Mandiant's ongoing investigation of UNC3886 has uncovered new details of threat actors' TTPs.

A Chinese cyber-espionage group that researchers previously have spotted targeting VMware ESXi hosts has quietly been exploiting a zero-day authentication bypass flaw in the virtualization technology to execute privileged commands on guest virtual machines (VMs).

Researchers from Mandiant discovered the vulnerability during ongoing investigations of UNC3886, a Chinese threat actor they have been following for some time and whom they reported on last year. They disclosed the vulnerability to VMware, which released a patch addressing the flaw on Tuesday.

**Authentication Bypass Zero-Day**

The zero-day vulnerability (CVE-2023-208670) is present in VMware Tools, a set of services and modules for enhanced management of guest operating systems.

The bug gives attackers a way to use a compromised ESXi host to transfer files to and from Windows, Linux, and vCenter guest virtual machines without the need for guest credentials — and without any default logging of the activity happening. VMware assessed the flaw as being of medium severity because to exploit it an attacker already needs to have root access over an ESXi host.

Mandiant found UNC3886 using CVE-2023-208670 as part of a larger and sophisticated attack chain that its researchers have been unraveling over the past several months.

In September 2022, Mandiant reported uncovering UNC3886 using poisoned vSphere Installation Bundles, or VIBs, to install multiple backdoors — collectively dubbed VirtualPITA and VirtualPIE — on ESXi hypervisors. The backdoors enabled the attackers to maintain persistent administrative access to the hypervisor, to route commands through the hypervisor for execution on guest VMs, and for transferring files between the hypervisor and guest machines. The malware bundle also allowed UNC3886 actor to tamper with the hypervisor's logging service and to execute arbitrary commend between guest VMs on the same hypervisor.

Mandiant's analysis at the time showed the threat actor required admin-level privileges on the ESXi hypervisor to deploy the backdoors. But it found no evidence of UNC3886 actors leveraging any zero-day vulnerability to break into the ESXi environment or to deploy the weaponized VIBs.

**New Details on Threat Actor's Tactics and Methods**

The security vendor's continuing investigation of UNC3886's campaign — summarized in a technical report this week — uncovered new details on the threat actor's tactics and methods. They found, for instance, the threat actor harvesting credentials for connected ESXi service accounts from vCenter Server appliance and exploiting CVE-2023-20867 to execute privileged commands across guest virtual machines. Mandiant's research also showed UNC3886 actors deploying backdoors — including VirtualPITA and another called VirtualGATE — using the Virtual Machine Communication Interface (VMCI) socket for lateral movement and additional persistence. "This … enabled direct reconnection from any guest VM to the compromised ESXi host’s backdoor regardless of network segmentation or firewall rules in place," Mandiant said.

Mandiant's report this week goes into the technical details on the entire attack chain beginning with the threat actor gaining privileged access to an organization's vCenter server and retrieving service account credentials for all connected ESXi hosts. The report goes on to describe how UNC3886 actors used the credentials to connect to ESXi hosts, deploy VirtualPITA and VirtualPIE backdoors on them using VIBs and then exploiting CVE-2023-208670 to execute commands for transferring files to and from guess VMs.

The threat actor targeted ESXi hosts belonging to defense, technology and telecommunications companies, Mandiant said.

"To enable connections to many ESXi hosts at once, UNC3886 targeted vCenter servers, each \[of which\] administrate multiple ESXi hosts," says Alex Marvi, a consultant at Google Cloud's Mandiant. "Each ESXi host creates a service account called the 'vpxuser' when it is initially connected to a vCenter server. UNC3886 was seen harvesting this vpxuser account on vCenter servers so they could connect with administrative rights to all connected ESXi hosts." Once connected to the ESXi hosts, the threat actor leveraged CVE-2023-20867 to run commands and transfer files on running guest machines without the need for the guest’s credentials, he says.

**Previously Unseen Techniques**

The harvesting of connected ESXi service account credentials on vCenter servers and the capabilities of the VMCI socket backdoor are two new techniques that Mandiant has not seen utilized by other attackers in the past, Marvi says. "This should help organizations detect and respond to this attack path, regardless of the exact malware being deployed or commands being used."

Mandiant has assessed UNC3886 as a threat actor that is particularly adept at targeting and exploiting zero-day bugs in firewall and virtualization technologies that do not support endpoint detection and response technologies. Its primary targets have been in the US and on organizations in the Asia-Pacific region and Japan. According to Marvi, UNC3886 has demonstrated the ability to switch up attacker paths and tactics when needed. He points to a novel set of malware tools the threat actor deployed on Fortinet devices as evidence of its abilities and access to resources needed to carry out highly sophisticated attacks.

"UNC3886 has shown itself to be a flexible, yet highly capable threat actor, which will modify open source projects to complete their mission," he says. "I would argue that this group’s TTPs are more dynamic than unique, built around the exact needs to either regain access or persist in an environment with whatever they are given access to."

