Dark Reading's weekly roundup of all the OTHER important stories of the week.

Welcome to Dark Reading's weekly digest of the can't-miss stories of the week, featuring the lowdown on the Neopets breach and what it means for consumer-facing companies of all kinds; Google Drive and the trouble with the malicious use of cloud applications; a slew of disclosures about state-sponsored campaigns; and a Google Ads-related malvertising issue.  

Dark Reading's editors have gathered all of the interesting threat intelligence and cyber-incident stories that we just didn't get to earlier but would feel wrong not covering. In this week's "in case you missed it" (ICYMI) digest, read on for more on the following:

*   Neopets & Gaming's Lax Security
*   SolarWinds Hackers Embrace Google Drive in Embassy Attacks
*   Nation-State Attacks Ramp Up in APT-a-Palooza
*   Google Ads Abused as Part of Tech Support Scams

**Neopets & Gaming's Lax Security**

Neopets this week became the third gaming platform in the space of a week to be hit with a cyberattack (after Bandai Namco and Roblox), highlighting the interest that attackers have in hitting "leisure-activity" companies during the summer months. According to reports, the purveyor of virtual pets was robbed for its source code as well as the personal information belonging to its 69 million users.

A hacker who goes by the handle of "TarTarX" is putting the ill-gotten goods up for sale for 4 bitcoins, which translates to around $92,000 using Friday's exchange rate. The stolen PII appears to include data includes members' usernames, names, email addresses, ZIP codes, dates of birth, gender, country, and game-related information.

It's unclear how TarTarX gained access to the website, but Javvad Malik, security awareness advocate at KnowBe4, notes that the attack should be a wake-up call to all consumer-focused enterprises to better secure their data.

“We've seen toy manufacturers and games developers hit in the past due to the vast amount of personal data they collect," he says. "Such organizations should be mindful of the information they gather and the purpose of it. Holding excessive data means greater liability should a breach occur."

Any users impacted by the breach should ensure the password they used for Neopets isn’t used elsewhere, given the potential for credential-stuffing attacks, he adds.

**SolarWinds Hackers Embrace Google Drive in Embassy Attacks**

The hackers behind the sprawling SolarWinds supply chain attack are at it again, this time abusing Google Drive to smuggle malware onto targets' machines.

The advanced persistent threat (APT), tracked as APT29, Cloaked Ursa, Cozy Bear, or Nobellium, launched two waves of email-borne attacks between May and June. According to an analysis from Palo Alto Networks' Unit 42, the attacks targeted a foreign embassy in Portugal and another in Brazil. The group used a supposed agenda for an upcoming meeting with an ambassador as a lure.

"In both cases, the phishing documents contained a \[Google Drive\] link to a malicious HTML file (EnvyScout) that served as a dropper for additional malicious files in the target network, including a Cobalt Strike payload," according to Unit 42's post this week.

APT29 is believed by the US government to be affiliated with Russia’s Foreign Intelligence Service (SVR), and is widely considered to be responsible not only for SolarWinds but also the hack of the United States Democratic National Committee (DNC) in 2016.

The use of legitimate cloud services to deliver malicious payloads is on the rise as cybercriminals look to take advantage of the entrenched trust that millions of business users (and email gateways) have in them. Lior Yaari, CEO and co-founder of Grip Security, noted that this points to the need to better vet content coming from software-as-a-service (SaaS) app.

“The recent malicious activity discovered using Google Drive is emblematic of the SaaS security challenge — universal accessibility and ease of deployment," he said in a statement to Dark Reading. "Before Google Drive, there was Dropbox and before Dropbox, APT29 was hitting Microsoft 365. The SaaS security challenge for campaigns like these only illustrates the trend toward exploiting SaaS’s strengths for nefarious ends. And the matter only becomes worse with more SaaS out-of-sight for many security teams.”

**Nation-State Attacks Ramp Up in APT-a-Palooza**

Speaking of APTs, several nation-state-backed campaigns came to light this week. For instance, Citizen Lab said that it had forensically confirmed that at least 30 individuals were infected with NSO Group’s Pegasus mobile spyware after an extensive espionage campaign that took place late last year. The effort targeted Thai pro-democracy protesters and activists calling for reforms to the monarchy.

Google's Threat Analysis Group for its part flagged an odd false-flag operation in Ukraine. The Russia-linked hacking group Turla (aka Snake, Uroburos, and Venomous Bear) have created a malicious Android app that masquerades as a tool for Ukrainian hackers looking to carry out distributed denial-of-service (DDoS) attacks against Russian websites. Turla dubbed the app CyberAzov, in reference to the Azov Regiment or Battalion, a far-right group that has become part of Ukraine’s national guard.

CyberAzov is "hosted on a domain controlled by the actor and disseminated via links on third party messaging services," according to Google TAG. While the app is distributed under the guise of performing DDoS attacks, "the 'DoS' consists only of a single GET request to the target website, not enough to be effective."

In reality, the app is "designed to map out and figure out who would want to use such an app to attack Russian websites," according to an additional commentary from Bruce Schneier.

