Version 2.0 of the ransomware group's operation borrows extortion tactics from the LockBit 3.0 group.

The BlackByte ransomware group, which has connections to Conti, has resurfaced after a hiatus with a new social media presence on Twitter and new extortion methods borrowed from the better-known LockBit 3.0 gang.  

According to reports, the ransomware group is using various Twitter handles to promote the updated extortion strategy, leak site, and data auctions. The new scheme lets victims to pay to extend the publishing of their stolen data by 24 hours ($5,000), download the data ($200,000) or destroy all the data ($300,000). It's a strategy the LockBit 3.0 group already pioneered.

"It is not surprising BlackByte is taking a page out of LockBit's book by not only announcing a version 2 of their ransomware operation but also adopting the pay to delay, download, or destroy extortion model," says Nicole Hoffman, senior cyber-threat intelligence analyst at Digital Shadows, who calls the market for ransomware groups "competitive" and explains LockBit is one of the most prolific and active ransomware groups globally.

Hoffman adds it is possible BlackByte is trying to gain a competitive advantage or trying to gain media attention to recruit and grow its operations.

"Although the double-extortion model is not broken by any means, this new model may be a way for groups to introduce multiple revenue streams," she says. "It will be interesting to see if this new model becomes a trend among other ransomware groups or just a fad that is not widely adopted."

Oliver Tavakoli, CTO at Vectra, calls this approach an "interesting business innovation."

"It allows smaller payments to be collected from victims who are almost certain they won’t pay the ransom but want to hedge for a day or two as they investigate the extent of the breach," he says.

John Bambenek, principal threat hunter at Netenrich, points out ransomware actors have played around with a variety of models to maximize their revenue.

"This almost looks like an experiment on if they can get lower tiers of money," he says. "I just don't know why anyone would pay them anything except for destroying all the data. That said, attackers, like any industry, are experimenting with business models all the time."

**Causing Disruption With Common Tactics**

BlackByte has remained one of the more common ransomware variants, infecting organizations worldwide and previously employing a worm capability similar to Conti's precursor Ryuk. But Harrison Van Riper, senior intelligence analyst at Red Canary, notes that BlackByte is just one of several ransomware-as-a-service (RaaS) operations that have the potential to cause a lot of disruption with relatively common tactics and techniques.

"Like most ransomware operators, the techniques BlackByte uses are not particularly sophisticated, but that doesn’t mean they aren’t impactful," he says. "The option to extend the victim's timeline is likely an effort to get at least some sort of payment from victims who may want extra time for a variety of reasons: to determine legitimacy and scope of the data theft or continue ongoing internal discussion on how to respond, to name a couple of reasons."

Tavakoli says cybersecurity pros should view BlackByte less as an individual static actor and more as a brand that can have a new marketing campaign tied to it at any time; he notes the set of underlying techniques to carry off the attacks seldom change.

"The precise malware or entry vector utilized by a given ransomware brand may change over time, but the sum of techniques used across all of them are pretty constant," he says. "Get your controls in place, ensure you have detection capabilities for attacks which target your valuable data, and run simulated attacks to test your people, processes and procedures."

**BlackByte Targets Critical Infrastructure**

Bambenek says that because BlackByte has made some mistakes (such as an error with accepting payments in the new site), from his perspective it may be a little lower on the skill level than others.

"However, open source reporting says they are still compromising big targets, including those in critical infrastructure," he says. "The day is coming when a significant infrastructure provider is taken down via ransomware that will create more than just a supply chain issue than we saw with Colonial Pipeline."

In February, the FBI and US Secret Service released a joint cybersecurity advisory on BlackByte, warning that attackers deploying the ransomware had infected organizations in at least three US critical infrastructure sectors.

BlackByte Ransomware Gang Returns With Twitter Presence, Tiered Pricing

To lessen burnout and prioritize staff resiliency, put people in a position to succeed with staffwide cybersecurity training to help ease the burden on IT and security personnel.

Cyberattacks are on the rise — but if we're being honest, that statement has been true for quite a while, given the acceleration of cyber incidents over the past several years. Recent research indicates that organizations experienced 50% more attack attempts per week on corporate networks in 2021 than they did in 2020, and tactics such as phishing are becoming increasingly popular as attackers refine their tried-and-true methods to more successfully entice unsuspecting targets.

It's no surprise, then, that cyber resiliency has been a hot topic in the cybersecurity world. But although cyber resiliency refers broadly to the ability of an organization to anticipate, withstand, and recover from cybersecurity incidents, many experts make the mistake of applying the term specifically to technology. And while it's true that detection and remediation tools, backup systems, and other resources play an important role in cyber resiliency, organizations that focus exclusively on technology risk are overlooking an equally important element: people.

**People Are Vulnerable, but They Don't Have to Be**

People are often thought of as the weak link in cybersecurity. It's easy to understand why. People fall for phishing scams. They use weak passwords and procrastinate on installing security updates. They misconfigure hardware and software, leave cloud assets unsecured, and send confidential files to the wrong recipient. There's a reason so much cybersecurity technology is moving toward automation: removing people from the equation is seen as one of the most obvious ways to improve security. To many security experts, that's just common sense.

