Chris Kirsch, CEO of runZero, sits down with Dark Reading’sTerry Sweeney for a Fast Chat on the importance of asset discovery.

Chris Kirsch, CEO of runZero, sits down with Dark Reading’sTerry Sweeney for a Fast Chat on the importance of asset discovery.

Dark Reading

Comprehensive asset discovery is critical to effective cybersecurity programs. CISA has issued a directive requiring federal civilian agencies to improve asset visibility and vulnerability detection by April 2023. Chris Kirsch, CEO of runZero, discusses the directive and the importance of asset discovery.

*   Why is asset discovery still so difficult for so many organizations?
*   Why do companies need asset discovery if they already are scanning for vulnerabilities and protecting endpoints?
*   How will the CISA directive change things for federal agencies and other organizations?
*   What should organizations do with the asset inventory once they have one?

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Editors' Choice

Robert Lemos, Contributing Writer, Dark Reading

Karen Spiegelman, Features Editor

Robert Lemos, Contributing Writer, Dark Reading

Nate Nelson, Contributing Writer, Dark Reading

Webinars

*   A Roadmap to Zero Trust: Steps for Meaningful Progress Amongst the Hype
*   Every DDoS Resilience and Response Playbook Should Include These Things
*   Rethinking Authentication: MFA, Passwordless, Certificates, and More
*   Deciphering the Hype Around XDR
*   The Ransomware Evolution: Protecting Against Professionalized Cybercriminal Operations

Reports

*   The Promise and Reality of Cloud Security
*   10 Hot Talks From Black Hat USA 2022
*   How Machine Learning, AI & Deep Learning Improve Cybersecurity
*   Zero Trust and the Power of Isolation for Threat Prevention
*   Increased Cooperation Between Access Brokers, Ransomware Operators Reviewed

White Papers

*   How Machine Learning, AI & Deep Learning Improve Cybersecurity
*   State of Email Security
*   Ransomware Is On The Rise
*   State of Ransomware Readiness: Facing the Reality Gap
*   How Hybrid Work Fuels Ransomware Attacks

Events

*   Emerging Cybersecurity Technologies - A Dark Reading Mar 23 Event
*   Black Hat USA - August 5-10 - Learn More
*   Black Hat Asia - May 9-12 - Learn More

Why Most Companies Still Don’t Know What’s on Their Network

Data Privacy Day rolls around year after year, and data privacy breaches likewise. Two-thirds of data breaches result in data exposure.

There are continued breaches of data privacy, and according to Omdia's Security Breaches Tracker, approximately two-thirds of security breaches involve data exposure, many of these of personally identifiable information (PII). Data Privacy Day serves to highlight the inadequacies of data protection and to support the confidentiality of information.

Omdia's Cybersecurity Decision Maker survey, conducted in the second quarter of 2022, found that 32% of organizations are "extremely confident" in their organization's security controls, and a further 58% describe themselves as "reasonably confident." However, this confidence is likely misplaced. The same survey found that 77% of organizations have suffered numerous security incidents and breaches, some with a severe impact on the organization. Realistically, strong security controls should be preventing some of these incidents and breaches.

Some of these security breaches are included in Omdia's Security Breaches Tracker. This data looks at the leading outcome of security breaches, and in the breaches reported during the first nine months of 2022, for 66% of breaches tracked this was data exposure. Looking back at the historical data to 2019, we see that approximately two-thirds of breaches have consistently resulted in data exposure: 68% in 2021, 67% in 2020, and 64% in 2019. Thus, it is not a stretch to say that organizations will continue to fail customers' data privacy expectations.

**Not a One-and-Done Task**

Better cyber hygiene would result in few breaches of data privacy; however, cyber hygiene is not a one-and-done task. Cyber hygiene can be defined as the good practice that all organizations can follow to minimize the opportunity for cybersecurity incidents to materialize. Examples include timely patching, password management, backups, and much more.

Cyber hygiene requires constant review and updating, because malicious actors are also constantly reviewing and updating their offensive capabilities. Attacks range from ransomware-as-a-service (RaaS) to highly sophisticated nation-state and organized criminal group attacks — a significant threat landscape.

