It's not just Internet-accessible hosts that are vulnerable, researchers say.

Security teams working to secure their organizations against a nearly two-year-old vulnerability in VMware's ESXi hypervisor technology that attackers suddenly began exploiting en masse last week must pay attention to all ESXi hosts in the environment, not just Internet-accessible ones.

That's the advice of security vendor Bitdefender after it analyzed the threat and discovered that attackers can exploit it in multiple ways.

**Two-Year-Old Flaw**

The vulnerability in question, CVE-2021-21974, is present in VMware's implementation of a service delivery protocol in ESXi called Open Service Location Protocol (OpenSLP). The vulnerability gives unauthenticated attackers the ability to remotely execute malicious code on affected systems without any user interaction.

VMware disclosed the vulnerability in February 2021 and issued a patch for it at the same time. Since then, attackers have targeted it heavily and made CVE-2021-29174 one of the most exploited vulnerabilities in 2021 and 2022. On Feb. 3, France's computer emergency response team warned about bad actors exploiting CVE-2021-21974 to distribute a ransomware variant dubbed ESXiArgs ransomware on ESXi hosts around the world.

The widespread nature of the attacks prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to release a recovery script that victims of ESXiArgs could use to try to recover their systems.

Martin Zugec, technical solutions director at Bitdefender, says though the initial compromise vector remains unknown, a popular theory is that it is via direct exploitation through Internet-exposed port 427. VMware itself has recommended that if organizations cannot patch immediately, they should block access to port 427.

While that measure can slow down an adversary, it does not eliminate risk from the flaw entirely because attackers can exploit the vulnerability in other ways as well, Zugec says. If an organization blocks port 427, for instance, an attacker could still compromise one of the virtual machines running on an ESXi host via any existing vulnerability.

They could then escape the compromised virtual machine to exploit the vulnerability in OpenSLP and gain root access to the host, he says.

**Other Ways to Exploit Flaw**

"Threat actors can use any existing vulnerability to compromise a virtual machine — whether it's Linux or Windows-based," Zugec notes.

A threat actor can also relatively easily buy on the Dark Web access to a previously compromised virtual machine and attempt OpenSLP remote code execution against the hosting hypervisor, he says.

"If successful, the threat actor can gain access not only to the hypervisor host, but also to all other machines running on the same server," Zugec says. "The OpenSLP exploit in this case would allow a threat actor to escalate their access and move laterally to other — potentially more valuable — machines."

Zugec says Bitdefender has so far seen no evidence of attackers exploiting the VMware ESXi vulnerability in this manner. But, given the major focus on direct exploitation via port 427, Bitdefender wanted to warn the public about other methods to exploit this vulnerability, he says. In addition to blocking access to port 427, VMware has also recommended that organizations that cannot patch CVE-2021-21974 simply disable SLP where possible.

**Shades of WannaCry**

Bitdefender said its analysis of the latest attacks targeting CVE-2021-21974 suggest that the threat actors behind them are opportunistic and not very sophisticated. Many of the attacks appear completely automated in nature, from initial scans for vulnerable systems to ransomware deployment.

"We can compare this to WannaCry," Zugec notes. "While these attacks can reach a wide range of machines, the impact remains limited."

But more sophisticated threat actors would use the flaw in ESXi to conduct a much larger operation, he says. Initial access brokers, for instance, could deploy a remote Web shell and disable SLP service so other threat actors cannot exploit the same flaw. They could then simply lie in wait for the best opportunity to monetize their access. Potential options could include data theft, surveillance, and cryptojacking.

To fully address the risk of a cyberattack exploiting the VMware vuln, Bitdefender — like VMware and others — recommends that organizations apply the patch for it immediately.

Embattled VMware ESXi Hypervisor Flaw Exploitable in Myriad Ways

Competitor markets working to replace Hydra's money-laundering services for cybercriminals.

During the first few months of 2022, business was booming at Hydra Marketplace, _the_ premiere Dark Web destination for cybercrime money laundering and selling narcotics and other illegal goods and services.

In fact, until its takedown in April 2022, Hydra owned a full 93% of all illicit underground economic activities.

Here's how massive Hydra's presence was on the Dark Web: In the days leading up to Hydra's takedown, the average daily revenue for all underground markets was about $4.2 million. That number fell to just $447,000 after Hydra disappeared, according to new data released by Chainalysis.

Year-over-year, Dark Web marketplace revenues at the end of 2021 were about $3.1 billion, but by the end of 2022 they totaled only about $1.5 billion.

**Hydra Takedown Leaves Void**

Fast forward 10 months after the demise of Russian-based Hydra, and the Dark Web marketplace ecosystem is still struggling to recover. Namely, it's been tough to replicate or replace Hydra's money-laundering services for cybercriminals.

