The rapidly growing Atlas Intelligence Group relies on cyber-mercenaries to carry out its missions.

A threat group calling itself the Atlas Intelligence Group (AIG, aka Atlantis Cyber-Army) has recently surfaced with what appears to be a somewhat different — and potentially trend-setting — cybercrime model.

Researchers from Cyberint who were the first to spot the group described the threat actor as selling a variety of services via its main website, including access to stolen databases, exclusive data leaks, distributed denial-of-service (DDoS) services, and initial access to enterprise networks via RDP clients and Web shells. Cyberint said this week that its researchers spotted AIG in May and have observed it growing rapidly since then.

What makes the threat actor different from the myriad others with similar offerings is the fact that the operators themselves appear to be entirely outsourcing the actual hacking activities to independent cyber-mercenaries who have no direct connection to the operation. For instance, when a client purchases AIG's DDoS, data theft, or malicious spam services, the group advertises for and hires independent contractors to execute the actual tasks. That's unlike most threat groups. which recruit and maintain the same team of hackers for different campaigns.

**A Model for OpSec**

AIG's model appears designed to ensure a high level of operations security for its leaders by keeping them segregated from those doing the criminal hacking activity, according to Cyberint.

"AIG is the first group I've seen that is using this business model," says Shmuel Gihon, security researcher with Cyberint. "Every team has its leaders, and every team has key members. But here it's different: we have one leader that controls everything and everyone."

AIG's business model appears designed to take advantage of the growing number of hacker-for-hire groups that have begun surfacing all over the world in recent years. The groups, many of which operate out of India, Russia, or the United Arab Emirates, specialize in breaking into target networks, stealing data, and carrying out a variety of other malicious activities on behalf of the clients who hire them. One example of such a group is Russia-based "Void Balaur," a cyber-mercenary group that researchers at Trend Micro and others have linked to attacks on thousands of organizations and individuals for several years.

Gihon says Cyberint's analysis of AIG's activities shows it is being run by a secretive individual using the handle "Mr. Eagle." This individual appears responsible for initiating all AIG campaigns and plans. Cyberint has so far been able to identify at least four other individuals that are operating under this leader, and who are responsible for tasks such as advertising the group's services, communicating with customers, and operating its Telegram channels.

"What makes them different is the fact that they are very good \[at\] making themselves anonymous and approaching this operation as entrepreneurs and not as technical people," Gihon says. The group's behavior suggests the core members — or at least its leader — were red teamers or malicious hackers that have decided to lead rather than operate.

"They have been around in the darknet and in the cybercrime industry for a while and observed how things are operating," he added.

**Telegram Communications**

Cyberint said it has observed the group use three different Telegram channels, with thousands of subscribers between them, for its operations.

One of the channels is a marketplace for leaked databases. The databases appear to belong to organizations in different sectors such as government, finance, manufacturing, and technology, from around the world. The collection of databases on sale via the Telegram channel suggests that AIG isn't focusing on any specific region or sector. Rather, the group appears to be targeting organizations that it thinks might be valuable for potential buyers.

Some of the databases are available for as little as 15 euros and contain information such as email and physical addresses, phone numbers, and other information likely of interest to distributors of malicious spam, spear-phishing groups, and hacktivists.

"AIG claims that these databases are exclusive, so the assumption is that they obtained it \[via\] their contractors," Gihon says. Given the low price, it is unlikely that AIG obtained them from a third-party and is reselling them, he says.

AIG has a second Telegram channel that it uses to publish ads for various hacking services that it might be looking for, and where hackers have an opportunity to bid for contracts. The channel serves as the threat group's source for finding malware developers, social engineers, red teamers, and other cyber-mercenaries.

AIG's third Telegram channel, which serves as its communication channel, is where the group posts announcements, lists of intended targets, and other information. The threat actor also maintains an e-commerce store where people can purchase AIG's services and stolen databases using cryptocurrency.

Gihon says AIG's business model gives it a level of flexibility that other threat groups do not have.

"The leader is not bound to any one of the members because they are all contractors," he says. "So, while other groups have their ups and downs given the fact that they are the same group of people most of the time, Mr. Eagle has the privilege to hire the best of the best anytime," he says. "This could make this team very lethal in the end game."

'AIG' Threat Group Launches With Unique Business Model

Law enforcement hopes that retuning ransom payments to impacted businesses will demonstrate that working with the feds following a cybersecurity breach is "good business."

Two healthcare companies — one in Kansas and another in Colorado — are about to have about $500,000 in combined ransomware payments returned, after the Department of Justice was able to follow a cryptocurrency trail back to Maui operators and seize the extorted funds. 

The Federal Bureau of Investigation seized the Maui-connected cryptocurrency accounts back in May and is now working through the courts with the Department of Justice to return the money to its victims. Maui is a strain of ransomware with ties to the North Korean state that focuses its crippling cyberattacks on healthcare and public health organizations. 