Other factors challenging good cyber hygiene include: the omnipresent security workforce shortage, that organizational data is frequently spread far and wide with no proper handle on all the locations, gray areas of responsibility when it comes to actions such as patching, the complexity of cybersecurity, and more.

Failures in cyber hygiene can lead to opportunities for breaches of data privacy. Not only does this erode customer trust in the organization, it also opens the organization to potential regulatory breaches and fines.

Data privacy legislation has been enacted around the world, and there are plenty of examples of breaches of data privacy legislation. A significant fine of €390 million was issued to Meta (which owns Facebook) for breaking EU data laws on using personal data to deliver targeted advertisements. The ruling rejected Meta's argument that when people engage with social media platforms, such as accepting terms and conditions, they are actually agreeing to receive personalized ads. The ruling was made this month (January 2023), and Meta plans to appeal the decision.

Some consumers are becoming more savvy about their data and how it should be kept private. However, apathy and lack of knowledge are also evident among customers when it comes to data privacy: Many are not always aware of what they are signing up for or don't care about what they are signing for because they get something for free.

In many parts of the world, if a company discovers a breach of data privacy regulations, it must inform its customers and support them. There are, however, many organizations that take their time to report breaches, and especially if they have not created a playbook for such a situation, they may struggle to follow the right and appropriate rules, handle any press inquiries, deal with ransomware demands, and so on.

**Take It Personally**

It is incumbent upon those responsible for data privacy at an organization to look after their customers' data in the same way that they would expect other organizations to look after personal data about them. There is no doubt that maintaining data privacy is a challenge, but it must be tackled head on as a component of winning and maintaining customer trust. Data Privacy Day serves to remind everyone that data is precious and must be looked after.

In no small part, data security focuses on maintaining data privacy. Data security is essential to the fundamental ideas of information ownership, which are dependent on a comprehensive strategy and are made up of three primary elements.

The first of these elements is data discovery, needed to successfully locate information assets that may require protection. The second element is data governance, necessary to ensure that data is managed properly while internal policies are adhered to and external compliance requirements are met. Finally, data protection is essential to prevent information from being accessed or potentially compromised by unauthorized parties.

Ultimately, organizations must focus on data security to have a hope of maintaining the confidentiality of the information they are responsible for, thus adhering to data privacy regulations and expectations.

On Data Privacy Day, Organizations Fail Data Privacy Expectations

A nasty SSRF bug in Web Services plagues a laundry list of enterprise printers.

A critical security vulnerability allowing remote code execution (RCE) affects more than 120 different Lexmark printer models, the manufacturer warned this week.

And, there's proof of concept (PoC) exploit code circulating publicly, it added — though so far, in-the-wild attacks have yet to materialize.

The bug (CVE-2023-23560), which carries a score of 9 out of 10 on the CVSS vulnerability-severity scale, is a server-side request forgery (SSRF) vulnerability in the "Web Services feature of newer Lexmark devices," according to the print giant's advisory (PDF).

The printers have an embedded Web server that allows users to view and remotely configure printer settings via an Internet portal. In a typical SSRF attack, an attacker can take over such a server and force it to make a connection either to internal resources housing sensitive information; or to external systems serving malware (or harvesting things like tokens and credentials).

Enterprise printers are a stealth entryway for threat actors into enterprise environments — but are often overlooked by IT security. However, as the community saw with the now-infamous "PrintNightmare" RCE flaw in Microsoft's Windows Print Spooler that sent security teams scrambling, they often have privileged access to internal resources, and that can be problematic.

Lexmark has issued a firmware patch and noted that disabling Web Services on TCP port 65002 altogether will also do the trick for protection.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Critical RCE Lexmark Printer Bug Has Public Exploit

Google has mounted a massive takedown, but Dragonbridge's extensive capabilities for generating and distributing vast amounts of largely spammy content calls into question the motivation behind the group.

