Penetration testing not only serves to triage and validate other defect discovery activities, it informs risk management activities, such as threat modeling and secure design.

As threats become much more pervasive and dynamic, organizations are adopting proactive security measures such as penetration testing to build out a comprehensive security strategy.

Pentesting validates that software and hardware controls have been implemented by using the same tools and techniques an attacker would use to uncover vulnerabilities. This way, organizations can identify gaps in their overall information security program and measure the effectiveness of their patch management and incident response programs.

However, modern DevSecOps teams need more speed and flexibility than what traditional pentesting engagements can deliver. Incremental pentesting programs can help identify and address security gaps more frequently because they focus on smaller segments at a time.

With the needs of DevSecOps teams in mind, penetrating testing-as-a-service (PTaaS) is seeing a higher profile.

**Development Teams Align Pentesting with DevSecOps**

PTaaS company Cobalt announced its new Agile Pentesting service to help security teams align penetration testing with the continuous integration and continuous delivery (CI/CD) pipeline. The smaller pentest engagements can help extend the reach of security teams and accelerate secure build-to-release timelines.

Andrew Obadiaru, Cobalt's CISO, says that end users of this offering are security and development teams who are looking to align pentesting more closely to their DevSecOps processes.

"These are teams who are pentesting beyond compliance obligations and conducting more targeted tests that focus on a specific area of an asset, or a specific vulnerability across an asset," he says.

The Agile Pentesting offering allows organizations to focus on a specific area of an asset, such as a new feature or product release, specific vulnerability, or incremental testing.

"Focused pentesting allows organizations and IT teams to quickly determine potential vulnerabilities or security flaws in a specific product or feature prior to deploying into production," Obadiaru adds.

**Incremental Pentesting a Risk-Based Effort**

John Steven, CTO at ThreatModeler, an automated threat modeling provider, says part of the prioritization that occurs with incremental penetration testing should be the alignment of test scope with new features and release promises.

"This creates natural alignment between delivery and security priority and focus," he explains. "Additionally, there's a quick benefit: defect studies indicate that where code churns, bugs — and vulnerability — are more likely to be found."

Steven adds that "the dirty secret" is that all penetration testing is incremental.

"Exhaustively testing even a small system would take months," he says. "Taking an incremental posture on penetration first acknowledges that the effort is 'risk-based', prioritizing that which is most impactful and likely."

Second, it allows the activity to fit more closely within the cadence of delivery, so that its results can be acted on with a minimum (if any) exposure time of vulnerable systems in production.

"Confining penetration testing efforts to those things threat modeling indicate are high impact and potentially likely for a worrying population of adversaries is perhaps the most key optimization organizations can make," he adds.

Dave Gerry, chief operating officer at Bugcrowd, a crowdsourced cybersecurity specialist, says a long-standing challenge with pentesting has been the "point-in-time" nature of the tests.

"At some pre-defined period of time, the test is completed against the then-current version of the application and a report is delivered," he says.

The challenge is that development changes significantly over the course of years, and often by the time a pentest is completed and the report is delivered, the information is already out of date due to application changes.

"By completing incremental testing on the application, security organizations can gain current and ongoing visibility into the security posture of the application as the smaller scope allows for faster testing turnaround," Gerry explains.

This enables security organizations to receive real-time information into the current security posture of the application, network, or infrastructure within scope.

**Automation Aids Continuous Testing**

Jason Rowland, vice president of penetration testing and cloud services at Coalfire, a provider of cybersecurity advisory services, says that continuous testing, given resource constraints faced by the infosec community, will require an approach that maximizes use of testers and offloads work that can be automated.

"Utilizing platforms to perform attack surface discovery and vulnerability identification, as an example, will become prevalent as we unlock the true value of offensive security," Rowland says.

As an industry impaired by the sheer volume of vulnerabilities, security alerts, and frameworks, prioritizing the behaviors of the adversary provides clarity and facilitates better decisions on the use of finite security resources, he says.

"This model is being adopted and will continue to gain prevalence as organizations focus on activities that deliver the specific outcome of minimizing the impact of security incidents," Rowland notes.

Obadiaru adds that while pentesting is a modernized approach to enhanced security, this process and method will continue to evolve — especially as cyberattacks become more commonplace and complex.

"Security tools will need to remain strong and keep up with heightened demands," he says. "It's likely we'll also see increased use of pentesting in non-traditional security areas, such as mergers and acquisitions, assurance, and regulatory compliance."

**PTaaS Offers Real-Time Insights**

Gerry notes that in the past few years, there's been an increased shift from traditional pentesting to PTaaS.

"Rather than point-in-time assessments, organizations are leveraging pentesting as an important tool in their risk and security program, rather than a necessary evil to maintain compliance with internal or external requirements," he says.

He explains by leveraging a PTaaS offering, security teams gain the ability to view results in real time via a SaaS platform, integrate pentesting into their development and security product suite, and institute ongoing testing across retests, focused-scope testing, and new product capability testing.

"Every change to a network or application, whether a major release or incremental release, represents an opportunity for new vulnerabilities to be introduced," Gerry says. "Security organizations must maintain the ability to gain real-time visibility into the current posture — both from a risk governance perspective and from a compliance perspective."

Rowland says as organizations begin to prioritize defense and detection capability investments based on the tactics, techniques, and procedures of the actors most likely to target their organization, the role of offensive security has become increasingly integrated and central to the success of the security strategy.

"Since the tactics of the adversary and attacks surface are dynamic, offensive security must continuously validate that the program is keeping pace," he explains. "Regular testing is necessary to drive and validate adjustments to defenses based new intelligence, architectural changes, or the introduction of new assets."

Steven believes that many people think of penetration testing in an "attacker-centric" way, forgetting that penetration testing is a highly technology-specific pursuit when it comes to software and platforms as well.

"We found that specialized teams were necessary for ATMs, automotive, healthcare, Web, and mobile," he says. "Still others handled mainframe and OS-level penetration testing."

He says as applications move to the cloud, penetration testing and the teams servicing that activity must adapt.

"The cloud isn't a single monolith — it's several major providers, each with tens or hundreds of specific APIs and control sets," Steven adds. "Penetration testers will have to use tools to discover sprawling cloud-based assets, no longer confined to a datacenter or IP range, and then quickly become experts in the tech stacks used by any in-play orchestration platforms, control planes, and providers."

Pentesting Evolves for the DevSecOps World

After a high-profile 2017 breach and a Holiday Inn ransomware hit earlier this year, IHG confirms that its booking channels and applications have been disrupted in yet another cyberattack.

InterContinental Hotels Group (IHG) has disclosed its systems have been breached — again — and that its booking systems and applications have been "significantly disrupted" since Sept. 5.

UK-based IHG operates 17 iconic hospitality brands, including Holiday Inn, Crowne Plaza, and Candlewood Suites. This is the third compromise the massive hotel company has had since 2017.

"IHG is working to fully restore all systems as soon as possible, and to assess the nature, extent, and impact of the incident," explained IHG in a notification of the cyberattack. "We will be supporting hotel owners and operators as part of our response to the ongoing service disruption. IHG's hotels are still able to operate and to take reservations directly."

In the previous attack, the company's point-of-sale systems were compromised, allowing cybercriminals to steal customer credit-card details for guests across 1,200 hotels. Then, in a less sweeping incident, just last month the Holiday Inn in Istanbul was reportedly the victim of a LockBit ransomware attack.

**Three Attacks Is a Trend**

It's likely the three separate attacks are connected, Justin Vaughan-Brown with Deep Instinct said in an emailed statement. 

"Unfortunately, this is not the first cyberattack that Holiday Inn has experienced, with breaches in 2017 and one last month in Istanbul," Vaughan-Brown noted. "Once cybercriminal groups know that an organization can be breached, it can encourage further attacks."

Some follow-on attacks are simple copycat cybercrimes, while others are carried out for bragging rights — i.e., to demonstrate the ability to pull off the same caper better or faster than the competition, Vaughan-Brown explained.

**Hot Hotel Data**

Any organization, like a hotel chain, that holds onto massive amounts of valuable, personal data will continue to be a prime target for cyberattacks, Erfan Shadabi, a cybersecurity expert with Comforte AG explained in a statement provided to Dark Reading.

"Consumer-based industries such as travel and entertainment, retail, and financial services definitely apply, as they collect sensitive information on large swathes of their customers and prospects," Shadabi explained. "The reason is simple: threat actors want that data for personal gain."

Holiday Inn Owner InterContinental Has a Breach Trend

Continued collaboration will help win the fight as cybersecurity remains a national priority. International and public-private cooperation is helping stem the damage from ransomware threats and cyberattacks.

As a cybersecurity leader, a large part of my job involves defending companies against cybercrime; the rest is spent figuring out how I can take the fight to the cybercriminals. You'll hear many people say things like "the threat landscape is always changing" or "cybercrime never sleeps." What they really mean is that cybercrime is a global problem — it affects every industry and every time zone. This is why I believe this is a fight we can only win by collaborating across public and private sectors, taking advantage of the skill sets, expertise, and jurisdictions our combined forces offer.

**The Power of Collaboration in Action**

My journey as a cybercrime fighter has led me into some unusual spaces. Back in early 2020, I helped co-found the CTI League, a volunteer organization that works to defend the healthcare industry from cybercriminals. The CTI League peaked at around 2,000 members, with several hundred members originating from governments and agencies all over the world, representing 80 different countries.

The power of collaboration like this cannot be understated. We were able to track and report vulnerabilities in a matter of hours and/or dismantle threats in a matter of days. Taking down malicious sites became a matter of a quick conversation, while engaging law enforcement involved little more than a quick shout-out or visiting a private channel. The league showed that it was possible to work across borders, organizations, and with governments all over the world.

**Borderless Expertise — The Private Sector's Advantage**

The cybersecurity industry has grown immensely over the past 10 years, and has continued to try to keep pace with cybercriminals. Some of the brightest minds working on the most advanced technologies have made it possible to gather risk signals, detect threats, and help prevent attacks everywhere, including for government agencies and global nongovernmental organizations. The depth of the private sector's expertise, and, in some cases, the capabilities of organizations' themselves to throttle cybercriminal infrastructure, cannot be overstated. It's key to staying on top of a global, borderless ransomware problem.

This diversification of expertise and the skill sets that are needed to succeed in such a fast-moving, competitive environment means that operationally, the private sector will always be faster, more agile and more focused than the public sector, which is generally spread much thinner and consequently limited to a number of select, specialized priority missions. This means that the private sector will always have a different, likely broader view of the threat landscape than the public sector and, consequently, broader operation scope, too. This puts the private sector in a unique position where it can help inform and expand missions undertaken by the public sector. Missions like taking on the entire cybercrime ecosystem.

**The Public Sector's Governance Opportunity**

Governmental agencies have the ability to not only centralize insights, findings, and investigative groups, but they can levy the kinds of broad policy enforcements that can change the way the industry and organizations operate. A good example of this is the "Know Your Customer" (KYC) rules enforced on financial institutions.

KYC enforcement has made a huge impact on financial crimes, and is starting to have an impact on ransomware where exchanges agree to enforce them properly. Governance initiatives like this can help the public sector improve its security posture, mitigate modern risks, and improve efficiency. By uniting lawmakers and enforcement agencies, the public sector can change the course of the industry and the landscape in which criminals and private sector outfits operate.

**Joining Forces to Combat Cybercrime**

Combining the capabilities of both groups and attacking the very ecosystem that they thrive in is the only way we are going to beat cybercriminals at their game. There is already a precedent for this kind of success.

For the last year, I have also been a member of the IST Ransomware Task Force (RTF), a group of industry experts who dedicate time to fighting the scourge of ransomware. Led by the Institute of Security and Technology (IST), the RTF works across industry sectors and collaborates closely with policy makers, law enforcement, and other agencies to ensure that we both protect our nation and take the fight to the threat actors who profit from this crime.

Since publishing its inaugural report, we have seen good progress, as 88% of the recommendations that were in the report have seen some implementation. The complete status of report recommendations can be read here (PDF). Just as encouragingly, Director Jen Easterly of the Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Agency (CISA) made it clear that the US government's Joint Ransomware Task Force would include a significant role for the private sector, and the IST Ransomware Task Force specifically.

We still have much work ahead of us. Ransomware is not just the well-known names we read about in the papers, names such as Conti, LockBit, and Ryuk. These are just façades — brands that hide an ecosystem of criminals who move around and change their tactics on a regular basis, because it's profitable. Until we join together and attack that profitability, whether it's through driving up the cost of doing business or seizing their ill-gotten gains, we won't disrupt their businesses. I do believe we can do it, though. There's more of us than there are of them, and we are just as dedicated and passionate as they are — perhaps more so because we are fighting for the common good of organizations everywhere.

Together, we can take away the tools they use to build their software. We can identify and restrict the places that provide them with sanctuary, and we can reach out and empty their pockets, destroying their lifestyle. By hitting at the very heart of what makes them successful — criminal enterprises — we can disrupt every ransomware group at once, ultimately crushing them entirely. However, we should expect these criminals to look for different schemes, and that's why building lasting partnerships to keep the pressure on the whole ecosystem will be so important.

Fighting Ransomware Takes an Army: Our Public & Private Sector Soldiers Join Forces

A SaaS-specific security solution can help security teams make sure apps and usage are both secure, reducing the chances of a breach.

**Question: How can you keep your SaaS applications secure in the face of employee turnover?**

**Noam Shaar, CEO and Co-Founder of Wing Security:** In short, you need the right tools.

The fluidity of today's workforce and the accelerated pace at which people change jobs creates new cybersecurity challenges for companies. The average worker in the United States will work for 12 employers over their career, with the typical tenure just over four years. Each employee who exits will leave a trail of external access points that create potential vulnerabilities.

When employees switch companies and roles, access points are left open. Bad actors can use this access to infiltrate networks and steal valuable assets, including proprietary information and financial data. According to a poll from OneLogin, an identity management firm, nearly one-quarter of IT decision-makers said a failure to deprovision employees from corporate applications contributed to a data breach. Of those, 47% said more than 10% of all data breaches resulted from ex-employees.

Organizations likely have multiple exposed accounts that can provide entry points for malicious activity. In one high-profile case, a former engineer at Cisco was sentenced to two years in prison for compromising the company's network after he left, deleting thousands of Webex accounts. This, of course, is just one of the known incidents.

While many software-as-a-service (SaaS) applications offer built-in security controls, businesses should not assume they remain secure because they come from a big-name vendor. Threat actors often conspire or sell attack methods to break into these systems, or they will take advantage of organizations they already can access.

A SaaS security solution can help security teams understand who uses all of these applications and make sure the apps and usage are both secure. This not only strengthens overall security, it can quickly show gaps often left by offboarding. Best practices include:

*   **Use tools to watch for inconsistencies.** Multiple products being used by a large number of people often reveals a pattern of use. When behavior steps out from that norm, it is often a sign that something is amiss. Leverage a tool that can monitor this behavior and alert your team when necessary.
*   **Weed your garden.** It's critical to mitigate risks by getting rid of unaccessed apps — there's no use for them, and they create a potential opening. When it comes to apps, the company motto should be, "If they're not being used, we probably don't need them."
*   **Automate offboarding tasks where possible.** HR staff must keep tight rein during employee offboarding. One important task is notifying the technology team to discontinue access, which can easily be automated with a security and monitoring solution. While HR members still will want to notify technology leaders, having safeguards in place can eliminate gaps just in case that process gets overlooked.

SaaS applications have improved efficiency and expanded remote work capability, but employees no longer want to spend their entire careers with a single company. The rising number of applications and rate of turnover has increased risk. This risk can be managed with the correct tools and processes, but too many organizations have yet to change their mindset.

How Can I Protect My SaaS Apps Amid Employee Turnover?

The Shikitega malware takes over IoT and endpoint devices, exploits vulnerabilities, uses advanced encoding, abuses cloud services for C2, installs a cryptominer, and allows full remote control.

A Linux-focused malware dubbed Shikitega has emerged to target endpoints and Internet of Things (IoT) devices with a unique, multistage infection chain that results in full device takeover and a cryptominer.

Researchers at AT&T Alien Labs who spotted the bad code said that the attack flow consists of a series of modules. Each module not only downloads and executes the next one, but each of these layers serves a specific purpose, according to a Tuesday posting from Alien Labs.

For instance, one module installs Metasploit’s “Mettle” Meterpreter, which allows attackers to maximize their control over infected machines with the ability to execute shell code, take over webcams and other functions, and more. Another is responsible for exploiting two Linux vulnerabilities (CVE-2021-3493 and CVE-2021-4034) to achieve privilege-escalation as root and achieve persistence; and yet another executes the well-known XMRig cryptominer for mining Monero.

Further notable capabilities in the malware include the use of the "Shikata Ga Nai" polymorphic encoder to thwart detection by antivirus engines; and the abuse of legitimate cloud services to store command-and-control servers (C2s). According to the research, the C2s can be used to send various shell commands to the malware, allowing attackers full control over the target.

**Linux Malware Exploits on the Rise**

Shikitega is indicative of a trend toward cybercriminals developing malware for Linux — the category has skyrocketed in the past 12 months, Alien Labs researchers said, spiking 650%.

The incorporation of bug exploits is also on the rise, they added.

"Threat actors find servers, endpoints, and IoT devices based on Linux operating systems more and more valuable and find new ways to deliver their malicious payloads," according to the posting. "New malwares like BotenaGo and EnemyBot are examples of how malware writers rapidly incorporate recently discovered vulnerabilities to find new victims and increase their reach."

On a related note, Linux is becoming a popular target for ransomware, too: A report from Trend Micro this week identified a 75% increase in ransomware attacks targeting Linux systems in the first half of 2022 compared to the same period last year.

**How to Protect Against Shikitega Infections**

Terry Olaes, director of sales engineering at Skybox Security, said that while the malware might be novel, conventional defenses will still be important to thwart Shikitega infections.

"Despite the novel methods used by Shikitega, it is still reliant on tried-and-true architecture, C2, and access to the Internet, to be fully effective," he said in a statement provided to Dark Reading. "Sysadmins need to consider appropriate network access for their hosts, and evaluate the controls that govern segmentation. Being able to query a network model to determine where cloud access exists can go a long way toward understanding and mitigating risk to critical environments."

Also, given the focus that many Linux variants put on incorporating security bug exploits, he advised companies to, of course, focus on patching. He also suggested incorporating a tailored patching-prioritization process, which is easier said than done.

"That means taking a more proactive approach to vulnerability management by learning to identify and prioritize exposed vulnerabilities across the entire threat landscape," he said. "Organizations should ensure they have solutions capable of quantifying the business impact of cyber-risks with economic impact factors. This will help them identify and prioritize the most critical threats based on the size of the financial impact, among other risk analyses, such as exposure-based risk scores."

He added, "They must also enhance the maturity of their vulnerability management programs to ensure they can quickly discover whether or not a vulnerability impacts them, how urgent it is to remediate, and what options are there for said remediation."

Next-Gen Linux Malware Takes Over Devices With Unique Tool Set

APT42 is posing as a friend to people considered threats to the government, using a raft of different tools to steal relevant info and perform surveillance.

A well-resourced advanced persistent threat (APT) group aligned with Iran's Revolutionary Guard Corps Intelligence Organization (IRGC-IO) and active since 2015 is targeting perceived threats to the Iranian government with sophisticated cybercriminal and surveillance operations, based on social engineering and fraudulent trust relationships.  

APT42, believed to be a subset of APT35/Charming Kitten/Phosphorus, uses highly targeted spear-phishing and social-engineering techniques in which they get victims to trust them, according to a blog post and detailed report (PDF) by Mandiant released Wednesday.

The goal is to exploit those relationships to steal personal info and credentials, after which the group then moves deeper into corporate networks, or targets colleagues or family of the victim to steal yet more data and perform other nefarious activities.

APT42 also engages in surveillance by installing Android spyware on mobile devices to keep a constant eye on targets. This is to ensure "regime stability by monitoring, and subsequently even arresting, those they deem to be a threat to the regime," Mandiant researchers told Dark Reading.

Threat actors also sometimes use Windows malware to complement these primary methods of attack, researchers said. Indeed, APT42 is capable of conducting multiple types of operations at any given time, Mandiant researchers told Dark Reading, which is somewhat unique. The group has already been identified as the perpetrator in about 30 known campaigns — a number that Mandiant suspects is a low estimate.

"Not only does APT42 conduct 'traditional' cyber-espionage activity targeting organizations in order to obtain information of strategic relevance to the Iranian government, the group also conducts targeted surveillance operations against individuals," researchers said in an email interview.

In terms of threats to the private sector, "APT42 has a propensity to target both personal and corporate email accounts of individuals and organizations of interest," they told Dark Reading. "They also change their targeting patterns over time as Iranian government priorities change."

Here at home, current and former US government officials and researchers at think tanks and in academia involved in Iran-relevant policy-making or research already have been targets of APT42, and this activity is not likely to cease, researchers said. In fact, the group may even cast a wider net and extended its activities to government contractors working on the same Iran-related issues, researchers told Dark Reading.

**3 Stages of Threat Activity**

APT42 has three main areas of threat activity. Initial compromise is done via credential harvesting, using targeted spear-phishing campaigns that emphasize developing trust with the victim beforehand. This is done by impersonating journalists or other professionals that a victim might trust or want to connect with.

The group then uses this entry method to collect multifactor authentication (MFA) codes so they can bypass security protections and pursue deeper access to the networks, devices, and the accounts of employers, colleagues, and relatives to steal information that might be relevant to the government.

The second key activity of the group is to conduct surveillance operations through Android mobile malware that tracks locations, monitors communications, and keeps track of the activities of dissidents and other people of interest to the government.

Finally, the group also has in its arsenal a raft of malware, including custom backdoors and other "lightweight" tools that it uses for operations that go beyond credential harvesting, researchers said.

**Connections to Other Threat Groups**

The state-backed APT has been on the radar screen for security researchers since it commenced operations in 2015. It's tracked via a number of nomenclatures by different companies, including TA453 (Proofpoint), Yellow Garuda (PricewaterhouseCoopers), and ITG18 (IBM).

APT42 also has connections to and is likely a subset of APT35, the prolific group better known as Charming Kitten, but it has a different set of goals, researchers said.

Charming Kitten focuses more on long-term, malware-intensive operations targeting organizations and companies in the United States and Middle East to steal data to support the Iranian military and government operations. APT42, in contrast, targets specific individuals and organizations that the regime has its eye on for the purpose of domestic politics, foreign policy, and regime stability, researchers said.

**Specific, Agile State-Sponsored Cyber Campaigns**

Over the years, researchers have identified specific campaigns linked to APT42 and occasionally attributed to APT35/Charming Kitten/Phosphorus, due to the complexity of tracking the group's numerous operations, and the differences in how threat actors are identified.

A phishing campaign tied to APT42 and dubbed "Operation SpoofedScholars" occurred last year, with the group impersonating scholars with the University of London's School of Oriental and African Studies (SOAS). The operation targeted individuals focused on Middle East affairs in the United States and the United Kingdom to gain access to personal email inboxes.

Earlier this year, APT42 impersonated a legitimate British news organization in a February campaign targeting professors in Belgium and the United Arab Emirates that had ties to local governments or relatives holding dual citizenship in Iran, according to Mandiant. The activity obtained the personal email credentials of its targets, luring them by using a customized PDF document that invited them to an online interview, but instead linking them to a Gmail credential-harvesting page.

In addition to targeting scholars and journalists, APT42 also shows versatility and agility in its operations, researchers said. It was among threat groups that jumped on the bandwagon of targeting researchers in the pharmaceutical sector during the COVID-19 pandemic, with a campaign that occurred in its initial phase in March 2020, according to Mandiant.

"This indicates that APT42 is trusted by the Iranian government to quickly react to geopolitical changes by adjusting their flexible operations to targets of operational interest to Tehran," researchers said.

**Who's at Risk?**

Iran, like China and Russia, has a raft of threat actors at its service to conduct malicious cyber activity against organizations and individuals that the government has identified are threats. Its current offensive stance and rising cyber conflict with the United States is due to the unique position in geopolitics that the country currently occupies, Mandiant researchers told Dark Reading.

"The combination of regional tensions, the nuclear deal's negotiations, and domestic unrest about economic and social issues create an environment in which a group such as APT42 thrives," researchers said.

The group’s ability to pivot depending on the intentions of the government will continue to pose an immediate threat to both individuals and organizations globally, with global events and local politics continuing to drive operations and targeting priorities, Mandiant researchers said.

Iran-Linked APT Cozies Up to 'Enemies' in Trust-Based Spy Game

Here are a few measures your organization can implement to minimize fraudulent behavior and losses.

Since the Great Resignation in 2021, millions of employees across the nation have left their roles with current employers in search of better ones. According to Microsoft, 40% of employees reported they are considering leaving their current roles by the end of 2022. With many still working in remote or hybrid positions due to the pandemic, larger businesses have started implementing measures to gain a better understanding of employee morale and sentiment to prevent turnover.

While most employees leave companies on good terms, some may become extremely unhappy or disgruntled prior to their departure and are more likely to defraud the company either before leaving or on their way out the door. The unfortunate reality is that no business is immune to fraud, but luckily, there are several steps you can take to prevent it from happening.

**Understand Contributors to Fraudulent Behavior**

According to the Cressey Fraud Triangle, fraudulent behavior often occurs due to three contributing factors. These include pressure or motive to commit a fraud (usually a personal financial problem), perceived opportunity within the organization to commit a fraud (poor oversight or internal controls), and rationalization (the ability to justify the crime to make it seem acceptable).

Very often, a fraudster needs all three sides of the triangle to successfully commit a crime. Therefore, it is extremely important for organizations to do their best to create controls and understand the risk associated with each of these areas. For example, an employee may be disgruntled and also have personal financial issues. However, if internal controls are robust and the employee doesn't have access to financial instruments, valuable assets or software systems, their ability to defraud the company is extremely limited or will get identified immediately.

Additionally, there are actions an organization can take that may significantly mitigate the risk that an employee would find themselves in a situation where they could justify stealing from their employer, even if internal controls are limited or the employee is in a position of a high level of trust or authority. These including offering strong employee assistance programs, investing in the employee experience, exploring employee enrichment opportunities, surveying employees, monitoring morale, performing adequate exit interviews, and completing frequent anti-fraud training.

**Create a Web of Fraud Detectors**

There are typically eight key warning signs which may indicate an employee is more likely to commit fraud in an organization. According to the ACFE Global Fraud Survey, the top three are living beyond one's means, financial difficulties, and an unusually close association with a vendor/customer. Businesses must stay vigilant and identify potentially fraudulent behavior as soon as possible; monitoring for red flags among employees is often a helpful step.

Educating all employees about how to identify warning signs and report fraudulent activity is a beneficial practice for any business. According to that same ACFE Global Fraud Survey, organizations that implement fraud awareness training and other anti-fraud controls have seen quicker fraud detection and lower fraud losses as a result of their efforts. In fact, 42% of fraud is discovered by a tip, and 55% of all fraud is reported by employees of the company. Utilizing company employees to monitor for fraudulent behavior within the organization and creating a culture in which fraud is unacceptable under all circumstances are helpful in creating a team of full-time fraud detectors.

**Create and Maintain Strong Internal Controls**

There are many aspects about an employee's personal life that an employer can't control. And no matter how hard you try, an employer cannot always keep all employees engaged, satisfied and ultimately happy. But employers can control the opportunity side of the fraud triangle.

Establishing and maintaining strong and effective internal controls can greatly improve the chances that an organization either prevents fraudulent behavior or detects it before it can damage the company. Specifically, adequate fraud prevention controls over bank account activity, cash handling, purchasing and vendor management, credit card use, expense reimbursements, payroll, and inventory are crucial in protecting the company against a rogue employee who uses their position to misappropriate company assets.

When employers create enriching work environments where their employees feel supported and can convey internal or external stressors, they're boosting employee morale and minimizing the risk of fraudulent behavior. Unfortunately, you can't control all employee behavior no matter how hard you try, so it is crucial to also invest in adequate anti-fraud controls and trainings to protect your company even further. Very often, the cost of anti-fraud activities is far less than the cost of an actual fraud. Unfortunately, many companies don't discover this fact until it's too late.

Some Employees Aren't Just Leaving Companies — They're Defrauding Them

A relative newcomer to the ransomware scene, the BlackCat group quickly gained notoriety and may be associated with other APT groups like Conti and DarkSide.

Did you know that the BlackCat ransomware group has successfully breached more than 60 organizations in a couple of months? Government, healthcare, or public utilities — the group has made it abundantly clear that everyone is a target and will demand ransoms that can reach into the millions. Our own research shows that the BlackCat cybergroup favors exploiting vulnerabilities found in Windows operating systems, Exchange servers, and Secure Mobile Access products. Let's break down their tactics and ways to defend against their attacks. 

**Who is BlackCat?**

BlackCat (also known as AlphaV, AlphaVM, ALPHV, ALPHV-ng, or Noberus) is a relative newcomer to the ransomware scene but quickly gained notoriety during its first active months. Discovered in November 2021, the group was feared for its sophistication. Experts and researchers believe the group may be associated with other advanced-persistent threat (APT) groups like Conti, DarkSide, Revil, and BlackMatter.

**BlackCat: The Brief**

BlackCat has been observed to have the knowledge to exploit these five vulnerabilities: CVE-2016-0099 (High), CVE-2019-7481 (High), CVE-2021-31207 (High), CVE-2021-34473 (Critical), and CVE-2021-34523 (Critical).  
\[1\]CVE-2021-34473 and CVE-2021-34523, are both critical vulnerabilities found in Microsoft Exchange Server and require immediate remediation.

Although CVE-2021-31207, CVE-2021-34473, and CVE-2021-34523 have high severity scores, they should still take priority in patching efforts for their potential use in vulnerability chaining attacks and have multiple known threat actor associations.

CVE-2019-7481 is an SQL injection vulnerability that impacted SonicWall SMA100 version 9.0.0.3 and earlier. As this version is longer supported by the vendor, an immediate version upgrade is advised.

**How BlackCat Operates**

BlackCat's entry into an organization's network begins by leveraging stolen access credentials. At the pace security breaches occur, it is difficult to gauge how many credentials are stolen or leaked to the public every year, but about 20,000 (or 50%) of security incidents in 2021 were initiated by stolen credentials. 

After initial access is made, BlackCat or similar ransomware groups silently collect information, mapping the entire network and manipulating accounts for deeper access. Vendor-specific ransomware is then created based on the intelligence gathered during the initial phase of the attack, and security/backup systems are disabled or made to appear to be functioning as expected. The final step is to execute the ransomware and drop ransom notes on their unsuspecting victims.

**Notable Characteristics**What sets BlackCat apart from other ransomware groups is its ability to create highly tailored executables for their intended target that contribute to its reputation for sophisticated attack patterns across environments.

BlackCat develops its tools with the Rust programming language which brings greater stability and integration possibilities. By taking advantage of command-line-driven and human-operated code, BlackCat brings a higher level of configuration.

Its ransomware can then encrypt victims' data with four types of encryption methods. The code can be deployed across different platforms, including Linux and Windows-based systems.

BlackCat also engages in the practice of selling its services to others, or more commonly known as ransomware-as-a-service. Although BlackCat is the first known group to develop its ransomware with the Rust programming language, its use is now becoming common in threat circles. The group is further known for its speedy data encryption, which gives victims a smaller window and fewer chances of preventing prolonged damage and disruption to their services. The group's public leak site makes it simple for users to search their database of stolen information by victim name, password, and document type.

**How Organizations Can Prevent a BlackCat Attack**The ransomware group is quickly becoming the preferred ransomware-as-a-service provider for many threat actors today. Although the true extent of BlackCat's havoc may never fully be known, more than 60 incidents involving the group have pushed the FBI to release an advisory warning of the group's potential danger.

Keeping this information in mind, here are some actions businesses and organizations can take to protect themselves from a ransomware attack.

Patch vulnerabilities that are known to be exploited by the group, like the ones listed at the top of this article. Make sure unused network ports are properly protected.

Deploy multi-factor authentication for all users, require consistent identity verification, and routinely refresh passwords.

Regularly perform attack surface management scans to identify exposures within organization assets like servers, applications, and cloud-connected deployments.

Consider a professional penetration test of company networks to find unknown exposures.

Maintain separate backup data to avoid contamination in the event of a ransomware attack.

Although the threat landscape evolves and BlackCat's methods adapt over time, organizations have a responsibility to consistently monitor their networks and patch vulnerabilities accordingly. Many vulnerabilities, like CVE-2016-0099 found in Microsoft Windows, have been known for years and yet are exploited today. When it comes to ransomware groups, give them an inch, and they will take a mile.

Everything You Need To Know About BlackCat (AlphaV)

The threat actor — whose techniques and procedures do not match known groups — has created custom attack tools, including a program that hides scripts in .PNG images.

A relatively new cyber-espionage group is using an intriguing custom arsenal of tools and techniques to compromise companies and governments in Southeast Asia, the Middle East, and southern Africa, with attacks aimed at collecting intelligence from targeted organizations.

According to an analysis published on Tuesday by cybersecurity firm ESET, the hallmark of the group, which is dubbed Worok, is its use of custom tools not seen in other attacks, a focus on targets in Southeast Asia, and operational similarities to the China-linked TA428 group.

In 2020, the group attacked telecommunications companies, government agencies, and maritime firms in the region before taking a months-long break. It restarted operations at the beginning of 2022.

ESET issued the advisory on the group because the company's researchers have not seen many of the tools used by any other group, says Thibaut Passilly, a malware researcher with ESET and author of the analysis.

"Worok is a group that uses exclusive and new tools to steal data — their targets are worldwide and include private companies, public entities, as well as governmental institutions," he says. "Their usage of various obfuscation techniques, especially steganography, makes them really unique."

**Worok's Custom Toolset**

Worok bucks the more recent trend of attackers using cybercriminal services and commodity attack tools as these offerings have blossomed on the Dark Web. The proxy-as-a-service offering EvilProxy, for example, allows phishing attacks to bypass two-factor authentication methods by capturing and modifying content on the fly. Other groups have specialized in specific services such as initial access brokers, which allow state-sponsored groups and cybercriminals to deliver payloads to already-compromised systems.

Worok's toolset instead consists of an in-house kit. It includes the CLRLoad C++ loader; the PowHeartBeat PowerShell backdoor; and a second-stage C# loader, PNGLoad, that hides code in image files using steganography (although researchers have not yet captured an encoded image).

For command and control, PowHeartBeat currently uses ICMP packets to issue commands to compromised systems, including running commands, saving files, and uploading data.

While the targeting of the malware and the use of some common exploits — such as the ProxyShell exploit, which has been actively used for more than a year — are similar to existing groups, other aspects of the attack are unique, Passilly says.

"We have not seen any code similarity with already known malware for now," he says. "This means they have exclusivity over malicious software, either because they make it themselves or they buy it from a closed source; hence, they have the ability to change and improve their tools. Considering their appetite for stealthiness and their targeting, their activity must be tracked."

**Few Links to Other Groups**

While the Worok group has aspects that resemble TA428, a Chinese group that has run cyber-operations against nations in the Asia-Pacific region, the evidence is not strong enough to attribute the attacks to the same group, ESET says. The two groups may share tools and have common goals, but they are distinct enough that their operators are likely different, Passilly says.

"\[W\]e have observed a few common points with TA428, especially the usage of ShadowPad, similarities in the targeting, and their activity times," he says. "These similarities are not that significant; therefore we link the two groups with low confidence."

For companies, the advisory is a warning that attackers continue to innovate, Passilly says. Companies should track the behavior of cyber-espionage groups to understand when their industry might be targeted by attackers.

"The first and most important rule to protect against cyberattacks is to keep software updated in order to reduce the attack surface, and use multiple layers of protections to prevent intrusions," Passilly says.

Mysterious 'Worok' Group Launches Spy Effort With Obfuscated Code, Private Tools

What under-the-hood details of newly discovered attack control panel tells us about how the Evil Corp threat group manages its ServHelper backdoor malware campaigns.

A newly discovered cyberattack panel dubbed TeslaGun has been discovered, used by Evil Corp to run ServHelper backdoor campaigns.  

Data gleaned from an analysis by the Prodraft Threat Intelligence (PTI) team shows the Evil Corp ransomware gang (aka TA505 or UNC2165, along with half a dozen other colorful tracking names) has used TeslaGun to carry out mass phishing campaigns and targeted campaigns against more than 8,000 different organizations and individuals. The majority of targets have been in the US, which accounted for more than 3,600 of the victims, with a scattered international distribution outside of that.

There has been a continued expansion of the ServHelper backdoor malware, a long-running and constantly updated package that's been kicking around since at least 2019. It began picking up steam once again in the second half of 2021, according to a report from Cisco Talos, spurred by mechanisms like fake installers and associated installer malware like Raccoon and Amadey. 

Most recently, threat intelligence from Trellix last month reported that the ServHelper backdoor has recently been found dropping hidden cryptominers on systems.

The PTI report, issued Tuesday, delves into the technical specifics behind TeslaGun, and offers some details and tips that can help enterprises move forward with important countermeasures to some of the prevailing backdoor cyberattack trends today.

Backdoor attacks that circumvent authentication mechanisms and quietly establish persistence on enterprise systems are some of the most disconcerting for cybersecurity defenders. That's because these attacks are notoriously difficult to detect or prevent with standard security controls. 

**Backdoor Attackers Diversify Their Attack Assets**

PTI researchers said they observed a wide range of different victim profiles and campaigns during their investigations, supporting previous research that showed ServHelper attacks are trawling for victims in a variety of simultaneous campaigns. This is a trademark attack pattern of casting a wide net for opportunistic hits.

"A single instance of the TeslaGun control panel contains multiple campaign records representing different delivery methods and attack data," the report explained. "Newer versions of the malware encode these different campaigns as campaign IDs."

**But Cyberattackers Will Actively Profile Victims**

At the same time, TeslaGun contains plenty of evidence that attackers are profiling victims, taking copious notes at some points, and conducting targeted backdoor attacks.

"The PTI team observed that the main dashboard of the TeslaGun panel includes comments attached to victim records. These records show victim device data such as CPU, GPU, RAM size and internet connection speed," the report said, explaining this indicates targeting for cryptomining opportunities. "On the other hand, according to victim comments, it is clear that TA505 is actively looking for online banking or retail users, including crypto-wallets and e-commerce accounts."

The report said that most victims appear to operate in the financial sector but that this targeting is not exclusive.

**Resale Is an Important Part of Backdoor Monetization**

The way that the control panel's user options are set up offered researchers a lot of information about the group's "workflow and commercial strategy," the report said. For example, some filtering options were labeled "Sell" and "Sell 2" with victims in these groups having remote desktop protocols (RDP) temporarily disabled through the panel.

"This probably means that TA505 can not immediately earn a profit from exploiting those particular victims," according to the report. "Instead of letting them go, the group has tagged those victim’s RDP connections for the resale to other cybercriminals."

The PTI report said that based on the researchers' observations, the group's internal structure was "surprisingly disorganized" but that its members still "carefully monitor their victims and can demonstrate remarkable patience, especially with high-value victims in the finance sector."

The analysis further notes that the strength of the group is its agility, which makes it hard to predict activity and detect over time.

Nevertheless, the backdoor attackers aren't perfect, and this can offer some clues for cybersecurity pros looking to thwart their efforts.

"The group does exhibit some telltale weaknesses, however. While TA505 can maintain hidden connections on victims’ devices for months, its members are often unusually noisy," the report said. "After installing ServHelper, TA505 threat actors may manually connect to victim devices through RDP tunneling. Security technologies capable of detecting these tunnels may prove vital for catching and mitigating TA505's backdoor attacks."

The Russian-linked (and sanctioned) Evil Corp has been one of the most prolific groups of the last five years. According to the US government, the group is the brain trust behind the financial Trojan Dridex and has associations with campaigns using ransomware variants like WastedLocker. It continues to hone a raft of weapons for its arsenal as well; last week, it came to light that it's associated with Raspberry Robin infections.

Source

DARKReading