Chinese Threat Actor Abused ESXi Zero-Day to Pilfer Files From Guest VMs

Threat actors have created over 3,000 domains, some as old as two years, to lure in customers to false, name brand websites for personal financial gain.

Threat actors have been impersonating more than 100 apparel, clothing, and footwear brands such as Nike, New Balance, and Vans to lure customers as part of a malicious phishing scam since June 2022.

The threat research team from Bolster.ai identified more than 3,000 registered domains and around 6,000 sites carried out by threat actors with the intent to target the customers of these popular brands to steal account credentials and financial information. Other brands that have been affected include Doc Martens, Miu Miu, Converse, and Etsy, an American e-commerce company that hosts countless small businesses on its site.

As the height of its campaign activity between November 2022 and February 2023, the malicious actors were adding around 300 new fraudulent sites on a monthly basis, the researchers said. The attackers followed a simple naming convention for these domains: combining the brand name with a city or country, followed by a generic top-level domain such as .com.

Many of the domains were old, some even two years old, which helped boost the success of this scam. The older a domain name, the less likely they are to be flagged by security tools as being malicious. Old domains also help boost global malvertising campaigns because those sites have time to be indexed by Google, tend to rank higher in search terms, and can lure in users who assume that a page ranking high in search must be credible. 

**Notable for Fraud Risk**

These domains were traced back to Autonomous System number AS48950, (which refers to IP prefixes run by network operators) — and the domains' IP addresses are hosted by Packet Exchange Limited and Global Colocation Limited. Both Internet service providers are known for fraud risk, according to Bolster.ai. 

Companies can mitigate these risks by training employees to be aware and take note of the signs for impersonation attempts and phishing scams, using cybersecurity software to block attempts to begin with, and even using artificial intelligence (AI) to automate these processes.

Popular Apparel, Clothing Brands Being Used in Massive Phishing Scam

The average cost of a data breach is $4.35 million. Understand the power of public key infrastructure (PKI) and its role in encrypting data and battling breaches.

Identity is the key to unlocking zero-trust environments, but it is also the key to a lucrative payday for cybercriminals selling prized company data and personal information.

In recent years, data breaches (and their impact on companies and affected individuals) have made headlines. Data breaches have affected a variety of industries including financial services organizations Equifax and CapitalOne, energy company Colonial Pipeline, and fast-food chain Chick-Fil-A. While these companies were well-known before their data breaches, if the world did not know their names prior to making headlines for breaches, they do now.

**Understanding the Power of PKI**

The best way to protect anything is by keeping it under lock and key, but for information stored in the cloud or exchanged electronically, a physical lock and key is futile. Public key infrastructure (PKI) serves as a cybersecurity lock-and-key system that protects data and resources, as well as authenticates access, secures communications, and provides data integrity and non-repudiation. PKI is widely used in secure email communication, digital signatures, secure Web browsing (HTTPS), virtual private networks (VPNs), and secure online transactions, and other applications.

At PKI's core is asymmetric cryptography, which uses key pairs: a public key and a private key. The public key is widely distributed and used to encrypt information while the corresponding private key is kept secret and used for decryption. Once these keys are inserted into individual devices and applications, they work to encrypt data and authenticate connected devices and applications.

Imagine your organization has a mailroom that houses feedback boxes for all the departments in the company. Each department's feedback box and the mailroom have a public key that allows anyone in the company to unlock any department's box and drop a message into it. However, the head of each department has a private key that only they possess. This private key is mathematically related to the public key and is the only key in the entire company that can unlock a department's feedback box to access messages or decrypt anything in the box that is encrypted.

**How PKI Encrypts Data**

Since PKI uses mathematically related keys to encrypt and decrypt data, only the private key can decrypt data that is encrypted with the public key. Therefore, data in transit cannot be intercepted, and when at rest on a device or database, encrypted data cannot be read even if stolen because thieves will not have the private key to unlock it.

If you deploy and use PKI across a corporate network, you can establish a zero-trust environment by authenticating and encrypting everything that is written to or retrieved from a server or device. For example, if your website uses a TLS/SSL certificate to encrypt communications between a customer's browsers and your website's server, you are using PKI encryption. As the backbone of enterprise network security, deploying PKI is extremely complex.

**Benefits of Cloud-Based PKI**

Deploying and maintaining PKI requires a lot of resources and talent, but it's critical for protecting company data. Many organizations find deploying PKI in the cloud and as a service (PKIaaS) to be a better option than doing it all in-house. Cloud PKIaaS offers several benefits for enterprises of all sizes, such as:

**Rapid deployment:** PKI has come a long way since its inception. While it used to be a system that required on-premises deployment, it can now be deployed entirely through the cloud. Cloud PKI can be integrated into existing security systems and operational within a matter of days.

**Agility:** PKI has been around for decades and is already deployed in most infrastructures with Microsoft Certificate Authority (CA). PKIaaS provides a straightforward way to migrate from Microsoft CA without changing your enterprise infrastructure.