Google's Threat Analysis Group (TAG) spent 2022 working to disrupt the online presence of pro-Chinese influence operation (IO) Dragonbridge (aka Spamoflage Dragon) in 2022, wiping out more than 50,000 instances of activity across Twitter, YouTube, Blogger, and other channels.

The report added that despite producing plenty of content, Dragonbridge failed to attract an organic audience, mainly due to the low-quality, nonsensical nature of the content, which mostly consists of apolitical, spammy, often nonsensical clips of sports, food, or animals.

Also, "blurry visuals, garbled audio, poor translations, malapropisms, and mispronunciations are also common," the report noted. "The content is often hastily produced and error-prone — for example, neglecting to remove Lorem Ipsum text from a video."

Of the 56,771 YouTube channels created by Dragonbridge and deactivated by TAG last year, nearly 60% of the channels had zero subscribers and 42% of the videos posted on these channels had zero views.

Roughly 95% of Blogger blogs received 10 or fewer views, and more than 96% of the posts had zero comments.

The report said it has closed 100,960 accounts across multiple channels, including YouTube, Blogger, and AdSense over the operation's lifetime.

The group does generate some pro-China, anti-US messaging, in Mandarin, English, and other languages: For instance, while the pro-China content praises the country's COVID-19 pandemic response, it criticizes the US for meddling in international affairs, with one video portraying voting as useless. But these themes represent a small fraction of the content.

Despite the nearly nonexistent levels of engagement, Dragonbridge continues to experiment with content formats and attempts to improve the general low quality of its efforts, the report noted.

Dragonbridge joins other China-based IO campaigns, including HaiEnergy, a fake-news influence campaign leveraging at least 72 inauthentic news sites to push content strategically aligned with the political interests of the country.

These operations can be dangerous: In the US, for instance, disinformation campaigns were deployed around last year's midterm elections in an attempt to change attitudes of undecided voters and energizing supporters to get out and vote.

Google TAG researchers say that Dragonbridge likewise has the capability to become a more potent threat.

**Ramping Up Activity During Political Flashpoints**

Dragonbridge activity ramped up in July 2022 following US House Speaker Nancy Pelosi's announcement of a possible visit to Taiwan, with the group's rhetoric growing more belligerent as the Chinese People’s Liberation Army (PLA) prepared drills around the island.

Dragonbridge "displayed unusually coherent behavior in using uniform hashtags and titles across channels, while swiftly and repeatedly uploading topical, high-production-value content that was not interspersed with the usual misdirecting spam," the report noted.

Despite the lack of community engagement and seemingly slipshod content, Dragonbridge manages an extensive network of Google accounts that it likely obtains from bulk account sellers, which had been previously acquired for financially motivated activity before going dormant.

The report also noted that Dragonbridge is experimenting with higher-quality forms of content with real human voices instead of computer-generated narration, more sophisticated "news-like" chat formats, and animated political segments.

The persistent level of content distribution and the network's attempts at innovation when it comes to tactics and techniques are a continued cause for concern, TAG noted.

**Dragonbridge to Nowhere?**

"What's interesting is that nobody is questioning the volume of resources expended to address this," says Andrew Barratt, vice president at Coalfire, a provider of cybersecurity advisory services. "This could be mechanism used as part of a bait-and-switch style scam, keeping Google busy with lots of takedowns — this content is clearly not being watched."

Mike Parkin, senior technical engineer at Vulcan Cyber, a provider of software-as-a-service (SaaS) for enterprise cyber-risk remediation, adds while it may not appear successful, there are plenty of people out there who will fall for even the most outrageous misinformation.

"While these appear ineffective, even against the gullible, there's a good probability that there are a lot of them out there that are more successful and have managed to evade deletion," he says.

Parkin adds there are multiple possible reasons for doing what the group seems to be doing, from simply wasting resources to using these obviously spammy accounts for training a machine learning model on how to avoid being identified and removed.

Barratt agrees Dragonbridge's relentless onslaught could just be an indication of capability, showing that the group can find ways to drain Google's resources using its own tools against it.

"The level and depth of effort here goes way beyond the traditional script-kiddie disruptions, indicating it could even be a group looking to show off capabilities," he adds. "Nobody seems to be saying directly that it's a state-sponsored endeavor, which could perhaps be to wave off further political tensions."