Out of the rubble of the demolished Hydra Marketplace, three early contenders for biggest player emerged: OMG!OMG! Market, Blacksprut, and Mega Darknet Market, according to Chainalysis' research.

Early on, OMG was the frontrunner, peaking at just over 65% of the underground market business, but a June distributed denial-of-service (DDoS) attack on OMG drove users to competitors Mega Darknet Market and Blacksprut Market, according to Chainalysis.

So far, no other marketplace has been able to dominate the Dark Web market like Hydra did in its heyday.

**Fraud Services Falter Post-Hydra**

Four of the top five most successful darknet markets focused on illicit substance sales. The fifth, a platform called "Brian Dumps," is the only one among the top underground marketplaces dealing in stolen credit card and other personally identifying information (PII), a business model Chainalysis calls a "fraud shop."

Bypass Shop, another similar fraud shop, was shuttered by Russian authorities last March, the report said. Brian Dumps appears to have also suffered some disruption last October, dropping its revenues for that month to zero, according to Chainalysis. But the reason behind the issue remains unclear.

**A New Mission**

Mounting struggles in the darknet ecosystem present an enormous opportunity to absorb Hydra's user base and reign the underground supreme. But the key to attracting users to these platforms is providing cryptocurrency and fiat currency-laundering services, the research shows.

All three top markets, Mega Darknet, Blacksprut, and OMG, show signs they have started offering cryptocurrency money-laundering services to lure in Hydra users, according to Chainalysis. There is also some evidence of collaboration between the platforms, the report pointed out.

Early after Hydra's closure, OMG's market share of business exploded because it offered money-laundering services, says Eric Jardine, cybercrimes research lead at Chainalysis. That business shifted to Mega Darknet once it was able to spin up similar services.

**New Cybercrime Business Opportunity**

Dark Web marketplaces are evolving into financial services providers for cybercriminals, Jardine says.

"With Hydra and the evolution of money-laundering services as a feature of the darknet market ecosystem, a number of new financial motivations come into play," Jardine says. "Previous markets, such as Silk Road, largely connected buyers and sellers of drugs, but providing money laundering and fiat currency off-ramp services to cybercriminals ties darknet markets more to the ebb and flow of ransomware and cybercrime than had previously been the case."

As these platforms continue to provide digital asset services, cybercriminals will be motivated to commit more digital asset-based cybercrimes, says Karl Steinkamp, with cybersecurity advisory firm Coalfire.

Dark Web Revenue Down Dramatically After Hydra's Demise

The network is alleged to have operated 100 bank accounts and stolen millions from American people and companies.

Nine suspects have been arrested — eight in Madrid and one in Miami — for their suspected participation in a cybercriminal organization accused of stealing more than 5 million euros from unsuspecting victims in less than a year.

The joint operation between the Spanish National Police and the US Secret Service traced the group's activities to more than 100 bank accounts created to collect stolen money, which they would then withdraw at cash machines, transfer abroad, or convert into cryptocurrency, the Spanish National Police said in an announcement of the takedown.

The ring targeted American people and companies with social engineering phishing emails and SMS text messages to gather sensitive data, then followed up with so-called "vishing" phone calls to collect the remaining information required to defraud victims.

The authorities of Panama, Spain, and the US seized assets belonging to the accused cybercriminals, including assets of more than a half-million euros and expensive watches estimated to be worth about 200,000 euros.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

9 Scammers Busted for 5M Euro Phishing Fraud Ring

Morphus's deep cybersecurity research expertise, cyber defense and threat intelligence services widen Accenture's cybersecurity footprint in Latin America.

**FORTALEZA, Brazil and NEW YORK; Feb. 13, 2023 –** Accenture (NYSE: ACN) has acquired Morphus, a privately held Brazil-based cyber defense, risk management and cyber threat intelligence services provider, expanding its practice capabilities in Brazil and Latin America. Financial terms were not disclosed.

Founded in 2003, Morphus is headquartered in Fortaleza, which is in the Ceará region in northeastern Brazil, with offices in Recife, São Paulo, Rio de Janeiro and Santiago, Chile. Morphus’s end-to-end portfolio includes red and blue team services; governance, risk and compliance services; enterprise risk management; cyber strategy; threat intelligence; and managed security services (MSS). 

According to Accenture’s recent Cyber Threat Intelligence research, Brazil is one of the top victims of infostealer malware – a malicious software designed to steal victim information such as passwords. 

“Together with the capabilities and experienced leadership of Morphus, we will work as one team to help organizations build a cyber resilient business and better secure their digital core, their technology and supply chains,” said Paolo Dal Cin, who leads Accenture Security globally. “The acquisition brings more than 230 highly skilled professionals, making Accenture one of the largest cybersecurity professional services providers in Brazil. Our clients are always looking for the best solutions to strengthen their cyber defenses, and the addition of Morphus expands our global research workforce and network of talented, innovative security professionals.”

