Once isolated occurrences, nation-state attacks are now commonplace; security professionals should know the elements of defense.

Throughout the ongoing war on Ukraine, known and suspected Russian nation-state actors have compromised Ukrainian targets. They’ve used a combination of techniques including phishing campaigns, exploiting unpatched vulnerabilities in on-premises servers, and compromising upstream IT service providers. These threat actors have also developed and used destructive wiper malware or similarly destructive tools on Ukrainian networks.

Between late February and early April 2022, Microsoft saw evidence of nearly 40 discrete destructive attacks that permanently destroyed files in hundreds of systems across dozens of organizations in Ukraine. After each wave of attacks, threat actors modified the malware to better avoid detection. Based on these observations, we’ve developed strategic recommendations to global organizations on how to approach network defense in the midst of military conflict.

**Common Russian Intrusion Techniques**

Russia-aligned cyber operations have deployed several common tactics, techniques, and procedures. These include:

*   Exploiting public-facing applications or spear-phishing with attachments/links for initial access.

*   Stealing credentials and leveraging valid accounts throughout the attack life cycle, including within Active Directory Domain Services and through virtual private networks (VPNs) or other remote access solutions. This has made identities a key intrusion vector.

*   Using valid administration protocols, tools, and methods for lateral movement, relying on compromised administrative identities in particular.

*   Utilizing known, publicly available offensive capabilities, sometimes disguising them with actor-specific methods to defeat static signatures.

*   “Living off the land” during system and network discovery, often using native utilities or commands that are nonstandard for the environments.

*   Leveraging destructive capabilities that access raw file systems for overwrites or deletions.

**5 Ways to Safeguard Your Operations**

Based on our observations in Ukraine so far, we recommend taking the following steps to safeguard your organization.

**1\. Minimize credential theft and account abuse:** Protecting user identities is a critical component of network security. We recommend enabling multifactor authentication (MFA) and identity detection tools, applying least-privilege access, and securing the most sensitive and privileged accounts and systems.

**2\. Secure Internet-facing systems and remote access solutions:** Ensure your Internet-facing systems are updated to the most secure levels, regularly evaluated for vulnerabilities and audited for changes to system integrity. Anti-malware solutions and endpoint protection can detect and prevent attackers, while legacy systems should be isolated to prevent them from becoming an entry point for persistent threat actors. Additionally, remote access solutions should require two-factor authentication and be patched to the most secure configuration.

**3\. Leverage anti-malware, endpoint detection, and identity protection solutions:** Defense-in-depth security solutions combined with trained, capable personnel can empower organizations to identify, detect, and prevent intrusions impacting their business. You can also enable cloud-protections to identify and mitigate known and novel network threats at scale.

**4\. Enable investigations and recovery:** Auditing of key resources can help enable investigations once a threat is detected. You can also prevent delays and decrease dwell time for destructive threat actors by creating and enacting an incident response plan. Ensure your business has a backup strategy that accounts for the risk of destructive actions and is prepared to exercise recovery plans.

**5\. Review and implement best practices for defense in depth:** Whether your environment is cloud-only or a hybrid enterprise spanning cloud(s) and on-premises data centers, we have developed extensive resources and actionable guidance to help improve your security posture and reduce risk. These security best practices cover topics like governance, risk, compliance, security operations, identity and access management, network security and containment, information protection and storage, applications, and services.

**What This Means for the Global Cybersecurity Landscape**

As the war in Ukraine progresses, we expect to discover new vulnerabilities and attack chains as a result of the ongoing conflict. This will force already well-resourced threat actors to reverse patches and carry out “N-day attacks” tailored to underlying vulnerabilities. All organizations associated with the conflict in Ukraine should proactively protect themselves and monitor for similar actions in their environments.

Microsoft respects and acknowledges the ongoing efforts of Ukrainian defenders and the unwavering support provided by the national Computer Emergency Response Team of Ukraine (CERT-UA) to protect their networks and maintain service during this challenging time. For a more detailed timeline of Russia’s cyber assault on Ukraine, explore the full report.

