In the latest iteration, Qakbot operators are using DLL sideloading to deliver malware, a technique that places legitimate and malicious files together in a common directory to avoid detection.

Known for its constant evolution, Qakbot malware has returned with a new twist — the use of .DLL sideloading to execute the malicious file.

Researchers from Cyble recently warned that the threat group behind Qakbot (aka QBot) is after system credentials it can use to steal money through fraud, identity theft, and more. They added that Qakbot is very active at the moment.

Qakbot attacks rely on email phishing lures for initial access, the analysts said. But its latest iteration leverages DLL sideloading as a way to hide malware from detection. By including benign applications alongside malicious .DLL library files, the attackers are able to execute and deliver the malware payload undetected.

"The threat actors behind Qakbot are highly active and are continuously evolving their methods to increase their efficacy and impact," the Cyble team said in its latest report on Qakbot's activities. "Apart from the direct financial impact, this can also lead to incidences of fraud, identity theft, and other consequences for any victim of Qakbot malware."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Qakbot Is Back With a New Trick: DLL Sideloading

Security professionals can now achieve real-time protection for their workloads in minutes.

**BOSTON — July 25, 2022** — Aqua Security, the leading pure-play cloud native security provider, today announced the launch of out-of-the-box runtime protection with minimal configuration to stop attacks in real time on running workloads. Protection is composed of new curated and optimized default security controls, as well as advanced threat intel from observations of real attacks on cloud native environments. Both the controls and threat intel are the result of knowledge gained through years of securing customers’ live production environments. Customers can now apply this knowledge to achieve trusted and advanced runtime protection in minutes without requiring in-depth knowledge of their applications and environments.

Using eBPF technology and threat intel from cyber research team Aqua Nautilus to identify advanced threats, Aqua surfaces the most critical issues in real time while also implementing a set of controls to protect running workloads immediately, without disrupting the business.

“Aqua is transforming the runtime security paradigm,” said Amir Jerbi, CTO and co-founder, Aqua Security. “Traditional runtime security requires security teams to have a great deal of cloud native knowledge, and as a result has been slow to adopt. Aqua is removing this barrier to adoption by making cloud workload threat protection immediately effective and easy for security professionals.”

**Stopping Attacks in Real Time with Runtime Security  
**  
Recent data from Nautilus shows that one in three live attacks could be missed when relying exclusively on snapshot scanning of running workload images. Nautilus also found tens of thousands of instances of in-memory attacks and fileless attacks in a one-month period—attacks that would not be seen or stopped without kernel-level visibility.

Aqua’s detection of anomalous behavior goes beyond point-in-time snapshots and catches malicious behavior of known and unknown threats in real time—this includes both known CVEs and zero-day exploits that have yet to be discovered. The new default runtime controls are based on ongoing recommendations from Aqua Nautilus, who detect and analyze 80,000 attacks a month using Aqua’s open source eBPF-based threat detection engine, Aqua Tracee. The result is real-time visibility at the kernel level that alerts customers the moment an attacker breaches a running workload, reducing attackers’ dwell time from months to milliseconds.

The importance of runtime security in a platform is highlighted in Gartner’s Market Guide for Cloud Workload Protection Platforms (CWPP). According to Gartner, “CWPP offerings should start by scanning for known vulnerabilities and risks in development. At runtime, they should protect workloads from attack, typically using a combination of system integrity protection, application control, behavioral monitoring, host-based intrusion prevention and optional anti-malware protection.”

Aqua’s Runtime Protection solution is part of Aqua’s fully integrated Cloud Native Application Protection Platform (CNAPP), the Aqua Platform. Customers of the Aqua Platform also have access to the entire, full set of customizable, advanced runtime capabilities if and when they decide to define and implement more stringent policies.

Key benefits of Aqua Runtime Protection include:

*   **Discover attacks immediately** with continuously updated kernel-level behavioral detection. Updates are based on cloud native threat research from Aqua Nautilus along with years of experience securing customer workloads in production.
*   **Respond faster and reduce attacker dwell time** by stopping attacks with pattern-based anti-malware in production and the option to block or delete malware on access.
*   **Simplify incident investigation** and rapidly determine the impact and attack path of a security incident with a detailed incident timeline including rich contextual information.

“Unlike overly complex runtime solutions, legacy solutions not designed for cloud-native applications, or solutions that can’t detect in real time, our goal with this release is to provide runtime security that is simple to deploy, giving you effective real-time security out-of-the-box,” said Jerbi. “What this boils down to is that, unlike alternative solutions, Aqua’s Platform will both detect sophisticated attacks and stop them in real time.”

Aqua’s out-of-the-box Runtime Protection is now available and will make an industry debut at AWS re:Inforce on July 26-27 in Boston at Booth 104. To learn more, visit Aqua’s YouTube.

**\*Gartner, “Market Guide for Cloud Workload Protection Platforms,” Neil MacDonald, Tom Croll, 12 July 2021.**

**GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, and is used herein with permission. All rights reserved.**

**Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.**

**About Aqua Security**   
Aqua Security stops cloud native attacks and is the only company with a $1 Million Cloud Native Protection Warranty to guarantee it. As the pioneer and largest pure-play cloud native security company, Aqua helps customers unlock innovation and build the future of their business. The Aqua Platform is the industry’s most integrated Cloud Native Application Protection Platform (CNAPP), prioritizing risk and automating prevention, detection and response across the lifecycle. Founded in 2015, Aqua is headquartered in Boston and Ramat Gan, Israel, with Fortune 1000 customers in over 40 countries. For more information, visit https://www.aquasec.com.

