The phishing-as-a-service offering targets accounts from tech giants, and also has connections to PyPI phishing and the Twilio supply chain attack.

A phishing-as-a-service offering being sold on the Dark Web uses a tactic that can turn a user session into a proxy to bypass two-factor authentication (2FA), researchers have found.  

The service, widely called EvilProxy, uses reverse proxy and cookie-injection methods to give threat actors a way around 2FA "on the largest scale, without the need to hack upstream services," researchers from Resecurity said in a report published Monday. The principle is actually fairly simple, they added: After victims are lured to a phishing page, threat actors use a reverse proxy to fetch all the legitimate content users expect to see — including login pages — and then sniff victims' traffic as it passes through the proxy.

"This way they can harvest valid session cookies and bypass the need to authenticate with usernames, passwords, and/or 2FA tokens," researchers wrote.

At the same time, the approach gives cybercriminals ways to attack developers to facilitate supply chain attacks that affect customers downstream, they said.

In recent attacks, EvilProxy is being used to target consumer accounts belonging to top tech power players such as Apple, Dropbox, Facebook, GoDaddy, Google, Instagram, Microsoft, Twitter, and Yahoo.

**EvilProxy: An Evolution**

EvilProxy represents an evolution in phishing strategies, according to the report, given that reverse-proxy approaches are most commonly seen in advanced persistent threat (APT) and cyber-espionage activity. Now, the service makes this capability widely available to the cybercriminal marketplace, researchers said.

Some sources refer to the EvilProxy service as "Moloch," which is connected to a previously developed phishing kit that targeted the financial institutions and e-commerce sector, researchers said.

However, EvilProxy has different victims in mind, according to a demonstration video its actors released in May. Google and Microsoft accounts, in particular, appear to be the primary targets of EvilProxy threat actors.

**Acquiring the Service**

Cybercriminals can buy EvilProxy on a subscription basis based on the online service they plan to target — such as Facebook or LinkedIn — after which it is activated for a specific period of time, depending on the plan description, researchers said. Plan options include 10, 20, or 31 days, according to listings for the service on multiple Dark Web hacker forums, they said.

One of EvilProxy's key actors goes by the handle "John\_Malkovich" and acts as an administrator to vet new customers on major underground communities, including XSS, Exploit, and Breached, researchers said.

Cybercriminals can pay for EvilProxy via an operator on Telegram in a manual arrangement that deposits the funds received to an account in a customer portal hosted in TOR. The service also is available on the Dark Web hosted on the TOR network, with a kit available for $400 per month.

The home portal of the EvilProxy service makes it easy for those who purchase it to get on with their phishing campaigns, providing multiple tutorials and interactive videos regarding the use of the service and configuration tips, researchers said.

"Being frank, the bad actors did a great job in terms of the service usability, and configurability of new campaigns, traffic flows, and data collection," they acknowledged.

Once the service is activated, an operator must provide SSH credentials to further deploy a Docker container and a set of scripts that, after successful activation, will forward the traffic from the victims via two gateways defined as "upstream."

As is common in phishing campaigns, attackers register domain names that appear similar in spelling to related online services to mask them for use used in phishing campaigns, researchers noted.

**Connections to Recent Supply Chain Cyberattacks**

EvilProxy is notable also for its connections to recent threat activity — the first known phishing attack on users of the Python Package Index (PyPI), the official repository for the Python language, and a supply chain attack related to a credential breach at Twilio, researchers said.

Regarding the former, EvilProxy supports attacks against PyPI with the inclusion of a payload called JuiceStealer to the service, researchers said. The info-stealing malware was used in the PyPI phishing attack, and suspiciously added to EvilProxy just before that attack happened, researchers said.

EvilProxy also supports attacks on GitHub and the widely used JavaScript package manager NPJMS. This enables the service to deliver advanced phishing campaigns for supply chain attacks by targeting software developers and IT engineers, who may inadvertently add compromised code to applications and widen the spread of the attack without end users suspecting a thing, researchers said.

Indeed, the Twilio attack was a reminder of what can happen when enterprises are caught unawares, noted one security professional. In that attack, threat actors used phished Okta credentials to gain access to internal systems, applications, and customer data, affecting about 25 downstream organizations that use Twilio's phone verification and other services.

"Too many organizations assume that strong authentication is enough to protect their internal assets and data," Ronen Slavin, co-founder and CTO of Cycode, a software supply chain security solution provider, tells Dark Reading. "As a result of this mindset, most organizations over-credential their developers and expose way too many hard-coded secrets in places like repos, build logs, containers, and more."

With phishing attacks getting more advanced in both their methods to bypass security protections and target developers, enterprises need to be more wary of who within the organization has advanced access to systems, he adds.