What Every Enterprise Can Learn From Russia’s Cyber Assault on Ukraine

The enterprise's shift to the cloud means digital forensics investigators have had to adopt new remote techniques and develop custom tools to uncover and process evidence off compromised devices.

With more organizations moving to the cloud for storage, applications, and processing, digital forensics investigators increasingly require new tools and techniques capable of conducting investigations on systems where they have no physical access.

Gone, for the most part, are the days when the forensics investigator could pop out the hard drive of an on-premises server for a forensic image and simply analyze it for clues on what happened. Hands-on evaluations of physical evidence, formerly the norm in forensic investigations, are now the exception. Today’s cloud-based network could be located almost anywhere — for European Union cloud infrastructures, servers generally have to be in the same country as where the data was created, but that’s as specific as the law gets. For the most part, investigators have no direct access to the servers.

Instead, companies need to work with their cloud providers in advance to articulate clearly what access they can have before an event occurs, says Thomas Brittain, former managing director of cyber risk at Kroll who recently joined Amazon Web Services as a security leader for cloud response.

For example, ask the cloud provider up front about any limitations during an investigation, Brittain recommends. Questions include: What logging or log sources are available from each of your cloud vendors? How do you ensure that your personnel have the training and the understanding to do an investigation in that cloud environment?

Considering that investigators will not have physical access to compromised disk drives, enterprises need to ensure ahead of time that the investigators will have the ability to obtain a forensic image of the hard disk even without having actual physical access. That may mean the provider’s staff would need to create and provide the image to the investigators, or the provider would allow the investigators virtual access to the compromised devices.

**Cloud-Ready Forensics Tools**

New digital forensics tools and techniques are necessary to uncover electronic evidence for processing into actionable intelligence for cloud-based data breaches, ransomware attacks, and other cases of malfeasance.-

Because there are no standardized tools designed to meet every cloud vendors’ network needs, many forensics teams develop custom applications. But there is still a problem. “It's insane, trying to figure out standardized training, there is no, there are no standardized tools,” Brittain says.

“We've had to adapt from more of a forensic standpoint to more of a live-by-instant-response in triage,” concurs Aaron Crawford, senior security consultant with NCC Group’s North America Incident Response. “The lines between triage and forensics have absolutely blurred with the introduction of the cloud. It's even more complicated because you have several flavors of clouds out there and providers such as Tencent, Google, Amazon, and Microsoft — the primary Big Four out there.”

Crawford also acknowledges the lack of industry-standard tools. “We've had to become our own tool smiths now. We've had to write our own tools \[and\] create our own custom solutions to address a lot of these issues to help relieve the burden for our clients,” he says. “One of the biggest things that's changed is that immediacy for information and updates is absolutely critical. And that's because the threat landscape changed. The threat landscape got significantly more malicious, and the repercussions are even greater than they were before.”

While forensics teams are creating tools for the various environments, they also need to ensure that their tools will interoperate with existing security tools. Custom tools need to be “sustainable, explainable, \[and\] repeatable. If I go to court as an expert witness, I have to make sure that those tools are repeatable, and you can understand them, and someone else other than me can use them.”

Wayne Johnson, director of Global Cyber Incident Response and leader of the forensics practice at Protiviti, also sees challenges and possibilities with custom forensic tools. “From an interoperability perspective, I think that's incumbent on those that are that are making those one-off tools, \[that\] as the different coding languages change, as the different coding capabilities increase, the digital forensics domain has to be able to move with them right and be able to understand those," he says.

“Even with traditional architectures that are that are on-prem, there are many organizations that still have their own custom code and custom applications. So be those in the cloud or on prem., the same concept applies.”

**Soliciting Board Support**

As the attack surface grows, in part due to the explosion of internet of things (IoT) devices, cybersecurity experts need a place at the table with the board of directors and general counsels, Johnson notes. Ultimately, combining the digital forensics capabilities with incident response is “an area where we've really seen the board's taking notice and realizing that there's definitely a conversation there.”

