A nasty SSRF bug in Web Services plagues a laundry list of enterprise printers.

A critical security vulnerability allowing remote code execution (RCE) affects more than 120 different Lexmark printer models, the manufacturer warned this week.

And, there's proof of concept (PoC) exploit code circulating publicly, it added — though so far, in-the-wild attacks have yet to materialize.

The bug (CVE-2023-23560), which carries a score of 9 out of 10 on the CVSS vulnerability-severity scale, is a server-side request forgery (SSRF) vulnerability in the "Web Services feature of newer Lexmark devices," according to the print giant's advisory (PDF).

The printers have an embedded Web server that allows users to view and remotely configure printer settings via an Internet portal. In a typical SSRF attack, an attacker can take over such a server and force it to make a connection either to internal resources housing sensitive information; or to external systems serving malware (or harvesting things like tokens and credentials).

Enterprise printers are a stealth entryway for threat actors into enterprise environments — but are often overlooked by IT security. However, as the community saw with the now-infamous "PrintNightmare" RCE flaw in Microsoft's Windows Print Spooler that sent security teams scrambling, they often have privileged access to internal resources, and that can be problematic.

Lexmark has issued a firmware patch and noted that disabling Web Services on TCP port 65002 altogether will also do the trick for protection.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Critical RCE Lexmark Printer Bug Has Public Exploit

Google has mounted a massive takedown, but Dragonbridge's extensive capabilities for generating and distributing vast amounts of largely spammy content calls into question the motivation behind the group.

Google's Threat Analysis Group (TAG) spent 2022 working to disrupt the online presence of pro-Chinese influence operation (IO) Dragonbridge (aka Spamoflage Dragon) in 2022, wiping out more than 50,000 instances of activity across Twitter, YouTube, Blogger, and other channels.

The report added that despite producing plenty of content, Dragonbridge failed to attract an organic audience, mainly due to the low-quality, nonsensical nature of the content, which mostly consists of apolitical, spammy, often nonsensical clips of sports, food, or animals.

Also, "blurry visuals, garbled audio, poor translations, malapropisms, and mispronunciations are also common," the report noted. "The content is often hastily produced and error-prone — for example, neglecting to remove Lorem Ipsum text from a video."

Of the 56,771 YouTube channels created by Dragonbridge and deactivated by TAG last year, nearly 60% of the channels had zero subscribers and 42% of the videos posted on these channels had zero views.

Roughly 95% of Blogger blogs received 10 or fewer views, and more than 96% of the posts had zero comments.

The report said it has closed 100,960 accounts across multiple channels, including YouTube, Blogger, and AdSense over the operation's lifetime.

The group does generate some pro-China, anti-US messaging, in Mandarin, English, and other languages: For instance, while the pro-China content praises the country's COVID-19 pandemic response, it criticizes the US for meddling in international affairs, with one video portraying voting as useless. But these themes represent a small fraction of the content.

Despite the nearly nonexistent levels of engagement, Dragonbridge continues to experiment with content formats and attempts to improve the general low quality of its efforts, the report noted.

Dragonbridge joins other China-based IO campaigns, including HaiEnergy, a fake-news influence campaign leveraging at least 72 inauthentic news sites to push content strategically aligned with the political interests of the country.

These operations can be dangerous: In the US, for instance, disinformation campaigns were deployed around last year's midterm elections in an attempt to change attitudes of undecided voters and energizing supporters to get out and vote.

Google TAG researchers say that Dragonbridge likewise has the capability to become a more potent threat.

**Ramping Up Activity During Political Flashpoints**

Dragonbridge activity ramped up in July 2022 following US House Speaker Nancy Pelosi's announcement of a possible visit to Taiwan, with the group's rhetoric growing more belligerent as the Chinese People’s Liberation Army (PLA) prepared drills around the island.

Dragonbridge "displayed unusually coherent behavior in using uniform hashtags and titles across channels, while swiftly and repeatedly uploading topical, high-production-value content that was not interspersed with the usual misdirecting spam," the report noted.

Despite the lack of community engagement and seemingly slipshod content, Dragonbridge manages an extensive network of Google accounts that it likely obtains from bulk account sellers, which had been previously acquired for financially motivated activity before going dormant.