**Scalability:** Cloud PKIaaS enables organizations to scale as they grow and expand use cases without incurring additional hardware or infrastructure costs.

**Security:** Not only is encrypted data useless without the decryption key but so are your keys to the kingdom: private keys. PKIaaS protects private keys in Federal Information Process Standards (FIPS)-compliant hardware security modules (HSMs) stored in geographically dispersed data centers capable of withstanding nuclear attacks.

**Cost savings:** By leveraging the existing capabilities of your organization's devices, software, and hardware, cloud PKI maximizes your IT investment by eliminating costs of acquiring new devices or tools.

With the average cost of a data breach at $4.35 million in 2022, deploying PKI and encrypting data are more cost-effective than becoming the victim of a breach. For more information on PKI encryption, we recommend reading our Encrypt Everything e-book for strategies to help develop a data breach battle plan.

**About the Author**

    

Mrugesh Chandarana is Product Management Director for Identity and Access Management Solutions at HID Global, where he focuses on IoT and PKI solutions. He has more than 10 years of cybersecurity industry experience in areas such as risk management, threat and vulnerability management, application security and PKI. He has held product management positions at RiskSense, WhiteHat Security (acquired by NTT Security), and RiskVision (acquired by Resolver, Inc.).

Harness the Power of PKI to Battle Data Breaches

Vendors and buyers both have the power to make the industry a better place. What's needed is more collaboration, mutual support, and respect.

Security leaders are tired of aggressive sales tactics, and cybersecurity companies must change the way they go about acquiring customers. Thankfully, more and more people are becoming vocal about this problem, so I am optimistic it will get better over time. I have been reading a lot of great advice about how cybersecurity startups should engage with security leaders. Some of the best ones, in my opinion, are CISO Manifesto: Rules for Vendors (I would call this one by Gary Hayslip a required read for any security vendor) and 63 CISO Buyer Insights Carefully Curated for Cybersecurity Marketers.

The topic that doesn't get any attention, however, is how security leaders can make the lives of cybersecurity vendors easier. You see, a market is a two-way street, and only when both parties do their best to treat one another well can we make security a better place to be in. I previously discussed how security leaders can accelerate innovation in cybersecurity. In this piece, I will examine how chief information security officers (CISOs) should approach cybersecurity startups.

**Start From a Place of Curiosity**

Although some startup founders are in it exclusively for the money, most of the ones I meet are genuinely passionate about solving hard problems. Cybersecurity companies are started by security practitioners and CISOs, and they don't typically quit their jobs so they can make the industry a terrible place to be in (at least, not intentionally). While you may not agree with a founder's view of the world, recognizing that it has the right to exist and being curious about it is a great start. Without innovative founders willing to take risks, our industry would not have been able to evolve.

**Articulate the Problem You're Trying to Solve and Provide Context**

When asked, "What does your product do?" the only right answer is often this: "It depends." Without understanding the context and the problem you are looking to solve, vendors have no choice but to offload the list of features instead of explaining how (and if) their offerings can address your needs. This doesn't make it easier for the buyer to understand how all of these features can be useful for their particular need. Conversations that start by clearly articulating a problem instead of listing abbreviations a customer is looking to buy, tend to be the most productive for everyone involved.

**Remember That People Who Work for Vendors Are Also Trying to Feed Their Families**

Sales development representative is one of the lowest-paid and hardest occupations, and it's not uncommon for companies to hire fresh graduates and entry-level workers for these roles. Companies that use aggressive sales tactics should be held accountable. To do that, it's a good idea to leave a review online, call out the vendor on social media, tell your peers, and don't buy from the company. However, there is no need to tell the poor person trying to put bread on their table what you think of them, their family, and their life. Remember: They probably hate their job anyway and do it to survive; cold-calling is a soul-crushing grind.

**Proactively Offer Transparent Feedback**

As someone who works in product, I know firsthand how hard it can be to get users to provide feedback and ideas, or even report gaps. Most people, even those working for companies you don't agree with, are genuinely trying to do work they can be proud of. Hearing new ideas and perspectives helps startups innovate and prioritize solving the right problems — the bug that has been annoying your team could probably have been fixed a year ago, if it had been reported.

**Recommend Companies You Trust to Your Peers**

Early-stage startups are struggling to get the word out about their work. To discourage companies from using unethical, aggressive sales methods, it is important to not only bring attention to the bad in the industry, but also to evangelize the good. If there is a company you believe in, tell your peers about it, make an introduction to someone who may benefit from their work, publish a good review on social media, or even give them a testimonial they can put on their website. Best of all — you can do all or some of this even if you aren't able to adopt the product at your organization.

**Say It How It Is**

It is painful to witness security leaders and their teams ghost vendors after spending time going through demos, and even doing a few weeks-long proof of concepts. Managing expectations should be simple: If you see that you won't be able to implement the solution within the timelines you've initially communicated — just say so and provide a new target. This will help the vendor to update its forecasting and plan capacity of support teams. If you decide to not go ahead with the solution — send the people you spoke with a brief email — "Here is what we decided and here is why." If you want to be extra helpful, you can also share some feedback about the experience, what went well, and what the vendor can do better.

