See how these novel, sophisticated, or creative threats used techniques such as living off the land to evade detection from traditional defensive measures — but were busted by AI.

We're now halfway through 2022, and already we have seen a range of cyberattacks, familiar and unfamiliar, disrupting organizations. However, we have also seen uplifting stories of successful threat detection efforts, as well.

In this article, we will look at five novel, sophisticated, or creative threats that used techniques such as "living off the land" to evade detection by traditional defensive measures. These threats were all discovered by artificial intelligence (AI) technology, which can spot subtle deviations in device and user behavior and autonomously enforce "normal," stopping a threat in its tracks.

**1\. Leading Laboratory Interrupts Dark Web Insider Threat With AI**

Cyberattacks against the healthcare sector hit record highs last year, and for these organizations cyber threats can have severe real-world consequences. One of Darktrace's healthcare clients is a company specializing in the research, development, and manufacturing of innovative in vitro diagnostic tests for disease, conditions, and infections.

In March, this company was targeted by a malicious insider threat. An employee was looking to exploit their access within the organization to sell proprietary intellectual property, perhaps even medical supplies, on the Dark Web. The employee was detected using Tor on a company device to connect to a Dark Web pharmaceutical market forum.

Malicious or compromised insiders can be difficult to identify because their privileged access and knowledge of company workings allow them to evade detection by traditional security tools. In order to protect intellectual property from insider threat, organizations need to augment security teams with AI-powered technology to stop malicious activity in real time.

In this case, given that no other company device had visited the Tor network in the past, Darktrace's AI flagged the activity to the security team, who were then able to investigate the employee and discover their malicious intentions.

**2\. Babuk Double-Extortion Ransomware Neutralized at a Technology Manufacturer**

Babuk is a double-extortion ransomware strain that has successfully attacked high-value organizations around the world since 2021. In February 2022, however, it targeted a multinational technology manufacturer that had deployed AI cybersecurity. The targeted company facilitates the adoption of smart medical devices as well as electric and autonomous vehicles. This means uptime is important, and ransomware poses a significant risk.

The first sign of a threat came in the early hours of the morning, when the AI detected a company device performing network scanning and making unusual connections to other internal devices. Based on its understanding of the device's usual "pattern of life," the AI identified this out-of-the-ordinary behavior as malicious and calculated a response.

The AI was able to stop this attack without interfering with normal business operations in the company's office or on the manufacturing floor. It blocked only the malicious connections, while allowing the rest of the compromised device's operations to continue.

Once the attack had been stopped, a post-compromise analysis conducted by the AI revealed that the compromised device had indeed been attempting to distribute files with "babyk" extensions. These attacks often strike out of hours, so defenders of critical infrastructure should consider using artificial intelligence to allow their organizations to self-defend against advanced threats.

**3\. HR-Spoofing Attack Targets Employees at Private Equity Firm**

Phishing and spoofing emails continue to be the favorite initial entry point for cyberattackers. Earlier this year, a private equity firm looking to bolster its email security efforts trialed an AI email security solution and detected a targeted spoofing attack almost immediately.

The attackers had tailored their email to imitate the company's internal HR communications, titling it "Q3 Commission 2021 and Agenda" and designing it to look like a SharePoint Microsoft document. To a company employee, this email would not have looked at all out of place in their inbox.

Further investigation showed the email to be part of a wider trend of targeted phishing campaigns that use fake Microsoft branding to trick employees. The exact motivations of this attack are unknown because it was stopped in its earliest stages, but attacks like it are often launched with the aim of causing operational disruption or conducting IP and financial theft.

**4\. Ransomware Attack Against a Financial Services Provider Halted**

In March 2022, a South African financial services firm decided to try out Darktrace's technology and immediately uncovered an in-progress ransomware attack attempting to encrypt its most valuable data.

The first sign of compromise was a company mail server making unusual HTTP connections to an external endpoint and communicating with a malicious server via the Internet. Its understanding of the business and this particular mail server's normal behavior allowed the AI to identify the threatening activity.

The compromised server was then seen attempting to perform network reconnaissance and lateral movement to increase its presence within the organization. Further investigation revealed that attackers had obtained the credentials of 11 employees, including several C-level executives. With the attack spreading fast, more and more company devices began attempting to communicate with the malicious external server.

The AI quickly interrupted further attempts at communication with the malicious server but allowed normal business operations to continue. With the attack safely contained, Darktrace helped the company's security team to conduct a full investigation and ensure that the attack had been completely neutralized.

**5\. AI Stops Log4j Exploit at a Global Financial Services Provider**

The Log4Shell vulnerability that went public at the end of 2021 is one of the most serious and widespread exploits on record. It is thought by some to have affected hundreds of millions of devices and, as a zero-day, it has evaded lots of traditional security tools.

Fortunately, AI security has been able to mitigate the effects of Log4Shell for many of the organizations it protects. One of these, a global financial services provider with assets of over $5 billion, was targeted in March 2022.

