CREST provides commercially defensible scoping, delivery, and sign-off
recommendations for penetration tests.

ROSELAND, N.J., Aug. 1, 2022 /PRNewswire/ — CREST, the international not-for-profit, membership body representing the global cyber security industry, has announced the release of its CREST Defensible Penetration Test, a specification that provides recommendations on how penetration tests should be scoped, delivered and signed off. With significant growth in the numbers of penetration tests being carried out around the world, the need to define best practice has become increasingly important. CREST has worked alongside industry recognized and peer-selected experts to define a minimum set of expectations associated with a penetration test.

The guidance focuses on defining a CREST Defensible Penetration Test and is designed to help service providers and their clients to work more effectively together to conduct penetration tests.

"A CREST Defensible Penetration Test provides flexibility built around a minimum set of expectations that will drive better outcomes for buyers across the globe," explained Rowland Johnson, CREST President. "It provides the industry with a much needed commercially defensible assurance activity that is appropriately scoped, executed, and signed off."

Across the globe it is widely acknowledged that the definitions, practices, and expectations associated with a penetration test are inconsistent and fluid. This makes it difficult to define or parameterize a series of activities that looks at all possible requirements, engagements or scenarios. For example, a penetration test may need to assess a mobile phone at one end of the spectrum or an aircraft carrier at the other.

This new CREST guidance provides a best practice framework for penetration test defensibility and an assurance of penetration tester competence. It will help organizations that are looking to procure penetration testing services and organizations that deliver penetration testing services.

Only when the following three elements are satisfied will the CREST Defensible Penetration Test be commercially defensible:

— The need for penetration testing service providers to have appropriate policies, procedures, practices and methodologies  
— The need for all individuals involved in a penetration test to have appropriate levels of skills, experience and competency  
— The need for penetration testing service providers and the individuals conducting the assessment to work towards a defined and agreed test specification

More information on the CREST Defensible Penetration Test is available at: Implementation & Procurement Guides — CREST (crest-approved.org)

About CREST

CREST is an international not-for-profit, membership body representing the global cyber security industry. Its goal is to help create a secure digital world for all by quality assuring its members and delivering professional certifications to the cyber security industry.

CREST accredits almost 300 member companies, operating across dozens of countries, and certifies thousands of professionals worldwide. It works with governments, regulators, academe, training partners, professional bodies and other stakeholders around the world.

CREST members undergo a rigorous quality assurance process and employ competent professionals. Organizations buying their cyber security services from CREST members do so with confidence.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

CREST Defensible Penetration Test Released

A Justice Department official testifies to a House committee that the cyberattack is a "significant concern."

Testimony provided by a Justice Department official to the US House of Representatives late last week has revealed that law enforcement is investigating a cyberattack on the federal courts' record-management system, reportedly launched by three hostile nation-states.

Head of the DoJ's National Security Division Matt Olsen told the committee that the incident, first discovered in March, is a "significant concern," according to Reuters.

While unable to offer more specific information about the nations behind the cyberattack, Olsen added his division is focused on China, Russia, Iran, and North Korea, Reuters said.

"While I can't speak directly to the nature of the ongoing investigation of the type of threats that you've mentioned regarding the effort to compromise public judicial dockets, this is of course a significant concern for us given the nature of the information that's often held by the courts," Olsen said during his testimony.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

DoJ: Foreign Adversaries Breach US Federal Court Records

Customers across several European countries are urged to update credentials in the wake of the attack that affected a gas-pipeline operator and power company.

Following a July 25 announcement that its subsidiaries had been breached in a ransomware attack, Encevo, an energy supplier based in Luxembourg, followed up a few days later with an update that teams were currently investigating the extent of the damage done.   

Now, new reports say the BlackCat ransomware group has posted 150GB of data on its extortion site, purportedly stolen from Encevo, including contracts, passports, bills, and emails — and the group is threatening to release them within hours if the ransom isn't paid. 

BlackCat has emerged as a formidable ransomware actor, formed with members from infamous, and now defunct, groups that include BlackMatter and REvil. 

The attack specifically affected natural gas-pipeline operator Creos and the energy supplier Enovos, Encevo assured users supply would not be disrupted as a result of the attack but recommended that customers update their login details as soon as possible, "insofar the respective sites/portals are accessible," the company said in its statement about the cyberattack.

"For now, the Encevo Group does not yet have all the information necessary to inform personally each potentially affected person. This is why we ask our customers not to contact us for the moment."  

It added, "Once again we apologize to our customers for inconvenience and we do our best to restore full service as soon as possible. Creos and Enovos emphasize once again that the supply of electricity and gas are not affected and that the breakdown service is guaranteed."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Ransomware Hit on European Pipeline & Energy Supplier Encevo Linked to BlackCat

Canary tokens — also known as honey tokens — force attackers to second-guess their potential good fortune when they come across user and application secrets.

With nearly half of all breaches involving external attackers enabled by stolen or fake credentials, security firms are pushing a high-fidelity detection mechanism for such intrusions: canary tokens.

Canary tokens, a subset of honey tokens, are manufactured access credentials, API keys, and software secrets that, when used, trigger an alert that someone is attempting to use the fake secret. Because the credentials are not real, they would never be used by legitimate workers, and so any attempt to access a resource using the canary token is a high-confidence sign of a compromise.

Last week, secrets-management firm GitGuardian released a version of the technology, _ggcanary_, as an open source project on GitHub. The project, tailored to Amazon Web Services (AWS) credentials, is designed to give developers a simple-to-use tool to detect attacks on their software development pipeline, says Henri Hubert, lead developer for GitGuardian's Secrets Team.

"You can put them almost everywhere," he says. "The best place to put them is in the CI/CD pipeline or in your artifacts used in that pipeline, such as Docker images. But you can also put them in your private repositories and your local environment. You can put them almost anywhere that is related to your developers' work."

    

Credentials are a popular target of theft. Source: 2022 Data Breach Investigations Report, Verizon

As the use of cloud services and APIs have taken off, attackers have increasingly targeted such infrastructure with stolen credentials and API tokens. The average company uses more than 15,000 APIs, tripling in the past year, while malicious attacks on those APIs have jumped seven-fold, according to research released in April. In addition, nearly 50% of all breaches not otherwise due to user error or misuse make use of credentials, according to Verizon's "2022 Data Breach Investigations Report" (DBIR). 

**Tripwires Slow Down Attacks**

Unsurprisingly, more companies are using canary tokens to create digital minefields for which attackers need to be wary or otherwise get caught. By seeding file servers, development servers, and personal systems with files that contain credentials or links that can act as tripwires, companies make lateral movement within their systems much more hazardous for attackers, says Haroon Meer, founder and CEO of Thinkst, a cybersecurity consultancy that created its own infrastructure for canary devices and tokens, including servers, sensors, and credentials.

Yet, attackers really have no choice: They cannot ignore potential legitimate credentials during an intrusion, he says.

"If they happen to find AWS credentials or the keys to someone's Kubernetes cluster, attackers have to try it — it's really hard for them to not to use those," Meer says. "And if you get notified the moment that they try it, then you shrink the exposure window so dramatically because you are not finding out months later after they have done everything to you."

Thinkst's Meer likes to point to comments from penetration testers and red teams that highlight the utility of canary tokens. Attackers have to always second guess any cache of credentials, API keys, or software secrets that they find, and that slows them down, tweeted Shubham Shah, a bug hunter, penetration tester, and chief technology officer at attack-surface management startup Assetnote.

"The concept and use of canary tokens has made me very hesitant to use credentials gained during an engagement, versus finding alternative means to an end goal," Shah said. "If the aim is to increase the time taken for attackers, canary tokens work well."

GitGuardian's _ggcanary_ focuses on Amazon Web Services because of the popularity of the platform and of the infrastructure-as-code management platform, Terraform. In its best-practices document, Amazon highlights that control of AWS access keys equals control of all AWS resources.

"Anyone who has your access keys has the same level of access to your AWS resources that you do," Amazon stated in its "Best practices for managing AWS access keys" document. "Consequently, AWS goes to significant lengths to protect your access keys, and, in keeping with our shared-responsibility model, you should as well."

**Everyone Likes Canaries**

Companies such as Thinkst, GitGuardian and Microsoft are aiming to make canary tokens much easier to deploy — often in minutes.

Yet defenders are not the only ones to find uses for canaries. Attackers have also started using canary tokens as a way to detect when defenders analyze their malware.

In a recent report of an attack by the Iran-linked group MuddyWater, Cisco's Talos Intelligence group noted the simple usage of canary tokens. The initial malware — a Visual Basic script — sends two requests for the same canary token to validate a compromise. If only a single request is detected, which would likely happen during sandboxed execution or during analysis, then the malware does not run.

"A reasonable timing check on the duration between the token requests and the request to download a payload can indicate automated analysis," stated Cisco's threat intelligence team in an advisory. "Automated sandboxed systems would typically execute the malicious macro generating the token requests."

Credential Canaries Create Minefield for Attackers

"Bruggling" emerges as a novel technique for pilfering data out from a compromised environment — or for sneaking in malicious code and attack tools.

Bookmark synchronization has become a standard feature in modern browsers: It gives Internet users a way to ensure that the changes they make to bookmarks on a single device take effect simultaneously across all their devices. However, it turns out that this same helpful browser functionality also gives cybercriminals a handy attack path.

To wit: Bookmarks can be abused to siphon out reams of stolen data from an enterprise environment, or to sneak in attack tools and malicious payloads, with little risk of being detected.

David Prefer, an academic researcher at the SANS Technology Institute, made the discovery as part of broader research into how attackers can abuse browser functionality to smuggle data out from a compromised environment and carry out other malicious functionality.

In a recent technical paper, Prefer described the process as "bruggling" — a portmanteau of browser and smuggling. It's a novel data exfiltration vector that he demonstrated with a proof-of-concept (PoC) PowerShell script called "Brugglemark" that he developed for the purpose.

**The Fine Art of Bruggling**

"There's no weakness or vulnerability that is being exploited with the synchronization process," Prefer stresses. "What this paper hones in on is the ability to name bookmarks whatever you want, and then synchronize them to other signed-in devices, and how that very convenient, helpful functionality can be twisted and misused in an unintended way."

An adversary would already need access — either remote or physical — to the environment and would have already infiltrated it and collected the data they want to exfiltrate. They could then either use stolen browser synchronization credentials from a legitimate user in the environment or create their own browser profile, then access those bookmarks on another system where they've been synchronized to access and save the data, Prefer says. An attacker could use the same technique to sneak malicious payloads and attack tools into an environment.

The benefit of the technique is, put simply, stealth.

Johannes Ullrich, dean of research at the SANS Institute, says data exfiltration via bookmark syncing gives attackers a way to bypass most host and network-based detection tools. To most detection tools, the traffic would appear as normal browser synch traffic to Google or any other browser maker. "Unless the tools look at the volume of the traffic, they will not see it," Ullrich says. "All traffic is also encrypted, so it is a bit like DNS over HTTPs or other 'living off the cloud' techniques," he says.

**Bruggling in Practice**

In terms of how an attack might be carried out in the real world, Prefer points to an example where an attacker might have compromised an enterprise environment and accessed sensitive documents. To exfiltrate the data via bookmark synching, the attacker would first need to put the data into a form that can be stored as bookmarks. To do this, the adversary could simply encode the data into base64 format and then split the text into separate chunks and save each of those chunks as individual bookmarks.

Prefer discovered — through trial and error — that modern browsers allow a considerable number of characters to be stored as single bookmarks. The actual number varied with each browser. With the Brave browser, for example, Prefer discovered he could synchronize, very quickly, the entirety of the book _Brave New World_ using just two bookmarks. Doing the same with Chrome required 59 bookmarks. Prefer also discovered during testing that browser profiles could synchronize as many as 200,000 bookmarks at a time.