The report also noted that Dragonbridge is experimenting with higher-quality forms of content with real human voices instead of computer-generated narration, more sophisticated "news-like" chat formats, and animated political segments.

The persistent level of content distribution and the network's attempts at innovation when it comes to tactics and techniques are a continued cause for concern, TAG noted.

**Dragonbridge to Nowhere?**

"What's interesting is that nobody is questioning the volume of resources expended to address this," says Andrew Barratt, vice president at Coalfire, a provider of cybersecurity advisory services. "This could be mechanism used as part of a bait-and-switch style scam, keeping Google busy with lots of takedowns — this content is clearly not being watched."

Mike Parkin, senior technical engineer at Vulcan Cyber, a provider of software-as-a-service (SaaS) for enterprise cyber-risk remediation, adds while it may not appear successful, there are plenty of people out there who will fall for even the most outrageous misinformation.

"While these appear ineffective, even against the gullible, there's a good probability that there are a lot of them out there that are more successful and have managed to evade deletion," he says.

Parkin adds there are multiple possible reasons for doing what the group seems to be doing, from simply wasting resources to using these obviously spammy accounts for training a machine learning model on how to avoid being identified and removed.

Barratt agrees Dragonbridge's relentless onslaught could just be an indication of capability, showing that the group can find ways to drain Google's resources using its own tools against it.

"The level and depth of effort here goes way beyond the traditional script-kiddie disruptions, indicating it could even be a group looking to show off capabilities," he adds. "Nobody seems to be saying directly that it's a state-sponsored endeavor, which could perhaps be to wave off further political tensions."

Parkin cautions that while It looks like the threat is "script-kiddie level", that may be a mask for something more subtle.

"While it may not be an actively state-sponsored group, the sheer volume does imply more resources than the typical script kiddies can pull together," he says.

Barratt points out that with access to major cloud providers, scale is easily achievable by anyone — but the interesting piece of this is that a lot of the real cost is absorbed by the platforms being focused on.

"Custom bot development can spin up accounts, drop content, and then move to promote it; \[it is really a small expense for Dragonbridge\] compared with the cost of hosting the video, reviewing it, and taking it down," he says. "It's a very high return on investment if you measure your returns in the cost your adversary faces."

From his perspective, this is more likely to be a disinformation equivalent of performing military maneuvers at the border.

"Someone is showing someone else what they can do and how hard it is to stop," he says.

Parkin adds it's possible to programmatically create multiple accounts, post videos, and cross-link them all in the comments.

"If that’s how it's being done, then it doesn't take massive resources, and it's possible a small group with the right skills could pull it off," he says. "But without looking at Google's data, it's hard to say whether that's what was done here."

Dark Reading reached out to Google TAG for clarification, and will update this post with any additional information.

Google: Influence Operator Dragonbridge Floods Social Media in Sprawling Cyber Campaign

An academic analysis of website defacement behavior by 241 new hackers shows there are four clear trajectories they can take in future, researchers say.

Tracking malicious hackers' early activities using open source intelligence can offer substantial clues about the likelihood of their becoming a persistent threat in the future, two university researchers claimed in a report this week.

That knowledge can help guide early intervention efforts to nudge fledgling hackers off their criminal trajectories, they noted.

Christian Howell, assistant professor in the Department of Criminology at the University of South Florida, and David Maimon, a professor at Georgia State University's Department of Criminal Justice & Criminology, recently tracked 241 new hackers engaged in website defacements for a period of one year.

**Early Intervention for Fledgling Hackers**

Howell and Maimon identified hackers as new for their study based on information the individuals posted on Zone-H, a platform that malicious actors widely use to report website defacements. Hackers basically upload evidence of their attack, including their moniker, the defaced website's domain name, and an image of the defaced content to Zone-H. Once administrators there verify the content, they post the information to the archive, where it is publicly viewable. Zone-H currently maintains records of more than 15 million attacks that have resulted in website defacements over the years.

The two researchers tracked each of the hackers for a period of 52 weeks from their first disclosed website defacement on Zone-H. Because many attackers use the same online aliases across platforms to establish their reputation and status, the researchers were able track them across multiple environments, including social media channels such as Facebook, Twitter, Telegram, and YouTube.