The attackers used a Log4j vulnerability to gain access to one of the company's virtual desktop infrastructure (VDI) servers, from which they attempted to scan the surrounding network and spread throughout the enterprise. The server began downloading a shell script from a suspicious external endpoint, prompting an immediate alert from the company's AI-driven security measures.

Convinced of the severity of the threat by the alert, the company's security team promptly deployed AI technology to take precise action against the threat and maintain the regular business activities on the VDI server.

Fast action from this AI-driven response technology blocked the malicious connections and prevented the threat from progressing further, very likely saving the company from a ransomware attack.

5 Surprising Cyberattacks AI Stopped This Year

Results from phishing simulation campaigns highlight the five most effective types of phishing email.

**Woburn, MA – June 28, 2022 —** Phishing simulator data from Kaspersky’s Security Awareness Platform shows that workers tend to not notice pitfalls hidden in emails devoted to corporate issues and delivery problem notifications, with one in five (16% to 18%) clicking the link in the email templates imitating these phishing attacks.

According to estimates, 91% of all cyberattacks begin with a phishing email, and phishing techniques are involved in 32% of all successful data breaches.

To provide further insight into this type of threat, Kaspersky analyzed data gathered from a phishing simulator provided voluntarily by users\[1\]. Integrated into Kaspersky Security Awareness Platform, this tool helps companies check if their staff can distinguish a phishing email from a real one without putting corporate data at risk. An administrator chooses from the set of templates, mimicking common phishing scenarios or creates a custom template, then sends it to the group of employees without pre-warning them and tracks the results. A large number of users clicking the link is a clear indication that additional cybersecurity awareness training is required.

According to recent phishing simulation campaigns, the five most effective types of phishing email are:

*   Subject**:** Failed delivery attempt - Unfortunately, our courier was unable to deliver your item. Sender: Mail delivery service. Click conversion: 18.5%
*   Subject: Emails not delivered due to overloaded mail servers. Sender: The Google support team. Click conversion: 18%
*   Subject: Online employee survey: What would you improve about working at the company. Sender: HR Department. Click conversion: 18%
*   Subject: Reminder: New company-wide dress code. Sender: Human Resources. Click conversion: 17.5%
*   Subject: Attention all employees: new building evacuation plan. Sender: Safety Department. Click conversion: 16%

Other phishing emails that gained a significant number of clicks include reservation confirmations from a booking service (11%), a notification about an order placement (11%), and an IKEA contest announcement (10%).

Alternatively, emails that threaten the recipient or offer instant benefits appeared to be less “successful.” A template with the subject “I hacked your computer and know your search history” gained 2% of clicks, while offers for free Netflix and $1,000 by clicking a link tricked just 1% of employees.

_“Phishing simulation is one of the simplest ways to track employees’ cyber-resilience and evaluate the efficiency of their cybersecurity training. However, there are significant aspects that must be considered when conducting this assessment to make it really impactful,”_ comments Elena Molchanova, head of security awareness business development at Kaspersky. _“Since the methods used by cybercriminals are constantly changing, the simulation has to reflect up-to-date social engineering trends, alongside common cybercrime scenarios. It is crucial that simulated attacks are carried out regularly and supplemented with appropriate training – so users will develop a strong vigilance skill that will allow them avoid falling for targeted attacks or so-called spear phishing.”_

To prevent data breaches, and any related financial and reputational losses caused by phishing attacks, Kaspersky recommends the following for businesses:

*   Remind your employees about the basic signs of phishing emails. A dramatic subject line, mistakes and typos, inconsistent sender addresses and suspicious links;
*   If there is any doubt about the received email, check the format of attachments before opening them and the link accuracy before clicking. This can be achieved by hovering over these elements - make sure the address looks authentic and the attached files are not in an executable format;
*   Always report phishing attacks. If you spot a phishing attack, report it to your IT security department and, if possible, avoid opening the malicious email. This will allow your cybersecurity team to reconfigure anti-spam policies and prevent an incident;
*   Supply your employees with basic cybersecurity knowledge. Education should be aimed at changing the behavior of learners and teaching them how to deal with threats. As a major cybersecurity vendor, Kaspersky possesses a relevant base of information on real attacks and continuously supplements its Security Awareness Trainings in accordance with the current threat landscape;
*   Since phishing attempts can be confusing, and there’s no guarantee of avoiding all accident clicks, protect your working devices with reliable security. Choose a solution that provides anti-spam capabilities, tracks suspicious behavior, and creates a backup copy of your files in case of ransomware attacks. Anti-phishing protection is included in some security solutions, even for small and very small businesses, such as Kaspersky Small Office Security.

Kaspersky Reveals Phishing Emails That Employees Find Most Confusing

The clever, interactive phishing campaign is a sign of increasingly complex social-engineering attacks, researchers warn.

