The APT, aka Earth Estries, is one of China's most effective threat actors, performing espionage for sometimes years on end against telcos, ISPs, and governments before being detected.

Source: 3D generator via Alamy Stock Photo

The Chinese threat actor known as Salt Typhoon has been spying on some high-value government and telecommunications organizations for several years now, recently debuting fresh backdoor malware, dubbed GhostSpider.

Salt Typhoon (aka Earth Estries, FamousSparrow, GhostEmperor, and UNC2286) is among the People's Republic's most cutting advanced persistent threats (APT). In a campaign stretching back to 2023, it has compromised more than 20 organizations. Those organizations tend to be of the highest order, from all corners of the globe, and their breaches have in some cases remained undetected for years. Most recently, it's been known for targeting US telcos, including T-Mobile USA, and ISPs in North America.

**Salt Typhoon's Arsenal of Malware**

With access to a targeted network, the APT that Trend Micro calls Earth Estries can deploy any one of its varied and powerful payloads, which it is consistently building out, according to a new analysis from the firm.

There's Masol RAT — a cross-platform tool it's used against Linux servers from Southeast Asian governments — and the modular SnappyBee (aka Deed RAT). The newly discovered GhostSpider, meanwhile, is a highly modular backdoor, adjustable for any particular attack scenario, according to Jon Clay, Trend Micro's vice president of threat intelligence.

Related:Sneaky Skimmer Malware Targets Magento Sites Ahead of Black Friday

"So, I can enact a specific module to do one specific thing, and it only does that one thing, and then if I need something else, I enact another module. And this does make it much more difficult for defenders and researchers to identify what's what," Clay says, because one instance of GhostSpider might look entirely different from another.

Besides its backdoors, the group also possesses a rootkit called Demodex, and Trend Micro has speculated that it might even have used Inc ransomware in some of its operations.

The diversity of Salt Typhoon's malware may be connected to the very nature of how it operates. According to the researchers, it is a structured organization of distinct, specialized teams. Its various backdoors, for example, are managed by different "infrastructure teams." The tactics, techniques, and procedures (TTPs) utilized in different attacks might vary significantly, with unique teams focusing in different geographic regions and industries — another reason why pinning down the Chinese APT has been so difficult over the years. "They are very sophisticated \[at\] gaining access, maintaining access, maintaining persistence, and wiping their tracks when they have done something to make it look like they were never there," Clay says.

Related:News Desk 2024: Can GenAI Write Secure Code?

**How Estries Gains Entry**

Earth Estries had been conducting long-term espionage attacks against governments and other targets since 2020. Around the middle of 2022, though, a switch flipped.

"In the past, they were doing a lot of phishing of employees," Clay recalls. "Now they're targeting Internet-facing devices using n-day vulnerabilities, finding any open ports \[or\] protocols, or applications that are running that they can exploit in order to gain access."

"N-day" refers to recently disclosed bugs that organizations might not have had a chance to patch yet. The group's favorite vulnerabilities have been dangerous (but now well-documented), including: 

*   The SQL injection bug CVE-2024-48788, which affects the Fortinet Enterprise Management Server (EMS)
    
*   CVE-2022-3236, a code injection issue in Sophos Firewalls
    

*   The four Microsoft Exchange vulnerabilities involved in ProxyLogon
    

"And we see this across the board," Clay notes. "Certainly, emails are still a big way to gain access to organizations, but it used to be 80%-plus \[of cases\]. I think now you're looking at a much smaller percentage of these attacks beginning with a phishing campaign."

Related:Israel Defies VC Downturn With More Cybersecurity Investments

**Chinese Island Hopping to Gov't Cyberattack Victims**

Often, Salt Typhoon doesn't exploit vulnerabilities directly in its target's network. Instead, it opts for a more tactful approach.

Since 2023, its victims have spanned no fewer than four continents — from countries as diverse as Afghanistan, India, Eswatini, and the US — with the greatest concentration being in Southeast Asia. These organizations have come from the telecommunications, technology, consulting, chemical, transportation, and nonprofit sectors, with a special emphasis on government agencies.

Not all of these organizations are necessarily the hackers' final destination, though. A nongovernmental organization (NGO), for example, may house interesting data worth stealing, or it might just provide a covert springboard for attacking a more important government agency. In 2023, for instance, researchers observed Salt Typhoon compromising consulting firms and NGOs that work with the US government and military, with the goal of more quickly and effectively breaching the latter.

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Salt Typhoon Builds Out Malware Arsenal With GhostSpider

Amazon Web Services' identity and access management platform has added new features that help developers implement secure, scalable, and customizable authentication solutions for their applications.

Source: GK Images via Alamy Stock Photo

Amazon Web Services (AWS) has announced updates to Amazon Cognito, its identity and access management service for Web and mobile applications. The service allows developers to secure machine-to-machine authentication, enable role-based access to AWS resources, and create sign-in and sign-up experiences in applications. 

Cognito now supports passwordless login with managed login, enabling users to integrate passwordless authentication methods, including passkeys, email one-time-passwords, and SMS one-time-passwords. 

The new features include a developer-focused console experience that streamlines onboarding via a wizard and use-case specific recommendations. This allows developers to configure their sign-in options and follow the system-provided instructions to create the application's sign-in and sign-up pages. A new user pool, a user directory for authentication and authorization, is automatically created, according to the blog post announcing the new updates. Amazon Cognito also supports major application frameworks and offers detailed instructions for integrating them using standard OpenID Connect (OIDC) and OAuth open source libraries.

Amazon has updated the pricing structure for Cognito, adding user pool feature tiers: Lite, Essentials, and Plus. New user pools are created at the Essentials tier by default, and users can switch between tiers depending on their needs. 

The Lite tier includes user registration, password-based authentication, and social identity provider integration. The Essentials tier includes expanded authentication and access control features, including managed login and passwordless capabilities and enhanced security features. The Plus tier offers more security features, including threat protection capabilities against suspicious logins and compromised credential detection. 

Pricing is based on monthly active users. The Essentials and Plus tiers are available in all AWS regions where Cognito is available, except AWS GovCloud (US) regions. 

**About the Author**

Contributing Writer

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

AWS Rolls Out Updates to Amazon Cognito

Cyberattackers have been targeting the online NFT marketplace with emails claiming to make an offer to a targeted user; in reality, clicking on a malicious link takes victims to a crypto-draining site.

Source: Mundissima via Alamy Stock Photo

Cyberattackers are targeting users of the OpenSea nonfungible token (NFT) platform with a phishing attack that lures users with the potential sale of items listed on the marketplace. The aim? Draining their cryptocurrency wallets dry.

Researchers at Cofense discovered the campaign, in which adversaries impersonate the OpenSea website and claim a user has a new offer on a listing on the site to try to bait them into clicking on a malicious link.

"The goal of the phishing scheme is to get recipients to connect their crypto wallets to the phishing page, which will drain their wallets," Cole Adkins of the Cofense Phishing Defense Center wrote in a post. "The phish presents itself as an offer on an NFT the recipient has listed on OpenSea, in hopes they will click on it and connect their wallet once redirected."

OpenSea is the largest marketplace for NFTs and thus "the go-to platform for many entry-level NFT enthusiasts looking to enter the crypto collectible market," who are likely unaware of the common tactics of phishers and thus can easily be fooled, he wrote.

The campaign demonstrates the speed with which attackers are targeting new and emerging technologies like NFT — which held little interest for people until OpenSea was launched in 2017 —  with custom campaigns tailored to their particular interests, he said. OpenSea marketplace currently has more than 2 million users with at least one transaction on the site, many of them enterprise users.

Related:Sneaky Skimmer Malware Targets Magento Sites Ahead of Black Friday

**OpenSea Brand Impersonation for the Phishing Lure**

The attack begins when targeted victims receive an email that appears to come from OpenSea. To a savvy user, it would be a clear phish, as the sender address is "administrator\[at\]motordna\[dot\]io," and thus unrelated to the NFT marketplace. However, the branding in the content of the email mimics OpenSea using a look that's similar to the site, and it could fool someone not keeping an eye out for phishing clues, according to Cofense.

"By branding the email as OpenSea and employing the same email format used for an actual notification from the OpenSea NFT marketplace, the threat actor hopes to ease the recipient’s suspicion so they will click the button in the email body," Adkins wrote.

Recipients are prompted to hit an "Access Now" button to direct to a purported offer that's come on one of their items on the marketplace, demonstrating the use of social engineering that adds urgency and aims to instill excitement at the potential of a sale, he wrote.

Users that click on the button are directed to a fake OpenSea webpage that's also been designed by attackers to appear legitimate. The page shows that an offer has been made on an NFT owned by the victim and they must accept it quickly by connecting to their crypto wallet via a "Connect Wallet" button, or else lose their chance at a sale. Clicking presents the user with multiple ways to access the wallet, such as via a QR code or signing in with credentials. Once this step is complete, an attacker can control the wallet and any credentials associated with it.

Related:News Desk 2024: Can GenAI Write Secure Code?

**NFT in the Crosshairs**

The campaign is not the first time OpenSea has been targeted by a potential threat actor. A couple of years ago, an employee of one of the marketplace's email vendors, Customer.io, accessed and downloaded the company's email list, ostensibly for future phishing attacks. The cybercriminal group Marko Polo also has impersonated OpenSea as a way to target its users for fraud.

While NFT hasn't quite gone mainstream yet, attackers are increasingly targeting those interested in the novel technology to expand their attack surface. These attacks will likely ramp up as the technology gains popularity, according to Cofense. "This … highlights why recipients must stay vigilant and up to date with common phishing threats in order to protect their assets," Adkins wrote.

Related:Israel Defies VC Downturn With More Cybersecurity Investments

Cofense recommends that users of OpenSea and other NFT marketplaces use the same online hygiene as any other e-commerce user when navigating access to their accounts. Best practices for protecting assets include avoiding clicking on links in emails from addresses or users they don't recognize, and learning to recognize common phishing and social-engineering tactics. The company also recommends that OpenSea users should check the sender field of any email that purports to be from the marketplace for suspicious-looking addresses that could alert them to foul play.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

OpenSea Phishers Aim to Drain Crypto Wallets of NFT Enthusiasts

Protection ranged from 0.38% to 50.57% for security effectiveness.

PRESS RELEASE

AUSTIN, Texas, Nov. 26, 2024 /PRNewswire/ -- CyberRatings.org (CyberRatings), the non-profit entity dedicated to providing confidence in cybersecurity products and services through its research and testing programs, has completed an independent "Mini-Test" of Cloud Service Provider (CSP) Native Firewalls from Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). Security effectiveness protection ranged from 0.38% to 50.57%.

In today's cloud-centric environment, businesses often face a critical choice regarding the security of their cloud infrastructure. They can rely on firewalls offered directly by Cloud Service Providers (CSPs) or use independent security vendor firewall offerings typically available through the respective CSP's marketplace. Security effectiveness is a crucial factor in selecting the right firewall solution, as it directly impacts the organization's ability to protect against cyber threats.

The CSP firewalls were tested against 522 exploits using Keysight's CyPerf v5.0 software testing platform, offering an evidence-based look at how well these native solutions withstand real-world security threats. Only known Common Vulnerabilities and Exposures (CVEs) from the last ten years with a severity of medium or higher were used to assess security effectiveness, usability, and protection. The exploit (CVE) types targeted servers and are typically relevant to cloud workload deployments.

"This was designed to be an entry level test," said Vikram Phatak, CEO of CyberRatings.org. "The exploits were straightforward; we didn't apply any evasions which is normally how attackers bypass security products. The number of missed exploits is concerning. Until cloud native firewalls demonstrate they have a higher level of security effectiveness to protect against cyber threats, we strongly recommend that customers consider third-party providers with a proven track record."

This test is part one of a two-part test. Part two will include a higher number of exploits, along with evasions and malware. The second part of the test will also compare cloud service provider native solutions against market leading third-party cloud network firewall providers.

The native firewalls were tested using Keysight's CyPerf v5.0 software testing platform. Enterprises can easily replicate the results with a 2-week free trial from Keysight. Further details of the strike library can be found here: https://www.keysight.com/us/en/products/network-test/cloud-test/cyperf.html

The test report is available for free at cyberratings.org.

About CyberRatings.org 

CyberRatings.org is a 501(c)6 non-profit organization dedicated to providing confidence in cybersecurity products and services through our research and testing programs. We provide enterprises with independent, objective ratings of security product efficacy to make informed decisions. To become a member, visit www.cyberratings.org and follow us on LinkedIn.

SOURCE  CyberRatings.org

CyberRatings.org Announces Test Results for Cloud Service Provider Native Firewalls

Findings reveal growing cybersecurity risks in ecommerce, exposing vulnerabilities in PII handling and lack of basic security protections like HTTPS and WAFs

PRESS RELEASE  
PALO ALTO, Calif., Nov. 26, 2024 – CyCognito today released a special report on the security risks facing ecommerce platforms during the holiday shopping season, highlighting the growing threats to customer data as Black Friday and Cyber Monday drive a surge in online activity. The findings showed that, despite ecommerce sites handling more sensitive data than ever, vulnerabilities continue to persist—especially in web applications and interfaces. 

With the holidays fast approaching, both retailers and shoppers need to be prepared for the risks of the seasonal rush. As they race to meet shopping demands, attackers are ready to exploit vulnerabilities in ecommerce assets, potentially stealing personal information or causing major disruptions,” said Emma Zaballos, Senior Researcher, CyCognito. “It’s crucial for retailers to prioritize ongoing security checks, ensuring their websites are prepared well ahead of peak shopping days. Otherwise, the consequences could be a far worse gift than any shopper expected.”

For this report, CyCognito’s research team aggregated and analyzed ecommerce web application assets across its customer base from November 2023 to October 2024. All findings are anonymized and normalized. These customers span multiple industry verticals and include a mix of small, medium, and large enterprises across the globe, including Fortune 500 companies.

Key findings:

*   Ecommerce Sites Handling Sensitive Data at Risk
    
*   Widespread Lack of HTTPS and WAF Protections
    
*   PII-Exposing Assets Lacking Security Protections
    
*   Certificate Validity and Trust Issues  
    

To view the full report, please visit this link.

About CyCognito

CyCognito is an exposure management platform that reduces risk by discovering, testing and prioritizing security issues. The platform scans billions of websites, cloud applications and APIs and uses advanced AI to identify the most critical risks and guide remediation. Emerging companies, government agencies and Fortune 500 organizations rely on CyCognito to secure and protect from growing threats. For more information, visit https://www.cycognito.com/

CyCognito Report Highlights Rising Cybersecurity Risks in Holiday E-Commerce

Imagine your car gossiping to insurance companies about your lead foot, or data brokers peddling your daily coffee run. Welcome to the world of connected cars, where convenience and privacy are locked in a head-on collision.

Source: santoelia via Alamy Stock Photo

COMMENTARY

If you drive an Internet-connected car, like I do, your real threat isn't a cop with a radar gun: It's your vehicle becoming a giant, metal snitch. Under your hood, through miles of circuitry, lies a dark secret: Data brokers are collecting every detail of your trip, from where you grab your morning coffee to that shortcut you take to avoid rush hour. They say it's for safety and a better driving experience, but regardless, the idea of our cars spying on us can be terrifying. However, before we admonish our all-seeing rides, we must be honest with ourselves — the convenience we opt into isn't the same as a full-blown invasion of privacy. 