Both parties — vendors and buyers — have the power to help make the industry a better place. What we need is more collaboration, mutual support, and respect. At the end of the day, we are all fighting on the same side.

How Security Leaders Should Approach Cybersecurity Startups

While protecting critical infrastructure seems daunting, here are some critical steps the industry can take now to become more cyber resilient and mitigate risks.

There continues to be a lot of pressure on security leaders to do more with less, but today's sophisticated and frequent cyberattacks only exacerbate the situation. And the bad news is these cyber incidents, particularly ransomware attacks, are not going away any time soon. In fact, they are becoming more prevalent in areas like critical infrastructure, supply chain, and financial institutions. For example, the Cybersecurity and Infrastructure Security Agency (CISA) observed ransomware incidents against 14 of the 16 US critical infrastructure sectors in 2021.

As one of the fastest growing types of cybercrime, the financial implications of ransomware have become more pronounced in recent years. These attacks cause more widespread damage than other single-target attacks, so it makes sense that we are seeing an increased response from government and technology vendors to fight off ransomware events. Is it enough?

**RVWP: An Important First Step**

In March 2022, CISA launched the Ransomware Vulnerability Warning Pilot (RVWP) program aimed at helping critical infrastructure organizations protect their systems against ransomware attacks by fixing vulnerabilities. While a good first step, to fully protect against ransomware and other cyberattacks, organizations need a security plan with multiple layers that includes technology measures, employee training, and well-defined and enforced security policies. However, it's clear that not all critical infrastructure providers employ best security practices, which is why the RVWP was initiated. But it doesn't go far enough.

While ransomware operators will absolutely take advantage of newly discovered vulnerabilities to infect targets, these are attacks of opportunity. Widespread network exploitation events impacting critical infrastructure are relatively infrequent these days, although smaller-scale attacks against well-known vulnerabilities persist and still have some level of success.

It's important to note that in the downtime between major vulnerability discoveries, ransomware operators most often use watering-hole attacks, spear phishing, malicious advertising, and other social-engineering tactics that exploit humans to gain a foothold in network environments. No amount of network scanning and reporting will mitigate these risks, so critical infrastructure will continue to be impacted by ransomware.

**GootLoader: An Example of Malware's Spread**

To better understand the potential impact, take a look at GootLoader, a popular malware that gives threat actors initial access to the victim's IT environment. GootLoader is a prime example of a ransomware tactic that can infiltrate an organization's network, and no amount of preventative scanning can stop it. At a high level, GootLoader uses search engine optimization (SEO) poisoning to lure and infect victims and compromise legitimate WordPress websites. If a user clicks on one of these websites and deploys the malware, it gives the threat actors a foothold on the network.

GootLoader does not seem to specifically target critical infrastructure entities, but they should still be concerned. In monitoring GootLoader, we have tracked over 700,000 URLs injected with the malware, and those contain around 3.5 million phrases that someone might use in a keyword search. I did a quick search, and here is a partial list of terms seen in the GootLoader landing pages that someone working in critical infrastructure might search for:

*   Advance Payment in Government Contracts
*   Agreement on Government Procurement
*   Aviation Service Agreement
*   Bermuda Agreement Aviation
*   Civil Aviation Agreement
*   Electricity Meter Operator Agreement
*   General Terms Agreement Aviation
*   Georgia Utility Laws
*   Joint Operating Agreement Oil And Gas
*   Nuclear Power Construction Labor Agreement
*   Oil And Gas Commercial Agreements
*   Oil And Gas Confidentiality Agreement
*   Oil and Gas Asset Purchase Agreement
*   Service Agreement Oil And Gas
*   Signature Aviation Cooperation Agreement
*   Sustainable Aviation Fuel Agreement
*   Texas Utility Laws
*   Transportation Lease Agreement
*   Types of Oil and Gas Joint Venture Agreements
*   Utility Company Agreement
*   Utility Easement Laws in Florida
*   Utility Services Agreement
*   What Is a Master Service Agreement Oil and Gas

**Next Steps to Mitigate Risks**

While protecting critical infrastructure may seem daunting, there are some critical first steps the industry can take now to become more cyber resilient and mitigate risks:

1.  **Training:** In an ideal world, CISA would expand on the RVWP to provide free end-user training and phishing simulations to critical infrastructure providers through third-party security providers.
2.  **Improving search engines:** The industry needs to encourage search engine companies to proactively search for and remove malicious ads and search results from their platforms. CISA could also implement a program to scan for and report malicious ads and search results directly to the responsible teams at the major search engines for rapid mitigation.
3.  **Understanding malware:** Security teams need better insight into ransomware operations' kill chain. For example, remapping dangerous file extensions to open in Notepad instead of executing an application can break the chain so that many types of malware cannot gain a foothold on the network.

