A SaaS-specific security solution can help security teams make sure apps and usage are both secure, reducing the chances of a breach.

**Question: How can you keep your SaaS applications secure in the face of employee turnover?**

**Noam Shaar, CEO and Co-Founder of Wing Security:** In short, you need the right tools.

The fluidity of today's workforce and the accelerated pace at which people change jobs creates new cybersecurity challenges for companies. The average worker in the United States will work for 12 employers over their career, with the typical tenure just over four years. Each employee who exits will leave a trail of external access points that create potential vulnerabilities.

When employees switch companies and roles, access points are left open. Bad actors can use this access to infiltrate networks and steal valuable assets, including proprietary information and financial data. According to a poll from OneLogin, an identity management firm, nearly one-quarter of IT decision-makers said a failure to deprovision employees from corporate applications contributed to a data breach. Of those, 47% said more than 10% of all data breaches resulted from ex-employees.

Organizations likely have multiple exposed accounts that can provide entry points for malicious activity. In one high-profile case, a former engineer at Cisco was sentenced to two years in prison for compromising the company's network after he left, deleting thousands of Webex accounts. This, of course, is just one of the known incidents.

While many software-as-a-service (SaaS) applications offer built-in security controls, businesses should not assume they remain secure because they come from a big-name vendor. Threat actors often conspire or sell attack methods to break into these systems, or they will take advantage of organizations they already can access.

A SaaS security solution can help security teams understand who uses all of these applications and make sure the apps and usage are both secure. This not only strengthens overall security, it can quickly show gaps often left by offboarding. Best practices include:

*   **Use tools to watch for inconsistencies.** Multiple products being used by a large number of people often reveals a pattern of use. When behavior steps out from that norm, it is often a sign that something is amiss. Leverage a tool that can monitor this behavior and alert your team when necessary.
*   **Weed your garden.** It's critical to mitigate risks by getting rid of unaccessed apps — there's no use for them, and they create a potential opening. When it comes to apps, the company motto should be, "If they're not being used, we probably don't need them."
*   **Automate offboarding tasks where possible.** HR staff must keep tight rein during employee offboarding. One important task is notifying the technology team to discontinue access, which can easily be automated with a security and monitoring solution. While HR members still will want to notify technology leaders, having safeguards in place can eliminate gaps just in case that process gets overlooked.

SaaS applications have improved efficiency and expanded remote work capability, but employees no longer want to spend their entire careers with a single company. The rising number of applications and rate of turnover has increased risk. This risk can be managed with the correct tools and processes, but too many organizations have yet to change their mindset.

How Can I Protect My SaaS Apps Amid Employee Turnover?

The Shikitega malware takes over IoT and endpoint devices, exploits vulnerabilities, uses advanced encoding, abuses cloud services for C2, installs a cryptominer, and allows full remote control.

A Linux-focused malware dubbed Shikitega has emerged to target endpoints and Internet of Things (IoT) devices with a unique, multistage infection chain that results in full device takeover and a cryptominer.

Researchers at AT&T Alien Labs who spotted the bad code said that the attack flow consists of a series of modules. Each module not only downloads and executes the next one, but each of these layers serves a specific purpose, according to a Tuesday posting from Alien Labs.

For instance, one module installs Metasploit’s “Mettle” Meterpreter, which allows attackers to maximize their control over infected machines with the ability to execute shell code, take over webcams and other functions, and more. Another is responsible for exploiting two Linux vulnerabilities (CVE-2021-3493 and CVE-2021-4034) to achieve privilege-escalation as root and achieve persistence; and yet another executes the well-known XMRig cryptominer for mining Monero.

Further notable capabilities in the malware include the use of the "Shikata Ga Nai" polymorphic encoder to thwart detection by antivirus engines; and the abuse of legitimate cloud services to store command-and-control servers (C2s). According to the research, the C2s can be used to send various shell commands to the malware, allowing attackers full control over the target.

**Linux Malware Exploits on the Rise**

Shikitega is indicative of a trend toward cybercriminals developing malware for Linux — the category has skyrocketed in the past 12 months, Alien Labs researchers said, spiking 650%.

The incorporation of bug exploits is also on the rise, they added.

"Threat actors find servers, endpoints, and IoT devices based on Linux operating systems more and more valuable and find new ways to deliver their malicious payloads," according to the posting. "New malwares like BotenaGo and EnemyBot are examples of how malware writers rapidly incorporate recently discovered vulnerabilities to find new victims and increase their reach."