The returned ransom success story is meant to serve as a signal to other targeted organizations that working with law enforcement following a cybersecurity incident is "good business," Assistant Attorney General Matthew G. Olsen of the Justice Department's National Security Division said in a statement about the court filing. 

"The FBI is dedicated to working with our federal and private sector partners to disrupt nation-state actors who pose a critical cyber-threat to the American people,” FBI Cyber Division Assistant Director Bryan Vorndran said about the recovered Maui ransomware payments. "We will continue to pursue these malicious cyber-actors, such as these North Korean hackers, who threaten the American public regardless of where they may be and work to successfully retrieve ransom payments where possible." 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Feds Recoup $500K From Maui Ransomware Gang

CHICAGO, July 20, 2022 /PRNewswire/ -- **Data-centric Security Market** **size is projected to grow from an estimated value of USD 4.2 billion in 2022 to USD 12.3 billion by 2027, at a Compound Annual Growth Rate (CAGR) of 23.9% from 2022 to 2027** **according to a new report by MarketsandMarkets™.** The need to secure most sensitive information (credit card numbers, intellectual property, or medical records), stringent compliances and regulations; the need to secure sensitive data on cloud, and growing data breach incidents is driving the growth of data-centric security market across the globe.

**_Browse in-depth TOC on_** **"Data-centric Security Market"  
362 – Tables  
41 – Figures  
269 – Pages**

**Download Report Brochure:** https://www.marketsandmarkets.com/pdfdownloadNew.asp?id=1504980

**By component, the services segment to register the highest growth rate during the forecast period**

Based on component, data-centric security services have witnessed a growing demand in recent years. The services segment includes various services that are required to deploy, execute, and maintain data-centric security platforms in organizations. Enterprises need support from service providers to enhance their data management, policy control, auditing & reporting, data protection, and for maintaining the governance over various silos. Professional service providers help enterprises in deploying data centric security software and solutions and managing all the queries in the product life cycle.

The professional services are offered through professionals, specialists, or experts to support the business. These services include consulting, designing and development and implementation, and support services. The latest techniques, strategies, and skills adopted by the professionals are said to be helping organizations in adopting data centric security features. They also offer customized implementation and risk assessment and assist with the deployment via industry-defined best practices.

With the increasing demand for data-centric security solutions in high-growth markets such as APAC and MEA, there is a significant demand for training and education services to spread awareness about various data-centric security solutions.

**Request Sample Pages:** https://www.marketsandmarkets.com/requestsampleNew.asp?id=1504980

**Based on organization size, the SMEs segment to grow at the highest CAGR during the forecast period**

By organization size, the data centric security market is sub-segmented into large enterprises and SMEs. SMEs use data centric security solutions to reduce data fraud while enhancing the customer experience. The growing usage of mobile devices has influenced the data transfer over business networks to personal devices, such as mobile phones and laptops. Hence, this helps in increasing the fraudulent data, cyberattacks, data losses, and threat of personal data thefts. These rising security issues have made way for SMEs to focus their concerns on data centric security. Although, SMEs have to consider their limited budget, the comprehension of corporate information being an important consideration, makes them use data discovery and classification, data protection, and data governance solutions. Moreover, these solutions are available at economical pricing in the cloud deployment type. In the coming years, data centric security solutions are expected to witness high adoption among SMEs, all over the region.

**North America to hold the largest market share in 2022**

North America is estimated to account for the highest market share in the data-centric security market in 2022. The region comprises some of the key vendors that offer data-centric security solutions and services; some of them are Informatica, IBM, Broadcom, Micro Focus, Varonis Systems, Forcepoint, among others. By country, the US is expected to hold the largest market share owing to the growing data breach incidents. Implementing these technologies enables large amounts of data to be operated upon, which has resulted in widespread adoption of cloud-based solutions and investments in the data-centric security market. North America is a highly regulated region in the world with numerous regulations and compliances, such as the Federal Energy Regulatory Commission (FERC), HIPAA, PCI DSS, and SOX, across verticals. All these factors contribute to the high market share.

**Speak to Research Expert:** https://www.marketsandmarkets.com/speaktoanalystNew.asp?id=1504980

The major Players in data-centric security market are Informatica (US), IBM (US), Broadcom (US), Micro Focus (US), Varonis Systems (US), Talend (US), Orange Cyberdefense (France), Forcepoint (US), Imperva (US), NetApp (US), Infogix (US), PKWARE (US), Seclore (US), Fasoo (South Korea), Protegrity (US), Egnyte (US), Netwrix (US), Digital Guardian (US), HelpSystems (US), BigID (US), Securiti (US), SecuPi (US), Concentric.AI (US), Lepide (US), NextLabs (US), SealPath (Spain), Nucleus Cyber (US), and Dathena (Singapore).

**Market Players**

Key and innovative vendors in the data-centric security market include Informatica (US), IBM (US), Broadcom (US), Micro Focus (US), Varonis Systems (US), Talend (US), Orange Cyberdefense (France), Forcepoint (US), Imperva (US), NetApp (US), Infogix (US), PKWARE (US), Seclore (US), Fasoo (South Korea), Protegrity (US), Egnyte (US), Netwrix (US), Digital Guardian (US), HelpSystems (US), BigID (US), Securiti (US), SecuPi (US), Concentric.AI (US), Lepide (US), NextLabs (US), SealPath (Spain), Nucleus Cyber (US), and Dathena (Singapore).

**Browse Adjacent Markets:** Information Security Market Research Reports & Consulting

**Related Reports:**

**Data Discovery Market** by Component, Functionality, Organization Size, Deployment Mode, Application, Vertical (BFSI, Healthcare and Life Sciences, Telecommunications and IT, Manufacturing), and Region - Global Forecast to 2025

**Serverless Security Market** by Service Model (BaaS and FaaS), Security Type (Data, Network, Perimeter, and Application), Deployment Mode (Public and Private), Organization Size (SMEs and Large enterprises), Vertical, and Region - Global Forecast to 2026

**About MarketsandMarkets™**

MarketsandMarkets™ provides quantified B2B research on 30,000 high growth niche opportunities/threats which will impact 70% to 80% of worldwide companies' revenues. Currently servicing 7500 customers worldwide including 80% of global Fortune 1000 companies as clients. Almost 75,000 top officers across eight industries worldwide approach MarketsandMarkets™ for their painpoints around revenues decisions.

Our 850 fulltime analyst and SMEs at MarketsandMarkets™ are tracking global high growth markets following the "Growth Engagement Model – GEM". The GEM aims at proactive collaboration with the clients to identify new opportunities, identify most important customers, write "Attack, avoid and defend" strategies, identify sources of incremental revenues for both the company and its competitors. MarketsandMarkets™ now coming up with 1,500 MicroQuadrants (Positioning top players across leaders, emerging companies, innovators, strategic players) annually in high growth emerging segments. MarketsandMarkets™ is determined to benefit more than 10,000 companies this year for their revenue planning and help them take their innovations/disruptions early to the market by providing them research ahead of the curve.

MarketsandMarkets's flagship competitive intelligence and market research platform, "Knowledge Store" connects over 200,000 markets and entire value chains for deeper understanding of the unmet insights along with market sizing and forecasts of niche markets.

Data-Centric Security Market Worth $12.3B by 2027 - Exclusive Report by MarketsandMarkets™

Unsecured voice traffic, skyrocketing adoption of Teams-centric enterprise collaboration tools widen enterprise cybersecurity gaps and increase risk of breach.

**_Chicago, IL – July 20, 2022_** – Mutare, Inc., the market leader in solutions to protect voice network traffic, today released a new industry **Voice Network Threat Survey** that reveals serious shortcomings in enterprise security protections against voice network attacks. With responses from cybersecurity and networking professionals at RSAC 2022 and Cisco Live, Mutare found that nearly half (47%) of organizations experienced a vishing (voice phishing) or social engineering attack in the past year. More troubling, most are unaware of the volume of unwanted voice traffic (phone calls) traversing their voice network, or the significance of threats lurking in unwanted traffic, which includes robocalls, spoof calls, scam calls, spam calls, spam storms, vishing, smishing and social engineering.

Mutare’s **Index of Unwanted Voice Traffic** shows that across all industries nine percent of all calls (or, voice traffic) received by businesses are unwanted. Moreover, 45% of all unwanted traffic is tied to nefarious activity, while 55% is tied to nuisance activity. Remarkably, more than one-third of respondents to the **Voice Network Threat Survey** (38%) said their organizations do not collect any data on the amount of inbound, unwanted, and potentially malicious voice traffic hitting their organizations. Of those that do collect such data, 23% of respondents estimated that 5% to 10% of inbound calls were unwanted, followed by 15% of respondents who estimated that over 10% of inbound calls were unwanted, and 10% of respondents who estimated that over 20% of calls were unwanted.

The biggest source of security risk stems from employee errors, according to 43% of survey respondents. That ranking was followed by the risk from email (36%), endpoints (35%), data networks (17%), data storage (12%), and applications/core systems (9%). Only 10% of respondents cited their voice networks and phone systems as the biggest source of security risk in their organizations, reinforcing a widespread lack of awareness about this problem.

More than one-third (36%) of respondents cited security awareness training as the top solution to protect voice networks from Vishing (voice vishing) and Smishing (SMS phishing) attacks. That approach was followed by traffic firewalls (34%), spam blockers (26%), training for vishing attacks (20%), training for social engineering (23%), and threat detection (13%). In addition, more than one-fourth of survey respondents (26%) were unsure about which tools were being used to protect their voice networks, and 9% said their organizations had no solutions in place whatsoever to protect their voice networks.

Other findings from the survey included:

*   More than four-in-five respondents (81%) agreed or strongly agreed that their organizations identified vishing, smishing, social engineering, and robocalls as major security threats
*   For those organizations that received voice attacks in the past year, nearly one-third (32%) involved SMS/text scams, followed by attacks on collaboration platforms such as Cisco WebEx and Microsoft Teams (16%), and voice networks (14%). 35% of respondents were unsure about what types of attacks had struck their organizations.
*   The responsibility for overseeing voice security was almost evenly divided between responses for the Security Team with 38%, and the Network Team with 37%. In addition, 15% of respondents cited the Unified Communications/Collaboration/Voice Team as being responsible for their company’s voice network security.

The Mutare Voice Network Threat Survey was taken by more than 150 onsite attendees at tech industry trade shows in June 2022. More than half of respondents (54%) came from the Technology and Innovation industry, followed by Government (12%), Education (9%), Financial Services (7%), Healthcare (5%), and Legal (3%). The largest group of respondents came from midlevel specialists and managers at 44%, followed by senior executives (27%), entry-level employees (13%), and C-level execs (9%).

For more information about the survey results, please visit: https://www.mutare.com/executive-report-voice-network-threat-survey-2022/.

For more information about the company, please visit: https://www.mutare.com/.

**About Mutare**

For three decades, Mutare has empowered organizations to reimagine a better way to connect. Today, through our transformative digital voice and text messaging solutions, we make communications with colleagues, customers, and prospects simple, secure, and effective. And that means more time and less stress for your employees, a positive experience for your customers, and improved bottom-line results for your organization. Our forward-looking leadership team is made up of dedicated, experienced individuals who care about transforming business communications and improving the lives of others. Ultimately, Mutare is dedicated to making a difference for all our stakeholders – team members, customers, partners, and communities. We are change makers.

Mutare Voice Network Threat Survey Shows Nearly Half of Organizations Experienced Vishing or Social Engineering Attacks in Past Year

Security pros' experience with transparency and evaluating third-party partners positions them to act as key environmental, social, and governance advisers.

With new reporting requirements looming, information security leaders' expertise positions them as key collaborators in improving their companies' environmental, social, and governance (ESG) posture.

The fundamental principle behind ESG is that transparency is required to understand whether business partners are ethical and making a positive impact in the world, but ESG has become something of a catch-all term for the qualities that companies want to see in their business partners.

Security underpins key aspects of ESG. Companies want to do business with organizations that are either advancing the cause of security and privacy or are at least not doing harm. How transparent companies are before, during, and after a breach tells you a lot about their corporate character. A data breach may be called a privacy responsibility or a security responsibility, but, at the end of the day, it’s a social responsibility.

**Security Incidents**

There are two common information security practices that can help organizations rise to meet the challenges of ESG transparency.  

The first is the sharing of information regarding security incidents.

When a breach occurs, ethical companies do more than just comply with regulations that require notification to affected individuals. They publicly share details about what happened, how they were able to recover, and the corrective measures they put in place. Companies going above and beyond publish relevant TTPs (tactics, techniques, and procedures) or IoCs (indicators of compromise) to help protect other organizations from falling victim to the same threats or threat actors.

An example of exemplary behavior in this space was the SolarWinds and FireEye incident. When FireEye (now known as Trellix) was breached, the organization shared information publicly. This enabled thousands of potential victims to identify threat indicators and respond in their own environments.

**Vulnerability Disclosures**

The second information security practice that can benefit ESG efforts relates to vulnerability disclosures. Organizations need to know if their business partners have been affected by zero-day vulnerabilities such as Log4j. A partner that proactively alerts the organizations it does business with that such a flaw exists in its systems, and then commits to addressing it, gets a high ESG grade. Partners that don't respond to requests for information about a vulnerability or that say such information is proprietary should be avoided.

There is a tremendous opportunity for security leaders to highlight how the valuable work they’re doing also improves their organizations' ESG profiles, and to help their teams understand and evaluate how well their business partners are doing along those same lines.

Consider developing baseline requirements or even a custom metric. Ask yourself and your business partners: What is your average time between identification and disclosure of incidents or breaches? How many disclosures have you made in a given timeframe?

Data points such as time to disclose and time to remediate can be rolled up into a kind of security-related "ESG credit score" to provide visibility. Once you’ve done this for your security requirements, it can be easily replicated across the other ESG domains.

A connected platform can be used to operationalize the assessment and monitoring of your supply chain ESG health. After you understand and can measure what's most important in your business relationships, you can help identify where there is room for improvement and help steer your company toward more ethical partnerships.

Environmental, sustainability, social, and governance issues are among the most visible and popular ways to evaluate business ethics today — and it’s not hard to imagine that the scope of what people care about will expand to other areas. Take this opportunity to coach business leaders on the importance of creating a culture of transparency and model what good governance looks like around identifying, drafting, reviewing, and approving disclosure material. Consider these and additional ways you and your team can add value to their organizations as ESG continues to gain momentum.

What InfoSec Pros Can Teach the Organization About ESG

The LAPSUS$ group emerged with a big splash at the end of 2021, targeting companies, including Okta, with a "reckless and disruptive" approach to hacking.

The LAPSUS$ extortion group has gone quiet following a notorious and rapid rise through the threat landscape, targeting companies including Microsoft, NVIDIA, and Okta, and earning notoriety for its freewheeling, decentralized approach to cybercrime.  

However, researchers said the group is likely not gone — and, in any case, its "brazen" tactics may leave a legacy.

A new report from exposure management specialist Tenable digs into the group's background and the tactics, techniques, and procedures (TTPs) it has used, maturing from distributed denial-of-service (DDoS) attacks and website vandalism to more sophisticated methods. These include the use of social engineering techniques to reset user passwords and co-opt multifactor authentication (MFA) tools.

"Characterized by erratic behavior and outlandish demands that cannot be met — at one point, the group even accused a target of hacking back — the LAPSUS$ group’s tenure at the forefront of the cybersecurity news cycle was chaotic," the report notes.

**Chaos, Lack of Logic Part of the Plan**

"You could absolutely call LAPSUS$ 'a little punk rock,' but I try to avoid making bad actors sound that cool," notes Claire Tills, senior research engineer at Tenable. "Their chaotic and illogical approaches to attacks made it much harder to predict or prepare for the incidents, often catching defenders on the back foot."

She explains that perhaps due to the group’s decentralized structure and crowdsourced decisions, its target profile is all over the place, which means organizations can’t operate from the "we're not an interesting target" point of view with actors like LAPSUS$.

Tills adds that it’s always hard to say whether a threat group has disappeared, rebranded, or just gone temporarily dormant.

"Regardless of whether the group identifying themselves as LAPSUS$ ever claims another victim, organizations can learn valuable lessons about this type of actor," she says. "Several other extortion-only groups have gained prominence in recent months, likely inspired by LAPSUS$’s brief and boisterous career."

As noted in the report, extortion groups are likely to target cloud environments, which often contain sensitive, valuable information that extortion groups seek.

"They are also often misconfigured in ways that offer attackers access to such information with lower permissions," Tills adds. "Organizations must ensure their cloud environments are configured with least-privilege principles and institute robust monitoring for suspect behavior."

As with many threat actors, she says, social engineering remains a reliable tactic for extortion groups, and the first step many organizations will need to take is assuming they could be a target.

"After that, robust practices like multifactor and passwordless authentication are critical," she explains. "Organizations must also continuously assess for and remediate known-exploited vulnerabilities, particularly on virtual private network products, Remote Desktop Protocol, and Active Directory."

She adds that while initial access was typically achieved through social engineering, legacy vulnerabilities are invaluable to threat actors when seeking to elevate their privileges and move laterally through systems to gain access to the most sensitive information they can find.

**LAPSUS$ Members Likely Still Active**

Just because LAPSUS$ has been quiet for months does not mean the group is suddenly defunct. Cybercrime groups often go dark to stay out of the spotlight, recruit new members, and refine their TTPs.

"We would not be surprised to see LAPSUS$ resurface in the future, possibly under a different name in an effort to distance themselves from the infamy of the LAPSUS$ name," says Brad Crompton, director of intelligence for Intel 471’s Shared Services.

He explains that even though LAPSUS$ group members have been arrested, he believes the group’s communication channels will stay operational and that many businesses will be targeted by threat actors once affiliated with the group.

"Additionally, we may also see these previous LAPSUS$ group members develop new TTPs or potentially create spinoffs of the group with trusted group members," he says. "However, these are unlikely to be public groups and will probably enact a higher degree of operational security, unlike their predecessors."

**Money as the Main Motivator**

Casey Ellis, founder and CTO at Bugcrowd, a crowdsourced cybersecurity provider, explains that cybercriminals are motivated by money while nation-states are motivated by national goals. So, while LAPSUS$ isn't playing by the rules, its actions are somewhat predictable.

"The most dangerous aspect, in my opinion, is that most organizations have spent the last five or more years developing symmetric defensive strategies based on threat actors with reasonably well-defined definitions and goals," he says. "When a chaotic threat actor is introduced into the mix, the game tilts and becomes asymmetric, and my main concern about LAPSUS$ and other similar actors is that defenders haven't really been preparing for this type of threat for quite some time." 

He points out LAPSUS$ relies heavily on social engineering to gain an initial foothold, so assessing your organization's readiness to social engineering threats, both on the human training and technical control levels, is a prudent precaution to take here.

Ellis says while the stated goals of LAPSUS$ and Anonymous/Antisec/Lulzsec are very different, he believes they will behave similarly in the future as threat actors.

He says the evolution of Anonymous in the early 2010s saw various subgroups and actors rise to prominence, then fade away, only to be replaced by others that replicated and doubled down on successful techniques.

"Perhaps LAPSUS$ has vanished completely and forever," he says, "but, as a defender, I wouldn't rely on this as my primary defensive strategy against this type of chaotic threat."

Chaotic LAPSUS$ Group Goes Quiet, but Threat Likely Persists

The group has become the new face of ransomware, taking advantage of vulnerabilities and poor encryption.

The Federal Bureau of Investigation (FBI), the Department of Treasury, and the Financial Crimes Enforcement Network (FinCEN) recently released a joint Cybersecurity Advisory (CSA) focusing on the Karakurt data extortion group, an emerging organization known for stealing company data and demanding ransom to avoid public exposure. The group has become the new face of ransomware, taking advantage of vulnerabilities and poor encryption.

So, what does this mean for businesses, both small and large?

Karakurt actors have long engaged in various tactics, techniques, and procedures (TTPs), that create considerable challenges for defense and mitigation. While the targets of Karakurt have not reported their data and files compromised, they have reported falling victim to ransom requests ranging from $25,000 to $13 million in Bitcoin.

**The Move Toward Data Decryption**

Karakurt is the new face of ransomware, taking advantage of poor encryption. Historically, ransomware did not care about the encryption used to protect the data because it did not decrypt the original data. Instead, it took existing encrypted data and made it unusable to the victim. Eventually, organizations began conducting proper backups and therefore stopped paying the ransom requested. As a result, ransomware entities have upped their game and are beginning to decrypt data.

Why is it so easy for these criminals to decrypt data? The answer is the use of a single key to encrypt all records and store the key in an unprotected environment. All it takes for an attacker is to find the key and they will have access to all an organization's data.

How can organizations mitigate this risk? One solution is OTP (one-time pad), as it is necessary to keep classified data safe and can be easily adopted. A big advantage for OTPs is that not only are they extremely secure, they are incredibly easy for organizations to integrate into their wider authentication strategies.

**OTP and Beyond**

OTPs may have been born before digital computing, but they continue to represent an unbeatable cryptographic standard. OTPs include a system where a private key is used by random generation and significantly helps prevent access to breaches. The key is employed only once in order to securely encrypt data, and will be decrypted by the recipient by utilizing a corresponding one-time pad and key. Even if an attacker or criminal group like Karakurt were to obtain a valid set of login credentials, it would be unable to breach the system.

Beyond OTP, and when examining Karakurt's TTPs, it's vital for organizations to review current encryption policies and technologies deployed, as well to ensure there are no open vulnerabilities to be exploited. In addition, the application of newer quantum-resistant approaches will mitigate potential short- and long-term harm. The time is now to take these proactive steps. Quantum computers can decipher cryptographic keys and create threats, much like Karakurt is known for.

Cybercriminals are becoming increasingly creative and organizations must be prepared with measures that will do the most to protect their most valuable assets: their data. It's time for organizations to take a look at security measures currently in place and act accordingly. Once adequate measures are in place, the problem with cyberattacks will become the ability to detect attacks rather than worrying about control and minimizing the damage.

How to Mitigate the Risk of Karakurt Data Extortion Group's Tactics, Techniques, and Procedures

One of the announcements out of the National Cyber Workforce and Education Summit on July 19 was the 120-day Cybersecurity Apprenticeship Sprint.

Despite all the ways people enter the cybersecurity industry -- obtaining industry certifications, going through a bootcamp program, taking courses at a school as part of a degree (or certificate) program, shifting over from related technical fields, or self-study to learn the necessary skills -- hiring managers say they are having difficulty filling open cybersecurity roles.

"With approximately 700,000 cybersecurity positions open, America faces a national security challenge that must be tackled aggressively," the White House said in a **press release** on Monday, announcing Tuesday's National Cyber Workforce and Education Summit.

Led by National Cyber Director Chris Inglis, the July 19 summit brought together government officials and private-sector executives to brainstorm solutions and educational initiatives to fill open cybersecurity positions across the country.

Will apprenticeships help make a dent in the problem? One of the announcements that came out of the July 19 summit was the **Cybersecurity Apprenticeship Sprint**. The departments of Labor and Commerce unveiled the 120-day sprint to promote the Registered Apprenticeship model to help develop and train the cybersecurity workforce.

The Registered Apprenticeship model is "an industry-driven, high-quality career pathway where employers can develop and prepare their future workforce, and individuals can obtain paid work experience with a mentor, classroom instruction and a portable, nationally recognized credential," according to a **Department of Labor press release**. These apprenticeship programs are registered at a state or federal level.

There are currently 714 registered apprenticeship programs and 42,260 apprentices in cybersecurity-related occupations, according to the Labor Department. The goal of this sprint is to recruit employers, industry associations, labor unions, educational providers, community-based organizations, and others to establish more.

**Developing the Workforce**

Apprenticeships fill a real gap in hiring, says Will Carlson, director of content for Cybrary. People have the opportunity to gain firsthand experience in the field, find mentors, land a job, and validate whether this is the career for them. Employers get a talent pool where they can learn more about the candidate over a period of time before extending any longer-term offers.

"People often mention, 'I can't get an entry-level job to get the experience for an entry-level job.' \[Apprenticeships\] help remove a significant blocker to growing the capacity and capability gaps in the market," Carson says.

Historically, many professions have relied on apprentices to teach the necessary skills of the trade and develop a workforce. Something similar can work for cybersecurity, says Larry Whiteside, Jr, co-founder and president of Cyversity. Current programs train people on specific tools and skills and then send them out to apply for jobs, hoping the training and skills align to the needs of the hiring organization. The apprenticeship, on the other hand, provides on-the-job training.

"The training and skills that the person acquires directly relates to the organization that needs the skills," Whiteside says.

It’s important to note that apprenticeships are different from internships, as apprenticeships take a more direct approach to skills development, Whiteside says.

"Over the years, internships have gotten a negative connotation due to organizations' lack of programmatic ways to train and utilize cyber interns," he says. Interns have historically been treated as a person who can be assigned to work on tasks that the rest of the team didn’t have time to do.

The apprenticeship model is a "far more well-established, entry-level mechanism that has years of proven teaching and training mechanisms applied to it," Whiteside says.

**Key Elements for a Successful Program**

An apprenticeship is not a complicated program; all it needs to include is training, mentorship, and a paid job, says Tony Bryan, executive director at CyberUp, noting that training should include both on-the-job and any other related instruction. The point is to create a standard process with clear expectations so that both the apprentice and the manager have "guardrails" on what the first six to 12 months should look like.

Employers should get meaningful tasks accomplished while providing beneficial experience to interns, Carlson says. Instead of increasing the organization’s risk by placing someone new to the field in a high-risk role, the program should be structured so that the apprentices get real-world experience in lower-risk roles.

A program should provide employers with a "step-by-step, competency-based plan to onboard new cyber talent," says Dan Weeks, director of employer partnerships at Fullstack Academy. Many organizations are unclear on what a reasonable timeline is for new hires to take on key cyber tasks. A program like this makes it easier to measure the candidate’s progression in gaining those skills and identifying areas that need extra help.

**Setting Up the Program**

However, setting up a good apprenticeship program requires planning. Employers need to determine what skills they expect the apprentice to end up with at the end of their apprenticeship period in order to create "a pathway for success," Whiteside says. Organizations should have a defined goal or identify specific skills to develop and align the apprenticeship program accordingly.

The hardest part is creating the organizational culture to enable this process, finding the candidates, and funding the initiative, Whiteside says.

Costs for starting up an apprenticeship can range from $25,000 to $250,000, taking into account multiple factors, such as the size of the organization, the number of staff required to support the program, how training is delivered, and whether there are any existing processes that can be used, says Bryan.

Many organizations partner with third-party intermediaries such as CyberUp to register the program, establish requirements for hiring, bring in candidates to interview, and manage the program. Having a partner can also help shorten hiring cycles because they are proactively recommending future apprentices.

"When constructed well, \[apprenticeships\] allow organizations the chance to address the broader skill gap in our market by providing skills and opportunities for those wanting to enter the space," says Carlson. "Getting more people in the field to address the capacity and capability needs of the space is a win for all involved."

Tackling the Cybersecurity Workforce Challenge With Apprentices

More than 311 local eateries have been breached through online ordering platforms MenuDrive, Harbortouch, and InTouchPOS, impacting 50K records — and counting.

A massive Magecart e-skimmer campaign has siphoned off the payment records of hundreds of restaurants by attacking their online payment platforms. Targets include MenuDrive, Harbortouch, and InTouchPOS, according to a new advisory.

So far, researchers at Insikt Group, Recorded Future's threat research division, Magecart attackers have posted more than 50,000 stolen order payment records from at least 311 restaurants — and they're offering them for sale on the underground Web. Researchers warn they expect that number to rise.