Adding these measures could have a far greater impact on stopping the proliferation of ransomware than the current program alone.

Why Critical Infrastructure Remains a Ransomware Target

The attack highlights growing interest among threat actors to target data from software-as-a-service providers.

The 0mega ransomware group has successfully pulled off an extortion attack against a company's SharePoint Online environment without needing to use a compromised endpoint, which is how these attacks usually unfold. Instead, the threat group appears to have used a weakly secured administrator account to infiltrate the unnamed company's environment, elevate permissions, and eventually exfiltrate sensitive data from the victim's SharePoint libraries. The data was used to extort the victim to pay a ransom.

**Likely First of its Kind Attack**

The attack merits attention because most enterprise efforts to address the ransomware threat tend to focus on endpoint protection mechanisms, says Glenn Chisholm, cofounder and CPO at Obsidian, the security firm that discovered the attack.

"Companies have been trying to prevent or mitigate ransomware-group attacks entirely through endpoint security investments," Chisholm says. "This attack shows that endpoint security isn't enough, as many companies are now storing and accessing data in SaaS applications."

The attack that Obsidian observed began with an 0mega group actor obtaining a poorly secured service account credential belonging to one of the victim organization's Microsoft Global administrators. Not only was the breached account accessible from the public Internet, it also did not have multi-factor authentication (MFA) enabled — something that most security experts agree is a basic security necessity, especially for privileged accounts.

The threat actor used the compromised account to create an Active Directory user — somewhat brazenly — called "0mega" and then proceeded to grant the new account all the permissions needed to create havoc in the environment. These included permissions to be a Global Admin, SharePoint Admin, Exchange Admin, and Teams Administrator. For additional good measure, the threat actor used the compromised admin credential to grant the 0mega account with so-called site collection administrator capabilities within the organization's SharePoint Online environment and to remove all other existing administrators.

In SharePoint-speak, a site collection is a group of websites within a Web application that share administrative settings and have the same owner. Site collections tend to be more common in large organizations with multiple business functions and departments, or among organizations with very large data sets.

In the attack that Obsidian analyzed, 0mega threat actors used the compromised admin credential to remove some 200 administrator accounts within a two-hour period.

Armed with the self-assigned privileges, the threat actor then helped themselves to hundreds of files from the organization's SharePoint Online libraries and sent them off to a virtual private server (VPS) host associated with a Web hosting company in Russia. To facilitate the exfiltration, the threat actor used a publicly available Node.js module called "sppull" that, among other things, allows developers to interact with SharePoint resources using HTTP requests. As its maintainers describe the module, sppull is a "simple client to pull and download files from SharePoint."

Once the exfiltration was complete, the attackers used another node.js module called "got" to upload thousands of text files to the victim's SharePoint environment that basically informed the organization of what had just happened.

**No Endpoint Compromise**

Usually, in attacks targeting SaaS applications, ransomware groups compromise an endpoint and then encrypt or exfiltrate files, leveraging lateral movement as necessary, Chisholm says. "In this case, the attackers used compromised credentials to log into SharePoint Online granted administrative privileges to a newly created account, and then automated data exfiltration from that new account using scripts on a rented host provided by VDSinra.ru." The threat actor executed the whole attack without compromising an endpoint or using a ransomware executable. "To the best of our knowledge, this is the first publicly recorded instance of automated SaaS ransomware extortion occurring," he says.

Chisholm says Obsidian has observed more attacks targeting enterprise SaaS environments in the last six months than in the previous two years combined. Much of the growing attacker interest stems from the fact that organizations are increasingly putting regulated, confidential, and other sensitive information into SaaS applications without implementing the same kind of controls as they are on endpoint technologies, he says. "This is just the latest threat technique we're seeing from bad actors," he says. "Organizations need to be prepared and ensure they have the right proactive risk management tools in place across their entire SaaS environment."

Others have reported observing a similar trend. According to AppOmni there has been a 300% uptick in SaaS attacks just since March 1, 2023 on Salesforce Community Sites and other SaaS applications. The primary attack vectors have included excessive guest user permissions, excessive object and field permissions, lack of MFA, and overprivileged access to sensitive data. A study that Odaseva conducted last year had 48% of respondents saying their organization had experienced a ransomware attack over the preceding 12 months and SaaS data was the target in more than half (51%) of the attacks.

Researchers Report First Instance of Automated SaaS Ransomware Extortion

Sophisticated attackers are lacing malware into PNG image files in order to steal cryptocurrency and business information.

A sophisticated attack by Russian-language actors is using a novel loader and malware-laced PNG image file to drop malware for stealing cryptocurrency or business account information, researchers said. The multistage campaign appears to be primarily targeting entities in Europe, the United States, and Latin America, Kaspersky researchers wrote in a blog post published June 12.