Except — is it, really? It's true that people make mistakes — it's called "human error" for a reason, after all — but many of those mistakes come when employees aren't put in a position to succeed. Phishing is a great example. Most people are familiar with the concept of phishing, but many may not be aware of the nefarious techniques that today's attackers deploy. If employees have not been properly trained, they may not be aware that attackers often impersonate real people within the organization, or that the CEO asking them to buy gift cards "for a company happy hour" probably isn't legit. Organizations that want to build strong cyber-resiliency cannot pretend that people don't exist. Instead, they need to prioritize the resiliency of their people just as highly as the resiliency of their technology.

Training the organization to recognize the signs of common attack tactics, practice better password and cyber hygiene, and report signs of suspicious activity can help ease the burden on IT and security personnel by providing them better information in a more timely manner. It also avoids some of the pitfalls that create a drain on their time and resources. By ensuring that people at every level of the business are more resilient, today's organizations will discover that their overall cyber-resiliency will improve significantly.

**Building the Necessary Support Systems**

The COVID-19 pandemic — and the resulting acceleration of digital transformation, cloud adoption, and remote work — perfectly encapsulates the need to prioritize people. Security teams have been in a pressure cooker since the pandemic began, constantly being asked to do more, account for additional variables, set up new capabilities. And of course, there is always a new vulnerability that catches the eye of a CEO or other senior leader and suddenly becomes a priority. These teams are tired, and burnout is a real concern. They need support from their organizations.

Because, as valuable as modern cybersecurity tools are, people still make the most important decisions —which means prioritizing the resiliency of those people is critical. Tired, overworked employees who don't feel appropriately valued by their employers are more prone to mistakes or lapses in judgment. It is important to maintain open dialogue with IT and security personnel to understand their needs. Employees who find themselves working 12-hour days again and again aren't just prone to mistakes. They're likely to leave for a better opportunity — one that lets them maintain a healthy work-life balance. Organizations must be prepared to hire and train new employees to help carry some of the load for teams already being tasked with making significant adjustments in the face of ongoing challenges.

Learning to recognize signs of burn-out in your people, talking openly about burnout and how you are addressing it, and encouraging a culture of well-being will make for a more resilient team. After all resiliency is about recovery, in both people and technology.

**Never Overlook the Importance of People**

Too many organizations today view people as replaceable, but organizations that want to remain steadfast in the face of today's threat landscape should recognize the value of a happy, motivated, well-trained, and well-rested workforce. Cyber-resiliency isn't just about having the right technology in place to deal with modern attackers, but about empowering people to make the right decisions, and ensuring that they have the knowledge and support they need to make them. Overlook the importance of people at your own peril —even with automation on the rise, they remain the backbone of a successful business.

Cyber Resiliency Isn't Just About Technology, It's About People

Filling cybersecurity roles can be costly, slow, and chancy. More firms are working with third-party service providers to quickly procure needed expertise.

There are many possible solutions to the cybersecurity skills shortage, but most of them take time. Cybersecurity education, career development tracks, training programs, employer-sponsored academies, and internships are great ways to build a talent pipeline and develop skill sets to meet organizational needs in years to come.

But sometimes the need to fill a gap in capability is more immediate.

An organization in the entertainment industry recently found itself in such a position. Its primary cybersecurity staff member quit suddenly without notice, taking along critical institutional knowledge and leaving various projects incomplete. With its key defender gone, the organization's environment was left vulnerable. In a scarce talent market, the organization faced a long hiring process to find a replacement — too long to leave its digital estate unattended. It needed expertise, and quickly.

**Finding Skills in Scarcity**

According to a 2021 ESG report, 57% of organizations have been impacted by the global cybersecurity skills crisis. Seventy-six percent say it's difficult to recruit and hire security professionals. The biggest effects of this shortage are increasing workloads, positions open for weeks or months, and high cybersecurity staff burnout and attrition.

In this climate, more companies are turning to third parties for cybersecurity staff reinforcement. According to a NewtonX study, 56% of organizations are now subcontracting up to a quarter of their cybersecurity staff. Sixty-nine percent of companies rely on third-party expertise to assist in mitigating the risk of ransomware — up from 58% in 2017 — per a study by Ponemon and CBI, A Converge Company.

One way that companies gain this additional support is via third-party staff augmentation and consulting services. Cybersecurity staff augmentation, or strategic staffing, entails trained external consultants acting as an extension of an organization's security team in a residency. Engagements can be anywhere from a few weeks to a few years, and roles can range from analysts and engineers to architects, compliance specialists, and virtual CISOs.

The reasons companies seek staff augmentation services vary. A hiring freeze may prevent an increase in head count, even as the need for extra help persists. A staff member's shoes may need to be filled during a temporary leave of absence. A project may require support for a year or two, but not long enough to justify hiring a permanent employee. A company may need staffing services while seeking a replacement for an outgoing staff member.

**Trying Out a New Role**

Another motivation for companies to seek temporary staff augmentation is the opportunity to explore the value and benefit of new roles. Hiring a full-time employee is a time- and resource-intensive endeavor involving recruiting, interviewing, background checks, and other HR activities, followed by onboarding and training. In addition, new employees take time to ramp up: According to Human Panel, it takes five to eight months for a new hire to reach full productivity. On top of everything, there's the risk of the employee not working out — a Bamboo HR survey found that 31% of people have left a job within the first six months.

These are just some of the reasons companies often want to try out the idea of a new role before formally opening one, and strategic staffing services allow that flexibility. Recently, an organization came to us unsure if it really needed a firewall engineer, so we placed an engineer there for a six-month engagement. Once the customer realized the value of the role, it opened head count for an internal position and we worked together in the candidate search.