On a related note, Linux is becoming a popular target for ransomware, too: A report from Trend Micro this week identified a 75% increase in ransomware attacks targeting Linux systems in the first half of 2022 compared to the same period last year.

**How to Protect Against Shikitega Infections**

Terry Olaes, director of sales engineering at Skybox Security, said that while the malware might be novel, conventional defenses will still be important to thwart Shikitega infections.

"Despite the novel methods used by Shikitega, it is still reliant on tried-and-true architecture, C2, and access to the Internet, to be fully effective," he said in a statement provided to Dark Reading. "Sysadmins need to consider appropriate network access for their hosts, and evaluate the controls that govern segmentation. Being able to query a network model to determine where cloud access exists can go a long way toward understanding and mitigating risk to critical environments."

Also, given the focus that many Linux variants put on incorporating security bug exploits, he advised companies to, of course, focus on patching. He also suggested incorporating a tailored patching-prioritization process, which is easier said than done.

"That means taking a more proactive approach to vulnerability management by learning to identify and prioritize exposed vulnerabilities across the entire threat landscape," he said. "Organizations should ensure they have solutions capable of quantifying the business impact of cyber-risks with economic impact factors. This will help them identify and prioritize the most critical threats based on the size of the financial impact, among other risk analyses, such as exposure-based risk scores."

He added, "They must also enhance the maturity of their vulnerability management programs to ensure they can quickly discover whether or not a vulnerability impacts them, how urgent it is to remediate, and what options are there for said remediation."

Next-Gen Linux Malware Takes Over Devices With Unique Tool Set

APT42 is posing as a friend to people considered threats to the government, using a raft of different tools to steal relevant info and perform surveillance.

A well-resourced advanced persistent threat (APT) group aligned with Iran's Revolutionary Guard Corps Intelligence Organization (IRGC-IO) and active since 2015 is targeting perceived threats to the Iranian government with sophisticated cybercriminal and surveillance operations, based on social engineering and fraudulent trust relationships.  

APT42, believed to be a subset of APT35/Charming Kitten/Phosphorus, uses highly targeted spear-phishing and social-engineering techniques in which they get victims to trust them, according to a blog post and detailed report (PDF) by Mandiant released Wednesday.

The goal is to exploit those relationships to steal personal info and credentials, after which the group then moves deeper into corporate networks, or targets colleagues or family of the victim to steal yet more data and perform other nefarious activities.

APT42 also engages in surveillance by installing Android spyware on mobile devices to keep a constant eye on targets. This is to ensure "regime stability by monitoring, and subsequently even arresting, those they deem to be a threat to the regime," Mandiant researchers told Dark Reading.

Threat actors also sometimes use Windows malware to complement these primary methods of attack, researchers said. Indeed, APT42 is capable of conducting multiple types of operations at any given time, Mandiant researchers told Dark Reading, which is somewhat unique. The group has already been identified as the perpetrator in about 30 known campaigns — a number that Mandiant suspects is a low estimate.

"Not only does APT42 conduct 'traditional' cyber-espionage activity targeting organizations in order to obtain information of strategic relevance to the Iranian government, the group also conducts targeted surveillance operations against individuals," researchers said in an email interview.

In terms of threats to the private sector, "APT42 has a propensity to target both personal and corporate email accounts of individuals and organizations of interest," they told Dark Reading. "They also change their targeting patterns over time as Iranian government priorities change."

Here at home, current and former US government officials and researchers at think tanks and in academia involved in Iran-relevant policy-making or research already have been targets of APT42, and this activity is not likely to cease, researchers said. In fact, the group may even cast a wider net and extended its activities to government contractors working on the same Iran-related issues, researchers told Dark Reading.

**3 Stages of Threat Activity**

APT42 has three main areas of threat activity. Initial compromise is done via credential harvesting, using targeted spear-phishing campaigns that emphasize developing trust with the victim beforehand. This is done by impersonating journalists or other professionals that a victim might trust or want to connect with.

The group then uses this entry method to collect multifactor authentication (MFA) codes so they can bypass security protections and pursue deeper access to the networks, devices, and the accounts of employers, colleagues, and relatives to steal information that might be relevant to the government.

The second key activity of the group is to conduct surveillance operations through Android mobile malware that tracks locations, monitors communications, and keeps track of the activities of dissidents and other people of interest to the government.