The added benefit to having a cyber-savvy board member is to help the other board members “understand and interpret what’s coming from the CISO and the CIO.” The addition of cybersecurity experts on the board, combined with a cyber-knowledgeable general counsel, will further bolster the board’s understand on what cybersecurity and forensics can do to protect corporate assets.

“I think we're seeing, we're seeing a much more sophisticated and cyber-savvy boards starting to emerge as you start looking across various industries,” Johnson says.

How the Cloud Changed Digital Forensics Investigations

Don’t fuss now — just another spoonful of multifactor authentication to keep the organization strong and the data safer.

Don’t fuss now — just another spoonful of multifactor authentication to keep the organization strong and the data safer.

Like it or not, vegetables are good for us. They reduce our risk of chronic diseases and deliver the vitamins our bodies need. And yet, the CDC reports that only 10% of American adults eat enough veggies — even though they likely know they should. Companies are the same when it comes to security.

There are 921 password attacks every second — almost double what we saw a year ago. Basic security hygiene like multifactor authentication (MFA) can protect against 98% of attacks, but 38% of large companies and 62% of small to midsize companies don’t do it. Enabling MFA adds another layer of protection to prevent threat actors from accessing internal networks. But if strengthening a company’s cybersecurity posture is as easy as enabling MFA, it begs the question: Why won’t companies eat their vegetables?

**What’s Stopping Companies From Enabling MFA?**

Although every enterprise is different, there are a few common trends when it comes to the reasons they don’t deploy MFA.

*   **MFA costs too much:** Security team resources are already limited, so adding an additional tool to their portfolio can be a tough sell. Luckily, some security providers offer MFA for free as part of their security defaults. Security defaults were created to make managing security a little easier. The goal is to ensure that all organizations have at least a basic level of security enabled at no extra cost.
*   **They think their users will hate MFA:** Users want to be productive wherever and whenever they are working without sacrificing their organization’s security. Conditional access is one modern approach to MFA. Instead of prompting a user for a second factor every time they authenticate, security programs can look at several different elements to determine if something has changed or is unusual about this user before prompting them. It looks at things like where the user is signing in from, whether their device is healthy, and if there’s any suspicious behavior — for example, if the user typically signs in from France and someone tries to sign in with their credentials from Seattle at the same time, something is definitely wrong.
    
    End users can also choose how they want to supply the second factor when they do get a prompt. No fancy equipment is required. Users can choose something as simple as an SMS message or phone call, though we recommend stronger authentication methods like an app or specific security key. They can even have multiple devices that use different methods for different environments and have backup devices in case they lose one or forget one at home.
    
    **MFA’s Too Hard to Deploy**
    
    Another reason enterprises give for not implementing MFA is that it’s too difficult to deploy. However, organizations can leverage conditional access policies to protect cloud implementations, as opposed to relying on a physical server or software.
    
    We’ve recently added conditional access templates to make configuring the policies even easier. Security teams can quickly create a new policy from any of the 14 built-in templates. They help companies provide maximum protection for their users and devices and align with the most commonly used policies. These include things like “Require multifactor authentication for admin,” or “Require password change for high-risk users.” Cloud service providers often offer a list of recommended policies, and organizations can target conditional access policies to a specific set of users, apps or devices to easily deploy different policies at scale.
    
    Ultimately, an enterprise must be able to protect its own operations, and its users, from ongoing cybersecurity threats. And enabling MFA is just one tool in a security team’s kit.
    