A social-engineering campaign bent on stealing Facebook account credentials and victim phone numbers is targeting business pages via a savvy campaign that incorporates Facebook's Messenger chatbot feature.

That's according to an analysis from Trustwave SpiderLabs. Karl Sigler, senior security research manager there, tells Dark Reading that the campaign is notable for its interactivity, and how much more complex the social-engineering aspects of phishing campaigns have gotten.

"You don't just click on a link and then be prompted to download an executable — most people are going to understand that's an attack and not click on it," he explains. "In this attack, it's a link that leads you to a tech-support-type channel asking for information that you would expect tech support to ask for, and that ramping up of the social-engineering aspect is relatively new with these types of campaigns."

**Interactive & Seemingly Legitimate: A New Face of Phishing**

According to the research, the attacks start with emails, as they often do. The emails claim that user pages will be terminated in 48 hours due to a violation of Facebook's community standards — a savvy lure, researchers pointed out, given that the social-media giant has been vocal about its efforts to clamp down on rules-breakers.

The sender, purporting to be from Facebook's support team, claims to be giving users a chance to appeal, and offers an "Appeal Now" button to click directly from the email. If one hovers over the button, the URL uses Meta's legitimate URL-shortening service (which uses the convention "m.me"). If users click, they're taken to a real Messenger conversation with a chatbot.

The chatbot claims to be a representative of the Facebook support team, and presents another "Appeal Now" button to victims. The embedded link takes users to a new tab to a website hosted in Google Firebase.

"Firebase is an application development software that provides developers with a variety of tools to help build, improve, and grow the app \[making it\] easy for anyone to create and publish webpages," according to Trustwave's Tuesday analysis. "Spammers take advantage of this availability, and in this case, they built a website disguised as a Facebook 'Support Inbox,' where the user can purportedly appeal the supposed deletion of their page."

On this page, now-victims are asked to enter their email address or mobile number, first and last name, and page name. An additional text box for a phone number is displayed even though a mobile number is already being asked in the first text box. After pressing a "Submit" button, a pop-up window appears asking for the victims' passwords.

All of the data is of course sent directly to the cybercrooks' database.

The last link of the attack chain involves a bogus two-factor authentication gambit — users are presented with a pop-up box asking for a code, and are told they'll be sent a one-time password, which the attackers do since they've been able to capture victims' email and phone data.

Finally, the page will then redirect to the actual Facebook Help Center.

**Bolstering Trustability in Phishing**

One of the aspects that makes this campaign so effective is the fact that chatbots are a common feature of digital marketing and live support these days, and people are not inclined to be suspicious of their contents, especially if they come from a seemingly genuine source.

"The campaign uses the actual Facebook chat mechanism," Sigler says. "When you click the link in the email and it takes you literally to Facebook, and you can see your account profile up top, you can see that it's Facebook, you can look at the URL and it's got the nice little lock up-top that lends trust. The supporting says Page support. They've given me a case number. And that's often enough to break down those the barriers that a lot of people put up to identify the red flags associated with phishing."

Sigler warns that attacks like these can be especially risky for business-page owners in particular.

"This could be leveraged very well in a targeted-type of attack," he notes. "If I know an organization has standardized on specific messaging clients, whether it's Skype or Teams or Signal, I can start to craft a campaign specific to that messaging platform."

Cybercriminals can cause plenty of damage for business users with Facebook credentials and phone numbers, Sigler adds.

"If the person who is in charge of your social networking falls for this type of scam, suddenly, your entire business page may be defaced, or they could leverage access to that business page to gain access directly to your customers using the legitimacy of that Facebook presence," he explains. "They'll also probably go after additional network access and data."

**Phishing Defense with User Awareness Training: Still Effective**

The use of valid infrastructure to propagate such attacks is a sign of things to come in phishing, Sigler notes.

"A lot of times, these types of attacks will use cloned sites or those typosquatted domains that look like Facebook, but it's actually 'Facebock,' let's say," he says. "Going forward, we're going to continue to see a trend of attacks coming from traditionally valid sources, and it's going to be harder and harder to distinguish these campaigns because of that legitimacy level that they're piggybacking on top of."

That said, it's worth noting that this particular campaign was not without its suspicious red flags. For instance, the emails have grammatical problems, such as the improper capitalization of the word "Page," and the missing period at the end of the third sentence, researchers pointed out. And in the email header, the sender is named as "Policy Issues," but the sender domain does not belong to Facebook. It is also evident in the email's Received headers and sender IP address that it was not sent by the social media platform.

There are also problems when users are taken to the purported support page.

"Closer inspection of the profile owning the page will reveal that this is not an actual support page," according to the research. "The profile used is just a normal business/fan page with zero followers and no posts. Even though this page may seem unused, it had a 'Very Responsive' badge which Facebook defines as having a response rate of 90% and responds within 15 minutes. It even sported a Messenger logo as its profile picture to appear legitimate."

