Researchers warn that polymorphic malware created with ChatGPT and other LLMs will force a reinvention of security automation.

A proof-of-concept, artificial intelligence (AI)-driven cyberattack that changes its code on the fly can slip past the latest automated security-detection technology, demonstrating the potential for creating undetectable malware.

Researchers from HYAS Labs demonstrated the proof-of-concept attack, which they call BlackMamba, which exploits a large language model (LLM) — the technology on which ChatGPT is based — to synthesize a polymorphic keylogger functionality on the fly. The attack is "truly polymorphic" in that every time BlackMamba executes, it resynthesizes its keylogging capability, the researchers wrote.

The BlackMamba attack, outlined in a blog post, demonstrates how AI can allow the malware to dynamically modify benign code at runtime without any command-and-control (C2) infrastructure, allowing it to slip past current automated security systems that are attuned to look out for this type of behavior to detect attacks.

"Traditional security solutions like endpoint detection and response (EDR) leverage multi-layer, data intelligence systems to combat some of today’s most sophisticated threats, and most automated controls claim to prevent novel or irregular behavior patterns," the HYAS Labs researchers wrote. "But in practice, this is very rarely the case."

They tested the attack against an EDR system that was not identified specifically, but characterized as "industry leading," often resulting in zero alerts or detections.

Using its built-in keylogging ability, BlackMamba can collect sensitive information from a device, including usernames, passwords, and credit card numbers, the researchers said. Once this data is captured, the malware uses a common and trusted collaboration platform — Microsoft Teams — to send the collected data to a malicious Teams channel. From there, attackers can exploit the data in various nefarious ways, selling it on the Dark Web or using it for further attacks, the HYAS Labs researchers said.

"MS Teams is a legitimate communication and collaboration tool that is widely used by organizations, so malware authors can leverage it to bypass traditional security defenses, such as firewalls and intrusion detection systems," they wrote. "Also, since the data is sent over encrypted channels, it can be difficult to detect that the channel is being used for exfiltration."

Moreover, because BlackMamba's delivery system is based on an open source Python package, it allows developers to convert Python scripts into standalone executable files that can be run on various platforms, including Windows, macOS, and Linux, they wrote.

**What This Means for Modern Security**

AI-powered attacks like this will become more common now as threat actors create polymorphic malware that leverages ChatGPT and other sophisticated, data-intelligence systems based on LLM, according to the HYAS Labs researchers. This, in turn, will force automated security technology to evolve as well to manage and combat these threats.

“The threats posed by this new breed of malware are very real," the researchers wrote in the post. "By eliminating C2 communication and generating new, unique code at runtime, malware like BlackMamba is virtually undetectable by today's predictive security solutions."

Typically, organizations that deploy EDR and other automated security controls as part of a modern security stack believe they're doing everything in their power to detect and prevent malicious activity. However, BlackMamba's use of AI now demonstrates that "they are not foolproof," the HYAS Labs researchers noted.

"The BlackMamba proof-of-concept shows that LLMs can be exploited to synthesize polymorphic keylogger functionality on-the-fly, making it difficult for EDR to intervene," they wrote.

The security landscape will have to evolve alongside attackers' use of AI to keep up with the more sophisticated attacks that are on the horizon, according to the researchers. Until then, it's imperative that organizations "remain vigilant, keep their security measures up to date," they advised, "and adapt to new threats that emerge by operationalizing cutting-edge research being conducted in this space."

AI-Powered 'BlackMamba' Keylogging Attack Evades Modern EDR Security

For International Women's Month, new ongoing initiative is aimed at celebrating women and bringing visibility to those making cybersecurity history.

**Mountain View, Calif., March 8, 2023 –** Lacework®, the data-driven cloud security company, in celebration of International Women’s History Month, today announced the launch of a new ongoing initiative, “Secured by Women,”  to honor, bring visibility to, and increase opportunities for the women making history in today’s cybersecurity landscape. 

Despite comprising nearly half of the workforce, women only account for 38% of those in the STEM industry and 25% in the cybersecurity industry, according to Cybersecurity Ventures. Secured by Women not only celebrates the groundbreaking women shaping modern security, but is also designed as an ongoing initiative to help more women secure a seat at the table, a voice in the decision-making process, and all the opportunities they deserve. 