**What to Look for in Staff Augmentation Services**

Choosing your staff augmentation provider wisely is important in ensuring a successful engagement. One factor to consider is the investment the provider puts into its people. Traditional staffing agencies act merely as a broker between the staff resource and the client organization and rarely invest in training or career development of their staff resources.

A better option is to seek a cybersecurity-focused services provider that fills positions from its bench of in-house experts, rather than subcontractors. This offers many positive aspects: Consultants are more likely to receive training, benefits, and support for technical certifications, and to come from a culture of security — all of which make for a higher-quality engagement. Look for a provider that fosters an open team environment of knowledge-sharing — as a client, you will benefit from the knowledge of the entire team in the provider's pool.

**Talent Pool**

Reeling from its sudden employee departure, the entertainment organization needed a replacement. It reached out to us and within 48 hours, we provided a qualified engineer. Our consultant began filling in for day-to-day operations and resumed the unfinished projects. When the time came, our engineer also assisted with the interview process, helping to select a qualified candidate to permanently fill the role. By the end of the engagement, several projects were complete and a new employee who knew the necessary technologies was installed.

Staff augmentation isn't the whole answer to the cyber-skills crisis. Organizations still need to ensure they have a talent pool of cybersecurity expertise for future years. But when the need arises, a strategic staffing residency is gaining more recognition as an effective way to procure the necessary cybersecurity expertise fast and flexibly, without the risks or cumbersome process of full-time employment.

**About the Author**

    

Aaron Mullinax serves as VP | Architecture and Integration for CBI, A Converge Company and brings more than 28 years of information security experience to his role. He is responsible for helping to shape the vision of the area under his leadership by strengthening organizational defenses across people, process and technology.

Easing the Cyber-Skills Crisis With Staff Augmentation

The state-sponsored threat actor has switched up its tactics, also adding an automated SQL-injection tool to its bag of tricks for initial access.

An analysis of China-backed advanced persistent threat (APT) actor APT41's activities has shown the group to be using a unique — and somewhat inexplicable — method for deploying its main Cobalt Strike payload on victim systems.

Researchers from Singapore-based Group-IB also discovered that the adversary is using a variety of dual-use tools for conducting reconnaissance. 

So far, Group-IB has identified at least 13 major organizations worldwide that have been compromised over four separate campaigns, with the APT gaining varying levels of access. Victims included organizations in the government, healthcare, manufacturing, logistics, hospitality, and media sectors in the US as well as China, India, Taiwan, and Vietnam. 

The security vendor concluded that the actual number of APT41's victims could be much higher, based — among other things — on the fact that it observed signs of APT-related activity at a total of 80 private and government organizations in 2021.

**Puzzling Payload Deployment Strategy for Cobalt Strike**

One interesting aspect of the campaigns that Group-IB analyzed was the tendency by APT41 to encode its main custom Cobalt Strike binary in Base64, then break it up into smaller chunks of 775 characters. These are then added to a text file. In one instance, the threat actors had to repeat the action 154 times to write the entire payload to the file.

In another instance, Group-IB researchers observed the threat actor breaking up the code into chunks of 1,024 characters before writing the payload to a text file using 128 iterations of the process.

Nikita Rostovcev, an analyst within Group-IB's APT research team, says it's unclear why APT41 might have adopted the strategy but surmises it may be an attempt at remaining under the radar.

"We do not fully know why the attackers chose this method because SQLmap has a large data transfer limit, which means it was done intentionally, most likely in order to prevent its detection," he says.

However, detecting the ruse is not difficult, especially considering that the payload was encoded in Base64 at the end, he adds: "This is a unique finding. We have not seen any other attackers use this method in their attacks."

**SQL Injection & Dual-Use Tools**

Group-IB's analysis shows the threat actors had shifted tactics for initial access, performing SQL injection attacks using the SQLmap tool to gain a foothold to some target organizations. SQLmap automatically discovers and exploits SQL vulnerabilities. The SQL injection attacks allow APT41 actors to gain command shell access on some targeted servers.

The tactic marks a deviation from APT41's usual pattern of using phishing, watering-hole attacks, and stolen credentials as an initial access vectors.

APT41 mainly went after databases with information about existing user accounts, employee lists, and passwords stored in plaintext and hashed form. In total, APT41 actors attacked 86 vulnerable websites and applications belonging to the targeted organizations, and they were able to compromise half of them via SQL injection.

"Typically, attackers from APT41 are interested in information about existing users and their accounts and any data that can be used for further lateral movement," Rostovcev says.

Once the threat actor has gained access to a target network it has been known to deploy numerous other custom tools to carry out its mission. In its report earlier this year, Cybereason identified some of these tools as DeployLog, for deploying the threat group's main kernel-level rootkit, an initial payload called Spyder Loader; a tool for storing payloads called StashLog; and one for privilege escalation dubbed PrivateLog.

In the 2021 campaigns that Group-IB investigated, it discovered APT41 actors using tools such as Acunetix's Web vulnerability scanner, Nmap, and OneForAll, and pen-testing tools such as subdomain3, subDomainsBrute, and Sublist3r.

"All these utilities — except Acunetix — are available to the public and used not only in hacker's attacks but in penetration tests, for example," Rostovcev says.

Rostovcev describes the tools as falling into multiple categories, including those that can be used to look for hidden directors and forgotten backup archives, and those for scanning ports and the services running on them.  