"While this type of attack is a little bit clumsy from my point of view, and I think a lot of people would see through it because of the red flags, I think that this is a start and I think that they're going to get much more clever," Sigler warns.

Thus, the best defense is to focus on user phishing training, Sigler advocates.

"More than 95% of compromises are initially started with somebody clicking on the wrong link in a phishing email," Sigler notes. "Hopefully organizations are having ongoing security awareness training, because the only thing you can do to patch for this type of attack is educate your users. So, it's important to revisit your security-awareness program, to take a look at what you're currently teaching your employees and users about phishing attacks, and make sure that it's up-to-date and includes some of these more complex campaigns."

Facebook Business Pages Targeted via Chatbot in Data-Harvesting Campaign

Google Analytics has been found to be in violation of GDPR privacy laws by Italy — the third country to ban it.

Italian regulators have decided to ban the use of Google Analytics, citing the US government's easy access to consumer data, which puts the service in violation of European Union General Data Protection Regulation (GDPR) laws.

That means that millions of users' online behavior will no longer be visible to the SEO platform.

Italy's Privacy Guarantor found that a collection of user IP addresses, as well as browsing and operating system, screen resolution, and selected language, in addition to the date and time the user visited a site, was being transferred to the US by Google Analytics without GDPR\-mandated privacy protections.

Website operators inside Italy have 90 days to review their Google Analytics use to ensure data privacy compliance, the Privacy Guarantor ruled.

The ruling follows similar actions taken by French and Austrian authorities.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Google Analytics Continues to Lose SEO Visibility as Bans Continue

Researchers this week said they had observed criminals using a new and improved version of the prolific malware, barely three months after its authors announced they were quitting.

The authors of "Raccoon Stealer," one of the most prolific information stealers of 2021, have released a new and improved version of the malware just three months after shutting down operations following the death of its lead developer in Ukraine.

Researchers from French cybersecurity vendor Sekoia this week reported stumbling upon active servers hosting Raccoon Stealer files while searching for signs of the malware earlier this month. Sekoia's subsequent investigation showed the authors of the malware had been selling the new version via their Telegram channel since at least May 17.

Sekoia said its analysis showed the authors of Raccoon Stealer have rewritten the malware and administrative panel for it, from scratch. The focus of the effort appears to have been on improving the stealer’s performance and efficiency. At its core, the new Raccoon Stealer remains a classic information stealer, with an extra focus on cryptocurrency wallets. It is designed to steal passwords, cookies, credit card data, and autofill forms from most modern browsers. The malware can steal from a wide range of desktop crypto wallets including Electrum, Exodus, MetaMask, and Coinomi.

**New and Improved**

Sekoia found Raccoon Stealer V2 to also feature capabilities — such as a file grabber for all disks and a built-in file downloader — for exfiltrating files for compromised systems and loading other software on the systems. Additional capabilities include screenshot capturing, keystroke logging, and application enumeration. "It's worth noting that the malware implements almost no defense evasion techniques, such as anti-analysis \[or\] obfuscation,” Sekoia said in a report summarizing its analysis this week. However, expect the malware authors to add those capabilities soon, the security vendor said.

Several security researchers had fully expected Raccoon Stealer to resurface when its developers announced they were stopping operations on March 25. The malware, which first surfaced in 2019, is widely regarded as one of the most effective information stealers in recent memory. Racoon Stealer's developers initially distributed it via a malware-as-a-service model that allowed other criminals to rent and use the stealer for a portion of the profits.

Over time, criminals began distributing it in other ways as well, including by planting it on websites selling pirated software. Last August, researchers from Sophos reported criminals dropping the malware from sites that were optimized to surface high on Google search engine results when people searched for sources of pirated software. In that campaign, Sophos concluded the criminals distributing Raccoon Stealer were likely using "droppers-as-a-service" to distribute the malware. Sophos researchers also observed attackers using a Telegram channel to deliver the address of the command-and-control gateway to systems infected with Raccoon Stealer. The security vendor surmised that Raccoon Stealer attackers had begun using the Telegram channel to make it harder to locate the malware's command and control infrastructure.

**Resurfacing on Cue**

In January 2022, Bitdefender's Cyber Threat Intelligence Lab observed the operators of the widely used RIG Exploit Kit include Raccoon Stealer in their kit. However, when Raccoon Stealer's developers announced they were quitting, the authors of RIG quickly swapped out the malware for the older but still popular Dridex banking Trojan. Recently, criminals have also used fake installers for legitimate software — such as VPNs from F-Secure and Proton — to distribute Raccoon Stealer.

In a report last week, Bitdefender predicted that Raccoon Locker would return despite the setback that pushed the developers to ceasing operations in March. It's an assessment that Sekoia shared this week. "We expect a resurgence of Raccoon Stealer v2 as developers implemented a version tailored to the needs of cybercriminals and scaled their backbone servers to handle large loads," Sekoia said.

