**SAN DIEGO, Calif., March 17, 2023 /PRNewswire-PRWeb/ --** We are thrilled to  
announce that Prancer, a leading cloud security solution provider, has  
integrated its SOC2 Type II certified cloud security solution with ChatGPT, a  
highly advanced language model for natural language processing, and OpenAI APIs.

This integration represents a significant milestone in cloud security solutions,  
enabling organizations to identify and remediate potential security risks using  
various advanced technologies.  

In addition to providing a range of security assessments, including  
infrastructure security based on Cloud Security Posture Management (CSPM) and  
Infrastructure as Code (IaC) security, application security testing with Static  
Application Security Testing (SAST), Software Composition Analysis (SCA) and  
penetration testing, and compliance assessments, Prancer's cloud security  
solution now integrates with OpenAI APIs to use other models that are intended  
to provide remediation code and security check the codes. This collaboration  
will enable Prancer and ChatGPT to correlate vulnerabilities for specific  
architecture patterns to identify attack paths, remediate security findings, and  
analyze findings from infrastructure and applications.  

Integrating Prancer's cloud security solution with ChatGPT and OpenAI APIs  
brings together some of the most advanced technologies in cloud security to  
deliver a comprehensive security solution for organizations operating in the  
cloud. With the growing concerns around cloud security, this integration is  
crucial in providing an all-encompassing security solution that can detect,  
prevent, and remediate potential security risks.  

As a leader in cloud security, Prancer is dedicated to providing cutting-edge  
security solutions that meet the highest industry standards. This integration  
with ChatGPT and OpenAI APIs represents a significant milestone in cloud  
security solutions and will help organizations identify and mitigate potential  
security risks.  

We look forward to working with our customers to deliver the best cloud security  
solutions available, utilizing the advanced technologies of Prancer, ChatGPT,  
and OpenAI APIs.

**About Prancer**  
Prancer is the industry's first cloud-native, self-service SAAS platform for  
automated security assessment and penetration testing in the cloud. Prancer  
provides a comprehensive suite of Infrastructure and Application Security  
solutions to enable shift-left approaches to implement preventative controls and  
offensive security testing mechanisms. Prancer Security Solutions allows  
customers to rapidly validate their cloud applications against ever-growing  
cyber threats, resulting in faster release cycles, greater false-positive  
reduction, and cost savings for both security and engineering teams.  
For more information, visit the website at: https://www.prancer.io

Prancer Announces Integration With ChatGPT for Enhanced Security Assessments

Snowballing PoC exploits for CVE-2023-23397 and a massive attack surface means almost business user could be a victim.

Microsoft recently patched a zero-day vulnerability under active exploit in Microsoft Outlook, identified as CVE-2023-23397, which could enable an attacker to perform a privilege escalation, accessing the victim's Net-NTLMv2 challenge-response authentication hash and impersonating the user.

Now it's becoming clear that CVE-2023-23397 is dangerous enough to become the most far-reaching bug of the year, security researchers are warning. Since disclosure just three days ago, more proof-of-concept (PoC) exploits have sprung onto the scene, which are sure to translate into snowballing criminal interest — helped along by the fact that no user interaction is required for exploitation.

If patching isn't possible quickly, there are some options for addressing the issue, noted below.

**Easy Exploit: No User Interaction Necessary**

The vulnerability allows the attackers to steal NTLM authentication hashes by sending malicious Outlook notes or tasks to the victim. These trigger the exploit automatically when they're retrieved and processed by the Outlook client, which could lead to exploitation before the email is viewed in the Preview Pane. In other words, a target doesn’t actually have to open the email to fall victim to an attack.

Discovered by researchers from Ukraine's Computer Emergency Response Team (CERT) and by one of Microsoft’s own researchers — and patched earlier this week as part of Microsoft's Patch Tuesday update — the bug affects those running an Exchange server and the Outlook for Windows desktop client. Outlook for Android, iOS, Mac, and Outlook for Web (OWA) are unaffected.

"External attackers could send specially crafted emails that will cause a connection from the victim to an external UNC location of attackers' control," says Mark Stamford, founder and CEO of OccamSec. This will leak the Net-NTLMv2 hash of the victim to the attacker, who can then relay this to another service and authenticate as the victim, he explains.

**A Range of Potential Exploit Impacts**

Nick Ascoli, founder and CEO of Foretrace, points out while Microsoft didn't mention how the criminals were using it within their attacks, it allows the reuse of the stolen authentication to connect to other computers over the network for lateral movement.

"The range of possible attacks could go from data exfiltration to potentially installing malware, depending on the permissions of the victim," he says.

Bud Broomhead, CEO at Viakoo, notes that "the likely victims are ones most susceptible to business email compromise (BEC) and to having their identity used for other forms of exploits." He points out there are a few areas that this potentially impacts, the most serious being identity management and trust of internal email communications.

"The risks also include breaching of core IT systems, distribution of malware, business email compromise for financial gain, and disruption of business operations and business continuity," Broomhead cautions.

**Is This the "It" Bug of 2023?**

Viakoo's Broomhead says that while at this point in 2023 there could be many possible "It" bugs coming from Microsoft, this is certainly a contender.