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Editors' Choice

Jeffrey Schwartz, Contributing Writer, Dark Reading

Tara Seals, Managing Editor, News, Dark Reading

Elizabeth Montalbano, Contributor, Dark Reading

Dark Reading Staff, Dark Reading

Webinars

*   How to Protect Your Legacy Software Applications
*   Developing and Testing an Effective Breach Response Plan
*   Cloud Security Essentials
*   Seeing Your Attack Surface Through the Eyes of an Adversary
*   Security Considerations for Working with Cloud Services Providers

Reports

*   How Machine Learning, AI & Deep Learning Improve Cybersecurity
*   Implementing Zero Trust In Your Enterprise: How to Get Started
*   2021 Data Breach Investigations Report (DBIR)
*   Cloud & Hybrid Security Tooling Report
*   Future Proofing Your Network for 5G

White Papers

*   How Machine Learning, AI & Deep Learning Improve Cybersecurity
*   Ransomware Resilience and Response: The Next-Generation
*   Ransomware Is On The Rise
*   How Hybrid Work Fuels Ransomware Attacks
*   Implementing Zero Trust In Your Enterprise: How to Get Started

Events

*   Cybersecurity Outlook 2023 - December 13 Event
*   Black Hat Europe - December 5-8 - Learn More
*   \[FREE Virtual Event\] The Identity Crisis

Is MFA the Vegetable of Cybersecurity?

Financing and acquisitions are trending toward smaller deals, which means fewer high-valuation purchases and funding, but likely fewer post-merger layoffs as well.

As the US economy has tightened, the venture capital and acquisition landscape has quickly shifted to become a buyers' market, with startups failing to command the high valuations that were common in past years.

While the sheer number of financing deals is on track to match the more than 1,000 cybersecurity-related investments announced in 2021, the value of those deals has dropped by more than a quarter, according to data from cybersecurity-focused advisory firm Momentum Cyber. The value of purchased companies is also on track to drop by a quarter in 2022, although the absolute number of acquisitions will only drop by about 8%.

The leaner times for startups and their venture-capital backers come as the private sector is cutting costs and refocusing on the most profitable lines of business to ready themselves for a possible recession, says Eric McAlpine, a managing partner at Momentum Cyber.

"We have already seen larger venture-backed companies consolidate significantly to cut costs and refocus on profitability," he says. "Strategic acquirers often have a tough time justifying new acquisitions to their board and taking on companies with new employees in a time where they are already cutting resources and headcount internally."

The worry of a downturn has spread across industries. The majority of companies — 83% — are concerned about a recession coming in 2023, with half of organizations taking concrete steps to prepare for an economic slow down, according to Spiceworks Ziff Davis's "2023 State of IT" report. Three-quarters of businesses are planning to reduce the number of security vendors they use, a significant move toward consolidation from two years ago when 29% aimed to reduce their vendor count.

    

Source: Momentum Cyber

As the business landscape changes, so, too, are companies changing the way they operate. The vast majority of firms — 83% — are placing a greater focus on digital capabilities and operations, according to a survey of CEOs conducted by business intelligence firm Gartner. The analyst firm stressed in a March 2022 advisory that such efforts require cybersecurity teams to adapt and take an integrated role in protecting and enabling the business.

Companies' security teams should "transform the security function into a true business-enabling capability by shifting away from risk-averse, control-driven security operating models toward a more agile, advisory-centric way of delivering security services," Gartner stated.

**Smaller Companies, Smaller Investments, Fewer Layoffs**

Venture money is currently following these trends. Overall, the era of big valuations for newcomers has come to "a standstill," says Momentum Cyber's McAlpine, who sees founders not receiving the same high valuations compared with the recent past, leaving many to hold off on being acquired in the current market. 

There are some exceptions, such as Broadcom's massive deal to acquire VMware — a deal valued at $69 billion. And October saw a surge in deal-making, with two large acquisitions — KnowBe4 and ForgeRock — by private equity firms. But those were outliers, with the number of deals reaching a low point in September, according to McAlpine. Overall, smaller and more specialized firms will make up the vast majority of acquisition targets in the near future, he says. 

So far, in 2022, the average (mean) financing deal amounted to $21 million, down from $28 million in 2021. , and the average acquisition price was $21 million (after dropping the deal for VMware), also down from $28 million.

The good news? Employee layoffs will not necessarily be part of the post-merger landscape, McAlpine says. Typically, general business and administration departments represent most of the duplication between merged companies, leading to cuts in employees in those departments, while the engineering and development teams at startups are sought after for their expertise, he says.

"Employee cuts aren't very common after a merger, even in a down market," McAlpine says. "Many smaller firms and startups are lean to begin with, and their employees are typically viewed as a valuable part of the acquisition."

**No Recession in cybersecurity?**

The good news for cybersecurity companies is that the business demand for products and services is not going away anytime soon, and there are signs that the sector will continue to grow — albeit much more slowly than prior years. 

Slightly more than half of companies (51%), for example, expect to increase their IT budgets, and only about 40% of those attribute the increases to inflation, according to Spiceworks Ziff Davis's "2023 State of IT" report. The Bureau of Labor Statistics currently pegs inflation for end-user prices at approximately 9% year-over-year, but the average IT spending is expected to grow by 13% in 2023 compared with the prior year, says Peter Tsai, head of technology insights at Spiceworks Ziff Davis. 

Companies are updating outdated infrastructure, increasing their focus on IT projects like digital transformation, and adding employees to critical areas — all of which represents cybersecurity risk, which requires increased spending on defenses.

"Both the size of the overall tech spending pie was expected to increase, in addition to the security slice of the pie getting a bit larger," Tsai says. "Inflation will certainly be a factor influencing many 2023 budget increases, but it won't be the top reason driving budget growth."

Cybersecurity Consolidation Continues, Even as Valuations Stall

More than 1,000 systems are exposed to a campaign hunting weak Windows servers and more.

The "Bleed You" campaign is trying to take advantage of a known remote code execution (RCE) vulnerability in Windows Internet Key Exchange (IKE) Protocol Extensions, and more than 1,000 systems are unpatched and vulnerable to compromise. 

The critical flaw, tracked as CVE-2022-34721, has been under active attack since September, a new report from Cyfirma warns, affecting vulnerable Windows OS, Windows Servers, along with Windows protocol and services. Once they achieve compromise the threat actors move laterally to deploy ransomware and other malware, the team observed.

The threat actors speak Mandarin but also have ties to the Russian cybercriminals, according to Cyfirma, which adds that the attacks aren't limited to a specific sector with targets across retail, government, IT services, and more. Victims likewise were spread across a number of mostly Western countries, including Canada, the UK, and the US. 

"Attackers are actively exploiting vulnerable Windows Server machines via the IKE and AuthIP IPsec Keying Modules by exporting this bug. Users are recommended to apply patches and fixes as soon as possible to reduce the severity of exploitation of the vulnerability," Cyfirma's researchers advised. "The researchers observed that unknown hackers are sharing the exploit link on the underground forums as well." 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Cyber-Threat Group Targets Critical RCE Vulnerability in 'Bleed You' Campaign

A worldwide operation aimed at curtailing fraud has led to the arrest of 975 suspects and the seizure of nearly $130 million, as Interpol expands its efforts and brings new tools to its investigations.

A wide-ranging international operation by law enforcement agencies in 30 countries aiming to prosecute online fraudsters has resulted in nearly a thousand arrests and a net of $130 million in seized virtual assets.

Interpol's National Central Bureaus (NCBs) collaborated with local authorities to pursue arrests. Interpol announced that the linked investigations, dubbed Operation Haechi III, tracked cyber-enabled financial crimes and money laundering in 30 countries. The investigations, which took place between June 28 and Nov. 23, intercepted money transfers and virtual assets, leading to the arrest of 975 suspects in the last five months.

The ability to recover funds quickly will cut into cybercriminal profits, an important deterrence, says Ed Cabrera, chief cybersecurity officer at endpoint security firm Trend Micro.

“Illicit financial transactions are the lifeline of all cyber-enabled crimes," he says. "Having the capability to quickly track, seize and return illicit funds to their victims not only can it make victims whole, but it is an incredibly disruptive tool for law enforcement."

The effectiveness of the effort highlights the need for cross-border collaboration, Hyung Se Lee, the head of Interpol's National Central Bureau in Seoul, said in a statement announcing the operation.

"As we look to the future, we recognize the importance for decisive and concerted law enforcement action across borders," he said, noting that the ongoing operation shows the international community's "dedicated coordination and the strong commitment of participating countries."