Meanwhile, Cisco Talos observed an unusual campaign targeting Ukrainian entities, which it said is likely attributable to Russia. This attack stood out amidst the barrage of cyberattacks that have been mounted against Ukraine, researchers said, because the attack targeted a large software development company whose wares are used in various state organizations within Ukraine.

"As this firm is involved in software development, we cannot ignore the possibility that the perpetrating threat actor's intent was to gain access to source a supply chain-style attack," researchers said in a posting this week, adding that the persistent access could also have been leveraged in other ways, including gaining deeper access into the company's network or launching additional attacks such as ransomware.

Also notable is the fact the effort revolved around "a fairly uncommon piece of malware" called GoMet; GoMet is an open source backdoor that was first seen in the wild in March.

And finally, the government of Belgium issued a statement disclosing a spate of attacks against its defense sector and public safety organizations emanating from three China-linked threat groups: APT27, APT30, and APT31 (aka Gallium or UNSC 2814).

The "malicious cyber activities … significantly affected our sovereignty, democracy, security and society at large by targeting the FPS Interior and the Belgian Defence," according to the statement.

**Google Ads Abused as Part of Tech Support Scams**

People performing a Google search for Amazon, Facebook, YouTube, or Walmart could find themselves browser-hijacked, researchers warned this week.

A malvertising campaign is abusing Google’s ad network to redirect visitors to an infrastructure of tech support scams, according to Malwarebytes.

"The threat actors are … purchasing ad space for popular keywords and their associated typos," researchers explained in a posting. "A common human behavior is to open up a browser and do a quick search to get to the website you want without entering its full URL. Typically a user will (blindly) click on the first link returned (whether it is an ad or an organic search result)."

In Google search results, those first returned links could be ads that redirect users to fake warnings urging them to call rogue Microsoft agents for support, researchers explained.

"Victims were simply trying to visit those websites and relied on Google Search to take them there. Instead, they ended up with an annoying browser hijack trying to scam them," researchers lamented.

The approach could just as easily be used to redirect to malicious sites serving up malware or phishing pages, researchers noted. Users — especially business users — should always take care to be skeptical when unexpected browser redirects occur.

ICYMI: Neopets & the Gaming Problem; SolarWinds Hackers Are Back; Google Ads Abused

A hardcoded password associated with the Questions for Confluence app has been publicly released, which will likely lead to exploit attempts that give cyberattackers access to all Confluence content.

Atlassian on Thursday urged organizations using its Questions for Confluence app to immediately update to the latest version of the software or to apply a mitigation measure to protect against a critical vulnerability in the product — one of three critical bugs disclosed by the vendor this week.

The "patch now" advice was prompted by the public disclosure of a hardcoded password associated with the Questions app that gives a remote, unauthenticated attacker a way to log into Confluence and access all content in the broader confluence-users group.

Many organizations use Confluence for project management and collaboration among teams scattered across on-premises and remote locations. Often Confluence environments can house sensitive data on projects that an organization might be working on, or on its customers and partners.

The Questions app meanwhile allows for a Q&A/crowdsourcing function within a given workspace.

The problem primarily impacts organizations using Questions for Confluence Server and Data Center versions 2.7.34, 2.7.35, and 3.0.2 of the app. However, even organizations using other versions of Confluence could potentially be affected, Atlassian said. The vulnerability does not affect the Questions for Confluence app for Confluence Cloud.

**Bracing for Exploits**

"The issue is likely to be exploited in the wild now that the hardcoded password is publicly known," Atlassian warned. "This vulnerability (CVE-2022-26138) should be remediated on affected systems immediately," the vendor said.

Atlassian disclosed the bug on Wednesday. The company described the issue as resulting from a Confluence user account that is created when the Questions for Confluence app is enabled either on Confluence Data Center or Confluence Server. The user account — with the username "disabledsystemuser" — is designed to help administrators migrating data from these apps to Confluence Cloud.

But the account is created with a hardcoded password that is added to the confluence-users group. This allows attackers to view and edit all non-restricted pages within the Confluence user-group by default, according to Atlassian. So, any attacker with knowledge of the password can log in remotely to the Confluence collaboration environment and access whatever content other users in the group can access, the software vendor said.

Soon after Atlassian's advisory Wednesday, a security researcher published the hardcoded password on Twitter, prompting Atlassian's urgent update Thursday.

The company's advisory provided details on how organizations can determine if they are affected by the vulnerability or might have already been compromised via an exploit targeting the flaw. Atlassian urged organizations to update to versions 2.7.38 or 3.0.5 of the software or to disable or delete the disabledsystemuser account.

Importantly, merely uninstalling the Questions for Confluence application would not remediate against the vulnerability because the disabledsystemuser account would still remain in place after the app is removed, Atlassian warned.

**Two Other Critical Vulnerabilities**

The other two critical vulnerabilities that were disclosed (CVE-2022-26136 and CVE-2022-26137) exist in multiple versions of almost all Atlassian products. These include Bamboo Server and Data Center, Bitbucket Server and Data Center, Confluence Server and Data Center, Crowd Server and Data Center, Jira Server and Data Center, and Jira Service Management Server and Data Center.