The attack begins with "DoubleFinger," a multistage loader that drops a image file containing malicious code onto a victim's computer. The malware infects victims with "GreetingGhoul," a novel stealer specially designed to siphon off cryptocurrency credentials.

However, DoubleFinger isn't exclusive to cryptocurrency attacks, the Kaspersky researchers said, as researchers also observed it dropping Remcos RAT, a popular tool among financially motivated cybercriminals. Once the Remcos RAT gets into an enterprise network, stopping the malware and its follow-on attacks can be difficult for businesses.

Russian-speaking artifacts within the code suggest that the perpetrators of this campaign come from a Commonwealth of Independent States nation, though the researchers qualified that "the pieces of Russian text and the victimology are not enough to conclude that the ones behind this campaign are indeed from the post-Soviet space."

**Stenography for Cryptocurrency**

DoubleFinger attacks begin with a phishing email. If the victim clicks on the associated malicious program information file (.pif). This triggers a chain reaction leading to some malicious shellcode downloading a PNG image from imgur.com. The seemingly nondescript image utilizes steganography — hiding secret information within nonsecret data. The shellcode searches the PNG for a particular string in its code, 0xea79a5c6, which contains an encrypted payload.

_The PNG with embedded shellcode. Source: Kaspersky_

At the end of this attack chain, more often than not, is GreetingGhoul, an infostealer with two primary functions: It can detect victims' cryptocurrency wallet apps and steal the sensitive credentials associated with them. GreenGhoul uses MS WebView2 — a tool for embedding web code into desktop apps — to overlay phishing pages on top of legitimate crypto-wallet interfaces. It's a move that evokes banking Trojans of old, as users unwittingly type their sensitive wallet credentials into attacker-controlled fields.

The image below, for example, depicts an overlay mimicking Ledger, the world's most popular vendor for cryptocurrency hardware wallets. It prompts victims to enter their wallet's seed phrase — the ultrasensitive set of 12 or 24 words which generates their private key, and grants unfettered access to all contents of the wallet. This is why cryptocurrency investors are regularly reminded to never give up their seed phrases to access their wallets to anyone.

_Source: Kaspersky_

New Loader Delivering Spyware via Image Steals Cryptocurrency Info

Okta platform data-based study finds FastPass and WebAuthn offer far stronger security and faster, more reliable user experiences.

**SAN FRANCISCO, June 12, 2023 –** Okta, Inc. (NASDAQ: OKTA), the leading independent identity partner, today announced the release of its international Secure Sign-In Trends Report. The report, which analyzes billions of monthly workforce customer logins to Okta Workforce Identity Cloud across more than 16 industries around the world, reveals that the use of multi-factor authentication (MFA) has nearly doubled since 2020 and that phishing-resistant authenticators represent the best choice in terms of security and convenience for users.

“Okta is advancing our customers’ zero trust security strategies by helping them adopt innovations like phishing-resistant MFA and passwordless,” said Todd McKinnon, co-founder and CEO of Okta. “By sharing data on our customers’ adoption of these critical technologies, we can drive greater progress with governments, our partners, and our customers.”

The top takeaways include:

*   90% of Okta administrators and 64% of users signed in using MFA during the month of January 2023.
*   Sign-in methods that offer the highest phishing resistance (Okta FastPass and FIDO2 WebAuthn) also prove to offer the fastest, most reliable user experience.
*   The technology industry is best placed to move to a passwordless future, with 87% of account logins already using MFA. Insurance (77%), Professional Services (75%), Construction (74%), and Media & Communications (72%) round out the top five industry adopters. Surprisingly, highly-regulated industries tend to lag behind.
*   MFA adoption by Okta's workforce customers jumped from 35% to 50% in two months between February and March 2020.
*   Organizations with fewer than 300 employees (79%) exceed the MFA use of enterprises with more than 20,000 employees (54%).

MFA adds an extra layer of security on top of credentials like passwords, which are highly susceptible to abuse. More than 80 percent of Business Web Application Attacks and nearly half of all business email compromise attacks result from stolen username and passwords. MFA provides greater certainty that a user is who they claim to be before granting access to an application or online account. MFA verifies identities by asking users to provide different types of information or factors to gain access to an account or application. However, an increase in sophisticated MFA bypass attacks is prompting organizations to evaluate the need for phishing-resistant authentication flows.

According to the report, the use of phishing-resistant authentication such as Okta FastPass or FIDO2 WebAuthn offers the optimal mix of security and user experience. While it's frequently assumed that technology decision-makers must “trade off” security for user experience, Okta's research finds that on average, signing in with passwordless, phishing-resistant authenticators saves time and is less prone to failure when compared to using passwords.

**About the Okta Secure Sign-In Report**

The Secure Sign-In Trends Report was built from data of direct MFA authentication events in the Okta Workforce Identity Cloud (WIC). Analysts anonymized and aggregated data from billions of monthly authentications and veriﬁcations across countries worldwide. Okta enterprise customers and their employees, contractors, partners, and customers use Okta to securely log in to devices, websites, apps, and services and to leverage security features to protect their data. They span every major industry and vary in size, from small businesses to some of the world's largest organizations, with hundreds of thousands of employees and millions of customers. The full report can be found at: https://okta.com/the-secure-sign-in-trends-report.