**A Prolific & Persistent State-Sponsored Threat Actor**

APT41 (aka Winnti, Wicked Panda, Barium, and Blackfly) is a well-known APT group that first surfaced in 2010 with attacks on the likes of Google and Yahoo. The group is believed to be working on behalf of the Chinese government — or at least with its tacit support. Some have described APT41 as representing a collection of cyber threat actors carrying out directives from China's intelligence agencies. 

Though the US government indicted five APT41 members in 2020 and multiple security vendors have chronicled its activities and TTPs, the threat actor has continued its activities unfazed. The Cybereason report shows that APT41 stole hundreds of gigabytes of sensitive data from 30 organizations in North America in a recent cyber-espionage campaign.

China's APT41 Embraces Baffling Approach for Dropping Cobalt Strike Payload

Lazarus continues to expand an aggressive, ongoing spy campaign, using fake Coinbase job openings to lure in victims.

North Korean advanced persistent threat (APT) Lazarus is casting a wider net with its ongoing Operation In(ter)ception campaign, targeting Macs with Apple's M1 chip.

The state-sponsored group is continuing its favored approach of launching phishing attacks under the guise of fake job opportunities. Threat researchers at endpoint detection provider ESET warned this week that it discovered a Mac executable camouflaged as a job description for an engineering manager position at the popular cryptocurrency exchange operator Coinbase.

According to ESET's warning on Twitter, Lazarus uploaded the bogus job offer to VirusTotal from Brazil. Lazarus designed the latest iteration of the malware, Interception.dll, to execute on Macs by loading three files: a PDF document with the fake Coinbase job posting and two executables, FinderFontsUpdater.app and safarifontsagent, according to the alert. The binary can compromise Macs powered both with Intel processors and with Apple's new M1 chipset.

ESET researchers started investigating Operation In(ter)ception nearly three years ago when its researchers discovered attacks against aerospace and military companies. They determined that the campaign's primary goal was espionage, although it also found instances of the attackers using a victim's email account via a business email compromise (BEC) to complete the operation. The Interception.dll malware renders compelling but fake job offers to lure unsuspecting victims, often using LinkedIn.

The Mac attack is the latest in an ongoing barrage of efforts by Lazarus to accelerate Operation In(ter)ception, which has escalated in recent months. ESET published a detailed white paper on the tactic by Lazarus two years ago.

**Risk Mitigated by Apple**

Ironically, the appealing Coinbase job posting targets technically oriented people.

"We suspect that the attackers were in direct contact, so the victim was probably instructed to click whatever popup windows showed up in order to see the 'dream job' offer from Coinbase," Peter Kalnai, a senior malware researcher for ESET, explains to Dark Reading.

Apple revoked the certificate that would enable the malware to execute late last week after ESET alerted the company of the campaign. So now, computers with macOS Catalina v10.15 or later are protected, presuming the user has basic security awareness, Kalnai notes.

"The certificate has been revoked, so it's not possible to execute it until the user adds it to allowed applications," he said. "Only then this remains a threat when the attackers start to be convincing enough to trick the victim to overcome those obstacles with execution. Moreover, when the attackers approach their victim, they very likely verify that the certificate is not revoked, and in case it is, they may create a new, unrevoked certificate."

The ongoing campaign and others from North Korea remain frustrating for government officials. The FBI blamed Lazarus for stealing $625 million in cryptocurrency from Ronin Network, which operates a blockchain platform for the popular NFT game Axie Infinity.

Andrew Grotto, who served as the senior director for cybersecurity policy at the White House in both the Obama and Trump administrations, says North Korea has arisen from an aspiring antagonist into one of the most aggressive threat actors in the world.

"North Korea has been able to acquire skills that may be required to craft really fast," says Grotto, who is now director of the Center for International Security and Cooperation at Stanford University's program on geopolitics, technology and governance. "They quickly emerged as one of the top, if not the top, cyber operators when it comes to high-end potential crimes."

Mac Attack: North Korea's Lazarus APT Targets Apple's M1 Chip

Information on the attributed cyberattacks conducted since the beginning of the Russia-Ukraine war shows that a handful of groups conducted more than two dozen attacks.

Over the past eight months, at least five Russian state-sponsored or cybercriminal groups have targeted Ukrainian government agencies and private companies in dozens of operations that aimed to disrupt services or steal sensitive information.  

In February, state-sponsored groups such as Gamaredon, Sandworm, and Fancy Bear used wiper programs in an attempt to damage infrastructure and sabotage computer systems, researchers at Trustwave say in a new research note. Those attacks lasted three months, using credential stealers to gain access to systems. 

Fancy Bear and Sandworm are under orders from the Main Directorate of the General Staff of the Armed Forces (GRU), with Gamaredon being directed by Russia's Federal Security Service (FSB), researchers noted.

Other cybercriminal groups with links to Russia are also taking part in the cyberattacks on Ukrainian targets, with regular cyber-espionage operations attempting to steal information and establish footholds in various systems for later use, Trustwave's report states. This includes two groups in particular, known as Ember Bear (aka UNC2589) and Invisimole, which are known cybercriminal groups that may also collaborate with the Russian government, according to Trustwave's report.

While citing the maxim that "we don't know what we don't know," Karl Sigler, security research manager at Trustwave SpiderLabs, believes that Russia is being more obvious about its attacks.

