portfolio of malicious tools that the threat actor has deployed in recent years and makes APT41 an even more pernicious threat to targeted enterprises.

**Optimized Plug-ins**

Researchers at BlackBerry, among the many who are tracking the threat actor, spotted the new malware toolkit earlier this year and have dubbed it "DeepData Framework." Their analysis showed it to be a highly modular toolkit that supports as many as 12 separate plug-ins, each one optimized for a specific malicious function.

Four of the plug-ins steal communications from WhatsApp, Signal, Telegram, and WeChat. Another three are rigged to steal and exfiltrate system information, Wi-Fi network data, and information on all installed applications on the compromised system — including names and installation paths. Three DeepData plug-ins steal information related to browsing history and cookies; they also grab passwords from Web browsers, Baidu storage services, FoxMail, and other cloud services, and other information like user emails and contact lists in Microsoft Outlook. The remaining two plug-ins enable theft of audio files from compromised systems.

Blackberry researchers chanced upon DeepData when conducting an investigation of "LightSpy," an iOS implant that they have tracked APT41 using in an ongoing and wide-ranging mobile espionage campaign against targets in India and South Asia. Their analysis showed DeepData to have a similar design to LightSpy in that both have a core module and support for multiple data theft plug-ins.

Significantly, DeepData appears to be a malware toolkit that the attackers are manually interacting with after compromising a target and gaining access. "The \[command and control\] address is also specified as a command line argument, as are the requested plugins to be run or data to extract," Blackberry's research and intelligence team said in a blog post this week. "The implication of this execution method is that it must be done manually, sans a script or some other bundling distribution."

**Surveillance Powers Continue to Grow**

DeepData adds to APT41's already formidable surveillance and cyber espionage capabilities. The malicious framework is an example of the constantly emerging threats that organizations have to deal with when trying to mitigate threats from advanced persistent threat groups and nation-state bad actors. "Our latest findings indicate that the threat actor behind DeepData has a clear focus on long-term intelligence gathering," BlackBerry said. Since first deploying LightSpy in 2022, the threat actor has methodically and strategically bulked up its capabilities to intercept communications and steal data in total stealth, BlackBerry said.

APT41 is a known threat actor that security vendors and researchers have been variously tracking as Winnti, WickedPanda, Barium, Wicked Spider, and other names. Some vendors consider APT41 to be a collection of smaller subgroups collectively working at the behest of, or on behalf of the Chinese government. The group's mandate appears to be very broad, based on its targets and the kind of campaigns it has conducted in recent years.

Most recently, researchers tied APT41 to attacks targeting global logistics and utilities companies, and to a campaign that targeted research entities in Taiwan. Over the years, the group has stolen data from a wide range of organizations, including intellectual property and trade secrets from healthcare organizations, media and entertainment companies, government agencies, automative firms, retailers, energy companies, pharmaceutical companies, and others. Its activities prompted a US government investigation and subsequent indictment of five alleged members of APT41 back in 2020. Its victims have spanned Europe, Asia, and North America.

The group's latest South Asian campaign appears aimed at politicians, journalists, and political activists in the region, according to BlackBerry. "Organizations of all sizes, particularly those in targeted regions, should treat this threat as a high priority and implement comprehensive defensive measures."

The company's recommended mitigation measures include blocking the group's known C2 infrastructure, monitoring networks and devices for unexpected audio recording activities, using secure communications for transmitting data, and deploying the detection rules that BlackBerry has released for DeepData components.  

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 a.m. ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Toolkit Vastly Expands APT41's Surveillance Powers

PRESS RELEASE

(Paris, France) – October 31, 2024 – As counterfeiting represents a global issue for brands and societies alike, Cypheme, a pioneering French company focused on AI-powered anti-counterfeiting solutions, today announced that Vrai AI, its AI anti-counterfeit technology that can detect fake products based on just a picture of a specific detail of a product or label, purely with visual analysis, is now available to brands worldwide. This ground-breaking artificial intelligence, which is perfect for companies across multiple verticals (i.e.: jewelry, pharmaceuticals, electronics, fashion, etc.), is easy to implement and only requires the use of a smartphone to keep a brands’ reputation and customers safe.

Lacoste, a world-renowned fashion brand, is the first company to pioneer the use of this technology, marking a major milestone in the worlds of AI development, the fashion industry and the global fight against counterfeiting. Already, Cypheme’s ground-breaking solution has achieved a near perfect level of accuracy of 99.7% for Lacoste, helping them easily identify fake products and remove them from the market.

By incorporating Cypheme’s powerful technology, which examines microscopic visual details of a specific feature of the product, the AI can differentiate a real from a fake, much in a way similar to a human expert. No modification of the product, no special label, or hidden marker is needed. For Lacoste, Cypheme uses the famous and iconic crocodile logo to identify fakes among a wide variety of Lacoste products. This represents an unprecedented technological leap in the fight against counterfeiting that could play a major part in solving or mitigating crisis linked to the criminal activity across multiple regions and sectors.

For certain types of products, however, the use of Cypheme’s “Noise Print Label,” a proprietary fingerprint anti-counterfeit label that protects every product it is affixed on, is also available. Noise Print is an anti-copy label that utilizes an advanced set of algorithms powered by an artificial neural network that verifies a product’s authenticity. However, it doesn’t stop there. Noise Print can also help trace back the origin points where fake products are known to be made.

“Today, according the European Union Agency for Law Enforcement Cooperation, counterfeiting represents 2.5% of the world’s trade, or $461 billion, and puts low-quality goods on the market, generating risks for health, well-being, security and safety,” explains Hugo Garcia-Cotte, CEO, Cypheme. “Implementing anti-counterfeiting technologies helps brands combat piracy, secure operations, enhance revenue and improve customer engagement, however they do not stop at just that, they have a much larger impact, helping shape safer societies overall.”

About Cypheme  
Cypheme is a pioneering French company focused on AI-powered anti-counterfeiting solutions. With their AI technology, Vrai AI, they aim to make counterfeit trade an unattractive activity for all people of the world. Cypheme’s technology is used in many different industries and countries to safeguard people from the negative impact of fake goods. For more information, visit https://www.cypheme.com/.

Lacoste First to Use AI-Powered Anti-counterfeiting Solution

Among the top exploited zero-day vulnerabilities were bugs found in systems from Citrix and Cisco.

Source: JUN LI via Alamy Stock Photo

The Cybersecurity and Infrastructure Security Agency is warning that the most routinely exploited vulnerabilities in 2023 were zero-days in its latest research conducted alongside global cybersecurity authorities.

These findings are a reversal from 2022, when less than half of the most exploited vulnerabilities were zero-days.

CISA's "2023 Top Routinely Exploited Vulnerabilities" report shows that threat actors continue to have success exploiting these kinds of vulnerabilities even two years after public disclosure. After this time frame, the value of the vulnerability tends to decline as patches get applied and systems are replaced.

Some of the top zero-day flaws came from vendors such as Citrix and Cisco, with vulnerabilities involving code injection bugs (CVE-2024-3519), privilege escalation (CVE-2023-20198), and buffer overflow (CVE-2023-4966).

To combat exploitation from threat actors, CISA is urging organizations to check for signs of compromise and keep up with patching CVEs. However, even this may not be enough. Three other tools that CISA recommends are endpoint detection and response (EDR), Web application firewalls, and network protocol analyzers. 

As to why zero-days were among the top exploited, many individuals in the cybersecurity community argued that it's because the quality of software is getting worse.

Others argue that it's because cybercriminals are focusing less on sharing proof-of-concepts (PoC) on forums and more on reserving knowledge about vulnerabilities in-house.

Regardless, CISA provides a variety of mitigation resources for end users and organizations to combat these threats in its study, highlighting identity and access management, protective controls and architecture, and supply chain security.

Zero-Days Win the Prize for Most Exploited Vulns

PRESS RELEASE

WASHINGTON – Today, the Cybersecurity and Infrastructure Security Agency (CISA) released its 2025–2026 International Strategic Plan, the agency’s first, which supports the agency’s first comprehensive strategic plan and aligns with the National Security Memorandum on Critical Infrastructure Security and Resilience. The International Strategic Plan focuses on how CISA will proactively engage international partners to strengthen the security and resilience of our nation’s critical infrastructure.  

“In following this plan, CISA will improve coordination with our partners and strengthen international relationships to reduce risk to the globally interconnected and interdependent cyber and physical infrastructure that Americans rely on every day,” said CISA Director Jen Easterly. 

Since the risks we face are complex, geographically dispersed and do not abide by borders, protecting and securing our cyber and physical infrastructure requires the concerted efforts of public and private partners around the globe. Our International Strategic Plan outlines three goals CISA must achieve to address the ever-changing and dynamic challenges facing America and our international partners: 

*   Bolster the Resilience of Foreign Infrastructure on Which the U.S. Depends; 
    

*   Strengthen Integrated Cyber Defense; and 
    

*   Unify Agency Coordination of International Activities.  
    

Read CISA’s International Strategic Plan to learn more.

CISA Releases Its First Ever International Strategic Plan

The consolidation folds Cybereason's endpoint detection and response (EDR) platform into Trustwave's managed security services offerings, such as managed detection and response (MDR).

Source: nespix via Adobe Stock Photo

Managed services provider Trustwave and endpoint detection and response (EDR) company Cybereason announced a definitive merger agreement on Tuesday. The merger reflects the market appetite for integrated cybersecurity solutions, as seen in Check Point's acquisition of Cyberint earlier this year.

Trustwave and Cybereason will "function independently but collaborate strategically on value-added services and capabilities," the companies said in a statement. Cybereason has a significant presence in Japan and Europe, and Trustwave is strong in the Americas and Australia.

The combined company portfolio will span managed detection and response, EDR, offensive security, security research, digital forensics and incident response, and threat intelligence services. Trustwave and Cybereason have complementary product offerings in EDR, email security, and database security.

For example, Cybereason can offer "combined EDR and MDR solutions," said Eric Gan, chairman and CEO of Cybereason said, a statement.

Together, Trustwave and Cybereason will focus on strengthening client consulting services and managed detection and response (MDR) capabilities to develop an all-in-one solution with Cybereason's EDR for midmarket organizations, as well as help customers integrate and optimize Microsoft Security. A primary areas for strategic investment is a purpose-built AI that can detect known and unknown threats with greater speed and accuracy.

Singtel acquired Trustwave in 2015 for $770 million; it sold the company to MC² Security Fund, a private equity fund sponsored by The Chertoff Group, in January of this year for $205 million. Cybereason has raised over $850 million to date from a variety of investors.

SoftBank, Cybereason's largest shareholder, will remain as the majority investor. Trustwave's current owner and MC² Security Fund will remain as a channel partner and strategic adviser.

Financial details of the merger were not disclosed. The transaction is expected to close in early 2025, pending customary closing conditions and regulatory approvals.

Source

DARKReading