"Because it impacts organizations of all types and sizes, has disruptive methods of mitigation, and training employees on it won’t stop it, this could be a vulnerability that requires more significant effort to mitigate and remediate," he explains.

He notes the attack surface is at least as big as the user base of desktop Outlook (massive), and potentially core IT systems connected to Windows 365 (very massive), and even any recipients of emails sent through Outlook (pretty much everyone).

Then as mentioned, the PoCs that are circulating makes the situation even more attractive to cybercriminals.

"Since the vulnerability is public and instructions for a proof-of-concept are well documented now, other threat actors may adopt the vulnerability in malware campaigns and target a more widespread audience," adds Daniel Hofmann, CEO of Hornetsecurity. "Overall, exploiting the vulnerability is simple, and public proofs-of-concept can already be found on GitHub and other open forums."

What should businesses do? They may have to look beyond patching, Broomhead warns: "Mitigation in this case is difficult, as it causes disruption in how emails systems and users within it are configured."

**How to Protect Against CVE-2023-23397**

For those unable to patch right away, Hornetsecurity's Hofmann says that to better protect the organization, administrators should block TCP 445/SMB outbound traffic to the Internet from the network using perimeter firewalls, local firewalls, and VPN settings.

"This action prevents the transmission of NTLM authentication messages to remote file shares, helping to address CVE-2023-23397," he explains.

Organizations should also add users to the "Protected Users Security Group" in Active Directory to prevent NTLM as an authentication mechanism.

"This approach simplifies troubleshooting compared to other methods of disabling NTLM," Broomhead says. "It is particularly useful for high-value accounts, such as domain administrators."

He points out Microsoft has provided a script to identify and clean up or remove Exchange messages with UNC paths in message properties, and it advises administrators to apply the script to determine if they have been affected by the vulnerability and to remediate it.

Microsoft Outlook Vulnerability Could Be 2023's 'It' Bug

If the approaches stand up to scrutiny, companies may soon be able to encrypt most databases in a way that allows using data without needing to decrypt to plaintext.

Pervasive encryption that protects data not just in transit and at rest, but in use — thus freeing companies of the fear of data breaches — has long been a dream of business executives, IT teams, and compliance professionals.

In 2023, those dreams may become a practical reality, with a number of database and data-security firms releasing software to allow companies to keep data encrypted while still allowing common operations, such as searching. Last year, for example, database-technology provider MongoDB released a preview of its Queryable Encryption capability, which allows companies to search for data records in "expressive" ways without needing to decrypt the data. And, this week, data security firm Vaultree released a software development kit to allow application makers to try its Data-in-Use Encryption feature, which — the company claims — allows more extensive operations on encrypted data.

The goal is to allow companies and their applications the ability to access and search databases efficiently, while preventing unauthorized users from ever decrypting sensitive information, says Kenn White, security principal at MongoDB.

"What we hear a lot from customers is concerns around leaks, breaches, and attacks on public cloud infrastructure, including privileged users, and so we're focused on areas where we can add additional security controls and technical measures to limit who can see sensitive data in real time," he says. "\[W\]e believe \[encryption-in-use\] will continue to be an area with a lot of potential for innovation, particularly for operational workloads."

The technologies promise to help organizations minimize the so-called "blast radius" when a network or system is compromised. Typically, businesses suffering a breach face a cascade of forensic investigations, regulatory filings and fines, and the potential exposure of sensitive data and intellectual property. Encrypted data allows companies to sidestep many of the devastating impacts of a breach, but has typically required complex data architecture designs to make sure plaintext information is not inadvertently left insecure.

Many technology companies have attempted to solve the problem and allow the secure use of data by applications by extending the use of encryption. In the 2010s, for example, Ionic Security aimed to encrypt all data on the fly and only allow its use by authorized users with specific privileges. Twilio bought the company in 2021.

If the current crop of technologies succeed where others have failed, companies could see significantly less risk in the event of a breach, says Ryan Lasmaili, CEO at Vaultree.

"We know if there's a leak, and the data is fully encrypted, it reduces the company's risk immediately to regulatory compliance," he says. "But GDPR right now, for example, does not cover data-in-use encryption, because to date, it has been seen as not being there yet."

**Avoiding Llamas in the Indy 500**

MongoDB's Queryable Encryption encrypts database fields, meaning that the information is cryptographically secure at all times, yet can still be used for searching. The keys for decrypting the information are stored with each client, giving only specific people and devices the ability to decrypt sensitive fields. Even a database administrator cannot decrypt every field unless they have the proper keys.

    

A flow chart of how Queryable Encryption works. Source: MongoDB

Making the technologies a reality relied on research by small groups of academic cryptographers. Queryable Encryption, for example, came from the work of Seny Kamara and Tarik Moataz, both of Brown University, who went on to create a startup, Aroki Software, which was purchased by MongoDB in 2021.

The goal of Queryable Encryption is to deliver technology today that can handle queries that are actually useful and make the capability easy for developers, MongoDB's White said during a presentation at the USENIX ENIGMA Conference in January. Key to all that is that performance should not get in the way, he said.