The acquisition expands Accenture’s portfolio and marks the launch of a Cyber Industry practice in Latin America led by seasoned former CISOs from Morphus. The new offerings also expand Accenture’s position in Growth Markets in Morphus’s primary industry groups: communications media and technology, financial services, energy, retail and aviation.

Rawlison Brito, CEO of Morphus, said: “We believe that security and science go hand-in-hand. With Accenture, we can continue our cyber threat research and expand our advanced studies of cybersecurity by collaborating with security research experts on a global scale. We are excited to join Accenture to offer our thought leadership and better serve our clients by providing market-leading services and stronger cyber defense protection in Latin America.”

With a strong footprint in Brazil and Chile, the acquisition brings to Accenture Morphus Labs, a research facility in Fortaleza dedicated to cybersecurity studies, vulnerability and threat analysis and MSS. This will add a new Cyber Fusion Center in Fortaleza to Accenture’s existing global network, which includes Morphus’s cybersecurity R&D capabilities.

Andre Fleury, Accenture Security lead for Latin America, said: “The cybersecurity team at Morphus will accelerate the growth of our Cyber Industry practice in the region, nearly doubling our security footprint in Brazil. The acquisition complements our global Security practice and will enable us to help our clients embed security by design and enhance the offerings we provide across a wide variety of industries in Latin America.”

Last year, Accenture was recognized as a leader in strategic security services and MSS in Brazil by ISG.

Since 2015, Accenture Security has made 16 acquisitions. Following its January 2020 acquisition of Symantec’s Cyber Security Services business, Accenture became one of the leading global providers of MSS. Accenture further strengthened its cyber defense and MSS capabilities through the acquisition of Brazil-based Real Protect, and European cyber companies Sentor and Openminded in 2021.

**Forward-Looking Statements**

Except for the historical information and discussions contained herein, statements in this news release may constitute forward-looking statements within the meaning of the Private Securities Litigation Reform Act of 1995. Words such as “may,” “will,” “should,” “likely,” “anticipates,” “aspires,” “expects,” “intends,” “plans,” “projects,” “believes,” “estimates,” “positioned,” “outlook,” “goal,” “target” and similar expressions are used to identify these forward-looking statements. These statements are not guarantees of future performance nor promises that goals or targets will be met, and involve a number of risks, uncertainties and other factors that are difficult to predict and could cause actual results to differ materially from those expressed or implied. These risks include, without limitation, risks that: the transaction might not achieve the anticipated benefits for Accenture; Accenture’s results of operations have been, and may in the future be, adversely affected by volatile, negative or uncertain economic and political conditions and the effects of these conditions on the company’s clients’ businesses and levels of business activity; Accenture’s business depends on generating and maintaining client demand for the company’s services and solutions including through the adaptation and expansion of its services and solutions in response to ongoing changes in technology and offerings, and a significant reduction in such demand or an inability to respond to the evolving technological environment could materially affect the company’s results of operations; if Accenture is unable to match people and their skills with client demand around the world and attract and retain professionals with strong leadership skills, the company’s business, the utilization rate of the company’s professionals and the company’s results of operations may be materially adversely affected; Accenture faces legal, reputational and financial risks from any failure to protect client and/or company data from security incidents or cyberattacks; the markets in which Accenture operates are highly competitive, and Accenture might not be able to compete effectively; Accenture’s ability to attract and retain business and employees may depend on its reputation in the marketplace; Accenture’s environmental, social and governance (ESG) commitments and disclosures may expose it to reputational risks and legal liability; if Accenture does not successfully manage and develop its relationships with key ecosystem partners or fails to anticipate and establish new alliances in new technologies, the company’s results of operations could be adversely affected; Accenture’s profitability could materially suffer if the company is unable to obtain favorable pricing for its services and solutions, if the company is unable to remain competitive, if its cost-management strategies are unsuccessful or if it experiences delivery inefficiencies or fail to satisfy certain agreed-upon targets or specific service levels; changes in Accenture’s level of taxes, as well as audits, investigations and tax proceedings, or changes in tax laws or in their interpretation or enforcement, could have a material adverse effect on the company’s effective tax rate, results of operations, cash flows and financial condition; Accenture’s results of operations could be materially adversely affected by fluctuations in foreign currency exchange rates; changes to accounting standards or in the estimates and assumptions Accenture makes in connection with the preparation of its consolidated financial statements could adversely affect its financial results; as a result of Accenture’s geographically diverse operations and strategy to continue to grow in key markets around the world, the company is more susceptible to certain risks; if Accenture is unable to manage the organizational challenges associated with its size, the company might be unable to achieve its business objectives; Accenture might not be successful at acquiring, investing in or integrating businesses, entering into joint ventures or divesting businesses; Accenture’s business could be materially adversely affected if the company incurs legal liability; Accenture’s global operations expose the company to numerous and sometimes conflicting legal and regulatory requirements; Accenture’s work with government clients exposes the company to additional risks inherent in the government contracting environment; if Accenture is unable to protect or enforce its intellectual property rights or if Accenture’s services or solutions infringe upon the intellectual property rights of others or the company loses its ability to utilize the intellectual property of others, its business could be adversely affected; Accenture may be subject to criticism and negative publicity related to its incorporation in Ireland; as well as the risks, uncertainties and other factors discussed under the “Risk Factors” heading in Accenture plc’s most recent Annual Report on Form 10-K and other documents filed with or furnished to the Securities and Exchange Commission. Statements in this news release speak only as of the date they were made, and Accenture undertakes no duty to update any forward-looking statements made in this news release or to conform such statements to actual results or changes in Accenture’s expectations.