CVE-2022-26136 is an authentication-bypass vulnerability in Java code called Servlet Filter for intercepting and processing HTTP requests from and to a client and a backend system. The vulnerability gives attackers a way to use a specially crafted HTTP request to bypass Servlet Filters that third-party apps might use to enforce authentication.

The same vulnerability also allows attackers to use specially crafted HTTP requests to trick users into executing arbitrary JavaScript in the user's browser.

Atlassian said it had been able to confirm such attacks are possible but has still not been able to determine all third-party apps that might be affected by the issue.

The flaw tracked as CVE-2022-26137 also exists in Servlet Filter and gives remote, unauthenticated attackers a way to access vulnerable applications by using a specially crafted HTTP request to trick users into requesting a malicious URL. Atlassian has released updated versions of its software for all affected products to address these vulnerabilities.

**Atlassian's Ongoing Cybersecurity Woes**

The latest flaws mark the second time in the past two months that organizations using Atlassian's technology have been forced to scramble to fix serious flaws in its products.

In early June, the company disclosed a critical remote code-execution vulnerability (RCE) impacting all supported versions of Confluence Server and Data Center. The bug (CVE-2022-26134) gave unauthenticated attackers a way to drop a Web shell on affected systems. It generated considerable concern because threat actors had already begun exploiting it by the time the company issued a fix for it.

Attackers quickly began actively exploiting the flaw to distribute a variety of malware, including Mirai bot variants, cryptominers, ransomware and the Cobalt Strike post-exploit attack kit. Many of the attacks were automated in nature.

An analysis by Barracuda showed that 45% of attempts to exploit the vulnerability were from Russia-based IP addresses; 25% percent of the exploit attacks were from the US; and 11% originated from IP addresses in India.

Critical Bugs Threaten to Crack Atlassian Confluence Workspaces Wide Open

Candiru attackers breached a news agency employee website to target journalists with DevilsTongue spyware, researchers say.

A zero-day vulnerability in Google Chrome was used by the established spyware group Candiru to compromise users in the Middle East — specifically journalists in Lebanon.

Avast researchers said attackers compromised a website used by news agency employees in Lebanon, and injected code. That code identified specific, targeted users and routed them to an exploit server. From there, the attackers collect a set of about 50 data points, including language, device type, time zone, and much more, to verify that they have the intended target.

At the very end of the exploit chain, the attackers drop DevilsTongue spyware, the team noted.

"Based on the malware and TTPs used to carry out the attack, we can confidently attribute it to a secretive spyware vendor of many names, most commonly known as Candiru," the Avast researchers explained.

The original vulnerability (CVE-2022-2294), discovered by the same Avast team, was the result of a memory corruption flaw in WebRTC. Google issued a patch on July 4.

"The vulnerabilities discovered here are definitely serious, particularly because of how far-reaching they are in terms of the number of products affected — most modern desktop browsers, mobile browsers, and any other products using the affected components of WebRTC," James Sebree, senior staff research engineer with Tenable, said via email. "If successfully exploited, an attacker could potentially execute their own malicious code on a given victim's computer and install malware, spy on the victim, steal information, or perform any other number of nefarious deeds."

But, Sebree added, the original heap overflow flaw is complicated to exploit and won't likely result in widespread, generalized attacks.

"It's likely that any attacks utilizing this vulnerability are highly targeted," Sebree explained. "While it's unlikely that we will see generalized attacks exploiting this vulnerability, the chances are not zero, and organizations must patch accordingly."

Candiru (aka Sourgum, Grindavik, Saito Tech, and Taveta) allegedly sells the DevilsTongue surveillance malware to governments around the world. The Israeli company was founded by engineers who left NSO Group, maker of the infamous Pegasus spyware.

The US Commerce Department added Candiru to its "Entity List" last year, effectively banning trade with the company. The list is used to restrict those deemed to pose a risk to US national security or foreign policy.

Google Chrome Zero-Day Weaponized to Spy on Journalists

Luna, Black Basta add to rapidly growing list of malware tools targeted at virtual machines deployed on VMware's bare-metal hypervisor technology.

The latest confirmations of the growing attacker interest in VMware ESXi environments are two ransomware variants that surfaced in recent weeks and have begun hitting targets worldwide.

One of the malware tools, dubbed Luna, is written in Rust and can encrypt data on ESXi virtual machines (VMs) in addition to data on Linux and Window systems. The other is Black Basta, a rapidly proliferating ransomware variant written in C++ that, like Luna, targets ESXi VMs and also works on Windows and Linux systems as well.

They add to a collection of ransomware variants aimed at ESXi, VMware's bare-metal hypervisor for running virtual machines. Numerous organizations use the technology to deploy multiple VMs on a single host system or across a cluster of host systems, making the environment an ideal target for attackers looking to cause widespread damage.

