The implosion of Silicon Valley Bank will impact investors, startups, and enterprise customers as they become more cautious over the near term, security experts say.

Last week's stunning collapse of Silicon Valley Bank (SVB) could put a damper on the ability of venture-backed cybersecurity startups to secure vital capital for operations and strategic investments.

Security experts perceive that even the US government's swift move over the weekend to protect SVB customer deposits will likely do little to tamp down the uncertainly that the bank's sudden exit has caused.

**Younger Startups Will Feel the Brunt**

"Financial support in the form of lines of credit and venture debt is going to become much more difficult \[for startups\] to come by," says Rob Ackerman, founder and managing director of AllegisCyber Capital. "SVB was the leading source of that financing and with them gone, the slope of the hill for young startups just became that much more difficult."

SVB was, until the middle last week, the 16th largest bank in the US with assets of more than $200 billion and total deposits of some $175 billion. Its troubles began March 8 when the bank, in a midquarter update, announced that it had lost $1.8 billion from the sale of US treasuries and mortgage-backed securities that it had purchased heavily in recent years. On the same day, SVB announced plans to raise $2.25 billion via public offering to pay customers seeking to withdraw their deposits from the bank.

The news triggered a near immediate run on the institution, as spooked investors and customers withdrew a staggering $42 billion from the bank in a 24-hour period — leaving SVB with a negative balance of $958 million by close of business March 9. A day later, on Friday, March 10, federal regulators declared the bank insolvent and seized its deposits, signaling the biggest banking failure since the collapse of Lehman Brothers in 2008.

**Containing the Damage**

Over the weekend, the Federal Deposit Insurance Corporation (FDIC) as receiver created a new entity called the Deposit Insurance National Bank of Santa Clara (DINB) and transferred all of SVB's deposits to it. On March 12, a US government scrambling to prevent a broad meltdown across the banking sector quickly announced that depositors would have full access to all of their money at SVB starting Monday, March 13. In a statement, Secretary of the Treasury Janet Yellen said the government would extend the same exception for customers of Signature Bank of New York, which also went insolvent over the weekend.

Analysts see SVB's failure as taking an especially heavy toll on the technology sector. "SVB was a foundational cornerstone of the financing ecosystem for the innovation ecosystem, and the cybersecurity industry is no exception," Ackerman says. "They were arguably more influential than any other single player to the growth and success of tech startups."

Virtually every venture firm was engaged with SVB at some level — be it the venture firms themselves banking at SVB, or their portfolio companies. And within the security community, they were vital to the banking and financing needs of the sector in the US, Israel, and the UK, Ackerman says.

**A Revaluation of Investment Practices?**

Richard Stiennon, chief research analyst at IT-Harvest, says public reports show that some 500 cybersecurity vendors banked with SVB — a not-surprising number considering there are 640 cybersecurity firms just in California alone. The move by federal regulators to ensure that SVB customer deposits remained untouched has relieved some of the early anxiety over the failure when many cybersecurity firms faced the real prospect of being unable to make payroll. 

"The VCs that were locked out of their accounts on Friday spent a long weekend trying to save their portfolio companies, while their own funds were unavailable," Stiennon says.

That experience will likely leave them reevaluating their practices. "I fully expect a death in new investments in cybersecurity," Stiennon tells Dark Reading. Cybersecurity investment activity in the first two months of 2023 has already been low; at just $1.7 billion so far, it's back at 2020 levels. 

"Companies, which were raising to extend runways, will either have dramatic down rounds or actually have to shut down," he says. Limited partners, or the investors who back VC initiatives, are going to be reluctant to put more money into funds. And with the generous venture funding that was available only through SVB now gone, startups have three options, he says. They have to either find a way to become profitable, significantly cut costs, or find a new funding source.

"Companies with good technology and good teams may be snapped up by strategic investors at rock-bottom valuations," Stiennon notes. "Private equity firms will have a unique opportunity to snap up some good companies."

**Spreading the Financial Risk**

Expect to see VC firms and their portfolio companies diversify where they hold their deposits, Ackerman adds. Increasingly, they are going to be looking for the security offered by much larger financial institutions — which, however, are unlikely going to be as supportive or as understanding of the requirements of innovative cybersecurity firms, he notes.

