CISA, FBI, and South Korean intelligence agencies warn that the North Korean government is sponsoring ransomware attacks to fund its cyber-espionage activities.

Organizations in the US healthcare and public health sector are among the top targets for state-sponsored North Korean cyber-threat actors seeking to fund espionage activities via ransomware and other attacks.

That's the assessment of the US Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the US Department of Health and Human Services, and South Korean intelligence agencies. In a joint advisory Feb. 9, the group described the North Korean government as using revenues — in the form of cryptocurrency — from these ransomware attacks to fund other cyber operations that include spying on US and South Korean defense sector and defense industrial base organizations.

**State-Sponsored Ransomware Attacks With a Mission**

"The authoring agencies assess that an unspecified amount of revenue from these cryptocurrency operations supports DPRK national-level priorities and objectives," the advisory said.

The alert also cautioned ransomware victims in healthcare and critical infrastructure sectors against paying ransoms. "Doing so does not guarantee files and records will be recovered and may pose sanctions risks," it said.

There is little in the advisory to indicate whether it was prompted by new threat intelligence or word about imminent attacks. But it comes amid a continuing increase in ransomware attacks against healthcare entities overall. A report by the Journal of the American Medical Association (JAMA) earlier this year identified a doubling in the number of ransomware attacks against healthcare entities between 2016 and 2021. Of the total 374 ransomware attacks on US healthcare organizations during that period, some 44% disrupted heathcare delivery.

The most common disruptions included systems downtime, cancellations of scheduled care, and ambulance diversions. JAMA's study found an increase especially in ransomware attacks against large healthcare organizations with multiple facilities between 2016 and 2021.

A June 2022 report from Sophos showed 66% of healthcare organizations experienced at least one ransomware attack in 2021. Sixty-one percent of those attacks ended with the attackers' encrypting data and demanding a ransom for the decryption key.

"Healthcare saw the highest increase in volume of cyberattacks (69%) as well as the complexity of cyberattacks (67%) compared to the cross-sector average of 57% and 59% respectively," Sophos said.

**New Intel, New Tactics**

CISA's latest cybersecurity advisory this week updates its earlier guidance on state-sponsored ransomware attacks from North Korea directed against the US healthcare and public health sector. It highlighted multiple tactics, techniques, and procedures (TTPs) that North Korean cyber actors are currently employing when executing ransomware attacks against healthcare targets. Most of the TTPs are typical of those observed with ransomware attacks and include tactics like lateral movement and asset discovery.

The advisory also highlighted several ransomware tools — and associated indicators of compromise (IoCs) — that North Korean actors have been using in attacks on healthcare organizations. Among them were privately developed variants such as Maui and H0lyGh0st and publicly available encryption tools such as BitLocker, Deadbolt, Jogsaw, and Hidden Tear.

"In some cases, DPRK actors have portrayed themselves as other ransomware groups, such as the REvil ransomware group," in an attempt to evade attribution, the advisory said.

In addition to obfuscating their involvement by operating with other affiliates and foreign third parties, North Korean actors frequently use fake domains, personas, and accounts to execute their campaigns, CISA and the others said. "DPRK cyber actors will also use virtual private networks (VPNs) and virtual private servers (VPSs) or third-country IP addresses to appear to be from innocuous locations instead of from DPRK."

The advisory highlighted some of newer software vulnerabilities that state-backed groups in North Korea have been exploiting in their ransomware attacks. Among them were the Log4Shell vulnerability in the Apache Log4j framework (CVE-2021-44228) and multiple vulnerabilities in SonicWall appliances.

CISA's recommended mitigations against the North Korean threat included stronger authentication and access control, implementing the principle of least privilege, employing encryption and data masking to protect data at rest, and securing protected health information during collection, storage, and processing.

The advisory also urged healthcare entities to maintain isolated backups, develop an incident response plan, update operating systems and applications, and monitor remote desktop protocol (RDP) and other remote access mechanisms.

Healthcare in the Crosshairs of North Korean Cyber Operations

Killnet claims DDoS attack against NATO Special Operations Headquarters, Strategic Airlift Capability, and more.

NATO's Special Operations Headquarters and Strategic Airlift Capability — both working to deliver humanitarian aid to victims of the recent Turkish-Syrian earthquake — were among NATO organizations disrupted by a weekend cyberattack.

Russian-based Killnet threat group has claimed responsibility for launching distributed denial-of-service (DDoS) attacks against NATO, according to reports.

"We are carrying out strikes on NATO," Killnet wrote on its Telegram channel, according to The Telegraph.

Reports added NATO's NR network, reportedly used to transmit sensitive and classified data, was also targeted. Besides knocking sites temporarily offline, the cyberattack disrupted communications between NATO and at least one of its airplanes transporting search and rescue equipment to Incirlik Air Base in Turkey, The Telegraph reported.

A devastating earthquake hit in southeastern Turkey and Syria on Feb, 6 and along with its aftershocks. has already claimed 35,000 lives. Emergency workers from around the world have converged on the area to join in efforts to pull survivors from the rubble.

"NATO cyber experts are actively addressing an incident affecting some NATO websites," a NATO spokesperson told The Telegraph confirming the hack. "NATO deals with cyber incidents on a regular basis, and takes cyber security very seriously."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Russian Hackers Disrupt NATO Earthquake Relief Operations

The cyberwar to attack Russia has never really stopped, despite a decreasing interest from the West.

Almost a year ago, Russia invaded Ukraine.

Due to the unprovoked aggression by Russia, worldwide condemnation was quickly followed by a call to arms to help Ukraine, both on the ground and in cyberspace. #OpRussia was born.

A year on, you'd be forgiven for thinking that #OpRussia had died down. What happened to it? What did it achieve?

First, let's look at the numbers and the participants. While it's hard to pin down exactly how many people are active in the cyberwarfare aspect of the conflict, estimates range from 150,000 to 400,000, based on the number of subscribers to various Telegram channels. Count active subscribers to the various Discord channels and active reactions to such posts, however, and you get closer to 200,000 — many of which are found in the IT army Telegram channel, the main repository for target listing and action in the ongoing cyberwarfare.

To confuse matters, there are also participants in various auxiliary organizations that have flocked to the Ukrainian banner. Hacken.io — a bug bounty outfit based out of Kyiv that specializes in security of crypto tokens, extended the call to arms to its own army of hackers. While the initial callout was to find vulnerabilities in Russian infrastructure, this was walked back a few weeks later to protect Ukrainian infrastructure. Then we have Anonymous (the infamous, nebulous organization that anyone can identify with), which pushed the #OpRussia tag to prioritize attacks against Russian interests in cyberspace. On top of this, disparate hackers and entities joined the fray. For example, Network Battalion 65, a pro-Ukrainian outfit, appeared on Twitter in February 2022 and almost immediately started compromising high-profile Russian targets with alarming regularity, under the #OpRussia banner.

**The Tools and Initiatives**

A lot of high-profile initiatives were born from the drive to damage Russian interests (and, eventually, Western entities that still maintained a presence in Russia). The most popular and still actively used is Disbalancer (also called "Liberator"), a DDoS tool used to take down infrastructure targets. The barrier to entry for this tool is extremely low: simply download the flavor of your choice — Windows, Mac, or Linux — and run it, and your bandwidth is used to attack a rotating target list.

Disbalancer has had remarkable success, with an average running load of 3,000 users (still a formidable botnet), with peaks of more than 34,000 users. The tool has had more than 200,000 downloads to date. There is a rotating target list of up to a dozen targets, and Disbalancer claims to have attacked more than 700 Russian targets.

On top of this were some more esoteric efforts, such as PlayforUkraine.life, a simple Web-based game of 2048, which performed application-level DDoS in the background. This was responsible for taking down Alfabank, Russia's largest domestic bank. PlayforUkraine.life isn't active anymore and seems to have gone quiet in mid-July or August of last year.

Another such site is WasteRussianTime.today, which automatically connected two government officials with each other. As the name implies, the only outcome was wasted time and some hilarious results. The website is currently showing a 502 error and looks like it went out of action in about June or July of last year.

**The Impact and Breaches**

The one notable constant in the cyber conflict is how the Russian mythos of invulnerability has quickly evaporated (a parallel can be drawn here to its "physical" forces too). The breaches from February to August would be too numerous to list here, but for brevity I've listed the biggest ones. (For similar reasons I've also omitted DDoS takedowns, as these are now in the hundreds of targets.)

At the top of the list we have Roskomnadzor, at a whopping 900GB. It effectively is the mass surveillance department for the Russian population. This was quickly followed up byVGTRK — the Russian state broadcaster, essentially a propaganda mouthpiece for the Kremlin — that was 20 years' worth of emails and 700GB of data. Then lots of other government affiliated entities follow: Rosatom (state nuclear agency), the Central Bank of Russia, Gazprom, Petrofort, the Russian interior ministry, Transneft, SberBank, the Federal Security Service, and even the Russian Orthodox Church all get their turn. For the first six months of 2022, the Russian government was suffering a breach every three days, for a total equivalent of 20TB (!) of breached data in the first few months of the war.

This is only counting the leaks made public via various entities such as Ddossecrets.com, where most of these leaks can be found.

But then, after the first six months, things got a bit quiet. Even the most prolific actor on the scene, Network Battalion 65 — which was tearing through Russian companies since February — went dark in August 2022 and never resurfaced. In its wake, more than 20 high-profile breaches and something north of 4TB of data leaked by them alone in the space of four months.

**So, What's Happening Now, and Why Have Things Subsided?**

The cyberwar never really stopped, and the attacks rumble on at a lower rhythm, but the intensity remains. At the time of this writing, for example, atol.ru (tech company supporting automation) and ofd.ru (a cloud company) are the current targets of the IT army of Ukraine, and that's not mentioning the dozen or so rotating targets of the Disbalancer tool.

Interest in Ukraine has sadly waned in the Western press as the conflict rumbles on. Google Trends shows that, aside form a large peak in February/March 2022 and a follow-up jump in May, interest in Ukraine in search terms has slowly decreased. The impact on the overall course of the war, however, remains unclear, and if anything proves that true cyberwar is a long way off and that the real outcome of the war will be decided in real space with guns and steel.

What Happened to #OpRussia?

A tailored spear-phishing attack successfully convinced a Reddit employee to hand over their credentials and their one-time password, but soon after, the same worker notified security.

The latest hack of a well-known company highlights that attackers are increasingly finding ways around multifactor authentication (MFA) schemes — so employees continue to be an important last line of defense.

On Jan. 9, Reddit notified its users that a threat actor had successfully convinced an employee to click on a link in an email sent out as part of a spearphishing attack, which led to "a website that cloned the behavior of our intranet gateway, in an attempt to steal credentials and second-factor tokens." 

The compromise of the employee's credentials allowed the attacker to sift through Reddit's systems for a few hours, accessing internal documents, dashboards, and code, Reddit stated in its advisory.

The company continues to investigate, but there's no evidence yet that the attacker gained access to user data or production systems, Reddit CTO Chris Slowe (aka KeyserSosa) stated on a follow-up AMA.

"It is extremely difficult to prove a negative, and also why, as mentioned, we are continuing investigating," he said. "The burden of proof right now supports that access was limited to outside of the main production stack."

Reddit is the latest software company to fall prey to a social engineering attack that harvested workers' credentials and led to a breach of sensitive systems. In late January, Riot Games, the maker of the popular League of Legends multiplayer game, announced it had suffered a compromise "via a social engineering attack," with the threat actors stealing code and delaying the company's ability to release updates. Four months earlier, attackers successfully compromised and stole source code from Take Two Interactive's Rockstar Games studio, the maker of the Grand Theft Auto franchise, using compromised credentials.

The cost of even minor breaches caused by phishing attacks and credential theft continues to be high. In a survey of 1,350 IT professionals and IT security managers, three-quarters (75%) said that their company had suffered a successful email attack in the past year, according to the "2023 Email Security Trends" report published by Barracuda Networks, a provider of application and data protection. In addition, the average firm saw its most expensive such attack cause more than $1 million in damages and recovery costs.

Still, companies feel prepared to deal with both phishing and spear-phishing, with only 26% and 21% of respondents fearing they were unprepared. That's an improvement from the 47% and 36%, respectively, who worried their firms were unprepared in 2019. Concerns over account takeover have become more common though, the report found.

"\[W\]hile organizations may feel better equipped to prevent phishing attacks, they are not as prepared to deal with account takeover, which is usually a by-product of a successful phishing attack," the report stated. "Account takeover is also a bigger concern for organizations with the majority of their employees working remotely."

**More Proof That 2FA is Not Enough**

To head off credential-based attacks, companies are moving to MFA, usually in the form of two-factor authentication (2FA), where a one-time password is sent via text or email. Reddit's Slowe, for example, confirmed that the company required 2FA. "Yup. It's required for all employees, both for use on Reddit as well for all internal access," he said during the AMA.

But techniques like MFA fatigue or "bombing" — as seen with last fall's Uber attack — make getting around 2FA a simple numbers game. In that scenario, the attackers send out repeated targeted phishing attacks to employees until someone gets tired of the notifications and gives up their credentials and the one-time password token.

Moving to the next level beyond 2FA is starting to happen. Providers of identity and access management technologies, for instance, are adding more information around access requests, such as the user's location, to add context that can be used to help determine whether access should be authenticated, says Tonia Dudley, CISO at Cofense, a phishing protection firm.

"Threat actors will always look for ways to navigate around the technical controls we implement," she says. "Organizations should still implement the use of MFA and continue to tune the control to protect employees."

**Employees Are Key to Cyber Defense**

Ironically, the Reddit hack also demonstrates the advantages that employee training can deliver. The employee suspected something was wrong after entering credentials into the phishing site, and soon after contacted Reddit's IT department. That reduced the attacker's window of opportunity and limited the damage.

"It's time we stop looking as employees as a weakness and instead looking at them as the strength they are, or can be, for organizations," Dudley says. "Organizations can only tune the technical controls so far ... employees can offer that additional context of, 'this just doesn't seem right.'"

The employee at the center of the Reddit breach will not face long-term, punitive action, but did have all access revoked until the problem was resolved, Reddit's Slowe said in the follow-up AMA.

"The problem, as ever, is that it only takes one person to fall for \[a phish\]," he said, adding, "I'm exceedingly grateful the employee, in this case, reported that it happened when they realized it happened."

Reddit Hack Shows Limits of MFA, Strengths of Security Training

The US Treasury Department linked the notorious cybercrime gang to Russian Intelligence Services because cyberattacks that disrupted hospitals and other critical infrastructure align with Russian state interests.

The US and the UK have issued joint sanctions against alleged members of the TrickBot cybercrime gang for their role in cyberattacks against critical infrastructure.

Trickbot, as a malware, began life as a lowly banking Trojan before its authors started adding modules for other forms of malicious activity. It thus evolved into a multifaceted cyber-Swiss Army knife, often used as a first- or second-stage implant that, once ensconced on a victim machine, fetches ransomware or other payloads. The group ultimately grew into to acting as a ransomware affiliate for Conti and other groups. 

"During the height of the COVID-19 pandemic in 2020, Trickbot targeted hospitals and healthcare centers, launching a wave of ransomware attacks against hospitals across the United States," according to an announcement from the US Treasury Department. "In one of these attacks, the Trickbot Group deployed ransomware against three Minnesota medical facilities, disrupting their computer networks and telephones, and causing a diversion of ambulances. Members of the Trickbot group publicly gloated over the ease of targeting the medical facilities and the speed with which the ransoms were paid to the group."

The announcement, intriguingly, ties the seven sanctioned people to Russian Intelligence Services, since the 2020 attacks "aligned them to Russian state objectives and targeting previously conducted by Russian Intelligence Services. This included targeting the US government and US companies." Trickbot has previously been widely considered to be a financially motivated cybercrime gang, Russian-speaking but not Russia-sponsored.

The sanctioned individuals are:

*   Vitaly Kovalev, aka Bentley or Ben
*   Maksim Mikhailov, aka Baget
*   Valentin Karyagin, aka Globus
*   Mikhail Iskritskiy, aka Tropa
*   Dmitry Pleshevskiy, aka Iseldor
*   Ivan Vakhromeyev, aka Mushroom
*   Valery Sedletski, aka Strix

The sanctions mean that the government can seize any assets that they may have in the US or UK, and it prevents US- and UK-based organizations and individuals from doing business with them. All seven perps remain at large, presumably under the comforting protection of the Russian state, which continues to look the other way when it comes to cybercriminals residing within its borders.

"These sanctions are a welcome sight although they may be academic," Timothy Morris, chief security adviser at Tanium, tells Dark Reading. "What it would, or should do, is make it harder for the seven involved to launder their ill-gotten gains. Also, they will probably be careful with any vacation plans for fear of capture or extradition. It is good to see sanctions and takedowns that have cross-jurisdiction cooperation."

As for the gang itself, a law-enforcement takedown in 2020 saw its activity slowly "wither," according to a report last year from Intel 471, with the malware's operators instead turning to the Emotet botnet to continue its incursions into businesses.

"We've not seen any Trickbot activity since the Feb. 2022 blog post," Michael DeBolt, chief intelligence officer at Intel 471, said in an emailed statement. "It is highly likely that Trickbot won't be seen again. One possible scenario is that the source code may be sold or leaked, and other threat actors could re-use it or fork the source into a new project."

Trickbot Members Sanctioned for Pandemic-Era Ransomware Hits

**FARGO, N.D.** **and** **LONDON****,** **Feb. 10, 2023** **/PRNewswire/ --** Integreon, a trusted worldwide provider of tech-enabled legal and business outsourced services, announced today the development of CyberHawk-AI, an advanced automated technology that utilizes artificial intelligence (AI) to streamline the process of extracting and analyzing sensitive data following cyber breaches. This industry-first technology will be integrated into their cyber response workflow to significantly reduce the manual effort in preparation for breach notification. Integreon also announced its partnership with RadarFirst, a leader in privacy incident management whose patented risk assessment technology automates privacy risk assessments to deliver consistent, actionable breach notification guidance for all relevant regulations.

Integreon's CyberHawk-AI is a machine learning-based BoT designed to expedite the review process for potentially compromised data while improving accuracy and overall efficiency. This solution, developed by Integreon's i-Lab technology enablement team, learns and subsequently identifies patterns of frequently compromised information. The BoT quickly highlights these patterns and automates the first pass review of documents to identify personally identifiable information. Automated first-pass review, followed by next-level review and quality checks conducted by cyber review experts, allows Integreon to reduce turnaround times while ensuring accuracy. This new software is the first technology in the cyber incident response space to utilize machine learning, human-in-the-loop (HITL) and a reinforced training module.

"This groundbreaking technology helps Integreon better address our clients' concerns and demands, advances the tech-enablement of our services and drives greater innovation," said Subroto Mukerji, Chief Executive Officer of Integreon. "As technology and our industry continue to evolve, we will lead the way and maintain the high quality of services that we are known for."

Integreon applies cyber-specific processes and best-in-breed technology to offer a true end-to-end cyber incident response (CIR) solution that spans data mining, review, consolidated entity list (CEL) preparation, notification preparation applying jurisdictional requirements and breach notification. RadarFirst uses software as a service (SaaS) technology to automate privacy risk assessment and maps a risk of harm analysis directly to relevant jurisdictions with clear breach notification obligations, notification timelines and applicable points of contact, replacing significant manual effort by breach counsel.

With the integration of RadarFirst, Integreon automatically uploads the Consolidated Entity List (CEL) and enters information about the breach into RadarFirst's SaaS software, and based on jurisdictional notification requirements, the platform highlights and creates a notification prioritization. This joint offering arms breach coaches with a powerful tool to cost-effectively and quickly give clients a roadmap to meet their post breach obligations. Previously, significant time and resources were spent analyzing the data to then determine compliance with regulatory jurisdictions. Given it significantly reduces manual effort, law firms will be able to assume more client work and avoid resource shortfalls. Insurance companies are promoting its use given the significant impact on costs.

"The integration of RadarFirst's industry-leading privacy incident management solution with Integreon's CyberHawk-AI technology has created a powerful, end-to-end solution solving for the growing demands on global privacy teams." Don India, CEO of RadarFirst said. "RadarFirst and Integreon both understand the complexities of data breach resolution and are committed to streamlining incident management. This is a natural partnership where we will be able to increase accessibility to our solution – helping organizations of all sizes accelerate efficiency and build customer trust."

**About Integreon**

Integreon is the trusted, global provider of creative, business, and legal outsourced services to corporations and law firms seeking to expand their capabilities and transform their performance. The company's 3,500+ professionals provide expert support across a range of managed services—from creative design, content delivery and administrative support to legal and compliance. With global delivery centers on three continents, Integreon delivers round-the-clock service in 50+ languages and is deeply committed to client success, consistently delivering innovative, tech-enabled solutions that improve agility and efficiency to drive business performance. Integreon is owned by EagleTree Capital, a leading New York\-based private equity firm that has invested approximately $2.7 billion of equity capital since inception.

**About RadarFirst**

RadarFirst offers innovative software solutions to data privacy challenges in today's increasingly complex and changing privacy regulations. With RadarFirst's patented SaaS-based incident management platform, organizations make consistent, defensible breach notification decisions in a fraction of the time. The Radar Breach Guidance Engine™profiles and scores data privacy incidents and generates incident-specific notification recommendations to help ensure compliance with data breach laws and contractual notification obligations. Privacy leaders around the globe rely on RadarFirst for an efficient, consistent, and defensible solution for privacy incident management. To learn more about simplifying your incident management visit radarfirst.com.

For more information about Integreon's range of services, email \[email protected\], visit www.integreon.com and follow Integreon at LinkedIn, Twitter and Facebook.

SOURCE Integreon

Integreon Launches Cyber Incident Response Offering with Development of AI-Based Review and Integration of RadarFirst

The authentication bypass used by the Nobelium group, best known for the supply chain attack on SolarWinds, required a massive, real-time investigation to uncover, Microsoft says.

Microsoft has tracked down a sophisticated authentication bypass for Active Directory Federated Services (AD FS), pioneered by the Russia-linked Nobelium group. 

The malware that allowed the authentication bypass — which Microsoft called MagicWeb — gave Nobelium the ability to implant a backdoor on the unnamed customer's AD FS server, then use specially crafted certificates to bypass the normal authentication process. Microsoft incident responders collected data on the authentication flow, capturing the authentication certificates used by the attacker, and then reverse-engineered the backdoor code.

The eight investigators were not focused "so much \[on\] a whodunit as a how-done-it," Microsoft's Detection and Response Team (DART) stated in its Incident Response Cyberattack Series publication.

"Nation-state attackers like Nobelium have seemingly unlimited monetary and technical support from their sponsor, as well as access to unique, modern hacking tactics, techniques, and procedures (TTPs)," the company stated. "Unlike most bad actors, Nobelium changes their tradecraft on almost every machine they touch."

The attack underscores the increasing sophistication of APT groups, which have increasingly targeted technology supply chains, such as the SolarWinds breach, and identity systems. 

**A "Masterclass" in Cyber Chess**

MagicWeb used highly privileged certifications to move laterally through the network by gaining administrative access to an AD FS system. AD FS is an identity management platform that offers a way of implementing single sign-on (SSO) across on-premises and third-party cloud systems. The Nobelium group paired the malware with a backdoor dynamic link library (DLL) installed in the Global Assembly Cache, an obscure piece of .NET infrastructure, Microsoft said.

MagicWeb, which Microsoft first described in August 2022, was built on previous post-exploitation tools, such as FoggyWeb, which could steal certificates from AD FS servers. Armed with these, the attackers could make their way deep into organizational infrastructure, exfiltrating data along the way, breaking into accounts, and impersonating users.

The level of effort needed to uncover the sophisticated attack tools and techniques shows that the upper echelons of attackers require companies to be playing their best defense, according to the Microsoft.

"Most attackers play an impressive game of checkers, but increasingly we see advanced persistent threat actors playing a masterclass-level game of chess," the company stated. "In fact, Nobelium remains highly active, executing multiple campaigns in parallel targeting government organizations, non-governmental organizations (NGOs), intergovernmental organizations (IGOs), and think tanks across the US, Europe, and Central Asia."

**Limit Privileges for Identity Systems**

Companies need to treat AD FS systems and all identity providers (IdPs) as privileged assets in the same protective tier (Tier 0) as domain controllers, Microsoft stated in its incident response advisory. Such measures limit who can access those hosts and what those hosts can do on other systems. 

In addition, any defensive techniques that raise the cost of operations for cyberattackers can help prevent attacks, Microsoft stated. Companies should use multifactor authentication (MFA) across all accounts throughout the organization and make sure they monitor the authentication data flows to have visibility into potential suspicious events.

MagicWeb Mystery Highlights Nobelium Attacker's Sophistication

Valve's unpatched JavaScript engine and incomplete modification vetting process for Steam-delivered mods led to user systems being backdoored.

A threat actor recently uploaded four "mods" containing malicious code into the catalog in the official Steam store that players of the popular Dota 2 online game use for downloading community-developed game additions and other custom items.

Mods, short for "modifications," offer in-game content that players create rather than the developers.

Users who installed the mods ended up with a backdoor on their systems that the threat actor used to download an exploit for a vulnerability (CVE-2021-38003) in the V8 open source JavaScript engine version present in a framework called Panorama that players use to develop custom items in Dota 2.

Researchers from Avast discovered the issue and reported it to Valve, the developer of the game. Valve immediately updated the game's code to a new (patched) version of V8, and took down the rogue game mods from its Steam online store. The gaming company — whose portfolio includes Counter-Strike, Left 4 Dead, and Day of Defeat — also notified the small handful of users who downloaded the backdoor about the issue and implemented unspecified "other measures" to reduce Dota 2's attack surface, Avast said.

Valve did not immediately respond to a Dark Reading request for comment.

**Taking Advantage of Dota 2's Customization Features**

The attack that Avast discovered is somewhat similar in approach to the numerous incidents where a threat actor has uploaded malicious applications to Google Play and Apple's App Store, or malicious code blocks to repositories like npm or PyPI.

In this case, the individual who uploaded the code to Valve's Steam store took advantage of the fact that Dota 2 allows players to customize the game in many ways. Dota's game engine gives anyone with even basic programming skills the ability to develop custom items such as wearables, loading screens, chat emojis, and even entire custom game modes — or new games, Avast said. They can then upload those custom items to the Steam store, which vets the offerings for unsuitable content, and then publishes them for other players to download and use. 

However, because the Steam vetting process is more focused on moderation than security, bad actors can sneak malicious code into the store without too much trouble, the researchers warned. "We believe the verification process exists mostly for moderation reasons to prevent inappropriate content from getting published," according to Avast's blog post. "There are many ways to hide a backdoor within a game mode, and it would be very time-consuming to attempt to detect them all during verification."

Boris Larin, lead security researcher at Kaspersky's global research and analysis team, says that while game companies are not directly responsible for malicious code embedded into third-party modifications, incidents like these still harm the company's reputation. This is especially true when modifications are distributed through special repositories owned by the game developer that may contain vulnerabilities.

"In this particular case, the timely updating of third-party components would have helped to protect the players," Larin says. "JavaScript engines and built-in Web browsers also require special attention as they often contain vulnerabilities that can be exploited for remote code execution."

**Gaming Industry Continues to Be a Massive Target**

The incident at Valve is the latest in a string of attacks that have targeted online gaming companies and players in recent years — and especially since the COVID-19 outbreak, when social distance mandates drove a surge in online gaming. In early January, attackers broke into Riot Games' systems and stole source code for the company's League of Legends and Teamfight Tactics games. The attackers demanded $10 million from Riot Games in return for not publicly leaking the source code. In another incident, an attacker breached systems at Rockstar Games last year and downloaded early footage of the next version of the company's popular Grand Theft Auto game.

A report that Akamai released last year showed a 167% increase in Web application attacks on player accounts and gaming companies last year. A plurality of these Web application attacks — 38% — involved local file inclusion attacks; 34% were SQL injection attacks, and 24% involved cross-site scripting. Akamai's survey also showed that the gaming industry accounted for some 37% of all distributed denial-of-service (DDoS) attacks, which was double that of the second-most-targeted sector.

Akamai, like others previously, attributed the major attacker interest in gaming to the highly lucrative nature of the industry as a whole, and to the billions of dollars that users spend via in-game microtransactions while playing games. In 2022, PwC pegged gaming industry revenues at $235.7 billion for the year. The consulting firm estimated that industry revenues will grow at some 8.4% through 2026 at least.

The attacks have put growing pressure on gaming companies to ramp up their security processes. Industry experts have previously noted how gaming companies that experience major security incidents face the risk of losing player trust and player engagement on their platforms.

"Gaming companies should regularly update and scan their systems and employ a comprehensive defensive concept that equips, informs, and guides their team in their fight against the most sophisticated and targeted cyberattacks," Larin says.

"All repositories, whether an app store, an open source package repository, or even game modification repositories, should be automatically checked for malicious content," he says. This should include static checks for obfuscated or dangerous functionality and scanning with an antivirus engine SDK, he notes.

Larin adds: "Open source code repository poisoning has become more widespread in recent years and its early detection can prevent larger incidents."

Malicious Game Mods Target Dota 2 Game Users

Event organizers should be exercising various cyberattack scenarios to ensure they have the proper checks and balances in place to respond accordingly and maintain resilience.

When Super Bowl LVII between the Kansas City Chiefs and Philadelphia Eagles kicks off in Phoenix on Feb. 12, most everyone's eyes will be on the gridiron. But farther afield, malicious actors and cyberattackers may be looking to score their own kind of touchdown — by shutting down systems, perpetuating ransomware, or carrying out hacktivism.

The 2022 FIFA World Cup tournament held in Doha, Qatar, over the winter raised similar operational concerns, and cybersecurity experts note that large-scale events in general offer a very broad attack surface area to threat actors of all stripes, thanks to the sheer number of systems involved in carrying it off.

"The thing that's tricky for security teams is that it’s not just one entity or single network they must look after," says James Campbell, CEO and co-founder of Cado Security. "An event like the Super Bowl involves numerous suppliers, media companies, and so on, all of which are responsible for looking out for their networks, collectively making up how the Super Bowl is run."

Campbell adds that one of the biggest disruptions to the Super Bowl would be preventing it from being televised. With millions of people worldwide watching, and given the advertising and revenue generated from the Super Bowl, if a threat group wanted to get a certain point across, restricting the ability to broadcast it live would do the trick.

"That would probably have the biggest impact, other than physically ensuring the Super Bowl doesn't \[actually take place\] — a harder task," he says.

**Critical Steps for Securing the Super Bowl**

Bud Broomhead, CEO at Viakoo, points out that the large number of third parties involved in the event from a technical perspective means that ensuring that multiple networks are segmented from each other is a crucial first step in protecting the event — so that if one system is breached (Rihanna's microphones), the threat actors can't reach another system (video surveillance, for instance).  
He adds the large number of Internet of Things (IoT) devices and ad hoc networks that third parties will bring to the party — by stakeholders as varied as caterers and sound engineers — means multiple points of failure. Thus, layers of testing for worst-case scenarios will be important leading up to the event.

"There will need to be overall testing of those systems ahead of the event to ensure sufficient redundancy exists," Broomhead says. "Security for a big event like the Super Bowl must also have a focus on resiliency — if bad things happen, is there an already established plan to minimize the impact?"

Darren Guccione, CEO and co-founder at Keeper Security, notes that on the IoT front, many physical control systems are "smart" — i.e., Internet-facing; as such, they should be of particular concern.

He poses a hypothetical: The broadcast network equipment and servers sitting in the data room in the Super Bowl may be hardened with up-to-date patches, firewalls, and other defenses, but what about the building management system? This might be a separately controlled network — and not as well secured.

"Suppose threat actors attack IoT and turn off the air conditioning in the building management system," he says. "In that case, all those computers are useless because you must immediately turn off all your servers, or else they melt within 20 minutes."

The scenario of an attack via the HVAC system is familiar from the infamous Target breach of 2014 — all it takes is one employee falling for a phish.

"Leading up to the big game, IT professionals should be on the lookout for phishing attacks, malware and viruses, and social engineering attacks as threat actors attempt to gain access to the computer systems used to manage the event," Guccione advises.

Despite the what-ifs, the good news is that cybersecurity is firmly on the radar screen for this upcoming weekend: In addition to preparations on the part of the event organizers and all of the third-party stakeholders involved, a variety of government organizations also have thorough cyber-defense plans in place for the event, including the Arizona Cyber Command and the Federal Aviation Administration.

Attacker Allure: A Look at the Super Bowl's Operational Cyber-Risks

Bridging the divide between developers and security can create a culture change organically.

Over the past few years, organizations have dramatically expanded their use of cloud environments by more than 25%. This expansion came as organizations shifted toward hybrid workforces, where employees needed to access business-critical applications from their kitchen, local coffee shop, or halfway across the world. There is no debate today that the majority of applications have moved to the cloud and cloud-native development will continue to gain popularity, with developers able to build and deploy new applications within minutes. In fact, Gartner estimates that by 2025, more than 95% of new cloud workloads will be deployed on cloud-native platforms, up from 30% in 2021.

However, if you ask any developer what the one aspect to application development/deployment that slows them down is, they'll give you one word: security. There has been a long-standing and well-known disconnect between application developers and security teams — a constant tug and pull where developers don't want their applications slowed down or user experience to be altered by security protocols.

Meanwhile, security teams are working to ensure these applications won't open their organizations to increased risk. According to Palo Alto Networks' 2022 What's Next In Cyber survey, 71% of chief information security officers (CISOs) agree that security slows down DevOps in their organizations. So, how do we satisfy both groups and have them work together to deliver secure applications? 

By setting and pursuing shared goals, your organization's security and DevOps teams can reinforce each other's success rather than working in silos. Here are a few ways each team can better work together to deliver secure applications that do not impact user experience or time to deployment.

**Define Your Shift-Left Security Strategy Together**

Create a mutual understanding of what shifting left means to the organization. In its simplest form, it means embedding security at the forefront of application development rather than at the end. With this approach, organizations shift from reactive to proactive, where security vulnerabilities can be addressed early on, when they are less complex and costly. This mutual understanding can mean developing a document that outlines the vision, ownership/responsibility, milestones, and metrics. This way, both security and DevOps teams commit to one another that security is not an afterthought and both are aligned to create a more holistic approach to application security.

**Understand Where and How Software Is Created in Your Organization**

One of the biggest challenges of shifting security left is understanding how and where software is created within the organization. This is shaped by various variables, including the company's size and whether the work is outsourced to multiple vendors. For example, a large organization will likely spend more than a few months digging, and require additional time to review contracts. Key items to identify are people, process, and technology: 

*   People = who is developing the code
*   Process = the flow from development laptops to production
*   Technology = systems used to enable the process

**Developer-Friendly Security Tools**

Providing and implementing developers with friendly tools from the beginning of development ensures that security teams are empowering DevOps teams with the right set of tools to take ownership for the security posture of their applications. Practical and unobtrusive security tools dramatically increase developers' willingness and ability to inject security into their pipelines. As security professionals, we must equip them with tools that do not hinder their processes but, rather, empower them to build with the confidence that their applications are secure.

Implementing these steps within your organization is the start of bridging the divide between developers and security teams. If done correctly and there is complete buy-in from both sides, a culture change will occur organically. Security teams will begin to trust developers to take ownership for security, while developers will continue to operate with speed and agility. By shifting left, both teams put themselves in a position to better protect the organization and strengthen the overall security posture.

Source

DARKReading