"Infrastructure services like networking equipment and hosting infrastructure like ESXi can't easily be patched on demand," says Tim McGuffin, director of adversarial engineering at Lares Consulting. "Attacking these services provides a one-stop shop for impact since a large number of servers can be encrypted or attacked at once."

Other recent examples of malware targeting ESXi environments include Cheerscrypt, LockBit, RansomEXX, and Hive.

**The Cross-Platform Ransomware Threat**

Researchers from Kaspersky first spotted Luna in the wild last month. Their analysis shows the malware to fall into the trend of several other recent variants that are written in platform-agnostic languages like Rust and Golang, so they can be easily ported across different operating systems. The researchers also found the malware to employ a somewhat rare combination of AES and x25519 cryptographic protocols to encrypt data on victim systems. The security vendor assessed the operator of the malware to be likely based in Russia.

Kaspersky's analysis of a recent version of Black Basta — a ransomware variant it has been tracking since February — shows the malware has been tweaked so it can now encrypt specific directories, or the entire “/vmfs/volumes” folder, on ESXi VMs. The malware uses the ChaCha20 256-bit cipher to encrypt files on victim systems. It also uses multithreading to speed up the encryption process by getting all processors on the infected systems to work at the same time on the task.

Since surfacing in February, the operators of Black Basta have managed to compromise at least 40 organizations worldwide. Victims include organizations in the manufacturing and electronics sectors in the US and multiple other countries. Available telemetry suggests the threat actor could soon chalk up other hits across Europe, United States, and Asia, according to Kaspersky.

**A Target for Inflicting Wide Damage**

The proliferation of ransomware targeting ESXi systems poses a major threat to organizations using the technology, security experts have noted. An attacker that gains access to an EXSi host system can infect all virtual machines running on it and the host itself. If the host is part of a larger cluster with shared storage volumes, an attacker can infect all VMs in the cluster as well, causing widespread damage.

"If a VMware guest server is encrypted at the operating system level, recovery from VMware backups or snapshots can be fairly easy," McGuffin says. '\[But\] if the VMware server itself is used to encrypt the guests, those backups and snapshots are likely encrypted as well." Recovering from such an attack would require first recovering the infrastructure and then the virtual machines. "Organizations should consider truly offline storage for backups where they will be unavailable for attackers to encrypt," McGuffin adds.

Vulnerabilities are another factor that is likely fueling attacker interest in ESXi. VMware has disclosed multiple vulnerabilities in recent months. In February, for instance, the company disclosed five flaws — including important and critical ones — that affected ESXi (CVE-2021-22040, CVE-2021-22041, CVE-2021-22042, CVE-2021-22043, and CVE-2021-22050). The same month, VMware announced a heap overflow vulnerability in the technology (CVE-2021-22045), and there have been multiple other moderate to low severity flaws the company has disclosed over the past year or so, including a critical remote code execution flaw.

"In recent months, VMware ESXi had several notable vulnerability disclosures and patches, which might be why attackers have an increased interest in targeting those environments," says Joseph Carson, chief security scientist and advisory CISO at Delinea. Most of these virtual environments tend to have a strong backup and snapshot strategy. However, attackers can cause a significant impact if they can also deploy ransomware on the backup systems as well, he says.

Carson advocates that organizations running VMware conduct risk assessments and consistently check for known vulnerabilities and misconfigurations to ensure they are patched and configured correctly. They also need to ensure that Internet-facing systems have strong access controls in place to ensure only authorized employees have access to those systems.

Matthew Warner, chief technology officer and co-founder at Blumira, points to the Log4j vulnerability as another likely reason for the mushrooming attacker interest in ESXi environments. "VMware has an incredibly wide range of solutions that utilized Log4i and were impacted by this vulnerability," he says. VMware itself acted quickly to provide mitigation guidance. But it's likely that many ignored the mitigation advice and are now targets of ransomware purveyors, he says.

"There is almost never a situation where VMware Horizon should be Internet-facing," Warner says. "It opens up untold amounts of risk to the infrastructure." Blumira has run into several instances where VMware Horizon servers were exposed due to access control issues on the firewalls, not to purposeful exposure. "This serves as a good reminder that your DMZ and Internet exposure must be monitored on an ongoing basis within your environment," he advocates.

Snowballing Ransomware Variants Highlight Growing Threat to VMware ESXi Environments

The ever-evolving threat from phishing is growing more sophisticated as attackers design high-pressure situations and leverage ever-more-convincing social engineering tactics to increase their success rates.

This week, it came to light that gaming platform Roblox was breached via a phishing/social-engineering attack that led to the theft of internal documents and the leaking of them online in an extortion attempt.  

The hacker has posted documents on a forum that purport to contain information about some of Roblox's most popular games and creators, according to Motherboard. Additionally, some of the documents include individuals' personally identifiable information.  

But Roblox is hardly alone — it's just the latest in a long line of corporate phishing victims. The success of these attacks showcases just how effective phishers have become at manipulating employee targets at various enterprises. 

In the last few months, the IT security news cycle has been dominated by reports of phishing attacks exploiting trusted applications like email, QuickBooks, and Google Drive, to name just a few. This week, research from Avanan shows that hackers have found a new way into the inbox by creating fake invoices in PayPal, leveraging the site's legitimacy to gain access.  