"The key learning from this attack is to assume that developer accounts are compromised and that insiders could be malicious," Slavin says.

EvilProxy Commodifies Reverse-Proxy Tactic for Phishing, Bypassing 2FA

Ransomware in particular poses a major threat, but security vendors say there has been an increase in Linux-targeted cryptojacking, malware, and vulnerability exploits as well, and defenders need to be ready.

Linux may not quite stack up to Windows when it comes to the raw number of attacks against systems running the operating system, but threat actor interest in Linux-based servers and technologies has ramped up significantly recently.

That's likely in response to growing enterprise use of Linux infrastructures — especially in the cloud — to host mission critical applications and data, according to a report from Trend Micro this week. The firm identified a 75% increase in ransomware attacks targeting Linux systems in the first half of 2022 compared to the same period last year.

The report also said that researchers from the company spotted 1,961 instances of Linux-based ransomware attack attempts on its customers in the first six months of 2022 versus 1,121 in 1H, 2021.

**Surging Linux, VMware ESXi Ransomware Attacks**

The increase was consistent with Trend Micro's previous observations about threat actors broadening their efforts to target Linux platforms and ESXi servers, which many organizations use to manage virtual machines and containers.

The security vendor has described the trend as being spearheaded by the operators of the REvil and DarkSide ransomware families, and gaining momentum with the release of a LockBit ransomware variant for Linux and VMware ESXi systems last October.

Earlier this year, Trend Micro researchers observed yet another variant called "Cheerscrypt" surfacing in the wild that also targeted ESXi servers. And, several other security vendors have reported observing other ransomware such as Luna and Black Basta that can encrypt data on Linux systems.

Ransomware is currently the biggest, but not the only, threat targeting Linux systems. A report that VMware released earlier this year noted an increase also in cryptojacking and the use of remote-access Trojans (RATs) designed to attack Linux environments.

The company for instance discovered that threat actors are using malware such as XMRig to steal CPU cycles on Linux machines to mine Monero and other cryptocurrencies.

"Cryptomining malware on Linux saw an increase in the first half, likely from the fact that cloud-based crypto-mining has seen growth by malicious actors perpetrating this threat," notes Jon Clay, vice president of threat intelligence with Trend Micro.

VMware's report also observed expanded use of tools such as Cobalt Strike to target Linux systems and the emergence of a Linux implementation of Cobalt Strike called "Vermilion Strike."

Like Trend Micro, VMware too noted an increase in the volume and sophistication of ransomware attacks on Linux infrastructure — especially host images for workloads in virtual environments. The company described many of the ransomware attacks against Linux systems as targeted, rather than opportunistic, and combining data exfiltration and other extortion schemes.

**An Entry Point to High-Value Enterprise Environments**

Windows continues to be — by far — the most heavily targeted operating system, simply because of the size of its installed base. Clay says of the 63 billion threats that Trend Micro blocked for customers in the first half of 2022, only a very small percentage were Linux-based. Though there were millions of Linux threat detections in 1H, 2022, there were billions of attacks on Windows systems over the same period, he says.

But the growing attacks on Linux systems are troubling because of how Linux is starting to be utilized within critical areas of the business computing infrastructure. VMware pointed out in its report that Linux is the most common operating system across multicloud environments, and 78% of the most popular websites are powered by Linux. Thus, successful attacks on these systems could cause considerable harm to the organization’s operations.

"Malware targeting Linux-based systems is fast becoming an attacker's way into high-value, multi-cloud environments," VMware warned.

Even so, security protections might be lagging, Clay points out.

"Threat actors are seeing opportunities to attack this operating system as it is more common to see it running critical areas of a business operation," he says. "Because historically it hasn’t seen a lot of threats target it, security controls may be missing or not enabled properly to protect it."

**Protecting Linux Environments**

Linux administrators need to first of all follow standard security best practices to secure their systems, researchers say, such as keeping systems patched, minimizing access, and conducting regular scans.

Mike Parkin, senior technical engineer at Vulcan Cyber, says it's significant to note the major differences in how Linux- and Windows-based systems are used when assessing risk and managing patching. Linux systems are usually servers found both on-premises and in cloud deployments. While there are a lot of Windows servers, there are far more Windows desktops, and those are often what gets targeted, with the servers then being compromised from that initial Windows toehold.

Further, Linux user awareness around social engineering should be an organizational focus.

"Linux system administrators are, hopefully, less likely to fall for typical phishing and social engineering attacks than the general population," Parkin says. "But the standard advice applies — users need to be trained to be part of the solution rather than part of the attack surface."

Clay meanwhile says the first thing organizations need to do is to inventory all the Linux-based systems they’re running and then look to implement a Linux-based security approach to protect against different threats.

"Ideally, this would be part of a cybersecurity platform where they could deploy security controls automatically as Linux systems come online and model their controls for Windows-based systems," he says. "Ensure this includes technologies like machine learning, virtual patching, application control, integrity monitoring, and log inspection."

Defenders Be Prepared: Cyberattacks Surge Against Linux Amid Cloud Migration

Managed firewalls are increasingly popular. This post examines the strengths and weaknesses of managed firewalls to help your team decide on the right approach.

The recent remote work explosion driven by the COVID pandemic has forced many organizations to reconsider how they provide network security. The incredible proliferation of potential attack vectors and constantly changing types of attacks present in such a heavily distributed computing environment mean that keeping firewalls up to date has become a burden on security teams that's heavier than ever.

Firewall configurations are a touchy subject. Every network security professional has their preferred hardware and software, and we can all share horror stories about challenges we've experienced in their absence.

In this article, I'll examine the pros and cons of managed firewalls (MFWs) to help make the decision a little easier for your team.

**What Are Managed Firewall Services?**

MFW services typically provide on-demand, administration, monitoring, maintenance, and management of your firewall. These services are available for both cloud-based and on-premises firewalls.

The typical MFW service provider will offer services such as:

*   Firewall system health monitoring and alerting
*   Service and incident management
*   Software lifecycle management (updates, patches, etc.)
*   Security policy implementation, reporting, analysis and remediation
*   System vulnerability checks and security reviews
*   Network traffic monitoring

"Think of a managed firewall service as bringing in an expert, rather than outsourcing. You're partnering with someone with decades of experience and advanced training on your infrastructure in order to secure every last packet. Network security is hard, and a lot of times the easiest way to achieve your requirements is through a specialist." **—Eddie Doyle, Cybersecurity Evangelist, Check Point**

**What Are the Pros and Cons of Managed Firewall Services?**

**Pros**

MFW services offer the following potential benefits:

*   **Greater expertise:** Providers will generally have experts in your preferred hardware and software already on staff, speeding implementation.
*   **Reduced staff burden:** Outsourced providers maintain their own certifications and trainings, and they take over all equipment and software updates. This allows your team to focus on more strategic areas that can add greater value to the organization.
*   **Faster incident response:** Service-level agreements (SLAs) can ensure immediate incident response without adding additional organizational head count or off-hour team load.
*   **Proactive security:** MSPs typically devote significant attention to threat intelligence monitoring in order to adjust your protection as events and updates warrant. Doing so takes the burden off of your internal team.
*   **Reduced update burden:** Hardware, software, and firmware updates are time-consuming chores. MSPs will keep your equipment up to date and save your team time.
*   **Improved manufacturer support:** MFW providers often have direct manufacturer connections due to the volume of devices they operate. For an organization that may not have a large volume of equipment, an MSP may be able to improve issue resolution.
*   **Easier scale:** Growing organizations may be able to scale their protection more quickly and more cost-effectively using an MFW provider by eliminating hiring and equipment purchase processes.
*   **Improved backup and recovery:** An MFW provider will often have access to significant backup and recovery resources (including on-call staff) that can result in faster restore times than internal resources.
*   **Compliance expertise:** Industries with complex regulatory and/or data-handling requirements such as healthcare or payment processing can often use an MFW provider with regulated industry experience.

**Cons**

MFW services may not be good solutions for organizations that have concerns in the following areas:

*   **Small size:** Organizations with smaller budgets, lower traffic volumes, or more streamlined networks may find managing their firewalls internally is more cost effective.
*   **Strict data access requirements:** Organizations with strict compliance and data security may find that the liability of individuals from outside the organization potentially accessing sensitive data is too great. Public companies, for example, may find that providers accessing logs represent a privileged disclosure.
*   **Security context:** If your organization runs particularly complex operations, or is subject to novel attacks, an outsourced provider may not have enough context regarding your internal infrastructure to understand the severity level of alerts they are seeing.
*   **Knowledge loss:** Network security is an important IT function. If you fully outsource your firewall with the intent of reducing staff, your organization may lose significant internal capabilities knowledge.

**The Co-Managed Firewall Option**

To minimize some of the cons and other objections, it's also possible to subscribe to a co-management model. Many providers offer shared responsibility programs that allow the organization to maintain full access and perform their own administrative tasks as desired or required. While this can increase complexity, it can also offer increased flexibility.

I hope the above has helped you determine whether a managed firewall service is right for your organization. If you're struggling with your network security, or want to know if it's time to make a change, visit Atlantic Data Security.

**About the Author**

    

Eric Anderson is a cybersecurity architect, instructor, and evangelist at Atlantic Data Security. He's been working in technology and network security since 1985, loves sharing his experiences and insights, and frequently speaks on security issues.