**About Accenture** 

Accenture is a leading global professional services company that helps the world’s leading businesses, governments and other organizations build their digital core, optimize their operations, accelerate revenue growth and enhance citizen services—creating tangible value at speed and scale. We are a talent and innovation led company with 738,000 people serving clients in more than 120 countries. Technology is at the core of change today, and we are one of the world’s leaders in helping drive that change, with strong ecosystem relationships. We combine our strength in technology with unmatched industry experience, functional expertise and global delivery capability. We are uniquely able to deliver tangible outcomes because of our broad range of services, solutions and assets across Strategy & Consulting, Technology, Operations, Industry X and Accenture Song. These capabilities, together with our culture of shared success and commitment to creating 360° value, enable us to help our clients succeed and build trusted, lasting relationships. We measure our success by the 360° value we create for our clients, each other, our shareholders, partners and communities. Visit us at www.accenture.com.

Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter, LinkedIn or visit us at accenture.com/security.

Accenture Acquires Morphus, Brazil-Based Cybersecurity Company

CISA, FBI, and South Korean intelligence agencies warn that the North Korean government is sponsoring ransomware attacks to fund its cyber-espionage activities.

Organizations in the US healthcare and public health sector are among the top targets for state-sponsored North Korean cyber-threat actors seeking to fund espionage activities via ransomware and other attacks.

That's the assessment of the US Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the US Department of Health and Human Services, and South Korean intelligence agencies. In a joint advisory Feb. 9, the group described the North Korean government as using revenues — in the form of cryptocurrency — from these ransomware attacks to fund other cyber operations that include spying on US and South Korean defense sector and defense industrial base organizations.

**State-Sponsored Ransomware Attacks With a Mission**

"The authoring agencies assess that an unspecified amount of revenue from these cryptocurrency operations supports DPRK national-level priorities and objectives," the advisory said.

The alert also cautioned ransomware victims in healthcare and critical infrastructure sectors against paying ransoms. "Doing so does not guarantee files and records will be recovered and may pose sanctions risks," it said.

There is little in the advisory to indicate whether it was prompted by new threat intelligence or word about imminent attacks. But it comes amid a continuing increase in ransomware attacks against healthcare entities overall. A report by the Journal of the American Medical Association (JAMA) earlier this year identified a doubling in the number of ransomware attacks against healthcare entities between 2016 and 2021. Of the total 374 ransomware attacks on US healthcare organizations during that period, some 44% disrupted heathcare delivery.

The most common disruptions included systems downtime, cancellations of scheduled care, and ambulance diversions. JAMA's study found an increase especially in ransomware attacks against large healthcare organizations with multiple facilities between 2016 and 2021.

A June 2022 report from Sophos showed 66% of healthcare organizations experienced at least one ransomware attack in 2021. Sixty-one percent of those attacks ended with the attackers' encrypting data and demanding a ransom for the decryption key.

"Healthcare saw the highest increase in volume of cyberattacks (69%) as well as the complexity of cyberattacks (67%) compared to the cross-sector average of 57% and 59% respectively," Sophos said.

**New Intel, New Tactics**

CISA's latest cybersecurity advisory this week updates its earlier guidance on state-sponsored ransomware attacks from North Korea directed against the US healthcare and public health sector. It highlighted multiple tactics, techniques, and procedures (TTPs) that North Korean cyber actors are currently employing when executing ransomware attacks against healthcare targets. Most of the TTPs are typical of those observed with ransomware attacks and include tactics like lateral movement and asset discovery.

The advisory also highlighted several ransomware tools — and associated indicators of compromise (IoCs) — that North Korean actors have been using in attacks on healthcare organizations. Among them were privately developed variants such as Maui and H0lyGh0st and publicly available encryption tools such as BitLocker, Deadbolt, Jogsaw, and Hidden Tear.

"In some cases, DPRK actors have portrayed themselves as other ransomware groups, such as the REvil ransomware group," in an attempt to evade attribution, the advisory said.