The abuse of legitimate services is a key factor in the latest spate of phishing attacks, which use social engineering tactics to lure victims into giving up information like login credentials. SlashNext Threat Labs reported a 57% increase in phishing attacks from trusted services between the fourth quarter of 2021 and the first months of 2022.

In June, Microsoft 365 and Outlook customers were targeted with voicemail-themed emails as phishing lures, while QuickBooks users were victims of back-to-back campaigns in June and July, including a vishing scam targeting small businesses. And, indeed, concerns over multichannel phishing attacks are growing, with a particular focus on smishing and business text compromises.

Meanwhile, cloud collaboration and the use of tools like Zoom and Microsoft Teams have exploded during the past two years since the onset of the pandemic, and have become standard operating procedures for remote workers. Attackers have seen this trend and capitalized on it.

**Phishing Lures Grow in Sophistication**

Jeremy Fuchs, cybersecurity research analyst at Avanan, points out that phishing attacks continue to become more sophisticated, and social engineering tactics continue to evolve. He says he thinks there will be increased usage of legitimate services like PayPal to send phishing emails that come from a legitimate email address.

"We've seen an uptick in so-called double-spear tactics, whereby the hackers not only get your funds, but they also get your phone number for future attacks," he says. "We'll see more of these attacks that can snag more than one item from an end user."

Gretel Egan, senior cybersecurity awareness training specialist at Proofpoint, says she continues to see attackers abusing well-known brands and taking advantage of legitimate services to trick people into making fundamental mistakes in the inbox.

"These are messages that look 'right' on the surface, that tap into ways of working," she says. "These types of subtle manipulations can be difficult for people to spot, and it's critical that workers be made aware of attackers' capabilities and propensities to operate in this manner."

Egan explains that threat actors are using real-time events and themes that have the attention of the wider world.

"If it's something we are talking about as a society, or something that elicits strong emotions, then it is content that is likely to be exploited," she says. "Increasingly, we are seeing threat actors use their social engineering content to move victims out of the corporate email environment to alternate communication platforms such as the telephone and conferencing software."

**Distributed Workforce Adds to Vulnerabilities**

Social engineering is inherently people-centric, and in today's hybrid workforce, organizations are struggling to protect data, devices, and systems while remaining agile.

Egan points out employees are also having to adapt to remain connected and engaged with their co-workers.

"Those in remote and hybrid environments are relying heavily on collaboration applications and social media, both public and enterprise," she says. "These trends have opened the door to a whole host of social engineering tactics and other cyber threats."

She notes social engineering techniques aren’t seen only in emails — these tactics are being used successfully across text messages, phone calls, direct messages, and more.

Fuchs agrees remote work has its challenges, including not being able to stop by IT's desk to ask about an email.

"But while working from home, distraction might play a role," he adds. "There are more stimuli — the dog barking, the child crying, answering a thousand Slack messages — that taking the time to focus on the keys in an email that alert you to the fact it might be suspicious can go to the wayside."

**Deploying Advanced ML, AI Tech**

Fuchs argues IT policies must move away from static "allow and block lists" and move toward advanced AI.

"Static lists allow these legitimate services to be used for phishing," Fuchs says. "Advanced AL and ML can suss out what's real and what's not."

Egan says multilayered protection is the best strategy against phishing emails, layered within a culture of security with the placement of people at the center.

She adds that it's important to understand which users are most targeted and which are the likeliest to fall for the social engineering that phishing attacks rely on.

"Users are a critical line of defense against phishing and it's important that security awareness education provides a foundation to ensure everyone can identify a phishing email and easily report it," she says. "This should be combined with layered defenses at the email gateway, in the cloud, and at the endpoint."

Fuchs agrees that, for employees, training continues to be a must and it needs to focus on having the user slow down and check a few critical signs, like sender address and URL destination.

From his perspective, a two-second check can often avoid disaster.

"The key takeaway from this this deluge of phishing attacks is that hackers have found tremendous success leveraging legitimate brands," he says.

Whether it's spoofing the brand or sending phishing emails directly from the service, anything that looks like a trusted brand is more likely to land in the user's inbox and more likely to be acted upon.

"Impersonation scams are on the rise, and, given the tremendous amount of services they can leverage, it's not likely to slow down," he warns.

Phishing Bonanza: Social-Engineering Savvy Skyrockets as Malicious Actors Cash In

With more staff working remotely, identity, authentication, and access have never been more important.

Last week, Thales announced that it had the signature of an agreement to acquire OneWelcome, a European leader in the fast-growing market of customer identity and access management (CIAM), for a total consideration of €100 million. Thales aims to capitalize on OneWelcome's strong cloud-native software-as-a-service (SaaS) product by extending its market footprint beyond Europe and selling it to existing Thales clients in North America and the Asia-Pacific region.