Finally, the group also has in its arsenal a raft of malware, including custom backdoors and other "lightweight" tools that it uses for operations that go beyond credential harvesting, researchers said.

**Connections to Other Threat Groups**

The state-backed APT has been on the radar screen for security researchers since it commenced operations in 2015. It's tracked via a number of nomenclatures by different companies, including TA453 (Proofpoint), Yellow Garuda (PricewaterhouseCoopers), and ITG18 (IBM).

APT42 also has connections to and is likely a subset of APT35, the prolific group better known as Charming Kitten, but it has a different set of goals, researchers said.

Charming Kitten focuses more on long-term, malware-intensive operations targeting organizations and companies in the United States and Middle East to steal data to support the Iranian military and government operations. APT42, in contrast, targets specific individuals and organizations that the regime has its eye on for the purpose of domestic politics, foreign policy, and regime stability, researchers said.

**Specific, Agile State-Sponsored Cyber Campaigns**

Over the years, researchers have identified specific campaigns linked to APT42 and occasionally attributed to APT35/Charming Kitten/Phosphorus, due to the complexity of tracking the group's numerous operations, and the differences in how threat actors are identified.

A phishing campaign tied to APT42 and dubbed "Operation SpoofedScholars" occurred last year, with the group impersonating scholars with the University of London's School of Oriental and African Studies (SOAS). The operation targeted individuals focused on Middle East affairs in the United States and the United Kingdom to gain access to personal email inboxes.

Earlier this year, APT42 impersonated a legitimate British news organization in a February campaign targeting professors in Belgium and the United Arab Emirates that had ties to local governments or relatives holding dual citizenship in Iran, according to Mandiant. The activity obtained the personal email credentials of its targets, luring them by using a customized PDF document that invited them to an online interview, but instead linking them to a Gmail credential-harvesting page.

In addition to targeting scholars and journalists, APT42 also shows versatility and agility in its operations, researchers said. It was among threat groups that jumped on the bandwagon of targeting researchers in the pharmaceutical sector during the COVID-19 pandemic, with a campaign that occurred in its initial phase in March 2020, according to Mandiant.

"This indicates that APT42 is trusted by the Iranian government to quickly react to geopolitical changes by adjusting their flexible operations to targets of operational interest to Tehran," researchers said.

**Who's at Risk?**

Iran, like China and Russia, has a raft of threat actors at its service to conduct malicious cyber activity against organizations and individuals that the government has identified are threats. Its current offensive stance and rising cyber conflict with the United States is due to the unique position in geopolitics that the country currently occupies, Mandiant researchers told Dark Reading.

"The combination of regional tensions, the nuclear deal's negotiations, and domestic unrest about economic and social issues create an environment in which a group such as APT42 thrives," researchers said.

The group’s ability to pivot depending on the intentions of the government will continue to pose an immediate threat to both individuals and organizations globally, with global events and local politics continuing to drive operations and targeting priorities, Mandiant researchers said.

Iran-Linked APT Cozies Up to 'Enemies' in Trust-Based Spy Game

Here are a few measures your organization can implement to minimize fraudulent behavior and losses.

Since the Great Resignation in 2021, millions of employees across the nation have left their roles with current employers in search of better ones. According to Microsoft, 40% of employees reported they are considering leaving their current roles by the end of 2022. With many still working in remote or hybrid positions due to the pandemic, larger businesses have started implementing measures to gain a better understanding of employee morale and sentiment to prevent turnover.

While most employees leave companies on good terms, some may become extremely unhappy or disgruntled prior to their departure and are more likely to defraud the company either before leaving or on their way out the door. The unfortunate reality is that no business is immune to fraud, but luckily, there are several steps you can take to prevent it from happening.

**Understand Contributors to Fraudulent Behavior**

According to the Cressey Fraud Triangle, fraudulent behavior often occurs due to three contributing factors. These include pressure or motive to commit a fraud (usually a personal financial problem), perceived opportunity within the organization to commit a fraud (poor oversight or internal controls), and rationalization (the ability to justify the crime to make it seem acceptable).

Very often, a fraudster needs all three sides of the triangle to successfully commit a crime. Therefore, it is extremely important for organizations to do their best to create controls and understand the risk associated with each of these areas. For example, an employee may be disgruntled and also have personal financial issues. However, if internal controls are robust and the employee doesn't have access to financial instruments, valuable assets or software systems, their ability to defraud the company is extremely limited or will get identified immediately.

