The Evil Corp-linked malware family has undergone an evolution, becoming more obfuscated and "several times more complex," as the group behind it tests how far the worm can be spread.

Hacking groups are using a new version of the Raspberry Robin framework to attack Spanish and Portuguese-language based financial institutions — and it's complexity quotient has been significantly upgraded, researchers said this week.

According to a Jan. 2 report from cybersecurity firm Security Joes, the group has used the same QNAP server for several rounds of attacks — but victim data is no longer in plaintext but rather RC4-encrypted, and the downloader mechanism has been updated with new anti-analysis capabilities, including more obfuscation layers.

Raspberry Robin is a backdooring worm that infects PCs via Trojanized USB devices before spreading to other devices on a target's network, acting as a loader for other malware. Since being spotted nesting in corporate networks in May, it has gone on to rapidly infect thousands and thousands of endpoints — and the species is rapidly evolving.

The threat actor behind the worm is thought to be part of larger ecosystem facilitating preransomware activity and is considered one of the largest malware distribution platforms currently active. Researchers recently linked it to Evil Corp, for instance, thanks to its significant similarities to the Dridex malware loader.

"What is unique about the malware is that it is heavily obfuscated and highly complex to statically disassemble," the research team wrote.

**Upgraded Malware Version Takes Flight

In the latest iteration, the malware protection mechanism has been upgraded to deploy at least five layers of protection before the malicious code is deployed, including a first-stage packer to obscure the code of the next stages of the attack followed by a shellcode loader.

The next three layers include a second-stage loader DLL, intermediate shellcode, and finally the shellcode downloader. This complex framework makes the worm more difficult to detect and simultaneously eases lateral movement through networks, the researchers explained.

The research also indicated Raspberry Robin operators have began to collect more data about their victims than earlier reported.

"Not only did we discover a version of the malware that is several times more complex, but we also found that the C2 beaconing, which used to have a URL with a plain-text username and hostname, now has a robust RC4 encrypted payload," wrote senior threat researcher Felipe Duarte, who led the investigation.

In one case, the research team documented how a 7-Zip file was downloaded from the victim's browser, potentially from a malicious link or attachment that tricked the user into acting.

"Upon inspection, the archive was found to be an MSI installer that, when executed, drops several files onto the victim's machine," the report noted.

In a second case, the malicious payload was hosted on a Discord server, which was used by the threat actors to deliver malware onto the victim's machine, to avoid detection and bypass security controls.

"In the cases we investigated, threat actors decided to implement additional validations on their backend to have a better segmentation and visibility of their targets," the report noted. "This allows them to filter bots running in sandboxes, analyze environments and respond to any other circumstance that could interfere a segment of the botnet operation, to fix it in real-time."

****Raspberry Robin Makes the Rounds**

The threat is flighty, following a pattern of appearing, disappearing, then reappearing with significantly upgraded capabilities.

Security firm Red Canary first analyzed and named Raspberry Robin in May, noting that it was infecting targets via malicious USB drives and worming to other endpoints — but then remaining dormant.

Subsequent reports then found Raspberry Robin worm to have added 10 layers of obfuscation and fake payloads, in order to launch attacks against telecommunications companies and governments across Australia, Europe, and Latin America, according to a December research report from Trend Micro.

Soon after, it came to the attention of other researchers, including IBM Security and the Microsoft Security Threat Intelligence Center (MSTIC); the latter is monitoring the operators of the Raspberry Robin worm under the moniker DEV-0856.

Raspberry Robin Worm Hatches a Highly Complex Upgrade

The cybercriminals switch up carriers and SIM cards regularly, making it difficult for either mobile users or telecom companies to block the barrage of malicious calls and voicemails.

Chinese threat actors have been targeting Chinese-speaking students in the United Kingdom with a unique phone scam that aims to steal their personal information with repeated phone calls and voicemails that are hard for victims or carriers to block.

A group dubbed RedZei — or RedThief — calls victims once or twice a month from a unique UK-based phone number, leaving an "unusual" automated voicemail message if the receiver does not answer, revealed cybersecurity researcher Will Thomas in a blog post published just before the new year.

"I got the recorded voicemails and identified that they are almost certainly scam calls from Chinese-speaking fraudsters targeting Chinese international students at universities in the UK," he wrote in his post.

Thomas, who goes by BushidoToken on Twitter, said he's been tracking the campaign for more than a year, and has created a profile for the threat actors based on the calls and voicemails. RedZei chooses its targets carefully, seeming to know that these foreign students would be "a rich victim group that is ripe for exploitation," he wrote in the post.

What's more, once a victim is a target of the scam — which employs social engineering tactics to get students to give up personal information — it's difficult to block future attempts to compromise victims, Thomas said. That's because for each wave of scam calls, RedZei mainly uses a new pay-as-you-go UK-based phone number from one of the main mobile network operators, he explained.

"This essentially renders blocking the scammers phone numbers ineffective," Thomas wrote.

**The Scam Itself****

Phone call-based scams (aka "vishing" campaigns) are not unique in the cybercriminal world. Threat actors have been known to employ entire call centers to make malicious robocalls in attempts to defraud victims, impersonating banks and other trusted entities. In another version, scammers use emails or some other method of Internet-based contact to convince victims to make a phone call to, say, a bogus "tech support" number, where their personal information is harvested for malicious intent.

The RedZei campaign shares some similar tactics but also puts its own twist on the phone scam. It has used known enterprises, such as the Bank of China or China Mobile (CMLink), in socially engineered campaigns to try to fool the students to give up their personal details. But they use other scams as well, according to Thomas.

"Other themes exploited by RedZei includes the 'abnormal usage of your NHS number' and international parcels being delivered from DHL, which are both common concerns for Chinese students studying in the UK," he said.

Thomas doesn't speak Chinese and did not manage to have all the voicemails associated with the most recent campaign translated. He's posted the voicemails that he could not get verified by Chinese speakers to his SoundCloud account and included a GitHub link for people to use if they can translate the calls.

****Difficult to Mitigate****

Thomas included a list of numbers associated with the RedZei campaign in his post. The numbers are primarily +44 numbers — the country code for the United Kingdom — with one number from an Irish (+353) carrier and one from a Norwegian (+47) carrier.

O2 is the UK telecom carrier most often associated with the numbers the threat actors use to attempt to compromise victims, while EE and Three are also favored by RedZei. The Ireland-based number used a Tesco Mobile SIM card, while the Norwegian carrier used by the threat group was Telia, according to Thomas.

Just as victims are at a loss to do anything to stop the scam, carriers also are challenged to try to halt the activity because of the frequency with which RedZei changes carriers and thus SIM cards, Thomas noted.

There is also a language barrier, he said. "As the activity is also in Chinese, the carriers are less likely to investigate this campaign \[because of the\] additional effort required," Thomas wrote.

All in all, this does not bode well for victims of the scam, which won't see relief from the calls anytime soon, he said.

"The RedZei group, and others like it, are therefore effectively operating with impunity and will continue to do so for the foreseeable future," Thomas wrote.

**

Chinese 'RedZei' Group Batters Victims With Incessant Vishing Effort

Come up with a clever caption, and our panel of experts will reward the winner with a $25 Amazon gift card.

Upside down. Right-side up. Everything is just a matter of perspective. Maybe that's how cyberattackers justify their dirty work. What do you think? Come up with a fitting caption for the cartoon, above. Our favorite will win a $25 Amazon gift card.  

The contest closes on Wednesday, Jan. 25, 2023. Here are four convenient ways to submit your ideas:

*   Email _\[email protected\]_ with the subject line "The Edge January 2023 Toon."
*   Via social media: Twitter, Facebook, and LinkedIn.

**Last Month's Winner**

Congratulations go to Daniel E., whose caption for December's contest, "Not Your Average Bear," tickled Dark Reading editors' funny bones. Your prize is on the way!

    

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Name That Edge Toon: The Upside Down

The era of digital trust is broken, and constant vigilance is needed to get things back on track.

Most of the attention paid to cybersecurity by practitioners and the general public alike is to threats that are external, such as attackers and scammers acting individually or as part of a larger organization. But a pair of stories this month alleging insider abuse at Meta and Twitter have served as harsh reminders that sometimes the call is coming from inside the house.

Reportedly, employees at both companies have recently used internal workarounds or private channels to sell access to platforms and verification, in some instances for bribes, creating a precarious and unmoderated black market for people who have already been denied re-entry to the platforms by official mechanisms. Twitter employees, Elon Musk appeared to imply in a tweet shortly after taking over as CEO of the company, may have sold verification status to users off the books for as much as $15,000. The Wall Street Journal, meanwhile, reported that more than two dozen employees and third-party contractors at Meta abused an internal account recovery tool to restore accounts for people who otherwise had no recourse to recover an account.

Though some of the employees allegedly might have capitalized on their internal access to help a family member or a friend who lost their account, it's not outside the realm of possibility that a well-informed threat actor (nation-state or otherwise) could take advantage of the workaround to gain access to Facebook or Twitter, or even leverage their connection to an employee to gain access to company secrets.

Once active on the platform through their connection to a Meta employee, an attacker has free rein to continue their scams unabated. And if an employee is already abusing an internal mechanism to enable account recovery, they probably also have a dollar figure that they would accept in return for access to deeper company information or credentials, and not necessarily through their own free will.

**Employees as Unintentional Threats**

Employees who may think they're doing the right thing — with a little monetary incentive — by helping people bypass Meta's dead-end customer service ecosystem might unknowingly elevate attackers posing as normal users. Rising inflation over the past several months in the United States has also likely pushed employees everywhere — not just at Meta or Twitter — to be more susceptible to offers of extra cash or cryptocurrency in exchange for simply doing their job. Not all insider threats are created equal, but two of the world's largest social media firms seem to have enabled employees to become both active insider and unintentional insider threats.

Of course, the fact that employees at Meta and Twitter had the motivation to become insider threats isn't surprising. Insider threats, double agents, and moles existed in security modeling long before the cybersecurity industry was born. But that the black market behavior at Meta and Twitter was allegedly widespread and unchecked is another sign that the ability to trust anyone or anything online is diminishing rapidly, especially on Twitter, where Musk has disassembled and reassembled the company's previously longstanding verification system several times in just a few weeks.

At both companies, employees were allegedly abusing their privilege and access, but using the mechanisms to offer verification and account recovery as they were designed. When you leave the onus of security and proper data protection to the end user, bad things happen. Because while companies may have the best intentions and believe staff to be trustworthy and dependable, in a mature threat model, virtually every employee is an insider threat — especially when they can act through unmonitored channels.

**Digital Trust Is Broken**

And reversing this trend isn't a simple fix. Managing and mitigating the risks involved with providing staff the tools they need to do their job — in this case, account administrators and recovery mechanisms — necessarily means granting access to confidential data and credentials, which can be abused by anybody with the right savviness and determination.

One way companies try to avoid this is through data loss prevention programs that send out an alert when data is exfiltrated through email or a USB, or when privileged programs or locations are accessed too frequently or at unusual times. Some companies will go so far as to monitor internal communications to find disruptive behavior, as Musk has reportedly done at Twitter since taking over.

The reality is that both organizations and consumers should begin to act as if the era of digital trust is broken. If years-old systems meant to verify the authenticity of users and keep attackers at bay are being misused within an organization, then customers cannot log in with absolute certainty that their personal information won't be abused as well.

That doesn't mean users should quit these platforms immediately and go back to snail mail. But it should serve as a wake-up call to organizations that constant vigilance is the only way to ensure threats don't go unchecked, whether they're internal or external.

Are Meta and Twitter Ushering in a New Age of Insider Threats?

Dark Reading's Kelly Jackson Higgins explains the enormous legacy left behind by Dan Kaminsky and his seminal "Great DNS Vulnerability" talk at Black Hat 2008.

He was one of the good guys.

The late, great Dan Kaminsky offered many big moments in Black Hat history, none more enormous than his reveal at Black Hat 2008 with his "Great DNS Vulnerability" presentation, where he showed up on roller skates and explained why the entire Internet was at risk and open to cyberattack.

Besides deciding to share this monumental find with the cybersecurity community and helping steer some of the best minds of the time to produce a fix, Kaminsky represented a kinder, gentler side of infosec that put people and their security first. 

To wit: He developed the DanKam augmented reality for a colorblind friend, and hearing aids for this grandmother, who made regular appearances at Black Hat as well, with plates of homemade cookies to share with everyone.

Dark Reading's editor-in-chief, Kelly Jackson Higgins, tells the story of that seismic DNS day in 2008, and all that Dan Kaminsky meant to the cybersecurity community, in this first installment of our new series, "Black Hat Flashback." 

On a regular basis, editors from Dark Reading will reminisce about some of the major Black Hat moments in history that changed the game forever.

Take a look, then watch Dan Kaminsky in action giving a keynote speech at Black Hat 2016.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Black Hat Flashback: The Day That Dan Kaminsky Saved the Internet

There are a few reasons that the topic of API security has been popping up more and more as 2022 comes to a close.

Back in July 2021, Gartner predicted that by 2022, application programming interface (API) attacks will become the most frequent attack vector, causing data breaches for enterprise web applications.

Was the analyst firm right? It's too early to know for sure since OWASP is still tallying the results.

API attacks are back in the news. It turns out the likely ingress point for the Optus breach was a lowly REST API. And someone has leaked all of the data stolen from the Twitter breach — which also involved an API.

When we talk about API security, we're referring to the measures and practices that we use to secure APIs and the data they transmit. We might be worried about unauthorized access, adverse reaction to a DDoS (more than one API has fallen over and left the underlying system wide open and completely insecure), or other malicious attacks.

There's an art to securing APIs; a light touch and a delicate combination of technical and organizational skills are required to do it right.

On the technical side we’re looking at measures such as authentication and authorization, encryption, automated testing, and monitoring. On the organizational side, you need to know exactly who in the org chart the API was designed to serve, and tailor access accordingly. For external APIs, you need to know how much data should be available to the outside world, and how that data needs to be curated and presented.

**How Are APIs Protected?**

There's a sane order of operations when you're trying to secure your company's APIs.

First, find and catalog every API. The number of companies that actually do this and keep their API inventory up to date is small indeed. Developer convenience, rapid website development, and the increasing push towards federated services all contribute to mystery APIs popping up out of the blue without any kind of compulsory registration structure in place.

To avoid this kind of API creep, every single one of them should be registered centrally with the following information:

*   Name
*   Tools and packages used to build the API
*   Servers that it runs on
*   Services that rely on that API
*   Documentation of all valid uses and error codes
*   Typical performance metrics
*   Expected uptime or downtime windows

All of this information goes into a repository run by the cybersecurity team.

Second, set up security and performance automation for every API. This is why you asked for all of that information, and this is how you keep everything secure. Using the data provided by the developers (and DevOps team, the Web team, etc.), the cybersecurity and/or testing team can put together automation that tests the API regularly.

Functional tests are important because they make sure that everything is working as expected. Non-functional tests are important because they probe the reliability and security of the API. Remember that APIs must fail securely. It isn't enough to know that one has fallen over — you need to know the consequences of that failure.

Finally, add the API to the normal threat prevention suite. If any of the tools or packages used to build the API are found to be buggy, you need to know. If any of the protocols that it uses are deemed insecure when you do detect trouble, you need to have the team shut the APIs down until they can be examined and rebuilt.

Doing these things once is great; creating a programming and security culture that allows you to maintain fully cataloged and documented APIs is the long-term goal.

**Specific API Behaviors to Note**

When pen testing and securing an API, some techniques are more useful than others.

1.  **Start with behavioral analysis.** This tests whether or not the reality matches the documentation in terms of the level of access granted, the protocols and ports used, the results of successful and unsuccessful queries, and what happens to the system as a whole when the API itself stops functioning.
2.  **Next is service levels.** This involves the priority of the process itself on the server, rate limiting for transactional APIs, minimum and maximum request latency settings, and availability windows. Some of these details are important for DDoS prevention (or blunting). Others are useful to monitor whether there are any slow memory leaks or garbage collection issues that might be a long-term threat to the integrity of the server itself.
3.  **Authentication and sanitation issues** speak directly to the level of trust you have for the API's users. As you would with any service, queries need to be sanitized before they're accepted. This prevents code injection, buffer overflows, and the like.

There needs to be some level of authentication with APIs that are designed for a specific user base. However, this can get complex. Federation is one issue that you need to deal with, determining which central identification and authentication servers you'll accept. You might want to have two-factor authentication for particularly sensitive or powerful APIs. And of course authentication itself isn't necessarily a password these days; biometrics is a valid way to wall off an API. To make a long story short: Apply the standards that you find reasonable, and test the limitations that you've set on a regular basis.

Finally, encryption and digital signatures need to be part of the conversation. If it's on the Web, then we're talking about TLS at minimum (repeat the mantra: We don't REST without TLS!). Other interfaces also need encryption, so pick your protocols wisely. Remember that the static information, be it a database or a pool of files somewhere, also needs to be encrypted. No flat text files anywhere, no matter how "innocent"; salt and hash should be the standard. And checksums are a must when providing or receiving files that are known entities (size, contents, etc.).

Finally, key management can be difficult to get right. Don't expect every DevOps person to have perfect digital key implementation when a decent portion of the cybersecurity folks are half-assing it themselves. When in doubt, go back to the OWASP Cheat Sheet! That's what it's there for.

**Responding to an API Attack**

The cardinal rule is: If your API is going to fail, pinch off access. Under no circumstance should services fail in an open or accessible state. Remember to rate-limit and keep error messages short and generic. Don't worry about honey pots or API jails — worry about survival.

Custom-crafted API attacks on an individual basis need to be treated like any other breach attempt. Whether you caught the attempt yourself or via AI/ML analysis, follow your SOP. Don't cut corners because it's "just" an API.

API security separates the mediocre CISO who focuses solely on infrastructure from the masterful CISO who addresses actual business threats and ensures survivability. Create a system for API security, create reusable interface testing automation, and keep your API inventory up to date.

API Security Is the New Black

The effectiveness of attacks largely depends on organizations' distributed denial-of-service defenses.

As Russian ground troops prepared to enter Ukraine in February 2021, Ukrainian governmental departments, online media organizations, financial firms, and hosting providers were slammed with a surge of distributed denial-of-service (DDoS) attacks. These attacks only increased in frequency and impact as Russian tanks rolled across the border, adding to the frenzy and chaos of that time.

Quick to hit back, Ukraine's IT Army sprang to life during the early days of the conflict. Much like Ukraine's volunteer army on the ground, recruits flooded in from all over the world to take part in the brewing war being waged online between Russia and Ukraine, with observed DDoS attacks focused on Russian targets increasing by 236% between February and March.

What seems clear is that whether issued by hacktivists or nation-states, DDoS attacks are often the opening salvo between opposing forces in today’s geopolitical conflicts. Compared with other types of cyberthreats, DDoS attacks can be launched relatively quickly. In addition, while DDoS attacks can cause significant disruption on their own, they can also mask or distract attention from more significant threats.

And, as seen in Ukraine and elsewhere, the use of DDoS attacks on the digital battlefield seems to be increasing. This article will examine the history of DDoS attacks for geopolitical conflict compared with recent attacks, providing insights that organizations can use to protect themselves from collateral damage.In summary, events during the last year have proven that DDoS attacks — whether launched by nation-states, ideological groups, or rogue individuals — will not diminish any time soon. DDoS remains an effective tool for disrupting networks and degrading the morale of countries embroiled in sociopolitical upheaval, with new attacks happening every day. To stay protected in this time of war and geopolitical conflict, organizations must remain vigilant in their defense.

**2022: A Record-Setting Year for DDoS**

The use of DDoS attacks to gain geopolitical advantage is nothing new, but the frequency at which these types of attacks are growing is noteworthy. In the latest "DDoS Threat Intelligence Report," Netscout reported more than 6 million attacks in the first half of 2022. Of these attacks, a majority corresponded with national or regional conflicts.

To continue with the Ukraine example, the frequency of DDoS attacks directed at Ukraine leveled off by April 2022, while cyberattacks ratcheted up against perceived allies of Ukraine. This likely is attributable to Ukrainian Internet properties migrating to countries like Ireland, as instability in the intra-Ukraine Internet forced many network segments to rely upon connectivity in other countries.

Echoes of this conflict continue to resonate across the global Internet. In March 2022, India experienced a measurable increase of DDoS attacks following its abstentions from United Nations Security Council and General Assembly votes condemning Russian actions in Ukraine. Similarly, during the first half of the year, Belize endured its single highest number of DDoS attacks on the same day that it made public statements in support of Ukraine.

Elsewhere, the nation of Finland — a close neighbor of Russia — experienced a 258% percent year-over-year increase in DDoS attacks coinciding with its announcement to apply for membership in NATO. Poland, Romania, Lithuania, and Norway, meanwhile, all were targeted with DDoS attacks by adversaries linked to Killnet, a group of online attackers aligned with Russia.

But these examples rooted in the conflict between Russia and Ukraine are not the only online battlegrounds where fights over geopolitics are being waged. As tensions between Taiwan and China and Hong Kong and China escalated during the first half of the year, DDoS attack campaigns often coincided with public events. For example, in the run-up to Nancy Pelosi's historic visit to Taiwan this summer, the website of Taiwan's presidential office and other government websites went dark due to DDoS attacks. And in Latin America, during a contentious election in Colombia this past year, waves of successive DDoS attacks were launched during the initial vote and the contested runoff.

One common thread is that many of these attacks use known attack vectors and readily available DDoS-for-hire services, also known as booter/stressor services, found on the Dark Web. These illicit services typically offer a restricted tier of free demonstration DDoS attacks to prospective customers, lowering the bar for would-be attackers to rapidly spin up attacks at very little to no cost. However, because these attack vectors are well-known, they can be easily mitigated in most circumstances.

**Don't Become Collateral Damage**

DDoS attacks have the potential to seriously disrupt Internet operations for their intended targets, but they can also cause a significant collateral impact footprint for bystander organizations and Internet traffic. This risk is particularly high as data hosting and services flow from war-torn regions like Ukraine to locations abroad.

In many of the examples listed above, the effectiveness of attacks largely depended upon whether targeted organizations had organized DDoS defenses. In Ukraine and other countries, disruption was quickly remedied for unprotected organizations as global DDoS defense companies stepped in to help Ukrainian organizations that needed it. However, ongoing defenses are still needed for most organizations.

Amid this environment, the most prudent course of action to prevent collateral damage is to regularly assess DDoS risk factors, especially related to direct service delivery elements, supply chain partners, and other dependencies. Organizations should ensure that critical public-facing servers, services, applications, content, and supporting infrastructure are adequately protected. They also should check to make sure DDoS defense plans reflect ideal current configurations and operational conditions, and that the plans are periodically tested to verify that they can be successfully implemented as required.

In summary, events during the last year have proven that DDoS attacks — whether launched by nation-states, ideological groups, or rogue individuals — will not diminish any time soon. DDoS remains an effective tool for disrupting networks and degrading the morale of countries embroiled in sociopolitical upheaval, with new attacks happening every day. To stay protected in this time of war and geopolitical conflict, organizations must remain vigilant in their defense.

War and Geopolitical Conflict: The New Battleground for DDoS Attacks

CISA’s Known Exploited Vulnerabilities Catalog has become a valuable repository of vulnerabilities to be patched. A pair of reports analyze the vulnerabilities under attack to understand the kind of threats organizations should be prioritizing.

Back in November 2021, the US Cybersecurity and Infrastructure Security Agency (CISA) published the Known Exploited Vulnerabilities (KEV) Catalog to help federal agencies and critical infrastructure organizations identify and remediate vulnerabilities that are actively being exploited. CISA added 548 new vulnerabilities to the catalog across 58 updates from January to end of November 2022, according to Grey Noise in its first-ever "GreyNoise Mass Exploits Report."

Including the approximately 300 vulnerabilities added in November and December 2021, CISA listed approximately 850 vulnerabilities in the first year of the catalog's existence.

Actively exploited vulnerabilities in Microsoft, Adobe, Cisco, and Apple products accounted for over half of the updates to the KEV catalog in 2022, Grey Noise found. Seventy-seven percent of the updates to the KEV catalog were older vulnerabilities dating back to before 2022.

"Many were published in the previous two decades," noted Grey Noise's vice president of data science, Bob Rudis, in the report.

Several of the vulnerabilities in the KEV catalog are from products that have already entered end-of-life (EOL) and end-of-service-life (EOSL), according to an analysis by a team from Cyber Security Works. Even though Windows Server 2008 and Windows 7 are EOSL products, the KEV catalog lists 127 Server 2008 vulnerabilities and 117 Windows 7 vulnerabilities.

"The fact that they are a part of CISA KEV is quite telling as it indicates that many organizations are still using these legacy systems and therefore become easy targets for attackers," CSW wrote in its "Decoding the CISA KEV" report.

Even though the catalog was originally intended for critical infrastructure and public-sector organizations, it has become the authoritative source on which vulnerabilities are – or have been – exploited by attackers. This is key because the National Vulnerability Database (NVD) assigned Common Vulnerabilities and Exposures (CVE) identifiers for over 12,000 vulnerabilities in 2022, and it would be unwieldy for enterprise defenders to assess every single one to identify the ones relevant to their environments. Enterprise teams can use the catalog's curated list of CVEs under active attack to create their priority lists.

In fact, CSW found a bit of a delay between when a CVE Numbering Authority (CNA), such as Mozilla or MITRE, assigned a CVE to a vulnerability and when the vulnerability was added to the NVD. For example, a vulnerability in Apple WebKitGTK (CVE-2019-8720) received a CVE from Red Hat in October 2019 was added to the KEV catalog in March because it was being exploited by BitPaymer ransomware. It had not been added to the NVD as of early November (the cutoff date for CSW's report).

An organization relying on the NVD to prioritize patching would miss issues that are under active attack.