'Raccoon Stealer' Scurries Back on the Scene After Hiatus

The previously unknown state-sponsored group is compromising industrial targets with the ShadowPad malware before burrowing deeper into networks.

A previously unknown Chinese-speaking advanced persistent threat (APT) is exploiting the ProxyLogon Microsoft Exchange vulnerability to deploy the ShadowPad malware, researchers said — with the end goal of taking over building-automation systems (BAS) and moving deeper into networks.

That's according to researchers at Kaspersky ICS CERT, who said that the infections affected industrial control systems (ICS) and telecom firms in Afghanistan and Pakistan, as well as a logistics and transport organization in Malaysia. The attacks came to light in October but appear to date back to March 2021.

"We believe that it is highly likely that this threat actor will strike again and we will find new victims in different countries," according to Kaspersky's Monday analysis.

In this specific spate of attacks, Kaspersky observed a unique set of tactics, techniques, and procedures (TTPs) linking the incidents together, including attackers compromising BAS engineering computers as their initial access point. Researchers noted this is an unusual move for an APT group, despite proof-of-concept malware being available for such platforms.

"Building-automation systems are rare targets for advanced threat actors," said Kirill Kruglov, security expert at Kaspersky ICS CERT, in the alert. "However, those systems can be a valuable source of highly confidential information and may provide the attackers with a backdoor to other, more secured, areas of infrastructures."

The attacks also threaten the physical integrity of buildings, researchers warned. BAS infrastructure unites operational features, such as electricity, lighting, HVAC systems, fire alarms, and security cameras, so they can be managed from a single management console.

"Once a BAS is compromised, all processes within that are at risk, including those relating to information security," according to Kaspersky's alert about the attacks.

In a real-world example of this rare kind of attack, last December a building automation engineering firm suddenly lost contact with hundreds of its BAS devices, including light switches, motion detectors, shutter controllers, and others — after being locked down with the system's own digital security key, which the attackers hijacked. The firm had to revert to manually flipping on and off the central circuit breakers in order to power on the lights in the building.  

**ProxyLogon Leads to ShadowPad Malware in Stealthy Infections**

In many cases, the cyberattackers exploited the ProxyLogon remote code-execution (RCE) vulnerability in MS Exchange (CVE-2021-26855), the firm added. When used in an attack chain, the exploits for these ProxyLogon could allow an attacker to authenticate as the Exchange server and deploy a Web shell so they can remotely control the target server.

ProxyLogon was disclosed in March 2021 after being exploited as a zero-day bug by a Chinese state-sponsored group that Microsoft calls Hafnium — but soon a dizzying array of threat groups piled on to exploit the issue to enable different kinds of attacks.

In this case, once in, the APT deploys the ShadowPad remote access Trojan (RAT) — a popular backdoor and loader used by various Chinese APTs. According to previous analysis from Secureworks, ShadowPad is advanced and modular, first deployed by the "Bronze Atlas" threat group in 2017. "A growing list of other Chinese threat groups have deployed it globally since 2019 in attacks against organizations in various industry verticals," the report noted.

Kaspersky researchers said that in the BAS attacks, "The ShadowPad backdoor was downloaded onto the attacked computers under the guise of legitimate software."

Specifically, the malware originally masqueraded as the mscoree.dll file, which is a Microsoft library file essential for the execution of "managed code" applications written for use with the .NET Framework. As such, the malware was launched by the legitimate AppLaunch.exe application, which itself was executed by creating a task in the Windows Task Scheduler. Last fall, the attackers switched to using the DLL-hijacking technique in legitimate software for viewing OLE-COM objects (OleView). The Windows Task Scheduler is also used in the newer approach. In both cases, using such living-off-the-land tools (i.e., legitimate native software) means that the activity is unlikely to raise any system-intrusion flags.

After the initial infection, the attackers first sent commands manually, then automatically, to deploy additional tools. Researchers said those included the following:

*   The CobaltStrike framework (for lateral movement)
*   Mimikatz (for stealing credentials)
*   The well-known PlugX RAT
*   BAT files (for stealing credentials)
*   Web shells (for remote access to the Web server)
*   The Nextnet utility (for scanning network hosts)

"The artifacts found indicate that the attackers stole domain-authentication credentials from at least one account in each attacked organization (probably from the same computer that was used to penetrate the network)," according to Kaspersky. "These credentials were used to further spread the attack over the network … we do not know the ultimate goal of the attacker. We think it was probably data harvesting."