"Based on a hacker's behavior in the first few months of their career, you can predict where they are going to be further on in their career," Maimon says. "We can definitely nudge these actors away from a life of cybercrime," by intervening early, he adds.

Maimon points to previous research that he was part of, along with Howell and another researcher, that showed early intervention can have an impact on budding criminal behavior. In the study, the researchers — purporting to be hackers themselves — sent direct messages to a selected group of hackers about alleged lawenforcement efforts targeting those involved in defacement activity. The messages prompted many of those who received them to cut back their defacement activity, apparently out of concern about law enforcement tracking them down, he says.

**Four Distinct Trajectories**

They collected information about the total number of attacks that each hacker carried out during the one-year period, analyzed the content of their website defacements, and gathered open source intelligence about the hackers from social media and underground sites and forums.

The data showed that 241 hackers defaced a total of 39,428 websites in the first year of their malicious hacking careers. An analysis of their behavior revealed that new hackers follow one of four trajectories: low threat, natural desisting, increasingly prolific, and persistent.

A plurality of the new hackers (28.8%) fell into the low-threat category, which basically meant they engaged in very few defacements and did not increase their attack frequency through the year. Some 23.9% were naturally desisting, meaning they began their careers with substantial velocity but then appeared to lose interest quickly. Hackers in this category included politically motivated hacktivists who likely lose sight or got bored of their cause, the researchers surmised.

Hackers in the more troublesome categories were the 25.8% who engaged in an increasing number of attacks over the course of the year and the 21.5% in the persistent category who started with a substantial number of attacks and maintained that level through the year.

"Increasingly prolific hackers engage in more attacks as they advance in their career, while persistent threats continually engage in a large number of attacks. Both are problematic for system admins," Howell says. He notes that it's hard to say for sure what percentage of the hackers in the study engaged in other forms of cybercrime besides website defacements. "But I found several selling hacking services on the Dark Web. I suspect most — if not all — engage in other forms of hacking."

**Telltale Signs**

The two researchers found that hackers who had a high level of engagement on social media platforms and reported their website defacements to multiple archives tended to also be the more persistent and prolific actors. They also tended to disclose their aliases and ways to contact them on sites they defaced. Howell and Maimon chalked the behavior up to attempts by these actors to establish their brand as they prepared for a long-term career in cybercrime. 

Often, these actors also indicated they were part of broader teams or became part of a broader group. "New hackers are typically recruited by existing teams with more sophisticated members," Howell says.

The study showed that cyber intelligence from publicly available sources is useful in forecasting both threats and emerging threat actors, Howell says. He notes that the focus now is on developing AI algorithms that can help improve these forecasts going forward.

How Noob Website Hackers Can Become Persistent Threats

OpenAI's chatbot has the promise to revolutionize how security practitioners work.

ChatGPT took the world by storm after OpenAI opened it for testing on Nov. 30, 2022. For an industry calloused by years of largely unsatisfying AI and machine learning "innovations," the reactions have been quite telling. Like many who are excited by its potential, I believe this is finally the moment of clarity for how truly revolutionary AI can be for information security.

It's also quite sobering, as there are already countless examples of how it changes the game for black hats of all stripes. In one of the first proofs-of-concept, NYU professor Brendan Dolan-Gavitt used ChatGPT to exploit a buffer overflow vulnerability. Other examples include writing malware with lightning speed and crafting convincing, grammatically correct phishing emails.

The weaponization of AI within cybersecurity is not new, but what excites me the most about ChatGPT is its potential for closing information security's biggest gap: the lack of sufficient talent, in both breadth and depth of cybersecurity skills (i.e., specializations). To illustrate this further, here are three ways ChatGPT will change infosec in 2023.

**Advancing Crowdsourced Threat Intelligence**

For quite some time, one of the industry's holy grails has been successfully crowdsourcing threat intelligence. The promise stems from the ability to see what's happening across a wide swath of companies within a single vertical industry. Unfortunately, the greatest impediment has been the lack of trust between organizations to share the intelligence.

This is the problem that the array of ISACs across industries have been trying to solve — with mixed results. Going forward, an information sharing and analysis center (ISAC) could take an iteration of the ChatGPT model with its natural language interface and feed it log data submitted by ISAC constituents, based on implicit trust within the group. The ISAC could then use ChatGPT to correlate network connections, categories of malicious IP addresses and domains, and similar behaviors. The results could produce a set of IDS rules that the ISAC constituents should implement to protect themselves from threats. The ISAC also would gain insight into the overall risk posture of the industry it represents.