"It has to be sub-linear — the difference between 1,000 documents, a million, 5 million, and 100 million documents, it should be sub-linear," he said. "A lot of the academic work had been done in a way that was super-linear, so works great on 10 records, or 100, 1,000, 5,000 — beyond that, it's painful. And you can throw more CPUs at it, but you know, it's kind of like racing the Indy 500 with llamas — there's only so much you can do."

Other technologies, like fully homomorphic encryption (FHE), promise to allow a more extensive range of operations on encrypted data and have been extensively funded by the US Department of Defense. A team from Intel and Microsoft signed a multiyear research grant with the DoD in 2021 under the DARPA Data Protection in Virtual Environments (DPRIVE) program to create a hardware accelerator to speed up the notorious processing-intensive FHE approaches. In January, Duality Technologies, another DPRIVE grant recipient, announced it was named to Phase 2 of that program to accelerate machine-learning processing on encrypted data.

"Structured encryption, like most encryption schemes, protects data confidentiality — this means that data is protected in a way where only people approved to receive the data actually have access to this data," says Kurt Rohloff, chief technology officer at Duality Technologies. "FHE also provides data confidentiality, but allows more processing on the data without requiring decryption."

**More Testing Needed**

New encryption models and technologies typically require a marathon of testing and evaluation. MongoDB's Queryable Encryption stemmed from academic research on structured encryption, with several papers describing the approach. FHE has had decades of research and open development. Vaultree's Data-in-Use Encryption remains, to a large degree, a black box, although CEO Lasmaili pledges that scientific papers will be forthcoming.

In a blog on the possibilities of pervasive encryption, cybersecurity firm Kaspersky warned that such technologies require a great deal of oversight, because even small missteps can undermine the security of the systems.

"This happens to be a common problem of practical cryptography — when the developers of an information system feel compelled to craft something in-house that meets their particular data encryption requirements," the company stated. "This 'something' then often turns out to be vulnerable because the development process failed to take into account the latest scientific research."

While encryption-in-use may claim an early lead because it is usable in its current state, breakthroughs in FHE may win in the long run, especially as quantum computing may end up being a differentiator. FHE continues to have functional and security benefits, especially in a post-quantum encryption world, says Duality Technologies' Rohloff.

"Fully homomorphic encryption does allow many more secure operations on it as compared to general structured encryption," he says. "Not all variations of structured encryption \[are\] protected against quantum computing attacks, but all used fully homomorphic encryption schemes are believed to be protected against quantum computing attacks."

Technology Firms Delivering Much-Sought Encryption-in-Use

The chances of getting hacked are no longer low. Companies need to rethink their data collection and monitoring strategies to protect employee privacy and corporate integrity.

Organizations monitor their computer networks for a host of reasons — from gaining insight into availability, performance, and failures, to identifying potential cybersecurity vulnerabilities and exploits. In the process, they often collect more data than actually needed on employees, customers, prospects, vendors, and more. The prevailing attitude is that because the data exists, is easy to capture, and relatively cheap to store, why not collect it? But given the expansive capabilities of today's technology, combined with how integrated it is in every aspect of our lives, there's a danger of either purposefully or inadvertently collecting unnecessary and private data.

**More Data Means More Risk**

This issue will only increase as monitoring technologies continue to improve and have the ability to gather wider perspectives and unique personal characteristics. As it stands, companies collect plenty of direct data on individuals and use third-party enrichment to add fuller details, some of which are more intrusive than necessary. As layer upon layer of diverse data is captured, it's likely the insights will increasingly cross privacy boundaries and create risk.

All data scooped up during monitoring — including financial information, communications, intellectual property, personnel files, contracts, and other confidential materials — has the potential to enter the public domain, either by hacking or human error. A recent cautionary tale is a Department of Defense server misconfiguration that spilled out email messages and sensitive personal details of federal employees. While this information was required for military security clearances, many companies are collecting similar data without a legitimate need, creating an unnecessary threat of exposure.

Hackers regularly exploit personal data to open up authentication information that allows them to monetize their cybercrimes, which has been made easier and more lucrative thanks to cryptocurrencies. There are also nation-state actors, corporate espionage, and even politically motivated organizations seeking to obtain intellectual property to better their position. This doesn't have to be a proprietary company secret. They may be seeking a process, application, engineering diagram, or even simple text messages.

**When Monitoring Seems Like Surveillance**

Another concern with excessive data collection is the impact on employees. When companies and vendors gain insights that are unnecessary to the core monitoring mission, it can alarm employees. This is especially true as the boundaries between work and home blend together, making personal devices increasingly available to corporate data collection.

Additionally, if the data being collected cannot be tracked to a specific goal, employees may mistake legitimate network and security monitoring for surveillance, especially as employee monitoring tools have become more widely used with the onset of remote work. These tools have a different purpose than network and security monitoring tools, but that's not always clear to workers.

**Taking Control of the Data**

When it comes to network and security monitoring, there's a strong case to be made for collecting and analyzing data at a discrete micro level. But when viewed at a macro level, where more personal and unnecessary information is collected and connected with other data sources, the case can lose its validity. This often happens when chief information officers (CIOs) and others get so caught up in monitoring technology's advanced capabilities that it clouds their good intentions and leads to questionable outcomes. Here are a few steps to help prevent data from getting the upper hand:

● As an organization, it's important to change how data is viewed. For many leaders, every data point is seen through a business mission lens and not from the perspective of privacy. The key is to identify each data point being collected and determine if it's a piece of core information or enrichment information. In most cases, data collected strictly for enrichment purposes is more difficult to justify.

● Given advancements in data analysis, it's not simply about reviewing the information being fed into the system. It's about how the algorithms are being trained, and what controls are in place to define what's confidential and how to keep it that way. Without those controls, the algorithm may use unnecessary data points, resulting in outputs that answer questions never intended to be asked.

● In addition to improving data consistency and quality, a data governance team can be invaluable in helping educate employees and others about what is and what isn't being monitored, and why. They can also develop and enforce company data policies and ensure compliance with standards and regulations to prevent privacy lines from being crossed.

● When it comes to vendors, there should be a clear directive that the data being collected needs to be tied to the services being provided. IT leaders should make these three requests of vendors:

—Provide a detailed account of all data being collected, how it's being collected, how often it's being collected, and how it's being used.

—Describe the access mechanism being used to collect data and determine if, and to what extent, it allows the collection of unnecessary data.

—Explain if there are options to opt out of having specific data points collected and, if so, any implications that may result if taken.

A thorough review of data monitoring and collection procedures will likely reveal that most organizations are overreaching and putting the company, its employees, and its customers at risk. It's time to accept that the chance of getting hacked today is no longer exceedingly low. This intensifies the need for companies to take the necessary steps to rethink their data collection and monitoring strategies, and put best practices in place to protect employee privacy and corporate integrity.

The Ethics of Network and Security Monitoring

The "underreported" APT has returned to focus after attacks promoting Russian and Belarusian government interests and going after targets with humor, zest, and scrappiness.

A politically motivated cyber threat that's hardly discussed in the public sphere has made a sort of comeback in recent months, with campaigns against government agencies and individuals in Italy, India, Poland, and Ukraine.

"Winter Vivern" (aka UAC-0114) has been active since at least December 2020. Analysts tracked its initial activity in 2021, but the group has remained out of the public eye in the years since. That is, until attacks against Ukrainian and Polish government targets inspired reports on resurgent activity earlier this year from the Central Cybercrime Bureau of Poland, and the State Cyber Protection Centre of the State Service of Special Communication and Information Protection of Ukraine.

In a follow-on analysis published this week, Tom Hegel, senior threat researcher at SentinelOne, further elucidated the group's TTPs and emphasized its close alignment "with global objectives that support the interests of Belarus and Russia's governments," noting that it should be classified as an advanced persistent threat (APT) even though its resources aren't on the par of its other Russian-speaking peers.

**Winter Vivern, a 'Scrappy' Threat Actor**

Winter Vivern, whose name is a derivative of the wyvern, a type of biped dragon with a poisonous, pointed tail "falls into a category of scrappy threat actors," Hegel wrote. They're "quite resourceful and able to accomplish a lot with potentially limited resources, while willing to be flexible and creative in their approach to problem solving."

The group's most defining characteristic is its phishing lures — usually documents mimicking legitimate and publicly available government literature, which drop a malicious payload upon being opened. More recently, the group has taken to mimicking government websites to distribute their nasties. Vivern has a sense of humor, mimicking homepages belonging to the primary cyber-defense agencies of Ukraine and Poland, as seen below.

Source: SentinelOne

The group's most tongue-in-cheek tactic, though, is to disguise its malware as antivirus software. Like their many other campaigns, "the fake scanners are pitched through email to targets as government notices," Hegel tells Dark Reading.

These notices instruct recipients to scan their machines with this supposed antivirus software. Victims who download the fake software from the fake government domain will see what appears to be an actual antivirus running, when, in fact, a malicious payload is being downloaded in the background.

That payload, in recent months, has commonly been Aperitif, a Trojan that collects details about victims, establishes persistence on a target machine, and beacons out to an attacker-controlled command-and-control server (C2).

Source: SentinelOne

The group employs many other tactics and techniques, too. In a recent campaign against Ukraine's I Want to Live hotline, they resorted to an old favorite: a macro-enabled Microsoft Excel file.

And "when the threat actor seeks to compromise the organization beyond the theft of legitimate credentials," Hegel wrote in his post, "Winter Vivern tends to rely on shared toolkits and the abuse of legitimate Windows tools."

**Winter Vivern, APT, or Hacktivists?**

The Winter Vivern story is scattershot and leads to a somewhat confused profile.

Its targets are pure APT: Early in 2021, researchers from DomainTools were parsing Microsoft Excel documents using macros when they came upon one with a rather innocuous name: "contacts." The contacts macro dropped a PowerShell script that contacted a domain that'd been active since December 2020. Upon further investigation, the researchers discovered more than they'd bargained for: other malicious documents targeting entities within Azerbaijan, Cyprus, India, Italy, Lithuania, Ukraine, and even the Vatican.