In addition to obfuscating their involvement by operating with other affiliates and foreign third parties, North Korean actors frequently use fake domains, personas, and accounts to execute their campaigns, CISA and the others said. "DPRK cyber actors will also use virtual private networks (VPNs) and virtual private servers (VPSs) or third-country IP addresses to appear to be from innocuous locations instead of from DPRK."

The advisory highlighted some of newer software vulnerabilities that state-backed groups in North Korea have been exploiting in their ransomware attacks. Among them were the Log4Shell vulnerability in the Apache Log4j framework (CVE-2021-44228) and multiple vulnerabilities in SonicWall appliances.

CISA's recommended mitigations against the North Korean threat included stronger authentication and access control, implementing the principle of least privilege, employing encryption and data masking to protect data at rest, and securing protected health information during collection, storage, and processing.

The advisory also urged healthcare entities to maintain isolated backups, develop an incident response plan, update operating systems and applications, and monitor remote desktop protocol (RDP) and other remote access mechanisms.

Healthcare in the Crosshairs of North Korean Cyber Operations

Killnet claims DDoS attack against NATO Special Operations Headquarters, Strategic Airlift Capability, and more.

NATO's Special Operations Headquarters and Strategic Airlift Capability — both working to deliver humanitarian aid to victims of the recent Turkish-Syrian earthquake — were among NATO organizations disrupted by a weekend cyberattack.

Russian-based Killnet threat group has claimed responsibility for launching distributed denial-of-service (DDoS) attacks against NATO, according to reports.

"We are carrying out strikes on NATO," Killnet wrote on its Telegram channel, according to The Telegraph.

Reports added NATO's NR network, reportedly used to transmit sensitive and classified data, was also targeted. Besides knocking sites temporarily offline, the cyberattack disrupted communications between NATO and at least one of its airplanes transporting search and rescue equipment to Incirlik Air Base in Turkey, The Telegraph reported.

A devastating earthquake hit in southeastern Turkey and Syria on Feb, 6 and along with its aftershocks. has already claimed 35,000 lives. Emergency workers from around the world have converged on the area to join in efforts to pull survivors from the rubble.

"NATO cyber experts are actively addressing an incident affecting some NATO websites," a NATO spokesperson told The Telegraph confirming the hack. "NATO deals with cyber incidents on a regular basis, and takes cyber security very seriously."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Russian Hackers Disrupt NATO Earthquake Relief Operations

The cyberwar to attack Russia has never really stopped, despite a decreasing interest from the West.

Almost a year ago, Russia invaded Ukraine.

Due to the unprovoked aggression by Russia, worldwide condemnation was quickly followed by a call to arms to help Ukraine, both on the ground and in cyberspace. #OpRussia was born.

A year on, you'd be forgiven for thinking that #OpRussia had died down. What happened to it? What did it achieve?

First, let's look at the numbers and the participants. While it's hard to pin down exactly how many people are active in the cyberwarfare aspect of the conflict, estimates range from 150,000 to 400,000, based on the number of subscribers to various Telegram channels. Count active subscribers to the various Discord channels and active reactions to such posts, however, and you get closer to 200,000 — many of which are found in the IT army Telegram channel, the main repository for target listing and action in the ongoing cyberwarfare.

To confuse matters, there are also participants in various auxiliary organizations that have flocked to the Ukrainian banner. Hacken.io — a bug bounty outfit based out of Kyiv that specializes in security of crypto tokens, extended the call to arms to its own army of hackers. While the initial callout was to find vulnerabilities in Russian infrastructure, this was walked back a few weeks later to protect Ukrainian infrastructure. Then we have Anonymous (the infamous, nebulous organization that anyone can identify with), which pushed the #OpRussia tag to prioritize attacks against Russian interests in cyberspace. On top of this, disparate hackers and entities joined the fray. For example, Network Battalion 65, a pro-Ukrainian outfit, appeared on Twitter in February 2022 and almost immediately started compromising high-profile Russian targets with alarming regularity, under the #OpRussia banner.

**The Tools and Initiatives**

A lot of high-profile initiatives were born from the drive to damage Russian interests (and, eventually, Western entities that still maintained a presence in Russia). The most popular and still actively used is Disbalancer (also called "Liberator"), a DDoS tool used to take down infrastructure targets. The barrier to entry for this tool is extremely low: simply download the flavor of your choice — Windows, Mac, or Linux — and run it, and your bandwidth is used to attack a rotating target list.

Disbalancer has had remarkable success, with an average running load of 3,000 users (still a formidable botnet), with peaks of more than 34,000 users. The tool has had more than 200,000 downloads to date. There is a rotating target list of up to a dozen targets, and Disbalancer claims to have attacked more than 700 Russian targets.

On top of this were some more esoteric efforts, such as PlayforUkraine.life, a simple Web-based game of 2048, which performed application-level DDoS in the background. This was responsible for taking down Alfabank, Russia's largest domestic bank. PlayforUkraine.life isn't active anymore and seems to have gone quiet in mid-July or August of last year.