Once the text has been saved as bookmarks and synchronized, all that the attacker would need to do is sign into the browser from another device to access the content, reassemble it, and decode it from base64 back into the original text.

"As for what kind of data could be exfiltrated via this technique, I think that's up to the creativity of an adversary," Prefer says.

Prefer's research was primarily focused on browser market share leader Google Chrome — and to a lesser extent on other browsers such as Edge, Brave, and Opera, which are all based on the same open source Chromium project that Chrome is built upon. But there's no reason why bruggling won't work with other browsers such as Firefox and Safari, he notes.

**Other Use Cases**

Significantly, bookmark syncing is not the only browser function that can be abused this way, Prefer says. "There are plenty of other browser features that are used in synchronization that could be misused in a similar way, but would require research to investigate," he says. As examples, he points to autofills, extensions, browser history, stored passwords, preferences, and themes, which can all be synchronized. "With a bit of research, it might turn out that they can also be abused," Prefer says.

Ullrich says Prefer's paper was inspired by earlier research that showed how browser extension syncing could be used for data exfiltration and command and control. With that method, however, a victim would have been required to install a malicious browser extension, he says.

**Mitigating the Threat**

Prefer says organizations can mitigate the risk of data exfiltration by disabling bookmark syncing using Group Policy. Another option would be to limit the number of email domains that are allowed to sign in for syncing, so attackers would not be able to use their own account to do it.

"\[Data loss protection\] DLP monitoring that an organization already performs can be applied here as well," he says.

Bookmark syncing would not work very well if the syncing happened at a slower speed, Ullrich says. "But being able to sync 200,000+ bookmarks, and only seeing some speed throttling after 20,000 or 30,000 bookmarks makes this \[very\] valuable," he says.

Thus, browser makers can make things harder for attackers for instance by dynamically throttling bookmark syncing based on factors like the age of an account or logins from a new geographic location. Similarly, bookmarks that contain base64 encoding could be prevented from syncing, as well as bookmarks with excessive names and URLs, Prefer says.

Chromium Browsers Allow Data Exfiltration via Bookmark Syncing

Come up with a clever caption, and our panel of experts will reward the winner with a $25 Amazon gift card.

Something peculiar seems to be happening high up in the treetops. Any ideas what it could be? Send us your caption ideas for the above cartoon, and the winner of The Edge's August contest will receive a $25 Amazon gift card. 

We offer four convenient ways for you to submit your ideas:

*   Email _\[email protected\]_ with the subject line "The Edge July 2022 Toon."
*   Via social media: Twitter, Facebook, and LinkedIn_._

The contest closes on Wednesday, August 24, 2022.

**Last Month's Winner**

And .... he does it again! AgCredit IT director Allen Campbell, who won our May "Flower Power" contest, captured the most votes for his caption for last month's contest, "On Guard." A $25 gift card is on the way for his clever caption, below. Thank you to everyone who participated.

    

  

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Name That Edge Toon: Up a Tree

Tech companies play a vital role in global communication, which has profound effects on how politics, policies, and human rights issues play out.

The idea of mixing work and politics has always been a fraught topic, and understandably so. Most companies have customers — and employees — on both ends of the political spectrum, and remaining neutral is often the only way to make sure all parties feel respected and comfortable. They say never to discuss religion or politics at a dinner party; well, the same rule could be applied to the marketplace or workplace. 

The problem is, "politics" is a word that covers a vast expanse of topics, and at some point everyone — even company leaders — need to draw a line. Neutrality isn't always an option. 

Consider, for example, a hypothetical infrastructure bill making its way through Congress. This is politics we likely wouldn't discuss at work for a number of reasons. It might be a sensitive topic; there will likely be extreme positions on both sides of the aisle about whether the bill should be passed, adjusted, or blocked completely. Is it essential for a business to take a public stance on this? Except for a few niche businesses, probably not. Companies can (and often should) remain neutral. 

But what about when it's an issue of human rights? Of war? Genocide? These topics, on a global stage, are often considered politics, but they likely affect a huge percentage of customers in much more profound ways than other issues we consider politics. The decision of whether to remain neutral, therefore, is much more complicated. Some companies choose to take a political stance; others insist on "staying in their lane" and focusing only on their products or services. 

But there, of course, is the rub: the products and services. What if a company's product or service directly affects, benefits, or connects to the issue at hand? Is a neutral stance really possible at that point? Or does neutral mean complicit? 

Tech companies, in particular, must reckon with this question. We can't pretend the products we create aren't used on a global stage, for all kinds of uses — some positive and some downright nefarious. But if our tools are used by, say, governments to commit war crimes, can we really say we're neutral? 

**How Are Your Tools Being Used?**

We must do more. Some of the behemoths of the tech industry have obscene amounts of power over culture, communications, laws, and policies worldwide. With that kind of power, neutrality is impossible. But what exactly does this mean? It means tech companies need to take more ownership of how their tools are being used. 

That could start with something as simple as withdrawing business. If a company is selling products or services to an entity that is knowingly committing harm — and, worse, using those products or services to do so — that company has chosen a side. They are not neutral. Tech companies need to recognize this and make the hard decisions to pull out of these kinds of business relationships. 

My own company recently did just this. We believe we have a responsibility to stand with the people of Ukraine, against Russia, and we have taken steps accordingly. We no longer do business with companies in support of Russia, and we offer our services for free for those actively supporting, or on the ground in, Ukraine. To do otherwise would be tantamount to supporting the Russian invasion; there simply is no neutral option. 

Why do business leaders seem to think that if profit is involved, morality ceases to exist? That mentality belies the real reasoning behind so-called neutrality: If profit is involved, many leaders simply don't care about anything else. It also reveals a certain short-sightedness because, let's be honest, losing profit in the short term for a reason like this will often actually help your business in the long term. Customers care about these things, and they don't take kindly to businesses supporting egregious acts of violence. 

But the imperative goes further than this. So many tech companies today play a vital role in global communication, which has profound effects on how politics, policies, and real human rights issues play out. And yet these companies — social media companies, content platforms, and the like — all still seem to want to remain as neutral as possible. We can't have it both ways. Neutrality inevitably will favor one side or another. As the writer, Nobel laureate, and Holocaust survivor Elie Wiesel summed up so succinctly: "Neutrality helps the oppressor, never the victim." 

We are living in the age of all things digital, in the transformation of every aspect of global society at the hands of technical innovation. This is powerful — thrilling, even — and can truly make this world a better place. That's why so many of us got into tech in the first place, isn’t it? For that hope. That thrill. But it will matter little, or not at all, if the technological advances we make just add fuel to a fire of hate, authoritarianism, or war. We must take responsibility for the technology we're creating; companies must do more. We must use the incredible tools at our disposal to help the oppressed and give up this fruitless quest to be forever "neutral." Neutrality is cowardice.

For Big Tech, Neutrality Is Not an Option — and Never Really Was

Identity and access management was front and center at AWS re:inforce this week.

Amazon emphasized identity and access management during its AWS re:Inforce Security conference in Boston this week. Among announcements for GuardDuty Malware Detection and Amazon Detective for Elastic Kubernetes Service (EKS), Amazon Web Services executives highlighted the launch of IAM Roles Anywhere from earlier this month, which enables AWS Identity and Access Management (IAM) to run on resources outside of AWS. With IAM Roles Anywhere, security teams can provide temporary credentials for on-premises resources.

IAM Roles Anywhere enables on-premises servers, container workloads, and applications to use X.509 certificates for the temporary AWS credentials, which can use the same AWS IAM roles and policies. "IAM Roles provides a secure way for your on-premises servers, containers, applications, to obtain temporary AWS credentials," AWS VP of Platforms Kurt Kufeld said.

Creating temporary credentials is an ideal alternative when they are only needed for short-term purposes, Karen Haberkorn, AWS director of product management for identity, said during a technical session.

"This extends IAM Roles so you can use them and workloads running outside of AWS that lets you tap into all the power of AWS services wherever your applications are running," Haberkorn said. "It lets you manage access to AWS services in the exact same way you are doing today for applications that run in AWS, for applications that run on premises, at the edge — really anywhere."

Because IAM Roles Anywhere enables organizations to configure access the same way, it reduces training and provides a more consistent deployment process, Haberkorn added. "And yes, it means a more secure environment," she said. "It's more secure because you no longer having to manage the rotation and the security of any long-term credential that you might have used for on-premises applications in the past."

**New IAM Identity Center**

Amazon also announced that it has renamed its AWS Single Sign-On offering "AWS Identity Center." Principal product manager Ron Cully explained in a blog post this week that the name change is to better reflect its full set of capabilities and to support customers who in recent years have shifted to a multi-account strategy. AWS is also looking to "reinforce its recommended role as the central place to manage access across AWS accounts and applications," Cully wrote.

While AWS hasn't announced any technical changes to AWS Identity Center, Cully said that it has emerged as the "front door into AWS." AWS Identity Center handles all authentication and authorization requests, and now processes half a billion API calls per second.

Curtis Franklin, a senior analyst who covers enterprise security management and security operations at Omdia, noted that AWS underscored IAM throughout the 2-day conference. "AWS gave signs that it considers identity the frontline to security and privacy in the cloud," he said. "I think they are going to continue to bring in partners so that AWS is the single source of truth about who authorized users are and what privileges they can have."

AWS Focuses on Identity Access Management at re:Inforce

While attackers continue to rely on older, unpatched vulnerabilities, many are jumping on new vulnerabilities as soon as they are disclosed.

Attackers play favorites when looking at which software vulnerabilities to target, according to researchers from Palo Alto Networks.

Nearly one in three, or 31%, of incidents analyzed by Unit 42 in its 2022 "Incident Response Report" resulted from attackers gaining access to the enterprise environment by exploiting a software vulnerability. Six CVE categories accounted for more than 87% of vulnerabilities being exploited: ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), Log4j, ProxyLogon (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065), multiple vulnerabilities in SonicWall and Fortinet products, and a vulnerability in Zoho ManageEngine ADSelfService Plus (CVE-2021-40539).

In 55% of incidents where Unit 42 was able to identify the vulnerability, the attackers had targeted ProxyShell. Just 14% of those cases involved Log4j. Unit 42 researchers analyzed data from a sampling of over 600 incident response engagements between April 2021 and May 2022 for the report.

While attackers continue to rely on older, unpatched vulnerabilities, many are looking at new vulnerabilities as well. Scanning for vulnerabilities is not a difficult task, so attackers begin scanning for systems with a newly disclosed vulnerability as soon as they learn about them.

"The 2021 Attack Surface Management Threat Report \[released in April\] found that attackers typically start scanning for vulnerabilities within 15 minutes of a CVE being announced," the company said in blog post accompanying the incident response report. "In fact, it can practically coincide with the reveal if the vulnerabilities themselves and the access that can be achieved by exploiting them are significant enough."

As an example, researchers detected scanning and exploitation attempts targeting the authentication bypass vulnerability in F5 BIG-IP appliances (CVE-2022-1388) 2,552 times within 10 hours.

Exploiting software vulnerabilities was the second most common attack method, according to the Unit 42 analysis. The top access vector was phishing. Brute-force credential attacks, primarily targeting Remote Desktop Protocol, rounded out the top three. These three attack vectors made up more than three-quarters of incidents (77%) analyzed in the incident response report.

Attackers Have 'Favorite' Vulnerabilities to Exploit

Dark Reading's digest of other "don't-miss" stories of the week — including a Microsoft alert connecting disparate cybercrime activity together, and an explosion of Luca Stealer variants after an unusual Dark Web move.

Being a cybersecurity-focused news team is a busy business, and we can't always bring you all the news that's fit to print in a given week. That's why we've developed our weekly digest that rounds up all of the things that we couldn't get to, in case you missed it (ICYMI).

This week, we go deep into the world of the cybercrime underground, and how these markets and the complex relationships typically function.

ICYMI, read on for the following stories from the Dark Web:

*   **Raspberry Robin USB Worm Linked to Evil Corp.**
*   **Initial Access Brokers Are Now Actively Targeting MSPs**
*   ****Dozens of Luca Stealer Variants Rise Up After Author Goes Open Source****

**Raspberry Robin USB Worm Linked to Evil Corp.**

Raspberry Robin, a backdooring worm that infects PCs via Trojanized USB devices before spreading to other devices on a target's network, has been marshalled into service to enable a campaign that appears to track with Evil Corp. tactics.

According to an updated alert from Microsoft on Thursday, existing, dormant Raspberry Robin infections are being used by a known initial access broker (tracked by the tech giant as DEV-0206) to deploy the FakeUpdates malware, which in turn fetches additional code.

At this point, Evil Corp. takes over, according to the analysis. In this stage, FakeUpdates delivers Cobalt Strike and other hallmarks of "pre-ransomware," before deploying a custom in-house ransomware payload such as WastedLocker, PhoenixLocker, or Macaw.

"Around November 2021, \[Evil Corp.\] started to deploy the LockBit 2.0 … payload in their intrusions," according to the post. "The use of a RaaS payload by the Evil Corp. activity group is likely an attempt … to avoid attribution to their group, which could discourage payment due to their sanctioned status."

DEV-0206 and Evil Corp. have worked together for a while, Microsoft notes, but the initial access was before achieved via malvertising. The connection to Red Raspberry is new and notable, according to the researchers.

"We continue to see Raspberry Robin activity, but we have not been able to associate it with any specific person, company, entity, or country," says Katie Nickels, director of intelligence at Red Canary, which first discovered the threat in 2021. "Ultimately, it’s too early to say if Evil Corp is responsible for, or associated with, Raspberry Robin."

**Initial Access Brokers Are Now Actively Targeting MSPs**

Initial access brokers (IABs) are a key piece of the underground economy; they break into networks, establish backdoors, then rent that access to fellow nefarious types. Researchers at Huntress this week revealed a new twist: IABs actively hawking access to a managed service provider (MSP) as a way to get to their downstream customers.

Huntress CEO Kyle Hanslovan came across an ad on an underground forum offering just such access, boasting that the rental would include an "in" to the networks of at least 50 of the MSP's customers.

MSPs were, infamously, the target for the Kaseya fiasco, which resulted in more than 5,000 organizations suffering REvil ransomware attacks.

MSPs remain an attractive supply chain target for attackers of all types, as flagged by US federal agencies in May. A warning for MSPs and their customers noted that MSPs in multiple countries (including Australia, Canada, New Zealand and the UK) were likely being actively targeted.

**Dozens of Luca Stealer Variants Rise Up After Author Goes Open Source**

The infostealing baddie known as Luca Stealer is about to become more prevalent on the cybercrime scene, researchers are warning, thanks to the source code being revealed online.

Researchers at Cyble said this week that the developer of the Rust-coded malware decided to openly post the source code on cybercrime forums and on GitHub on July 3, in hopes of burnishing a fledgling reputation as a malware coder. It's an odd move in a world where custom malware can be rented out at a premium.

Less than a month later, there are already more than 25 Luca Stealer samples making the rounds, developed by multiple threat actors. And there will likely be even more, given that the original author continued to update the GitHub code, and has provided helpful tips on how to modify it for crime and profit.

Luca Stealer has a host of concerning capabilities, including the ability to lift data from Chromium-based browsers, exfiltrate files, and steal information from messaging applications and cryptowallets. In current observed campaigns, cybercriminals are especially going after crypto enthusiasts, according to Cyble.

Source

DARKReading