Analysts also expect that the SVB debacle will have an impact on how and from where enterprise organizations source their cybersecurity requirements, at least in the short term. SVB's failure has drawn attention to the risks associated with buying from startups and many are going to be looking for the security that more established, mature organizations offer.

"I'd expect procurement teams to introduce more hurdles in the due diligence process of earlier-stage vendors to understand the underlying resilience of the cybersecurity vendors' financial ecosystem," Forrester analyst Jeff Pollard tells Dark Reading. Enterprise procurement staff are going to want to know more about the concentration risk and resilience of their vendor's banking processes, he adds. And they will likely need reassurances that if a similar scenario plays out again, their early vendor can continue to make payroll or pay critical suppliers for a specific period of time.

Also, cybersecurity startups will increasingly look to bank with more than one entity to spread risk. "The problem with that is many startups worked with SVB because SVB made it easy for startups to work with them," Pollard says. 

Now startups are going to have a hard time working with other banks, because cyber startups tend to have more volatility in their cash flows, he notes. "In addition, many founders may not be US citizens which can create its own set of issues when trying to establish accounts."

SVB Meltdown: What It Means for Cybersecurity Startups' Access to Capital

AT&T, PayPal, and Microsoft top the list of domains that victims visit following a link in a phishing email, as firms fight to prevent fraud and credential harvesting.

Credential-seeking cyberattackers garnered the most phishing success by impersonating the brands of telecommunications firms, financial institutions, and popular technology companies in 2022.

That's according to an analysis of data collected by Internet services provider Cloudflare, which found that Individuals most often clicked on links in emails that appeared to come from AT&T and Verizon, PayPal and Wells Fargo, or Microsoft and Facebook. The rankings did not align with popularity — the Internal Revenue Service ranked No. 6 — but rather with the size of the brand's user base and the relative opportunity to turn compromise into cash, says Matthew Prince, CEO and co-founder of Cloudflare.

"We're seeing up and down the brand list, from the largest and most risky down to the smallest, that phishing is not going away as a problem," Prince says. "Email still continues to be the No. 1 entry point for an attacker \[and\] phishing still continues to be the No. 1 threat for almost all of our customers."

In addition, attackers are increasingly using phishing in an attempt to steal credentials from privileged employees and gain access to corporate networks, he says.

Cloudflare is not the only organization to see phishing as a threat, of course. In 2022, more than 300,000 complaints of phishing attacks flooded the FBI's Internet Crime Complaint Center (IC3), slightly down from the peak in 2021 of nearly 324,000 complaints, but a 162% increase from three years ago. The numbers do not include business email compromise (BEC) and investment scams, the most damaging types of attacks, both of which typically have a targeted phishing component.

The phishing problem can be more problematic on mobile devices, since attackers are harder to spot in most mobile mail clients. In 2022, mobile phishing encounter rates — a measure of the number of phishing attempts the average user receives — increased roughly 10% for enterprise devices and more than 20% for personal devices, according to mobile-device management firm Lookout. Overall, half of mobile users faced a phishing attack at some point in 2022, the company stated in its recent "State of Mobile Phishing in 2023" report.

**An Often-Ignored Threat**

Most users have become inured to the fake emails using known brands to attempt to harvest credentials as the first step in an account compromise. Yet the deluge of disguised emails do have the occasional success, which makes the effort worth the attackers' time and mean that they remain the most common cause of data breaches.

Cloudflare used data from its domain name service (DNS) resolver to find the known phishing URLs that were most often visited by users, with visits to common hosting sites, such as Google and GoDaddy, removed from the data if the site could not be confirmed to be fraudulent.

It's not an indication of a successful phishing attack, but the top-50 list does show which emails overcome the recipient's initial skepticism, Cloudflare's Prince says.

"There are plenty of phishing scams where you might get something and say — 'Is this legitimate?' — so you might click on that link," he says. "It's at least the start down a journey of success; it doesn't mean that somebody necessarily entered their credentials, or even, if they entered information, that they entered accurate information."

Last August, Cloudflare detected a sophisticated phishing attack against the company, the same attack that compromised customer-data platform Twilio and more than 100 other companies, dubbed "Oktapus" for its targeting of the identity firm Okta.

Most recently, a phishing email sent to a Reddit employee led to a cloned gateway for the company and allowed an attacker to gain access to the social media site's internal network for a few hours.

**The Long Tail of Phish**

The top-50 list represents typical targets of credential stealing campaigns, and while there is a significant difference in volume between the start and the end of the list, smaller companies and the much lower volume of phishing directed against their brands result in a very long tailed distribution, Prince says.

Attackers tend to see phishing directed against brands in the top 50 as a way to steal money, packages, or valuable information from accounts, while the long-tail phishing tends to focus on gaining access for further compromise, Prince says. The first 10 companies on the list are AT&T, PayPal, Microsoft, DHL, Facebook, the IRS, Oath Holdings/Verizon, Mitsubishi UFJ NICOS, Adobe, and Amazon. The final five companies on the list are Banco Itaú Unibanco, Steam, Swisscom, LexisNexis, and Orange S.A.

"In most of these cases, when it's in the top-50 list, it's about how an attacker can gain access to an account to, in relatively short order, do something that generates cash for the attacker," he says. "I think that when we look at some of the more targeted attacks, those \[that\] are much more about compromising systems, they then can be used more indirectly to launch some sort of attack."

Brand Names in Finance, Telecom, Tech Lead Successful Phishing Lures

Campaign demonstrates the DPRK-backed cyberattackers are gaining tools to avoid EDR tools.

North Korean advanced persistent threat (APT) group Lazarus (aka UNC290) has been targeting security researchers with a phishing campaign via LinkedIn since last June.

Mandiant reported that the phishing attacks started against a US-based tech company, and noted the threat actors were using three new code families — Touchmove, Sideshow, and Touchshift — in their activities.

Posing as recruiters on LinkedIn, the group works to earn a victim's trust, and it then convinces them engage on WhatsApp or by email, where they can send a malware dropper, Mandiant explained.

"Following the identification of this campaign, Mandiant responded to multiple UNC2970 intrusions targeting US and European media organizations through spear-phishing that used a job recruitment theme and demonstrated advancements in the groups ability to operate in cloud environments and against endpoint detection and response (EDR) tools," Mandiant said about the emerging phishing campaign.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Hackers Lure Cybersecurity Researchers With Fake LinkedIn Recruiter Profiles

AI-generated videos pose as tutorials on how to get cracked versions of Photoshop, Premiere Pro, and more.

Artificial Intelligence is being used to generate videos pretending to be step-by-step tutorials on how to access programs like Photoshop, Premiere Pro, Autodesk 3ds Max, AutoCAD, and others without a license. Instead, the videos are loaded with infostealer malware that scrapes the viewer's sensitive personal data stored on the device.

Researchers with CloudSEK measured a month-over-month increase of 200% to 300% since November 2022 of AI-created YouTube videos with links to infostealer malware, including Vidar, RedLine, and Raccoon.

Making the video lures more compelling to its targets, the CloudSEK security team added, AI video tools such as Synthesia and D-ID are being used to generate personas intended to exude trustworthiness across multiple languages and social media platforms, supercharging threat actors' ability to deliver infostealer malware.

"It is well known that videos featuring humans, especially those certain facial features, appear more familiar and trustworthy," the CloudSEK report explained. "Hence, there has been a recent trend of videos featuring AI-generated personas, across languages and platforms (Twitter, Youtube, Instagram), providing recruitment details, educational training, promotional material, etc. And threat actors have also now adopted this tactic." 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

AI-Created YouTube Videos Spread Around Malware

Developers must balance creativity with security frameworks to keep applications safe. Correlating business logic with security logic will pay in safety dividends.

Web applications are the top vectors attackers use to pull off breaches. According to Verizon's "Data Breach Investigations Report" (PDF), Web applications were the way in for roughly 70% of all breaches studied.

After conducting more than 300 Web application penetration tests, I see why. Developers keep making the same security missteps that create vulnerabilities. They often don't use secure frameworks and try to write security code and authentication processes themselves.

It's important to note how much pressure developers are under to bring products to market quickly. They're rewarded based on how many features they can introduce as quickly as possible, not necessarily as securely as possible. This leads to taking security shortcuts and, down the road, vulnerabilities in Web applications.

**Five Lessons for More-Secure Apps**

Pen testers play the role of devil's advocate and reverse engineer what application developers create to show where and how attackers gain access. The results have highlighted common fundamental mistakes. Here are five lessons software development companies can learn to make their applications more secure.

1.  **Attackers are still leveraging cross-site scripting (XSS).** XSS has long been a popular Web application vulnerability. In 2021, it came off the Open Web Application Security Project (OWASP) top 10 list due to improvements in application development frameworks, but it's still evident in nearly every penetration test we perform.
    
    It's often thought of as low risk, but the XSS risks can be severe, including account takeover, data theft, and the complete compromise of an application's infrastructure. Many developers think that using a mature-input validation library and setting proper HttpOnly cookie attributes is enough, but XSS bugs still find a way in when custom code is used. Take WordPress sites, for example — an XSS attack that targets an administrator is critical because the credentials allow the user to load plug-ins, thus executing code-like malicious payloads on the server.
    
2.  **Automated scanners don't go far enough.** If you're only scanning Web applications using automated tooling, there's a good chance that vulnerabilities slip through the cracks. Those tools use fuzzing — a method that injects malformed data into systems — but that technique can create false positives.
    
    Scanners are typically not up to date with modern Web development and don't offer the best results for JavaScript single-page applications, WebAssembly, or Graph. Complicated vulnerabilities need a handcrafted payload to validate them, making the automated tools less effective.
    
    There's a human element required for the most accurate and detailed analysis of vulnerabilities and exploits, but these scanners can be a complementary resource to quickly find the low-hanging fruit.
    
3.  **When authentication is homegrown, it's usually too weak.** Authentication is everything to securing a Web application. When developers try to create their own forgotten password workflow, they typically don't do it in the most secure way.
    
    Pen testers often get access to other users' information or have excessive privileges that aren't in line with their role. This creates horizontal and vertical access control issues that can allow attackers to lock users out of their accounts or compromise the application.
    
    It's all about how these protocols are implemented. Security Assertion Markup Language (SAML) authentication, for instance, is a single sign-on protocol that's becoming more popular as a means of increasing security, but if you implement it incorrectly, you've opened more doors than you've locked.
    
4.  **Attackers target flaws in business logic.** Developers look at features to determine whether they accomplish a customer's use case. They're often not looking from the other side of the lens to identify how an attacker might use that feature maliciously.
    
    A great example is the shopping cart for an e-commerce website. It's business-critical, but often not secure, which creates severe vulnerabilities such as zeroing out the total at checkout, adding items after checkout, or replacing products with other SKUs.
    
    It's hard to blame developers for focusing on the primary use case and not recognizing other, typically nefarious, uses. Their performance is based on delivering the feature. Executives need to see the other side of the coin and understand that the business logic should correlate to security logic. The features with the highest business value, such as a shopping cart or authentication workflow, probably aren't the job for a junior developer.
    
5.  **There's no "out of scope" in a good penetration test.** Web applications can quickly become complex based on how many resources and assets go into them. Back-end API servers that enable the functionality of the main application need to be considered.
    
    It's important to share all those external assets, and how they connect to what the developers built, with security auditors that conduct penetration tests. The developer may consider those assets to be "out of scope" and that they therefore aren't responsible for them, but an attacker wouldn't respect that line in the sand. As penetration tests show, nothing is "out of scope."
    

**A Question of Balance**

When software development companies understand some of these common risks up front, they can have better engagements with security auditors and make penetration tests less painful. No company wants to hold its developers back, but by balancing creativity with security frameworks, developers know where they have freedom and where they need to align with the guardrails that keep applications safe.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

5 Lessons Learned From Hundreds of Penetration Tests

With the rise of cybercriminals targeting online piracy, this year's Oscar-nom fans need to be especially careful not to download malicious files while attempting to watch popular films for free.

Beware the Oscar nominees! In the age of films being available to pirate for free on the Internet, the data shows this: The more popular and critically acclaimed a pirated film is, the more likely it is to have a higher number of infected files.

This year, a research team at ReasonLabs collected data on film piracy from January 2022 to last month, focusing on some of the most well-known films from this past year, all of which are contenders for awards at the upcoming 95th Academy Awards. The researchers found thousands of cases of cyber threats within files pretending to be these highly nominated films. The boobytraps range from spyware to Trojans to malware.

In particular, _Everything Everywhere All at Once_, _Top Gun: Maverick_, and _Avatar: The Way of Water_, all fan and critic favorites, have been among the top films used to fish and lure movie watchers this past year.

Online piracy sites have been experiencing a steady influx of visitors, up 20% more than last year due to the COVID-19 pandemic, according to a study by MUSO, with film piracy experiencing the fastest level of growth. Businesses should take note, given that remote workers often use personal devices to access corporate assets.

ReasonLabs found the most common threats in this year's pirated Oscar contenders to be:

*   **Spyware Personal Documents Stealer:** A false, Microsoft-presenting file written in .NET that steals documents and sends them to the attacker's email.
*   **Password Stealer Extension:** A malicious installer that downloads external files to the C:\\programdata folder, with deceiving names.
*   **The Bat Worm:** An executable that drops three files, hidden from the user, and copies the user's files to each drive in the device.
*   **Keylogger:** An executable that sends stolen data to its server by tracking a user's keyboard activity.
*   **Search Hijacker Extension:** A Trojan file that installs malware instead of movies using a malicious extension and installer.

In turn, users and employers need to protect themselves by utilizing tools available to them. These "include physical and digital products but also include general education," says Dana Yosifovich, security researcher at ReasonLabs. "The continued push for cyber awareness by security companies and AV providers is paramount in order to reduce the vulnerabilities of home users, and the overall success of next-generation attacks."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

And the Cyberattack Goes To ... Oscar-Nominated Film Fans

Between March 3 and March 9, at least 2,000 people a day downloaded the malicious "Quick access to ChatGPT" Chrome extension from the Google Play app store.

A threat actor may have compromised thousands of Facebook accounts — including business accounts — via a sophisticated fake Chrome ChatGPT browser extension which, until earlier this week, was available on Google's official Chrome Store.

According to an analysis this week from Guardio, the malicious "Quick access to Chat GPT" extension promised users a quick way to interact with the hugely popular AI chatbot. In reality, it also surreptitiously harvested a wide range of information from the browser, stole cookies of all authorized active sessions, and installed a backdoor that gave the malware author super-admin permissions to the user's Facebook account.

The Quick access to ChatGPT browser extension is just one example of the many ways in which threat actors have been trying to leverage the enormous public interest in ChatGPT to distribute malware and infiltrate systems. One example is an adversary who set up a fake ChatGPT landing page, where users tricked into "signing up" only ended up downloading a Trojan called Fobo. Others have reported a sharp increase in ChatGPT themed phishing emails in recent months, and the growing use of fake ChatGPT apps to spread Windows and Android malware.

**Targeting Facebook Business Accounts for a "Bot Army" **

Guardio's analysis showed that the malicious browser extension actually delivered on the quick access it promised to ChatGPT, simply by connecting to the chatbot's API. But, in addition, the extension also harvested a complete list of all cookies stored in the user's browser, including security and session tokens to Google, Twitter, and YouTube, and to any other active services.

In cases where the user might have had an active, authenticated session on Facebook, the extension accessed Meta's Graph API for developers. The API access gave the extension the ability to harvest all data associated with the user's Facebook account, and more troublingly, take a variety of actions on the user's behalf.

More ominously, a component in the extension code allowed hijacking of the user's Facebook account by essentially registering a rogue app on the user's account and getting Facebook to approve it.

"An application under Facebook's ecosystem is usually a SaaS service that was approved to be using its special API," Guardio explained. Thus, by registering an app in the user's account the threat actor gained full admin mode on the victim's Facebook account without having to harvest passwords or trying to bypass Facebook's two-factor authentication, the security vendor wrote.

If the extension encountered a Business Facebook account, it quickly harvested all information pertaining to that account, including currently active promotions, credit balance, currency, minimum billing threshold, and whether the account might have a credit facility associated with it. "Later, the extension examines all the harvested data, preps it, and sends it back to the C2 server using the following API calls — each according to relevancy and data type."

**A Financially Motivated Cybercriminal**

Guardio assessed that the threat actor will probably sell the information it harvested from the campaign to the highest bidder. The company also foresees the potential for the attacker to create a bot army of hijacked Facebook Business accounts, which it could use to post malicious ads using money from the victims' accounts.

Guardio described the malware as having mechanisms for bypassing Facebook's security measures when handling access requests to its APIs. For instance, before Facebook grants access via its Meta Graph API, it first confirms that the request is from an authenticated user and also from trusted origin, Guardio said. To circumvent the precaution, the threat actor included code in the malicious browser extension that ensured that all requests to the Facebook website from a victim's browser had their headers modified so they appeared to originate from there as well. 

**"**This gives the extension the ability to freely browse any Facebook page (including making API calls and actions) using your infected browser and without any trace," Guardio researchers wrote in the report on the threat.

ChatGPT Browser Extension Hijacks Facebook Business Accounts

A novel take on investment scams mixes romance and the lure of crypto riches to con targets out of "the whole hog" of their assets.

Pig butchering is a repulsively named, rising investment scam that uses a potent mix of the promise of romance and the lure of making easy cryptocurrency millions against its unsuspecting targets.

Through a careful process of "fattening up" victims with small returns on cryptocurrency deals and personal interactions, often with a romance element, all of which is meant to convince them to invest wildly. If successful, as they often are, threat actors are able to make off with the "whole hog" of their targets' assets.

Investment fraud as a category, of which pig butchering is a subset, cost victims about $3 billion in 2022, making it the top cybercrime loss leader, overtaking business email compromise (BEC) and even ransomware, according to a new analysis from Cofense of the latest FBI Internet Crime Report (IC3).

Within that, Cofense researcher Ronnie Tokazowski says that Cofense observed a 127% rise in pig butchering cases in 2022, though the latest IC3 doesn't specifically break out the threat. 

"FBI has mentioned pig butchering as a scam in several public alerts, news outlets have reported a massive increase, and seeing this missing is very surprising," Tokazowski says, noting that one alert was issued in New Mexico to warn residents about the rise of pig butchering scams during last December's holiday season.

"I have spoken with IC3 in the past, and this \[oversight\] may be a result of how metrics and data are collected," Tokazowski explains about his findings. "What I mean by that is if a victim initially \[calls something\] 'crypto investment' even though there may be a romance scam angle to it, this would ultimately be put in the 'crypto investment' bucket. Unfortunately, this single-bucket approach doesn’t tell the whole story, where victims are simultaneously part of different cybercrimes."

**Pandemic Loneliness Fueled Rise of Pig Butchering**

Pig butchering started in Asia, where it got its name, but the pandemic created an opportunity for threat groups to expand their operations into the US, Tokazowski explains.

"Based on reports from insiders tracking the scam, actors retooled their approaches to start targeting those in the west," he says. "Due to the increased isolation of the pandemic, this left people alone and vulnerable at home, anxiously awaiting any love connection. Scammers capitalized on this and is why we saw such a steep rise."

Experts who spoke to Dark Reading about the rising investment scam pointed out that it's essentially a riff on the classic Ponzi scheme.

"The abhorrently titled scam is essentially a rebrand of a Ponzi/pyramid scam," says Andrew Barratt, vice president of Coalfire. "Often executed using crypto, where more and more is taken until the mark/victim essentially thinks they’re onto a sure thing and puts more and more of their assets into an apparently growing 'investment,' before the calls go cold and the money is gone."

The rise of pig butchering is yet another example of how cybercriminals are leaning into social engineering to pull off their scams, Mike Britton, Abnormal Security's CISO says, but it demonstrates a shift to more time investment for a bigger payoff.

"Threat actors have seen huge payouts in their shift from high volume/low yield 'spray and pray' campaigns, to targeted and low volume — but massively high yield — social engineering attacks," Britton explains. "And with these incentives, they won’t be slowing down anytime soon."

Pig Butchering & Investment Scams: The $3B Cybercrime Threat Overtaking BEC

BlackLotus is the first in-the-wild malware to exploit a vulnerability in the Secure Boot process on Windows, and experts expect copycats and imminent increased activity.

BlackLotus, the first in-the-wild malware to bypass Microsoft's Secure Boot (even on fully patched systems), will spawn copycats and, available in an easy-to-use bootkit on the Dark Web, inspire firmware attackers to increase their activity, security experts said this week.

That means that companies need to increase efforts to validate the integrity of their servers, laptops, and workstations, starting now.

On March 1, cybersecurity firm ESET published an analysis of the BlackLotus bootkit, which bypasses a fundamental Windows security feature known as Unified Extensible Firmware Interface (UEFI) Secure Boot. Microsoft introduced Secure Boot more than a decade ago, and it's now considered one of the foundations of its Zero Trust framework for Windows because of the difficulty in subverting it.

Yet threat actors and security researchers have targeted Secure Boot implementations more and more, and for good reason: Because UEFI is the lowest level of firmware on a system (responsible for the booting-up process), finding a vulnerability in the interface code allows an attacker to execute malware before the operating system kernel, security apps, and any other software can swing into action. This ensures the implantation of persistent malware that normal security agents will not detect. It also offers the ability to execute in kernel mode, to control and subvert every other program on the machine — even after OS reinstalls and hard drive replacements — and load additional malware at the kernel level.

There have been some previous vulnerabilities in boot technology, such as the BootHole flaw disclosed in 2020 that affected the Linux bootloader GRUB2, and a firmware flaw in five Acer laptop models that could be used to disable Secure Boot. The US Department of Homeland Security and Department of Commerce even recently warned about the persistent threat posed by firmware rootkits and bootkits in a draft report on supply chain security issues. But BlackLotus ups the stakes on firmware issues significantly.

That's because while Microsoft patched the flaw that BlackLotus targets (a vulnerability known as Baton Drop or CVE-2022-21894), the patch only makes exploitation more difficult — not impossible. And the impact of the vulnerability will hard to measure, because affected users will likely not see signs of compromise, according to a warning from Eclypsium published this week.

"If an attacker does manage to get a foothold, companies could be running blind, because a successful attack means that an attacker is getting around all of your traditional security defenses," says Paul Asadoorian, principal security evangelist at Eclypsium. "They can turn off logging, and essentially lie to every kind of defensive countermeasure you might have on the system to tell you that everything is okay."

Now that BlackLotus has been commercialized, it paves the way for the development of similar wares, researchers note. "We expect to see more threat groups incorporating secure boot bypasses into their arsenal in the future," says Martin Smolár, malware researcher at ESET. "Every threat actor's ultimate goal is persistence on the system, and with UEFI persistence, they can operate much stealthier than with any other kind of OS-level persistence."

    

BlackLotus quickly followed after the publishing of the original exploit code. Source: ESET

**Patching Is Not Enough**

Even though Microsoft patched Baton Drop more than a year ago, the certificate of the vulnerable version remains valid, according to Eclypsium. Attackers with access to a compromised system can install a vulnerable bootloader and then exploit the vulnerability, gaining persistence and a more privileged level of control.

Microsoft maintains a list of cryptographic hashes of legitimate Secure Boot bootloaders. To prevent the vulnerable boot loader from working, the company would have to revoke the hash, but that would also prevent legitimate — although unpatched — systems from working.

"To fix this you have to revoke the hashes of that software to tell Secure Boot and Microsoft's own internal process that that software is no longer valid in the boot process," Asadoorian says. "They would have to issue the revocation, update the revocation list, but they're not doing that, because it would break a lot of things."

The best that companies can do is update their firmware and revocation lists on a regular basis, and monitor endpoints for indications that an attacker has made modifications, Eclypsium said in its advisory.

ESET's Smolár, who led the earlier investigation into BlackLotus, said in a March 1 statement to expect exploitation to ramp up.

"The low number of BlackLotus samples we have been able to obtain, both from public sources and our telemetry, leads us to believe that not many threat actors have started using it yet," he said. "We are concerned that things will change rapidly should this bootkit get into the hands of crimeware groups, based on the bootkit's easy deployment and crimeware groups' capabilities for spreading malware using their botnets."

BlackLotus Secure Boot Bypass Malware Set to Ramp Up

Hackers are increasingly tantalized by the troves of sensitive data held by lightly protected law firms and legal services organizations.

A rash of 10 cyberattacks hitting six different law firms materialized throughout January and February, attempting to infect law firm employees with info-stealing malware. The campaigns are emblematic of the rapidly growing attack landscape in the legal profession, driven by the treasure trove of data that firms possess: personal details about clients, information about criminal defense proceedings, very specific contractual information, financial account data, and so much more.

For law firms, the risk is twofold: The cost of remediation and maintaining operational status in the face of a cyberattack and potential legal consequences if the data they hold is exposed.

According to eSentire's Threat Response Unit (TRU), the most recent spate of attacks came from two separate, ongoing threat campaigns. In the first campaign, attackers attempted to infect law firm employees using SEO poisoning to lure victims to compromised WordPress websites. The sites were seeded with malicious links to phony contract or agreement templates that ran GootLoader malware. The second campaign utilized watering-hole attacks against victims, by poisoning a notary public's website with SocGholish malware, in the hopes of ensnaring lawyers and other related legal professionals.

"Law firms and legal services organizations have exceptional access to non-public and confidential data across all facets of the public and private sectors," says Larry Gagnon, senior vice president of security services and incident response for eSentire. "They, therefore, face significant cyber threats from adversaries' intent on financial cybercrime that want to steal and sell sensitive data associated with those clients and their activities."

And indeed, an analysis in January published by The American Lawyer on Law.com shows that cyberattacks in the legal sector have escalated significantly in the past few years. In looking at national data sets posted by four state governments required to publicly disclose the data, between 2014 and 2019, fewer than 20,000 Americans had their personally identifiable information (PII) compromised by law firm breaches. But between 2020 through 2022, that number shot up exponentially to 779,000. While only a limited data set, the growth statistic provides an excellent proof point to the fact that attackers are drawn to law firms like moths to light.

**Why Legal Firms Are So Attractive to Hackers**

It isn't just the sensitivity of the data that legal firms handle but also the scope and detail of data that can be dug up by attackers who successfully breach a single firm — especially if it's a large one. One attack can be a one-stop shop for monetizing the data and access stolen from not just one organization, but a whole portfolio of them.

"Law firms connect with and support many clients at any given time. Compromising one law firm gives bad actors access to numerous client networks without having to directly reach each one of them," says Michael Tal, technical director for Votiro, a cloud file security firm that works extensively with the legal industry. "Files are the primary form of communication and weaponizing them gives bad actors a sure way to get the clients to open and infect the clients."

For example, he noted one potential attack that his team uncovered where a hacker managed to breach the email inbox of a law firm and was using that access to send out malicious password-protected zipped files to insurance companies.

The other attractive element for hackers is that law firms and legal services companies tend to be very soft targets.

"Most law firms don’t have dedicated cybersecurity programs or personnel. As a result, their cybersecurity posture has likely failed to keep up with their requirements as a business," says eSentire's Gagnon, who notes that the legal IT environment also tends to be challenging to harden because it is typically comprised of a mix of legacy technology and more modern cloud-based solutions that sometimes don't play nicely together without advanced support. "When attackers successfully breach a legal organization, they tend to progress beyond the initial foothold to the intrusion phase more quickly."

This is likely also attributed to the fact that fewer than half of law firms have some kind of cyber incident response plan in place. According to the American Bar Association's (ABA) annual tech report published last November, only 42% of firms have a plan in place.

A cyberattack is a nightmare scenario for law firms that are at risk of not only having their reputations torn to tatters but also of breaking very strict compliance mandates and confidentiality laws. But the good news is that many law firms are at least building awareness about cybersecurity risks among their business and attorney stakeholders. 

The ABA report shows that the number of respondents reporting at least some cybersecurity governing policies in place for technology usage has grown from 77% two years ago up to 89% in 2022. 

It may take a while for investments to catch up with awareness, says Fran Haasch, founding attorney of Fran Haasch Law Group.

"Some law firms may view cybersecurity as an unnecessary expense or may not prioritize it over other business concerns," she says. "However, with the increasing prevalence of cyber threats and the potential legal and financial repercussions of a cyberattack, law firms should take cybersecurity seriously and invest in appropriate measures to protect their clients and themselves."

Source

DARKReading