"They are not trying to hide their location," he says. "They want people to know the attribution, and for that reason, I don't think we are missing as much as we did this time last year. We are really seeing blatant activity."

Cybersecurity experts have closely analyzed Russia's cyber strategy during its invasion of Ukraine to gauge the risk posed by cyberattacks and malware, used to augment and support the physical invasion. Attacks preceded the actual invasion on Feb. 24, and have continued as Russia dug into eastern Ukraine and the Crimean peninsula.

    

Operational timeline of Russian attacks linked to Russia-Ukraine conflict. Source: Trustwave

"Without a doubt, sophisticated cyber weapons are key tools in the arsenal of a modern military," Trustwave states in the analysis. "With Ukraine being targeted by a variety of cyberattacks, we can clearly see that government assets, critical infrastructure, media, and private sector organizations are highly lucrative targets for attackers, and even legitimate penetration tools can be hijacked and used as weapons."

**Wipers & More: Shifting Attack Strategies**

Russia's cyber-operations strategy has changed over the initial six months of its invasion into Ukraine.

The destructive attacks mainly happened in the first few months of the war, Trustwave's Sigler says. Both Gamaredon and Sandworm targeted Ukrainian companies and government agencies with a variety of wiper programs. 

Gamaredon, aka Primitive Bear and Armageddon, conducted three attacks in February 2022, including the HemeticWiper data-wiping attack, where the group used a a stolen digital certificate from Hermetica Digital to bypass some security measures and targeted high-profile Ukrainian organizations. Sandworm (aka Black Energy), targeted Ukrainian groups with additional destructive attacks, such as CaddyWiper and Industroyer2.  

These destructive attacks appear to have lasted only a few months. Russia likely thought that the war would be quickly won, so used the operations to hamper Ukrainian resistance, Sigler says.

"They focused on a taking lot of things offline, hoping that the disruption would be enough to tilt the scales and really bring about a quick end to the conflict," he says. "So I think that, as the conflict has stretched out over the months, they are more focused on gathering intel to inform next steps."

While the three advanced persistent threats (APTs) — Gamaredon, Sandworm, and Fancy Bear — have been linked to the cyberwar attacks, Trustwave's report notes that two others have also ramped up activity. Cozy Bear is conducting operations for Russia's Foreign Intelligence Service (SVR), while DragonFly (aka Energetic Bear) is linked to the FSB.

Russia has also used cybercriminal groups as sort of an online militia with a focus on stealing information and gaining access to systems, according to the report. Invisimole and Ember Bear have both cooperated with the Russian government, carrying out out cyber-espionage operations against a variety of targets, including the LoadEdge attack against Ukrainian government agencies and another operation, dubbed GrimPlant, that infiltrated government agencies and installed backdoors.

"Malware used in the attacks usually provide backdoor access with webcam and microphone captures, keylogging, and the possibility to download and install additional components," the Trustwave report states. "Exfiltrated data includes operating system information, documents, pictures and stored passwords from web browsers and software."

While the destructive attacks have seemingly paused, according to the report, the espionage attacks are ongoing.

5 Russia-Linked Groups Target Ukraine in Cyberwar

How critical is that vulnerability? University researchers are improving predictions of which software flaws will end up with an exploit, a boon for prioritizing patches and estimating risk.

Using machine learning trained on data from more than two dozen sources, a team of university researchers has created a model for predicting which vulnerabilities will likely result in a functional exploit, a potentially valuable tool that could help companies better decide which software flaws to prioritize.

The model, called Expected Exploitability, can catch 60% of the vulnerabilities that will have functional exploits, with a prediction accuracy — or "precision," to use classification terminology — of 86%. A key to the research is to allow for changes in certain metrics over time, because not all relevant information is available at the time a vulnerability is disclosed, and using later events allowed the researchers to hone the prediction's accuracy.

By improving the predictability of exploitation, companies can reduce the number of vulnerabilities that are deemed critical for patching, but the metric has other uses as well, says Tudor Dumitraș, an associate professor of electrical and computer engineering at University of Maryland at College Park, and one of the authors of the research paper published last week at the USENIX Security Conference.

"Exploitability prediction is not just relevant to companies that want to prioritize patching, but also to insurance companies that are trying to calculate risk levels and to developers, because this is maybe a step toward understanding what makes a vulnerability exploitable," he says.

The University of Maryland at College Park and Arizona State University research is the latest attempt to give companies additional information on which vulnerabilities could be, or are likely to be, exploited. In 2018, researchers from Arizona State University and USC Information Science Institute focused on parsing Dark Web discussions to find phrases and features that could be used to predict the likelihood that a vulnerability would be, or had been, exploited. 

And in 2019, researchers from data-research firm Cyentia Institute, the RAND Corp., and Virginia Tech presented a model that improved predications of which vulnerabilities would be exploited by attackers.

Many of the systems rely on manual processes by analysts and researchers, but the Expected Exploitability metric can be completely automated, says Jay Jacobs, chief data scientist and co-founder at Cyentia Institute.

"This research is different because it focuses on picking up all of the subtle clues automatically, consistently and without relying on the time and opinions of an analyst," he says. "\[T\]his is all done in real time and at scale. It can easily keep up and evolve with the flood of vulnerabilities being disclosed and published daily."

Not all the features were available at the time of disclosure, so the model also had to take into account time and overcome the challenge of so-called "label noise." When machine-learning algorithms use a static point in time to classify patterns — into, say, exploitable and nonexploitable — the classification can undermine the effectiveness of the algorithm, if the label is later found to be incorrect.

**PoCs: Parsing Security Bugs for Exploitability**

The researchers used information on nearly 103,000 vulnerabilities, and then compared that with the 48,709 proofs-of-concept (PoCs) exploits collected from three public repositories — ExploitDB, BugTraq, and Vulners — that represented exploits for 21,849 of the distinct vulnerabilities. The researchers also mined social-media discussions for keywords and tokens — phrases of one or more words — as well as created a data set of known exploits.  

However, PoCs are not always a good indicator of whether a vulnerability is exploitable, the researchers said in the paper. 

"PoCs are designed to trigger the vulnerability by crashing or hanging the target application and often are not directly weaponizable," the researchers stated. "\[W\]e observe that this leads to many false positives for predicting functional exploits. In contrast, we discover that certain PoC characteristics, such as the code complexity, are good predictors, because triggering a vulnerability is a necessary step for every exploit, making these features causally connected to the difficulty of creating functional exploits."

Dumitraș notes that predicting whether a vulnerability will be exploited adds additional difficulty, as the researchers would have to create a model of attackers' motives.

"If a vulnerability is exploited in the wild, then we know there is a functional exploit there, but we know other cases where there is a functional exploit, but there is no known instance of exploitation in the wild," he says. "Vulnerabilities that have a functional exploit are dangerous and so they should be prioritized for patching."  

Research published by Kenna Security — now owned by Cisco — and the Cyentia Institute found that the existence of public exploit code led to a sevenfold increase in the likelihood that an exploit would be used in the wild.

Yet prioritizing patching is not the only way the exploit prediction can benefit businesses. Cyber-insurance carriers could use exploit prediction as a way to determine the potential risk for policy holders. In addition, the model could be used to analyze software in development to find patterns that might indicate whether the software is easier, or harder, to exploit, Dumitraș says.

Which Security Bugs Will Be Exploited? Researchers Create an ML Model to Find Out

The cybercriminal crew has used 15 malware families to target travel and hospitality companies globally, constantly changing tactics over the course of its four-year history.

Another threat actor targeting hospitality, hotel, and travel organizations has re-emerged during the busy summer travel season: a smaller, financially motivated player named TA558.  

According to new research from Proofpoint, the group has been around since 2018 but is stepping up its attacks this year, targeting Portuguese and Spanish speakers located in Latin America, as well as targets in western Europe and North America.

Spanish, Portuguese, and occasional English-language emails use reservation-themed lures with business-relevant themes (such as hotel-room bookings) to distribute malicious attachments or URLs.

Proofpoint researchers have counted 15 different malware payloads, most frequently remote access Trojans (RATs), that can enable reconnaissance, data theft, and distribution of follow-on malware.

These malware families occasionally overlap with command-and-control (C2) domains, with the most frequently observed payloads including Loda, Vjw0rm, AsyncRAT, and Revenge RAT.

The report explains that in recent years, TA558 has shifted tactics, starting to use URLs and container files to distribute malware.

"TA558 began using URLs more frequently in 2022. TA558 conducted 27 campaigns with URLs in 2022, compared to just five campaigns total from 2018 through 2021," according to the report. "Typically, URLs led to container files such as ISOs or zip files containing executables."

Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, explains this is likely in response to Microsoft announcing it would begin blocking VBA macros downloaded from the Internet by default.

"This actor is unique in that they have used the same lure themes, language, and targeting since Proofpoint first identified them in 2018," she tells Dark Reading.

However, she points out they often change tactics, techniques, and procedures (TTPs) and have used different malware payloads over the course of their activity.

"This suggests the actor is actively changing and responding to what works best or is most effective in achieving initial infection, using tactics and malware widely used by a variety of threat actors," she says.

She explains like many threat actors in the threat landscape, TA558 has pivoted away from macros in attachments to using other filetypes and URLs to distribute malware.

"It is likely other actors targeting these industries will use similar techniques that we described previously," she says.

Threat actors have pivoted away from macro-enabled documents attached directly to messages to deliver malware, increasingly using container files such as ISO and RAR attachments and Windows Shortcut (LNK) files.

DeGrippo says the increase in activity by TA558 this year is not indicative of an increase of activity targeting the travel/hospitality industries in general.

"However, organizations in these industries should be aware of the TTPs described in the report, and ensure employees are trained to identify and report phishing attempts when identified," she advises.

**Travel Industry in Threat Actor Crosshairs**

Attacks against travel-related websites began to rise months ago as the industry recovered from COVID-19, a July report from PerimeterX indicated, with competitive scraping-bot requests increasing dramatically in Europe and Asia.

As the coronavirus pandemic ebbs and consumers look to resume annual vacation plans, fraudsters are refocusing their efforts from financial services to the travel and leisure industries, according to TransUnion's latest quarterly analysis.

Multiple cybercrime groups have been spotted this year selling stolen credentials and other sensitive personal information pilfered from travel-related websites, with the methods of malicious actors evolving due to the concentration on personally identifiable information.

Summertime Blues: TA558 Ramps Up Attacks on Hospitality, Travel Sectors

Cybersecurity is the largest current tech skills gap; closing it requires a concerted effort to upskill existing staff.

Cybersecurity challenges are exacerbated by a talent shortage in the cybersecurity workforce. In 2021, for example, there were more than 500,000 open cybersecurity jobs in the US alone. But the gap goes beyond "just" filling empty positions; there is also a gap between what existing staff know about cybersecurity and a never-ending onslaught of new cyberthreats.

Pluralsight’s "2022 State of Upskilling Report," which surveyed 760 technology learners and leaders on the most current trends in skill development, found that cybersecurity was the top personal skills gap among 43% of respondents. Further, 44% of respondents noted that cybersecurity skills gaps are the greatest current risk to their organization.

With the rate at which the cybersecurity landscape is changing, historical knowledge and time-worn methods rarely solve for the increasing complexity of today’s threats. Business leaders must take responsibility for providing their technologists with the tools and training they need to keep organizations safe and secure.

Indeed, businesses need to act quickly and aggressively to keep their technology teams apprised of current cybersecurity trends and threats.

**Large Majority Want to Improve Their Skills**

This may seem overwhelming, but the good news is that technologists are eager to bolster their tech skills. According to our report, 91% of respondents want to improve their tech skills. Technologists are also demanding that their organizations provide them with the means to do so: 48% of respondents say they have considered changing jobs because they weren’t given sufficient resources to upskill, and 75% of respondents said that their organization’s willingness to dedicate resources to developing tech skills affects their plans to stay with the organization.

Here are some recommendations for upskilling your technology teams to create an airtight cybersecurity program:

1.  **Provide the right resources:** The first step is to arm cybersecurity professionals with resources such as on-demand cybersecurity training, hands-on learning opportunities to understand both red and blue team perspectives, and flexible upskilling options that fit in with cybersecurity pros’ busy schedules. Cybersecurity training should not be optional for _anyone_ within your organization, let alone your cybersecurity experts, but it needs to be administered in a reasonable and effective way.
2.  **Create continuous learning opportunities:** Your cybersecurity teams will never be done learning how to outsmart bad actors and how to future-proof your organization’s cybersecurity program. New cybersecurity strategies are constantly being developed to stay ahead of attacks. For example, the Zero-trust architecture is gaining traction in public and private businesses alike, ushering in new standard operating procedures for security teams. Staying abreast of cybersecurity trends takes more than superficial knowledge, however; it requires coordinated action in the form of testing, implementation, and evaluation to achieve long-term cybersecurity success.
3.  **Create a culture of learning:** By making learning part of the fabric of the organization, your tech teams can take a proactive, rather than a reactive, approach to cybersecurity. This means that your organization must have programmatic steps in place to constantly renew cybersecurity knowledge and best practices.

The bottom line is that the need for cybersecurity skills will only increase. The need for skilled cybersecurity pros also will grow. Organizations that prepare for the future of their security programs, rather than scrambling to block attackers only in the present, will be the best prepared to take on the latest threats.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

How to Upskill Tech Staff to Meet Cybersecurity Needs

**SAN FRANCISCO, Aug. 17, 2022 —** The Open Source Security Foundation (OpenSSF), a cross-industry organization hosted at the Linux Foundation that brings together the world's most important software supply chain security initiatives, on Wednesday announced 13 new members from leading financial services, technology, employment, software development, cybersecurity, telecommunications, and academic sectors.

New premier member, Capital One, joins the OpenSSF Governing Board. New general member commitments come from Akamai, Indeed, Kasten by Veeam, Scantist, SHE BASH, Socket Security, Sysdig, Timesys, and ZTE Corporation. New associate members include Eclipse Foundation, Purdue University, and TODO Group. "We are excited to welcome new members to the OpenSSF," says Brian Behlendorf, General Manager of OpenSSF. "As open source software security vulnerabilities continue to draw attention from governments and businesses around the world, interest in the work of the OpenSSF has been rapidly increasing."

"A growing community of organizations, developers, researchers, and security professionals are investing the time and resources needed to strengthen open source security," said Jamie Thomas, OpenSSF Board Chair and IBM Enterprise Security Executive. "New members of OpenSSF are joining at a time when cross-industry collaboration and innovation are needed more than ever to proactively respond to pervasive cybersecurity threats."

Resolving the systemic issues that led to major security vulnerabilities like the Log4shell incident emphasizes the urgency and importance of the work of OpenSSF. A recent Cyber Safety Review Board report declared that Log4j has become an "endemic vulnerability" that will be exploited for years to come and that the 10-point mobilization plan introduced earlier this year at the Open Source Software Security Summit II by the OpenSSF will improve the resiliency and security of open source software.

OpenSSF will host a full day of sessions on Tuesday, Sept. 13, at OpenSSF Day EU on the eve of Open Source Summit Europe (OSS EU) in Dublin. Working Group leaders and community members will host sessions, panels, and fireside chats about ongoing work to secure the software supply chain and the future of open source security. Registration and attendance are free for all those attending the OSS EU.

**Premier Member Quote**

**Capital One**

"Today some of the most groundbreaking digital experiences created for customers are based on open source software. As a company that widely adopts this technology, Capital One is incredibly proud to join the OpenSSF and the world's technology leaders as we collaborate to strengthen the software security supply chain. As a highly regulated company, we are seasoned in managing compliance and governance and advocate for standardization, automation and collaboration. We look forward to working together to identify solutions that advance the OpenOSSF mission and give back to the open source community."

*   Chris Nims, EVP of Cloud & Productivity Engineering at Capital One

**General Member Quotes**

**Akamai**

"Improving the security of open source software — so central to the internet ecosystem — is one of the most critical security challenges we face today. Only by gaining visibility into the network and the software supply chain can we reliably address security flaws when they occur at the code level. The technology community must support the open source communities we depend on with financial and technological resources to limit our collective risk_._ As a leading security and cloud services provider, we look forward to contributing to the Open Source Security Foundation and helping to advance this important work."

*   Robert Blumofe, EVP and CTO, Akamai

**Kasten by Veeam**

"We are honored to be part of the Open Source Security Foundation (OpenSSF) and champion this initiative alongside our peers. Kasten by Veeam has an open source heritage, and with Kubernetes data protection as our core offering, security remains a critical underpinning for Kasten K10 design and implementation. As Kubernetes adoption continues to fuel Digital Transformation journeys for enterprises, more attention is rightfully being placed on security, especially with the inexorable rise of ransomware attacks. Kasten by Veeam is committed to ensuring the security and data protection of cloud native environments to better protect business applications."

*   Gaurav Rishi, Vice President of Products and Partnerships at Kasten by Veeam

**Scantist**

"On one hand, the software industry is benefiting substantially from the rapid growth of open source, which has become the basic building blocks of the digital world. On the other hand, open source security is becoming more critical and all these risks are multiplied by the interdependent nature of open source. Now as a member of OpenSSF, we would like to contribute to the OpenSSF missions based on our recent research on open source ecosystem analysis to provide a quantitative view to understand the complexity and security of open source. We want to become the active participant, evangelist and ambassador for OSS governance in southeast Asia to promote open source software supply chain security."

*   Dr. Liu Yang，Professor at Nanyang Technological University, Singapore and Co-Founder of Scantist

**SHE BASH**

"Since our inception, SHE BASH has witnessed a variety of predatory industry practices that get shielded from extensive scrutiny via the protective veil of closed source. At our core, open source software is a public institution that enables everyone to build their future.

"The combination of decades of apathy and the incentive mechanisms that sustain a culture of 'don't care' has allowed our company to stand out among tech's largest and most culpable companies. We have always considered 'best practice first' as one of the main value propositions we can provide as a company, albeit a small one. Open Source Software provided us the level playing field to make differences in key technological shifts within the public sector, and the evolution of these shifts are the development of best practices born from the open source that sustains all software life today. It's a true honor to be of assistance to the work OpenSSF is leading to remedy large structural mistakes that grew from decades of neglect."

*   Cameron Banowsky, Co-founder and CTØ, SHE BASH

**Socket Security**

"As maintainers of open source packages which are installed over 1 billion times per month, the Socket team is intimately familiar with the massive growth in open source dependency usage. Modern applications use thousands of dependencies written by hundreds of maintainers, and installing even one package leads to dozens of transitive dependencies coming along for the ride. Unfortunately, it is far too easy for a bad actor to infiltrate the software supply chain and wreak havoc. That's why Socket is proud to join OpenSSF and do our part to make open source safe for everyone with our industry-leading approach to software composition analysis which is used by thousands of companies to detect and prevent supply chain attacks. The Socket team is excited to work with other OpenSSF member companies to safeguard the open source ecosystem for everyone."

*   Feross Aboukhadijeh, Founder and CEO, Socket Security

**Sysdig**

Sysdig is proud to be part of OpenSSF and work together to help guide open source security standards and secure the software supply chain. As a cloud security company built on open source, we believe the industry must come together to strengthen software for the common good. Having created and contributed Falco to the CNCF to help secure the runtime, we look forward to continuing open collaboration in the OpenSSF. The future of security is open, and what we do now will shape software forever."

*   Edd Wilder-James, Vice President, Open Source Ecosystem at Sysdig

**Timesys**

"With software supply chain breaches up more than 650%, securing the software supply chain is a big focus. We've been working for more than 5 years developing technology to help secure, monitor, and maintain open source-based embedded Linux and Android devices from exposures and vulnerabilities. We are so excited to be joining up on this community effort with OpenSSF and to be a part of the Linux Foundation again. By sharing technology and collaborating to build ecosystems that accelerate open-source technology development, device manufacturers and consumers everywhere will be able to rest easier knowing they are secure."

*   Atul Bansal, CEO of Timesys

**ZTE Corporation**

"We are very pleased to join the OpenSSF. As a world-leading communication equipment manufacturer, more and more open source software is used by us. While actively embracing open source software, it also brings unprecedented risks to software supply chain security. ZTE Corporation has made many efforts to control and manage risks, and regard them as our top priority. After joining the OpenSSF, ZTE Corporation works with a group of members with similar visions and goals to promote the development of open source software supply chain towards a more secure direction."

*   Xiang Shuming, Director of OSS Compliance and Security Governance, ZTE Corporation

Additional Resources

*   View the complete list of the 89 OpenSSF members
*   Watch the recent August OpenSSF Town Hall
*   Contribute efforts to one or more of the active OpenSSF working groups and projects

**About OpenSSF**

The Open Source Security Foundation (OpenSSF) is a cross-industry organization hosted by the Linux Foundation that brings together the industry's most important open source security initiatives and the individuals and companies that support them. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all. For more information, please visit us at: openssf.org.

**About the Linux Foundation**

Founded in 2000, the Linux Foundation and its projects are supported by more than 2,950 members. The Linux Foundation is the world's leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world's infrastructure including Linux, Kubernetes, Node.js, ONAP, Hyperledger, RISC-V, and more. The Linux Foundation's methodology focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

Source

DARKReading