“In the security industry, we often talk about visibility – how to increase visibility into our technology environments to better see and understand our risks and potential threats. In that same spirit, now is time to increase visibility for the incredible women in the space who are leading, innovating, and revolutionizing modern security, ” said Sowmya Karmali, Director of Product Management, Lacework. “With this ongoing initiative, we hope to shine a light on this and create more urgency around increasing opportunities for women in security to showcase their amazing contributions and capture leadership roles.” 

On March 23, five women, nominated by their peers for making an impact in cybersecurity, will be selected as the first Secured by Women leaders. Lacework will sponsor each individual to attend one of the following upcoming major security conferences: RSA, Black Hat USA, Black Hat EMEA, or AWS re:Invent. Those recipients unable to attend a conference will be awarded the opportunity to donate the value of this sponsorship to a charity of their choice. And for every nomination submitted, Lacework is donating $1 to Girls Who Code. 

Do you know a brilliant woman in cybersecurity who's making history? Now's your chance to give her the recognition she deserves. Nominations open today, International Women’s Day, and will be open until Monday, March 20th, 5PT.  Submit your nominations today on SecuredbyWomen.com! 

Resources: 

*   Learn more from Lacework CMO Meagen Eisenberg on Secured by Women. 
*   Celebrate the rise of the CISO with us! 
*   Read what Lacework customers have to say about the Lacework Polygraph Data Platform.

**About Lacework **

Lacework offers the data-driven security platform for the cloud and is the leading cloud-native application protection platform (CNAPP) solution. Only Lacework can collect, analyze, and accurately correlate data — without requiring manually written rules — across an organization’s cloud and Kubernetes environments, and narrow it down to the handful of security events that matter. Security and DevOps teams around the world trust Lacework to secure cloud-native applications across the full lifecycle from code to cloud. Get started at www.lacework.com.

Lacework Launches Secured by Women Initiative

Organizations in both industries are falling short when addressing new challenges to protect data in the cloud, finds Blancco report.

**AUSTIN and LONDON – March 8, 2023**—New research launched today by Blancco Technology Group (LON: BLTG), the industry standard in data erasure and mobile lifecycle solutions, reveals the extent to which healthcare and financial services organizations have embraced cloud, as well as the effects cloud adoption has had on data classification, minimization and end-of-life (EOL) data disposal.

Based on a global survey of 1,800 respondents, the study, _Data at a Distance__,_ found extensive cloud adoption, thanks to the ease of managing increasing volumes of data. However, 65% say the switch has increased the volume of redundant, obsolete or trivial (ROT) data they collect.

Increasing volumes of stored data brings with it many issues and is of growing concern for organizations operating in heavily regulated markets. In addition to regulatory noncompliance risks, there are the cost and sustainability impacts of storing this data, as well as security concerns—more data means a greater attack surface and more liability in case of a breach.

Data management best practices indicate that organizations need to know what data they have collected, including its value, where it’s stored and when it needs to be permanently erased. Yet just over half of organizations (55%)can boast a mature data classification model that determines when data has reached EOL—meaning that nearly half fall short when it comes to determining when to dispose of cloud-stored data.

When asked about their cloud approaches, 60% of respondents said that their cloud provider handles EOL data for them. However, more than a third (35%) do not trust their cloud provider to appropriately manage EOL data on their behalf.

“Healthcare and financial services providers handle some of the most confidential and sensitive information possible. While they have made the move to cloud for better connectivity, digital transformation and ease of managing data, many of them are still falling short when it comes to knowing how to reduce risk and maintain compliance when that data is no longer serving a business function,” said Jon Mellon, President Global Sales, Marketing and Field Operations at Blancco.

“Covid changed working norms for all industries, and adopting the cloud helped adapt to those changes. But hackers also changed their approach. The industry reported that 45% of breaches that occurred in 2022 were cloud based. Yet our research found multiple instances of insufficient practices for managing EOL data in the cloud.”