The report added that the compromised records include payment card data, as well as billing and contact details.

The three platforms in question are a departure from Magecart's usual target, the Magento e-commerce platform. During the pandemic, many local restaurants rushed to implement online ordering and payment, and they may not be paying attention to patching vulnerabilities or shoring up security in general for their new lines of business.

"Cybercriminals often seek the highest payout for the least amount of work," the Tuesday Magecart campaign report said. "This has led them to target restaurants' online ordering platforms; when even a single platform is attacked, dozens or even hundreds of restaurants can have their transactions compromised, which allows cybercriminals to steal vast amounts of customer payment card data disproportionate to the number of systems they actually hack."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Ongoing Magecart Campaign Targets Online Ordering at Local Restaurants

The gang's members have moved into different criminal activities, and could regroup once law-enforcement attention has simmered down a bit, researchers say.

Two months after the infamous Conti ransomware gang ceased operations, several of its members remain as active as ever either as part of other ransomware groups or as independent contractors focused on data theft, initial network access, and other criminal endeavors.

Separately, they remain as dangerous to organizations as they used to be as members of a single gang, according to Intel 471. Its researchers have been tracking Conti actors as they have moved in different directions since the group dissolved in May. 

The cessation of operations appears to be a bid by the group's operators to distance themselves from the brand more than anything else. In a new report, the threat intelligence firm speculates that once law-enforcement attention around the Conti group wanes, it's likely that its now-scattered members will regroup and form another criminal organization similar in structure to the original.

"In order to defend their enterprises, security practitioners need to understand how cybercriminals organize their operations," says Brad Crompton, director of intelligence for Intel 471's shared services group. "Even though Conti is defunct, former operators are still using similar \[tactics, techniques, and procedures\], which means security teams can still use their prior strategies in stopping similar attacks rather than ignoring them altogether in light of Conti's demise."

**Most-Destructive Ransomware Group**

The Conti group is widely regarded within the security industry as one of the most destructive ransomware operations of all time. The predominantly Russia-based group first surfaced in 2020, and has used a variety of tactics to break into victim networks — including via spear-phishing campaigns, stolen Remote Desktop Protocol credentials, software vulnerabilities, and poisoned software.

The FBI estimated that by January, the gang had collected some $150 million in ransom payouts from more than 1,000 victims worldwide—including more than 400 in the US. The scale of its destruction prompted the US State Department in May to announce a $10 million reward for information leading to the identification and/or location of key individuals of the gang. The State Department offered another $5 million for information leading to the arrest and conviction of individuals participating in attacks involving Conti ransomware incidents.

**Leaking a Window into Conti's Operations**

In May, a Ukrainian member of the gang publicly released a big trove of Conti's internal conversations after the Conti team officially announced its support for the Russian government's invasion of Ukraine. Information from that leak, and another previous leak in September 2021 showed the Conti ransomware operation was structured along the lines of a formal business complete with a physical office, scheduled working hours, managers at various tiers and separate departments for HR, coding, training, testing, intelligence gathering, and other functions. 

The FBI, the National Security Agency (NSA), and the US Cybersecurity and Infrastructure Security Agency (CISA) earlier assessed that Conti's developers used a ransomware-as-a-service model to distribute their malware. But instead of taking a cut of the ransom from affiliates — as is usually the case with ransomware-as-a-service — Conti's developers paid attackers a flat fee for deploying their malware on victims' networks.

Significantly, the leaks also appeared to confirm widely held suspicions about a link between Conti's developers and Russia's Federal Security Service (FSB).

**Rebrand & Regroup?**

In mid-May, Conti's developers seemingly abruptly began shutting down infrastructure — such as admin panels, servers, proxy hosts, chatrooms, and a negotiations service site — likely in response to the high level of attention it had managed to attract from law enforcement and media. A few weeks later, it also shut down a site it had used to name-and-shame victims that refused to pay a ransom. 

One analysis by AdvIntel at the time concluded that the group's main actors had already put in place plans to continue the operation under various guises a few months before its official shutdown.

The Black Basta ransomware gang, which started operations in April, or one month before Conti's official exit from the ransomware scene appears to be one such operation. Intel 471 said its analysis of the group's activities show that Black Basta's infrastructure — such as its payment and data leak sites, its payment site, recovery portals, and communication and negotiation methods — have overlaps with Conti's operations.

Intel 471 also  has identified two other ransomware operations — BlackByte and Karakurt — that have similar, significant overlaps with Conti and in fact may simply be rebranded Conti operations. In addition, some Conti affiliates and managers have forged alliances with other ransomware teams, including Ryuk, Maze, LockBit 2.0, BlackCat, Hive, and HelloKitty. According to Intel 471, it is possible also that other actors could use leaked Conti source code to developer their own ransomware and decryption tools.

Source

DARKReading