**Complementary Identity Acquisition**

OneWelcome's strong digital identity life-cycle management capabilities will complement Thales's existing identity services (secure credential enrollment, issuance and management, know your customer etc.). With this acquisition, Thales will be able to provide an expanded identity platform that will:

*   Be accessible to organizations of all sizes to manage internal and external identities
*   Quickly bring new businesses online
*   Improve operational efficiency and customer experience
*   Meet or exceed regulatory compliance requirements

It does look like CIAM is disappearing as a stand-alone pillar and is becoming a major pillar within larger vendors expanding cybersecurity portfolios. In addition to Thales' acquisition of OneWelcome, other notable ones include:

*   Ping Identity acquired Unbound ID in 2016.
*   SAP bought Gigya for $350 million in 2017.
*   Akamai acquired Janrain in 2019.

**CIAM of Interest to Technology Vendors in Various Sectors**

It's interesting that these acquisitions don't follow a pattern. Thales is arguably the biggest vendor in data security with its encryption capabilities. Ping was already a significant player in enterprise identity management/IDaaS before it added CIAM, and SAP, of course, has a huge enterprise resource planning (ERP) and customer relationship management (CRM) business. And Akamai is a content delivery network (CDN) that has been expanding its security offerings for the best part of a decade.

What they have in common, however, is that the acquirers all serve enterprise customers who deal with large numbers of customers in the consumer market and their interactions with them have moved increasingly online, making CIAM a vital part of their security toolkit. Think of CIAM as the place where identity management (IAM and IDaaS) meets CRM, enabling consumers to access online resources and learning from their behaviors to improve their experience and, hopefully, to drive more sales.

**Data Security and CIAM Convergence**

Thales is a major player in the data security space and the acquisition of OneWelcome helps it expand its identity portfolio.

It does seem that an increasing number of vendors are wanting to play in the identity space. Only last month, Microsoft expanded its capabilities in identity with the launch of Entra. The good growth potential of CIAM and clamor by big vendors to enter this space can help to explain why Omdia projects this market to increase from $8.1 billion in 2021 to $16.7 billion in 2026.

    

The world market for CIAM, by revenues ($ Millions). Source: Omdia’s Identity Authentication Access Market Tracker. 1H22

Thales Expands Cybersecurity Portfolio With OneWelcome Acquisition

Understanding the limitations of firewalls is important to protecting the organization from evolving threats.

Firewalls were born in the 1990s, alongside Windows 95 and Internet Explorer. They've been a staple of network security since, which prompts the question: Are firewalls still relevant? The determining factor is whether firewalls have grown with the changes we've seen in technology or if they've just stayed in line with the technology of the 1990s and early 2000s.

**How Firewalls Work & How They Don't**

Firewalls work primarily on the principle of deep packet inspection. Data packets are the units of information that constitute any type of Internet traffic, including Web traffic. They protect networks by checking the payload of every data packet trying to enter or leave a network and blocking any packets that contain malicious content. Content typically is defined as malicious through a series of rather complex policies and rules.

Today, data is almost always encrypted. Encryption ensures that good incoming and outgoing traffic is protected from prying eyes, but, unfortunately, it also hides bad incoming and outgoing traffic. Some firewalls can de-encrypt data packets, check their payload, and then re-encrypt them, but this process is computationally intensive and can bog down the network significantly. Also, this process is not always an available option given how many modern security protocols block the types of man-in-the-middle operations required for full-blown SSL inspection.

**Leveraging IP Addresses**

Indeed, deep packet inspection is becoming an antiquated security practice, but there are other ways to identify whether specific activity is malicious.

For example, some organizations blacklist malicious Web domains, then automatically block traffic from those sites, while others use tactics such as SIEM log analysis. However, these types of monitoring and alert systems are reactive: They tell you that you've been attacked, but don't block the malicious traffic that can cause an attack.

I staunchly believe in multifaceted security, with a simple set of three starting points:

1.  Don't reuse passwords.
2.  Regularly update your software.
3.  Use the truest lowest-common-denominator of Internet traffic — the IP address itself — to your advantage, as a key foundational tenet of your cyber security stack.

It's the third leg of that stool that can help ensure that your organization achieves a proactive posture when it comes to malicious traffic.

Since all traffic is identified by a unique IP address, focusing on IP is a simple way to identify and block any packets coming from or going to known malicious sources — without ever needing to check their contents. It doesn't matter if the data being transferred is encrypted or not.

Surprisingly to some, firewalls can't and don't perform this function very well because you need a very different hardware and software architecture to achieve deep packet inspection versus achieving IP filtering at scale.

**Conclusion**

While firewalls are a very important tool in organizations' security arsenals, it's important to align security solutions with security threats. As cyberattacks evolve, organizations should consider the kinds of tools that will be needed to complement and shore up firewall protection.

What Firewalls Can — and Can't — Accomplish

The CloudMensis spyware, which can lift reams of sensitive information from Apple machines, is the first Mac malware observed to exclusively rely on cloud storage for C2 activities.

A previously unknown macOS spyware has surfaced in a highly targeted campaign, which exfiltrates documents, keystrokes, screen captures, and more from Apple machines. Interestingly, it exclusively uses public cloud-storage services for housing payloads and for command-and-control (C2) communications — an unusual design choice that makes it difficult to trace and analyze the threat.

Dubbed CloudMensis by the researchers at ESET who discovered it, the backdoor was developed in Objective-C. ESET's analysis of the malware released this week shows that after initial compromise, the cyberattackers behind the campaign gain code execution and privilege escalation using known vulnerabilities. Then, they install a first-stage loader component that retrieves the actual spyware payload from a cloud storage provider. In the sample the firm analyzed, pCloud was used to store and deliver the second stage, but the malware also supports Dropbox and Yandex as cloud repositories.

The spy component then sets about harvesting a bevy of sensitive data from the compromised Mac, including files, email attachments, messages, audio recordings, and keystrokes. In all, researchers said it supports 39 different commands, including a directive to download additional malware.

All of the ill-gotten data is encrypted using a public key found in the spy agent; and it requires a private key, owned by the CloudMensis operators, for its decryption, according to ESET.

**Spyware in the Cloud**

The most notable aspect of the campaign, other than the fact that Mac spyware is a rare find, is its exclusive use of cloud storage, according to the analysis.

"CloudMensis perpetrators create accounts on cloud-storage providers such as Dropbox or pCloud," Marc-Etienne M.Léveillé, senior malware researcher at ESET, explains to Dark Reading. "The CloudMensis spyware contains authentication tokens that allow them to upload and download files from these accounts. When the operators want to send a command to one of its bots, they upload a file to the cloud storage. The CloudMensis spy agent will fetch that file, decrypt it, and run the command. The result of the command is encrypted and uploaded to the cloud storage for the operators to download and decrypt."

This technique means that there are no domain name nor IP address in the malware samples, he adds: "The absence of such indicator makes it difficult to track infrastructure and block CloudMensis at the network level."

While a notable approach, it's been used in the PC world before by groups like Inception (aka Cloud Atlas) and APT37 (aka Reaper or Group 123). However, "I think it is the first time we've seen it in Mac malware," M.Léveillé notes.

**Attribution, Victimology Remain a Mystery**

So far, things are, well, cloudy when it comes to the provenance of the threat. One thing that's clear is that the intention of the perpetrators is espionage and intellectual property theft — potentially a clue as to the type of threat, since spying is traditionally the domain of advanced persistent threats (APTs).

However, the artifacts ESET was able to uncover from the attacks showed no ties to known operations.

"We could not attribute this campaign to a known group, neither from the code similarity or infrastructure," M.Léveillé says.

Another clue: The campaign is also tightly targeted — usually the hallmark of more sophisticated actors.

"Metadata from cloud storage accounts used by CloudMensis revealed the samples we analyzed has run on 51 Macs between Feb. 4 and Apr. 22," M.Léveillé says. Unfortunately, "we have no information about the geolocation or vertical of the victims because files are deleted from the cloud storage."

However, countering the APT-ish aspects of the campaign, the sophistication level of the malware itself is not that impressive, ESET noted.

"The general quality of the code and lack of obfuscation shows the authors may not be very familiar with Mac development and are not so advanced," according to the report.

M.Léveillé characterizes CloudMensis as a medium-advanced threat, and noted that unlike NSO Group's formidable Pegasus spyware, CloudMensis builds no zero-day exploits into its code.

"We did not see CloudMensis use undisclosed vulnerabilities to bypass Apple's security barriers," says M.Léveillé. "However, we did find that CloudMensis used known vulnerabilities (also known as one-day or n-day) on Macs that do not run the latest version of macOS \[to bypass security mitigations\]. We do not know how the CloudMensis spyware is installed on victims' Macs so perhaps they do use undisclosed vulnerabilities for that purpose, but we can only speculate. This places CloudMensis somewhere in the middle in the scale of sophistication, more than average, but not the most sophisticated either."

**How to Protect Your Business from CloudMensis & Spyware**

To avoid becoming a victim of the CloudMensis threat, the use of vulnerabilities to work around macOS mitigations means that running up-to-date Macs is the first line of defense for businesses, according to ESET. Though the initial-compromise vector isn't known in this case, implementing all the rest of the basics like strong passwords and phishing-awareness training is also a good defense.

Researchers also recommended turning on Apple's new Lockdown Mode feature.

"Apple has recently acknowledged the presence of spyware targeting users of its products and is previewing Lockdown Mode on iOS, iPadOS, and macOS, which disables features frequently exploited to gain code execution and deploy malware," according to the analysis. "Disabling entry points, at the expense of a less fluid user experience, sounds like a reasonable way to reduce the attack surface."

Above all, M.Léveillé cautions businesses against being lulled into a false sense of security when it comes to Macs. While malware targeting Macs has traditionally been less prevalent than Windows or Linux threats, that is now changing.

"Businesses using Macs in their fleet should protect them the same way they would protect computers running Windows or any other operating systems," he warns. "With the Mac sales increasing year after year, their users have become an interesting target for financially motivated criminals. State-sponsored threat groups also have the resources to adapt to their targets and develop the malware they need to fulfill their missions, regardless of the operating system."