The Pros and Cons of Managed Firewalls

Having a better understanding of how clouds are built, connected, and managed helps organizations mitigate risks and reduce attack surfaces.

Enterprises are investing in multiple cloud solutions to fuel growth and transform legacy applications into something more universally usable. However, the path to success can be fraught with missteps and unknowns that can create excessive risk. Cloud environments are often stitched together using APIs, custom coding, and other methods that add complexity.

That growing complexity has the potential to substantially increase risk and open organizations up to cyberattacks, and complexity further increases as more services and capabilities are added, compounding risk. Having a better understanding of how clouds are built, connected, and managed helps organizations mitigate risks and reduce attack surfaces.

**Establish Situational Awareness**

Business management expert Peter Drucker famously wrote, "You can't manage what you don't measure," and measurement is one of the most important tools for successfully managing a complex cloud environment. Organizations must take the critical step of measuring their infrastructure by establishing an inventory of systems, applications, and users.

There are numerous ways to measure, ranging from manually performing inventory to using automated tools to help with the process. Most firms settle on a mix of both. Selecting the appropriate management and monitoring tools is challenging, especially in hybrid and multi-cloud environments. Those environments use APIs to integrate dissimilar technologies and usually have their own monitoring and management tools and multiple tools can obscure situational awareness, which creates additional risk.

Properly remediating risk requires creating a single source of truth, which means that new management and monitoring tools must be deployed. Those tools should provide a unified and centralized view of the organization’s infrastructure, while also tearing down the silos created by dissimilar tools. However, people often create a false equivalency between multiple-cloud deployments and managing multiple datacenters, which can lead to selecting the wrong tools. The tools and skillsets differ between cloud and datacenter management, which can lead to missteps that will derail implementation. Organizations may have to purchase new tools or turn to experts to integrate the tools.

**Minimizing Mistakes**

In the rush to deploy cloud solutions, many may overlook what may be obvious to seasoned professionals. Reducing errors means defining objectives and building plans. Those deploying to the cloud must have a clear understanding of the business case, who the stakeholders are, and the desired results.

The flexibility and speed of the cloud make it easy to overlook security leading practices. Establishing those practices requires plans that incorporate cybersecurity at the earliest possible moment. Without proper cybersecurity controls, actions such as establishing a new feature or granting access will increase the attack surfaces and the associated risk.

Simply adding external users can lead to unexpected cybersecurity issues and can expand potential attack surfaces. Case in point is when an organization grants external access to a vendor or partner. Organizations must carefully consider the overall impact of granting that access and if that third party can make unauthorized changes, or access proprietary information, as well as how those user credentials are being secured.

Leading practices include defining security policies, deploying multifactor authentication, auditing access and being aware of threat environments. Some organizations will need to train in-house staff or turn to external experts to ensure that cyber issues are addressed and resolved before they have an impact.

**Building a Continuous Process**

Clouds are very fluid and allow changes to be accomplished quickly. New services can often be enabled with a simple command or click of the mouse. However, that fluidity can create unexpected complexity. What's more, change can have a cascading impact that brings additional risk and complexity to cloud management.

Mitigating risk using a set-and-forget approach is no longer appropriate for securing the cloud; organizations must make risk mitigation as fluid as the cloud. What's more, developers today have the power to constantly change, update, and expand the cloud environment. Accelerated change means that organizations need to be proactive and establish controls and policies to reduce risk.

By adopting continuous processes that insert controls into the development and deployment process, organizations can inject security into the development process. However, keeping security controls up to date can be an onerous task, which ultimately reduces the velocity of enabling change. Here, automation reduces the burden associated with cybersecurity in the cloud.

There are numerous tools that automatically validate code, perform testing of new code, and identify potential problems in real-time. Those tools leverage automation so that interference with the creative process is kept to a minimum. This type of automation does not simply enhance the security of the cloud environment, it will also enhance its resiliency and uptime.

Embracing multicloud, hybrid, or public cloud solutions does not have to be a step into the unknown. Enterprises can ease the transition to the cloud and avoid unnecessary risk by implementing policies, controls, and leveraging automation at the outset of cloud adoption. Having a proper handle on managing the cloud helps when further mitigating risk. What’s more, with the proper tools in place, enterprises may be able to expose additional opportunities, which in turn can help to grow the business.

3 Critical Steps for Reducing Cloud Risk

The US government and the Open Source Security Foundation have released guidance to shore up software supply chain security, and now it's up to developers to act.

Lessons learned from the SolarWinds software supply chain attack were translated into concrete guidance this week when the US Cybersecurity and Infrastructure Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA) released a joint best practices framework for developers to avoid future supply chain attacks.

Besides the US government's recommendations, developers also received npm Best Practices from the Open Source Security Foundation, to establish supply chain security open source best practices.

"The developer holds a critical responsibility to the security of our software," the agencies said about the publication, titled Securing the Software Supply Chain for Developers. "As ESF examined the events that led up the SolarWinds attack, it was clear that investment was needed in creating a set of best practices that focused on the needs of the software developer."  

OpenSSF's announcement, meanwhile, noted that the npm code repository has grown to include 2.1 million packages.

Developers like Michael Burch, director of application security for Security Journey, applaud the industry's proactive approach, but Burch adds that it's now up to the cybersecurity sector to put these guidelines into action, particularly a recommendation for the implementation of software bills of materials (SBOMs).

"What we need now is the AppSec community to come together on the back of this guidance, and create a standard format and implementation for SBOMs to boost software supply chain security," Burch said.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Feds, npm Issue Supply Chain Security Guidance to Avert Another SolarWinds

The operators of the emerging cross-platform ransomware BianLian increased their command and control infrastructure this month, indicating an acceleration in their operational pace.

A new player to the ransomware space called BianLian is ramping up activity, and has already targeted organizations in Australia, North America, and the United Kingdom.

According to an advisory from cybersecurity firm Redacted, there has been a "troubling" rise in the rate at which BianLian is bringing new command-and-control (C&C) servers online.

The ransomware was created with Golang (Go), the Google-created open source programming language, and targets SonicWall VPN devices and the Microsoft Exchange Server ProxyShell vulnerability chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).

"While we lack the insight to know the exact cause for this sudden explosion in growth, this may signal that they are ready to increase their operational tempo, though whatever the reason, there is little good that comes from a ransomware operator having more resources available to them," the researchers noted in the Friday post.

BianLian has been rising popularity since it was first outed in mid-July, according to researchers at Cyble Research Labs, which published details on the ransomware last month.

**The BianLian Ransomware Attack Flow**

To begin its attacks, the ransomware gang leverages the access gained through the ProxyShell vulnerabilities to install a Web shell or ngrok payload for monitoring activities. The group has been taking care to avoid detection and minimize observable events as it hunts for data and identifies machines to encrypt, researchers said.

In a campaign observed by Redacted, once in, BianLian most often utilized standard "living off the land" (LoL) techniques for network profiling and lateral movement, the report noted. These included net.exe to add and/or modify user permissions; netsh.exe to configure host firewall policies; and reg.exe to adjust various registry settings related to remote desktop and security policy enforcement.

In addition to leveraging the LoL techniques, the group is also known to deploy a custom implant as an alternative means to maintain persistent network access. The main objective of this "simple but effective" backdoor is to retrieve arbitrary payloads from a remote server, load them into memory, and then execute them.

"BianLian have shown themselves to be adept with the methodology to move laterally, adjusting their operations based on the capabilities and defenses they encountered in the network," the report stated.

BianLian, like other new cross-platform ransomware such as Agenda, Monster, and RedAlert, is also able to start servers in Windows Safe Mode to execute its file-encrypting malware while remaining undetected by security solutions installed on the system. Other measures taken to circumvent security barriers include deleting snapshots, purging backups, and running its Golang encryption module via Windows Remote Management (WinRM) and PowerShell scripts.

The group's emergence adds to the growing number of threats using Go as a base language, allowing adversaries to make quick changes in a single code base that can then be compiled for multiple platforms.

**Ransomware Runs Wild**

Acronis' mid-year cyber-threats report found that ransomware continues to be the top threat to large and midsize businesses, including government organizations, while research from Sophos indicates ransomware gangs may be working in concert to orchestrate multiple attacks.

Further complicating the security landscape is the emergence of data marketplaces that make it easier for threat actors to find and use data exfiltrated during ransomware attacks in follow-up attacks.

Despite the growing risk level and sophistication of ransomware attacks, ransomware coverage is lacking even among businesses with cyber insurance, according to a BlackBerry survey.

The Redacted advisory recommended using a layered approach when trying to mitigate the threat posed by ransomware actors.

"Focus needs to be placed on reducing your attack surface to avoid the most common types of exploitation techniques, but also preparing to act quickly and effectively when a compromise inevitably happens," the report said.

The foundation of this strategy includes multifactor authentication (MFA), secure backups, and an incident response plan.

Researchers Spot Snowballing BianLian Ransomware Gang Activity

Our digital future depends on the choices we make today. We need to invest in cybersecurity technologies and skills so that humanity can control its future.

As we observe the evolution of the war in Ukraine, particularly the use of cyberwarfare, we are presented with many questions about the long-term evolution of the cybersecurity landscape. Likewise, we've seen the pandemic bring about the rapid acceleration of digitalization — its place in our lives is no longer in question. But before plunging headfirst into this technological race, should we not ask ourselves where this evolution might be taking us of in terms of cybersecurity?

Based on the trends we're seeing develop in 2022, we have several diverging roads ahead of us. For a moment, let's take a look at four possible scenarios that could emerge over the next 20 years. The one in which we end up will be the result of choices we make right now about how to regulate and implement cybersecurity measures and countermeasures; perhaps this will inspire us to do things differently.

**1\. Peace in the Digital Space, for the Common Good**

In 2040, due to technological breakthroughs caused by intense research and a worldwide awareness of the importance of preserving this now vital new space, the digital space is declared a "common good of humanity" by the United Nation's General Assembly. It is therefore protected by international conventions that prohibit its militarization, respect privacy, and enforce a high level of security to eliminate criminal action. A special agency based on the model of the WHO or the UNHCR is created to protect it.

**2\. A Balance of Power in Digital Space**

In 2040, through global investment and regulation, the digital space has become a vital area with a high level of security. Only the most powerful states are able to confront each other in this digital space — and at great expense. They do so with restraint because their societies and economies, as well as global trade, would suffer from a deterioration of digital security (just as today, aerial combat is rare, due to the high price of modern fighter planes and the high utilization of airspace by citizen travelers). Cybercrime would have disappeared because of the cost and the expertise it requires. The digital space would be globally inaccessible to non-state players. A Digital Security Council would be created, with the great digital powers as its only permanent members.

**3\. Digital Insecurity on a Controlled Scale**

Digital insecurity is present in 2040 as it is today, but it remains on a small scale and does not call into question the model we know. States adopt positions, establish regulations, and implement policy incentives to strengthen the level of security. They do so while continuously conducting offensive actions to preserve their interests, even if it means destabilizing what they are building. Cybercrime persists by exploiting vulnerabilities and reusing offensive techniques and tools developed by states, but its impact is sustainable, both politically and economically, thanks to cyber insurance. Unfortunately, as in the material space, the weakest — i.e., vulnerable users, small businesses, and fragile states — are the first victims.

**4\. The Global Digital Space Collapses, Regional Alternatives Rise**

A few years after a wave of global-scale attacks which in some cases generated major human and economic consequences, the unfettered expansion of the digital space has resulted in total collapse by 2040. The global model has become untenable, due to uncontrolled data localization, technological monopolies dictating conditions, toothless international law, and ineffective national rights. It is therefore deeply questioned by states and citizens. New spaces, based on a national or regional approach, have been built. Beyond the legal aspects, they rely on differentiated technologies to avoid systemic effects. Quality and safety are regulated, potentially at the expense of price and innovation, and interfaces are controlled. By losing its universal specificity, the digital space has aligned itself with the physical space, for better or for worse.

**What's Likely?**

The first scenario, resolutely optimistic and therefore unlikely, is nevertheless plausible and would allow everyone to take advantage of the benefits of digital technology. Many precedents currently exist to safeguard areas such as Antarctica or the deep seabed, and these have continued to be respected, so why not the digital space? More broadly, a high level of confidence in the digital space allows technological acceleration to address the major challenges of our time, particularly around healthcare and energy.

The beginnings of the fourth scenario are already perceptible with the balkanization of China and Russia. In that scenario, insecurity both of state and of cybercriminal origin has not disappeared — it has increased further in the most fragile regions, which we are seeing today with cyberattacks on Ukraine, Taiwan, and other rivals.

Obviously, the future is unwritten, and the most likely scenario will be a combination of the four. One certainty remains: the need to invest in cybersecurity technologies and skills so that humanity can control its future. If we can create a world where cybersecurity is global and digital systems are impervious to attack, we can establish a safe place for international commerce, communications, and community to flourish.

4 Scenarios for the Digital World of 2040

Infections attributed to the USB-based worm have taken off, and now evidence links the malware to Dridex and the sanctioned Russian cybercriminal group Evil Corp.

Raspberry Robin, a widespread USB-based worm that acts as a loader for other malware, has significant similarities to the Dridex malware loader, meaning that it can be traced back to the sanctioned Russian ransomware group Evil Corp.

Researchers from IBM Security reversed engineered two dynamic link libraries (DLLs) dropped during a Raspberry Robin infection and compared them to the Dridex malware loader, which is a tool that has been definitively linked to Evil Corp. in the past — in fact, the US Department of the Treasury sanctioned the Russia-based Evil Corp for developing Dridex in 2019.

They found that the decoding algorithms worked similarly, using random strings in the portable executables as well as having an intermediate loader code that decoded the final payload in a similar manner and contained anti-analysis code.

"The results show that they are similar in structure and functionality," Kevin Henson, a malware reverse engineer at IBM Security, wrote in the analysis. "Evil Corp is likely using Raspberry Robin infrastructure to carry out its attacks."

**Raspberry Robin Takes Flight**

Security firm Red Canary first analyzed and named Raspberry Robin in May. Soon after, it came to the attention of other researchers, including IBM Security.

The worm spreads quickly throughout internal networks, hitchhiking on USB devices passed between workers. While Raspberry Robin relies on social engineering techniques to convince victims to plug in an infected USB device, infections took off during the summer, with 17% of IBM Security's managed clients in targeted industries seeing infection attempts.

However, the malware puzzled researchers initially, because it simply hibernated on infected systems and appeared to have no second-stage payload. In July that changed: IBM and Microsoft researchers discovered that infected systems had begun downloading the FakeUpdates malware, typically a precursor to ransomware used by Evil Corp.

FakeUpdates, also known as SocGhoulish, masquerades as a legitimate software update, but installs popular attack software such as Cobalt Strike and Mimikatz, or ransomware, on the victim's computer.

Microsoft noted at the time that FakeUpdates is usually attributed to an access broker that the company tracks as DEV-206. If Evil Corp is distributing FakeUpdates through existing Raspberry Robin infections as suspected, it suggests a close partnership between the access broker and Evil Corp.

Historical analysis indicates that the Raspberry Robin activity can be traced as far back as September 2021. The malware is typically used against manufacturing, technology, oil and gas, and transportation industries.

Raspberry Robin Malware Connected to Russian Evil Corp Gang

Thousands of corporate mobile apps developed by businesses for use by their customers contain hardcoded AWS tokens that can be easily extracted and used to access the full run of corporate data stored in cloud buckets.

Thousands of customer-facing Android and iOS mobile apps — including banking apps — have been found to contain hardcoded Amazon Web Services (AWS) credentials that would allow cyberattackers to steal sensitive information from corporate clouds.

Symantec researchers uncovered 1,859 business apps that use hardcoded AWS credentials, specifically access tokens. Of these, three-quarters (77%) contain valid AWS access tokens for logging into private AWS cloud services; and close to half (47%) contain valid AWS access tokens that also crack open millions of private files housed in Amazon Simple Storage Service (Amazon S3) buckets.

That means that a malicious-minded user of the app could easily extract the tokens and be off to the data-theft races, tapping into the cloud resources of the businesses that created the applications.

**Thanks, Mobile Software Supply Chain**

This unfortunate state of affairs is thanks to a mobile code supply chain issue, Symantec researchers said — vulnerable components that allow developers to embed hardcoded access tokens.

"We discovered that over half (53%) of the apps were using the same AWS access tokens found in other apps," they said in an analysis on Sept. 1. "Interestingly, these apps were often from different app developers and companies. \[Eventually\] the AWS access tokens could be traced to a shared library, third-party SDK, or other shared component used in developing the apps."

The firm found that these shared, hardcoded AWS tokens are used by in-house app developers for a variety of reasons, including downloading or uploading large media files, recordings, or images from the company cloud; accessing configuration files for the app; collecting and storing user-device information; or accessing individual cloud services that require authentication, such as translation services. However, the tokens' reach into the cloud is often far greater than the developer may realize.

"The problem is, often the same AWS access token exposes all files and buckets in the Amazon S3 cloud, often corporate files, infrastructure files and components, database backups, etc.," according to the analysis. "Not to mention cloud services beyond Amazon S3 that are accessible using the same AWS access token."

As an example, one of the apps uncovered by the analysis was created by a B2B company that offers an intranet and communication platform. It also provides a mobile software-development kit (SDK) for customers to use to access the platform.

"Unfortunately, the SDK also contained the B2B company's cloud infrastructure keys, exposing all of its customers' private data on the B2B company's platform," Symantec researchers noted, adding that they notified all organizations using vulnerable apps of the issue. "Their customers' corporate data, financial records, and employees' private data was exposed. All the files the company used on its intranet for over 15,000 medium-to-large-sized companies were also exposed."

The same situation held true for a collection of mobile banking apps on iOS that rely on the AI Digital Identity SDK for authentication. The SDK embeds AWS tokens that could be used to access private authentication data and keys belonging to every banking and financial app using it, as well as 300,000 banking users' biometric digital fingerprints used for authentication, and other personal data (names, dates of birth, and more).

"Apps with hardcoded AWS access tokens are vulnerable, active, and present a serious risk," Symantec researchers concluded. "\[And\] this is not an uncommon occurrence."

****Avoiding Cloud Compromise via Mobile Apps****

Organizations can take steps to ensure that the apps they build for their customers don't unwittingly offer a path to cyberespionage, according to Scott Gerlach, co-founder and CSO at StackHawk.

"Adding DevSecOps tools, like secret scanning, to continuous integration/continuous development pipelines (CI/CD) can help ferret out these types of secrets when building software," he noted in a statement. "And it's critical that you understand how to manage and securely provision AWS and other API keys/tokens to prevent unwarranted access."

From a design perspective, developers can also replace hardcoded credentials with API calls to a repository or software as-a-service (SaaS) vault, or to use temporary tokens, according to Tony Goulding, cybersecurity evangelist at Delinea.

"\[That way\] they can pull a credential or key down in real-time that doesn't persist on the device, in the app, or a local config file," he said in a statement. "An alternative approach is to use the AWS STS service to provision temporary tokens to grant access to AWS resources. They're similar to their long-term brethren except they have a short lifespan that's configurable — as little as 15 minutes. Once they expire, AWS won't recognize them as valid, preventing an illicit API request using that token."

AWS Tokens Lurking in Android, iOS Apps Crack Open Corporate Cloud Data

Threat hunters can help build defenses as they work with offensive security teams to identify potential threats and build stronger threat barriers.

Over the last few years, an influx of high-profile industry security issues (PDF) have placed offensive tactics among the top priorities for corporations to help mitigate the risk of a potential attack. With many companies opting to continue remote and hybrid working environments, potential security risks cannot go ignored or be left to chance, and an emphasis on developing greater defensive security tactics, working in tandem with offensive security teams, is essential for identifying behaviors of potential threats and building stronger barriers against evolving challengers.

Threat hunting, in particular, has emerged as a must-have security component for companies. It encompasses the tasks of identifying patterns of threat behaviors and hunting for anomalies and changes occurring in an environment based on suspicious activity — with the goal of building defenses to combat threats.

But what makes a successful threat-hunting program? The reality is that identifying suspicious activity may not be as straightforward as it seems. It requires a comprehensive approach with proactive manual detection, constant communication between teams, and an investment in the right people to bring the process to life.

**Hunting for the Right Skills**

Threat hunting requires a human touch to thoroughly review suspicious patterns and scour the environment for threats that haven't yet been identified by a company's existing security tooling and processes. It's a heavily strategic game of cat and mouse to find potential adversaries and advanced persistent threats (APTs), predict their next move, and stop them in their tracks.

A successful threat hunter needs to have a thorough understanding of their environment, the known threats their team has faced, and the ability to problem-solve and think critically about hidden avenues adversaries could take to gain access. In a way, this is the ultimate detective work, and it becomes the building blocks for designing better defensive protocols. Investing in the right people on the team and fostering a culture of open communication is essential.

To receive leads or hunt ideas, Adobe's threat-hunting team has created a messaging bot app that security teams, such as the security operations center or incident response, can use to have seamless collaboration with the hunt team. Once hunts are completed, hunt reports are shared with the cross-functional security teams and relevant stakeholders to improve the existing security posture of the organization.

The hunt team works hand-in-hand with the detection function to help improve current methods and input new data based on emerging tactics used by adversaries. They also collaborate closely with the team responsible for central operational security data to help identify gaps, misconfigurations, and bolster enrichments to help security teams utilize that data more effectively.

However, while threat hunting tends to mainly rely on manual processes, automated processes and machine learning can certainly aid in the hunting effort. Aggregated data analytics can help to quickly find anomalies in data patterns within a company's network, shortening the time teams need to spend combing through data.

At Adobe, we are building multiple UEBA (user and entity behavior analytics) pipelines using machine learning and advanced data analytics to review large volumes of log data and help us spot anomalies that indicate a user's or entity's behavior change. These anomalies are turned into hunt leads (or alerts) after further enrichment and correlation for human review and escalation when needed.

**Stopping Adversaries in their Tracks**

With the right team in place, security teams can begin mapping out their plan of attack and strategy to identify APTs:

*   Rally behind a hypothesis of how adversaries could potentially gain access to the network
*   Create a clear goal for the program (e.g., reducing time adversaries spend in the network, reduce the number of high-impact threats, etc.)
*   Analyze data for anomalies and work cross-team to build new, improved defenses

Not all threat-hunting campaigns will be equally successful, so it's just as important to create a plan for tailoring threat-hunting programs as your company collects more insights on current data trends and adversaries. Be honest with your teams about what's working, what isn't, and new ways to leverage machine learning and other tools to support your goals.

When combined with offensive tactics, threat hunting is a valuable addition to your security efforts. It should be viewed as an ever-evolving strategic approach to identify potential issues, and an essential component of a successful, comprehensive security program.

Source

DARKReading