**Okta**

The foundation for secure connections between people and technology

Okta is the World’s Identity Company. As the leading independent Identity partner, we free everyone to safely use any technology—anywhere, on any device or app. The most trusted brands trust Okta to enable secure access, authentication, and automation. With flexibility and neutrality at the core of our Okta Workforce Identity and Customer Identity Clouds, business leaders and developers can focus on innovation and accelerate digital transformation, thanks to customizable solutions and more than 7,000 pre-built integrations. We’re building a world where Identity belongs to you. Learn more at **okta.com**.

Use of Multifactor Authentication (MFA) Nearly Doubles Since 2020, Okta Secure Sign-in Trends Report Finds

The group appears to be targeting victims based on their proximity and involvement to and within pro-Ukraine organizations.

The threat actor known as RomCom has returned to the scene, targeting Ukrainian politicians and a healthcare organization in the United States involved with aiding refugees fleeing the war-torn country.

The deployment of this attack is through a trojanized version of Devolutions Remote Desktop Manager, which victims were likely encouraged to download after being directed to a cloned website through phishing tactics.

The threat group used a form of typosquatting to create a striking resemblance to the authentic site, according to the report from the BlackBerry Threat Research and Intelligence team.

By creating fake websites that closely resemble the legitimate software sites, RomCom can distribute malicious payloads to unsuspecting victims who download and install the compromised software, thinking it's legitimate.

The trojanized installer begins installing malware after the user is prompted to select the destination path where they’d like the files to be installed. It then begins systematically collecting essential host and user metadata from the infected system, which is subsequently transmitted to its command-and-control (C2) server.

**A Cyberattack With Geopolitical Motivations**

The campaign strongly suggests that the motivation of this threat actor is not money, but rather a geopolitical agenda that is guiding its attack strategy and targeting methods.

Recon on what software targets use in order to deliver fake update notifications was part of the process, according to Dmitry Bestuzhev, senior director, CTI, BlackBerry. "In other words, the threat actor behind RomCom RAT relies on previous information about each victim, such as what software they use, how they use it, and the social or political programs they're working on."

The endgame is the exfiltration of sensitive information. "We saw RomCom targeting military secrets, such as unit locations, defensive and offensive plans, arms, \[and\] military training programs," Bestuzhev notes.

He says with the US-based healthcare providing aid to the refugees from Ukraine, the targeted information included how that program works to determine who the refugees are — that includes the refugees' personal information, which can be used for further attacks.

**A RomCom You Haven't Seen Before**

Previous RomCom campaigns against the Ukraine military used fake Advanced IP Scanner software to deliver malware, and the group has also targeted English-speaking countries — especially the UK — with trojanized versions of popular software products, including SolarWinds Network Performance Monitor, KeePass Open-Source Password Manager, and PDF Reader Pro.

Callie Guenther, cyber threat research senior manager at Critical Start, explains that in the most recent campaigns, along with using different software, RomCom also adapted its C2 infrastructure to blend in with legitimate network traffic.

"This could involve using communication protocols commonly associated with political campaigns or healthcare organizations, making it more challenging to detect their malicious activities," she says.

She adds that social media was an important part of the recent campaigns. "RomCom may employ phishing emails, spear-phishing, or other social engineering techniques tailored to the targeted individuals or organizations," she explains.

For politicians, they could craft email messages impersonating political colleagues or officials, and in the case of the healthcare company, they might send emails posing as healthcare regulatory authorities or vendors of medical equipment or software.

Guenther says RomCom's active development of new capabilities and techniques indicates a notable level of sophistication and adaptability.

"This suggests that their target selection may evolve as they refine their tactics and seek new opportunities for compromise," she says.

**How to Defend Against the RomCom APT**

Mike Parkin, senior technical engineer at Vulcan Cyber, says the standard defense tactics apply here as they do with any attacker, regardless of whether they are cybercriminal or state sponsored.

"Keep patches up to date. Deploy following industry best practices and vendor 'secure installation' recommendations," he says. "Make sure users are trained and cultivate a secure culture which makes them part of the solution rather than the most vulnerable part of the attack surface."

Bestuzhev says the threat actor behind RomCom relies on social engineering and trust. So, employee training on how to spot spear phishing is also important.

"Secondly, it's important to rely on a good cyber threat intelligence program providing contextual, anticipative, and actionable threat intelligence, such as behavior rules to detect RomCom's ops in the systems, network traffic, and files," he says. "With this context about RomCom, there is room for building an effective threat modeling based on the tactics, techniques, and procedures (TTP), and geopolitical developments."

RomCom Threat Actor Targets Ukrainian Politicians, US Healthcare

Time and money are valuable and finite, but some actions are well worth spending those resources on.

Most of us have benefited from the mistakes of others. While this may sound like an odd statement, it makes a lot of sense when you think about it. For those of us who have been fortunate enough to have others share their missteps with us and are smart enough to internalize and apply those lessons to our lives, we learn not to repeat their mistakes.

For example, most of us know not to buy a car or a home without having it inspected first. Obviously, this inspection takes time and costs money. But we know that skipping this important step could take much more time and cost much more money down the line. Likely, we know this because we've heard nightmare stories from people who thought they would save a little time and money by skipping this step.

If you have been reading my pieces for some time, it will come as no surprise that I believe that we can learn an important security lesson from this. How so? A number of security processes, procedures, best practices, and initiatives require a significant investment in time and money. Yet skipping them is a big mistake for security teams.

While not an exhaustive list, here are 10 items that require an investment in time and money yet pay huge dividends for security teams.

**1\. Formalizing Policy**

Policy isn't sexy or exciting, and it takes time to get right, but it is necessary. Having a formal policy codifies the rules of the game within an enterprise when it comes to security. Policy is an important basis for nearly everything that a security organization does. After all, the security team needs to have good answers when asked questions like, "Where does it say that is not allowed?" or, "Why can't I continue doing things the way I've always done them?"

**2\. Understanding Regulations**

Regulations and compliance with those regulations is cumbersome. Nonetheless, there is little choice but to excel at it — the risk of fines and other complications is simply too high not to make understanding regulations a priority. This applies globally to all the applicable regulations in all the locales that a business operates in. Not the easiest task to stay on top of, but an important one.

**3\. Staying the Course**

While it is difficult to stay on track and implement strategic initiatives despite tactical distractions that might arise, it is essential for a successful security program. Our strategic initiatives, if designed properly, ensure that we mitigate risk that has been prioritized and stay on track to meet our objectives and improve the state of security. As tempting as tactical distractions might be, they most often interfere with our strategic risk mitigation efforts — thus, in essence, lowering the security posture of the enterprise. Staying the course requires energy and determination, but it is important.

**4\. Nurturing Relationships**

As security leaders, our relationships with key stakeholders in the business, executives, board members, and others are extremely important. Building and nurturing these relationships takes time — time that we might otherwise want to spend on other tasks. Nonetheless, these are important relationships that merit the time investment. These are the partners who will help us improve the state of security within our organizations.

**5\. Architecting for the Future**

It is not easy to account for different possibilities that may arise in the future. Nonetheless, it is worth the time and energy. Consider a database schema — if we architect it only for the data we have available today, we may find ourselves in a conundrum in the future when we want to incorporate additional data into our workflow and processes. Then we would need to re-engineer or scrap solutions that were not architected for the future, which takes more time in the long run than getting it right in the first place does.

**6\. Resisting the Quick Fix**

When dealing with a challenge, it can be all too enticing to put a quick fix in place. For example, it might be tempting to write a quick script to move data around, rather than leveraging a formal extract, transform, and load (ETL) process. However, the odds that a repeatable solution can be reused are high, whereas Band-Aid solutions generally need to be rewritten everywhere they are applied. Maintaining band-aid solutions often becomes a major headache for organizations as well.

**7\. Implementing Useful Training**

Properly training staff requires a training budget and time away from other important tasks. It is well worth the investment for several reasons. Security professionals who are continually expanding and enhancing their knowledge and skill sets are less likely to leave for greener pastures. Well-trained staff also perform better. This directly influences the effectiveness of the security organization, which in turn directly influences the security posture of the enterprise.

**8\. Creating Proper Documentation**

I don't think I've ever met a security professional who loves documentation. It is certainly time consuming, and it can be tedious. Nonetheless, when it comes time to understand how to do something, documentation is the natural go-to. Further, having well-documented processes and procedures also provides a means to show stakeholders within the business exactly how certain things work under the hood.

**9\. Capturing Lessons Learned**

Documenting lessons learned in a way that they can be leveraged in the future takes effort. It is an effort that pays dividends, however, as only by learning from the past can security organizations really improve over time. As an example, consider a high-profile security incident that exposed some gaps and opportunities for improvement in the security program. Rather than covering these up, it pays huge dividends to painstakingly go through and capture each relevant point. Taking some time to log lessons in detail as they occur pays off later.

**10\. Applying Lessons Learned**

It may be difficult to comb through lessons learned and figure out how to apply them to improving the state of security. This is worth the time and money, however, as it is a way to directly mitigate risk. Mistakes that were made and lessons that were learned from them provide a view into where risk was improperly managed in the past. This is one of the biggest targets for improvement that has one of the greatest impacts on the overall security posture.

**Invest Your Time Wisely**

Although it is tempting to skip important things to save time or money, it isn't wise. The best security organizations understand the need to invest in important processes, procedures, best practices, and initiatives. History has shown that such investment goes a long way toward greatly improving the overall security posture of an enterprise.

Source

DARKReading