**According to Blancco’s global study of 1,800 healthcare and financial services respondents:**

*   65% of organizations feel that they can better manage EOL data on premises than in the cloud
*   63% use software-based erasure with an audit trail for managing all data – both on-premises and cloud, but a worrying 38% carry out erasure without an audit trail
*   91% of those surveyed recognize data classification as an important first step for achieving data security
*   36% are just beginning to implement a policy for data classification and minimization, with nearly one in ten yet to implement any such process

Regular assessment of data and setting retention periods is a critical and growing concern as regulatory requirements increase for the healthcare and financial services industries. The study found that 57% of organizations have a data schedule where they review different data types to determine whether data has reached end of life. But just over a quarter (28%) use the blunt approach of automatically setting a data expiration date, which is simple but ineffective: it does not consider what the data is, what it’s worth, or the risk of it getting into the wrong hands.

Healthcare and financial services organizations are, however, aware of the new challenges for managing EOL data in the cloud. In fact, 65% have found it necessaryto reassess how they determine what data is no longer needed since making the switch from analog to digital. But in addition to falling short when it comes to data classification and minimization, a worrying 59% of respondents reported using processes without verified data destruction at least some of the time to deal with at least some of their EOL data. This can leave data intact and retrievable without a proper audit trail to prove proper EOL data disposal.

Best practice that may have been in place in on-premises data centers can be left behind when organizations migrate their data to the cloud. While it is standard for cloud providers to refer to data deletion or destruction processes within user agreements, the practice of receiving clear assurances that specific sensitive data has been removed for good is still in its infancy, leaving highly regulated industries vulnerable to both regulatory noncompliance and unauthorized data access threats.

Rapid covid-generated cloud adoption is bringing to light the need for organizations to rethink ownership of their data in a heavily regulated and threat-saturated market. The report lists best practices that will guide these and other data-dependent industries towards ensuring regulations are met and that they can continue to protect both themselves and their customers.For full analysis, read the report here: https://www.blancco.com/data-at-a-distance.

Surge in Cloud Adoption Means a Greater Data Attack Surface for Healthcare and Financial Services

Using a risk-based approach to deal with policy violations and continuous compliance monitoring will help avoid data exposures and fines.

Public cloud spending and adoption is growing fast. Analysts predict that organizations will spend $591.8 billion on cloud infrastructure and services in 2023, up 20.7% from the year before. In fact, according to Forrester, the public cloud market is projected to reach $1 trillion by 2026, with the majority of spending directed to the big four: Alibaba, Amazon Web Services, Google Cloud, and Microsoft.

So, what's happening? Organizations accelerated their cloud migration during the pandemic and saw huge benefits as cloud services enabled faster innovation, provided elasticity to respond to fluctuating demand, and scaled with growth. Now, there's no turning back, even as the C-suite cuts spending in other areas. Organizations' appetite is particularly large for infrastructure-as-a-service (IaaS), projected to reach $150 billion; and platform-as-a-service (PaaS), anticipated to reach $136 billion in 2023.

Yet all this heady growth, which is thrilling to business strategists and technologists alike, has a dark side. Organizations risk significantly increasing public cloud data risks if they don't take necessary steps to improve its security.

**Shadow Data Is Growing Due to Lax Security Controls**

Multiple factors are contributing to the problem of "shadow data" or unknown, unmanaged public cloud data. Business users are provisioning their own applications, and developers are continually spinning up their own instances to develop and test applications. Many of these services store and use sensitive data that IT and security teams don't know about. Cloud buckets may also store multiple versions of data in the same bucket, a process called versioning, which increases risks if policies aren't configured properly.

As the pace of innovation increases, unmanaged data stores are often forgotten about and abandoned. In addition, sensitive data that is properly secured could be moved or copied to an unsecured environment or rendered vulnerable if third parties or extraneous users are granted excessive access privileges.

To understand just how much sensitive data is out there, Laminar Labs scanned publicly facing cloud storage buckets. We were able to detect personally identifiable information (PII) in 21% of the buckets. The information we uncovered included physical and email addresses, phone numbers, drivers' license numbers, names, loan details, credit scores, and more. As just one example, we discovered a file with contact information, Ethereum and Bitcoin address information, and block card email addresses — all information that could easily be exploited by a hacker.

The majority of this shadow data was misplaced — often placed in a public bucket that became accidentally exposed. In other cases, AWS S3 buckets were misconfigured as public instead of private. Either way, myriad organizations are exposing sensitive data that is completely open to be exfiltrated.