The group was clearly still active by the summertime, when Lab52 published news of an ongoing campaign matching the same profile. But it wasn't until January 2023 that it resurfaced in the public eye, following campaigns against individual members of the Indian government, the Ukraine Ministry of Foreign Affairs, the Italy Ministry of Foreign Affairs, and other European government agencies.

"Of particular interest," Hegel noted in his blog post, "is the APT's targeting of private businesses, including telecommunications organizations that support Ukraine in the ongoing war."

This special emphasis on Ukraine adds intrigue to the story since, as recently as February, the Ukraine government was only able to conclude "with a high level of confidence" that "Russian-speaking members are present" within the group. Hegel has now gone a step further, by directly correlating the group with Russian and Belarusian state interests.

"With the potential ties into Belarus, it's challenging to determine if this is a new organization or simply new tasking from those we know well," Hegel tells Dark Reading.

Even so, the group doesn't fit the profile of a typical nation-state APT. Their lack of resources, their "scrappiness" — relative to their heavy-hitting counterparts like Sandworm, Cozy Bear, Turla, and others — place them in a category nearer to more ordinary hacktivism. "They do possess technical skills to accomplish initial access, however, at this time they don't stack up to highly novel Russian actors," Hegel says.

Beyond the limited capacities, "their very limited set of activity and targeting is why they are so unknown in the public," Hegel says. It may be in Winter Vivern's favor, in the end. So long as it lacks that extra bite, it may continue to fly under the radar.

Low-Budget 'Winter Vivern' APT Awakens After 2-Year Hibernation

A more holistic model beyond MITRE et al is needed to help defenders better identify and understand commonalities in different online threat campaigns, the Facebook parent company says.

Two researchers at Facebook parent Meta have proposed a new framework approach for dealing with online threats, that uses a shared model for identifying, describing, comparing, and disrupting the individual phases of an attack chain.

The basis of their new "Online Operations Kill Chain" is the idea that all online attacks — however different and whatever their motivations — often share many of the same common steps. To launch any online campaign, for instance, an attacker would require at least an IP address, likely an email or mobile phone for verification, and capabilities for obscuring their assets. Later in the attack chain, the threat actor would need capabilities for gathering information, testing target defenses, executing the actual attack, evading detection, and remaining persistent.

**Shared Taxonomy and Vocabulary**

Using a shared taxonomy and vocabulary to isolate and describe each of these phases can help defenders better understand an unfolding attack so they can look for opportunities to more quickly disrupt it, the Meta researchers said.

"It will also enable them to compare multiple operations across a far wider range of threats than has been possible so far, to identify common patterns and weaknesses in the operation," the two Meta researchers, Ben Nimmo and Eric Hutchins, wrote in a new white paper on their kill chain. "It will allow different investigative teams across industry, civil society, and government to share and compare their insights into operations and threat actors according to a common taxonomy," they noted.

Nimmo is Meta's global threat intelligence lead. He has helped expose foreign election interference in the United States, UK, and France. Hutchins, a security engineer investigator on Meta's influence operations team, was the co-author of Lockheed Martin's influential Cyber Kill Chain framework for detecting and protecting against cyber intrusions.

The two researchers describe Meta's Online Operations Kill Chain as something that is vital to uniting efforts in the fight against all forms of online threats, ranging from disinformation and interference campaigns to scams, fraud, and child safety. Currently the security teams and researcher addressing these different threat operations approach them as separate problems though they all have common elements, Nimmo tells Dark Reading.

**Breaking Down the Silos**

"We talk with so many different investigative teams around cyber espionage and fraud and online scams, and time and time again we hear 'your bad guys are doing the same thing as our bad guys,'" Nimmo says. Investigative teams can often miss the meaningful commonalities that might be present between different threat operations because defenders work in silos, he says.

Nimmo and Hutchins differentiate their new kill chain from the slew of other kill chain frameworks that are currently available, on the basis that it's more broadly focused on online threats and provides a common taxonomy and vocabulary across all of them.

For example, Lockheed Martin's intrusion kill chain, the MITRE ATT&CK framework, Optiv's cyber fraud kill chain, and a proposed kill chain for attack takeovers from Digital Shadows are all tailored for specific online threats. They do not address the full spectrum of online threats that Meta's kill chain does, Nimmo and Hutchins argued. 

Similarly, none of them address the problems caused by a lack of a common taxonomy and vocabulary across different threat types. For example, within the space of online political interference, it's common for defenders to use the terms "disinformation," "information operations," "misinformation incidents," "malinformation," and "influence operations" interchangeably, though each term could have a distinct meaning.

**A Map & a Dictionary**

Nimmo describes the new Online Operations Kill Chain as providing a common map and a dictionary of sorts that security teams can use to logically understand the sequence of a threat campaign, so they can look for ways to disrupt it. "The goal is really to enable as much structured and transparent information sharing as possible," to help inform better defenses, Nimmo says.

Hutchins says Meta's framework expands the scope of the existing kill chains while still focused on what the adversary is doing — the same principle behind the other frameworks. He perceives the model as allowing security experts across the industry to more easily share information they might have gathered from their specific vantage points. "It provides an opportunity to put these different pieces together in a way we haven't been able to before," Hutchins says.