**Doing More With Existing Resources**

The uncertain economy is putting pressure on security organizations to implement hiring freezes to squeeze more productivity out of existing resources. ChatGPT can be extremely beneficial here as a force multiplier that enables one analyst to do the job of multiple people.

Generalists and entry-level staff can describe what they are seeing in alerts and detections, and then ask ChatGPT to decipher their observations to jumpstart the triage process. A specific example is helping with practitioners' daily de-obfuscation of suspected malicious code, which typically takes an hour or more. It now can be performed in seconds.

ChatGPT also has the potential to transform incident response. A team can use the existing model and natural language processing to feed all available data about an incident and describe the rationale for a potential response. ChatGPT could then immediately prove or disprove a theory about a compromise. Today, that involves several days of work by an incident response lead, an engineer, and several analysts to fully resolve an incident. I can foresee a future where the process doesn't need an analyst at all.

**Taking the Malware Cat-and-Mouse Game to a New Level**

Today, adversaries generate 100 million new malware samples per year. Because they all require manual coding, it is still a finite, manageable amount for signature detection. With ChatGPT, however, a hacker can say, "Here's what I'm trying to do, and here's the OS I'm trying to do it on," and it can generate hundreds of thousands of iterations of one piece of malware.

This will mean that the detection engines' ML models must be recomputed faster. It's far more complicated, because they're working against a much larger data set. Fortunately, ChatGPT will supercharge the reverse-engineering process and give anti-malware efforts a fighting chance.

For instance, a significant reverse engineering challenge is working with a generic file name, which doesn't provide necessary context about where it was found. This requires much more manual work to identify the system for which it was built. There are minor changes in binary assembly that have marked changes on the end result — e.g., was it written for a 32-bit or 64-bit architecture? Is the system using Little Endian or Big Endian? The answers determine the direction in which you read the machine language (forward or backward).

All these efforts require trial and error if you have no context. ChatGPT can run through these iterations at blazing speed and give reverse engineers the final assembly language and process it from there. They can take it further and have ChatGPT tell them what it thinks the application is doing — in natural language. More importantly, ChatGPT could do all of this at scale, analyzing hundreds of thousands of binary samples and proving insights to an analyst.

It also can help fight back against common cat-and-mouse techniques. For example, malware often contains anti-reverse engineering techniques, such as nested loops, to make it much harder for reverse engineers to keep track of what is happening and the end state. ChatGPT can figure that out much faster than humans. It also can analyze the genetic code of the malware and see where there may be code reuse to identify the fingerprint of the author more quickly.

**Long-Term Implications**

Whenever new advances in AI come to fore, there is the inevitable concern about whether it will replace humans and their jobs. I don't believe ChatGPT will make this happen, but it will make us more powerful consumers of information. The force multiplier effect will be profound at all levels. I can see CISOs feeding it a set of information about its risk register for it to return policies and procedures, incident response plans, and more — all tailored to their environments.

While ChatGPT is only a research preview, I share the excitement of my industry colleagues about its promise to revolutionize how security practitioners work.

3 Ways ChatGPT Will Change Infosec in 2023

Highlighting continued attacks on game developers, attackers stole source code from and issued a ransom demand to the maker of League of Legends.

Cyberattackers have compromised and demanded a ransom from Riot Games, the developer behind the popular League of Legends game, in the latest attack to target video-game makers.

In a series of posts on Twitter, Riot Games acknowledged the breach this week and confirmed that the attackers had exfiltrated source code for the League of Legends (aka LoL) and Teamfight Tactics (TFT) games, as well as source code for an older anti-cheat platform. The attackers issued a ransom demand for $10 million, threatening to otherwise release the source code.

The attack disrupted Riot Games' development environment but appears to have failed to compromise player data, the company stated.

"We've made a lot of progress since last week and we believe we’ll have things repaired later in the week, which will allow us to remain on our regular patch cadence going forward," the company said on Twitter. "The League and TFT teams will update you soon on what this means for each game."