Parkin cautions that while It looks like the threat is "script-kiddie level", that may be a mask for something more subtle.

"While it may not be an actively state-sponsored group, the sheer volume does imply more resources than the typical script kiddies can pull together," he says.

Barratt points out that with access to major cloud providers, scale is easily achievable by anyone — but the interesting piece of this is that a lot of the real cost is absorbed by the platforms being focused on.

"Custom bot development can spin up accounts, drop content, and then move to promote it; \[it is really a small expense for Dragonbridge\] compared with the cost of hosting the video, reviewing it, and taking it down," he says. "It's a very high return on investment if you measure your returns in the cost your adversary faces."

From his perspective, this is more likely to be a disinformation equivalent of performing military maneuvers at the border.

"Someone is showing someone else what they can do and how hard it is to stop," he says.

Parkin adds it's possible to programmatically create multiple accounts, post videos, and cross-link them all in the comments.

"If that’s how it's being done, then it doesn't take massive resources, and it's possible a small group with the right skills could pull it off," he says. "But without looking at Google's data, it's hard to say whether that's what was done here."

Dark Reading reached out to Google TAG for clarification, and will update this post with any additional information.

Google: Influence Operator Dragonbridge Floods Social Media in Sprawling Cyber Campaign

An academic analysis of website defacement behavior by 241 new hackers shows there are four clear trajectories they can take in future, researchers say.

Tracking malicious hackers' early activities using open source intelligence can offer substantial clues about the likelihood of their becoming a persistent threat in the future, two university researchers claimed in a report this week.

That knowledge can help guide early intervention efforts to nudge fledgling hackers off their criminal trajectories, they noted.

Christian Howell, assistant professor in the Department of Criminology at the University of South Florida, and David Maimon, a professor at Georgia State University's Department of Criminal Justice & Criminology, recently tracked 241 new hackers engaged in website defacements for a period of one year.

**Early Intervention for Fledgling Hackers**

Howell and Maimon identified hackers as new for their study based on information the individuals posted on Zone-H, a platform that malicious actors widely use to report website defacements. Hackers basically upload evidence of their attack, including their moniker, the defaced website's domain name, and an image of the defaced content to Zone-H. Once administrators there verify the content, they post the information to the archive, where it is publicly viewable. Zone-H currently maintains records of more than 15 million attacks that have resulted in website defacements over the years.

The two researchers tracked each of the hackers for a period of 52 weeks from their first disclosed website defacement on Zone-H. Because many attackers use the same online aliases across platforms to establish their reputation and status, the researchers were able track them across multiple environments, including social media channels such as Facebook, Twitter, Telegram, and YouTube.

"Based on a hacker's behavior in the first few months of their career, you can predict where they are going to be further on in their career," Maimon says. "We can definitely nudge these actors away from a life of cybercrime," by intervening early, he adds.

Maimon points to previous research that he was part of, along with Howell and another researcher, that showed early intervention can have an impact on budding criminal behavior. In the study, the researchers — purporting to be hackers themselves — sent direct messages to a selected group of hackers about alleged lawenforcement efforts targeting those involved in defacement activity. The messages prompted many of those who received them to cut back their defacement activity, apparently out of concern about law enforcement tracking them down, he says.

**Four Distinct Trajectories**

They collected information about the total number of attacks that each hacker carried out during the one-year period, analyzed the content of their website defacements, and gathered open source intelligence about the hackers from social media and underground sites and forums.

The data showed that 241 hackers defaced a total of 39,428 websites in the first year of their malicious hacking careers. An analysis of their behavior revealed that new hackers follow one of four trajectories: low threat, natural desisting, increasingly prolific, and persistent.

A plurality of the new hackers (28.8%) fell into the low-threat category, which basically meant they engaged in very few defacements and did not increase their attack frequency through the year. Some 23.9% were naturally desisting, meaning they began their careers with substantial velocity but then appeared to lose interest quickly. Hackers in this category included politically motivated hacktivists who likely lose sight or got bored of their cause, the researchers surmised.