**How to Protect Against APT Attacks Targeting BAS, Critical Infrastructure**

The attacks develop "extremely rapidly," Kaspersky said, so early-state detection and mitigation is key to minimizing damage. The researchers recommended the following best practices to protect industrial infrastructure, including BAS footprints:

*   Regularly update operating systems and any application software that are part of the enterprise's network. Apply security fixes and patches to operational-technology (OT) network equipment such as BAS, as soon as they are available.
*   Conduct regular security audits of OT systems to identify and eliminate possible vulnerabilities.
*   Use OT network traffic monitoring, analysis, and detection solutions for better protection from attacks that potentially threaten OT systems and main enterprise assets.
*   Provide dedicated OT security training for IT security teams and OT engineers.
*   Provide the security team responsible for protecting ICS with up-to-date threat intelligence.
*   Use layered security solutions for OT endpoints and networks.

China-Backed APT Pwns Building-Automation Systems with ProxyLogon

Swarms of breach attempts against the Atlassian Confluence vulnerability are likely to continue for years, researchers say, averaging 20,000 attempts daily as of this week.

Since it was first identified on June 2, the Atlassian Confluence remote code-execution (RCE) vulnerability tracked as CVE-2022-26134 has attracted the repeated attention of threat actors. Now, after peaking at up to 100,000 attack attempts daily on targets, cyberattackers have settled at a steady rate of 20,000 malware injection shots per day, launched from around 6,000 IPs.

Researchers at Akamai observed that attacks on the Atlassian Confluence bug are mainly focused in the commerce, high tech, and financial services sectors, and range from probing to malware injection in hopes of installing cryptominers and webshells.

"What is particularly concerning is how much of a shift upward this attack type has garnered over the last several weeks," a Tuesday Akamai report on the Atlassian Confluence vulnerability said. "As we have seen with similar vulnerabilities, this CVE-2022-26134 \[bug\] will likely continue to be exploited for at least the next couple of years."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Atlassian Confluence Exploits Peak at 100K Daily

Creating temporary keys that are not stored in central repositories and time out automatically could improve security for even small businesses.

While multifactor authentication, single-sign-on infrastructure, and stronger password requirements have improved the security of most enterprise identity and access management (IAM) environments, the longevity of passwords continues to pose problems for businesses, especially in granting temporary access to contractors and third-party partners.

A variety of vendors are trying to solve this problem. Last week, for example, data-security firm Keeper Security announced one-time shared passwords that allow companies to grant third-party partners temporary access to data and resources without adding them to the company's overall IT environment. The approach allows specific types of documents to be shared to a single user device, automatically removing access when the time expires.

The business case is all about securing access granted to contractors, says Craig Lurey, chief technology officer and co-founder of Keeper Security.

"We get asked constantly to allow short term, temporary access to third parties without requiring them to onboard as a licensed user," he says. "With this new feature, there is not 20 steps anymore. It is just instant, but preserving that encryption, simplifying the secure-sharing process, and eliminating the need to send private information over text messages."

**Credential Theft Is Big Business**

Supply chain breaches, stolen credentials, and the proliferation of software keys and secrets continue to undermine IT and data security. In March, secrets-detection firm GitGuardian found that developers leaked 50% more credentials, access tokens, and API keys in 2021, compared to 2020. Overall, 3 out of every 1,000 commits exposed a sensitive password, key, or credential, the company said at the time.

Failing to protect software secrets, user passwords, and machine credentials can lead to compromises of application infrastructure and development environments. Attackers have increasingly targeted identities and credentials as a way to gain initial access to corporate networks. Last week, for example, software security firm Sonatype discovered that at least five malicious Python packages attempt to exfiltrate secrets and environment variables for Amazon environments.

"It remains yet to be known who the actors behind these packages are and what is their ultimate goal," Sonatype stated in an advisory on the issue. "Were the stolen credentials being intentionally exposed on the web or a consequence of poor OpSec practices?"

**How Zero-Knowledge Encryption Protects Credentials**

Managing the access credentials for data means avoiding centralized storage of sensitive keys — a security advantage of zero-knowledge encryption (ZKE) — and regularly expiring keys so that former contractors, partners, and employees no longer have access to data. ZKE breaks up keys in specific ways, using both cryptography and tokenization, to prevent any device or database from having all the necessary information to reconstitute the master keys to unlock data.

    

Source: Keeper Security

The move to de-emphasize master passwords and keys is part of the cybersecurity industry's effort to create a passwordless security infrastructure. Yet, in the end, most enterprises rely on some sort of password to secure massive stores of keys or unlock cloud IAM services, says Lurey.

"Every year, the platforms try to come up with new schemes to bury the password, \[but\] at the end of the day, those platforms still rely on passwords, especially for account recovery," he says. "There is a growing number of passwords and secrets that everyone has to deal with, whether you are on the tech side and you have to deal with API keys and software secrets, or on the personal side and the growing number of sites that require personal or private information."

Creating a zero-knowledge way of managing secrets and offering one-use, temporary passwords requires significant design effort and a move away from the consolidation among large brands that are assuming the mantles of identity providers, Lurey says.

"The reason why the password continues to be popular is because it is something that you have that can be used to encrypt and decrypt data at the end of the day," he says. "The passkeys, which are just passwords, are being stored by Apple, Google, and Microsoft, so those are being synched with other devices and onboard devices, but how do you sync those secrets — it is basically a rabbit hole of authentication issues."

**The Passwordless Path Ahead**

The focus on ZKE is relatively new, and the vast majority of companies protect their secrets using key management systems, says Andras Cser, vice president and principal analyst for security and risk at Forrester Research. The focus on passwordless technologies typically involves biometrics, QR-code-based authentication, pushing authentication tokens to mobile devices, and sending one-time passwords via e-mail or text message, he says.

"Because of phishing issues, OTP and passwordless is slowly replacing the static password for authentication. Identity management and governance (IMG) to onboard, review, and off-board contractors and third parties for access is very important in this flow," Cser says.

Whether ZKE takes off will likely depend on whether third-party identity services using de facto standards, such as the FIDO2 and WebAuthn passwordless standards, gain popularity. In a white paper acknowledging the slow adoption of FIDO and the future integration with WebAuthn, the FIDO Alliance outlined what its passwordless future would look like, using mobile devices as standardized authenticators and allowing credentials to be synced across devices.

The changes will make "FIDO the first authentication technology that can match the ubiquity of passwords, without the inherent risks and phishability," the white paper stated.

Can Zero-Knowledge Crypto Solve Our Password Problems?

Developers need to think like WAF operators for security. Start with secure coding and think of Web application firewalls not as a prophylactic but as part of the secure coding test process.

A key approach to shifting security left is moving perimeter-focused security solutions down the stack by placing them in front of services and other infrastructure components, such as containers and container orchestration systems or API management systems and gateways.

While this does allow for more granular security, it's not a free lunch for developers. Just saying "The WAF will stop it" subverts the entire thinking and purpose of shifting left. Rather, developers must move from thinking of Web application firewalls (WAFs) as a prophylactic, to instead thinking of WAFs as a crucial part of their secure coding test process. Here's how they can accomplish that.

**The Explosion of WAFs and Cloud-Native Software**

While many companies still deploy WAF appliances, the fastest-growing segment of this market is WAF software that runs in the cloud. With the rise of cloud-native architectures and ephemeral infrastructure, more organizations are putting WAFs deeper into their application stacks — right in front of microservices. Some are even using WAFs for internal protection to enact robust zero-trust frameworks. So, the new reality is, developers are far more likely to come into close contact with WAFs today than at any point in the past. That said, WAFs at the microservice level are not foolproof.

**Before Deploying the WAF: Secure Coding Is Critical**

To start, developers must create applications under the assumption that all security controls can and will fail. This is important because it encourages them to build applications that are secure by default. Secure coding means using basic design principles — like code minification to obscure code — while ensuring that all variables and calls are checked against the OWASP Top 10 vulnerability list. There are dozens of ways that attackers can exploit poorly written code, including SQL injection, cross-site scripting, broken access controls, and file upload vulnerabilities.

A key part of this effort is to ensure developers are running linters and formatting checkers against all code. Usually, you will want developers to run code through software composition analysis (SCA) to identify risky dependencies and libraries that require updates. A secure coding process and mentality is more critical now because cloud-native microservices have turned security inside out.

At this point, the application security or DevSecOps teams run the code against some sort of simulation and add the WAF. For many developers, this is the end of the story. They assume, "We have deployed a WAF. We're safe now." They are wrong. Increasingly, the applications developers ship microservices, linked via APIs. Developers "own" their microservices and APIs and are responsible for security. The microservices and APIs may have highly specific rules and optimizations that can impact WAF behaviors and policies. Each application is different, and many unique APIs emerge.

For microservices, developers tend to rapidly ship code and make faster iterations on microservices because those smaller applications are loosely coupled and do not impact other applications. That makes for greater agility but also greater security risk if the changes are not run through the same cumbersome security process as observed at application launch.

**Learning to Think Like a WAF Operator**

Developers should always ask themselves before they ship code, "How will this impact my WAF coverage and security posture?" This question is good because it teaches them to think about how WAFs are working and not working — in other words, threat modeling.

Threat modeling is critical because there are known ways that attackers work around WAFs or exploit WAF weaknesses. For example, by default, Kubernetes exposes APIs for services and connections. Locking down Kubernetes APIs without messing up functionality is notoriously difficult, particularly if you're changing the applications and service calls in the applications on a regular basis. Recently, Shadowserver Foundation calculated that 84% of Kubernetes APIs servers had left themselves exposed to detection on the public Internet.

Understanding a WAF is a key precursor to threat modeling and, by extension, thinking like a firewall operator. Some WAF comprehension is tacit knowledge. For instance, tuning a WAF to limit false positives and false negatives to an acceptable level remains challenging. Developers looking to shift left can piggyback on experienced WAF operators to learn the tuning process and, in turn, better understand how the WAF responds to real-world traffic. Today, some organizations also deploy machine learning to help developers easily tune their WAFs by making rule and policy suggestions based on unsupervised learning across multiple WAFs.

**Better WAF Comprehension Leads to More Secure Code**

Even better, good WAF comprehension also transfers over into more secure coding. Developers that intimately understand WAFs — and have hands-on experience tuning them — benefit from tacit knowledge that is difficult to teach, and experience that goes beyond Open Web Application Security Project (OWASP} checklists. An equally good practice is, in a safe environment, to have developers work alongside red-team members to see how a smart attacker might compromise their apps and bypass default WAF settings.

The bottom line is simple: Developers, take time to know your WAF and learn its weaknesses. WAF wisdom will help you write secure code now and save your apps from being hacked in the future.

A WAF Is Not a Free Lunch: Teaching the Shift-Left Security Mindset

Like a hydra, every time one ransomware gang drops out (REvil or Conti), plenty more step up to fill the void (Black Basta).

After a 2021 beleaguered by ransomware, attack volumes continue to balloon in 2022. In fact, a report issued Tuesday indicates that in just the first three months of this year, the volume of ransomware detections almost doubled the total volume reported for all of last year. 

The increasingly high numbers came in spite of what appeared to be the downfall of a major ransomware group at the end of 2021: REvil. This serves as a testament to the persistence of criminal actors in reforming, rebranding, and regrouping their criminal gangs to profit handsomely off of ransomware tactics.

This persistence has been studied most recently by security researchers who have noted the rapid rise of the Black Basta ransomware gang in the past two months, quickly following the emergence of the LAPSUS$ group earlier in the year.

**Ransomware 2022 Volumes: Up, Up, Up**

The numbers today come by way of the quarterly "Internet Security Report" from WatchGuard Threat Lab, which examines Q1 2022 threat trends. Researchers with the firm report that unique ransomware detections in the first three months of the year were triple the volume of the same time period in 2021. Meantime, Q1 2022 ransomware volume equaled more than 80% of the total volume recorded in all of 2021.

“Based on the early spike in ransomware this year and data from previous quarters, we predict 2022 will break our record for annual ransomware detections,” says WatchGuard chief security officer Corey Nachreiner, noting that the last annual high-water mark for ransomware volume came back in 2018.

**LAPSUS$ Steps Up in the Underground Economy**

The report from his team explains that even in the face of high-profile arrests and charges made by US and Russian authorities in late 2021 and early 2022 that resulted in the disruption of the prolific REvil ransomware gang, the ransomware hits keep coming. Their analysis shows that REvil’s disruption “opened the door” for LAPSUS$ to emerge in a big way.

“The LAPSUS$ group made global headlines with their double-extortion ransomware techniques that caused cybersecurity decision-makers to take notice,” the report states. “The group was known to hire employees of organizations to steal information from the inside and then use extortion techniques to blackmail victim organizations. Their victim list also put decision makers on notice. Microsoft, Nvidia, Samsung, Ubisoft, Okta, and T-Mobile are all victims of LAPSUS$.”

This kind of resurgence of new groups should dampen security teams' celebrations of the demise of groups like REvil and Conti, which in May were reported to have shut down their operations. Stats from NCC Group show a slight dip in attacks that month, with a warning that other heads of the ransomware gang Hydra were already starting to emerge.

**Black Basta: New Kid on the Ransomware Block**

Most recently, the Black Basta ransomware gang has surged into the scene. Earlier in the month, two separate reports from Uptycs and NCC Group showed that Black Basta was targeting ESXi-based systems and servers among other victims, and leveraging the Qbot malware family (aka Qakbot) to maintain persistence on networks it goes after. 

"While Black Basta isn't the first to develop capabilities against ESXi (LockBit, Hive, and Cheerscrypt already have demonstrated ESXi capabilities), this shows the relative sophistication of the teams working under Black Basta performing the ransomware operations," said Jake Williams, executive director of cyber threat intelligence at SCYTHE, in a statement provided to Dark Reading. "Use of commodity malware like Qakbot demonstrates that there is no such thing as a 'commodity' malware infection. Organizations must treat every malware detection as an opportunity for a threat actor to deploy ransomware."

Meantime, an advisory report from the Cybereason Nocturnus research team last week offered further details about Black Basta’s tactics, techniques, and procedures. They deemed the threat from the group to be highly severe, as it has victimized more than 50 companies in English-speaking countries worldwide since April. Researchers said the hallmark of the firm is its use of double extortion – i.e., stealing sensitive files and information and using it to extort victims by threatening publication of the details unless a ransom is paid. The amounts asked for are often in the millions.

The sudden rise of Black Basta has some speculating that the group is actually just a regrouping of the two most recently disbanded groups.

“Due to their rapid ascension and the precision of their attacks, Black Basta is likely operated by former members of the defunct Conti and REvil gangs, the two most profitable ransomware gangs in 2021,” says Lior Div, CEO of Cybereason.

Source

DARKReading