Aqua Launches Out-of-the-Box Runtime Security with Advanced Protection against the Most Sophisticated Threats

Attackers are willing to replicate entire networks, purchase domains, and persist for months, not to mention spend significantly to make these campaigns successful.

The one-year anniversary of the Kaseya attack this month marks an appropriate time to look back at supply chain threats and what has — and has not — changed.

Let's start with what _has_ changed: more checklists. Oversight across code that's loaded across customer sites now involves far more paperwork, especially for managed service providers (MSPs). Leadership teams now realize the amount and complexity of code going in and out of their organizations and hope to get more eyes on it. Sadly, much of the new processes involve checking a box, rather than implementing technical cybersecurity steps that could make a difference in threat prevention. But we'll get to solutions for that in a moment.

What also has changed is the noted sophistication level of adversaries. A willingness to set up an entire replicated network, purchase domains, and persist for months and possibly years represents a significant increase in investment in concerted campaigns. Kaseya reminded us that everyone in the ecosystem is a target. We have always had cyberwarfare. Now we have more heavily funded, more vastly staffed attackers pounding on our supply chains (and everything else).

What has _not_ changed? The idea of using legitimate distribution of code to distribute illegitimate backdoors. As far back as at least 2002, attackers used Trojan-horse techniques to backdoor security tools and email servers. Hackers have always sniffed and surveyed customer and supplier environments to look for the mundane, the routine, the usual. It's there that they find unguarded corners to slip in malicious code, as humans are lulled into daily routines. Kaseya and especially SolarWinds show more complex, persistent techniques and they are very widely used enterprise apps, yet the supply chain attack idea has been around for decades.

Security techniques have not changed enough, which is why security focus is moving to more response and remediation. This leads to talking about solutions and where we go from here. Pointing to challenges is not meant to be disheartening. It's meant to be realistic, knowing we're all in this together.

I suggest three major avenues to explore that can be useful to address the security issues Kaseya made more noticeable.

**Change Your Technical Environment**

Move away from allowance of third-party actions without associated monitoring, most notably by adopting zero trust. Anyone touching an enterprise resource is untrusted. Period. Vendors, contractors, employees need the same level of multifactor authentication (MFA) and other security treatments.

In addition, monitor third parties more than you would anyone else. They have the privileged accounts. Yet you know far less about when your European automation company partner pushes out code in your environment than when Brian in Seattle releases your product to customers. Super-high alerting on these accounts is warranted to pick up anything suspicious, as early as possible.

On the code creation side, understanding that business still needs to move quickly despite heightened security, it's okay to keep working on small bursts of code (sprints) and move at a reasonable pace (biweekly releases). Yet know when it's smarter to pause for a security cross-check rather than push and ignore. Specific tactics could include time-boxing exactly when code may be pushed, from where and by whom. That alone can uncover suspicious code. The OWASP top 10 will identify the easier security issues. But for Kaseya-style attacks, you'll need to look for who or what is running a command on a server, for example, which is why more defined developer processes and roles can help.

And don't forget about trusted devices. Know which physical machines have the greatest access rights and consider pairing them with physical presence. The combination of zero trust, MFA, and device trust, together with tactics that keep developers safe, can all be beneficial.

**Change Your Legal Safeguards**

Rather than checkbox that a vendor filled out a risk questionnaire, revisit your master services agreements (MSAs) with third parties. Clauses such as woeful misconduct, negligence, and unlimited liability are the source of fruitful conversations. These help walk through who can cover what, and where the gaps are, allowing necessary safeguards to occur somewhere (rather than nowhere). Align these agreements with your cybersecurity policy. The worst time to review your MSA is in the deadline-driven moments after an attack is discovered.

**Change Your Mentality**

Accept that even the most well-funded, advanced security organizations in the world are regularly attacked and breached. It's not if, it's when, which means it's how quickly can you recover. If you have no staff available for recovery, it's as bad as having no security monitoring in place.

Plan ahead with the mentality you will need people to sift and act and move on attack remediation. This makes it far less painful when you experience the next Kaseya. Vendor response approaches have improved, with customers giving Kaseya positive feedback on their transparency, communication, and sense of urgency in handling the threat discovery. This came after SolarWinds had to struggle through a far more sophisticated and multistage attack. SolarWinds opened a new line of vendor communications and other topics of discussion that later vendors could turn to as precedent.

For a simple starting point on all this, consider choosing one supplier providing the most amount of code updates. Practice the three steps above and hone to your unique environment and business requirements. Once you see gaps in your staff or solutions, take action, whether onboarding security specialists in-house or externally. After all, we're all in this together.

Getting Ahead of Supply Chain Attacks

Two previously unknown critical vulnerabilities within FileWave’s multiplatform MDM system could grant malicious actors access to the platform's most privileged user account.

Two vulnerabilities in FileWave's multiplatform mobile device management (MDM) system would have allowed malicious actors to bypass authentication mechanisms, taking control of the platform and the devices linked to it.

FileWave's MDM platform allows admins to push software updates to devices, lock them or even remotely wipe devices.

A report from Claroty's Team82 takes a closer look at CVE-2022-34907, an authentication bypass flaw, and CVE-2022-34906, a hard-coded cryptographic key — vulnerabilities that Filewave addressed with a recent update.

According to the report, the researchers discovered more than 1,100 different instances of vulnerable Internet-facing FileWave MDM servers across multiple industries, including in large enterprises, education, and government agencies.

**Buggy MDM Admin Web Server**

The platform's MDM Web server, written in Python, is a key component that allows the admin to interact with the devices and receive information from them.

"Since this service should be accessible to mobile devices at all times, it is usually exposed to the Internet, and handles both clients’ and admins’ requests," according to the report. "Its connectivity makes it a primary target in our research on this platform."

One of the back-end services on the server, the scheduler service, which schedules and executes specific tasks required by the MDM platform, uses a hard-coded shared secret function to grant access to the "super\_user" account — the platform’s most privileged user.

"If we know the shared secret and supply it in the request, we do not need to supply a valid user's token or know the user's username and password," the report says.

Also, by exploiting the authentication-bypass vulnerability, the team was able to achieve super\_user access and take full control over any Internet-connected MDM instance.

In a proof-of-concept exploit, the team was able to push a malicious package to all the devices in the system and then execute remote code to install fake ransomware across all of them.

"This exploit, if used maliciously, could allow remote attackers to easily attack and infect all Internet-accessible instances managed by the FileWave MDM, ... allowing attackers to control all managed devices, gaining access to users' personal home networks, organizations' internal networks, and much more," according to the Monday report.

Users should apply the patches as soon as possible to avoid becoming a victim of an attack, researchers warn.

**Attacks on Endpoints Rise**

There has been a rise in attacks against endpoint management products in recent years, including one of the more high-profile attacks targeting the Kaseya VSA.

In that attack, automation allowed a REvil ransomware gang affiliate to move from exploitation of vulnerable servers to installing ransomware on downstream customers faster than most defenders could react.  

While mobile attacks have been occurring for years, the threat is rapidly evolving into sophisticated malware families with novel features, with attackers deploying malware with full remote access capabilities, modular design, and worm-like characteristics posing significant threats to users and their organizations.

Meanwhile, a survey released earlier this month by Adaptiva and and Ponemon Institute revealed the average enterprise now manages approximately 135,000 endpoint devices — a rapidly proliferating attack surface.

**Zero Trust Bolsters Endpoint Protection**

Organizations can improve endpoint management by implementing zero-trust policies for greater control, and using bring-your-own device (BYOD) security and MDM tools. But they must also take proactive steps such as keeping apps current and training staff to keep sensitive company data safe and employees' devices secure.

In addition, Claroty notes that creating temporary keys that are not stored in central repositories and that time out automatically could improve endpoint and MDM security, even for small businesses.

Critical Filewave MDM Vulnerabilities Allow Attackers Full Mobile Device Control

Cyber threats are putting environmental, social, and governance discussions at the forefront of board meetings and C-suite discussions around the globe.

Environmental, social, and governance (ESG) considerations are hardly new topics when it comes to compliance reporting for financial services firms, but the impact of cybersecurity breaches on the governance component soon will gain a much higher profile for financial and non-financial organizations alike. Whether addressing privacy issues, the financial losses of ransomware, or business continuity from a governance perspective, cyber threats are putting ESG discussions at the forefront of board meetings and C-suite discussions around the globe.

The reporting changes US companies face could expand significantly due to recent rule modifications from the Securities and Exchange Commission's Chairman Gary Gensler. Cybersecurity governance reporting requirements similar to those for auditing and financial reporting found in the Sarbanes-Oxley Act of 2002 (SOX) would be a key component of the new regulations.

SOX governance requirements focus on helping protect investors from fraudulent financial reporting by corporations, while cybersecurity governance is designed to improve reporting on new and past cyberbreaches. Existing corporate governance, risk, and compliance (GRC) policies and procedures will not be sufficient to address these rules.

Alla Valente, a senior analyst at Forrester, characterizes the proposed SEC regulation modifications as "Sarbanes-Oxley light." The proposed rules state that companies need to report _material_ cybersecurity incidents within four days of identification, she notes. The problem is that "material" is not defined and varies by industry, so companies are left guessing when the clock starts to report incidents. This could lead to both over-reporting and under-reporting of cyber incidents, she says.

**Pressure Drives Cybersecurity Measures**

Complying with the proposed rules also could have a direct impact on an enterprise's ability to obtain cyber insurance, Valente notes. Despite the current chaos in the cyber insurance market that is driving prices up and coverage down while cyber insurers reduce inventory, these rule changes potentially can further increase pressure on companies to implement cybersecurity controls that they otherwise might not have instituted at this time. It also would require far more information on past breaches and how they are being managed and mitigated.

"Management's new role in reporting and cyber governance, and the boards' new responsibility to shed light on their expertise and oversight, will drive extra scrutiny on enterprise security programs," says Jason Hicks, field CISO at the cybersecurity consulting firm Coalfire.

"This puts the CISO on the hot seat," he continues. "It's also likely to drive boards to try and add executives with cybersecurity experience to their team. Given the small number of qualified people available, I could also see boards hiring their own consultants to advise them on cybersecurity risk and the adequacy of the company's security program.

"All of these areas will need to be factored into the governance portion of your ESG approach," Hicks adds. "Management is already responsible for managing cybersecurity risk, so this is not creating an entirely new class of responsibility, although it is making several changes to the burden and complexity."

**Transnationals Take Initiative**

Hicks notes that the way organizations view transparency and the cultural norms of a company's operating environments can play into how they respond. "The multinationals need to balance their approach given the different approaches globally."

Valente agrees. Europeans tend to be more proactive in defending against data breaches than American companies. The rules change could force domestic organizations to be more proactive, particularly when it comes to third-party risk management, a key security control.

"Once this becomes final, we will see an effort to be proactive. Some \[organizations\] will follow the letter of the law, and might be successful in the short term, but marginally," Valente says. "Others will follow the spirit of the law and use that as a means to improve, diversify, and make that proactive \[third-party\] risk management part of who they are. It'll be ingrained in their corporate DNA. Those are the organizations that are really going to thrive from this."

**Companies Can Get Started**

Steven Yadegari, CEO of the investment consulting firm FiSolve and former general counsel at the law firm Cramer Rosenthal McGlynn, says board members will look for specific reporting on cybersecurity. This will include quarterly reports focused on cybersecurity and meetings with individuals charged with oversight of the area, such as the CISO, leading the effort.

"The new rules would require formal risk assessments, specific controls, monitoring measures, and a reporting system of incidents. To the extent some of these areas are not addressed in existing programs, boards will want to understand how managers intend to comply with these potential requirements. Those conversations should be underway and should not wait for adoption of new rules," Yadegari says.

Many companies today are more carefully managing their vendors and overseeing their policies and procedures, he notes. This is particularly true of third-party service providers and suppliers that might have contact with an enterprise's sensitive information.

"It behooves companies to ensure they have a robust cybersecurity program and third-party risk management (TPRM) program, which will in turn provide comfort to companies who rely on their services," Yadegari says.

While the final language of the proposed SEC rule changes has yet to be made public, the proposed language can be found here.

Understanding Proposed SEC Rules Through an ESG Lens

Dark Reading's weekly roundup of all the OTHER important stories of the week.

Welcome to Dark Reading's weekly digest of the can't-miss stories of the week, featuring the lowdown on the Neopets breach and what it means for consumer-facing companies of all kinds; Google Drive and the trouble with the malicious use of cloud applications; a slew of disclosures about state-sponsored campaigns; and a Google Ads-related malvertising issue.  

Dark Reading's editors have gathered all of the interesting threat intelligence and cyber-incident stories that we just didn't get to earlier but would feel wrong not covering. In this week's "in case you missed it" (ICYMI) digest, read on for more on the following:

*   Neopets & Gaming's Lax Security
*   SolarWinds Hackers Embrace Google Drive in Embassy Attacks
*   Nation-State Attacks Ramp Up in APT-a-Palooza
*   Google Ads Abused as Part of Tech Support Scams

**Neopets & Gaming's Lax Security**

Neopets this week became the third gaming platform in the space of a week to be hit with a cyberattack (after Bandai Namco and Roblox), highlighting the interest that attackers have in hitting "leisure-activity" companies during the summer months. According to reports, the purveyor of virtual pets was robbed for its source code as well as the personal information belonging to its 69 million users.

A hacker who goes by the handle of "TarTarX" is putting the ill-gotten goods up for sale for 4 bitcoins, which translates to around $92,000 using Friday's exchange rate. The stolen PII appears to include data includes members' usernames, names, email addresses, ZIP codes, dates of birth, gender, country, and game-related information.

It's unclear how TarTarX gained access to the website, but Javvad Malik, security awareness advocate at KnowBe4, notes that the attack should be a wake-up call to all consumer-focused enterprises to better secure their data.

“We've seen toy manufacturers and games developers hit in the past due to the vast amount of personal data they collect," he says. "Such organizations should be mindful of the information they gather and the purpose of it. Holding excessive data means greater liability should a breach occur."

Any users impacted by the breach should ensure the password they used for Neopets isn’t used elsewhere, given the potential for credential-stuffing attacks, he adds.

**SolarWinds Hackers Embrace Google Drive in Embassy Attacks**

The hackers behind the sprawling SolarWinds supply chain attack are at it again, this time abusing Google Drive to smuggle malware onto targets' machines.

The advanced persistent threat (APT), tracked as APT29, Cloaked Ursa, Cozy Bear, or Nobellium, launched two waves of email-borne attacks between May and June. According to an analysis from Palo Alto Networks' Unit 42, the attacks targeted a foreign embassy in Portugal and another in Brazil. The group used a supposed agenda for an upcoming meeting with an ambassador as a lure.

"In both cases, the phishing documents contained a \[Google Drive\] link to a malicious HTML file (EnvyScout) that served as a dropper for additional malicious files in the target network, including a Cobalt Strike payload," according to Unit 42's post this week.

APT29 is believed by the US government to be affiliated with Russia’s Foreign Intelligence Service (SVR), and is widely considered to be responsible not only for SolarWinds but also the hack of the United States Democratic National Committee (DNC) in 2016.

The use of legitimate cloud services to deliver malicious payloads is on the rise as cybercriminals look to take advantage of the entrenched trust that millions of business users (and email gateways) have in them. Lior Yaari, CEO and co-founder of Grip Security, noted that this points to the need to better vet content coming from software-as-a-service (SaaS) app.

“The recent malicious activity discovered using Google Drive is emblematic of the SaaS security challenge — universal accessibility and ease of deployment," he said in a statement to Dark Reading. "Before Google Drive, there was Dropbox and before Dropbox, APT29 was hitting Microsoft 365. The SaaS security challenge for campaigns like these only illustrates the trend toward exploiting SaaS’s strengths for nefarious ends. And the matter only becomes worse with more SaaS out-of-sight for many security teams.”

**Nation-State Attacks Ramp Up in APT-a-Palooza**

Speaking of APTs, several nation-state-backed campaigns came to light this week. For instance, Citizen Lab said that it had forensically confirmed that at least 30 individuals were infected with NSO Group’s Pegasus mobile spyware after an extensive espionage campaign that took place late last year. The effort targeted Thai pro-democracy protesters and activists calling for reforms to the monarchy.

Google's Threat Analysis Group for its part flagged an odd false-flag operation in Ukraine. The Russia-linked hacking group Turla (aka Snake, Uroburos, and Venomous Bear) have created a malicious Android app that masquerades as a tool for Ukrainian hackers looking to carry out distributed denial-of-service (DDoS) attacks against Russian websites. Turla dubbed the app CyberAzov, in reference to the Azov Regiment or Battalion, a far-right group that has become part of Ukraine’s national guard.

CyberAzov is "hosted on a domain controlled by the actor and disseminated via links on third party messaging services," according to Google TAG. While the app is distributed under the guise of performing DDoS attacks, "the 'DoS' consists only of a single GET request to the target website, not enough to be effective."

In reality, the app is "designed to map out and figure out who would want to use such an app to attack Russian websites," according to an additional commentary from Bruce Schneier.

Meanwhile, Cisco Talos observed an unusual campaign targeting Ukrainian entities, which it said is likely attributable to Russia. This attack stood out amidst the barrage of cyberattacks that have been mounted against Ukraine, researchers said, because the attack targeted a large software development company whose wares are used in various state organizations within Ukraine.

"As this firm is involved in software development, we cannot ignore the possibility that the perpetrating threat actor's intent was to gain access to source a supply chain-style attack," researchers said in a posting this week, adding that the persistent access could also have been leveraged in other ways, including gaining deeper access into the company's network or launching additional attacks such as ransomware.

Also notable is the fact the effort revolved around "a fairly uncommon piece of malware" called GoMet; GoMet is an open source backdoor that was first seen in the wild in March.

And finally, the government of Belgium issued a statement disclosing a spate of attacks against its defense sector and public safety organizations emanating from three China-linked threat groups: APT27, APT30, and APT31 (aka Gallium or UNSC 2814).

The "malicious cyber activities … significantly affected our sovereignty, democracy, security and society at large by targeting the FPS Interior and the Belgian Defence," according to the statement.

**Google Ads Abused as Part of Tech Support Scams**

People performing a Google search for Amazon, Facebook, YouTube, or Walmart could find themselves browser-hijacked, researchers warned this week.

A malvertising campaign is abusing Google’s ad network to redirect visitors to an infrastructure of tech support scams, according to Malwarebytes.

"The threat actors are … purchasing ad space for popular keywords and their associated typos," researchers explained in a posting. "A common human behavior is to open up a browser and do a quick search to get to the website you want without entering its full URL. Typically a user will (blindly) click on the first link returned (whether it is an ad or an organic search result)."

In Google search results, those first returned links could be ads that redirect users to fake warnings urging them to call rogue Microsoft agents for support, researchers explained.

"Victims were simply trying to visit those websites and relied on Google Search to take them there. Instead, they ended up with an annoying browser hijack trying to scam them," researchers lamented.

The approach could just as easily be used to redirect to malicious sites serving up malware or phishing pages, researchers noted. Users — especially business users — should always take care to be skeptical when unexpected browser redirects occur.

ICYMI: Neopets & the Gaming Problem; SolarWinds Hackers Are Back; Google Ads Abused

A hardcoded password associated with the Questions for Confluence app has been publicly released, which will likely lead to exploit attempts that give cyberattackers access to all Confluence content.

Atlassian on Thursday urged organizations using its Questions for Confluence app to immediately update to the latest version of the software or to apply a mitigation measure to protect against a critical vulnerability in the product — one of three critical bugs disclosed by the vendor this week.

The "patch now" advice was prompted by the public disclosure of a hardcoded password associated with the Questions app that gives a remote, unauthenticated attacker a way to log into Confluence and access all content in the broader confluence-users group.

Many organizations use Confluence for project management and collaboration among teams scattered across on-premises and remote locations. Often Confluence environments can house sensitive data on projects that an organization might be working on, or on its customers and partners.

The Questions app meanwhile allows for a Q&A/crowdsourcing function within a given workspace.

The problem primarily impacts organizations using Questions for Confluence Server and Data Center versions 2.7.34, 2.7.35, and 3.0.2 of the app. However, even organizations using other versions of Confluence could potentially be affected, Atlassian said. The vulnerability does not affect the Questions for Confluence app for Confluence Cloud.

**Bracing for Exploits**

"The issue is likely to be exploited in the wild now that the hardcoded password is publicly known," Atlassian warned. "This vulnerability (CVE-2022-26138) should be remediated on affected systems immediately," the vendor said.

Atlassian disclosed the bug on Wednesday. The company described the issue as resulting from a Confluence user account that is created when the Questions for Confluence app is enabled either on Confluence Data Center or Confluence Server. The user account — with the username "disabledsystemuser" — is designed to help administrators migrating data from these apps to Confluence Cloud.

But the account is created with a hardcoded password that is added to the confluence-users group. This allows attackers to view and edit all non-restricted pages within the Confluence user-group by default, according to Atlassian. So, any attacker with knowledge of the password can log in remotely to the Confluence collaboration environment and access whatever content other users in the group can access, the software vendor said.

Soon after Atlassian's advisory Wednesday, a security researcher published the hardcoded password on Twitter, prompting Atlassian's urgent update Thursday.

The company's advisory provided details on how organizations can determine if they are affected by the vulnerability or might have already been compromised via an exploit targeting the flaw. Atlassian urged organizations to update to versions 2.7.38 or 3.0.5 of the software or to disable or delete the disabledsystemuser account.

Importantly, merely uninstalling the Questions for Confluence application would not remediate against the vulnerability because the disabledsystemuser account would still remain in place after the app is removed, Atlassian warned.

**Two Other Critical Vulnerabilities**

The other two critical vulnerabilities that were disclosed (CVE-2022-26136 and CVE-2022-26137) exist in multiple versions of almost all Atlassian products. These include Bamboo Server and Data Center, Bitbucket Server and Data Center, Confluence Server and Data Center, Crowd Server and Data Center, Jira Server and Data Center, and Jira Service Management Server and Data Center.

CVE-2022-26136 is an authentication-bypass vulnerability in Java code called Servlet Filter for intercepting and processing HTTP requests from and to a client and a backend system. The vulnerability gives attackers a way to use a specially crafted HTTP request to bypass Servlet Filters that third-party apps might use to enforce authentication.

The same vulnerability also allows attackers to use specially crafted HTTP requests to trick users into executing arbitrary JavaScript in the user's browser.

Atlassian said it had been able to confirm such attacks are possible but has still not been able to determine all third-party apps that might be affected by the issue.

The flaw tracked as CVE-2022-26137 also exists in Servlet Filter and gives remote, unauthenticated attackers a way to access vulnerable applications by using a specially crafted HTTP request to trick users into requesting a malicious URL. Atlassian has released updated versions of its software for all affected products to address these vulnerabilities.

**Atlassian's Ongoing Cybersecurity Woes**

The latest flaws mark the second time in the past two months that organizations using Atlassian's technology have been forced to scramble to fix serious flaws in its products.

In early June, the company disclosed a critical remote code-execution vulnerability (RCE) impacting all supported versions of Confluence Server and Data Center. The bug (CVE-2022-26134) gave unauthenticated attackers a way to drop a Web shell on affected systems. It generated considerable concern because threat actors had already begun exploiting it by the time the company issued a fix for it.

Attackers quickly began actively exploiting the flaw to distribute a variety of malware, including Mirai bot variants, cryptominers, ransomware and the Cobalt Strike post-exploit attack kit. Many of the attacks were automated in nature.

An analysis by Barracuda showed that 45% of attempts to exploit the vulnerability were from Russia-based IP addresses; 25% percent of the exploit attacks were from the US; and 11% originated from IP addresses in India.

Critical Bugs Threaten to Crack Atlassian Confluence Workspaces Wide Open

Candiru attackers breached a news agency employee website to target journalists with DevilsTongue spyware, researchers say.

A zero-day vulnerability in Google Chrome was used by the established spyware group Candiru to compromise users in the Middle East — specifically journalists in Lebanon.

Avast researchers said attackers compromised a website used by news agency employees in Lebanon, and injected code. That code identified specific, targeted users and routed them to an exploit server. From there, the attackers collect a set of about 50 data points, including language, device type, time zone, and much more, to verify that they have the intended target.

At the very end of the exploit chain, the attackers drop DevilsTongue spyware, the team noted.

"Based on the malware and TTPs used to carry out the attack, we can confidently attribute it to a secretive spyware vendor of many names, most commonly known as Candiru," the Avast researchers explained.

The original vulnerability (CVE-2022-2294), discovered by the same Avast team, was the result of a memory corruption flaw in WebRTC. Google issued a patch on July 4.

"The vulnerabilities discovered here are definitely serious, particularly because of how far-reaching they are in terms of the number of products affected — most modern desktop browsers, mobile browsers, and any other products using the affected components of WebRTC," James Sebree, senior staff research engineer with Tenable, said via email. "If successfully exploited, an attacker could potentially execute their own malicious code on a given victim's computer and install malware, spy on the victim, steal information, or perform any other number of nefarious deeds."

But, Sebree added, the original heap overflow flaw is complicated to exploit and won't likely result in widespread, generalized attacks.

"It's likely that any attacks utilizing this vulnerability are highly targeted," Sebree explained. "While it's unlikely that we will see generalized attacks exploiting this vulnerability, the chances are not zero, and organizations must patch accordingly."

Candiru (aka Sourgum, Grindavik, Saito Tech, and Taveta) allegedly sells the DevilsTongue surveillance malware to governments around the world. The Israeli company was founded by engineers who left NSO Group, maker of the infamous Pegasus spyware.

The US Commerce Department added Candiru to its "Entity List" last year, effectively banning trade with the company. The list is used to restrict those deemed to pose a risk to US national security or foreign policy.

Google Chrome Zero-Day Weaponized to Spy on Journalists

Luna, Black Basta add to rapidly growing list of malware tools targeted at virtual machines deployed on VMware's bare-metal hypervisor technology.

The latest confirmations of the growing attacker interest in VMware ESXi environments are two ransomware variants that surfaced in recent weeks and have begun hitting targets worldwide.

One of the malware tools, dubbed Luna, is written in Rust and can encrypt data on ESXi virtual machines (VMs) in addition to data on Linux and Window systems. The other is Black Basta, a rapidly proliferating ransomware variant written in C++ that, like Luna, targets ESXi VMs and also works on Windows and Linux systems as well.

They add to a collection of ransomware variants aimed at ESXi, VMware's bare-metal hypervisor for running virtual machines. Numerous organizations use the technology to deploy multiple VMs on a single host system or across a cluster of host systems, making the environment an ideal target for attackers looking to cause widespread damage.

"Infrastructure services like networking equipment and hosting infrastructure like ESXi can't easily be patched on demand," says Tim McGuffin, director of adversarial engineering at Lares Consulting. "Attacking these services provides a one-stop shop for impact since a large number of servers can be encrypted or attacked at once."

Other recent examples of malware targeting ESXi environments include Cheerscrypt, LockBit, RansomEXX, and Hive.

**The Cross-Platform Ransomware Threat**

Researchers from Kaspersky first spotted Luna in the wild last month. Their analysis shows the malware to fall into the trend of several other recent variants that are written in platform-agnostic languages like Rust and Golang, so they can be easily ported across different operating systems. The researchers also found the malware to employ a somewhat rare combination of AES and x25519 cryptographic protocols to encrypt data on victim systems. The security vendor assessed the operator of the malware to be likely based in Russia.

Kaspersky's analysis of a recent version of Black Basta — a ransomware variant it has been tracking since February — shows the malware has been tweaked so it can now encrypt specific directories, or the entire “/vmfs/volumes” folder, on ESXi VMs. The malware uses the ChaCha20 256-bit cipher to encrypt files on victim systems. It also uses multithreading to speed up the encryption process by getting all processors on the infected systems to work at the same time on the task.

Since surfacing in February, the operators of Black Basta have managed to compromise at least 40 organizations worldwide. Victims include organizations in the manufacturing and electronics sectors in the US and multiple other countries. Available telemetry suggests the threat actor could soon chalk up other hits across Europe, United States, and Asia, according to Kaspersky.

**A Target for Inflicting Wide Damage**

The proliferation of ransomware targeting ESXi systems poses a major threat to organizations using the technology, security experts have noted. An attacker that gains access to an EXSi host system can infect all virtual machines running on it and the host itself. If the host is part of a larger cluster with shared storage volumes, an attacker can infect all VMs in the cluster as well, causing widespread damage.

"If a VMware guest server is encrypted at the operating system level, recovery from VMware backups or snapshots can be fairly easy," McGuffin says. '\[But\] if the VMware server itself is used to encrypt the guests, those backups and snapshots are likely encrypted as well." Recovering from such an attack would require first recovering the infrastructure and then the virtual machines. "Organizations should consider truly offline storage for backups where they will be unavailable for attackers to encrypt," McGuffin adds.

Vulnerabilities are another factor that is likely fueling attacker interest in ESXi. VMware has disclosed multiple vulnerabilities in recent months. In February, for instance, the company disclosed five flaws — including important and critical ones — that affected ESXi (CVE-2021-22040, CVE-2021-22041, CVE-2021-22042, CVE-2021-22043, and CVE-2021-22050). The same month, VMware announced a heap overflow vulnerability in the technology (CVE-2021-22045), and there have been multiple other moderate to low severity flaws the company has disclosed over the past year or so, including a critical remote code execution flaw.

"In recent months, VMware ESXi had several notable vulnerability disclosures and patches, which might be why attackers have an increased interest in targeting those environments," says Joseph Carson, chief security scientist and advisory CISO at Delinea. Most of these virtual environments tend to have a strong backup and snapshot strategy. However, attackers can cause a significant impact if they can also deploy ransomware on the backup systems as well, he says.

Carson advocates that organizations running VMware conduct risk assessments and consistently check for known vulnerabilities and misconfigurations to ensure they are patched and configured correctly. They also need to ensure that Internet-facing systems have strong access controls in place to ensure only authorized employees have access to those systems.

Matthew Warner, chief technology officer and co-founder at Blumira, points to the Log4j vulnerability as another likely reason for the mushrooming attacker interest in ESXi environments. "VMware has an incredibly wide range of solutions that utilized Log4i and were impacted by this vulnerability," he says. VMware itself acted quickly to provide mitigation guidance. But it's likely that many ignored the mitigation advice and are now targets of ransomware purveyors, he says.

"There is almost never a situation where VMware Horizon should be Internet-facing," Warner says. "It opens up untold amounts of risk to the infrastructure." Blumira has run into several instances where VMware Horizon servers were exposed due to access control issues on the firewalls, not to purposeful exposure. "This serves as a good reminder that your DMZ and Internet exposure must be monitored on an ongoing basis within your environment," he advocates.

Snowballing Ransomware Variants Highlight Growing Threat to VMware ESXi Environments

The ever-evolving threat from phishing is growing more sophisticated as attackers design high-pressure situations and leverage ever-more-convincing social engineering tactics to increase their success rates.

This week, it came to light that gaming platform Roblox was breached via a phishing/social-engineering attack that led to the theft of internal documents and the leaking of them online in an extortion attempt.  

The hacker has posted documents on a forum that purport to contain information about some of Roblox's most popular games and creators, according to Motherboard. Additionally, some of the documents include individuals' personally identifiable information.  

But Roblox is hardly alone — it's just the latest in a long line of corporate phishing victims. The success of these attacks showcases just how effective phishers have become at manipulating employee targets at various enterprises. 

In the last few months, the IT security news cycle has been dominated by reports of phishing attacks exploiting trusted applications like email, QuickBooks, and Google Drive, to name just a few. This week, research from Avanan shows that hackers have found a new way into the inbox by creating fake invoices in PayPal, leveraging the site's legitimacy to gain access.  

The abuse of legitimate services is a key factor in the latest spate of phishing attacks, which use social engineering tactics to lure victims into giving up information like login credentials. SlashNext Threat Labs reported a 57% increase in phishing attacks from trusted services between the fourth quarter of 2021 and the first months of 2022.

In June, Microsoft 365 and Outlook customers were targeted with voicemail-themed emails as phishing lures, while QuickBooks users were victims of back-to-back campaigns in June and July, including a vishing scam targeting small businesses. And, indeed, concerns over multichannel phishing attacks are growing, with a particular focus on smishing and business text compromises.

Meanwhile, cloud collaboration and the use of tools like Zoom and Microsoft Teams have exploded during the past two years since the onset of the pandemic, and have become standard operating procedures for remote workers. Attackers have seen this trend and capitalized on it.

**Phishing Lures Grow in Sophistication**

Jeremy Fuchs, cybersecurity research analyst at Avanan, points out that phishing attacks continue to become more sophisticated, and social engineering tactics continue to evolve. He says he thinks there will be increased usage of legitimate services like PayPal to send phishing emails that come from a legitimate email address.

"We've seen an uptick in so-called double-spear tactics, whereby the hackers not only get your funds, but they also get your phone number for future attacks," he says. "We'll see more of these attacks that can snag more than one item from an end user."

Gretel Egan, senior cybersecurity awareness training specialist at Proofpoint, says she continues to see attackers abusing well-known brands and taking advantage of legitimate services to trick people into making fundamental mistakes in the inbox.

"These are messages that look 'right' on the surface, that tap into ways of working," she says. "These types of subtle manipulations can be difficult for people to spot, and it's critical that workers be made aware of attackers' capabilities and propensities to operate in this manner."

Egan explains that threat actors are using real-time events and themes that have the attention of the wider world.

"If it's something we are talking about as a society, or something that elicits strong emotions, then it is content that is likely to be exploited," she says. "Increasingly, we are seeing threat actors use their social engineering content to move victims out of the corporate email environment to alternate communication platforms such as the telephone and conferencing software."

**Distributed Workforce Adds to Vulnerabilities**

Social engineering is inherently people-centric, and in today's hybrid workforce, organizations are struggling to protect data, devices, and systems while remaining agile.

Egan points out employees are also having to adapt to remain connected and engaged with their co-workers.

"Those in remote and hybrid environments are relying heavily on collaboration applications and social media, both public and enterprise," she says. "These trends have opened the door to a whole host of social engineering tactics and other cyber threats."

She notes social engineering techniques aren’t seen only in emails — these tactics are being used successfully across text messages, phone calls, direct messages, and more.

Fuchs agrees remote work has its challenges, including not being able to stop by IT's desk to ask about an email.

"But while working from home, distraction might play a role," he adds. "There are more stimuli — the dog barking, the child crying, answering a thousand Slack messages — that taking the time to focus on the keys in an email that alert you to the fact it might be suspicious can go to the wayside."

**Deploying Advanced ML, AI Tech**

Fuchs argues IT policies must move away from static "allow and block lists" and move toward advanced AI.

"Static lists allow these legitimate services to be used for phishing," Fuchs says. "Advanced AL and ML can suss out what's real and what's not."

Egan says multilayered protection is the best strategy against phishing emails, layered within a culture of security with the placement of people at the center.

She adds that it's important to understand which users are most targeted and which are the likeliest to fall for the social engineering that phishing attacks rely on.

"Users are a critical line of defense against phishing and it's important that security awareness education provides a foundation to ensure everyone can identify a phishing email and easily report it," she says. "This should be combined with layered defenses at the email gateway, in the cloud, and at the endpoint."

Fuchs agrees that, for employees, training continues to be a must and it needs to focus on having the user slow down and check a few critical signs, like sender address and URL destination.

From his perspective, a two-second check can often avoid disaster.

"The key takeaway from this this deluge of phishing attacks is that hackers have found tremendous success leveraging legitimate brands," he says.

Whether it's spoofing the brand or sending phishing emails directly from the service, anything that looks like a trusted brand is more likely to land in the user's inbox and more likely to be acted upon.

"Impersonation scams are on the rise, and, given the tremendous amount of services they can leverage, it's not likely to slow down," he warns.

Source

DARKReading