I've been in cybersecurity for more than a decade, taking the fight to the worst threat actors and fending off market-shifting phishing attacks. I get the whole "privacy matters" spiel. But let's face it: We crave convenience and yet complete privacy on the road isn't always practical, especially when it comes to safety. 

My garage houses its own fleet of Teslas — three to be exact, including one for my teenage daughter (just to be clear, I'm not an Elon fanboy). I love these cars because they're packed with safety features that allow me to monitor and supervise our driving. This is important to me because teenagers and speeding go together like peanut butter and jelly. Age aside, who among us hasn't rolled through a stop sign in the wee hours? We all have imperfections, and for me and my family, that includes the occasional lapses in driving that I want to know about. 

Some folks might clutch their pearls at the thought of supporting tracking features, and in some cases they'd be right. I can scoff at the US Automobile Association's (USAA) attempt to totally track me with its SafePilot app just for an insurance discount. But Tesla's monitoring feature that lets me see where my daughter ghosts off to after curfew? Totally different.  

It's all about commonsense control. USAA wants to use my data to judge my driving and probably jack up costs down the road. Tesla's features, and others like it, skew toward safety and meaningful oversight (again, not an Elon fanboy).  

**Picking and Choosing Our Privacy Choices**

The point is, we're all picking and choosing when it comes to privacy, whether we know it or not. We crave convenience and control, even if it means sacrificing a bit of anonymity in the digital age. But is this the future we signed up for? Convenience at the expense of complete transparency? We willingly hand over our data to the tech giants — the Apples and Googles of the world — trusting them to be our benevolent data overlords. They assure us our information is anonymized, like a digital cloak of invisibility protecting our identities. And we just have to trust them. Here's the thing: I sleep soundly at night knowing my Internet-connected car's got my back (and my daughter's). 

That isn't to say this is a black-and-white issue. We do need a data reality check. Yes, personalized data collection can be a good thing. Suggesting that scenic rest stop on your road trip through Yosemite is super helpful. But the line gets blurry when that same data allows insurance companies to track your movements or marketers to manipulate you into buying an overpriced Chick-fil-A sandwich along your normal route home. 

In less safe, opted-in hands, our so-called anonymized data becomes a dystopian road map of our lives, influencing everything from insurance rates to targeted ads for the nearest repair shop (because, hey, after that questionable parking job, you must need one!). 

The bigger problem is the lack of transparency and accountability. Just how much anonymized data gets used for less helpful purposes remains unclear. We're quick to click "Accept" on those endless terms-of-service agreements faster than you can say "data breach." Suddenly, your reckless driving habits, gleaned from your helpful Internet-connected car, could torpedo your chances of getting an auto loan, or worse. It's like having a digital stalker whispering the worst, juiciest gossip about you to lenders. 

Even worse, malicious threat actors, particularly nation-state groups, lurk in these gray areas. They're exploiting vulnerabilities in data transmission protocols or storage systems to snag sensitive driver information — everything from real-time location to private conversations. This grants them a frightening level of control over individuals as well as the potential to disrupt critical infrastructure. 

**We Deserve a Say**

So, the next time you scoff at a car's "stalker" features, take a good look at your own smartphone, brimming with data-hungry apps. Maybe a little commonsense privacy hypocrisy is the price we pay for our self-driving, AI-powered future. In the meantime, we still deserve a say in how our data is used. We need stricter regulations and a healthy dose of skepticism toward "anonymous data" claims. Governments can incentivize research and development in secure data storage and anonymization techniques. This way, businesses can offer new services without compromising user privacy. 

Privacy isn't a luxury. It's a fundamental right. Let's not trade it away for the fleeting convenience of a perfectly optimized commute. This is a fight for our data, privacy, and the freedom to exist online without being constantly tracked and judged if we don't want it. Remember Rage Against the Machine? They're still my favorite band. I can't help but feel that one of their lyrics rings true here: "If we don't take action now, we settle for nothing later." If we don't take action now, we'll surrender our privacy bit by bit, until there's nothing left. 

**About the Author**

CEO & Co-Founder, Huntress

Kyle Hanslovan is CEO and co-founder of Huntress, where he protects 150,000 businesses and oversees millions of employees, and isn’t afraid to drop hot takes to disrupt herd mentality. He’s successfully raised nearly $200 million in venture capital and is passionate about entrepreneurship, innovation, radical candor, and social impact. Prior to this, he served 10 years in the US intelligence community and Air Force supporting offensive cyber operations. During this time, he won the World Series of hacking (DEF CON's CTF) and presented at most major cybersecurity conferences.

My Car Knows My Secrets, and I'm (Mostly) OK With That

The incident is typical of the heightened threats organizations face during the holidays, when most companies reduce their security operations staff by around 50%.

Source: Ned Snowman via Shutterstock

A disruptive ransomware attack on Blue Yonder, a supply chain management software provider for major retailers, consumer product companies, and manufacturers, highlights the heightened risk organizations face during the busy holiday season.

A Nov. 21 attack on Blue Yonder affected infrastructure that the company uses to host a variety of managed services for customers, which include 46 of the top 100 manufacturers, 64 of the top 100 consumer product goods makers, and 76 of the top 100 retailers in the world.

**Major UK Supermarket Chains Hit in Cyberattack**

Among those reportedly most affected by the attacks are Morrisons and Sainsbury's, two of the UK's largest supermarket chains. British media outlet The Grocer quoted a Morrisons spokesperson as describing the Blue Yonder attack as affecting the smooth delivery of goods to stores in the UK. Availability of some product lines at wholesale and convenience locations could drop to as low as 60% of normal availability, the media outlet reported.

In the US, Starbucks reported the Blue Yonder attack affecting a back-end process for employing scheduling and time-tracking. But besides that, there have been no confirmed reports so far of widespread disruptions resulting from the attack. Blue Yonder's US customers include Kimberly-Clark, Anheuser-Busch, Campbell's, Best Buy, Wegmans, and Walgreens.

Related:Dark Reading Confidential: Meet the Ransomware Negotiators

In its initial disclosure on Nov. 21, Blue Yonder said it experienced disruptions to its managed services hosted environment, which it determined was the result of a ransomware attack. The company said it was actively monitoring its Blue Yonder Azure public cloud environment but had not spotted any suspicious activity.

"Since learning of the incident, the Blue Yonder team has been working diligently together with external cybersecurity firms to make progress in their recovery process," a Blue Yonder spokesperson said in an emailed statement to Dark Reading. "We have implemented several defensive and forensic protocols" to mitigate the issue.

"We have notified relevant customers and will continue to communicate as appropriate. Additional updated information will be provided on our website as our investigation proceeds," the spokesperson added. The statement did not provide any kind of timeline by which it hopes to completely restore its systems.

**Ripple Effect From Blue Yonder Hack**

The fallout from the Blue Yonder attack is similar to that from other major supply chain attacks in recent times, including the ones on Progress Software's MOVEit file transfer software, Kaseya, WordPress, and Polyfill.io. In each instance, the threat actors behind the attacks managed to impact a broad swath of organizations by targeting a single trusted player in the software supply chain.

Related:Fancy Bear 'Nearest Neighbor' Attack Uses Nearby Wi-Fi Network

The Blue Yonder incident is also typical of the attacks that tend to happen around holidays and during weekends, when IT departments tend to be less than fully staffed. Research that Semperis conducted showed that 86% of ransomware victims over the past year were targeted either on a holiday or on a weekend. More than six in 10 respondents in the survey said they experienced a ransomware attack during a corporate event.

Semperis found that while most of the organizations in its survey maintained a round-the-clock security operations capability, some 85% scaled back security operations center (SOC) staffing levels by up to 50% outside normal business hours.

**Opening the Door to Cyberattacks**

"Despite widespread cybersecurity efforts, many organizations are unintentionally opening a door to ransomware by reducing their defenses during weekends and holidays," says Jeff Wichman, director of incident response at Semperis. "Attackers clearly expect this behavior and target these periods — as well as other material corporate events that might signal distracted or reduced defenses — to strike.

Related:Yakuza Victim Data Leaked in Japanese Agency Attack

Wichman says the Semperis study looked at nearly 1,000 organizations in the US, the UK, France, and Germany. In each country, the vast majority of businesses reduce staffing by up to 50% on holidays and weekends. In Germany, 75% of organizations downsized staff by as much as 50% on holidays and weekends. "In security, you can’t wax or wane, and your defenses need to be constant" and around the clock, he says.

Wichman recommends that organizations maintain at least 75% of their regular staffing levels on holidays and weekend to maintain operational resiliency.

Nick Tausek, lead security automation architect at Swimlane, says incidents like the attack on Blue Yonder highlight why cyber hygiene is important at all times of the year, but especially so during the holiday season: "User training, frequent, comprehensive backups, and a tested disaster recovery plan are the three biggest protections against cybercriminals and ransomware operators during the busy holiday season."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Ransomware Attack on Blue Yonder Hits Starbucks, Supermarkets

The anti-fraud plan calls for companies to create a pipeline for compiling attack information, along with formal processes to disseminate that intelligence across business groups.

Source: Romolo Tavani via Shuttertock

A data-focused approach to tackling phishing and business fraud promises significant reductions in the amount of phishing and phone-based fraud that companies — and their customers — face, but worries remain over whether fraudsters will adapt.

The Financial Services Information Sharing and Analysis Center (FS-ISAC) unveiled its Phishing Prevention Framework on Nov. 19, a program consisting of best practices in data collection, defense, and customer communications that has already reduced the volume of phishing incidents — as measured by abuse complaints — in a pilot program with three banks. The framework cut the incidence of abuse complaints for those financial services firms in half and promises significant benefits for any business targeted by cybercriminals, if they implement certain best practices — such as security education and intelligence collection — included in the framework.

While FS-ISAC has released the framework for the financial services sector — where phishing is a pernicious problem — the techniques are broadly applicable, says Linda Betz, executive vice president of global community engagement at the organization.

"While the framework is tailored for financial institutions due to the sensitive nature of their operations, the strategies can benefit businesses across industries," she says. "For instance, cataloging communication channels and deploying anti-phishing technologies are broadly applicable and scalable solutions for any organization dealing with sensitive customer interactions or high volumes of transactional data."

The financial services sector is not the only industry plagued by phishing. In 2023, US consumers and businesses reported nearly 300,000 phishing-related crimes to the FBI, according to its annual Internet Crime Report. Phishing and pretexting — which differ in that the attacker surreptitiously joins an email thread — account for 31% and 40%, respectively, of all social engineering attacks, according to Verizon's "2024 Data Breach Investigations Report" (DBIR). Security awareness exercises have found that it takes less than 60 seconds for the first victims of a phishing campaign to click a link and enter their information.

**Focus on Sources, Not Transactions**

As part of its Phishing Prevention Framework, the FS-ISAC recommends that organizations create a data-focused process for handling abuse complaints and focus on maximizing the insights that can be learned from phishing campaigns. Companies should create a fraud and phishing intake pipeline that records critical information and an abuse box infrastructure that allows security and fraud teams to disseminate intelligence to other business groups, the report states.

Three banks that piloted the Phishing Prevention Framework all saw decreases in phishing abuse, but Bank A saw the most dramatic changes. Source: FS-ISAC's "Stop the Scams: A Phishing Prevention Framework for Financial Services" report

The key issue is that fraud reporting often focuses on preventing the bad transaction and spends little time on understanding how the activity originated, FS-ISAC's Betz says.

"Structuring the abuse box to glean that information from the customer helps the financial institution know where to focus to address the root cause and take actions to reduce the risk and prevent future attempts, then share the actionable intelligence across the organization and the sector," she says. "\[Companies\] should implement structured fraud reporting systems to capture actionable data, coordinate across relevant departments, and participate in industrywide threat intelligence platforms to help the entire sector understand the current tactics being used by fraudsters."

The framework also calls for cataloging all of the ways a business communicates with customers and partners, a potentially time-consuming process. While automation can help, collaborating internally across groups and with third parties is key, says Betz.

"Leveraging a succinct data collection survey including the type, origin, and results of the fraudulent activity can help establish any trends in the phishing attempts and better identify any weak areas within networks," she says.

**Keeping Up With Attackers**

While all the steps included in the framework are common sense approaches to anti-phishing, implementing them all will take time, says Betz. For that reason, the FS-ISAC has listed the actions along with a step number to prioritize defensive efforts.

Whether establishing the processes and technologies called for by the Phishing Prevention Framework will lead to fewer successful phishing campaigns or just force attackers to evolve remains to be seen, says Matthew Harris, senior product manager for fraud at OpSec Security, a brand protection and anti-fraud firm.

"One thing I've learned about dealing with fraudsters is that they'll pivot instantly, and the problem is that they'll pivot far faster than any other company can pivot," he says. "If they realize that there's a way that they can get better ROI, they'll do it."

Scammers are already moving toward phishing attacks that increasingly use voice calls. Phone-based phishing started as a minor issue in 2021 and now accounts for nearly a quarter (23%) of all phishing attacks, according to data collected by OpSec Security. Phone-based phishing includes SMS phishing — "smishing" — and phishing emails that include a fraudulent phone number.

Because there are fewer integrity checks on phone calls, cyberattackers will likely increasingly use the telecommunications channel in their scams, says OpSec's Harris.

"As email security ... has gotten more and more advanced, it becomes more and more difficult \[for a scammer\] to communicate a traditional email to a person," he says. "By pivoting away from email and toward a phone number, ... there's a good chance a person is going to pick up that phone \[giving them\] access to the victim directly."

For that reason, the final step of the FS-ISAC's framework includes collaborating with telecommunications firms to reduce the attack surface area through phone systems. Many providers have technologies or services, such as "Do Not Originate," on numbers that are inbound only, giving business customers additional controls, says FS-ISAC's Betz.

"Partnerships with telecommunications providers are increasingly collaborative, as these companies recognize the mutual benefits of reducing spam and phishing attacks," she says.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Phishing Prevention Framework Reduces Incidents by Half

New analysis says law enforcement efforts against Russian-language ransomware-as-a-service (RaaS) infrastructure helped consolidate influence behind BlackBasta, but some experts aren't so sure the brand means that much.

Source: JK Sulit via Alamy Stock Photo

The Russian-language ransomware scene isn't all that big. And despite an array of monikers for individual operations, new analysis shows these groups' members are working in close coordination, sharing tactics, botnets, and malware among one another, as well as with the Russian state. And now, a new power player ransomware group brand has emerged — BlackBasta.

Since the spectacular law enforcement takedown of Conti's operations in 2022, the Russian-language ransomware landscape has been a bit in flux. Upending usual business operations further was the subsequent August 2023 takedown of Qakbot botnets, long relied upon by these groups to deliver their ransomware. The law enforcement action, called "Operation Duck Hunt," removed Qakbot malware from more than 700,000 infected machines. The Qakbot botnet takedown success would be short lived. Analysts started to see the it pop back up in cyberattacks just a couple of months later.

Even so, by January, BlackBasta has already pivoted and was observed using a competing botnet tool called Pikabot, along with an emerging new threat group, Water Curupira, which similarly used Pikabot to drop BlackBasta ransomware.

From there BlackBasta diversified into phishing, vishing, and social engineering, as well as buying entry into target networks from initial access brokers. But by last August, the ransomware group was using its own custom-developed malware, Cogscan, used to map victim networks and sniff out the most valuable data, as well as a .NET-based utility called Knotrock, used to execute ransomware.

Related:Dark Reading Confidential: Pen-Test Arrests, 5 Years Later

**Are Law Enforcement Takedowns Against Ransomware Working?**

In a new report, RedSense cybersecurity analyst Yelisey Bohuslavskiy has provided a detailed look at the evolution of BlackBasta tactics, concluding that the group's requirement to adapt in the wake of large-scale law enforcement has made it a leader in the Russian-language ransomware space. In fact, Bohuslavskiy worries that the group is in a position to become an important partner of the Russian state. In the report, he used the example of the punishing rounds of cyberattacks against the healthcare sector this year and a potential bleak peek at what's to come.

"Considering the abnormality of 2024 high-profile attacks against healthcare, I am concerned about the potential liaison between BlackBasta and \[Russian nation-state threat actor\] Nobelium \[Midnight Blizzard\] and the Russian security apparatus in general," Bohuslavskiy tells Dark Reading. "While at this point, the connection is mostly MS Teams exploitation and some other TTPs and can not be confirmed, if in the future Russian ransomware groups will develop direct cooperation with the Russian state, this will result in tangible deterioration of the threat landscape."

Related:Leaky Cybersecurity Holes Put Water Systems at Risk

He predicts that BlackBasta and the hackers in its orbit will get increasingly sophisticated in their attacks in the months to come, namely social engineering attempts at compromising credentials.

"I would advise preparing for defending different social engineering against endpoints with a focus on credentials," Bohuslavskiy adds. "Cisco, Fortinet, and Citrix credentials are definitely the main focus of BlackBasta now. I would also look at GitHub repositories and other open repositories that an enterprise may have, as we are seeing these actors hunting for them."

This is good news for cyber defenders. Social engineering is a much less efficient way to disseminate ransomware versus a botnet blast, Bohuslavskiy adds.

"To my opinion, the most important thing is that law enforcement action is working," he says. "The transition shows a slow but steady movement from botnets to social engineering, even for traditionalists like BlackBasta. And by all means, social engineering is inferior to botnets in dissemination."

Related:Going Beyond Secure by Demand

Bohuslavskiy points to the Conti group's foray into a massive experiment with call centers filled with people conducting social engineering cyberattacks, adding that it turned out to be a flop.

"Trickbot, Emotet, and Qbot were the ultimate sources of ransomware delivery for the entirety of the Russian-speaking domain, and by now, all of them are down due to law enforcement action," he says. "No substitute has come since. However, we should be aware that the leadership of the groups also understands this, and therefore, they will try to double down on developing new botnets. This is why I predict that BlackBasta's plays with social engineering will be short-lived."

**Russian-Language Ransomware Coordination**

Expert ransomware negotiator Ed Dubrovsky, COO and partner at Cypfer, isn't sure it's that simple. In his experience, he explains, these Russian RaaS operations are highly decentralized groups of individual hackers with a complex organizational structure. Assigning cooperation between groups and the Russian state implies a level of operational coordination he hasn't seen.

When one group is taken down by law enforcement, individual talent easily flows to another brand, in his view.

"We tend to bunch them up together into a named group like BlackBasta, which is nothing more than an umbrella structure offering software and infrastructure solutions and some adjacent services," Dubrovsky says. "They are completely dependent on the affiliates, aka franchisees, to actually conduct attacks. So to claim that there is cooperation between nation-state actors and a ransomware 'brand' or 'franchise' is almost equivalent to saying McDonald's is working with state actors because they have a McDonald's in Russia."

He suggests it's more likely individuals shuffling around ransomware trade secrets driven purely by return on investment rather than commitment to any specific group or specific fear of law enforcement.

It's also important to note that "Russian-speaking" doesn't necessarily mean "Russian threat actors" when it comes to the hackers circulating around these RaaS operations, Ngoc Bui, cyber expert with Menlo Security says.

"Many Dark Web forums and illicit communities predominantly use the Russian language, but this doesn’t necessarily mean all participants are Russian," she explains. "This distinction is critical when interpreting predictions about increased coordination."

She adds there is a "golden rule" among these adversaries.

"As long as operations don’t target Russia or its allies, they are often overlooked," she says. "This tolerance can make Russia an appealing environment for cybercriminals to operate, whether or not direct state coordination is involved."

Beyond assigning specific tactics to various brands, Dubrovsky urges cybersecurity teams to focus on protecting their systems from increasingly well-funded and well-trained Russian-speaking ransomware adversaries. The entire threat landscape has been exploding since 2013, and he views its "further deterioration" predicted by Bohuslavskiy as an obvious given.

"Could we say that this will accelerate even more due to the resources available to \[threat actors\] and certainly nation-states? Absolutely," Dubrovsky adds. "Would/could it be directly correlated because of observed TTPs? Not sure this will ever be conclusive. The real question is how do we defend against threat actors with increasing resources and capabilities to cause more impact."

BlackBasta Ransomware Brand Picks Up Where Conti Left Off

In a "new class of attack," the Russian APT breached a target in Washington, DC, by credential-stuffing wireless networks in close proximity to it and daisy-chaining a vector together in a resourceful and creative way, according to researchers.

Source: Science Photo Library via Alamy Stock Photo

A sophisticated cyber-espionage attack used by notorious Russian advanced persistent threat (APT) Fancy Bear at the outset of the current Russia-Ukraine war demonstrates a novel attack vector that a threat actor can use to remotely infiltrate the network of an organization far away by compromising a Wi-Fi network in close proximity to it.

Fancy Bear (aka APT28 or Forest Blizzard) breached the network of a US organization using this method, which the researchers at Volexity are calling a "Nearest Neighbor" attack.

"The threat actor accomplished this by daisy-chaining their approach, to compromise multiple organizations in close proximity to their intended target, Organization A," Volexity researchers Sean Koessel, Steven Adair, and Tom Lancaster wrote in a post detailing the attack. "This was done by a threat actor who was thousands of miles away and an ocean apart from the victim."

The hack demonstrated "a new class of attack" for an attacker so far away from the intended target to use the Wi-Fi method, the researchers said. Volexity tracks Fancy Bear — a part of Russia's General Staff Main Intelligence Directorate (GRU) that's been an active adversary for at least 20 years — as "GruesomeLarch," one of the APT's many names.

Volexity first discovered the attack just ahead of Russia's invasion of Ukraine in February 2022, when a detection signature Volexity had deployed at a customer site indicated a compromised server. Eventually, the researchers would determine that Fancy Bear was using the attack "to collect data from individuals with expertise on and projects actively involving Ukraine" from the Washington, DC-based organization.

Related:Dark Reading Confidential: Meet the Ransomware Negotiators

**A Cyberattack Chained Through Multiple Orgs**

The attack involved Fancy Bear performing credential-stuffing attacks to compromise at least two Wi-Fi networks in close physical proximity to the target. The attacker then used credentials to compromise the organization, since credential-stuffing attacks alone couldn't compromise the targeted organization's network due to the use of multifactor authentication (MFA), according to Volexity.

"However, the Wi-Fi network was not protected by MFA, meaning proximity to the target network and valid credentials were the only requirements to connect," the researchers wrote.

Ultimately, the investigation revealed "the lengths a creative, resourceful, and motivated threat actor is willing to go to in order to achieve their cyber-espionage objectives," they wrote.

During the course of a lengthy investigation, Volexity worked with not only with the targeted organization but also connected with two other organizations (aka Organizations B and C) that were breached to eventually reach the target.

Related:Ransomware Attack on Blue Yonder Hits Starbucks, Supermarkets

Ultimately, Volexity discovered an attack structure to breach Organization A that used privileged credentials to connect to it via the Remote Desktop Protocol (RDP) from another system within Organization B's network.

"This system was dual-homed and connected to the Internet via wired Ethernet, but it also had a Wi-Fi network adapter that could be used at the same time," the researchers explained in their post. "The attacker found this system and used a custom PowerShell script to examine the available networks within range of its wireless, and then connected to Organization A's enterprise Wi-Fi using credentials they had compromised."

Moreover, the APT also used two modes to access to Organization B's network to gain intrusion to the ultimate target, the researchers discovered. The first was using credentials obtained via password-spraying that allowed them to connect to the organization's VPN, which was not protected with MFA. Volexity also found evidence the attacker had been connecting to Organization B's Wi-Fi from another network that belonged to nearby Organization C, demonstrating the daisy-chain approach to the attack, the researchers wrote.

Related:Yakuza Victim Data Leaked in Japanese Agency Attack

Throughout the attack, Fancy Bear adopted a living-off-the-land approach, leveraging standard Microsoft protocols and moving laterally throughout the organization. One tool in particular that they made particular use of was an inbuilt Windows tool, Cipher.exe, that ships with every modern version of Windows, the researchers found.

**Beware Thy (Wi-Fi) Neighbors**

Because the attack highlights a new risk for organizations of compromise through Wi-Fi even if an attacker is far away, defenders "need to place additional considerations on the risks that Wi-Fi networks may pose to their operational security," treating them "with the same care and attention that other remote access services, such as virtual private networks (VPNs)," the researchers observed.

Recommendations for organizations to avoid such an attack include creating separate networking environments for Wi-Fi and Ethernet-wired networks, particularly where Ethernet-based networks allow for access to sensitive resources. They also should consider hardening access requirements for Wi-Fi networks, such as applying MFA requirements for authentication or certificate-based solutions.

To detect a similar attack once the threat actor achieves presence on the network, organizations should consider monitoring and placing an alert on anomalous use of the common netsh and Cipher.exe utilities. Defenders also can create custom detection rules to look for files executing from various nonstandard locations, such as the root of C:\\ProgramData\\, and improve detection of data exfiltration from Internet-facing services running in an environment.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Source

DARKReading