Riot Games joins other major video-game makers as a victim of online attackers. In September, Take Two Interactive's Rockstar Games — the maker of Grand Theft Auto — acknowledged that an unknown third party had compromised its network and gained access to videos and files for its coming Grand Theft Auto 6. And in 2021, cybercriminals used social engineering to gain access to the Slack channel for developers at Electronic Arts, giving them access to source code for the company's FIFA 21 and Battlefield franchises.

More recently, Rockstar Games has scrambled over the past week to deal with hackers exploiting vulnerabilities in the PC version of its Grand Theft Auto Online.

Industry analysts estimate that more than half of the US population plays games, with games on mobile devices about twice as popular as those on PCs or consoles. And attackers go where the people are, Tonia Dudley, CISO at Cofense, said in a statement to Dark Reading.

"In recent years, the gaming sector has become an increasingly popular target for cybercriminals," she said. "As investments in everything from e-sports to video games have increased, cyberattacks — particularly distributed denial-of-service (DDoS) attacks — have skyrocketed."

**Cyberattackers Playing Games**

Part of the reason that attackers focus on video-game makers is the large overlap between gamer and hacker interests. For instance, some are driven by a desire to find cheats to gain an advantage in online play. 

Attacks targeting online gamers typically make up a plurality of DDoS attacks detected each year and accounted for 46% of all attacks in 2020.

Cybercriminals also often target game makers that, arguably, have alienated their fan bases. In February 2021, for example, hackers targeted CD Projekt Red — the maker of the Witcher and Cyberpunk 2077 video games — because they were angry with the buggy state of the Cyberpunk 2077 game.

Yet games also make good platforms to distribute malware. Pirated games are often a vector for opportunistic malware. With most games connected to, and downloading data from, the Internet, games and their online services make ideal vectors of attack, says Boris Larin, lead security researcher at Kaspersky’s Global Research and Analysis Team.

"\[T\]hey have compromised a victim's build environments to conduct supply chain attacks, \[which\] could be considered as a very effective strategy for infection of a large number of PCs with a single attack," he says. "Massive multiplayer online (MMO) games have large user bases, and those users expect to receive automatic updates, so if attackers Trojanize a game update, a very large portion of players will be infected all at once."

**No Pay to Play**

Riot Games' response to the attack highlights another trend in the industry: Victims of ransomware attacks are refusing to pay. Last week, digital currency trackers estimated that ransomware revenues fell nearly 40% to nearly $460 million, with the average attack returning less in revenue per transaction.

The cybercriminals behind the attack on Riot Games demanded $10 million to not release the company's source code, according to an article in Motherboard.

Riot Games had a simple response.

"Today, we received a ransom email," the company stated in its post to Twitter. "Needless to say, we won't pay."

Riot Games handled the notification aspect of the breach very well, laying everything out to its customers, noting that personal information was likely not compromised, and detailing what code had been stolen, according to Kaspersky's Larin.

"We think that Riot Games did the right thing choosing not to pay," he says. "If you become a victim, never pay the ransom. \[Paying\] will not guarantee you get your data back nor that it will not be leaked online, but it will encourage criminals to continue their business."

Riot Games plans to release a full report on the incident to the public, "detailing the attackers' techniques, the areas where Riot's security controls failed, and the steps we’re taking to ensure this doesn’t happen again," the company stated.

Riot Games Latest Video-Game Maker to Suffer Breach

Whether you dream of your child growing into a CISO or just want them to improve their security hygiene, consider this roundup of literary geekery.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

A Child's Garden of Cybersecurity

Hackers don't need a key to get past your defenses, if they can essentially teleport using RMMs, warns CISA and the NSA.

It has come to light that hackers cleverly utilized two off-the-shelf remote monitoring and management systems (RMMs) to breach multiple Federal Civilian Executive Branch (FCEB) agency networks in the US last summer.

On Jan. 25, the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint advisory detailing the attacks, warning the cybersecurity community about the malicious use of commercial RMM software, and offering mitigations and indicators of compromise to watch out for.

IT service providers use RMMs to remotely monitor and manage clients' networks and endpoints. But hackers can use the same software to bypass typical software control policies and authorization requirements on victim computers — as the US government found out.

**How Hackers Breached the Government With RMMs**

Last October, CISA conducted a retrospective analysis of Einstein — its intrusion detection system, deployed across FCEB agencies. The researchers found, perhaps, more than they'd bargained for.

In mid-June last year, hackers sent a phishing email to an FCEB employee's government address. The email prompted the employee to call a phone number. Calling the number prompted them to visit a malicious Web address: "myhelpcare.online."

Visiting the domain triggered the download of an executable, which then connected to a second domain, which is where two RMMs — AnyDesk and ScreenConnect (now ConnectWise Control) — came into play. The second domain didn't actually install AnyDesk and ScreenConnect clients onto the target's machine. Instead, it went backward: downloading the programs as self-contained, portable executables, configured to connect back to the threat actor's server.

Why does this matter? "Because," the authoring organizations explained, "portable executables do not require administrator privileges, they can allow execution of unapproved software even if a risk management control may be in place to audit or block the same software's installation on the network."

Having made a mockery of admin privileges and software controls, the threat actors could then use the executable "to attack other vulnerable machines within the local intranet or establish long term persistent access as a local user service."

It turns out, though, that the June compromise was merely the tip of an iceberg. Three months later, traffic was observed between a different FCEB network and a similar domain — "myhelpcare.cc" — and further analysis, the authors recalled, "identified related activity on many other FCEB networks."

Despite targeting government employees, the attackers appear to have been financially motivated. After connecting to target machines, they enticed victims to log in to their bank accounts, then "used their access through the RMM software to modify the recipient’s bank account summary," the authors wrote. "The falsely modified bank account summary showed the recipient was mistakenly refunded an excess amount of money. The actors then instructed the recipient to 'refund' this excess amount to the scam operator."

**Why Hackers Like RMMs**

Hackers have a long history of utilizing legitimate software for illegitimate ends. Most popular are red-team tools — like Cobalt Strike and Metasploit — which cyber defenders use to test their own systems but can be seamlessly applied in the same way in an adversarial context.

Even software with no obvious relationship with cybersecurity can be repurposed for evil. As just one example, North Korean hacking clusters have been observed hijacking email marketing services to send phishing lures past spam filters.

In this case, RMMs have become ubiquitous in recent years, allowing attackers who use them an easy way to hide in plain sight. More than anything, though, it's the degree of autonomy that RMMs require in order to perform their normal functions that hackers turn to their advantage.

"Many RMM systems use tools that are built into the operating system," Erich Kron, security awareness advocate at KnowBe4, explains to Dark Reading. "These, as well as purpose-built RMM tools, typically have very high levels of system access, making them very valuable to attackers."

"To add to the issue," Kron notes, "RMM tools are often excluded from security monitoring as they can trigger false positives and appear malicious and unusual when doing their legitimate work."

Added together, "it makes the activities much harder to spot as they blend in with normal computing operations," he adds. Organizations that manage to spot the difference will find further headaches in preventing malicious use of RMMs, while maintaining legitimate use of RMMs over the same systems.

It's no wonder, then, that more hackers are adopting these programs into their attack flows. In a Jan. 26 report covering their incident response findings from the fourth quarter of 2022, Cisco Talos made special note of Syncro, an RMM they encountered in nearly 30% of all engagements.

It was "a significant increase compared to previous quarters," Talos researchers explained. "Syncro was among many other remote access and management tools, including AnyDesk and SplashTop, that adversaries leveraged to establish and maintain remote access to compromised hosts."

To conclude their notice, the NSA, CISA, and MS-ISAC suggested steps that network defenders can take to combat RMM-enabled attacks, including:

*   Good hygiene and awareness around phishing,
*   Identifying remote access software on your network and whether it's only being loaded into memory,
*   Implementing controls against, and auditing for, unauthorized RMMs running as a portable executable,
*   Requiring that RMMs only ever be used over approved virtual private networks and virtual desktop interfaces, and
*   Blocking connections on common RMM ports and protocols at the network perimeter.

Federal Agencies Infested by Cyberattackers via Legit Remote Management Systems

The accused sold an enormous data set stolen from the Austrian radio and television licensing authority — to an undercover cop.

The stolen personal information of tens of millions of people from across the world was put up for sale on a cybercrime forum by a 25-year-old from the Netherlands, according to authorities.

He's now in custody after he sold it to an undercover Austrian cop, Dutch prosecutors said.

The data was lifted from an Austrian radio and television licensing agency and contained personal data on residents of Britain, China, Colombia, Thailand, and the Netherlands, Dutch prosecutors allege.

The unnamed accused, who lives in Amsterdam, has been in Dutch custody for three months, according to reports, but the arrest was just made public this week.

"The man is suspected of trading the personal details of tens of millions of people, stolen from all over the world," Dutch prosecutors told Agence France-Presse.

The suspect faces charges related to stealing personal data, breaking into computer systems, and laundering cryptocurrency.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Dutchman Detained for Dealing Details of Tens of Millions of People

A vulnerability within Microsoft's OAuth application registration allows an attacker to create hidden forwarding rules that act as a malicious SaaS rootkit.

Microsoft is a primary target for threat actors, who scour Microsoft applications for weaknesses. Our security research team at Adaptive Shield recently discovered a new attack vector caused by a vulnerability within Microsoft's OAuth application registration that allows attackers to leverage Exchange's legacy API to create hidden forwarding rules in Microsoft 365 mailboxes.

To understand this new attack vector, you must understand the key components therein. These include hidden forwarding rules and SaaS-to-SaaS app access, all of which amount to a malicious SaaS rootkit that can infiltrate users' accounts and control their mailboxes — without the users' knowledge.

Learn more about the top use cases to secure your entire SaaS stack.

**Hidden Forwarding Rules**

Inbox rules are actions that occur based on preset conditions within a Microsoft mailbox. Users or admins can use forwarding rules to trigger protocols based on different attributes of the user's inbox.

Hidden forwarding rules (Figure 1) were first discovered by Compass Security's Damian Pflammater in 2018. He covered the discovery and Microsoft’s response in a blog post titled "Hidden Inbox Rules in Microsoft Exchange." These rules are fully functional and can be seen on the back end. However, they are not visible common interfaces such as email clients, an admin dashboard, or an API (Figure 2).

    

Figure 1. Hidden forwarding rules are visible on the back end.

    

Figure 2. Forwarding rules don’t appear in searches through common interfaces.

**SaaS-to-SaaS Access Through OAuth 2.0**

SaaS-to-SaaS app access, also referred to as third-party app access, describes the conditions under which one app can connect to another app and, in doing so, gain access and permission to different information and settings. The OAuth 2.0 mechanism simplifies the process of authentication and authorization between consumers and service providers through a seamless process that allows users to quickly verify their identities and grant permissions to the app. The app is then allowed to execute code and perform logic within its environment behind the scenes.

In many instances, these apps are completely harmless and often serve as a valuable business tool. In other instances, these apps can act as malware, similar to an executable file.

    

Figure 3. Connecting third-party apps.

**The Next Evolution: An Attack Method Through SaaS**

With this SaaS rootkit, threat actors can create malware that lives as a SaaS app and can infiltrate and maintain access to a user's account while going unnoticed.

While bad actors can't find Exchange Legacy scopes that can used to add programmatically online hidden forwarding in the Microsoft UI, they can add them through a terminal script.

The attacker's job is simple: Create an app that looks credible, add the legacy scope protocols removed from the UI to the app (exploiting the vulnerability that the Adaptive Shield team uncovered), and send an offer to users to connect to it. The user will see an OAuth app dialogue box on the official Microsoft site, and many will likely accept it (Figure 4).

    

Figure 4. This screen shows a fake app permissions request.

Once a user accepts, the bad actor receives a token that grants permission to create forwarding rules and hides them from the user interface like a rootkit.

An attack through these hidden forwarding rules should not be mistaken for a one-off attack but, rather, the start of a new attack method through SaaS apps.

**Microsoft Response**

In 2022, Adaptive Shield contacted Microsoft about the issue, Microsoft in response said that the issue has been flagged for future review by the product team as an opportunity to improve the security of the affected product.

**How to Best Mitigate a SaaS Rootkit Attack**

There's no bulletproof way to eliminate SaaS rootkit attacks but there are a few best practices that can help keep organizations more protected.

*   **Monitor third-party app access** and their permissions to ensure that apps are legitimate and given only the access they require.
*   **Track activities** and be on the lookout for new inbox rules to identify any new connections from untrusted domains.
*   **Disable third-party app registrations** where possible to reduce risk.