Mysterious, Cloud-Enabled macOS Spyware Blows Onto the Scene

Data science can be used to improve access to government assistance while reducing fraud.

During the pandemic, Black applicants for unemployment assistance in Wisconsin and North Dakota received benefits at approximately half the rate of their white counterparts. That's according to a June 2022 report by the Government Accountability Office (GAO), which looked at the impact of pandemic relief across four different states.

And this isn't an isolated case. It is an indication that, across the board, digital identity verification that relies on legacy data, systems, and documents don't treat people fairly, equitably, and with respect. Instead, they lock in the problems of the past. And unless we rethink systems from top to bottom and use advanced data science as the foundation for verifying identity, we risk making the same mistakes over and over again.

Today, digital identity verification is a fundamental part of the way government serves people. Government has to be able to distinguish between bad actors and those who are eligible for benefits. If we don't get this right, fraud will rise and people who are owed benefits won't get them. That's a true lose-lose.

**Identity Verification Shortcomings**

This dynamic became crystal clear in the pandemic. We know that individual scam artists and international fraud rings pocketed billions in relief money using synthetic fraud techniques, combining fake names with real Social Security numbers, and even donning wigs to successfully fool legacy systems.

And who suffers most? People who live in communities of color, new-to-country individuals, and others who have been historically underrepresented. Let's be clear — government identity infrastructure as we know it today is fragmented and broken. The pandemic shined a light on the extent to which legacy systems marginalize people who might have thin credit files, are underbanked, have limited broadband access, are rightfully hesitant about facial recognition, or lack government identification. When trying to verify their identities online, these people are met with roadblocks, friction, and long delays — a longstanding issue that has only recently gained mainstream attention.

Identity verification _is_ the gatekeeper to accessing and engaging in an online world, whether you're a homeowner with a lengthy credit history, an elderly individual applying for Medicare, a young entrepreneur looking to start their dream business, or an individual applying for unemployment benefits after getting laid off unexpectedly.

Of course, economic status, race, geography, and access to broadband have long dictated — and still do — the ease by which an individual can prove who they are or otherwise engage in modern society. According to the Consumer Financial Protection Bureau, approximately 45 million Americans, mostly Blacks and Hispanics, lack the traceable credit histories often used to prove identity. For the approximately 57 million people living in rural areas, having to take hours off of work and drive to an in-person facility to verify their identities is not an option. And an estimated 21 million Americans still lack broadband access, making it harder to complete applications that rely on video chat verification.

**3 Steps to Improve Digital Identity Verification**

These problems can't be solved overnight. But there are steps we can take in the near term to move toward accurate digital identity verification for all.

First, Congress should take steps — such as the Improving Digital Identity Act, now under consideration in both the House and Senate — to digitize common identity verification documents, including driver's licenses, birth certificates, and Social Security cards. We should move to ensure that government-issued data (numbers for Social Security, taxpayer identification, passport numbers, etc.) are made available to ease the burden on the public and service providers when verifying an individual's identity. Doing so will move our system away from a reliance on physical documents that are often lost, misplaced, or stolen and will offer more avenues to verify identity online.

Second, we need to design a system that combines machine learning, artificial intelligence, and data analytics to enable more efficient, more equitable verification. Historically underrepresented people often lack the government-issued IDs that current systems require. By combing through all information available — from applicant name to the device being used and more — we can verify good actors faster, flag fraudulent identities across systems, increase auto-approvals, and minimize fraud.

Third, we must protect public trust through transparency. The erosion of public trust hamstrings the use of innovations that can better combat ever-evolving fraud. An overreliance on intrusive (and error-prone) technologies like selfies can weaken this trust and cause significant backlash and public outcry over valid concerns like privacy and bias. Vendors partnering with the public sector must be transparent with their practices.

Without a real focus on equity, the fragmentation of identity across the US and the widening disparities across different populations will only grow. To move forward, we must think comprehensively in our approach when it comes to digital identity verification so that no one gets left behind.

Equitable Digital Identity Verification Requires Moving Past Flawed Legacy Systems

Google Cloud pledges experts and other resources to Health Information Sharing and Analysis Center, a community of healthcare infrastructure operators and owners.

The security-minded community of owners and operators of healthcare infrastructure just landed a big new member.

Google Cloud announced on Thursday that it has joined the Health Information Sharing and Analysis Center (Health-ISAC). It plans to share its considerable intelligence, best practices, and experts to help secure healthcare and public health sector (HPH) networks.

It is the first time that a cloud provider has joined the alliance, despite the fact that the industry sector has increasingly turned to cloud storage, centralized electronic medical records, and software-as-a-service applications.

"Joining Health-ISAC directly fits into our shared-fate model — as opposed to the traditional (and inherently flawed) shared responsibility model," Taylor Lehmann, director at the Office of the CISO at Google Cloud, tells Dark Reading. "We are taking an active stake in the security posture of our customers by offering our own technologies, people, resources, and lessons learned — and we encourage other hyperscalers to do the same."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading