Interactive intrusion campaigns jumped nearly 50%, while the breakout time between initial access and lateral movement shrank to less than 90 minutes, putting pressure on defenders to react quickly.

Attackers are increasingly taking a hands-on approach to network intrusions, usually avoiding using malware; they have also reduced the time it takes to move from an initial compromise to infecting other systems in a network.

That's according to cybersecurity services firm CrowdStrike, which found in a report published Tuesday that both targeted attacks and interactive intrusions have increased overall. For the 12 months ending in June, targeted attacks accounted for 18% of all attacks, up from 14% for the prior 12 months, according to the firm's telemetry.

Attackers also focused on interactive intrusions that take a hands-on approach to compromises, with an almost 50% increase in such attacks, the company found. Unsurprisingly, the increase in hands-on attacks meant less reliance on malware — 71% of all events detected by CrowdStrike indicated malware-free activity, the company said.

The technology sector continued to be the focus of the most attacks, with nearly 20% of attacks targeting the industry sector, while telecommunications became the second most targeted at 10%, and manufacturing accounting for about 8% of attacks. Cybercriminal attacks accounted for 43% of all security incidents investigated by CrowdStrike, the firm stated in the report.

**A Rise in Nation-State Cyberattacks**

The shifts in cyberattacker tactics have come from specialized cybercrime offerings and an increase in nation-state attacks, says Param Singh, vice president of CrowdStrike's Falcon OverWatch group.

"This surge is being driven in part by the evolving e-crime landscape which has seen an unprecedented number of new criminally motivated adversary groups emerging and joining the fold in an attempt to capitalize on the lucrative opportunities for financial gain," he says. "Additionally, there has been a prolonged rise in targeted intrusion activity on the part of state-based adversaries in response to the evolving geopolitical landscape and global macro events."

More compromised credentials and more services means that adversaries are able to quickly choose vulnerable systems and gain access essentially on demand, which leads to faster breakout times, he says. At the same time, because advanced actors can use the same access-for-service tools, they are able to gain a beachhead and interactively hack their victim.

A shorter breakout time would normally suggest that attackers are using more automation, but CrowdStrike's threat hunters found that attackers are using interactive hacking more often. There are two separate trends at play, says Singh.

"\[T\]he ongoing surge in ransomware-as-a-service and affiliate networks along with increasing prevalence of access broker activity all adds up to one thing: a lower barrier to entry for criminally motivated adversaries," Singh says. "In practice, this translates to adversaries being able to operationalize an attack and both gain initial access easier and move laterally to additional hosts faster than previously seen."

CrowdStrike pointed toward the Russia-Ukraine conflict as one factor for the growth in targeted attacks, but China remains the most prolific attacker, according to the company's data.

"A look back at the numerous geopolitical and macro global events that have taken place have shown both China and Russia to be outspoken," Singh says. "While a greater proportion of attributable malicious activity has been linked back to China-nexus adversaries, it is our assessment that Russian adversaries continue to operate. However, it is possible that this activity currently falls under the unattributed category of intrusions."

**Mystery Assailants**

Meanwhile, the share of detected security incidents that remain unattributed continues to be high. In the 12 months ending June 2022, 38% of intrusion campaigns could not be positively attributed to a specific group, about the same (39%) as the previous 12 months.

"\[T\]here are often few identifiable artifacts or examples indicative of tradecraft to investigate, which prevents high-confidence attribution," CrowdStrike stated in the report. "This issues is compounded by the continued blurring of the lines between eCrime and targeted intrusion tradecraft and tooling, which also curtails high-confidence attribution."

To keep up with attackers' speed and break their chain of attack, defenders need to both deploy technology-based controls and use human-based threat-hunting services to catch signs of attackers and subvert their automated attacks and hands-on hacking.

"When it comes to breaking that chain, the reality is that adversaries are moving faster, in some cases in mere minutes," Singh says. "Pairing this observation with the increasing proliferation of compromised account usage with the diminishing reliance on malware means defenders must extend their defensive capabilities beyond technology alone."

Cyberattacks Are Now Increasingly Hands-On, Break Out More Quickly

Honeypot activity exposed two credentials that the threat actor is using to host and distribute malicious container images, security vendor says.

An apparent operational security slip-up by a member of the TeamTNT threat group has exposed some of the tactics it's using to exploit poorly configured Docker servers.

Security researchers from Trend Micro recently set up a honeypot with an exposed Docker REST API to try and understand how threat actors in general are exploiting vulnerabilities and misconfigurations in the widely used cloud container platform. They discovered TeamTNT — a group known for its cloud-specific campaigns — making at least three attempts to exploit its Docker honeypot.

"On one of our honeypots, we had intentionally exposed a server with the Docker Daemon exposed over REST API," says Nitesh Surana, threat research engineer at Trend Micro. "The threat actors found the misconfiguration and exploited it thrice from IPs based in Germany, where they were logged in to their DockerHub registry," Surana says. "Based on our observation, the motivation of the attacker was to exploit the Docker REST API and compromise the underlying server to perform cryptojacking."

The security vendor's analysis of the activity eventually led to uncovering credentials for at least two DockerHub accounts that TeamTNT controlled (the group was abusing DockerHub free Container Registry services) and was using to distribute a variety of malicious payloads, including coin miners.  

One of the accounts (with the name "alpineos") hosted a malicious container image containing rootkits, kits for Docker container escape, the XMRig Monero coin miner, credential stealers, and Kubernetes exploit kits. 

Trend Micro discovered the malicious image had been downloaded more than 150,000 times, which could translate into a wide swath of infections.

The other account (sandeep078) hosted a similar malicious container image but had far fewer "pulls" — just about 200 — compared with the former. Trend Micro pointed to three scenarios that likely resulted in the leak of the TeamTNT Docker registry account credentials. These include a failure to logout from the DockerHub account or their machines being self-infected.  

**Malicious Cloud Container Images: A Useful Feature**

Developers often expose the Docker daemon over its REST API so they can create containers and run Docker commands on remote servers. However, if the remote servers are not properly configured — for instance, by making them publicly accessible — attackers can exploit the servers, Surana says.

In these instances, threat actors can spin up a container on the compromised server from images that execute malicious scripts. Typically, these malicious images are hosted on container registries such as DockerHub, Amazon Elastic Container Registry (ECR), and Alibaba Container Registry. Attackers can use either compromised accounts on these registries to host the malicious images, or they can establish their own, Trend Micro has previously noted. Attackers can also host malicious images on their own private container registry.   

Containers that are spun up from a malicious image can be used for a variety of malicious activities, Surana notes. "When a server running Docker has its Docker Daemon publicly exposed over REST API, an attacker can abuse and create containers on the host based on attacker-controlled images," he says.

**A Plethora of Cyberattacker Payload Options**

These images may contain cryptominers, exploit kits, container escape tools, network, and enumeration tools. "Attackers could perform crypto-jacking, denial of service, lateral movement, privilege escalation, and other techniques within the environment using these containers," according to the analysis.  

"Developer-centric tools like Docker have been known to be abused extensively. It’s important to educate \[developers\] at large by creating policies for access and credential use, as well as generate threat models of their environments," Surana advocates.

Organizations should also ensure that containers and APIs are always properly configured to ensure that exploits are minimized. This includes ensuring that they are accessible only by the internal network or by trusted sources. In addition, they should follow Docker's guidelines for strengthening security. "With the rising number of malicious open source packages targeting user credentials," Surana says, "users should avoid storing credentials in files. Instead, they are advised to choose tools such as credential stores and helpers."

TeamTNT Hits Docker Containers via 150K Malicious Cloud Image Pulls

Twitter did not know what data it had or who had access to it, Peiter "Mudge" Zatko told Congressional lawmakers during a Senate panel hearing.

Former Twitter security chief Peiter Zatko, aka "Mudge," testified before a Senate panel (video) Tuesday alleging widespread security deficiencies at the social media company. His testimony expanded on the 200-plus page whistleblower complaint submitted to Congress last month.

Zatko, who was Twitter's head of security from November 2020 until being fired in January 2022, alleged "extreme, egregious deficiencies" in areas of user privacy, digital and physical security, and platform integrity/content moderation.

"What I discovered when I joined Twitter was that this enormously influential company was over a decade behind industry security standards," he said in his testimony.

**No Framework to Protect User Data**

As a social media platform, Twitter is sitting on a giant trove of user information, such as the user's phone number, the user's current and past IP addresses used to connect to Twitter, current and past email addresses, the person's approximate location based on IP addresses, the user's language, and information about the person's device or browser they are using.

Protecting that information is critical. In the wrong hands, it can be used to dox individual users and open them up to physical harm. The communications can expose information users may not want publicized.

Twitter doesn't know "what they have, where it lives, or where it came from," Zatko told Congressional lawmakers during his testimony. "And so, unsurprisingly, they can't protect it."

**No Access Logs**

One of the core tenets of data protection is to have access controls so that there is a way to monitor whether anyone is accessing information they should not be. Twitter did not have that kind of logging, Zatko said, claiming that Twitter had no visibility over what anyone was doing with the data.

Employees have "too much access to too much data," Zatko said. The information is available to roughly half of Twitter's staff, or about 4,000 employees, and engineers are given access to the data by default, he said.

The lack of controls made account takeovers trivial. "It's not far-fetched to say an employee inside the company could take over the accounts of all the senators in this room," Zatko said. "It doesn't matter who has keys if you don't have any locks on the doors."

That scenario isn't so far-fetched. Zatko came to Twitter shortly after a 2020 incident where a group of teenagers gained access to an internal tool and then took over the accounts of high-profile Twitter users as part of a crypto-currency scam.

"From research that I coordinated after the 2020 incident, it was obvious that Twitter did not have appropriate privileged user management controls nor separation of duty policies for developers and administrators of their systems," Aaron Turner, CTO of SaaS Protect at Vectra, previously told Dark Reading.

**Red Flags Were Ignored**

One system that tracked logins for Twitter engineers was registering "thousands" of failed login attempts each week, Zatko said. Despite the fact that the company saw as many as 3,000 failed attempts each day, the company did not prioritize investigating to see where the attempts were coming from or what systems were being targeted.

Not investigating was a missed opportunity. Trying to figure out what the failed attempts were targeting could have helped identify potentially vulnerable systems and whether they needed additional layers of protection.

Twitter is "so far behind on their infrastructure," and the engineers aren't given the opportunity to modernize the platform, Zatko testified.

Twitter has pushed back on the allegations. "Today's hearing only confirms that Mr. Zatko's allegations are riddled with inconsistencies and inaccuracies," a spokesperson said,

Key Takeaways From the Twitter Whistleblower's Testimony

CloudFox is a command-line tool that helps penetration testers understand unknown cloud environments.

Bishop Fox released CloudFox, a command-line security tool that helps penetration testers and security practitioners find potential attack paths within their cloud infrastructures.

The main inspiration for CloudFox was to create something like PowerView for cloud infrastructure, Bishop Fox consultants Seth Art and Carlos Vendramini wrote in a blog post announcing the tool. PowerView, a PowerShell tool used to gain network situational awareness in Active Directory environments, provides penetration testers with the ability to enumerate the machine and the Windows Domain.

For example, Art and Vendramini described how CloudFox could be used to automate various tasks penetration testers perform as part of an engagement, such as looking for credentials associated with Amazon Relational Database Service (RDS), tracking down the specific database instance associated with those credentials, and identifying the users who have access to those credentials. In that scenario, Art and Vendramini noted that CloudFox can be used to understand who — whether specific users or user groups — could potentially exploit that misconfiguration (in this case, the exposed RDS credentials) and carry out an attack (such as stealing data from the database).

The tool currently only supports Amazon Web Services, but support for Azure, Google Cloud Platform, and Kubernetes is on the road map, the company said.

Bishop Fox created a custom policy to use with the Security Auditor policy in Amazon Web Services that grants CloudFox all the necessary permissions. All CloudFox commands are read-only, meaning that executing them will not change anything in the cloud environment.

"You can rest assured that nothing will be created, deleted, or updated," Art and Vendramini wrote.

Some commands include:

*   Inventory: Figure out which regions are used in the target account and provide the rough size of the account by counting the number of resources in each service.
*   Endpoints: Enumerates service endpoints for multiple services at the same time. Output can be fed into other tools, such as Aquatone, gowitness, gobuster, and ffuf.
*   Instances: Generates a list of all public and private IP addresses associated with the Amazon Elastic Compute Cloud (EC2) instances with names and instance profiles. Output can be used as input for nmap.
*   Access-keys: Returns a list of active access keys for all users. This list would be useful for cross-referencing a key to figure out which in-scope account the key belongs to.
*   Buckets: Identifies the buckets in the account. There are other commands that can be used to inspect the buckets further.
*   Secrets: Lists secrets from AWS Secrets Manager and AWS Systems Manager (SSM). This list can also be used to cross-reference secrets to find out who has access to them.

"Finding attack paths in complex cloud environments can be difficult and time consuming," Art and Vendramini wrote, noting that most tools to analyze cloud environments focus on security baseline compliance. "Our primary audience is penetration testers, but we think CloudFox will be useful for all cloud security practitioners."

Bishop Fox Releases Cloud Enumeration Tool CloudFox

In Microsoft's lightest Patch Tuesday update of the year so far, several security vulnerabilities stand out as must-patch, researchers warn.

Microsoft addressed a pair of important-rated zero-day bugs in its September Patch Tuesday update, including a local privilege-escalation (LPE) that's being actively exploited in the wild. To boot, it disclosed three separate critical vulnerabilities that could be used for worming attacks.

The patches are part of a cache of just 64 fixed vulnerabilities from Microsoft this week, the fewest for any month this year (and almost a 50% decrease from August). The disclosed bugs affect Microsoft Windows and Windows Components; Azure and Azure Arc; .NET, Visual Studio, .NET Framework; Microsoft Edge (Chromium-based); Office and Office Components; Windows Defender; and Linux Kernel.

**A Pair of Zero-Day Vulnerabilities**

The actively exploited vulnerability (CVE-2022-37969, with a CVSS score of 7.8) exists in the Windows Common Log File System Driver, which is a general-purpose logging subsystem first introduced in Windows 2003 R2 OS and which has shipped with all later versions. An exploit for the bug allows an attacker with initial system access to elevate their privilege to SYSTEM privileges on a zero-click basis.

"No other technical details are available, but since the vulnerability has low complexity and requires no user interaction, an exploit will likely soon be in the arsenal of both white hats and black hats," Mike Walters, cybersecurity executive and co-founder of Action1, wrote in an analysis provided to Dark Reading. "It’s recommended that you deploy the patch as soon as possible."

Dustin Childs of Trend Micro's Zero Day Initiative (ZDI) noted that it's likely being deployed in a tidy exploit chain package.

"Bugs of this nature are often wrapped into some form of social engineering attack, such as convincing someone to open a file or click a link," he wrote in his Patch Tuesday blog post. "Once they do, additional code executes with elevated privileges to take over a system."

This is one for everyone to patch quickly, he stressed: "Usually, we get little information on how widespread an exploit may be used. However, Microsoft credits four different agencies reporting this bug, so it’s likely beyond just targeted attacks."

The other zero-day bug (CVE-2022-23960) exists in Windows 11 for ARM64-based Systems. Microsoft didn't provide any further details, and it was not assigned a CVSS score, but Bharat Jogi, director of vulnerability and threat research at Qualys, offered context in an emailed comment, noting that it's a processor-based speculative execution issue of the sort made infamous with the Spectre and Meltdown attacks. A successful exploit would give attackers access to sensitive information.

"This \[is\] a fix for a vulnerability known as Spectre-BHB that affects ARM64-based systems," he noted. "This vulnerability is a variant of Spectre v2 which has reinvented itself on numerous occasions and has affected various processor architectures since its discovery in 2017."

He added, "This class of vulnerabilities poses a large headache to the organizations attempting mitigation, as they often require updates to the operating systems, firmware, and in some cases, a recompilation of applications and hardening."

**Five Critical Bugs for September**

As mentioned, three of the critical-rated bugs are wormable — i.e., could be used to spread infections from machine to machine with no user interaction.

The most concerning of these is likely CVE-2022-34718, researchers said, which can be found in Windows TCP/IP. It allows a remote, unauthenticated attacker to execute code with elevated privileges on affected systems without user interaction; and it can be exploited by sending a specially crafted IPv6 packet to a Windows node where IPsec is enabled.

"That officially puts it into the 'wormable' category and earns it a CVSS rating of 9.8," Childs said. "Definitely test and deploy this update quickly."

It should be noted that it only affects systems with IPv6 enabled and IPsec configured, but this is a common setup.

"If a system doesn’t need the IPsec service, disable it as soon as possible," said Action1's Walters. "This vulnerability can be exploited in supply chain attacks where contractor and customer networks are connected by an IPsec tunnel. If you have IPsec tunnels in your Windows infrastructure, this update is a must-have."

The other two wormable bugs, CVE-2022-34722 and CVE-2022-34721, are both found in Windows Internet Key Exchange (IKE) Protocol Extensions. They both allow RCE by sending a specially crafted IP packet to a target machine that is running Windows and has IPsec enabled, and both carry a CVSS score of 9.8.

Walters noted that the vulnerability impacts only IKEv1 and not IKEv2. "However, all Windows Servers are affected because they accept both V1 and V2 packets," he wrote. "There is no exploit or PoC detected in the wild yet; however, installing the fix is highly advisable."

The final two critical bugs (CVE-2022-34700 and CVE-2022-35805) both exist in Dynamics 365 (On-Premises), and "could allow an authenticated user to perform SQL injection attacks and execute commands as db\_owner within their Dynamics 356 database," Childs explained. They have a CVSS score of 8.8.

**Other Vulnerabilities of Note**

As for noncritical flaws to pay attention to first this month, Childs also flagged a denial-of-service bug in Windows DNS server (CVE-2022-34724, CVSS score of 7.5), which can be exploited by remote, unauthenticated attacker to knock out DNS service used to connect to cloud resources and websites.

While there's no chance of code execution, the bug should be treated as critical, he added. "With so many resources in the cloud, a loss of DNS pointing the way to those resources could be catastrophic for many enterprises," Childs said.

Rapid7's Patch Tuesday analysis this month, sent via email, also noted that SharePoint administrators should also be aware of four separate RCE bugs, all rated important (CVE-2022-35823, CVE-2022-37961, CVE-2022-38008, and CVE-2022-38009).

And there's a large swath of RCE bugs affecting OLE DB Provider for SQL Server and the Microsoft ODBC Driver (CVE-2022-34731; CVE-2022-34733, CVE-2022-35834, CVE-2022-35835, CVE-2022-35836, and CVE-2022-35840).

"These require some social engineering to exploit, by convincing a user to either connect to a malicious SQL Server or open a maliciously crafted .mdb (Access) file," Greg Wiseman, product manager at Rapid7, explained in the analysis.

Overall, administrators should have an easier time parsing the lighter patch load this month, but ZDI's Childs noted that the smaller collection is in line with the volume of patches from previous September releases. Qualys' Jogi also pointed out that while September's Patch Tuesday clocks in on the lighter side, Microsoft hit a milestone of fixing the 1,000th CVE of the year, meaning the software giant is "likely on track to surpass 2021, which patched 1,200 CVEs in total."

Microsoft Quashes Actively Exploited Zero-Day, Wormable Critical Bugs

Password compromise led to unauthorized access to a customer contract search tool over a five-month window, according to the company.

U-Haul said attackers were able to compromise two individual passwords and access the company's customer contract tool, exposing customer names and driver's license or state identification numbers.

Attackers had unauthorized access from Nov. 5, 2021, to April 5, 2022, U-Haul said. Once the breach was discovered, U-Haul changed the affected passwords and launched an investigation, the company explained on Sept. 9.

"The investigation determined an unauthorized person accessed the customer contract search tool and some customer contracts," according to U-Haul's notice of the cybersecurity incident. "None of our financial, payment processing or U-Haul email systems were involved; the access was limited to the customer contract search tool."

**U-Haul's Password Security Panned**

Experts like Sami Elhini, with Cerberus Sentinel, panned U-Haul's lack of password security.

"Ultimately, this is an identity management issue," Elhini explained in an emailed statement. "Determining you have a resolved identity based on a successful one-factor authentication is not only blissfully ignorant, but also potentially civilly and criminally negligent."

Lior Yaari, CEO of Grip Security was also withering in his assessment of U-Haul's cybersecurity.

"The passwords compromised in this U-Haul attack were clearly not governed or protected properly," Yaari said in an emailed statement. "There are probably other passwords that may have already been compromised that U-Haul, and hundreds of other companies, are unaware of and will not become aware of, until another breach like this occurs.”  

**Improving Password Protections**

While the precise approach might very across sectors and organizations, Yaari said the industry needs to stop repeating the same mistakes and relying on employees as an effective defense against cyberattack.

"The additional safeguards companies take to prevent password compromise will likely fail, and this type of breach will be repeated over and over again," Yaari added. "Rather than adding more Band-Aids, the industry needs to take a fresh approach that removes the burden of securing passwords from employees."

U-Haul Customer Contract Search Tool Compromised

Cyber spies are using legitimate apps for DLL sideloading, deploying an updated range of malware, including the new "Logdatter" info-stealer.

A threat group previously associated with the notorious ShadowPad remote access Trojan (RAT) has been observed using old and outdated versions of popular software packages to load malware on systems belonging to multiple target government and defense organizations in Asia.

The reason for using outdated versions of legitimate software is because they allow the attackers to use a well-known method called dynamic link library (DLL) sideloading to execute their malicious payloads on a target system. Most current versions of the same products protect against the attack vector, which basically involves adversaries disguising a malicious DLL file as a legitimate one and putting it in a directory where the application would automatically load and run the file.

Researchers from Broadcom's Software's Symantec Threat Hunter team observed the ShadowPad\-related threat group using the tactic in a cyber-espionage campaign. The group's targets have so far included a prime minister's office, government organizations linked to the finance sector, government-owned defense and aerospace firms, and state-owned telecom, IT, and media companies. The security vendor's analysis showed the campaign has been ongoing since at least early 2021, with intelligence being the primary focus.

**A Well-Known Cyberattack Tactic, but Successful**

"The use of legitimate applications to facilitate DLL sideloading appears to be a growing trend among espionage actors operating in the region," Symantec said in a report this week. It's an attractive tactic because anti-malware tools often don't spot the malicious activity because attackers used old applications for side loading.

"Aside from the age of the applications, the other commonality is that they were all relatively well-known names and thus may appear innocuous." says Alan Neville, threat intelligence analyst with Symantec's threat hunter team.  

The fact that the group behind the current campaign in Asia is using the tactic despite it being well-understood suggests the technique is yielding some success, Symantec said.

Neville says his company has not recently observed threat actors use the tactic in the US or elsewhere. "The technique is mostly used by attackers focusing on Asian organizations," he adds.

Neville says that in most of the attacks in the latest campaign, threat actors used the legitimate PsExec Windows utility for executing programs on remote systems to carry out the sideloading and deploy malware. In each case, the attackers had already previously compromised the systems on which it installed the old, legitimate apps.

"\[The programs\] were installed on each compromised computer the attackers wanted to run malware on. In some cases, it could be multiple computers on the same victim network," Neville says. In other instances, Symantec also observed them deploying multiple legitimate application on a single machine to load their malware, he adds.

"They used quite an array of software, including security software, graphics software, and Web browsers," he notes. In some cases, Symantec researchers also observed the attacker using legitimate system files from the legacy Windows XP OS to enable the attack.  

**Logdatter, Range of Malicious Payloads**

One of the malicious payloads is a new information stealer dubbed Logdatter, which allows the attackers to log keystrokes, take screenshots, query SQL databases, inject arbitrary code, and download files, among other things. Other payloads that the threat actor is using in its Asian campaign include a PlugX-based Trojan, two RATs dubbed Trochilus and Quasar, and several legitimate dual-use tools. These include Ladon, a penetration testing framework, FScan, and NBTscan for scanning victim environments.

Neville says Symantec has been unable to determine with certainty how the threat actors might be gaining initial access on a target environment. But phishing and opportunity targeting of unpatched systems are likely vectors.

"Alternatively, a software supply chain attack is not outside the remit of these attackers as actors with access to ShadowPad are known to have launched supply chain attacks in the past," Neville notes. Once the threat actors have gained access to an environment, they have tended to use a range of scanning tools such as NBTScan, TCPing, FastReverseProxy, and Fscan to look for other systems to target.

To defend against these kinds of attacks, organizations need to implement mechanisms for auditing and controlling what software might be running on their network. They should also consider implementing a policy of only allowing whitelisted applications to run in the environment and prioritize patching of vulnerabilities in public-facing applications. 

"We'd also recommend taking immediate action to clean machines that exhibit any indicators of compromise," Neville advises, "... including cycling credentials and following your own organization's internal process to perform a thorough investigation."

ShadowPad Threat Actors Return With Fresh Government Strikes, Updated Tools

Facebook lead-generation forms are being repurposed to collect passwords and credit card information from unsuspecting Facebook advertisers.

Attackers are piggybacking on the power of the Facebook brand by using emails that look like they're coming from Facebook Ads Manager. The idea is to lure victims into coughing up credentials and credit card information on a Facebook lead generation form.

According to a Tuesday report by the security research team at Avanan, attackers are sending phishing messages that appear to be urgent warnings from Meta's "Facebook AdManager" team. The messages claim the victim is not complying with the company's ad policies and that the ad account will be disabled if the target doesn't appeal the phony violation.

    

The Facebook Ads phishing message. Source: Avanan

The "appeal form" link leads to a credential harvesting site that uses a real Facebook lead-generation form to collect passwords and credit card information.

**Abusing the Facebook Ads System**

An interesting aspect to the campaign is that rather than using a harvesting site hosted on a sketchy IP somewhere, attackers are gaming the Facebook ads system to create lead-generation forms with malicious intent. Doing so kills two birds with one stone: First of all, it fools a lot of automated checks for malicious links used by email platforms. Using legitimate sites is what the Avanan team refers to as the Static Expressway.

"Hackers are leveraging sites that appear on static Allow Lists," explained Jeremy Fuchs, cybersecurity researcher for Avanan, in the report. "That means that email security services have broadly decided that these sites are trustworthy, and thus anything related to them comes through to the inbox."

Additionally, using Facebook Ads forms also offers a high degree of verisimilitude for any of the eight billion advertising users that Facebook works with who are already familiar with the Ads Manager platform and the lead-generation forms it produces.

"For the end user, seeing that their Facebook ad account has been suspended is cause for concern," Fuchs said. "Since it’s a legitimate Facebook link, the user would feel confident continuing on."

**Tell-Tale Signs of 'Brandjacking'**

Fuchs wrote that while the sites used in this credential harvesting campaign appeared to be legitimate, there is a red flag in the phishing messages they uncovered: Typically, these are coming from Outlook accounts such as \[email protected\]look.com.

Additionally, the physical address footer in the emails are wrong. But if users didn't notice these details, they could easily be foiled by this ploy.

According to research released earlier this year, brand impersonations, or brandjackings, like these increased by 274% last year as attackers continue to peddle their scams by looking like they come from reliable sources. Facebook is a particular favorite among phishers to impersonate. A report released by Vade this spring found Facebook was the No. 1 impersonated brand last year, edging out perennial favorite Microsoft for the top spot.

According to Abnormal Security research detailing data from the first half of 2022, email attacks increased by 48% in that timeframe, with more than 1 in 10 attacks impersonating well-known brands. Some 256 individual brands were impersonated, with LinkedIn and Microsoft appearing to be the favorites so far in 2022.

Cyberattackers Abuse Facebook Ad Manager in Savvy Credential-Harvesting Campaign

Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.

Avast ye! Come up with a cybersecurity-themed caption for the cartoon, above, and if it's Dark Reading editors' favorite, you'll win a $25 Amazon gift card. We offer four convenient ways for you to submit your security-related ideas before the contest closes on Wednesday, Oct. 12, 2022:

*   Email _\[email protected\]_ with the subject line "Dark Reading September Toon."
*   Via social media: Twitter, Facebook, and LinkedIn.

**Last Month's Winner**

Congrats, Brian N., because a $25 Amazon gift card is heading your way. The infosec pro's clever caption for last month's "Vicious Cycle" cartoon contest appears below:.

    

Thanks to all who played!

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Name That Toon: Shiver Me Timbers!

Siemplify veterans introduce Cloud Security Orchestration and Remediation platform, backed by high-profile investors including YL Ventures, Tiger Global, and CEOs of CrowdStrike and CyberArk

**TEL AVIV, Israel - September 13, 2022** -- Opus Security, a Cloud Security Orchestration and Remediation startup, today announced $10 million in seed funding led by YL Ventures with participation from Tiger Global and renowned security executives and serial entrepreneurs, including George Kurtz, co-founder, CEO and President of CrowdStrike; Udi Mokady, co-founder, Chairman and CEO of CyberArk; Dan Plastina, former Head of AWS Security Services; Oliver Friedrichs, co-founder and former CEO of Phantom Cyber, acquired by Splunk; and Alon Cohen, co-founder and former CTO of Siemplify, acquired by Google Cloud, among others.

Opus, the first holistic solution for managing and orchestrating cloud security response and remediation processes, was founded by experienced security professionals, Meny Har, CEO and Or Gabay, CTO, who were part of the founding team and leadership of SOAR pioneer Siemplify (acquired by Google). Customers expressed an acute need for a new security orchestration platform that can empower cloud security teams to reap the value of automation, gain control and lead remediation efforts across the entire organizational cloud environment using best practices and proven methodologies that can be implemented instantly, cutting down the time from detection to mitigation and conserving valuable resources.

“Organizations should not have to prioritize security over business continuity, and already strained SecOps teams are ill-equipped to handle the nuanced decisions demanded of them,” said Dan Plastina, former Head of Security Services at AWS. “Opus’ founders have built a platform that cloud-native security leadership demands — maximizing cloud security automation while retaining and enhancing business benefits.”

In recent years, revolutionary cloud security solutions created a higher level of visibility into potential threats. With more findings and more visibility, security operations had to expand from detection and response, and venture into risk reduction. This expansion and the shift-left mindset necessitated the involvement of a growing number of stakeholders across the organization, including security teams, DevOps/application teams and business owners.

Lacking comprehensive tools, built-in automation, or streamlined processes to remediate risk, security teams are left with manual, time-consuming processes and no clear understanding of who owns this risk, who can mitigate it, when automation is “safe” and how they should delegate tasks accordingly, leaving numerous gaps unresolved.

“When it comes to cloud response and remediation, we’re still stuck with ad-hoc techniques developed on the fly,” said Srinath Kuruvadi, Head of Cloud Security at Netflix. “There is a huge opportunity to bring context-aware standardization to cloud automation that appeals to SecOps and DevOps teams, with precise risk reduction metrics. Opus’ founders have the right skills and an extensive background in SOAR-like technologies to tackle this important space.”

Aware of the concerning challenges and skill gaps in cloud security, Opus is set to transform the way response and remediation are done in the cloud. Opus has built a singular, overarching platform that connects existing cloud and security tools and relevant stakeholders, and orchestrates the entire response and remediation process across all organizational environments based on tried-and-tested, easily deployed guidelines and playbooks. Leveraging automation to the highest degree, Opus knows when sensitive issues demand human involvement and allows automation to resolve the rest. With instant visibility and mapping of remediation metrics, Opus removes blind spots and provides security and business executives with immediate and tangible insights into the state of their risk.

“The massive transition to the cloud has created a need for a new and different type of security orchestration platform, one that minimizes organizational risk and excels at leveraging the countless automation opportunities in the cloud,” said Meny Har, co-founder and CEO of Opus. “The growing number of stakeholders that are now an inherent part of the security operations process should be connected and working together to reduce risk.”

“The proliferation of cloud-focused security solutions has dramatically raised organizational awareness to the scope of their risk surface,” said John Brennan, Senior Partner at YL Ventures. “While visibility in the cloud has greatly improved, customers now express the need for a dedicated solution to address the drastically increasing number of alerts. I cannot imagine a better convergence of an expert team solving a market-wide problem that they understand intimately. Meny and Or have leveraged their unique experience at Siemplify to build the industry’s first cloud-native remediation orchestration and automation platform.”

For more information on how to reimagine your remediation efforts in the cloud, go to opus.security.

**Additional Quotation**

“The shift-left trend has necessitated a revised approach to remediation,” said Gerhard Eschelbeck, former CISO at Google. “Organizations need to bridge skill and resource gaps and create an orchestrated, automated alignment process across all teams. Traditional manual tasks and friction between teams result in heightened risk and jeopardize business continuity.”

**About Opus Security**

Opus is a singular, overarching Cloud Security Orchestration and Remediation platform, transforming the way remediation is conducted in the cloud. Opus empowers cloud security teams to see beyond alerts and threats and gain control, knowledge, and capabilities to resolve them. Opus integrates with existing security tools and orchestrates the entire remediation process across all stakeholders and organizational environments, based on tried-and-tested, easily deployed guidelines and playbooks. Leveraging selective automation, Opus knows when sensitive issues demand human involvement and allows automation to resolve the rest, cutting down the time from detection to mitigation and conserving valuable resources. Finally, Opus provides security and business executives with immediate and tangible insights based on remediation metrics, with comprehensive visibility into the state of their risk. For more information on how to reimagine your remediation in the cloud, visit opus.security.

**About YL Ventures**

YL Ventures funds and supports brilliant Israeli cybersecurity entrepreneurs from seed to lead. Based in Silicon Valley and Tel Aviv, YL Ventures manages five funds with $800M in total assets under management. The firm accelerates the evolution of portfolio companies via a powerful network of Chief Information Security Officers, global industry leaders and a dedicated team of experts, providing tailored guidance and hands-on support on all critical company-building domains. The firm's track record includes investments in Israeli cybersecurity unicorns such as Axonius and Orca Security, as well as successful, high-profile portfolio company acquisitions by major corporations including Palo Alto Networks, Microsoft, CA and Proofpoint. For more information, visit ylventures.com.

Source

DARKReading