Meta's Online Operations Kills Chain breaks down an online threat campaign into 10 different phases — three more than Lockheed Martin's kill chain. The 10 phases are:

**1\. Asset acquisition:** This is when the threat actor acquires assets required for launching an operation. Assets could range from an IP and email addresses to social media accounts, malware tools, Web domains, and even physical buildings and office space.

**2\. Disguising assets:** This phase includes efforts by the threat actor to make their malicious assets look authentic by, for instance, using fake and AI-generated profile pictures and impersonating real people and organizations.

**3\. Gathering information:** This can include using commercially available surveillance tools to conduct target reconnaissance, scraping public information, and harvesting data from social media accounts.

**4\. Coordinating and planning:** Examples include efforts by threat actors to coordinate efforts to harass people and entities via online bots and publishing lists of targets and hashtags.

**5\. Testing platform defenses:** The goal at this stage is to test the ability of defenders to detect and disrupt a malicious operation — for example, by sending spear-phishing emails to target individuals or testing new malware against detection engines.

**6\. Evading detection:** Measures at this stage can include using VPNs for routing traffic, editing images, and geofencing website audiences.

**7\. Indiscriminate engagement:** This is when a threat actor might engage in activities that make no effort to reach a target audience. "In effect, it is a 'post and pray' strategy, dropping their content onto the internet and leaving it to users to find it," according to the Meta researchers.

**8\. Targeted engagement:** The stage in an online operation where the threat actor directs the malicious activity at specific individuals and organizations.

**9\. Asset compromise:** In this phase, the threat actor takes over or attempts to take over accounts or information by for instance using phishing and other social engineering methods to acquire credentials or installing malware on a victim system.

**10\. Enabling longevity:** The part when a threat actor takes measures to persist through takedown attempts. Examples include replacing disabled accounts with new ones, deleting logs, and creating new malicious Web domains.

The framework does not prescribe any specific defensive measure, nor does it purport to help defenders understand the objectives of a campaign, Nimmo says. "The kill chain is not a silver bullet. It is not a magic wand," he says. "It is a way to structure our thinking on how to share information."

Meta Proposes Revamped Approach to Online Kill Chain Frameworks

Attackers are increasingly staying under the radar by using your own tools against you. Only behavioral AI can catch these stealthy attacks.

The most advanced cyberattackers try to look like your administrators, abusing legitimate credentials, using legitimate system binaries or tools that are natively utilized in the victim's environment. These "living-off-the-land' (LotL) cyberattacks continue to cause headaches for security teams, which often have no effective means of differentiating between malicious behavior and legitimate administrative behavior.

When an attacker uses applications and services native to your environment, your own staff also use these systems, and a signature- or rules-based detection system will either miss the activity or end up alerting or disrupting your own employees' actions.

It is no surprise then that these attacks have been found to be highly effective, with the Ponemon Institute finding that fileless malware attacks are about 10 times more likely to succeed than file-based attacks.

LotL cyberattackers rely on a variety of tools and techniques, including:

*   **Using PowerShell** to launch malicious scripts, escalate privileges, install backdoors, create new tasks on remote machines, identify configuration settings, evade defences, exfiltrate data, access Active Directory information, and more
*   Using **Windows Command Processor (CMD.exe)**, to run batch scripts, and **(WScript.exe) and Console Based Script Host (CScript.exe)** to execute Visual Basic scripts, offering them more automation.
*   **.NET applications** for resource installation via the .NET Framework. Installutil.exe allows attackers to execute untrusted code via the trusted program
*   Using the **Registry Console Tool (reg.exe)** to maintain persistence, store settings for malware, and store executables in subkeys.
*   And many others, including **WMI (Windows Management Instrumentation), Service Control Manager Configuration Tool (sc.exe), Scheduled Tasks (AT.EXE Process)**, and Sysinternals such as **PSExec**.

LotL techniques involving Remote Desktop Protocol (RDP) connections can be some of the most difficult activities to triage for security teams, as RDP often represents a critical service for system administrators. For security teams, it can be exceptionally difficult to parse through and identify which RDP connections are legitimate and which are not, especially when administrative credentials are involved.

Defensive systems focused on "known bads" and historical attack data fail to catch the malicious use of some of the tools described above. Stopping these attacks requires a business-centric defensive strategy that uses AI to understand "normal" behavior of every user and device in your organization to detect anomalous activity in real time.

Take, for example, this real-world attack that targeted a Darktrace customer in July 2022.

    

Figure 1: A timeline of the attack. Source: Darktrace

The first sign of a compromise was observed when Darktrace's AI revealed an internal workstation and domain controller (DC) engaging in unusual scanning activity, before the DC made an outbound connection to a suspicious endpoint that was highly rare for the environment. The contents of this connection revealed that the threat actor was exporting passwords from a successful cracking attempt via Mimikatz — a presence that previously had been unknown to the security team.

Several devices then began initiating outbound connections to AnyDesk-related websites, a possible means of persistence or a backdoor for the attacker. In their first demonstration of LotL methods, the attacker initiated a "golden ticket attack" culminating in new admin logins. With their new position of privilege, use of the automating "ITaskSchedulerService" and Hydra brute-force tool the next day allowed for even deeper insights and enumeration of the customer's environment.

One device even remotely induced a living-off-the-land binary (LOLBin) attack. By creating and running a new service on three different destinations, the attacker retrieved MiniDump memory contents and feed any information of interest back through Mimikatz. Not only can this strategy be used to identify further passwords, but it allows for lateral movement via code executions and new file operations such as downloading or moving.

On the final day, a new DC was seen engaging in an uncommonly high volume of outbound calls to the DCE-RPC operations "samr" and "srvsvc" (both of which are legitimate WMI services). Later, the DC responsible for the initial compromise began engaging in outbound SSH connections to a rare endpoint and uploading significant volumes of data over multiple connections.

    

Figure 2: Darktrace's Device Event Log reveals some of the LotL techniques used by the attacker

The attacker's use of legitimate and widely used tools throughout this attack meant the attack flew under the radar of the rest of the security teams' stack, but Darktrace's AI stitched together multiple anomalies indicative of an attack and revealed the full scope of the incident to the security team, with every stage of the attack outlined.

This technology can go further than just threat detection. Its understanding of what's "normal" for the business allows it to initiate a targeted response, containing only the malicious activity. In this case, this autonomous response functionality was not configured, but the customer turned it on soon after. Even so, the security team was able to use the information gathered by Darktrace to contain the attack and prevent any further data exfiltration or mission success.

LotL attacks are proving successful for attackers and are unlikely to go away as a result. For this reason, security teams are increasingly moving away from "legacy" defenses and toward AI that understands "'normal" for everyone and everything in the business to shine a light on the subtle anomalies that comprise a cyberattack — even if that attack relies primarily on legitimate tools.

**About the Author**

    

Tony Jarvis is Director of Enterprise Security, Asia-Pacific and Japan, at Darktrace. Tony is a seasoned cybersecurity strategist who has advised Fortune 500 companies around the world on best practice for managing cyber-risk. He has counseled governments, major banks, and multinational companies, and his comments on cybersecurity and the rising threat to critical national infrastructure have been reported in local and international media including CNBC, Channel News Asia, and The Straits Times. Tony holds a BA in Information Systems from the University of Melbourne.

Leveraging Behavioral Analysis to Catch Living-Off-the-Land Attacks

The 'ChipMixer' cryptocurrency service for cybercriminals was shut down by law enforcement, and its alleged operator has been charged.

Criminal, cryptocurrency, money-laundering service ChipMixer has been shuttered following an international law enforcement effort led by the US Department of Justice (DoJ).

The cryptocurrency service for cybercriminals, according to charges, laundered more than $3 billion in illicit funds since 2017 for a roster of threat actors engaged in ransomware, fraud, and more. Minh Quốc Nguyễn (49) of Hanoi, Vietnam, is being charged with operating the illicit ChipMixer service, the DoJ added.

Cryptocurrency mixing involves using pools of cryptocurrency to make tracking electronic transactions almost impossible, so it's perfect for money-laundering. It's become a common service used by cybercriminals, especially as more governments regulate cryptocurrency exchanges.  

"Today's announcement demonstrates the FBI's commitment to dismantling technical infrastructure that enables cybercriminals and nation-state actors to illegally launder cryptocurrency funds," FBI Deputy Director Paul Abbate said in a statement about the ChipMixer takedown. "We will not allow cyber criminals to hide behind keyboards nor evade the consequences of their illegal actions."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

$3B Crypto-Mixer Money Laundering Operation Seized by Cops

After years of relative stability and steady growth, Omdia research indicates the NDR segment is poised for rapid change.

After several years of relative stability and steady growth, Omdia research indicates that the network detection and response (NDR) segment appears poised for rapid change.

While a handful of vendors continue to enjoy significant market traction, the segment faces uncertainty due to the evolving demands on threat detection, investigation, and response (TDIR) solutions.

It's becoming tougher for many vendors to find traction in a changing NDR market landscape. Several second-tier players have exited the market in the last several quarters, and Omdia expects a further culling of vendors in this segment. As the NDR market shakes out over the next 12–24 months, vendors must ensure that they can meet the visibility requirements of customers, as continued network evolution, cloud computing, and the need for proactive security approaches demand a greater focus on extended network visibility. This will include fully articulating NDR’s value within broader initiatives such as XDR and zero trust.

**How Do NDR Vendors Differentiate Themselves?**

NDR vendors differentiate across numerous features, but the most successful vendors share the goal of providing the highest possible signal-to-noise ratio in their threat detection techniques. No one needs another network-based "alert cannon." There is significant variation in approaches, however, both regarding what data is collected and how it is analyzed, and this is particularly true with respect to how leading vendors handle analysis of encrypted traffic.

Another important market dynamic is the consolidation of network security features within NDR platforms. For example, several vendors position themselves as replacements for traditional IDS products. More broadly, NDR solutions are taking on security functionality that has traditionally resided in NTA, IDS, UEBA and TIP solutions. Additionally, Omdia is seeing NDR vendors move into adjacent markets such as cloud detection and response (CDR) and identity detection and response (IDR).