Another such site is WasteRussianTime.today, which automatically connected two government officials with each other. As the name implies, the only outcome was wasted time and some hilarious results. The website is currently showing a 502 error and looks like it went out of action in about June or July of last year.

**The Impact and Breaches**

The one notable constant in the cyber conflict is how the Russian mythos of invulnerability has quickly evaporated (a parallel can be drawn here to its "physical" forces too). The breaches from February to August would be too numerous to list here, but for brevity I've listed the biggest ones. (For similar reasons I've also omitted DDoS takedowns, as these are now in the hundreds of targets.)

At the top of the list we have Roskomnadzor, at a whopping 900GB. It effectively is the mass surveillance department for the Russian population. This was quickly followed up byVGTRK — the Russian state broadcaster, essentially a propaganda mouthpiece for the Kremlin — that was 20 years' worth of emails and 700GB of data. Then lots of other government affiliated entities follow: Rosatom (state nuclear agency), the Central Bank of Russia, Gazprom, Petrofort, the Russian interior ministry, Transneft, SberBank, the Federal Security Service, and even the Russian Orthodox Church all get their turn. For the first six months of 2022, the Russian government was suffering a breach every three days, for a total equivalent of 20TB (!) of breached data in the first few months of the war.

This is only counting the leaks made public via various entities such as Ddossecrets.com, where most of these leaks can be found.

But then, after the first six months, things got a bit quiet. Even the most prolific actor on the scene, Network Battalion 65 — which was tearing through Russian companies since February — went dark in August 2022 and never resurfaced. In its wake, more than 20 high-profile breaches and something north of 4TB of data leaked by them alone in the space of four months.

**So, What's Happening Now, and Why Have Things Subsided?**

The cyberwar never really stopped, and the attacks rumble on at a lower rhythm, but the intensity remains. At the time of this writing, for example, atol.ru (tech company supporting automation) and ofd.ru (a cloud company) are the current targets of the IT army of Ukraine, and that's not mentioning the dozen or so rotating targets of the Disbalancer tool.

Interest in Ukraine has sadly waned in the Western press as the conflict rumbles on. Google Trends shows that, aside form a large peak in February/March 2022 and a follow-up jump in May, interest in Ukraine in search terms has slowly decreased. The impact on the overall course of the war, however, remains unclear, and if anything proves that true cyberwar is a long way off and that the real outcome of the war will be decided in real space with guns and steel.

What Happened to #OpRussia?

A tailored spear-phishing attack successfully convinced a Reddit employee to hand over their credentials and their one-time password, but soon after, the same worker notified security.

The latest hack of a well-known company highlights that attackers are increasingly finding ways around multifactor authentication (MFA) schemes — so employees continue to be an important last line of defense.

On Jan. 9, Reddit notified its users that a threat actor had successfully convinced an employee to click on a link in an email sent out as part of a spearphishing attack, which led to "a website that cloned the behavior of our intranet gateway, in an attempt to steal credentials and second-factor tokens." 

The compromise of the employee's credentials allowed the attacker to sift through Reddit's systems for a few hours, accessing internal documents, dashboards, and code, Reddit stated in its advisory.

The company continues to investigate, but there's no evidence yet that the attacker gained access to user data or production systems, Reddit CTO Chris Slowe (aka KeyserSosa) stated on a follow-up AMA.

"It is extremely difficult to prove a negative, and also why, as mentioned, we are continuing investigating," he said. "The burden of proof right now supports that access was limited to outside of the main production stack."

Reddit is the latest software company to fall prey to a social engineering attack that harvested workers' credentials and led to a breach of sensitive systems. In late January, Riot Games, the maker of the popular League of Legends multiplayer game, announced it had suffered a compromise "via a social engineering attack," with the threat actors stealing code and delaying the company's ability to release updates. Four months earlier, attackers successfully compromised and stole source code from Take Two Interactive's Rockstar Games studio, the maker of the Grand Theft Auto franchise, using compromised credentials.

The cost of even minor breaches caused by phishing attacks and credential theft continues to be high. In a survey of 1,350 IT professionals and IT security managers, three-quarters (75%) said that their company had suffered a successful email attack in the past year, according to the "2023 Email Security Trends" report published by Barracuda Networks, a provider of application and data protection. In addition, the average firm saw its most expensive such attack cause more than $1 million in damages and recovery costs.

Still, companies feel prepared to deal with both phishing and spear-phishing, with only 26% and 21% of respondents fearing they were unprepared. That's an improvement from the 47% and 36%, respectively, who worried their firms were unprepared in 2019. Concerns over account takeover have become more common though, the report found.

"\[W\]hile organizations may feel better equipped to prevent phishing attacks, they are not as prepared to deal with account takeover, which is usually a by-product of a successful phishing attack," the report stated. "Account takeover is also a bigger concern for organizations with the majority of their employees working remotely."

**More Proof That 2FA is Not Enough**

To head off credential-based attacks, companies are moving to MFA, usually in the form of two-factor authentication (2FA), where a one-time password is sent via text or email. Reddit's Slowe, for example, confirmed that the company required 2FA. "Yup. It's required for all employees, both for use on Reddit as well for all internal access," he said during the AMA.

But techniques like MFA fatigue or "bombing" — as seen with last fall's Uber attack — make getting around 2FA a simple numbers game. In that scenario, the attackers send out repeated targeted phishing attacks to employees until someone gets tired of the notifications and gives up their credentials and the one-time password token.

Moving to the next level beyond 2FA is starting to happen. Providers of identity and access management technologies, for instance, are adding more information around access requests, such as the user's location, to add context that can be used to help determine whether access should be authenticated, says Tonia Dudley, CISO at Cofense, a phishing protection firm.

"Threat actors will always look for ways to navigate around the technical controls we implement," she says. "Organizations should still implement the use of MFA and continue to tune the control to protect employees."

**Employees Are Key to Cyber Defense**

Ironically, the Reddit hack also demonstrates the advantages that employee training can deliver. The employee suspected something was wrong after entering credentials into the phishing site, and soon after contacted Reddit's IT department. That reduced the attacker's window of opportunity and limited the damage.

"It's time we stop looking as employees as a weakness and instead looking at them as the strength they are, or can be, for organizations," Dudley says. "Organizations can only tune the technical controls so far ... employees can offer that additional context of, 'this just doesn't seem right.'"

The employee at the center of the Reddit breach will not face long-term, punitive action, but did have all access revoked until the problem was resolved, Reddit's Slowe said in the follow-up AMA.

"The problem, as ever, is that it only takes one person to fall for \[a phish\]," he said, adding, "I'm exceedingly grateful the employee, in this case, reported that it happened when they realized it happened."

Reddit Hack Shows Limits of MFA, Strengths of Security Training

The US Treasury Department linked the notorious cybercrime gang to Russian Intelligence Services because cyberattacks that disrupted hospitals and other critical infrastructure align with Russian state interests.

The US and the UK have issued joint sanctions against alleged members of the TrickBot cybercrime gang for their role in cyberattacks against critical infrastructure.

Trickbot, as a malware, began life as a lowly banking Trojan before its authors started adding modules for other forms of malicious activity. It thus evolved into a multifaceted cyber-Swiss Army knife, often used as a first- or second-stage implant that, once ensconced on a victim machine, fetches ransomware or other payloads. The group ultimately grew into to acting as a ransomware affiliate for Conti and other groups. 

"During the height of the COVID-19 pandemic in 2020, Trickbot targeted hospitals and healthcare centers, launching a wave of ransomware attacks against hospitals across the United States," according to an announcement from the US Treasury Department. "In one of these attacks, the Trickbot Group deployed ransomware against three Minnesota medical facilities, disrupting their computer networks and telephones, and causing a diversion of ambulances. Members of the Trickbot group publicly gloated over the ease of targeting the medical facilities and the speed with which the ransoms were paid to the group."

The announcement, intriguingly, ties the seven sanctioned people to Russian Intelligence Services, since the 2020 attacks "aligned them to Russian state objectives and targeting previously conducted by Russian Intelligence Services. This included targeting the US government and US companies." Trickbot has previously been widely considered to be a financially motivated cybercrime gang, Russian-speaking but not Russia-sponsored.

The sanctioned individuals are:

*   Vitaly Kovalev, aka Bentley or Ben
*   Maksim Mikhailov, aka Baget
*   Valentin Karyagin, aka Globus
*   Mikhail Iskritskiy, aka Tropa
*   Dmitry Pleshevskiy, aka Iseldor
*   Ivan Vakhromeyev, aka Mushroom
*   Valery Sedletski, aka Strix

The sanctions mean that the government can seize any assets that they may have in the US or UK, and it prevents US- and UK-based organizations and individuals from doing business with them. All seven perps remain at large, presumably under the comforting protection of the Russian state, which continues to look the other way when it comes to cybercriminals residing within its borders.

"These sanctions are a welcome sight although they may be academic," Timothy Morris, chief security adviser at Tanium, tells Dark Reading. "What it would, or should do, is make it harder for the seven involved to launder their ill-gotten gains. Also, they will probably be careful with any vacation plans for fear of capture or extradition. It is good to see sanctions and takedowns that have cross-jurisdiction cooperation."

As for the gang itself, a law-enforcement takedown in 2020 saw its activity slowly "wither," according to a report last year from Intel 471, with the malware's operators instead turning to the Emotet botnet to continue its incursions into businesses.

"We've not seen any Trickbot activity since the Feb. 2022 blog post," Michael DeBolt, chief intelligence officer at Intel 471, said in an emailed statement. "It is highly likely that Trickbot won't be seen again. One possible scenario is that the source code may be sold or leaked, and other threat actors could re-use it or fork the source into a new project."

Trickbot Members Sanctioned for Pandemic-Era Ransomware Hits

**FARGO, N.D.** **and** **LONDON****,** **Feb. 10, 2023** **/PRNewswire/ --** Integreon, a trusted worldwide provider of tech-enabled legal and business outsourced services, announced today the development of CyberHawk-AI, an advanced automated technology that utilizes artificial intelligence (AI) to streamline the process of extracting and analyzing sensitive data following cyber breaches. This industry-first technology will be integrated into their cyber response workflow to significantly reduce the manual effort in preparation for breach notification. Integreon also announced its partnership with RadarFirst, a leader in privacy incident management whose patented risk assessment technology automates privacy risk assessments to deliver consistent, actionable breach notification guidance for all relevant regulations.

Integreon's CyberHawk-AI is a machine learning-based BoT designed to expedite the review process for potentially compromised data while improving accuracy and overall efficiency. This solution, developed by Integreon's i-Lab technology enablement team, learns and subsequently identifies patterns of frequently compromised information. The BoT quickly highlights these patterns and automates the first pass review of documents to identify personally identifiable information. Automated first-pass review, followed by next-level review and quality checks conducted by cyber review experts, allows Integreon to reduce turnaround times while ensuring accuracy. This new software is the first technology in the cyber incident response space to utilize machine learning, human-in-the-loop (HITL) and a reinforced training module.

"This groundbreaking technology helps Integreon better address our clients' concerns and demands, advances the tech-enablement of our services and drives greater innovation," said Subroto Mukerji, Chief Executive Officer of Integreon. "As technology and our industry continue to evolve, we will lead the way and maintain the high quality of services that we are known for."

Integreon applies cyber-specific processes and best-in-breed technology to offer a true end-to-end cyber incident response (CIR) solution that spans data mining, review, consolidated entity list (CEL) preparation, notification preparation applying jurisdictional requirements and breach notification. RadarFirst uses software as a service (SaaS) technology to automate privacy risk assessment and maps a risk of harm analysis directly to relevant jurisdictions with clear breach notification obligations, notification timelines and applicable points of contact, replacing significant manual effort by breach counsel.

With the integration of RadarFirst, Integreon automatically uploads the Consolidated Entity List (CEL) and enters information about the breach into RadarFirst's SaaS software, and based on jurisdictional notification requirements, the platform highlights and creates a notification prioritization. This joint offering arms breach coaches with a powerful tool to cost-effectively and quickly give clients a roadmap to meet their post breach obligations. Previously, significant time and resources were spent analyzing the data to then determine compliance with regulatory jurisdictions. Given it significantly reduces manual effort, law firms will be able to assume more client work and avoid resource shortfalls. Insurance companies are promoting its use given the significant impact on costs.

"The integration of RadarFirst's industry-leading privacy incident management solution with Integreon's CyberHawk-AI technology has created a powerful, end-to-end solution solving for the growing demands on global privacy teams." Don India, CEO of RadarFirst said. "RadarFirst and Integreon both understand the complexities of data breach resolution and are committed to streamlining incident management. This is a natural partnership where we will be able to increase accessibility to our solution – helping organizations of all sizes accelerate efficiency and build customer trust."

**About Integreon**

Integreon is the trusted, global provider of creative, business, and legal outsourced services to corporations and law firms seeking to expand their capabilities and transform their performance. The company's 3,500+ professionals provide expert support across a range of managed services—from creative design, content delivery and administrative support to legal and compliance. With global delivery centers on three continents, Integreon delivers round-the-clock service in 50+ languages and is deeply committed to client success, consistently delivering innovative, tech-enabled solutions that improve agility and efficiency to drive business performance. Integreon is owned by EagleTree Capital, a leading New York\-based private equity firm that has invested approximately $2.7 billion of equity capital since inception.

**About RadarFirst**

RadarFirst offers innovative software solutions to data privacy challenges in today's increasingly complex and changing privacy regulations. With RadarFirst's patented SaaS-based incident management platform, organizations make consistent, defensible breach notification decisions in a fraction of the time. The Radar Breach Guidance Engine™profiles and scores data privacy incidents and generates incident-specific notification recommendations to help ensure compliance with data breach laws and contractual notification obligations. Privacy leaders around the globe rely on RadarFirst for an efficient, consistent, and defensible solution for privacy incident management. To learn more about simplifying your incident management visit radarfirst.com.

For more information about Integreon's range of services, email \[email protected\], visit www.integreon.com and follow Integreon at LinkedIn, Twitter and Facebook.

SOURCE Integreon

Source

DARKReading