Additionally, there are actions an organization can take that may significantly mitigate the risk that an employee would find themselves in a situation where they could justify stealing from their employer, even if internal controls are limited or the employee is in a position of a high level of trust or authority. These including offering strong employee assistance programs, investing in the employee experience, exploring employee enrichment opportunities, surveying employees, monitoring morale, performing adequate exit interviews, and completing frequent anti-fraud training.

**Create a Web of Fraud Detectors**

There are typically eight key warning signs which may indicate an employee is more likely to commit fraud in an organization. According to the ACFE Global Fraud Survey, the top three are living beyond one's means, financial difficulties, and an unusually close association with a vendor/customer. Businesses must stay vigilant and identify potentially fraudulent behavior as soon as possible; monitoring for red flags among employees is often a helpful step.

Educating all employees about how to identify warning signs and report fraudulent activity is a beneficial practice for any business. According to that same ACFE Global Fraud Survey, organizations that implement fraud awareness training and other anti-fraud controls have seen quicker fraud detection and lower fraud losses as a result of their efforts. In fact, 42% of fraud is discovered by a tip, and 55% of all fraud is reported by employees of the company. Utilizing company employees to monitor for fraudulent behavior within the organization and creating a culture in which fraud is unacceptable under all circumstances are helpful in creating a team of full-time fraud detectors.

**Create and Maintain Strong Internal Controls**

There are many aspects about an employee's personal life that an employer can't control. And no matter how hard you try, an employer cannot always keep all employees engaged, satisfied and ultimately happy. But employers can control the opportunity side of the fraud triangle.

Establishing and maintaining strong and effective internal controls can greatly improve the chances that an organization either prevents fraudulent behavior or detects it before it can damage the company. Specifically, adequate fraud prevention controls over bank account activity, cash handling, purchasing and vendor management, credit card use, expense reimbursements, payroll, and inventory are crucial in protecting the company against a rogue employee who uses their position to misappropriate company assets.

When employers create enriching work environments where their employees feel supported and can convey internal or external stressors, they're boosting employee morale and minimizing the risk of fraudulent behavior. Unfortunately, you can't control all employee behavior no matter how hard you try, so it is crucial to also invest in adequate anti-fraud controls and trainings to protect your company even further. Very often, the cost of anti-fraud activities is far less than the cost of an actual fraud. Unfortunately, many companies don't discover this fact until it's too late.

Some Employees Aren't Just Leaving Companies — They're Defrauding Them

A relative newcomer to the ransomware scene, the BlackCat group quickly gained notoriety and may be associated with other APT groups like Conti and DarkSide.

Did you know that the BlackCat ransomware group has successfully breached more than 60 organizations in a couple of months? Government, healthcare, or public utilities — the group has made it abundantly clear that everyone is a target and will demand ransoms that can reach into the millions. Our own research shows that the BlackCat cybergroup favors exploiting vulnerabilities found in Windows operating systems, Exchange servers, and Secure Mobile Access products. Let's break down their tactics and ways to defend against their attacks. 

**Who is BlackCat?**

BlackCat (also known as AlphaV, AlphaVM, ALPHV, ALPHV-ng, or Noberus) is a relative newcomer to the ransomware scene but quickly gained notoriety during its first active months. Discovered in November 2021, the group was feared for its sophistication. Experts and researchers believe the group may be associated with other advanced-persistent threat (APT) groups like Conti, DarkSide, Revil, and BlackMatter.

**BlackCat: The Brief**

BlackCat has been observed to have the knowledge to exploit these five vulnerabilities: CVE-2016-0099 (High), CVE-2019-7481 (High), CVE-2021-31207 (High), CVE-2021-34473 (Critical), and CVE-2021-34523 (Critical).  
\[1\]CVE-2021-34473 and CVE-2021-34523, are both critical vulnerabilities found in Microsoft Exchange Server and require immediate remediation.

Although CVE-2021-31207, CVE-2021-34473, and CVE-2021-34523 have high severity scores, they should still take priority in patching efforts for their potential use in vulnerability chaining attacks and have multiple known threat actor associations.

CVE-2019-7481 is an SQL injection vulnerability that impacted SonicWall SMA100 version 9.0.0.3 and earlier. As this version is longer supported by the vendor, an immediate version upgrade is advised.