Thirty-six percent of the vulnerabilities in the catalog are remote code execution flaws and 22% are privilege execution flaws, CSW found. There were 208 vulnerabilities in CISA’s KEV Catalog associated with ransomware groups and 199 being used by APT groups, CSW found. There was an overlap, as well, where 104 vulnerabilities were being used by both ransomware and APT groups.

For instance, a medium-severity information disclosure vulnerability in Microsoft Silverlight (CVE-2013-3896) is associated with 39 ransomware groups, CSW said. The same analysis from CSW found that a critical buffer overflow vulnerability in the ListView/TreeView ActiveX controls used by Office documents (CVE-2012-0158) and a high-severity memory corruption issue in Microsoft Office (CVE-2017-11882) are being exploited by 23 APT groups, including most recently by the Thrip APT group (Lotus Blossom/BitterBug), in November 2022.

The spike in March 2022 is the result of Russia invading Ukraine in February – and the updates included many legacy vulnerabilities that nation-state actors had been known to exploit in businesses, governments, and critical infrastructure organizations, Grey Noise said. The vast majority – 94% – of the vulnerabilities added to the catalog in March were assigned a CVE before 2022.

CISA updates the KEV catalog only if the vulnerability is under active exploitation, has an assigned CVE, and there is clear guidance on how to remediate the issue. In 2022, enterprise defenders had to deal with an update to the KEV catalog on an almost weekly basis, with a new alert typically issued every four to seven days, Rudis wrote. The defenders were just as likely to have just a single day between updates, and the longest break defenders had in 2022 between updates was 17 days.

Adobe, Apple, Cisco, Microsoft Flaws Make Up Half of KEV Catalog

Dark Reading's panel of security experts deliver a magnum of bubbly hot takes on what 2023 will look like, featuring evil AIs, WWIII, wild workplace soon-to-be-norms, and more.

The end of the year is upon us, and that means predictions — lots and lots of predictions. And no wonder: With 2022 in the books, cybersecurity professionals worth their salt are starting to think about what's around the next bend; one needs to be prepared, after all.

This year, we wanted to break out of the mold of covering predictable predictions ("more automation is on the horizon," anyone?) to focus on some of the more out-there views on what the cybersecurity landscape might hold for the next revolution around the sun. In this, our stable of experts didn't disappoint.

Security experts from near and far gave Dark Reading their most outrageous/boldest security predictions for 2023. Whether that's something that will happen on the threat side of things (hackers will start WWIII), an impending crazy cyberattack (looking at you, evil Santa elves), a prediction for insane futuristic tech on the defensive side (bot vs. bot), nutty enterprise trends (spyware for employees), what have you — these crystal ball-isms will hopefully make you think about what is in store.

For instance, David Maynor, director of the Cybrary Threat Intelligence Team (CTIG), offered up a slew of hot takes for 2023 that run to the dystopian. And we're here for it:

"Information security practitioners will continue to be divided into topics, such as active defense, to the point that pseudo-religious cults may form," he opines. "DEF CON will be canceled. A reboot or sequel of one of the following movies will be greenlit: Hackers, Sneakers, WarGames, The Net, Swordfish."

Nicely done, David. And that's just the beginning.

**Cookies to the Rescue: A Seasonally Appropriate Hacking Collective**

To kick things off, Dean Agron, CEO and co-founder of Oxeye Security, flagged an impending cyberattack that's sure to hit everyone on Santa's list, not just the naughty ones.

>   
> "The 'Santa's Gift' attack, from a Greenland-based hacking group called '\[email protected\]'s 3lves' will allow attackers to bypass input sanitation mechanisms by using a specific combination of 🎅🏼 🦌 🧝 🎄 🎁 🛷 emojis (Santa, reindeer, elf, Christmas tree, gift, and sleigh). Every input that allows inputting emojis is vulnerable, and the right permutation of emojis will immediately enable root access to your cloud infrastructure. Privacy and security advocates who have been fighting to eliminate cookies are rethinking their posture, as an overflowing stack of cookies (and a glass of milk) is the only known measure to combat this attack." — Dean Agron, CEO and co-founder of Oxeye Security

Yes, he was just kidding. But it made you wonder for a minute, didn't it? Onto the real predictions!

**Automation Is Finally Ready for Prime Time**

Sure, predicting the use of more security automation is like saying there might be more political division in Congress in the new year. But at least one of the experts we tapped took it an extra step further.

>   
> "The drive to use automation to replace human workers will evolve into automating away the need for useless middle management where both workers and executives rejoice." — John Bambenek, principal threat hunter at Netenrich

Ouch.

**Scary AI & Machine Learning Gets ... Scarier**

The idea of weaponized deep fakes becoming a go-to method for attackers was a theme for many of the bold predictions that Dark Reading received.

>   
> "We haven't really seen it at scale yet, but with the trouble we already have getting our users to follow policy and not fall for social engineering attacks, how much worse will it be if (when) we have to deal with videos of their boss telling them that it's totally cool to give that random caller your password?" — Mike Parkin, senior technical engineer at Vulcan Cyber

Others also warmed to this theme.

>   
> "In 2023, fraudsters will devise new ways to hack into accounts, including new ways to spoof biometrics, new ways to create fraudulent identity documents, and new ways to create synthetic identities." — Ricardo Amper, founder and CEO at Incode

Roger Grimes, data-driven defense evangelist at cybersecurity company KnowBe4, points out that scary-level AI can juice the D, too.

>   
> "2023 will be the first year of bot vs. bot. The good guy's threat hunting and vulnerability-closing bots will be fighting against the bad guy's vulnerability-finding and attacking bots, and the bots with the best AI algorithms will win. 2023 is the year where AI becomes good enough that the humans turn over defense and attacks to self-traveling and replicating code for the entire attack chain from initial root exploit to extraction of value." — Roger Grimes, data-driven defense evangelist at KnowBe4

**Chatbot AIs: A Particularly Nasty Strain**

Sometimes the dark view of AI use has to do with unintended consequences, with Maynor linking back to his WarGames reboot note.

>   
> "A person with no programming or security knowledge may accidentally create a destructive, self-propagating worm using an AI chatbot and then accidentally release it on the Internet, causing almost a trillion dollars in damage worldwide." — Cybrary's Maynor

Hmmmm, what AI chatbot could he possibly be referring to? At least one person we talked to has no qualms naming names, with a dark prediction about AI-assisted phishing.

>   
> "Hackers will use ChatGPT to develop multilingual communications with unsuspecting users in business supply chains. Many of the most notorious cybercriminal gangs and state-sponsored cybercriminals operate in countries like Russia, North Korea, and other foreign countries \[which makes them\] somewhat easier for end users to detect. This technology can develop written communications in any language, with perfect fluency. It will be very difficult for users to recognize that they are potentially communicating via email with an individual who barely speaks or writes in their language. The damage this technology will cause is almost a certainty." — Adrien Gendre, chief tech & product officer and co-founder at Vade

Of course, these are early days for ChatGPT and its ilk. Imagine the risk once development really gets going.

>   
> "It's only now that the AI algorithms have evolved where good bot vs. bad bot becomes a realistic threat. ChatGPT showed us what was possible ... and it's not even the latest AI version. I'm not scared of ChatGPT. I'm scared of its children and grandchildren." — KnowBe4's Grimes

**Apocalypse Now? Critical Infrastructure Is Set to Burn...**

Evil AIs are forever tied in most of our minds with taking over the world and bringing about apocalypse (save John Connor!). But some experts tell Dark Reading that the apocalypse doesn't need to wait for the sentient robots.

>   
> "In 2023 we'll see a disruption to network supply chain unlike anything we've ever seen before: A new tactic that will be added to the warfare arsenal is the sabotage of fiber cable. It has long been a war tactic to target communication lines, but the attacks will be farther reaching and wipe out Internet access for entire continents." — Daniel Spicer, chief security officer at Ivanti

Sure, the Internet disappearing overnight could cause major dysfunction, but what about a long-term lack of power?

>   
> "The skills gap, recession and tensions abroad are forming a perfect storm for a major attack on the power grid in 2023. At the beginning of 2022, Homeland Security warned that domestic extremists had been developing plans to attack the US electric power infrastructure for years. The combination of aforementioned factors makes the US's power grid more vulnerable to cyberattacks than it has been in a long time." — Edward Liebig, global director of cyber-ecosystem at Hexagon Asset Lifecycle Intelligence

Ian Pratt, global head of security for personal systems at HP Inc., even offers Dark Reading a potential attack vector for such a scenario.

>   
> "Session hijacking — where an attacker will commandeer a remote access session to access sensitive data and systems — will grow in popularity in 2023. If such an attack connects to operational technology (OT) and industrial control systems (ICS) running factories and industrial plants, there could also be a physical impact on operational availability and safety — potentially cutting off access to energy or water for entire areas." — HP's Pratt

**... Or Maybe Not**

There's a contrarian in every bunch. Ron Fabela, CTO and co-founder at SynSaber, laid one such prediction on Dark Reading: that 2023 will be remembered for the ICS cyberwar that wasn't.

>   
> "While everyone in industrial cybersecurity will continue to fear all-out cyberwar, with predictions of turning off the power grid and poisoning our water shouted from rooftops and Capitol Hill, one thing is for certain: It's a paper dragon, all hot air and no teeth. The security operator in the SOC and the industrial operator in the control center deserve our attention rather than Russian APTs." — SynSaber's Fabela

**WWIII Started by Hackers?**

So if fears that the Bad Guys will take out our critical infrastructure are overblown, does anything have the power to light off a firestorm of kinetic war?

Why, messing with our finances, of course.

>   
> "An attack against the Securities & Exchange Commission (or IRS, or some similar fundamental agency to the US government) would likely be as clear a flash point for war as the assassination of Archduke Franz Ferdinand. So, if it were to happen, it would be a very carefully calculated and planned, state-sponsored attack." — Simon Eyre, CISO and managing director at Drawbridge

**Cybersecurity Consolidation? Less Vendor Choice? Nope & Nope**

Speaking of finances, anyone who has been following the volatile vagaries of the cybersecurity market from an M&A, valuation, and funding perspective will be aware that most analysts believe that enterprises will rapidly consolidate their cyber-defense tools under just a handful of vendor names — meaning that security Big Kahunas will just keep snapping up small fry and rivals until the choices end up very limited indeed.

Enterprises seem to want that too, according to survey after survey, given the upside in terms of interoperability and management.

Richard Stiennon, chief research analyst at IT-Harvest, says bah humbug to all that.

>   
> "I have been hearing this since there were less than 100 vendors. Now, I count more than 3,200 cybersecurity vendors covering 17 major categories and 660 subcategories. There are always going to be new threats, and new threat actors creating demand for new products that will come from startups. Yes, there will be lots of M&A action in 2023, probably close to 400 transactions. Every acquisition whets the appetite of investors to get in on the action. It also creates founders who are now wealthy who start their next company as soon as they earn out." — IT-Harvest's Stiennon

**Big Brother IS Watching You**

We would be remiss if we wrapped up without mentioning the myriad predictions that Dark Reading received regarding the future of remote and hybrid working. It isn't going anywhere — that genie is well and truly out of the bottle, we all agree. But there's a rather horrific side effect of that reality: The use of creepy productivity monitoring tools by employers, which for all intents and purposes, is spyware by another name, says one expert.

>   
> "Many leaders are resistant to remote work because they are used to leading based on observations, i.e. who is sitting at their desk the longest? In today’s ‘anywhere work’ environment, ‘observation leadership’ is causing managers to implement spy-like tools that measure activity and working hours which invade privacy and create a feeling of distrust among employees." — Dean Hager, CEO of Jamf

Silver lining alert: Hager adds that this kind of completely whacked-out employee tracking will backfire, leading to an outcome-based leadership that will have a positive effect on employee morale and company culture.

Beyond the Obvious: The Boldest Cybersecurity Predictions for 2023

Businesses need to educate employees the type of social engineering attacks used by hacking group DEV-0537 (LAPSUS$) and strengthen their security posture.

The hacking group DEV-0537, also known as LAPSUS$, operates on a global scale using a pure extortion and destruction model without deploying ransomware payloads. Unlike other social engineering attackers, DEV-0537 publicly announces its attacks on social media and pays employees for login credentials and multifactor authentication (MFA) approval. In the past, they have also used SIM-swapping to facilitate account takeovers, targeted personal employee email accounts, and intruded on crisis-communication calls once their targets have been hacked.

With some education on DEV-0537’s known tactics and strong cyber hygiene, businesses can guard themselves against future social engineering attacks.

**Strengthen MFA Implementation**

MFA is one of the primary lines of defense against DEV-0537. Require MFA for all users across all locations — regardless of whether they’re working remotely, from a trusted environment, or even from an on-premises system.

DEV-0537 often attempts to access networks via compromised credentials, so user and sign-in risk-based policies can protect against threats like new device enrollment and MFA registration. "Break glass" accounts and enterprise or workplace credentials should be stored offline rather than in a password vault or an online browser. Businesses can also leverage password protection to guard against easily guessed passwords.

Passwordless authentication methods can further reduce risks. Finally, you can use automated reports and workbooks to gain insight into risk distribution, risk detection trends, and opportunities for risk remediation.

Avoid telephone-based MFA methods to mitigate the risk of SIM-jacking, where the attackers trick the mobile carrier into transferring the phone number to a different SIM card. Other MFA factors such as voice approvals, simple push (instead, use number matching), and secondary email addresses are also weak and can be bypassed. Prevent users from sharing their credentials, and block location-based MFA exclusions — which allow bad actors to bypass the MFA requirements if they can fully compromise a single identity.

**Require Healthy and Trusted Endpoints**

Another way to guard against data theft is by requiring trusted, compliant, and healthy devices for access to resources. Cloud-delivered protection can further protect against rapidly evolving attacker tools and techniques, block new and unknown malware variants, and enhance attack surface reduction rules and tamper protection.

**Leverage Modern Authentication Options for VPNs**

Implementing modern authentication and tight conditional VPN access policies like OAuth or SAML has previously been effective against DEV-0537. These strategies block authentication attempts based on sign-in risk — requiring compliant devices in order for users to sign in and tighter integration with your authentication stack to improve risk detection accuracy.

**Strengthen and Monitor Your Cloud Security Posture**

Because DEV-0537 uses legitimate credentials to attack networks and leak sensitive enterprise data, at first glance, the group’s activity might appear consistent with typical user behavior. However, you can strengthen your cloud security posture by reviewing Conditional Access user and session risk configurations, configuring alerts to prompt a review on high-risk modification, and reviewing risk detections.

**Improve Awareness of Social Engineering Attacks**

Strong employee education is another way to protect your organization against social engineering attacks like DEV-0537. Your technical team should know what to watch out for and how to report unusual employee activity. Likewise, IT help desks should quickly track and report any suspicious users. Review your help desk policies for password resets for highly privileged users and executives to take social engineering into consideration.

**Establish Operational Security Processes in Response**

One hallmark tactic of DEV-0537 is to monitor and eavesdrop on incident response communications in the event of a cybersecurity breach. Companies should monitor these communication channels closely, and attendees should be routinely verified.

In the event that your organization is hacked by DEV-0537, follow tight operational security practices. Develop an out-of-band communication plan for incident responders that can be used for multiple days while an investigation occurs, and ensure response plan documentation is closely guarded and not easily accessible.

_Microsoft will_ _continue monitoring_ _DEV-0537’s activities, and we will share_ _additional insights and recommendations_ _as the situation evolves._

Read more _Partner Perspectives_ from Microsoft.

Source

DARKReading