Despite significant shifts in enterprise network architectures, NDR technology continues to demonstrate value by detecting threats that other security technologies miss, either because of lack of traffic visibility or lack of analytical sophistication. As a result, there will remain specific use cases for NDR as a stand-alone product. The market is clearly moving toward integrated XDR solutions, however, and enterprises should future-proof NDR deployments by fully understand which XDR interoperability initiatives are supported by any NDR prospect they may be considering.

There are several paths along which the NDR market could evolve, but recent acquisitions in the space demonstrate continued optimism that NDR functionality will remain an important component of enterprise security architectures. The uncertainty lies in how it will be delivered in the longer term.

Omdia remains optimistic and forecasts the global NDR market will eventually grow to $1.98 billion in 2027. Within that time, Omdia expects continued consolidation and retrenchment in the market as a smaller number of vendors represent a larger percentage of total market revenue.

For a deeper dive into current trends in the NDR market, Omdia customers can access "Fundamentals of Network Detection and Response" (Article number: OM029348).

Change Is Coming to the Network Detection and Response (NDR) Market

The ransomware group has already claimed 116 victim organizations so far on its site, and it continues to mature as a thriving cybercriminal business, researchers said.

The BianLian ransomware group is ramping up its operations and maturing as a business, moving more swiftly than ever to compromise systems. It's also moving away from encryption to pure data-theft extortion tactics, in cyberattacks that have so far bagged at least 116 victims, researchers have found.

BianLian, first discovered last July, hasn't deviated much from its initial tactic: deploying a custom go-based backdoor once it infiltrates a network. The functionality of the malware essentially remains the same except for a few tweaks, researchers from Redacted said in a blog post published today.

However, the swiftness with which the group's command-and-control server (C2) deploys the backdoor has increased, and the group notably has moved away from ransoming encrypted files to focusing more on pure data-leak extortion as a means to extract payments from victims, the researchers said.

"BianLian has discovered that they don't need to actually encrypt victim networks to get paid," Adam Flatley, vice president of intelligence at Redacted, says.

This shift to focus on data-leak extortion is "extremely dangerous," because it allows the group to take the time and effort to tailor the threats to specific victims and exert more pressure to pay ransoms, he adds.

"BianLian will have an even stronger pressure position on trying to force their victims to not work with the FBI, to not report the incident, and just pay the ransom and move on," Flatley says.

BianLian's motivation for changing its encryption strategy is likely a response to Avast's release of an encryption tool for organizations that have been targets of the group to unlock their files, the researchers noted.

Given that BianLian has used double-extortion methods from the outset — threatening to release a victim organization's stolen data online if a ransom wasn't paid by a certain deadline — the group decided to skip the encryption step and go right to extortion, according to Redacted.

**Maturing As a Cyberattack Business**

This shift is part of BianLian's overall evolution and maturation as a business, the researchers said. While from its inception the group has had "a high level of operational security and skill in network penetration," they now appear to be hitting their stride in terms of the actual business of running a cybercriminal extortion gang.

Indeed, moving away from the unique encryption method that it displayed in early attacks is a smart business move, Flatley says, particularly as an evasion tactic. Because data theft does not cause network nor business disruption, it calls less attention to BianLian's activity, "which means their operations can fly more under the radar," he says.

"When business services are disrupted, it's very hard to keep an event quiet because customers and business partners start to notice that services are down, for example," Flatley says.

Another thing the group has going for it to achieve success with this new strategy is a faster time to deploy a backdoor on a network once they've gained initial access, the researchers said. This speed is linked to BianLian's strong C2 server game, with the group bringing close to 30 new ones online each month, each with a typical lifetime of about two weeks, they said.

Once BianLian establishes a C2 connection to a victim network, it now deploys its backdoor in mere minutes — which means that by the time security administrators discover a BianLian C2, "it is highly likely that the group has already established a solid foothold into a victim's network," the researchers said.

While it's difficult to know how many victims BianLian has compromised, as of March 9, the group has detailed 116 victim organizations on its leak site, the researchers noted. Of those victims, healthcare organizations represent the single largest industry vertical victimized by the group — a shift from early attacks, which focused mainly on the media and entertainment sector.

**Shoring Up Cyber Defense Against Data Theft & Extortion**

With BianLian and other ransomware group's pivoting to pure extortion tactics, enterprises must also make changes to how they defend against these attacks, the researchers said.

"They will need to focus even more on techniques that can help them avoid having to pay the ransom in double-extortion scenarios," Flatley says.

Some of those techniques include a stronger prevention strategy against easily thwarted attacks, as well as quicker detection of "unpreventable" network intrusions, he says. This can be done by "following best practices on passwords and multifactor authentication, aggressively patching your systems in a prioritized and enforced regime, and providing security training for your employees," Flatley wrote in a blog post on how organizations can avoid paying a ransom.

Shoring up incident response as well as having a plan ahead of an attack to prepare for ransom demands can also help organizations avoid the worst outcome of extortion-based attacks, Flatley says.

As part of the former, Flatley notes in his post that organizations should ensure that they have good system backups, that those backups are secured effectively so an attacker can't access them, and that the restoration process is fully tested to ensure it works correctly.

Source

DARKReading