The operation is the latest Interpol effort to pursue fraudsters and the money trails that they leave behind. In June, the international law enforcement agency announced the arrest of 2,000 suspects and the seizure of more than $50 million stolen by fraudsters using a variety of social engineering schemes. The previous month, Interpol arrested the suspected head of a massive business email compromise (BEC) gang, who had fled arrest in 2021.

A year ago, Interpol announced the arrests of 1,003 people and the seizure of $27 million during Operation Haechi II, the second program in a three-year initiative aimed at curtailing specific types of online fraud, such as online financial crime trends, impersonation scams, romance frauds, sextortion, and investment fraud.

"Online scams like those leveraging malicious apps evolve as quickly as the cultural trends they opportunistically exploit," José De Gracia, assistant director of criminal networks at Interpol, said in a statement at the time. "Sharing information on emerging threats is vital to the ability of police to protect the victims of online financial crime. It also lets police know that no country is alone in this fight."  

**Encrypted Messaging, Massive Ponzi Schemes**

The wide range of fraud fraudsters pursued by Interpol included two Red Notice fugitives accused of stealing $29 million in a Ponzi scheme affecting South Korea, cybercriminals in India impersonating Interpol officers to defraud victims, and fraudsters that stole more than $1.2 million from victims in Ireland, according to the announcement. A Red Notice is an international request for local authorities to arrest a suspect.

Many of the cybercriminal groups exchanged information and cryptocurrency over encrypted chat messaging applications, the investigation found. 

Among the countries that cooperated in the Haechi III operation are Australia, France, Hong Kong (China), India, Indonesia, Ireland, Japan, Korea, Kyrgyzstan, Laos, Philippines, Poland, Singapore, Spain, Thailand, the United Arab Emirates, the United Kingdom, and the United States.

Interpol, along with Afripol, also announced an Africa-centric effort — the Africa Cyber Surge Operation — involving 27 countries collaborating over the past four months. The efforts resulted in the takedown of a dark market in Eritrea, investigations into cryptocurrency scams in Cameroon, and the arrest of the operators of malicious cyber infrastructure used for botnets, phishing campaigns, and online extortion.

In addition to national government, Interpol credited private-sector partners with helping out, including British Telecom, the Cyber Defense Institute, Fortinet’s FortiGuard Labs, Group-IB, Kaspersky, Palo Alto Networks' Unit 42 team, Shadowserver, and Trend Micro.

**New Tools for Interpol**

As part of its fight against cybercriminals and their financial pipelines, Interpol announced a new tool last year known as the Anti-Money Laundering Rapid Response Protocol (ARRP), which establishes a procedure for quickly stopping criminals' theft of funds — and reversing transactions — before they have completed.

Under ARRP, cooperation channels between Interpol bureaus can be used to freeze the transfer of funds and intercept money before it makes its way into criminals' accounts. Often all, or the vast majority of, funds can be completely recovered.

"Intercepting the illicit proceeds of online financial crimes before they disappear into the pockets of money mules is a race against time," Jorge Luis Vargas Valencia, director general of the Colombian National Police, stated in last year's announcement, noting that "the high level of complexity of coordination with law enforcement units and banking institutions on the other side of the world" has traditionally made such efforts difficult.

Global Cyber-Enforcement Op Nets $130M, Says Interpol

The ransomware group is using Qakbot to make the initial point of entry before moving laterally within an organization’s network.

The Black Basta ransomware group is using Qakbot malware — also known as QBot or Pinkslipbot — to perpetrate an aggressive and widespread campaign using an .IMG file as the initial compromise vector.

More than 10 different customers have been targeted by the campaign in the last two weeks, mostly focused on companies based in the US.

According to a threat advisory posted by the Cybereason Global SOC (GSOC) on Nov. 23, the infections begin with either a spam or phishing email, which contain malicious URL links, with Black Basta deploying Qakbot as the primary method to maintain a presence on victims’ networks.

"In this latest campaign, the Black Basta ransomware gang is using Qakbot malware to create an initial point of entry and move laterally within an organization's network," the report noted.

While Qakbot started out as a banking Trojan, different groups have augmented its capabilities with additional modules, using it as an infostealer, a backdoor, and a downloader. Qakbot has also recently switched up its method of delivering its malicious payload — from JavaScript to VBS.

"We also observed the threat actor using Cobalt Strike during the compromise to gain remote access to the domain controller," the research team noted. "Finally, ransomware was deployed, and the attacker then disabled security mechanisms, such as EDR and antivirus programs."

The report singles out the swiftness with which the attacks are taking place, with ransomware deployed in less than half a day after obtaining domain administrator privileges in under two hours.

In more than one attack, the GSOC team observed the threat actor disabling DNS services, locking the victim out of the network, and making recovery more difficult.

"Given all of these observations, we recommend that security and detection teams keep an eye out for this campaign, since it can quickly lead to severe IT infrastructure damage," the report noted.

The report encourages organizations to identify and block malicious network connections, reset Active Directory access, engage incidence response, and cleanse compromised machines, which includes isolating and reimaging all infected machines.

**Qakbot Ramps Up Operations, Adding Capabilities**

The Qakbot group has recently ramped up its operations, infecting systems, installing attack frameworks, and selling access to other groups, including Black Basta.

In September, it resumed expanding its access-as-a-service network, successfully compromising hundreds of companies with common second-stage payloads, including Emotet malware and two popular attack platforms.

In June Qakbot operators were observed using DLL sideloading to deliver malware, a technique that places legitimate and malicious files together in a common directory to avoid detection.

**Black Basta Backed by FIN7**

Black Basta, one of this year's most prolific ransomware families, offers its ransomware-as-a-service (RaaS) offering in various underground forums, which means multiple operators have access to Black Basta in their toolset, making attribution difficult.

The group has been active since at least February, although it was only discovered two months later targeting VMware ESXi virtual machines running on enterprise Linux servers, encrypting files inside a targeted volumes folder. The group has targeted English-speaking countries on a global scale.

Evidence has recently emerged that FIN7, a financially motivated cybercrime organization estimated to have stolen well over $1.2 billion since surfacing in 2012, is behind Black Basta, according to researchers at SentinelOne.

Black Basta Gang Deploys Qakbot Malware in Aggressive Cyber Campaign

Meta has been found in violation of Europe's GDPR rules requiring the social media giant to protect user data by "design and default."

Following the discovery of a data set of Facebook user personal data available on the Internet, the European Union's Data Protection Commission (DPC) has found Meta Platforms Ireland Ltd. (MPIL) in violation of General Data Protection Regulation rules, fining the platform $275 million (€265 million), and requiring the company to make cybersecurity changes. 

The breached personal data was first discovered in April 2021, and followed by the launch of a DPC investigation, the regulator explained in an announcement of its findings. DPC reported that Facebook was out of compliance with the GDPR regulation to provide "data protection by design and default." As a result a threat actor was able to use "data scraping" to exfiltrate massive amounts of collated personal user data, the DPC said.

"The decision imposed a reprimand and an order requiring MPIL to bring its processing into compliance by taking a range of specified remedial actions within a particular timeframe," the DPC ruled. "In addition, the decision has imposed administrative fines totaling €265 million on MPIL." 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

$275M Fine for Meta After Facebook Data Scrape

KnowBe4 empowers end users by introducing security awareness and compliance training on the go at no additional cost.

**TAMPA, Fla., Nov. 28, 2022 /PRNewswire/** — KnowBe4, the provider of the world's largest security awareness training and simulated phishing platform, today announced it is launching the new KnowBe4 Mobile Learner App to empower end users by introducing security awareness and compliance training on the go at no additional cost to customers, improving user engagement and strengthening security culture.

With a large majority of the world's population using smartphones today, mobile training revolutionizes the way people learn. This new app will enable end users to complete their security awareness and compliance training conveniently from their tablets or smartphones, giving them 24/7/365 access.

"The KnowBe4 Mobile Learner App is the first of its kind to launch in the security awareness and compliance training space, making it easier than ever to train users while subsequently strengthening an organization's security culture," said Stu Sjouwerman, CEO, KnowBe4. "This new app will enable IT and security teams to improve engagement and completion rates for required training thanks to a seamless user experience. This will also help users to associate security with their personal devices, keeping it top of mind all the time rather than only when they are at work on their computers. We are making this substantial new capability available at no additional cost to all subscription levels as a show of our commitment to supporting our customers' security and human risk management objectives."

Based on subscription levels, KnowBe4 offers 100+ Mobile-First training modules that were designed specifically for mobile. The KnowBe4 Learner App supports push notifications for custom announcements, and updates on assigned training as well as KnowBe4 newsletters.

The app is available for iOS and Android, and free to all KnowBe4 customers with a KnowBe4 training platform subscription. For more information, visit https://www.knowbe4.com/mobile-learner-app.

**About KnowBe4**

KnowBe4, the provider of the world's largest security awareness training and simulated phishing platform, is used by more than 54,000 organizations around the globe. Founded by IT and data security specialist Stu Sjouwerman, KnowBe4 helps organizations address the human element of security by raising awareness about ransomware, CEO fraud and other social engineering tactics through a new-school approach to awareness training on security. Kevin Mitnick, an internationally recognized cybersecurity specialist and KnowBe4's Chief Hacking Officer, helped design the KnowBe4 training based on his well-documented social engineering tactics. Tens of thousands of organizations rely on KnowBe4 to mobilize their end users as their last line of defense.

SOURCE: KnowBe4

KnowBe4 Launches New Mobile Learner App for Cybersecurity Learning

The DLMS-compatible, zero-trust meter-level security is built into the Renesas smart meter solutions, enabling smart meter manufacturers to get to market faster with built-in advanced security solutions.

**HOD HASHARON, Israel, Nov. 28, 2022 /PRNewswire/** — NanoLock Security, a leading cybersecurity provider for IIoT and OT devices and machines, today announces built-in, zero-trust meter-level cyber security protection for Renesas Electronics Corp. customers' smart meter products.

As the global energy economy worsens and cyberthreats like energy fraud and theft grow more frequent, Renesas' customers in meter manufacturing will now have NanoLock Security's DLMS compatible, zero-trust cyber protection built-in to their meters with no impact on performance, functionality, or deployment speed, giving them a significant competitive advantage.

This new solution gives Renesas' customers, renowned smart meter manufacturers, the ability to quickly build a product that is secure from all attack vectors, including insider manipulation and human error, without any disruptions to meter operations or product time to market.

"Edge devices like advanced metering infrastructure (AMI) are vulnerable targets for cyber attackers and can compromise service integrity, revenue, and safety," said David Stroud, Chief Revenue Officer, NanoLock Security. "With our meter-level protection built into Renesas metering solutions, Renesas customers can now bring secure and tamper-proof smart meters to the market faster, a critical edge in a hotly competitive industry."

NanoLock will be exhibiting the new solution at the Enlit Europe show in Frankfurt Germany at Altlatica Booth #12.1.C132.

To find out how manufacturers can get the new Renesas MCUs into their smart meters, visit the Renesas RL78 Partner page. To learn more about NanoLock, visit NanoLockSecurity.com.

**About NanoLoc****k Security**

NanoLock Security protects the operational integrity of connected devices, smart meters, and machines against cyber events and human error to maintain business continuity, improve safety and safeguard revenues.

Trusted by critical infrastructure customers, such as utilities, industrial and manufacturing companies, NanoLock Security protects power generation and energy management, industrial, water and wastewater plants, as well as food & beverage manufacturing, while ensuring compliance with international security standards and guidelines. NanoLock is headquartered in Israel with offices in the US, Europe, and Japan. Visit www.nanolocksecurity.com for more information and follow NanoLock on Twitter and LinkedIn.

SOURCE: NanoLock Security

Source

DARKReading