**Three Steps to Better Public Cloud Data Security**

Most security professionals (82%) are aware of — and concerned about — their growing public cloud data security problem. Here's how these experts can move swiftly to mitigate threats:

*   **Discover and classify all cloud data:** A next-generation public cloud data security platform enables teams to auto-discover all their cloud data, not just known or tagged assets. It detects all cloud data holdings in managed and unmanaged assets, virtual instances, shadow data stores, data caches and pipelines, and big data. With this information, the platform builds a comprehensive, consistent data catalog across organizations' multicloud environments. The catalog precisely identifies and classifies all sensitive data, such as PII, personal health information (PHI), and payment card industry (PCI) transaction data.

*   **Secure and control cloud data:** With holistic insights into their sensitive cloud data, security teams can apply and enforce the right security policies and validate data settings against their organization's predetermined guardrails. A public cloud data security platform will reveal outstanding policy violations that can be prioritized in a risk-based manner, based on data sensitivity level, security posture, volume, and exposure.
*   **Remediate risks and monitor activity without interrupting data flow:** Teams can then begin remediating sensitive data without compromising business activity. A public cloud data security platform will prompt teams to apply best practices, such as enabling encryption and limiting third-party access, and practice better data hygiene, by removing unused sensitive data from the environment. This process is called data security posture management and provides recommendations that are tailored to each cloud environment, making them more relevant and effective. In addition, security teams can use the platform to enable continuous data monitoring. By doing so, they can rapidly identify policy violations and ensure public cloud data adheres to the organization's stated security posture and regulations, regardless of where it is stored, used, or moved in the cloud.

**Reduce Public Cloud Data Security Risks Today**

Public cloud data security is too important to be left to chance. In a report we released last year, "State of Public Cloud Data Security, "50% of respondents said their cloud environments had been breached in 2020 and 2021. And of this group, 58% had experienced cloud data leaks or exfiltration.

The best way to protect this valuable data is with a public cloud data security platform that is cloud-native, agentless, asynchronous, and able to scale with data growth. With this resource, IT and security teams can tame the complexity of managing and securing data across multiple vendors and hundreds of services. They can also regain control over sensitive cloud data: applying proper governance, using a risk-based approach to address the areas of greatest concern, and maintaining continuous compliance to avoid data exposures and fines.

Rising Public Cloud Adoption Is Accelerating Shadow Data Risks

Cisco’s acquisition of cloud-native firewall provider Valtix and HPE’s deal to buy SSE provider Axis Security fill gaps in their existing portfolios.

Cloud-native is where the deals are. Last week, Cisco announced a deal to buy Valtix, a startup offering a cloud-native firewall. A few days later, Hewlett Packard Enterprise (HPE) announced its own plans to buy Axis Security, a secure services edge (SSE) provider. Neither company disclosed the terms of the acquisitions, both of which are pending regulatory and shareholder approvals.

Both deals highlight how both companies are interested in cloud-native security capabilities and are filling the gaps in their respective product portfolios. Even so, analysts described both deals as being incremental.

“I see both of these acquisitions primarily as gap fillers,” says Mauricio Sanchez, research director covering network security, SASE, and SD-WAN at Dell’Oro Group. “HPE filled a larger gap by purchasing Axis, while Cisco got some interesting IP.”

**HPE Adds SASE to SD-WAN**

HPE plans to incorporate Axis Security’s SSE capabilities with its existing SD-WAN and network firewall offerings (from its Aruba division) to create a secure access service edge (SASE) offering. SASE provides the function of secure web gateways (SWS), cloud access security brokers (CASB), firewall-as-a-service offerings, and zero-trust network access (ZTNA) tools. Dell’Oro Group forecasts that spending on SSE, which consists of SD-WAN and SASE, will increase fivefold by 2027, when revenues top $60 billion.

HPE Aruba gained its SD-WAN offering to accelerate network connectivity to branch offices with its 2020 acquisition of Silver Peak. But until now, HPE lacked a SASE offering. “If HPE can execute well on that acquisition, it brings them back into the game for a broader SASE play,” says Omdia senior principal analyst Fernando Montenegro.

“With Axis, HPE is now able to say they are an end-to-end SASE vendor versus offering just the networking \[SD-WAN\] piece,” adds Sanchez. “The security element is where the action and money are, so by getting Axis, HPE can double their SAM \[served available market\] in one go.”

However, Axis is a small company with a limited market share, Sanchez warns. “HPE got the technology solution but not the market share,” he says. “They will have to battle it out with the large goliaths, like Zscaler and Palo Alto.”

Sanchez thinks HPE will steer midsize enterprises toward Axis.

**Cisco Will Build a Cloud-Native Firewall**

As for Cisco, Valtix engineers will join the networking giant’s Security Business Group, “where they will work closely to integrate into our Security Cloud portfolio and accelerate our path to delivering a seamless experience in securing workloads across multi-cloud environments,” said Raj Chopra, senior VP and the group’s chief product officer, in a blog post.

The Valtix position is that virtual appliances are not well-suited for multicloud and hybrid environments, a sentiment shared by Omdia’s Montenegro.

“The challenge with deploying virtual firewalls in cloud environments is they don’t integrate as well with the rest of the clouds,” Montenegro says. “You want your network security component, the firewall, to understand how elastic your underlying environment is and to potentially do more than a traditional firewall, which is what Valtix is bringing to Cisco.”

Valtix’s advantage over virtual appliances is that it offers automated orchestration and provides visibility by supporting the integration of cloud provider APIs, the company says. It centralizes and consolidates network security by provisioning distributed enforcement points across Microsoft Azure, Amazon Web Services, Google Cloud Platform and Oracle Cloud Infrastructure. Valtix also offers a web application firewall (WAF), which Valtix says can protect cloud workloads, and it provides low-latency TLS decryption at scale.

Dell’Oro Group’s Sanchez views the Valtix deal as more of an acquisition of intellectual property rather than a “fully baked, market-competitive solution.” Sanchez says that Cisco is behind some of its competitors, such as Palo Alto Networks and Zscaler, in providing a cloud-native security offering.

“Palo Alto, as Cisco’s archnemesis in network security, has successfully monetized both virtual cloud firewalls as well as injecting themselves into the CNAPP market with Prisma Cloud,” he says. “Cisco has been largely on the sidelines. Cisco has a lot of catch up to do, and Valtix does help it incrementally. However, they need to do more, whether it be stitching the various products, like AppDynamics, Tetration, Kenna, together with Valtix to have a go at the CNAPP market, or leverage Valtix to invigorate Firepower \[Cisco’s next generation firewall — NGFW — line) to finally give Palo a run for its money in the cloud.”

Tech Giants Go Cloud-Native Shopping

**CAMBRIDGE, Mass.****,** **March 7, 2023** **/PRNewswire/ --** Akamai Technologies, Inc. (NASDAQ: AKAM), the cloud company that powers and protects life online, today introduced the Akamai Hunt security service. The service enables customers to capitalize on the infrastructure of Akamai Guardicore Segmentation, Akamai's global attack visibility, and expert security researchers to Hunt and remediate the most evasive threats and risks in their environments. Akamai also released Agentless Segmentation, helping Akamai Guardicore Segmentation customers extend the benefits of Zero Trust to connected IoT and OT devices that aren't capable of running host-based security software.

As organizations embrace digital transformation and workforces continue to evolve, ransomware and other advanced attacks are still a threat to business continuity and overall brand trust, costing more than $20 billion in 2021 alone. To combat these threats, IT administrators must take new approaches to safeguard their networks, intellectual property and employees through the Zero Trust frameworks and microsegmentation to stop lateral movement within the network.

"Microsegmentation is proven to defend against ransomware and other attacks by greatly reducing attack surfaces in complex and dynamic environments," said Pavel Gurvich, Senior Vice President and General Manager, Enterprise Security at Akamai. "These new offerings for Akamai Guardicore Segmentation customers will extend protection to devices that have historically been difficult to secure and will provide the extra visibility and analysis necessary to fend off the most evasive threats."

**Akamai Hunt** 

Akamai Hunt combines the infrastructure, telemetry and control of Akamai Guardicore Segmentation with the data that Akamai has by delivering much of the world's internet traffic.

Now customers can eliminate threats in their environment, virtually patch vulnerabilities, and improve their IT hygiene. Other benefits include:

*   **Unique Dataset:** Rich telemetry from the customer's environment correlated with priority global threat data enables Hunt to find evasive threats and risks.
*   **Big Data Analysis:** Massive data is correlated and queried for suspicious and anomalous activity that other tools miss.
*   **Expert Investigation:** Dedicated security experts investigate detections to ensure teams are not bogged down by false positives.
*   **Alerts and Monthly Reports:** Detailed alerts provide the information required for mitigation, while monthly reports provide an executive overview.
*   **Guided Mitigation:** Hunt experts assist in the remediation of threats, patching of vulnerabilities, and hardening of IT infrastructures.

For more information about Akamai Hunt join the Akamai webinar on March 23 at 12:00 p.m. ET or click here.

**Akamai Agentless Segmentation**

Securing IoT and OT devices has traditionally been a challenge for most organizations. With Akamai Agentless Segmentation organizations are now able to reduce their attack surface, and enforce Zero Trust policies on devices that can't run host-based security software. Other features include:

*   **Continuous Device Discovery:** Automatically discover new network-connected devices and execute predefined device onboarding workflows.
*   **Integrated Device Fingerprinting:** Identify, assess, and categorize all connected devices to ensure that appropriate security policies are applied.
*   **Visualization of Enterprise Assets:** View IoT and OT devices, traffic, and interactions with endpoints, servers, and cloud assets throughout the enterprise.
*   **Agentless Zero Trust Segmentation:** Enforce agentless least-privilege segmentation policies and quarantine suspicious devices through direct integration with network control points.
*   **Roaming Device Awareness:** Maintain device visibility, context, and control as devices move between different areas of your wired and wireless network infrastructure.

Akamai Agentless Segmentation will be available for Akamai Guardicore Segmentation customers in Q2 2023.

**About Akamai**

Akamai powers and protects life online. Leading companies worldwide choose Akamai to build, deliver, and secure their digital experiences — helping billions of people live, work, and play every day. With the world's most distributed compute platform — from cloud to edge — we make it easy for customers to develop and run applications, while we keep experiences closer to users and threats farther away. Learn more about Akamai's security, compute, and delivery solutions at akamai.com and akamai.com/blog, or follow Akamai Technologies on Twitter and LinkedIn.

Akamai Technologies Releases New Service and Tools to Stop Advanced Threats and Drive Zero Trust Adoption

Two novel malware binaries, including "HiatusRAT," offer unique capabilities that point to the need for better security for companies' router infrastructure.

A cyber-espionage campaign featuring novel malware has been uncovered, targeting DrayTek routers at medium-sized businesses worldwide.

Unlike most spyware efforts, this campaign, dubbed "Hiatus" by Lumen Black Lotus Labs, has dual goals: to steal data in targeted attacks and to co-opt routers to become part of a covert command-and-control (C2) infrastructure for mounting hard-to-trace proxy campaigns.

The threat actors use known vulnerabilities to target DrayTek Vigor models 2960 and 3900 running an i368 architecture, according to an analysis this week on Hiatus from Black Lotus. Once the attackers achieve compromise, they can plant two unique, malicious binaries on the routers. 

The first is an espionage utility called tcpdump, which monitors router traffic on ports associated with email and file-transfer communications on the victim's adjacent LAN. It has the ability to passively collect this cleartext email content as it transits the router.

"More established, medium-size businesses run their own mail servers, and sometimes have dedicated internet lines," according to the report. "These networks utilize DrayTek routers as the gateway to their corporate network, which routes traffic from email servers on the LAN to the public internet."

The second binary is a remote access Trojan (RAT) called HiatusRAT, which allows cyberattackers to remotely interact with the routers, download files, or run arbitrary commands. It also has a set of prebuilt functions, including two proxy functions that the threat actors can use to control other malware infection clusters via an infected Hiatus victim's machine.

**HiatusRAT's Proxy Functions**

The two proxy commands are "purpose-built to enable obfuscated communications from other machines (like those infected with another RAT) through the Hiatus victims," according to the Black Lotus report.

They are:

*   **socks5:** Sets up a SOCKS version 5 proxy on the compromised router.
*   **tcp\_forward:** For proxy control, this takes a specified listening port, forwarding IP, and forwarding port and transmits any TCP data that was sent to the listening port on the compromised host to the forwarding location. It establishes two threads to allow for bidirectional communications between the sender and the specified forwarding IP.

The ability to turn the router into a SOCKS5 proxy device "allows the threat actor to interact with malicious, passive backdoors such as Web shells via infected routers as a midpoint," explains Danny Adamitis, principal threat researcher for Lumen Black Lotus. "Using a compromised router as the communications for backdoors and Web shells enables the threat actors to bypass geo-fencing-based defense measures and avoid being flagged on network-based detection tools."

The TCP function, meanwhile, has likely been designed to forward beacons or interact with other RATs on other infected machines, which would "allow the router to be a C2 IP address for malware on a separate device," according to the report.

All of this means that organizations shouldn't underestimate their worth as a target, the report noted: "Anyone with a router who uses the internet can potentially be a target for Hiatus — they can be used as proxy for another campaign — even if the entity that owns the router does not view themselves as an intelligence target."

**Varied Types of Hiatus Victims**

The campaign is unusually small, having infected only around 100 victims, mainly in Europe and Latin America.

"This is approximately 2% of the total number of DrayTek 2960 and 3900 routers that are currently exposed to the Internet," according to Adamitis. "This suggests the threat actor is intentionally maintaining a minimal footprint to limit their exposure and maintain critical points of presence."

In terms of espionage, some of the victims are "targets of enablement," says the researcher, and include IT service and consulting firms.

"We believe the threat actors target these organizations to gain access to sensitive information about their customers’ environments," using the scraped email communications to mount downstream attacks, Adamitis says.

He adds that a second grouping of victims can be considered targets of direct interest for data theft, "which included municipal government entities and some organizations involved in the energy sector."

While the number of primary victims is small, the scope of the data theft suggests an advanced persistent threat as the culprit behind Hiatus.

"Based upon the amount of data that would be collected from these accesses, it leads us to believe that the actor is well resourced and is capable of processing large volumes of data, suggesting a state-backed actor," Adamitis notes.

**What to Learn From Hiatus**

The key takeaway for businesses is that the conventional idea of perimeter security needs to be adapted to include routers.

"The benefits of using routers for data collection are that they are unmonitored, and all traffic passes through them," Adamitis explains. "This stands in contrast to Windows machines and mail servers, which usually have endpoint detection and response (EDR) and firewall protections deployed in enterprise networks. This lack of monitoring allows the threat actor to collect the same information that would be achieved without directly interacting with any assets that might have EDR products pre-installed on them."

To protect themselves, businesses need to make sure that routers are "routinely checked, monitored, and patched like any other perimeter device," he says.

Organizations should take action: The Hiatus binaries were first seen last July, with new infections continuing up to at least mid-February. The attacks use version 1.5 of the malware, indicating that there could have been activity using version 1.0 prior to July. Black Lotus said that it fully expects the activity to continue.

Hiatus Campaign Infects DrayTek Routers for Cyber Espionage, Proxy Control

An Acer statement confirms that a document server for repair techs was compromised, but says customer data doesn't appear to be part of the leak.

Acer has confirmed its systems were breached after a threat actor offered 160GB of data they say was stolen from the electronics company.

Acer sells a variety of consumer electronics products, including Chromebooks, monitors, laptops, and desktop PCs.

The post in the cybercrime forum claims to have a slew of secret information for sale, including Acer slides, employee manuals, and product information. Acer said in a statement reacting to the claims that the compromised data doesn't appear to include customer information.

"We have recently detected an incident of unauthorized access to one of our document servers for repair technicians," Acer said in a statement about the cybersecurity incident. "While our investigation is ongoing, there is currently no indication that any consumer data was stored on that server."

Acer has suffered several compromises over the past few years, including a $50 million ransomware attack in March 2021.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Acer Confirms Data Offered Up for Sale Was Stolen

Flaw in Toyota's C360 customer relationship management tool exposed personal data of unknown number of customers in Mexico, a disclosure says.

A production API in Toyota's C360 customer relationship management (CRM) tool loaded with the personal information of an unknown number of the carmaker's customers in Mexico was found to expose reams of sensitive data.

A disclosure from threat hunter Eaton Zveare outlines how it was possible to access Toyota customers' names, addresses, phone numbers, emails, and tax identification numbers, as well as vehicle ownership and service history stored in the C360 CRM.

After reporting the issue to Toyota, Zveare said the sites were taken offline, and the APIs were secured so that they now require an authentication token.

"I would like to stress that I do not know how many customers are in this CRM," Zveare wrote. "There wasn't a user list — it was only possible to search for customers by name, ID, phone number, or email address."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Hacker Cracks Toyota Customer Search Tool

**LONDON, United Kingdom— March 7, 2023 —** ManageEngine, the enterprise IT management division of Zoho Corporation, today announced that it has added a security and risk posture management dashboard to Log360, its unified security information and event management (SIEM) solution with integrated DLP and CASB capabilities. Enterprises can leverage this new feature to implement proactive security strategies and prevent cyberattacks before they occur.

Establishing a proactive security strategy relies largely on assessing the risks of network platforms continuously. Risk assessment and management, if done right, strengthens enterprise security and thereby prevents hackers from intruding in the network. Compliance regulations across regions require enterprises of all industries and sizes to follow security best practices to harden their network infrastructures. AD is often a primary target for adversaries. Continuously assessing AD risks and enhancing its security posture are essential to preventing cyberattacks from happening.

**Pre-empt Intrusions with Log360's Security and Risk Posture Management**

Stolen or compromised credentials are a common attack vector. Once an account within an organisation is compromised, attackers can get hold of other user accounts, move laterally through the network, and access sensitive data. This is where AD security hardening can help an organisation ward off security threats related to sensitive data. 

"With the introduction of more regional compliance mandates, aligning security and compliance is more crucial than ever and has become an important conversation in board meetings. Security and risk posture management—a proactive security strategy—is an integral part of many compliance requirements," said Manikandan Thangaraj, vice president of ManageEngine.

"ManageEngine has augmented its unified SIEM solution with security and risk posture management that allows enterprises to gain visibility into the current risk posture of their network resources. This helps identify critical loopholes and vulnerabilities that, if exploited, can cause significant damage. Furthermore, the feature helps curb account compromise and misconfigurations, two of the most commonly used techniques for launching an attack," Thangaraj said.

**Highlights of ManageEngine** **Log360's Security and Risk Posture Management**

*   Visibility into AD infrastructure compliance with Microsoft security baselines
*   Accurate detection of weak and risky AD infrastructure configurations and comprehensive security and risk posture calculations
*   Continuous assessments along with AD security posture recommendations to fix loopholes and reduce the risk of being attacked
*   A continuous risk assessment and management dashboard that helps you meet stringent compliance requirements with ease

Log360 also has extensive machine learning-based user and entity behaviour analytics that actively monitor user behaviour and identity compromise. By combining all these features, Log360 offers comprehensive protection against account compromise and identity theft and facilitates quick action against potential breaches.

**About Log360**

Log360 is a unified SIEM solution with integrated DLP and CASB capabilities that detects, prioritizes, investigates, and responds to security threats. It combines threat intelligence, machine learning-based anomaly detection, and rule-based attack detection techniques to detect sophisticated attacks and offers an incident management console for effectively remediating detected threats. Log360 provides holistic security visibility across on-premises, cloud, and hybrid networks with its intuitive and advanced security analytics and monitoring capabilities. For more information about Log360, visit manageengine.com/log-management/.

**About ManageEngine**

ManageEngine is the enterprise IT management division of Zoho Corporation. Established and emerging enterprises—including 9 of every 10 Fortune 100 organisations—rely on ManageEngine's real-time IT management tools to ensure optimal performance of their IT infrastructure, including networks, servers, applications, endpoints and more. ManageEngine has offices worldwide, including the United States, the United Arab Emirates, the Netherlands, India, Colombia, Mexico, Brazil, Singapore, Japan, China and Australia, as well as 200+ global partners to help organisations tightly align their business and IT. For more information, please visit manageengine.com, follow the company blog and get connected on LinkedIn, Facebook and Twitter.

Source

DARKReading