**How BlackCat Operates**

BlackCat's entry into an organization's network begins by leveraging stolen access credentials. At the pace security breaches occur, it is difficult to gauge how many credentials are stolen or leaked to the public every year, but about 20,000 (or 50%) of security incidents in 2021 were initiated by stolen credentials. 

After initial access is made, BlackCat or similar ransomware groups silently collect information, mapping the entire network and manipulating accounts for deeper access. Vendor-specific ransomware is then created based on the intelligence gathered during the initial phase of the attack, and security/backup systems are disabled or made to appear to be functioning as expected. The final step is to execute the ransomware and drop ransom notes on their unsuspecting victims.

**Notable Characteristics**What sets BlackCat apart from other ransomware groups is its ability to create highly tailored executables for their intended target that contribute to its reputation for sophisticated attack patterns across environments.

BlackCat develops its tools with the Rust programming language which brings greater stability and integration possibilities. By taking advantage of command-line-driven and human-operated code, BlackCat brings a higher level of configuration.

Its ransomware can then encrypt victims' data with four types of encryption methods. The code can be deployed across different platforms, including Linux and Windows-based systems.

BlackCat also engages in the practice of selling its services to others, or more commonly known as ransomware-as-a-service. Although BlackCat is the first known group to develop its ransomware with the Rust programming language, its use is now becoming common in threat circles. The group is further known for its speedy data encryption, which gives victims a smaller window and fewer chances of preventing prolonged damage and disruption to their services. The group's public leak site makes it simple for users to search their database of stolen information by victim name, password, and document type.

**How Organizations Can Prevent a BlackCat Attack**The ransomware group is quickly becoming the preferred ransomware-as-a-service provider for many threat actors today. Although the true extent of BlackCat's havoc may never fully be known, more than 60 incidents involving the group have pushed the FBI to release an advisory warning of the group's potential danger.

Keeping this information in mind, here are some actions businesses and organizations can take to protect themselves from a ransomware attack.

Patch vulnerabilities that are known to be exploited by the group, like the ones listed at the top of this article. Make sure unused network ports are properly protected.

Deploy multi-factor authentication for all users, require consistent identity verification, and routinely refresh passwords.

Regularly perform attack surface management scans to identify exposures within organization assets like servers, applications, and cloud-connected deployments.

Consider a professional penetration test of company networks to find unknown exposures.

Maintain separate backup data to avoid contamination in the event of a ransomware attack.

Although the threat landscape evolves and BlackCat's methods adapt over time, organizations have a responsibility to consistently monitor their networks and patch vulnerabilities accordingly. Many vulnerabilities, like CVE-2016-0099 found in Microsoft Windows, have been known for years and yet are exploited today. When it comes to ransomware groups, give them an inch, and they will take a mile.

Everything You Need To Know About BlackCat (AlphaV)

The threat actor — whose techniques and procedures do not match known groups — has created custom attack tools, including a program that hides scripts in .PNG images.

A relatively new cyber-espionage group is using an intriguing custom arsenal of tools and techniques to compromise companies and governments in Southeast Asia, the Middle East, and southern Africa, with attacks aimed at collecting intelligence from targeted organizations.

According to an analysis published on Tuesday by cybersecurity firm ESET, the hallmark of the group, which is dubbed Worok, is its use of custom tools not seen in other attacks, a focus on targets in Southeast Asia, and operational similarities to the China-linked TA428 group.

In 2020, the group attacked telecommunications companies, government agencies, and maritime firms in the region before taking a months-long break. It restarted operations at the beginning of 2022.

ESET issued the advisory on the group because the company's researchers have not seen many of the tools used by any other group, says Thibaut Passilly, a malware researcher with ESET and author of the analysis.

"Worok is a group that uses exclusive and new tools to steal data — their targets are worldwide and include private companies, public entities, as well as governmental institutions," he says. "Their usage of various obfuscation techniques, especially steganography, makes them really unique."

**Worok's Custom Toolset**

Worok bucks the more recent trend of attackers using cybercriminal services and commodity attack tools as these offerings have blossomed on the Dark Web. The proxy-as-a-service offering EvilProxy, for example, allows phishing attacks to bypass two-factor authentication methods by capturing and modifying content on the fly. Other groups have specialized in specific services such as initial access brokers, which allow state-sponsored groups and cybercriminals to deliver payloads to already-compromised systems.

Worok's toolset instead consists of an in-house kit. It includes the CLRLoad C++ loader; the PowHeartBeat PowerShell backdoor; and a second-stage C# loader, PNGLoad, that hides code in image files using steganography (although researchers have not yet captured an encoded image).

For command and control, PowHeartBeat currently uses ICMP packets to issue commands to compromised systems, including running commands, saving files, and uploading data.

While the targeting of the malware and the use of some common exploits — such as the ProxyShell exploit, which has been actively used for more than a year — are similar to existing groups, other aspects of the attack are unique, Passilly says.

"We have not seen any code similarity with already known malware for now," he says. "This means they have exclusivity over malicious software, either because they make it themselves or they buy it from a closed source; hence, they have the ability to change and improve their tools. Considering their appetite for stealthiness and their targeting, their activity must be tracked."

**Few Links to Other Groups**

While the Worok group has aspects that resemble TA428, a Chinese group that has run cyber-operations against nations in the Asia-Pacific region, the evidence is not strong enough to attribute the attacks to the same group, ESET says. The two groups may share tools and have common goals, but they are distinct enough that their operators are likely different, Passilly says.

"\[W\]e have observed a few common points with TA428, especially the usage of ShadowPad, similarities in the targeting, and their activity times," he says. "These similarities are not that significant; therefore we link the two groups with low confidence."

For companies, the advisory is a warning that attackers continue to innovate, Passilly says. Companies should track the behavior of cyber-espionage groups to understand when their industry might be targeted by attackers.

"The first and most important rule to protect against cyberattacks is to keep software updated in order to reduce the attack surface, and use multiple layers of protections to prevent intrusions," Passilly says.

Mysterious 'Worok' Group Launches Spy Effort With Obfuscated Code, Private Tools

What under-the-hood details of newly discovered attack control panel tells us about how the Evil Corp threat group manages its ServHelper backdoor malware campaigns.

A newly discovered cyberattack panel dubbed TeslaGun has been discovered, used by Evil Corp to run ServHelper backdoor campaigns.  

Data gleaned from an analysis by the Prodraft Threat Intelligence (PTI) team shows the Evil Corp ransomware gang (aka TA505 or UNC2165, along with half a dozen other colorful tracking names) has used TeslaGun to carry out mass phishing campaigns and targeted campaigns against more than 8,000 different organizations and individuals. The majority of targets have been in the US, which accounted for more than 3,600 of the victims, with a scattered international distribution outside of that.

There has been a continued expansion of the ServHelper backdoor malware, a long-running and constantly updated package that's been kicking around since at least 2019. It began picking up steam once again in the second half of 2021, according to a report from Cisco Talos, spurred by mechanisms like fake installers and associated installer malware like Raccoon and Amadey. 

Most recently, threat intelligence from Trellix last month reported that the ServHelper backdoor has recently been found dropping hidden cryptominers on systems.

The PTI report, issued Tuesday, delves into the technical specifics behind TeslaGun, and offers some details and tips that can help enterprises move forward with important countermeasures to some of the prevailing backdoor cyberattack trends today.

Backdoor attacks that circumvent authentication mechanisms and quietly establish persistence on enterprise systems are some of the most disconcerting for cybersecurity defenders. That's because these attacks are notoriously difficult to detect or prevent with standard security controls. 

**Backdoor Attackers Diversify Their Attack Assets**

PTI researchers said they observed a wide range of different victim profiles and campaigns during their investigations, supporting previous research that showed ServHelper attacks are trawling for victims in a variety of simultaneous campaigns. This is a trademark attack pattern of casting a wide net for opportunistic hits.

"A single instance of the TeslaGun control panel contains multiple campaign records representing different delivery methods and attack data," the report explained. "Newer versions of the malware encode these different campaigns as campaign IDs."

**But Cyberattackers Will Actively Profile Victims**

At the same time, TeslaGun contains plenty of evidence that attackers are profiling victims, taking copious notes at some points, and conducting targeted backdoor attacks.

"The PTI team observed that the main dashboard of the TeslaGun panel includes comments attached to victim records. These records show victim device data such as CPU, GPU, RAM size and internet connection speed," the report said, explaining this indicates targeting for cryptomining opportunities. "On the other hand, according to victim comments, it is clear that TA505 is actively looking for online banking or retail users, including crypto-wallets and e-commerce accounts."

The report said that most victims appear to operate in the financial sector but that this targeting is not exclusive.

**Resale Is an Important Part of Backdoor Monetization**

The way that the control panel's user options are set up offered researchers a lot of information about the group's "workflow and commercial strategy," the report said. For example, some filtering options were labeled "Sell" and "Sell 2" with victims in these groups having remote desktop protocols (RDP) temporarily disabled through the panel.

"This probably means that TA505 can not immediately earn a profit from exploiting those particular victims," according to the report. "Instead of letting them go, the group has tagged those victim’s RDP connections for the resale to other cybercriminals."

The PTI report said that based on the researchers' observations, the group's internal structure was "surprisingly disorganized" but that its members still "carefully monitor their victims and can demonstrate remarkable patience, especially with high-value victims in the finance sector."

The analysis further notes that the strength of the group is its agility, which makes it hard to predict activity and detect over time.

Nevertheless, the backdoor attackers aren't perfect, and this can offer some clues for cybersecurity pros looking to thwart their efforts.

"The group does exhibit some telltale weaknesses, however. While TA505 can maintain hidden connections on victims’ devices for months, its members are often unusually noisy," the report said. "After installing ServHelper, TA505 threat actors may manually connect to victim devices through RDP tunneling. Security technologies capable of detecting these tunnels may prove vital for catching and mitigating TA505's backdoor attacks."

The Russian-linked (and sanctioned) Evil Corp has been one of the most prolific groups of the last five years. According to the US government, the group is the brain trust behind the financial Trojan Dridex and has associations with campaigns using ransomware variants like WastedLocker. It continues to hone a raft of weapons for its arsenal as well; last week, it came to light that it's associated with Raspberry Robin infections.

TeslaGun Primed to Blast a New Wave of Backdoor Cyberattacks

Hours after Los Angeles Unified School District hit with ransomware attack, CISA issued an alert that threat actors are actively targeting the education sector.

As the school year kicks off across the country, the US Cybersecurity and Infrastructure Security Agency (CISA) issued a warning to districts that threat actor group Vice Society is targeting their systems.

The notice comes just hours after the Los Angeles Unified School District confirmed it was the target of a successful ransomware attack over the weekend. The K-12 school district, the second-largest in the US, has not yet recovered its systems fully, with its main student portal login page out of service, according to local parents speaking to Dark Reading. A district voicemail instructed parents to reset their students' passwords in person or via calling a telephone line, which was seeing hold times of greater than half an hour this morning, parents reported.

"Since the identification of the incident, which is likely criminal in nature, we continue to assess the situation with law enforcement agencies," the LAUSD said in a statement.

CISA explained school districts are attractive targets for ransomware operators because of their vast troves of personal student data stored in their systems.

The advisory added that Vice Society activity can be traced back to summer 2021, and that the group uses a variety of ransomware variants including Hello Kitty/Five Hands, Zeppelin, and others.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

As LA Unified Battles Ransomware, CISA Warns About Back-to-School Attacks

Come up with a clever caption, and our panel of experts will reward the winner with a $25 Amazon gift card.

Actions speak louder than words, especially when you're dealing with a mime. So what's going on here? We offer four convenient ways for you to submit your security-related ideas before the contest closes on Wednesday, Sept. 28, 2022:

*   Email _\[email protected\]_ with the subject line "The Edge September 2022 Toon."
*   Via social media: Twitter, Facebook, and LinkedIn_._

**Last Month's Winner**

Congratulations, Rachel Rawlings, system administrator at Penn Medicine, for winning last month's "Up a Tree" cartoon contest. Rachel's clever caption appears below.  
    

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Name That Edge Toon: Mime's the Word

The founder of Let's Encrypt and an EFF technologist, Eckersley devoted his life's work to making the Internet safer and more secure.

Peter Eckersley, beloved technologist with the Electronic Frontier Foundation (EFF), was a groundbreaking cybersecurity force for online privacy and fairness; he passed Sept. 2 following a brief illness.

Notably, Eckersley founded Let's Encrypt, an organization responsible for the internet's shift from insecure HTTP connections to HTTPS to protect users from threats at the network level. The EFF estimates about 90% of total webpage visits currently use HTTPS.

Eckersley's contributions to the field also include building a tool called Switzerland, which alerts users when their ISP is interfering with Web traffic; net neutrality advocacy; and much more, the EFF announcement explained.

Most recently, he founded a firm called AI Objectives Institute to monitor the malicious use of artificial intelligence (AI) and machine learning (ML).

"The impact of Peter's work on encrypting the web cannot be understated," the EFF announcement said. "Peter's vision, audacity, and commitment made the web, and the world, a better place. We will miss him."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading