Nexusguard DDoS Statistical Report reveals key attack observations and analysis from the first half of 2022.

SAN FRANCISCO--(BUSINESS WIRE)--In the first half of 2022, the amount of DDoS (distributed denial of service) attacks increased by 75.6% compared to the second half of 2021, according to new Nexusguard research revealed in the company’s DDoS Statistical Report for 1HY 2022. While the total number of attacks did grow, the average (0.59 Gbps) and maximum (232.0 Gbps) attack sizes each decreased by 56% and 66.8%, respectively, during the same period. Notably, application attacks increased a whopping 330% compared to the second half of 2021, and amplification attacks increased by 106.7%.

Single-vector attacks represented 85% of all attacks globally in H1 2022. UDP (User Datagram Protocol) attacks, which quickly overwhelm the target defenses, and HTTPS Flood, which exhaust servers with valid HTTPS requests, were the two most predominant vectors. Nearly four out of 10 (39.6%) attacks were UDP, an increase of 77.5% from H2 2021, and the two groups combined accounted for more than half (55.5%) of DDoS attacks globally. UDP attacks frequently serve as a smokescreen to mask other malicious activities such as efforts to compromise personal identifiable information (PII) or the execution of malware or remote codes.

New to Nexusguard DDoS reports are statistics describing top reflected attack destinations. Reflection attacks spoof the IP address of the target, tricking it to believe it has received an authentic request, typically via UDP, to which the target responds. Nearly three-quarters (74.6%) of all reflected attacks targeted organizations in Brazil and South Korea. Within Europe, the United Kingdom received almost a quarter (24.6%) of all reflected attacks in that region and in the Middle East and Africa, the Seychelles and Saudi Arabia combined received more than half (55.5%).

Stealthy Bit-and-Piece attacks continue to plague ASN-level Communications Service Providers (CSPs) globally, especially internet service providers (ISPs). While 81% of attacks globally were less than a single Gbps, Bit-and-Piece attacks by /24 networks registered minimum sizes of 0.0637 Gbps and a maximum of 123.7 Gbps. By drip-feeding doses of junk traffic into a large IP pool, the traffic remains small enough to evade traditional threshold-based detection, but accumulates to be enough to clog and disable the target.

“Attackers came out of winter hibernation with never-before-seen levels of intent, showing an incredible increase of attacks in Q2 2022 alone and by June, reaching the highest first-half levels since 2018,” said Juniman Kasman, chief technology officer of Nexusguard. “We’ve expanded our DDoS reports to include data on reflected attack destinations and have separated Europe from the Middle East and Africa regions to provide organizations with even more information on DDoS attacks. The wide variability in attack types shown by our latest report demonstrates that companies must remain vigilant in protecting themselves against the risk of DDoS attacks.”

Read Nexusguard’s DDoS Statistical Report 1HY 2022 for more information on attack vectors, stats and trends based on data gathered from CSPs, honeypots, botnet scanning and research on traffic moving between attackers and their targets.

**About Nexusguard**

Founded in 2008, Nexusguard is a leading cloud-based distributed denial of service (DDoS) security solution provider fighting malicious internet attacks. Nexusguard ensures uninterrupted internet service, visibility, optimization and performance. Nexusguard is focused on developing and providing the best cybersecurity solution for every client across a range of industries with specific business and technical requirements. Nexusguard also enables communications service providers to deliver DDoS protection solutions as a service. Nexusguard delivers on its promise to provide you with peace of mind by countering threats and ensuring maximum uptime. Visit www.nexusguard.com for more information.

Nexusguard Research Shows Total Number of DDoS Attacks Increased during First Half of 2022 While Maximum Attack Size Decreased Compared to Second Half of 2021

Resistant AI and ComplyAdvantage launch AI transaction monitoring solution to combat fraud and money laundering.

LONDON, Oct. 11, 2022 /PRNewswire-PRWeb/ -- Holvi, the digital banking service for small businesses, is among the initial group of customers to implement the AI-driven solution to manage their financial crime risk.

Resistant AI, the AI and machine learning financial crime prevention specialists, and ComplyAdvantage, the financial industry's leading source of AI-driven financial crime risk data and detection technology, today announced the general availability of their solution for fighting financial crime across  
the U.S. and Europe.

Financial crime is a multi-trillion-dollar problem. According to the \[United Nations, the estimated amount of money laundered globally in one year is 2 - 5% of global GDP, or 800 billion - 2 trillion US dollars. While the cost of fraud and money laundering to financial organizations and other businesses is significant, the cost and damage to economies and society as a whole is immeasurable.

Adding Resistant AI's capabilities to ComplyAdvantage's transaction risk monitoring platform extends anti-money laundering (AML) and anti-fraud protections offered to financial institutions and other businesses by:

\-- Enabling them to detect previously unknown patterns of behavior and identify new risks faster.  
\-- Delivering alert prioritization so organizations can focus on the highest-risk areas and make the best use of their investigative resources.

With these capabilities, organizations can transition to a more dynamic approach to financial crime that uncovers novel behavior as it happens.

"Effectiveness and efficacy are key to scaling," comments Valentina Butera, Head of AML and AFC Operations at Holvi. "Integrating an AI-driven transaction monitoring solution means we can grow our customer base without growing our headcount at the same rate. With Resistant AI and ComplyAdvantage, we can manage our known risks more efficiently while also identifying and adapting to previously unknown risks."

Martin Rehak, founder, and CEO at Resistant AI, commented, "We are delighted that our joint solution is now available to drive game-changing efficiency gains. Alert prioritization, the ability to make systems more effective and identify previously unknown risks enables the most effective use of investigative resources and ensures a true risk-based approach."

"In a complex, rapidly shifting world, criminals continue to find new ways to exploit financial services to launder the proceeds of their crimes. At ComplyAdvantage, we are passionate about giving our clients the best tools to protect themselves - and their customers - from these bad actors and fight back.

The addition of Resistant AI's capabilities will allow our clients to do just that," said Charles Delingpole, founder, and CEO at ComplyAdvantage.

Today's announcement coincides with the launch of a new thesis paper on AI in transaction monitoring. Co-authored by ComplyAdvantage and Resistant AI, it explores how customers like Holvi can increase the speed and accuracy with which they monitor transactions for fraud and other financial crime risks.

**About Resistant AI**

Founded in 2019, Resistant AI uses AI and machine learning to provide identity forensic solutions that protect automated financial services from fraud and manipulation, including customer onboarding, AML and existing fraud detection systems. The Resistant AI founding team has a deep background in machine learning, artificial intelligence and computer security with more than 15 years of experience applying AI in the computer security domain. Backed by GV (formerly Google Ventures), Index Ventures, Credo Ventures, Seedcamp, and several angel investors specializing in financial technology and security, Resistant AI is headquartered in Prague with offices in London and New York.

Visit resistant.ai to learn more.

**About ComplyAdvantage**

ComplyAdvantage is the financial industry's leading source of AI-driven financial crime risk data and detection technology. ComplyAdvantage's mission is to neutralize the risk of money laundering, terrorist financing, corruption, and other financial crime. More than 500 enterprises in 75 countries rely on ComplyAdvantage to understand the risk of who they're doing business with through the world's only global, real-time database of people and companies. The company identifies thousands of risk events daily from millions of structured and unstructured data points.

ComplyAdvantage has four global hubs in New York, London, Singapore, and Cluj-Napoca and is backed by Goldman Sachs, Ontario Teachers', Index Ventures, and Balderton Capital. Learn more at https://complyadvantage.com/.

Resistant AI and ComplyAdvantage Launch AI Transaction Monitoring Solution To Combat Fraud and Money Laundering

HackerOne Assets combines ASM with insights from security experts to protect known and unknown digital assets.

SAN FRANCISCO, October 13, 2022: HackerOne, the leader in Attack Resistance Management, today announced the general availability of its HackerOne Assets product. Assets combines the core capabilities of Attack Surface Management (ASM) with the expertise and reconnaissance skills of ethical hackers to bring visibility, tracking, and risk prioritization to an organization's digital asset landscape. Research from ESG revealed that 69% of organizations have experienced a cyberattack through the exploit of an unknown, unmanaged, or poorly managed internet-facing asset. Assets form a key part of HackerOne’s Attack Resistance Management portfolio that aims to discover unknown assets and vulnerabilities and close organizations’ security gaps.

With Assets, customers can manage both the discovery and testing of assets in a single platform. The solution blends security expertise with asset discovery, continuous assessment, and process improvements to reduce risk. HackerOne’s community of ethical hackers enrich the asset and scan data and analyze it themselves, ensuring that newly found assets are tested for risk and mapped according to their metadata. Once the assets have been identified and ranked for risk, security teams can use these insights to initiate pentests on newly discovered assets and add assets to their bug bounty scope.

“HackerOne Assets solves for the inefficiencies in traditional ASM scanning” explained Ashish Warty, SVP of Engineering at HackerOne. “It’s impossible for security teams to see their entire attack surface, while cloud transformation, agile product cycles, and mergers and acquisitions keep the threat landscape growing. By combining attack surface management with the creative power of the ethical hacking community, Assets reduces manual work, increases the accuracy of scanning results, and speeds up time to remediation by prioritizing based on real world risk.”

“Having in-depth visibility of our attack surface is a core part of our security strategy,” said Roy Davis, Lead Security Engineer at Zoom. “With HackerOne Assets and the insights it brings from the hacking community, our security team has been able to effectively prioritize those areas of our attack surface that need the most attention, helping us address security gaps faster.”

HackerOne has already been running an early access program with selected enterprise customers, helping to gain critical insights into customers’ ASM drivers and investigating how to leverage the hacking community as an ASM force multiplier. With this general launch, HackerOne continues to augment its Attack Resistance Management Platform, which includes Asset Inventory, OpenASM and Assets API, Automated and Hacker-led Discovery, Continuous Scanning and Monitoring, Risk Ranking, and Attack Surface Coverage.

To learn more about how the Attack Management approach can close security gaps, visit: HackerOne.com

ABOUT HACKERONE

HackerOne closes the security gap between what organizations own and what they can protect. HackerOne's Attack Resistance Management blends the security expertise of ethical hackers with asset discovery, continuous assessment, and process enhancement to find and close gaps in the ever-evolving digital attack surface. This approach enables organizations to transform their business while staying ahead of threats. Customers include The U.S. Department of Defense, General Motors, GitHub, Goldman Sachs, Google, Hyatt, Lufthansa, Microsoft, MINDEF Singapore, Nintendo, PayPal, Slack, Twitter, and Yahoo. In 2021, HackerOne was named as a ‘brand that matters’ by Fast Company.

Newly Introduced HackerOne Assets Goes Beyond Attack Surface Management To Close Security Gaps

Distrust and verify, because you can't protect what you can't see.

Even before the Biden administration announced US federal agencies and contractors must adopt new zero-trust cybersecurity standards, many enterprise-level companies had already begun their journeys toward zero-trust architecture (ZTA) adoption.

According to a recent survey conducted by Forrester, 78% of global security leaders said they plan to bolster zero-trust operations this year, though only 6% said they have fully implemented their zero-trust projects. These organizations recognize that networks today can be local, reach into the cloud, or extend anywhere remote workers are — which limits the effectiveness of traditional defenses.

In dealing with direct attacks such as the recent Log4j vulnerability, indirect attacks such as phishing with malware, and internal lateral movement, traditional perimeter-based network access control has proven insufficient in detecting, much less preventing, compromise. Zero trust — based on the concept that users must be authenticated and continuously validated to be granted access to applications and data — is much more effective because it protects resources rather than network segments.

But successful execution is more like a journey than a switch that can be flipped on. It requires various technologies working together — including multifactor authentication, endpoint security, and identity protection — with full zero-trust adoption becoming an ongoing process of enhancements, refinements, and policy adjustments.

There's an old adage that became well known during the Cold War: "Trust, but verify." More of each is needed in today's highly distributed world, where networked environments are dynamic and network infrastructure, services, users, and more can rapidly change. Organizations cannot blindly assume their zero-trust architecture (ZTA) is always functioning as intended. Organizations need to actively distrust _and_ verify as they refine their network infrastructure, services, and operational policies. Thankfully, continuous deep packet monitoring provides the independent intelligence necessary to improve policy enforcement decisions.

**The Role of Deep Packet Monitoring**

In the Zero Trust Maturity Model laid out by the Cybersecurity and Infrastructure Security Agency (CISA), five distinct pillars reflect how advanced an organization is in its zero-trust implementation. Cutting across these pillars are guidelines for visibility and analytics, automation and orchestration, and governance — suggesting the need for cross-pillar collaboration, integration, and management for more mature ZTAs.

In traditional, non-zero-trust deployments, packet monitoring at the perimeter and occasionally in sensitive areas of the internal network provides the foundation for network visibility and analytics. But as an organization's ZTA matures, traditional perimeters blur or even vanish altogether. North-south traffic will always need to be seen and controlled, but equally as importantly, east-west traffic must be seen and controlled to detect and prevent lateral or deeper compromise in the environment. To achieve zero-trust maturity, pervasive network visibility of the entire network through deep packet monitoring is required.

Packets are the best source of high-fidelity network data available, especially for organizations further along in their digital transformation journeys toward greater public or hybrid cloud use. In these environments, organizations often lose a degree of visibility compared with traditional data centers, and traditional cybersecurity safeguards like endpoint defenses may not even come into play. Packet data transcends the limitations of distributed infrastructure to help verify performance and policy compliance in near real time, offering a single source of truth that can be analyzed months or even years later.

While networking teams have traditionally used packet monitoring to analyze networks, manage traffic, and identify performance issues, the data that packets provide to security teams can be just as invaluable for threat detection and investigations. Packet data allows security teams to trace communications between interconnected devices and historical trends, for example, and can assist in orchestrating mitigation between management and enforcement tools through APIs. It also fills in visibility and data gaps left by other cybersecurity tools (e.g., security information, event management, and endpoint detection), making those tools and existing cybersecurity staff more effective. Finally, organizations can use packet monitoring to classify networks, servers, and services based on risk, allowing for very rapid and concise verification of ZTA.

In summary, enterprises just beginning their zero-trust journeys will require refinements to their architectures as they mature. Their solutions will increasingly rely on automated processes and systems, with greater integration across pillars and more dynamic policy enforcement decisions. For these systems to remain successful, continuous validation of zero-trust designs and enforcement boundaries is required, and deep packet monitoring offers the most comprehensive level of visibility available to verify their effectiveness.

At the end of the day, zero trust is a philosophy. To buy in completely, nothing can be taken for granted. Even organizations with more mature zero-trust implementations must continually verify their adherence with constant, pervasive network visibility. After all, you can't protect what you can't see, and what you can't see, you shouldn't trust.

Comprehensive Network Visibility Is Imperative for Zero-Trust Maturity

A timing attack helps cyberattackers lob malicious code-bombs at corporate targets by cloning private package names.

A novel timing attack has emerged for targeting private corporate software packages hosted in the npm code repository. The goal is to uncover the legitimate offerings and then create malicious public packages using the same names in order to trick employees into downloading the doppelganger blocks.

Internal developer projects typically use standard, trusted code dependencies that are housed in private repositories on npm and elsewhere. The idea is to avoid software supply chain attacks and other code dependency issues, and to protect sensitive internal developer code. As such, if they can be hijacked or weaponized, they provide an attractive avenue for cybercriminals looking to crack corporate networks and exfiltrating sensitive information.

**Code Dependency Confusion Rides Again**

Last year, researcher Alex Birsan pioneered what's known as the code dependency confusion attack, using benign proof-of-concept (PoC) code blocks to target internal apps at Amazon, Lyft, Slack, and Zillow, among others. He created "copycat" packages to be housed instead in public repositories like npm, with the same names as the private legitimate code dependencies. What ensued was that internal projects began defaulting to importing the new public packages instead of the private ones.

The PoC demonstrated how outside code can be imported and propagated through a targeted company’s internal applications and systems, with relative ease — including at Apple, Microsoft, Netflix, PayPal, Shopify, Tesla, and Uber. Unsurprisingly, it didn't take long for malicious actors to replicate the attack pattern.

One way to defend against these kinds of attacks is to keep the package names secret so they can't be cloned. But according to Aqua Security’s Nautilus research team, it's possible to reveal private packages names by using a glitch in npm's registry API.

**A New Type of Timing Attack**

Npm's registry API allows users to check for the existence of packages, download them, and receive information about them. If a user searches for a private package or one that doesn't exist, the website throws a 404 HTTP error message in both cases. However, there's a difference in the amount of time it takes to return that error page: The average response time to 404 a private package is 648 milliseconds, while the average time when a package doesn't exist at all is just 101 milliseconds.

"If a threat actor sends around five consecutive requests for information about a private package and then analyzes the time taken for npm to reply, it is possible for them to determine whether the private package in fact exists," Nautilus researchers said in an Oct. 13 blog post.

There are a few methods that could be used to create a list of private package names to test with the timing attack, according to the research. These include:

*   Guess the names of the private packages by performing a dictionary attack using the patterns found in the nomenclature of the organizations' public packages.
*   Use online public data sets (such as libraries.io) access historic information about public packages that were deleted — these may have been converted to private packages.

The researchers reported the issue to npm owner GitHub's bug bounty program, getting this response: “Because of these architectural limitations, we cannot prevent timing attacks from determining whether a specific private package exists on npm.”

To protect themselves, the researchers said, corporations should be actively looking for typosquatting, lookalikes, or copycat packages, and verifying that there are no other packages with the same name as internal private packages being hosted in repositories.

Novel npm Timing Attack Allows Corporate Targeting

The comprehensive, multiplatform framework comes loaded with weapons, and it is likely another effort by a China-based threat group to develop an alternative to Cobalt Strike and Sliver.

Researchers have uncovered a potentially dangerous cyberattack framework targeting Windows, Linux, and Mac systems that they assess is likely already being used in the wild.

The framework consists of a new, stand-alone, command-and-control (C2) tool dubbed "Alchimist," a previously unseen remote access Trojan (RAT) called "Insekt," and several bespoke tools like a custom backdoor and malware for exploiting vulnerabilities in macOS. It also includes reverse proxies and several dual-use tools such as netcat, psexec, and an intranet-scanning tool called fscan.

"Alchimist is a new C2 framework that can be rapidly deployed and operated with relatively low technical expertise by a threat actor," says Nick Biasini, head of outreach at Cisco Talos.

**A Cobalt Strike Alternative?**

Researchers from Cisco Talos who discovered the attack framework described Alchimist as another example of threat actors trying to develop alternatives to popular post-exploit tools such as Cobalt Strike and, more recently, Sliver. 

"The emergence of such frameworks in the wild suggests that threat actors are actively trying to develop alternative solutions to popular attack frameworks ... whose increasing popularity has led to rigorous detection efforts," Biasini says. 

In a blog post on Oct. 13, Cisco Talos described Alchimist as a 64-bit Linux executable written in GoLang with a Web interface written in Simplified Chinese, the official written script for mainland China. The Insekt RAT, Alchimist's primary implant, is also implemented in GoLang. The malware features several remotely accessible capabilities that allow it to be customized via the C2 server.

"\[Alchimist\] can generate a configured payload, establish remote sessions, deploy payloads to the remote machines, capture screenshots, perform remote shellcode execution and run arbitrary commands," the report noted. Giving it those capabilities are a variety of malware tools, including a Mach-0 backdoor for macOS and a separate macOS malware dropper that exploits a known vulnerability in a root program associated with major Linux distributions (CVE-2021-4034).

Of note, the Insekt RAT implants that Alchimist generates features a wide range of capabilities that essentially makes it a Swiss Army knife for the attackers on the infected system, Biasini says.

A campaign utilizing the attack framework has been active since at least January. 

"Although Talos does not have information on the precise targeting intended in this campaign, the intention of the attacks is to compromise and establish long-term access into victim environments," Biasini says.

**Stand-Alone Frameworks**

Cisco Talos has compared the Alchimist framework with another attack framework it discovered recently, dubbed Manjusaka. In a report in August, the company described Manjusaka as a Chinese sibling of Cobalt Strike and Sliver that a threat actor was actively using in a campaign involving COVID-19 and China-themed lure documents.

Both Alchimist and Manjusaka are stand-alone, single-file-based C2 frameworks with similar design philosophies but different implementations. Both come ready to use with no installation required, and both can patch and generate implants such as the Insekt RAT on the fly, Cisco Talos said.

One feature of the new C2 that the company highlighted as being notable is its ability to generate PowerShell and wget code snippets for Windows and Linux.

The snippets give threat actors the ability to create an infection vector for Insekt RAT without having to author custom code or utilize additional tools, Biasini says. Attackers can simply add the PowerShell/wget code to a delivery vector such as a malicious document's VBA Macro or to a malicious shortcut file and then distribute it to victims for infection. 

"This offering may be an attempt by the authors to provide bonus features in the C2 framework and make it more enticing to threat actors," he notes.

Feature-Rich 'Alchimist' Cyberattack Framework Targets Windows, Mac, Linux Environments

Company enables organizations to mark endpoint performance and take immediate action to mitigate risk.

KIRKLAND, Wash., Oct. 13, 2022 – Tanium, the industry’s only provider of converged endpoint management (XEM), today announced the launch of Tanium Benchmark, an industry-first solution that delivers real-time, holistic assessments of the security and operational risks associated with connected endpoints, empowering teams to prioritize efforts, collaborate effectively, and take risk-mitigation action while reducing IT costs and complexity.

Benchmark, powered by the Tanium XEM platform, determines real-time risk scores by analyzing up-to-date, comprehensive data from millions of endpoints across Tanium’s global customer base. Benchmark compares a customer’s endpoint metrics against their industry peers to establish a baseline for ongoing measurement and evaluation. Benchmark also enables IT operations, risk, and security teams to provide corporate board members and executive leadership with just-in-time data to make more informed decisions.

“A near-real-time risk score with comprehensive visibility into the state of endpoints enables executives to better understand the impact of cyberattacks on business outcomes,” said Phil Harris, research director in the Cybersecurity Risk Management Services practice at IDC. “Decision makers can prioritize severe vulnerabilities and response to breaches much nor quickly to reduce the attack surface radically.”

Customer IT and operations teams can utilize Tanium Benchmark findings to manage and track the current state of endpoints and mitigate risk proactively based on more than 20 different metrics including vulnerability, outstanding patches, and lateral movement risk.

“Without accurate real-time data, you are flying blind and unable to make the best decisions from a security and risk perspective,” said Tanium Chief Product Officer Nic Surpatanu. “Tanium Benchmark is a game-changer with its unprecedented insight that instantly assesses the very heart of your most important functions—IT, Risk, and Compliance—and delivers the ability to compare and contrast scores with similar organizations, bringing unique clarity to what is working and where there are areas for improvement. Benchmark enables you to make accurate and effective decisions on where to invest to improve your risk posture.”

Get your no-cost risk assessment now to experience the peace of mind that Tanium Benchmark delivers and make the most of your technology investments.

About Tanium  
Tanium, the industry’s only provider of converged endpoint management (XEM), leads the paradigm shift in legacy approaches to managing complex security and technology environments. Only Tanium protects every team, endpoint, and workflow from cyber threats by integrating IT, Compliance, Security, and Risk into a single platform that delivers comprehensive visibility across devices, a unified set of controls, and a common taxonomy for a single shared purpose: to protect critical information and infrastructure at scale. Tanium has been named to the Forbes Cloud 100 list for seven consecutive years and ranks on Fortune’s list of the Best Large Workplaces in Technology. In fact, more than half of the Fortune 100 and the U.S. armed forces trust Tanium to protect people; defend data; secure systems; and see and control every endpoint, team, and workflow everywhere. That’s the power of certainty. Visit www.tanium.com and follow us on LinkedIn and Twitter.

Tanium Benchmark Sets New Standard for Tracking and Improving Security and Operational Metrics

The QAKBOT group has successfully ramped up its operations, infecting systems, installing attack frameworks, and selling access to other groups, including Black Basta.

The QAKBOT malware group resumed expanding its access-as-a-service network in early September, successfully compromising hundreds of companies with common second-stage payloads, including Emotet malware and two popular attack platforms, threat researchers said this week.

In the most recent incident, cybersecurity firm Trend Micro observed QAKBOT-infected systems deploying Brute Ratel, an "adversary emulation" platform used by penetration testers, but also — along with Cobalt Strike — used by cybercriminals for its sophisticated capabilities. Another group, known as Black Basta, is likely responsible for the subsequent attacker activity using the two platforms, Trend Micro said.

Black Basta's use of the QAKBOT, also known as QBot or Pinkslipbot, highlights how cybercriminal groups are specializing in particular attack-chain activities, says Jon Clay, vice president of threat intelligence for Trend Micro.

"QBot appears to have improved their offering as they have to compete with other groups selling similar services in the underground — BlackBasta is one such group that feels their tool set works for them," he says. "They continue to update their code and malware to enhance obfuscation and ability to successfully compromise victims."

After QAKBOT infects a system, the attack tools conducts automated reconnaissance and then downloads and installs Brute Ratel, which is then used by Black Basta to move laterally to other systems in the network and execute payloads, according to Trend Micro's report.

Other security firms have also noted that cybercriminal groups have increasingly focused on specific elements of the attack chain. While QAKBOT started out as a banking trojan, different groups have augmented its capabilities with additional modules, according to the NCC Group, a threat intelligence firm.

"QBot is considered a banking Trojan, but thanks to its modular design, it can also act as an infostealer, a backdoor — with its _backconnect_ module — and a downloader," the Global Threat Intelligence Team at NCC Group said in response to questions from Dark Reading, adding: "After the takedown attempt on Emotet and the recent pause of its operation, QBot and Bokbot had been sharing the market."

The approach has garnered success for the group. In a separate report, threat researchers at cybersecurity firm Kaspersky said that QAKBOT had infected at least 1,800 victims, at least half of which are business systems or workers' computers.

Black Basta is just one of the groups that have either use a QAKBOT service or distribute the malware themselves. The Black Basta group first appeared in April, conducting double extortion operations in which the attacker installs ransomware and steals data to put pressure on the business to pay the ransom. The group is likely made up of member of the Conti gang, which dissolved in May, but whose members continue to be a threat.

**Brute Ratel in the QAKBOT Mix**  
In May, a malicious file linked to the attack tool, Brute Ratel, was uploaded to VirusTotal, a common way to check whether current anti-malware scanners can detect a new variant. None of the 56 scanners detect that the file contained malicious code, Mike Harbison and Peter Renals, two threat researchers at network security firm Palo Alto Networks, wrote in an analysis of Brute Ratel in July.

The attack likely came from a Russian group known as APT29 and poses issues for companies, the researchers stated.

"While \[Brute Ratel C4\] has managed to stay out of the spotlight and remains less commonly known than its Cobalt Strike brethren, it is no less sophisticated," Harbison and Renals wrote. "Instead, this tool is uniquely dangerous in that it was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities."

Trend Micro concurred with Palo Alto Networks that, while Cobalt Strike is a well-known payload used by many cybercriminals, more attackers are starting to use Brute Ratel for extending their compromise and delivering payloads, especially after stolen code and leaked licenses have made pirated copies of the software available.

Obscurity helps the program be successful, Trend Micro stated in its analysis.

"This makes Brute Ratel and other less established C2 frameworks an increasingly more attractive option for malicious actors, whose activities may remain undetected for a longer period," the company stated.

Since the current QAKBOT group extensively uses spam, targeted emails, and compromising email threads as a way to distribute the initial links and malware, Trend Micro recommends that users follow email security best practices, such as verifying the email sender and content before downloading attachments and hovering over embedded links to see the actual target URL. Security-awareness training is important part of raising the level needed to infect a company.

QAKBOT Attacks Spike Amid Concerning Cybercriminal Collaborations

This legacy of corporations' appetite for data is not worth the risk, leaders say, emphasizing the need to find, secure and redact records

CHICAGO and NEW YORK, Oct. 6, 2022 -- Dark data represents the biggest potential cybersecurity exposure for U.S. and U.K. businesses, according to a special cybersecurity edition of the DealMaker Meter report, "Understanding Risk: The Dark Side of Data," from Donnelley Financial Solutions (NYSE: DFIN), a leading risk and compliance company. Defined as data that a company has collected but no longer needs — ranging from outdated customer information to old employee records — dark data is often forgotten and unprotected by corporations, creating substantial liabilities as well as tempting targets for cyber criminals.

The rise in dark data has accompanied corporations' increased interest in accumulating a wide variety of data sets (often called Big Data), which can be used to improve marketing, product development, customer service and a host of other activities. Dark data can be unstructured, sensitive, personal, regulated, vulnerable or high-risk information an organization has collected and stored over time.

Nearly seven of 10 enterprise leaders surveyed said data storage presents more risk than value. But while 33 percent of senior leaders and IT personnel are aware of the risks of dark data, 18 percent of others within organizations are less knowledgeable.

In addition to worrying about managing dark data, 96 percent of executives are concerned about data fraud and 95 percent are worried data breach incidents will increase over the next two years. Rightfully so, given more than half have experienced an incident this year and others indicated they had more than five data breaches and/or data fraud incidents this past year.

One key takeaway from the report is that IT departments should deploy technologies to better find, secure and redact dark data.

Other key findings include:

*   Preparing for Tomorrow: Company leaders are focused on improving how their companies protect sensitive data, with 77 percent enacting new policies and processes, 72 percent increasing reporting measures and 75 percent investing in partners and software and solutions. 

*   Technology First: To enhance protection, more than 83 percent indicated they would choose new technology tools over adding more team members, the choice of just 17 percent.

Containing insights from a blue-ribbon panel of finance, legal, HR and IT professionals at large public and private companies in the U.S. and U.K., the special fall edition of the DealMaker Meter is an online tool that provides a snapshot of cybersecurity and dark data concerns. It is designed to help business decision-makers better understand key topics impacting their industry and the world around them.

"This report shows that the appetite for Big Data within corporations has a cost," said Dannie Combs, Chief Information Security Officer at DFIN. "Our clients are increasingly turning to us to help mitigate the risks associated with dark data. We are seeing an influx of requests from companies to leverage virtual data rooms as corporate repositories to store, secure and manage data across departments including finance, legal, HR and R&D. Our Data Protect software is used globally by clients to cost-effectively find and redact dark data across disparate IT systems."

This special fall edition of the DealMaker Meter, "Understanding Risk: The Dark Side of Data," is available for download on the DFIN website here.

**About Donnelley Financial Solutions (DFIN)**

DFIN is a leading global risk and compliance solutions company. We provide domain expertise, enterprise software and data analytics for every stage of our clients' business and investment lifecycles. Markets fluctuate, regulations evolve, technology advances, and through it all, DFIN delivers confidence with the right solutions in moments that matter. Learn about DFIN's end-to-end risk and compliance solutions online at DFINsolutions.com or you can also follow us on Twitter @DFINSolutions or on LinkedIn.

DFIN DealMaker Meter: Surge in 'Dark Data' Represents Growing Danger for Corporations

SAS and Neterium partnered to deliver Neterium’s next-gen screening capabilities on SAS’ analytics platform.

Cary, NC (Oct 10, 2022) The volume, velocity and complexity of today’s sanctions screening landscape require extraordinary vigilance, backed by best-of-breed analytics and data orchestration that empower always-on monitoring and immediate action. To meet these modern-day thresholds, Paris-based Orange Bank teamed with SAS and Neterium to achieve real-time sanctions screening in the cloud.

“Our newly deployed AML-CTF platform, powered by SAS and Neterium, is already proving to be a game-changer,” said Veronique McCarroll, Deputy CEO of Orange Bank.

Ever committed to staying at the forefront of banking innovation, Orange Bank began contemplating new sanctions screening tools in 2021. Going real-time would enable its compliance team to bolster the French bank’s anti-money laundering (AML) and counter-terrorist financing (CTF) guardrails. The bank also aimed to streamline the varied tools used and managed by its analysts. It relied on SAS to deliver on its vision.

Achieving next-gen sanctions screening

“As we considered complementing technologies that would help Orange Bank achieve the agility and responsiveness it required, Neterium was an immediate standout,” said Stu Bradley, Senior Vice President of Fraud and Security Intelligence at SAS. “SAS chose to partner with Neterium to provide the real-time sanctions screening engine because of the efficiency, effectiveness and scalability of its solutions, and also for the explainability of its AI-driven decisioning.”

Over a period of nine months, SAS and Neterium collaborated to align Neterium’s cloud-native real-time “watchlist screening-as-a-service” with SAS® Visual Investigator. Neterium’s dual API-based offerings, Jetscan and Jetflow, operate seamlessly on the SAS platform. The potent synthesis gives Orange Bank automated entity and transaction screening against major government and global watchlists as well as politically exposed persons (PEP) lists.

“Built-in AI and advanced screening technologies improve detection relevance and allow our analysts to monitor a holistic, real-time view of AML risk,” said McCarroll. “I’m confident this implementation will sustainably increase our team’s efficiency and effectiveness – and, likewise, that we leverage the best technology partners to continually enhance our integrated compliance platform.”

“By focusing exclusively on developing infinitely scalable screening capabilities delivered through an API, Neterium has mastered the nuances and complexities of what is perhaps the most confounding facet of financial crimes compliance,” said Florence Vicentini, Chief Commercial Officer and Head of Partnerships at Neterium. “The depth and breadth of SAS’ financial crimes compliance platform is similarly unmatched in the market, which makes the connecting of our technologies and capabilities for Orange Bank a formidable mix.”

“The world’s volatile geopolitical landscape is fraught with risks that demand a real-time view of entities and transactions in the context of ever-expanding sanctions watchlists,” added SAS’ Bradley. “Achieving real-time sanctions screening will help Orange Bank address their compliance challenges through reduced false positives, enhanced performance and improved operational efficiency.”

Today’s announcement was made during Sibos 2022, the world’s global, premier financial services event, convening in Amsterdam, Oct. 10-13. Attendees are invited to engage with SAS experts on sanctions screening and other topics throughout the conference at Sibos Booth B115.

About SAS

SAS is the leader in analytics. Through innovative software and services, SAS empowers and inspires customers around the world to transform data into intelligence. SAS gives you THE POWER TO KNOW.

Source

DARKReading