Hackers in the more troublesome categories were the 25.8% who engaged in an increasing number of attacks over the course of the year and the 21.5% in the persistent category who started with a substantial number of attacks and maintained that level through the year.

"Increasingly prolific hackers engage in more attacks as they advance in their career, while persistent threats continually engage in a large number of attacks. Both are problematic for system admins," Howell says. He notes that it's hard to say for sure what percentage of the hackers in the study engaged in other forms of cybercrime besides website defacements. "But I found several selling hacking services on the Dark Web. I suspect most — if not all — engage in other forms of hacking."

**Telltale Signs**

The two researchers found that hackers who had a high level of engagement on social media platforms and reported their website defacements to multiple archives tended to also be the more persistent and prolific actors. They also tended to disclose their aliases and ways to contact them on sites they defaced. Howell and Maimon chalked the behavior up to attempts by these actors to establish their brand as they prepared for a long-term career in cybercrime. 

Often, these actors also indicated they were part of broader teams or became part of a broader group. "New hackers are typically recruited by existing teams with more sophisticated members," Howell says.

The study showed that cyber intelligence from publicly available sources is useful in forecasting both threats and emerging threat actors, Howell says. He notes that the focus now is on developing AI algorithms that can help improve these forecasts going forward.

How Noob Website Hackers Can Become Persistent Threats

OpenAI's chatbot has the promise to revolutionize how security practitioners work.

ChatGPT took the world by storm after OpenAI opened it for testing on Nov. 30, 2022. For an industry calloused by years of largely unsatisfying AI and machine learning "innovations," the reactions have been quite telling. Like many who are excited by its potential, I believe this is finally the moment of clarity for how truly revolutionary AI can be for information security.

It's also quite sobering, as there are already countless examples of how it changes the game for black hats of all stripes. In one of the first proofs-of-concept, NYU professor Brendan Dolan-Gavitt used ChatGPT to exploit a buffer overflow vulnerability. Other examples include writing malware with lightning speed and crafting convincing, grammatically correct phishing emails.

The weaponization of AI within cybersecurity is not new, but what excites me the most about ChatGPT is its potential for closing information security's biggest gap: the lack of sufficient talent, in both breadth and depth of cybersecurity skills (i.e., specializations). To illustrate this further, here are three ways ChatGPT will change infosec in 2023.

**Advancing Crowdsourced Threat Intelligence**

For quite some time, one of the industry's holy grails has been successfully crowdsourcing threat intelligence. The promise stems from the ability to see what's happening across a wide swath of companies within a single vertical industry. Unfortunately, the greatest impediment has been the lack of trust between organizations to share the intelligence.

This is the problem that the array of ISACs across industries have been trying to solve — with mixed results. Going forward, an information sharing and analysis center (ISAC) could take an iteration of the ChatGPT model with its natural language interface and feed it log data submitted by ISAC constituents, based on implicit trust within the group. The ISAC could then use ChatGPT to correlate network connections, categories of malicious IP addresses and domains, and similar behaviors. The results could produce a set of IDS rules that the ISAC constituents should implement to protect themselves from threats. The ISAC also would gain insight into the overall risk posture of the industry it represents.

**Doing More With Existing Resources**

The uncertain economy is putting pressure on security organizations to implement hiring freezes to squeeze more productivity out of existing resources. ChatGPT can be extremely beneficial here as a force multiplier that enables one analyst to do the job of multiple people.

Generalists and entry-level staff can describe what they are seeing in alerts and detections, and then ask ChatGPT to decipher their observations to jumpstart the triage process. A specific example is helping with practitioners' daily de-obfuscation of suspected malicious code, which typically takes an hour or more. It now can be performed in seconds.

ChatGPT also has the potential to transform incident response. A team can use the existing model and natural language processing to feed all available data about an incident and describe the rationale for a potential response. ChatGPT could then immediately prove or disprove a theory about a compromise. Today, that involves several days of work by an incident response lead, an engineer, and several analysts to fully resolve an incident. I can foresee a future where the process doesn't need an analyst at all.

**Taking the Malware Cat-and-Mouse Game to a New Level**

Today, adversaries generate 100 million new malware samples per year. Because they all require manual coding, it is still a finite, manageable amount for signature detection. With ChatGPT, however, a hacker can say, "Here's what I'm trying to do, and here's the OS I'm trying to do it on," and it can generate hundreds of thousands of iterations of one piece of malware.

This will mean that the detection engines' ML models must be recomputed faster. It's far more complicated, because they're working against a much larger data set. Fortunately, ChatGPT will supercharge the reverse-engineering process and give anti-malware efforts a fighting chance.

For instance, a significant reverse engineering challenge is working with a generic file name, which doesn't provide necessary context about where it was found. This requires much more manual work to identify the system for which it was built. There are minor changes in binary assembly that have marked changes on the end result — e.g., was it written for a 32-bit or 64-bit architecture? Is the system using Little Endian or Big Endian? The answers determine the direction in which you read the machine language (forward or backward).

All these efforts require trial and error if you have no context. ChatGPT can run through these iterations at blazing speed and give reverse engineers the final assembly language and process it from there. They can take it further and have ChatGPT tell them what it thinks the application is doing — in natural language. More importantly, ChatGPT could do all of this at scale, analyzing hundreds of thousands of binary samples and proving insights to an analyst.

It also can help fight back against common cat-and-mouse techniques. For example, malware often contains anti-reverse engineering techniques, such as nested loops, to make it much harder for reverse engineers to keep track of what is happening and the end state. ChatGPT can figure that out much faster than humans. It also can analyze the genetic code of the malware and see where there may be code reuse to identify the fingerprint of the author more quickly.

**Long-Term Implications**

Whenever new advances in AI come to fore, there is the inevitable concern about whether it will replace humans and their jobs. I don't believe ChatGPT will make this happen, but it will make us more powerful consumers of information. The force multiplier effect will be profound at all levels. I can see CISOs feeding it a set of information about its risk register for it to return policies and procedures, incident response plans, and more — all tailored to their environments.

While ChatGPT is only a research preview, I share the excitement of my industry colleagues about its promise to revolutionize how security practitioners work.

3 Ways ChatGPT Will Change Infosec in 2023

Highlighting continued attacks on game developers, attackers stole source code from and issued a ransom demand to the maker of League of Legends.

Cyberattackers have compromised and demanded a ransom from Riot Games, the developer behind the popular League of Legends game, in the latest attack to target video-game makers.

In a series of posts on Twitter, Riot Games acknowledged the breach this week and confirmed that the attackers had exfiltrated source code for the League of Legends (aka LoL) and Teamfight Tactics (TFT) games, as well as source code for an older anti-cheat platform. The attackers issued a ransom demand for $10 million, threatening to otherwise release the source code.

The attack disrupted Riot Games' development environment but appears to have failed to compromise player data, the company stated.

"We've made a lot of progress since last week and we believe we’ll have things repaired later in the week, which will allow us to remain on our regular patch cadence going forward," the company said on Twitter. "The League and TFT teams will update you soon on what this means for each game."

Riot Games joins other major video-game makers as a victim of online attackers. In September, Take Two Interactive's Rockstar Games — the maker of Grand Theft Auto — acknowledged that an unknown third party had compromised its network and gained access to videos and files for its coming Grand Theft Auto 6. And in 2021, cybercriminals used social engineering to gain access to the Slack channel for developers at Electronic Arts, giving them access to source code for the company's FIFA 21 and Battlefield franchises.

More recently, Rockstar Games has scrambled over the past week to deal with hackers exploiting vulnerabilities in the PC version of its Grand Theft Auto Online.

Industry analysts estimate that more than half of the US population plays games, with games on mobile devices about twice as popular as those on PCs or consoles. And attackers go where the people are, Tonia Dudley, CISO at Cofense, said in a statement to Dark Reading.

"In recent years, the gaming sector has become an increasingly popular target for cybercriminals," she said. "As investments in everything from e-sports to video games have increased, cyberattacks — particularly distributed denial-of-service (DDoS) attacks — have skyrocketed."

**Cyberattackers Playing Games**

Part of the reason that attackers focus on video-game makers is the large overlap between gamer and hacker interests. For instance, some are driven by a desire to find cheats to gain an advantage in online play. 

Attacks targeting online gamers typically make up a plurality of DDoS attacks detected each year and accounted for 46% of all attacks in 2020.

Cybercriminals also often target game makers that, arguably, have alienated their fan bases. In February 2021, for example, hackers targeted CD Projekt Red — the maker of the Witcher and Cyberpunk 2077 video games — because they were angry with the buggy state of the Cyberpunk 2077 game.

Yet games also make good platforms to distribute malware. Pirated games are often a vector for opportunistic malware. With most games connected to, and downloading data from, the Internet, games and their online services make ideal vectors of attack, says Boris Larin, lead security researcher at Kaspersky’s Global Research and Analysis Team.

"\[T\]hey have compromised a victim's build environments to conduct supply chain attacks, \[which\] could be considered as a very effective strategy for infection of a large number of PCs with a single attack," he says. "Massive multiplayer online (MMO) games have large user bases, and those users expect to receive automatic updates, so if attackers Trojanize a game update, a very large portion of players will be infected all at once."

**No Pay to Play**

Riot Games' response to the attack highlights another trend in the industry: Victims of ransomware attacks are refusing to pay. Last week, digital currency trackers estimated that ransomware revenues fell nearly 40% to nearly $460 million, with the average attack returning less in revenue per transaction.

The cybercriminals behind the attack on Riot Games demanded $10 million to not release the company's source code, according to an article in Motherboard.

Riot Games had a simple response.

"Today, we received a ransom email," the company stated in its post to Twitter. "Needless to say, we won't pay."

Riot Games handled the notification aspect of the breach very well, laying everything out to its customers, noting that personal information was likely not compromised, and detailing what code had been stolen, according to Kaspersky's Larin.

"We think that Riot Games did the right thing choosing not to pay," he says. "If you become a victim, never pay the ransom. \[Paying\] will not guarantee you get your data back nor that it will not be leaked online, but it will encourage criminals to continue their business."

Riot Games plans to release a full report on the incident to the public, "detailing the attackers' techniques, the areas where Riot's security controls failed, and the steps we’re taking to ensure this doesn’t happen again," the company stated.

Riot Games Latest Video-Game Maker to Suffer Breach

Whether you dream of your child growing into a CISO or just want them to improve their security hygiene, consider this roundup of literary geekery.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

A Child's Garden of Cybersecurity

Hackers don't need a key to get past your defenses, if they can essentially teleport using RMMs, warns CISA and the NSA.

It has come to light that hackers cleverly utilized two off-the-shelf remote monitoring and management systems (RMMs) to breach multiple Federal Civilian Executive Branch (FCEB) agency networks in the US last summer.

On Jan. 25, the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint advisory detailing the attacks, warning the cybersecurity community about the malicious use of commercial RMM software, and offering mitigations and indicators of compromise to watch out for.

IT service providers use RMMs to remotely monitor and manage clients' networks and endpoints. But hackers can use the same software to bypass typical software control policies and authorization requirements on victim computers — as the US government found out.

**How Hackers Breached the Government With RMMs**

Last October, CISA conducted a retrospective analysis of Einstein — its intrusion detection system, deployed across FCEB agencies. The researchers found, perhaps, more than they'd bargained for.

In mid-June last year, hackers sent a phishing email to an FCEB employee's government address. The email prompted the employee to call a phone number. Calling the number prompted them to visit a malicious Web address: "myhelpcare.online."

Visiting the domain triggered the download of an executable, which then connected to a second domain, which is where two RMMs — AnyDesk and ScreenConnect (now ConnectWise Control) — came into play. The second domain didn't actually install AnyDesk and ScreenConnect clients onto the target's machine. Instead, it went backward: downloading the programs as self-contained, portable executables, configured to connect back to the threat actor's server.

