Cryptocurrency drainers are the latest hot ticket being used in a string of lucrative cyberattacks aimed at virtual currency investors.

There's a trendy new way to con cryptocurrency investors out of the contents of their wallets, no blockchain know-how required.

Threat actors are selling ready-made, spoofed crypto webpages to be served up as phishing lures, loaded with "crypto drainer" scripts that crack wallets and steal the balances in a snap.

In one instance, on a "top-tier Dark Web forum," according to researchers at Recorded Future, cybercrime group iSeeYou was offering a ready-to-use phishing page that when made live, purports to mint nonfungible tokens (NFTs). Instead, it deploys a crypto drainer that empties an unsuspecting victim's connected virtual currency wallet. And adding insult to injury, "once crypto wallets are compromised, no safeguards exist to prevent the theft of crypto assets," the researchers warned.

The gambit is easy to fall for: The phishing lures are certainly convincing, according to the researchers, who added that they convincingly spoof a range of entities, including cryptocurrency exchanges and NFT outlets. The lures often boost their credibility, as was the case in the the iSeeYou campaign, by including access to commonly used third-party services and extensions in the cryptocurrency space, the team said, such as MetaMask. 

"The use of legitimate services on crypto drainer phishing pages may increase the likelihood that the phishing page will pass an otherwise savvy user’s 'scam litmus test,'" according to the report.

The crypto drainer scams were observed in 2022, and Recorded Future raised the alarm in a report this week that they are becoming increasingly popular — so popular, in fact, that Recorded Future recently found 100 phishing pages lurking in the wild, loaded with crypto drainer malware.

"We have observed that Dark Web threat actors are highly interested in this tool," Ilya Volovik, threat intelligence analyst at Recorded Future, tells Dark Reading.

The interest is largely because the scripts are easy to deploy and cheap to acquire (the firm said crypto drainers can cost anywhere from $300 to $500). Sometimes they're even free, as was the case with iSeeYou — but there was a double-crossing catch in that case. 

"Remarkably, the threat actor who posted this crypto drainer phishing template did not charge other threat actors who wished to make use of their tool," Volovik explains. "Unremarkably, this was no act of charity — the crypto drainer was likely designed to defraud other cybercriminals of a portion of their illicit earnings."

In the right social engineering hands, crypto drainers are a potent threat, according to Volovik, who adds that they're helping to usher in a new business model for phishers.

"Designing crypto drainers requires coding skills that phishing specialists may lack," Volovik says. "As a result, many cybercriminals develop crypto drainers to sell or rent out as components in ready-to-go phishing packages; this is likely part of a greater trend toward phishing-as-a-service (PhaaS)." And that, he warns, means that advanced phishing campaigns can scale very quickly.

As cryptocurrency markets mature, it's up to individual services and platforms to keep crypto investors aware of the latest phishing expeditions. 

"Exchange platforms/crypto markets should probably provide education to their users about these crypto drainers and how cybercriminals use them," Volovik adds. "We want to educate the general populace to never send payments to unknown entities (a Nigerian prince or otherwise)."

**Cryptocurrency Cybercrime Is Booming**

Cryptocurrency investors continue to be a prime source of revenue for cybercriminals, with a record-breaking $3.8 billion stolen from crypto businesses in 2022 alone, according to new research from Chainalysis.

During the month of October, the biggest month ever for crypto cyberattacks according to the research firm, there were 32 separate cryptocurrency attacks, with losses totaling $775.7 million.

Much of the crypto cybercrime boom can be attributed to cyberattacks from North Korean state-backed actors, and the targets include crypto wallets, token protocols, decentralized finance (DeFi) protocols, and other centralized cryptocurrency services.

DeFi platforms are the loss leader, the report found, experiencing 82% of cryptocurrency theft for the year. These are platforms that allow cryptocurrency and government-backed fiat currency investors to make trades. Critically, DeFi platforms support a number of different cryptocurrencies like Bitcoin, Ethereum, Solana, and others, and operate outside of a traditional banking structure. Because DeFi platforms are built on the blockchain, an open source protocol, they present a unique opportunity for cybercriminals to get their hands on vast sums of money that would otherwise be protected by those traditional financial institutions.

The now-notorious FTX claimed it was the victim of a cyberattack in November, just hours after filing bankruptcy, which cost the DeFi platform $370 million on top of its already mounting losses. In September, DeFi platform Wintermute lost $160 million to a cyberattack it said was the result of a partner's bad code. And cybercrime group TA4563 was found using an Evilnum backdoor last July that allowed it to drain cryptocurrency out of DeFi platforms automatically.

**Cybersecurity for Cryptocurrency**

Erin Plante, Chainalysis' vice president of investigations, agrees with Volovik that defending cryptocurrency infrastructure, and investors, against cybercrime will require a commitment to user training, but she adds that the DeFi platforms and other crypto services need better in-house cybersecurity too.

"Cryptocurrency services should invest in security measures and training," Plante says. "For example, with North Korean-linked hackers in particular, sophisticated social engineering tactics that take advantage of the trusting and carelessness of human nature to gain access to corporate networks has long been a favored attack vector."

Moving forward, DeFi platforms should model cybersecurity efforts off the traditional finance system, the Chainalysis report advised, adding that robust code auditing practices, simulated attacks, monitoring for suspicious activity, and building in transaction fail-safes to slow down contract execution if suspicious activity is observed.

Crypto Drainers Are Ready to Ransack Investor Wallets

The fresh "ESXiArgs" malware is exploiting a 2-year-old RCE security vulnerability (tracked as CVE-2021-21974), resulting in thousands of unpatched servers falling prey to the campaign.

A global ransomware attack on VMware ESXi hypervisors is expanding, according to multiple government agencies and researchers, having already infected thousands of targets.

The attack, first flagged late Feb. 3 by the French Computer Emergency Response Team (CERT-FR), has already compromised more than 3,200 servers in Canada, France, Finland, Germany, and the US so far, according to tracking from Censys.

The avenue of compromise is an exploit for a 2-year-old remote code execution (RCE) security vulnerability (CVE-2021-21974), which affects the hypervisor's Open Service Location Protocol (OpenSLP) service.

The attack's goal appears to be the installation of a novel ransomware strain dubbed "ESXiArgs" — though the gang behind it is unknown, according to a Feb. 5 notice from French hosting provider OVHcloud, which has customers affected by the attacks.

"We \[previously\] made the assumption the attack was linked to the Nevada ransomware which was a mistake," according to the alert. "No material can lead us to attribute this attack to any group. Attribution is never easy and we leave security researchers to make their own conclusions."

The operators behind the attack are asking for around 2 Bitcoin ($23,000 at press time) to be delivered within three days of compromise; if the victims don't pay up, the ransom will increase and the gang will release sensitive data, they warned, according to a copy of the ransom note posted by a Dark Web monitor known as DarkFeed. However, cybersecurity firm Rapid7 noted in an analysis that there's no evidence of actual data exfiltration so far.

Instead, the encryption process seems to be the main goal, which is specifically targeting virtual machine files (.vmdk, .vmx, .vmxf, .vmsd, .vmsn, .vswp, .vmss, .nvram, and \*.vmem), according to the firm's assessment. "In some cases, encryption of files may partially fail, allowing the victim to recover data."

Also, "the malware tries to shut down virtual machines by killing the VMX process to unlock the files," Rapid7 explained; VMX, or Virtual Machine Executable, is a process that runs in the VMkernel that handles I/O commands. "This function is not systematically working as expected, resulting in files remaining locked," the alert added.

To avoid being caught up in the cyberattacks, admins should patch immediately, or, as a workaround, "the SLP can be disabled on any ESXi servers that haven’t been updated, in order to further mitigate the risk of compromise," according to the CERT-FR alert.

Also, "users and administrators are also advised to assess if the ransomware campaign-targeted port 427 can be disabled without disrupting operations,” Singapore's SingCERT advised in a notice over the weekend.

VMware remains a popular target for cybercriminals; just last week, exploit code emerged for other RCE bugs lurking in the virtualization specialist's product portfolio.

Global Ransomware Attack on VMware EXSi Hypervisors Continues to Spread

**TYSONS, Va.--(****BUSINESS WIRE****)--** Cadien Cyber Response, a US-based incident response and complex digital forensics firm, formally launched operations today and unveiled its team of leading industry and government cyber experts focused on reactive services.

“Our entire team shares a singular belief -- that resolving an incident or digital problem requires flawless execution, incredible confidence, and superior responsiveness,” said engineer-turned-entrepreneur Jason Ingalls, President and Chairman of the Board. “We stand ready on day one to deliver the level of quality and support decision-makers and their advisors need and deserve to adequately resolve consequential problems in the most timely and effective manner.”

Ingalls has assembled a decorated team of leaders across technical services, engagement, and partnership, including Matt Swenson, former Division Chief at the U.S. Department of Homeland Security Investigations Cyber Crimes Center; former AON Cyber Solutions/Stroz Friedberg executive Judy Branham; and former Dell and Capgemini business risk strategist Mel Sanford. Other technical experts at Cadien similarly hail from federal military, defense or law enforcement or have served notably in the private cybersecurity sector. Cybersecurity veteran James M. Aquilina and business executive Lincoln Holton will serve on the company’s board of directors.

The firm focuses exclusively on reactive services, filling what the company perceives as a gap in the marketplace for dedicated, specialized, and deeply experienced responders and investigators who can navigate the often complex legal or regulatory landscape surrounding critical incidents. Initial services offerings include incident response, digital forensics, expert witness testimony, insider threat investigations, and personalized individual cyber services.

"At Cadien, we are focused on building a team of the industry’s preeminent experts,” said Matt Swenson. “We understand the importance of operating without interruption. Our team of professionals can be trusted to work with speed, precision, and care to protect critical assets."

Cadien Cyber Response is forging direct relationships with companies large and small, with individuals particularly susceptible to cyber threats, and with law firms and other professional services firms engaged to advise in contexts where analysis of digital evidence is critical to resolution.

**About Cadien Cyber Response**

The Cadien Cyber Response team is comprised of subject matter experts with decades of combined cyber and investigative experience serving government and leading private organizations alike. We have deconstructed some of the most complex cyber incidents, remediated significant data breaches, and helped organizations navigate critical civil, criminal, and regulatory proceedings and internal investigations. Our team understands the speed, discretion, and precision required to successfully bring any incident to resolution.

Cadien Cyber Response Launches to Deliver Incident Response & Complex Digital Forensics Services

Look for recent trends in attacks, strategies, and vulnerabilities to continue gaining steam throughout 2023.

Global risks from population pressures and climate change to political conflicts and industrial supply chain challenges characterized 2022. Cybercriminals used this turmoil to exploit these trending topics, including significant events, public affairs, social causes, and anywhere else opportunity appeared.

2023 will see a continuation of these challenges, especially as bad actors continue to take advantage of the chaos caused by the expected backlash from Russia due to the Ukraine conflict.

The following cyberthreat predictions are based on key observations made by the Zscaler ThreatLabz research team, made up of more than 125 security experts with decades of experience in tracking threat actors, malware reverse engineering, behavior analytics, and data science.

**CaaS Offerings Continue to Rise**

Crime-as-a-service (CaaS) encompasses the full range of cyber threat service offerings, including ransomware-as-a-service, where developers outsource ransomware to their affiliates who execute the attack and share the profits, and phishing-as-a-service, where cybercriminals can buy grammatically perfect email templates, replicas of popular webpages, and more.

As threat actors seek to increase payouts, they will leverage more service model offerings to increase the effectiveness of their attacks and cut out the development time to quickly scale operations. CaaS also lowers the technical barrier to entry, enabling novice cybercriminals to execute sophisticated threats.

**Supply Chains Bigger Targets Than Ever**

Supply chain attacks occur when adversaries compromise partner and supplier ecosystems to reach their ultimate breach target and goals, such as executing a ransomware attack. Compromising a target's weaker suppliers is more accessible and has led to successful upstream attacks, which is why this tactic will likely increase in the future.

**Dwell Time Decreases**

Dwell time is the period between the initial compromise and the final stage of an attack — for example, the median dwell time for threat actors to deploy ransomware is now just five days, according to Mandiant. For most organizations, this is also the length of time an attack can be detected and stopped by defenders before it causes damage.

**Attackers Rebrand**

Malware families, ransomware gangs, and other cybercriminal associations reorganize themselves frequently.

GandCrab rebranded as REvil, the group responsible for the spotlight attacks on JBS and Kaseya. The old groups typically go dark after an incident, then a new group appears months or years later. Researchers eventually discern that it's basically the old group getting back together, with similar techniques and code styles giving them away.

They may rebrand because of new member affiliations to avoid criminal charges and to ensure they can secure cyber insurance payouts.

**Endpoint Protection Won’t Be Enough**

Threat actors will increase the use of tactics to bypass antivirus and other endpoint security solutions. In addition, their attacks will have an increasing focus on core business service technologies, like VMware ESX, for example.

Last fall, researchers observed attackers using new techniques to install persistent backdoors on ESXi hypervisors, a virtualization software and a primary component in the VMware infrastructure software suites for virtual machines.

Because of this, organizations will have an even greater need for defense-in-depth, rather than relying solely on endpoint security to prevent and detect intrusions.

**Leaked Source Code Leads to Forks**

Forked malware, of course, is just another variant that include updates with more sophisticated techniques. Sometimes the source code for a specific malware is leaked online by a researcher, as in the case of Conti ransomware.

Since Conti ransomware was leaked, for example, parts of the source code have been found in other types of ransomware, borrowed or repurposed by different developers.

Updated and forked versions of malware and other threats make it harder for defenders to detect, because there are so many variants using custom techniques to deploy the same attack. We expect such variants will continue to evolve at different rates.

Read more _Partner Perspectives_ with Zscaler.

Cybercrime Shows No Signs of Slowing Down

Despite growing awareness, organizations remain plagued with unpatched vulnerabilities and weaknesses in credential policies.

Weak credential policies and a lax approach to patching were among the most common points of IT security failure for organizations in 2022, while a failure to configure tools properly could leave organizations open to attack.

That's according to a recent study by cybersecurity firm Horizon3.ai, based on findings from approximately 7,000 penetration tests that evaluated approximately 1 million assets.

Of the Top 10 vulnerabilities Horizon3.ai detected in 2022, the use of weak or reused credentials topped the list, followed by weak or default credential checks in protocols (SSH and FTP) and threat actors using Dark Web credential dumps from Windows or Linux hosts.

Exploitation of critical vulnerabilities on CISA's list of Top 15 Routinely Exploited Vulnerabilities list, as well as the exploitation of critical VMware vulnerabilities, rounded out the top five.

Corey Sinclair, cyber-threat intelligence analyst for Horizon3.ai, explains that professionals are challenged by balancing the three factors of security, functionality, and usability. The requirements of the end user, usability and functionality, are often at odds with or contradictory to the best security practices.

"To ease our own burden, we as individuals tend to shy away from the difficult, and move to what's easy and convenient," he says. "This means having fewer or easier credential requirements."

Individuals thus tend to reuse credentials when they know they should have unique passwords for everything, and organizations fail to enforce stronger credential requirements or invest in a companywide password solution.

Sinclair adds that sometimes, companies simply don't know to go back and check to see if default credentials were changed when a new technology is brought online.

Security teams should be on notice: The successful combo of using stolen credentials and social engineering to breach networks is increasing the demand for infostealers on the Dark Web, according to Accenture's Cyber Threat Intelligence team (ACTI), which recently surveyed the infostealer malware landscape over 2022.

That report also warned that malicious actors are combining stolen credentials and social engineering to carry out high-profile breaches and leveraging multifactor authentication (MFA) fatigue attacks.

**Patching & Misconfigurations Are a Pain Point**

The survey also found that known critical vulnerabilities were regularly exploited, while popular DevOps tools and resources, including Docker and Kubernetes, were riddled with misconfigurations and vulnerabilities.

"Patching and misconfigurations essentially come down to scale and prioritization," Sinclair says. "Depending on the size and infrastructure of a company's IT department, it will determine how quickly and effectively a company can find what needs to be patched or configured."

Additionally, not all organizations know what to patch, and how to prioritize what needs to be patched first.

"With the plethora of CVEs and vulnerabilities being released daily, most companies find it hard to keep up with, let alone fix what matters, before threat actors exploit them," he adds.

From his perspective, companies must take a different approach to security, in which they view their environments through the eyes of the attacker.

"They need to view their environment and prioritize \[fixes\] based on what is actually reachable, vulnerable, and exploitable," he says. "This mindset shift allows the company to stay one step ahead of the adversary, while ensuring they have a constant pulse on their environment's security posture."

Organizations without the time or talent to patch or review for misconfigurations may find patching-as-a-service (PaaS) a way to improve security, but a successful program will require accurate and robust asset management tools so the vendor knows what's live in the client's environment, he adds.

**Adoption of Multifactor Technologies in 2023**

Sinclair points out that while it is "way too early" to tell what 2023 will bring on the cybersecurity defense front, he believes there are going to be more and more companies adopting new multifactor technologies to aid in the fight against credential reuse and weak credentials.

"By adopting these technologies, it will push cyber-threat actors to find other vulnerabilities and weaknesses to exploit," he says. "As the cybersecurity world is always shifting and evolving, staying one step ahead of malicious cyber-threat actors is paramount."

Patching & Passwords Lead the Problem Pack for Cyber-Teams

It's time to share threat intelligence and prioritize digital literacy and cyber hygiene to stem the rising money laundering tide.

It's almost impossible to pinpoint the amount of money that's laundered globally, but conservative estimates put it at anywhere from $800 million to $2 trillion, according to the United Nations' Office on Drug and Crimes — and that's likely just the tip of the iceberg. It's a crime that, in turn, fuels some of the world's most heinous criminal activities. It's also a tactic used by cybercriminals to help try to cover up the profits they're making from things like wide-scale ransomware attacks. The rise of cryptocurrency also has made it easier for them to evade detection.

Financial institutions, cryptocurrency companies, and other organizations face increasing fines — sometimes ranging in the millions and billions of dollars — for failure to root out money laundering as government agencies and regulators worldwide seek to crack down on this scourge.

Here's the bad news as we look toward 2023: Automation is going to make the problem worse. We will see the rise of money laundering-as-a-service. But the silver lining is there are ways to stem the tide — and collaboratively reduce bad actors' ability to do so.

**The Crypto-Money Laundering Connection**

A preferred tactic by cybercriminal organizations looking to grow their ranks is to use what are known as money mules. These are individuals who are brought in to help launder money — sometimes, unknowingly. They're often lured in under false pretenses and promises of legitimate jobs, only to discover that "job" is to help launder the profits from cybercrime.

Back in the day, this money shuffling was typically done through anonymous wire transfer services. While they often got away with it, such transfers are far easier for law enforcement and regulators to track. These days, most criminals have moved to using cryptocurrency. Its relative lack of regulatory oversight, coupled with often-anonymous transactions, make it almost the ideal vehicle for money laundering. In fact, a report by Chainalysis found that criminals laundered $8.6 billion in cryptocurrency in 2021. That's a 30% increase from the prior year.

**The Rise of Recruitment**

Setting up recruitment campaigns for money mules takes time and energy. In their efforts to obfuscate their true purpose, cybercriminals will sometimes go to great lengths to build legit-looking websites for fake organizations and post fake job listings aimed at making those businesses seem aboveboard.

However, automation and machine learning (ML) will make this process far easier — and quicker. ML can be used to better target potential recruits in a faster manner, for one thing. We also expect to see some of the manual campaigns replaced with automated services that enable bad actors to move dirty money through the layers of crypto exchanges — that's going to make the process faster and harder to trace. And that means it also will be more difficult to recover stolen funds.

Collectively, these efforts comprise what we're calling money-laundering-as-a-service (MLaaS), and it's going to become another tool in the cybercrime tool chest.

**Cutting 'Em Off at Their Knees**

While cybercriminals are going to look for any methodology possible to make money laundering easier, that doesn't mean we have to accept this as a foregone conclusion.

The biggest factor in combating the rise of MLaaS is going to involve public-private collaboration on a much larger scale. Organizations across the map can share threat intelligence with one another, contributing to building a better defense all around.

It must be reiterated that cyber hygiene and education must be prioritized as well. No matter the type of organization you're in or the role you're in, this is essential for everyone. Everyone can play a key role in helping keep organizations safe from bad actors. This includes things like more digital literacy — and how to recognize a too-good-to-be-true job ad for the scam it really is. And of course, there's the concept of fighting fire with fire — as bad actors adopt more automation and ML-based approaches, so, too, must defenders.

How Cybercriminals Are Operationalizing Money Laundering and What to Do About It

Come up with a clever caption, and our panel of experts will reward the winner with a $25 Amazon gift card.

Pigeons are way smarter than most people realize, but who knew they were handy with a smartphone? Now it's time to have some fun: Come up with a witty cybersecurity-related caption for the cartoon, above. Our favorite will win a $25 Amazon gift card.

The contest ends on March 1, 2023. Here are four convenient ways to submit your ideas:

*   Email _\[email protected\]_ with the subject line "The Edge February 2023 Toon."
*   Via social media: Twitter, Facebook, and LinkedIn.

**Last Month's Winner**

Congratulations to recently retired advertising creative director Jeff Sawyer, who these days says he claims the title of VP/Lethargy and, now, Edge contest winner. Jeff's caption (below) for January's "Upside Down World" amused us all.

    

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Name That Edge Toon: For the Birds

Apply these nine tips to proactively fight fraudulent websites that use your brand to rip people off.

Brand impersonation is a particularly thorny problem for CISOs. Cybercriminals piggyback off a trusted brand to push scam lures through various means to onto unsuspecting customers. They could disguise themselves as part of the organization's IT team or someone familiar to trick employees into clicking on malicious links or send a message that looks like it is coming from a legitimate source to convince the recipient the contents are real.

Retailers, product creators, and service providers are increasingly having to deal with brand impersonation attacks. Mimecast’s "2022 State of Email Security Report" found that 90% of organizations experienced an impersonation attack over the previous 12 months. Further, the Mimecast "2021 State of Brand Protection Report" found that companies on the BrandZ Top 100 Most Valuable Global Brands 2020 list experienced a 381% rise in brand impersonation attacks over May and June of 2020 compared to before the pandemic. New domains suspected of brand impersonation also rose by 366%. These impersonation attacks include not only the typical phishing or malware attacks, but also fraud that sells or claims to sell products or services on behalf of the brand. These include fencing of stolen items, non-delivery scams, and counterfeit or grey market sales of product.

"\[Brand impersonation\] is a fraud problem and a security incident problem," says Josh Shaul, CEO of Allure Security. "People are stealing from you, and you're trying to prevent the theft."

Experts recommend that CISOs take a systematic and multidisciplinary approach to this problem. The right approach will not only require technology like automated detection, but also security leadership in helping business stakeholders to harden the brand on a number of fronts.

**1\. Engage in Trademark Basics**

Shaul says that a "shocking" number of companies don't go through the most basic actions of establishing and maintaining ownership of their brand's trademark. The most fundamental step for hardening a brand from online attacks is to cover the basics like registering trademarks, logos, and unique product images, as well as keeping trademarks up-to-date.

"Once you lose control of the trademark, somebody else might register your trademark," he says. "It's a real problem for you. You can't enforce it if you don't own it, so you've got to start there."

**2\. Take Ownership of Online Landscape**

From there, the other basic component companies need to think about is taking ownership of a brand's online landscape. This means not only picking up as many potentially relevant domain names as possible for the brand, but also setting up a footprint on all possible social media channels, Shaul says.

"A lot of companies are like, 'Hey, we do social media, but we don't do TikTok,' or 'We don't do Instagram,' and therefore they don't set up a presence there," he says. "If you don't set up a presence for your brand on a major social platform, there's nothing stopping somebody else from setting up a presence for your brand on that major social platform. Then you've got to try to recover it, which is kind of a nightmare. Just planting the flag is important."

**3\. Monitor Domains**

Organizations should not only be watching and monitoring the domains they own, but also their domain ecosystem, says Ihab Shraim, CTO of CSC Digital Brand Services.

"This means understanding the types of domains that are being registered around them because it’s a multidimensional cyber threat," he says.

As he explains, often larger enterprises manage thousands of domains, which can make it difficult to keep tabs on and effectively manage the entire portfolio.

"Companies need to devise policies and procedures to monitor and mitigate threats associated with all their domains as an integral part of their security posture," Shraim says. He explains that they should be continuously monitoring their domains and also digital channels within search engines, marketplaces, mobile apps, social media, and email to look out not only for phishing and malware campaigns but also brand abuse, infringements, and counterfeit selling on digital channels. "It is crucial for companies to understand how their brands are operating on the Internet."

**4\. Leverage Threat Intel**

Doug Saylors, partner and co-lead of cybersecurity for global technology research and advisory firm ISG, believes that organizations should leverage threat intelligence to help them with the adjacent domains and also the tricky tactics, techniques, and procedures used by bad actors in their impersonation attacks.

"Organizations need to invest in threat intelligence platforms that will help identify the use of fake domains, phishing campaigns, and other technologies to defeat the TTPs \[tactics, techniques, and procedures\] used to enable brand impersonation," he says.

**5\. Consider Full-Cycle Brand Protection**

Saylors is also a big believer in full-cycle brand protection. He recommends companies consider these services — not just for their detection capabilities but also their expertise in mitigation.

"They should engage the services of specialty firms that deal with the full lifecycle of brand protection to ensure scalability and absolute focus on reducing fraudulent activity," he says. "These firms have advanced capability to identify fake sites, catalogs, and catalog entries and remove them through industrial-strength takedown procedures."

As organizations evaluate online brand protection companies, they've got to keep in mind that this is another cat-and-mouse game detection category, where mileage may vary based on technology and how well companies keep up with evasive behavior from the attackers.

For example, when attackers found that their scams were being discovered through image processing and logo detection, they began with simple evasive techniques like changing the image file format and then evolved to use multiple nested images and text in a single collapsed image to trip up detection, says Shaul.

"So now, unless you can compare sections of an image, which is a super hard technical problem that some of us have solved, you can't detect these things anymore," he says. "They just bypass the evolving detections that organizations are putting out there."

Another new tactic they've taken is creating generic fake shops and evolving them into branded shops over time, he says.

"The scammers are working hard to understand how detection is evolving in the industry, and doing things to try to evade detection as aggressively as they can," he says.

**6\. Use Incident Responders Judiciously**

Incident responders hate handling the mitigation of brand impersonation because it is a different skillset than a lot of analysts who get into the field for fun investigative work and not to chase down registrars to do takedowns, says Shaul. Even if a company can make it fun for their responders, they have got to be careful that they're using their specialized responders in a cost-effective way.

He likes to tell the story of a banking customer that had been putting this on their IR team, who turned it into a fun exercise by breaking into phishing sites that were targeting the company's brand and doing a lot of offensive security work.

"The IR guys were having a ball with it, but they realized, 'Look how much time we're spending basically just playing games with the attackers,'" he says. "They had their best people doing hard work to just clean up after scams that already happened."

He suggests that by knowing in advance that response to these sites takes a different skillset than advanced analysts have, this might be a way to break in new security ops personnel and give early-career responders some experience through a planned career path that starts with impersonation takedowns.

**7\. Proactively Build Law Enforcement Relationships**

Additionally, organizations should understand that they're likely going to need to help from the authorities in many of these cases. Saylors says that CISOs should be working to proactively build partnerships with law enforcement agencies and other relevant government authorities around the globe.

"They should also have direct relationships with law enforcement organizations that will pursue and prosecute the criminals responsible for brand theft and the resulting revenue loss to legitimate companies," he says.

**8\. Educate Consumers and Employees**

Frequent and detailed awareness campaigns for customers about what brand impersonation looks like compared to the real deal can go a long way toward curbing their risk of falling for common frauds.

"Organizations, other than large banks, tend to fail in this area due to concerns about scaring their customers away," he says. But actually, awareness campaigns like this can bring customers closer to the brand when they're done right. Here's a great example of what an awareness site can look like. This is a detailed fraud awareness article put together by Burton Snowboards that provides examples of fake Burton scam sites, with clues for their customers to look for in detecting a scam and some additional pointers. Communications like these can be used as a technique to not only build trust and goodwill among customers, but also build up the brand.

**9\. Differentiate Your Brand**

One final thing that CISOs can encourage their organizations to do is to find ways to ensure all of their sites, pages, and experiences are visually and contextually recognizable as part of the brand. This is an opportunity for collaboration with the marketing department. Not only can customers recognize distinctive brands more easily, but it's also a lot easier for automated detection searches to automatically find impersonated images and logos out in the wild, says Shaul.

"Ensure there's something a little bit different about your brand that makes it so that your customers and even your employees can recognize it. That's great for marketing but also helps security in a big way," he says. "The more your brand has differentiated itself with the way it looks, the way it feels, the way it's set — with little things like how your VPN looks — and the easier it is to protect the brand."

What CISOs Can Do About Brand Impersonation Scam Sites

The January attack was in retaliation for the satirical French magazine's decision to launch a cartoon contest to lampoon Iran's Supreme Leader.

A recent attack where a threat group calling itself "Holy Souls" accessed a database belonging to satirical French magazine Charlie Hebdo and threatened to dox more than 200,000 of its subscribers was the work of Iranian state-actor Neptunium, Microsoft said on Feb. 3.

The attack appears to have been a response by the Iranian government to a cartoon contest that Charlie Hebdo announced in December, where the magazine invited readers from around the world to submit caricatures "ridiculing" Iran's Supreme Leader Ali Khamenei. Results of the contest were to be published on Jan. 7, the eighth anniversary of a deadly 2015 terror attack on Charlie Hebdo — in retaliation for publishing cartoons of Prophet Mohammed — that left 12 of its staffers dead.

**Doxing Could Have Put Subscribers at Risk of Physical Targeting**

Microsoft said it determined Neptunium was responsible for the attack based on artifacts and intelligence that researchers from its Digital Threat Analysis Center (DTAC) had collected. The data showed that Neptunium timed its attack to coincide with the Iranian government's formal criticism of the cartoons, and its threats to retaliate against Charlie Hebdo for them in early January, Microsoft said.

Following the attack, Neptunium announced it had accessed personal information belonging to some 230,000 Charlie Hebdo subscribers, including their full names, phone numbers, postal addresses, email addresses, and financial information. The threat actor released a small sample of the data as proof of access and offered the full tranche to anybody willing to buy it for 20 Bitcoin — or about $340,000 at the time, Microsoft said. 

"This information, obtained by the Iranian actor, could put the magazine’s subscribers at risk of online or physical targeting by extremist organizations," the company assessed — a very real concern given that Charlie Hebdo fans have been targeted more than once outside of the 2015 incident.

Many of the actions that Neptunium took in executing the attack, and following it, were consistent with tactics, techniques, and procedures (TTPs) that other Iranian state actors have employed when carrying out influence operations, Microsoft said. This included the use of a hacktivist identity (Holy Souls) in claiming credit for the attack, the leaking of private data, and the use of fake — or "sockpuppet" — social media personas to amplify news of the attack on Charlie Hebdo.

For instance, following the attack, two social media accounts (one impersonating a senior French tech executive and the other an editor at Charlie Hebdo) began posting screenshots of the leaked information, Microsoft said. The company said its researchers observed other fake social media accounts tweeting news of the attack to media organizations, while others accused Charlie Hebdo of working on behalf of the French government.

**Iranian Influence Operations: A Familiar Threat**

Neptunium, which the US Department of Justice has been tracking as "Emennet Pasargad," is a threat actor associated with multiple cyber-enabled influence operations in recent years. It is one of many apparently state-backed threat actors working out of Iran that have heavily targeted US organizations in recent years.

Neptunium's campaigns include one where the threat actor attempted to influence the outcome of the US 2020 general elections by, among other things, stealing voter information, intimidating voters via email, and distributing a video about nonexisting vulnerabilities in voting systems. As part of the campaign, Neptunium actors masqueraded as members of the right-wing Proud Boys group, FBI's investigation of the group showed. In addition to its Iran government-backed influence operations, Neptunium is also associated with more traditional cyberattacks dating back to 2018 against news organizations, financial companies, government networks, telecommunications firms, and oil and petrochemical entities.

The FBI said that Emennet Pasargad is actually an Iran-based cybersecurity company working on behalf of the government there. In November 2021, a US grand jury in New York indicted two of its employees on a variety of charges, including computer intrusion, fraud, and voter intimidation. The US government has offered $10 million as reward for information leading to the capture and conviction of the two individuals.

**Neptunium's TTPs: Reconnaissance & Web Searches**

The FBI has described the group's MO as including first-stage reconnaissance on potential targets via Web searches, and then using the results to scan for vulnerable software that the targets could be using. 

"In some instances, the objective may have been to exploit a large number of networks/websites in a particular sector as opposed to a specific organization target," the FBI has noted. "In other situations, Emennet would also attempt to identify hosting/shared hosting services."

The FBI's analysis of the group's attacks shows that it has specific interest in webpages running PHP code, and externally accessible MySQL databases. Also of high interest to the group are WordPress plug-ins such as revslider and layerslider, and websites that run on Drupal, Apache Tomcat, Ckeditor, or Fckeditor, the FBI said. 

When attempting to break into a target network, Neptunium first verifies if the organization might be using default passwords for specific applications, and it tries to identify admin or login pages. 

"It should be assumed Emennet may attempt common plaintext passwords for any login sites they identify," the FBI said.

Iran-Backed Actor Behind 'Holy Souls' Cyberattack on Charlie Hebdo, Microsoft Says

At least 1,200 Redis servers worldwide have been infected with "HeadCrab" cryptominers since 2021.

An unknown threat actor has been quietly mining Monero cryptocurrency on open source Redis servers around the world for years, using a custom-made malware variant that is virtually undetectable by agentless and conventional antivirus tools.

Since September 2021, the threat actor has compromised at least 1,200 Redis servers — that thousands of mostly smaller organizations use as a database or a cache — and taken complete control over them. Researchers from Aqua Nautilus, who spotted the campaign when an attack hit one of its honeypots, are tracking the malware as "HeadCrab."

**Sophisticated, Memory-Resident Malware**

In a blog post this week, the security vendor described HeadCrab as memory-resident malware that presents an ongoing threat to Internet-connected Redis servers. Many of these servers don't have authentication enabled by default because they are meant to run on secure, closed networks.

Aqua's analysis of HeadCrab showed that the malware is designed to take advantage of how Redis works when replicating and synchronizing data stored across multiple nodes within a Redis Cluster. The process involves a command that basically allows administrators to designate a server within a Redis Cluster as a "slave" to another "master" server within the cluster. Slave servers synchronize with the master server and perform a variety of actions, including downloading any modules that might be present on the master server. Redis modules are executable files that administrators can use to enhance the functionality of a Redis server.

Aqua's researchers found HeadCrab exploiting this process to load a cryptocurrency miner on Internet-exposed Redis systems. With the attack on its honeypot, the threat actor, for instance, used the legitimate SLAVEOF Redis command to designate the Aqua honeypot as the slave of an attacker-controlled master Redis server. The master server then initiated a synchronization process in which the threat actor downloaded a malicious Redis module containing the HeadCrab malware.

Asaf Eitani, security researcher at Aqua, says several features of HeadCrab suggest a high degree of sophistication and familiarity with Redis environments.

One big sign of that is the usage of the Redis module framework as a tool to perform malicious actions — in this case, downloading the malware. Also significant is the malware's use of the Redis API to communicate with an attacker-controlled command-and-control server (C2) hosted on what appeared to be a legitimate but compromised server, Eitani says. 

"The malware is specifically built for Redis servers, as it heavily relies on Redis Modules API usage to communicate with its operator," he notes.

HeadCrab implements sophisticated obfuscation features to remain hidden on compromised systems, executes more than 50 actions in a completely fileless fashion, and uses a dynamic loader to execute binaries and evade detection. "The threat actor is also modifying the normal behavior of the Redis service to obscure its presence and to prevent other threat actors from infecting the server by the same misconfiguration he used to gain execution," Eitani notes. "Overall, the malware is very complex and uses multiple methods to achieve an edge on defenders."

The malware is optimized for cryptomining and appears custom-designed for Redis servers. But it has built-in options to do a lot more, Eitani says. As examples, he points to HeadCrab's ability to steal SSH keys to infiltrate other servers and potentially steal data and also its ability to load a fileless kernel module to completely compromise a server's kernel.

Assaf Morag, threat lead analyst at Aqua, says the company has not been able to attribute the attacks to any known threat actor or group of actors. But he suggests that organizations using Redis servers should assume a full breach if they detect HeadCrab on their systems.

"Harden your environments by scanning your Redis configuration files, ensure the server requires authentication and doesn't allow "slaveof" commands if not necessary, and do not expose the server to the Internet if not necessary," Morag advises.

Morag says a Shodan search showed more than 42,000 Redis servers connected to the Internet. Of this, some 20,000 servers allowed some sort of access and can potentially be infected by a brute-force attack or vulnerability exploit, he says.

HeadCrab is the second Redis-targeted malware that Aqua has reported in recent months. In December, the security vendor discovered Redigo, a Redis backdoor written in the Go language. As with HeadCrab, Aqua discovered the malware when threat actors installed on a vulnerable Redis honeypot.

"In recent years, Redis servers have been targeted by attackers, often through misconfiguration and vulnerabilities," according to Aqua's blog post. "As Redis servers have become more popular, the frequency of attacks has increased."

Source

DARKReading