**Conclusion**

Hidden forwarding rules are still a threat, even more so when they appear through the trusted Microsoft website. The traditional controls that were created to stop malware have struggled to keep up with the evolution of malware and the new attack vector that can exploit any SaaS app, from M365 to Salesforce to G-Workspace, etc. Organizations should utilize native security configurations to control the OAuth application installations across SaaS apps to protect users from malicious attacks like these.

Get Forrester's SSPM Report, "Embrace aParadigm Shift In SaaS Protection: SaaS Security Posture Management."

**About the Author**

    

A former cybersecurity intelligence officer in the IDF, Maor Bin has over 16 years in cybersecurity leadership. In his career, he led SaaS Threat Detection Research at Proofpoint and won the operational excellence award during his IDI service. Maor got his B.Sc. in computer science and is CEO and co-founder of Adaptive Shield.

SaaS RootKit Exploits Hidden Rules in Microsoft 365

The US Department of Justice hacked into Hive's infrastructure, made off with hundreds of decryptors, and seized the gang's operations.

The Feds have disrupted the prolific Hive ransomware gang, saving victims from a collective $130 million in ransom demands. But it remains to be seen how much of a blow the effort will be to the overall ransomware landscape.

The group's operations have been buzzing with activity for months, racking up more than 1,500 victims in 80-plus countries around the world since it appeared in June 2021, according to an announcement from the US Justice Department. The gang has been operating with a ransomware-as-a-service (RaaS) model, engaging in data theft and double extortion, and delivering its venom indiscriminately to school districts, financial firms, critical infrastructure, and others. At least one affiliate has become a bit of a hospital specialist, disrupting patient care in some attacks.

In what officials called "a 21st-Century cyber-stakeout," the FBI has been infiltrating the gang's network infrastructure since last July and, perhaps most notably, has now seized its decryption keys.

"The FBI has provided over 300 decryption keys to Hive victims who were under attack," according to Thursday's announcement. "In addition, the FBI distributed over 1,000 additional decryption keys to previous Hive victims."

**Hive: Gone for Good?**

Aside from swiping the decryptors, the DoJ also worked with German law enforcement to execute a coordinated seizure of the group's command-and-control (C2) infrastructure (including two servers located in Los Angeles) and the group's Dark Web leak site, US Attorney General Merrick Garland said during a press conference.

The actions could have a significant effect on the volume of ransomware attacks, at least in the short term. According to Mandiant, Hive was the most prolific ransomware family that it dealt with in its incident response engagements, accounting for more than 15% of the ransomware intrusions that it responded to.

That said, while the strike will certainly be a blow to the gang, it's unlikely that its affiliates and members will be dormant for long. As with other high-profile takedowns such as those of Conti and REvil, it's likely that they will simply join other teams or regroup to sting another day.

"We've seen multiple actors using Hive ransomware since it emerged, but the most prolific actor over the past year, based on our visibility, was UNC2727," Kimberly Goody, senior manager at Mandiant Intelligence — Google Cloud, said in an email statement. "Hive also hasn't been the only ransomware in their toolkit; in the past we've seen them employ Conti and MountLocker, among others. This shows that some actors already have relationships within the broad ecosystem that could enable them to easily shift to using another brand as part of their operations."

**Ransomware Is Becoming Less Attractive**

Still, the ransomware game is getting tougher for operators, who are facing declining profit margins, lower valuations for cryptocurrency, intense law enforcement scrutiny, more victims having appropriate backups in place, and increasing refusals from targets to pay up. As such, researchers have seen an emerging trend of ransomware actors pursuing other avenues to make money.

Crane Hassold, former FBI cyber psychological operations analyst and head of research at Abnormal Security, said via email that this latest event is likely to add fuel to that phenomenon.

"It's very possible that we'll start to see ransomware actors pivot to other types of cyberattacks, like business email compromise (BEC)," he said. "BEC is the most financially impactful cyberthreat today and, instead of using their initial access malware to gain a foothold on a company's network, they could simply reconfigure the malware to establish access to employee mailboxes, which could lead to more scaled and sophisticated vendor email compromise attacks."

Source

DARKReading