Why does this matter? "Because," the authoring organizations explained, "portable executables do not require administrator privileges, they can allow execution of unapproved software even if a risk management control may be in place to audit or block the same software's installation on the network."

Having made a mockery of admin privileges and software controls, the threat actors could then use the executable "to attack other vulnerable machines within the local intranet or establish long term persistent access as a local user service."

It turns out, though, that the June compromise was merely the tip of an iceberg. Three months later, traffic was observed between a different FCEB network and a similar domain — "myhelpcare.cc" — and further analysis, the authors recalled, "identified related activity on many other FCEB networks."

Despite targeting government employees, the attackers appear to have been financially motivated. After connecting to target machines, they enticed victims to log in to their bank accounts, then "used their access through the RMM software to modify the recipient’s bank account summary," the authors wrote. "The falsely modified bank account summary showed the recipient was mistakenly refunded an excess amount of money. The actors then instructed the recipient to 'refund' this excess amount to the scam operator."

**Why Hackers Like RMMs**

Hackers have a long history of utilizing legitimate software for illegitimate ends. Most popular are red-team tools — like Cobalt Strike and Metasploit — which cyber defenders use to test their own systems but can be seamlessly applied in the same way in an adversarial context.

Even software with no obvious relationship with cybersecurity can be repurposed for evil. As just one example, North Korean hacking clusters have been observed hijacking email marketing services to send phishing lures past spam filters.

In this case, RMMs have become ubiquitous in recent years, allowing attackers who use them an easy way to hide in plain sight. More than anything, though, it's the degree of autonomy that RMMs require in order to perform their normal functions that hackers turn to their advantage.

"Many RMM systems use tools that are built into the operating system," Erich Kron, security awareness advocate at KnowBe4, explains to Dark Reading. "These, as well as purpose-built RMM tools, typically have very high levels of system access, making them very valuable to attackers."

"To add to the issue," Kron notes, "RMM tools are often excluded from security monitoring as they can trigger false positives and appear malicious and unusual when doing their legitimate work."

Added together, "it makes the activities much harder to spot as they blend in with normal computing operations," he adds. Organizations that manage to spot the difference will find further headaches in preventing malicious use of RMMs, while maintaining legitimate use of RMMs over the same systems.

It's no wonder, then, that more hackers are adopting these programs into their attack flows. In a Jan. 26 report covering their incident response findings from the fourth quarter of 2022, Cisco Talos made special note of Syncro, an RMM they encountered in nearly 30% of all engagements.

It was "a significant increase compared to previous quarters," Talos researchers explained. "Syncro was among many other remote access and management tools, including AnyDesk and SplashTop, that adversaries leveraged to establish and maintain remote access to compromised hosts."

To conclude their notice, the NSA, CISA, and MS-ISAC suggested steps that network defenders can take to combat RMM-enabled attacks, including:

*   Good hygiene and awareness around phishing,
*   Identifying remote access software on your network and whether it's only being loaded into memory,
*   Implementing controls against, and auditing for, unauthorized RMMs running as a portable executable,
*   Requiring that RMMs only ever be used over approved virtual private networks and virtual desktop interfaces, and
*   Blocking connections on common RMM ports and protocols at the network perimeter.

Federal Agencies Infested by Cyberattackers via Legit Remote Management Systems

The accused sold an enormous data set stolen from the Austrian radio and television licensing authority — to an undercover cop.

The stolen personal information of tens of millions of people from across the world was put up for sale on a cybercrime forum by a 25-year-old from the Netherlands, according to authorities.

He's now in custody after he sold it to an undercover Austrian cop, Dutch prosecutors said.

The data was lifted from an Austrian radio and television licensing agency and contained personal data on residents of Britain, China, Colombia, Thailand, and the Netherlands, Dutch prosecutors allege.

The unnamed accused, who lives in Amsterdam, has been in Dutch custody for three months, according to reports, but the arrest was just made public this week.

"The man is suspected of trading the personal details of tens of millions of people, stolen from all over the world," Dutch prosecutors told Agence France-Presse.

The suspect faces charges related to stealing personal data, breaking into computer systems, and laundering cryptocurrency.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading