How critical is that vulnerability? University researchers are improving predictions of which software flaws will end up with an exploit, a boon for prioritizing patches and estimating risk.

Using machine learning trained on data from more than two dozen sources, a team of university researchers has created a model for predicting which vulnerabilities will likely result in a functional exploit, a potentially valuable tool that could help companies better decide which software flaws to prioritize.

The model, called Expected Exploitability, can catch 60% of the vulnerabilities that will have functional exploits, with a prediction accuracy — or "precision," to use classification terminology — of 86%. A key to the research is to allow for changes in certain metrics over time, because not all relevant information is available at the time a vulnerability is disclosed, and using later events allowed the researchers to hone the prediction's accuracy.

By improving the predictability of exploitation, companies can reduce the number of vulnerabilities that are deemed critical for patching, but the metric has other uses as well, says Tudor Dumitraș, an associate professor of electrical and computer engineering at University of Maryland at College Park, and one of the authors of the research paper published last week at the USENIX Security Conference.

"Exploitability prediction is not just relevant to companies that want to prioritize patching, but also to insurance companies that are trying to calculate risk levels and to developers, because this is maybe a step toward understanding what makes a vulnerability exploitable," he says.

The University of Maryland at College Park and Arizona State University research is the latest attempt to give companies additional information on which vulnerabilities could be, or are likely to be, exploited. In 2018, researchers from Arizona State University and USC Information Science Institute focused on parsing Dark Web discussions to find phrases and features that could be used to predict the likelihood that a vulnerability would be, or had been, exploited. 

And in 2019, researchers from data-research firm Cyentia Institute, the RAND Corp., and Virginia Tech presented a model that improved predications of which vulnerabilities would be exploited by attackers.

Many of the systems rely on manual processes by analysts and researchers, but the Expected Exploitability metric can be completely automated, says Jay Jacobs, chief data scientist and co-founder at Cyentia Institute.

"This research is different because it focuses on picking up all of the subtle clues automatically, consistently and without relying on the time and opinions of an analyst," he says. "\[T\]his is all done in real time and at scale. It can easily keep up and evolve with the flood of vulnerabilities being disclosed and published daily."

Not all the features were available at the time of disclosure, so the model also had to take into account time and overcome the challenge of so-called "label noise." When machine-learning algorithms use a static point in time to classify patterns — into, say, exploitable and nonexploitable — the classification can undermine the effectiveness of the algorithm, if the label is later found to be incorrect.

**PoCs: Parsing Security Bugs for Exploitability**

The researchers used information on nearly 103,000 vulnerabilities, and then compared that with the 48,709 proofs-of-concept (PoCs) exploits collected from three public repositories — ExploitDB, BugTraq, and Vulners — that represented exploits for 21,849 of the distinct vulnerabilities. The researchers also mined social-media discussions for keywords and tokens — phrases of one or more words — as well as created a data set of known exploits.  

However, PoCs are not always a good indicator of whether a vulnerability is exploitable, the researchers said in the paper. 

"PoCs are designed to trigger the vulnerability by crashing or hanging the target application and often are not directly weaponizable," the researchers stated. "\[W\]e observe that this leads to many false positives for predicting functional exploits. In contrast, we discover that certain PoC characteristics, such as the code complexity, are good predictors, because triggering a vulnerability is a necessary step for every exploit, making these features causally connected to the difficulty of creating functional exploits."

Dumitraș notes that predicting whether a vulnerability will be exploited adds additional difficulty, as the researchers would have to create a model of attackers' motives.

"If a vulnerability is exploited in the wild, then we know there is a functional exploit there, but we know other cases where there is a functional exploit, but there is no known instance of exploitation in the wild," he says. "Vulnerabilities that have a functional exploit are dangerous and so they should be prioritized for patching."  

Research published by Kenna Security — now owned by Cisco — and the Cyentia Institute found that the existence of public exploit code led to a sevenfold increase in the likelihood that an exploit would be used in the wild.

Yet prioritizing patching is not the only way the exploit prediction can benefit businesses. Cyber-insurance carriers could use exploit prediction as a way to determine the potential risk for policy holders. In addition, the model could be used to analyze software in development to find patterns that might indicate whether the software is easier, or harder, to exploit, Dumitraș says.

Which Security Bugs Will Be Exploited? Researchers Create an ML Model to Find Out

The cybercriminal crew has used 15 malware families to target travel and hospitality companies globally, constantly changing tactics over the course of its four-year history.

Another threat actor targeting hospitality, hotel, and travel organizations has re-emerged during the busy summer travel season: a smaller, financially motivated player named TA558.  

According to new research from Proofpoint, the group has been around since 2018 but is stepping up its attacks this year, targeting Portuguese and Spanish speakers located in Latin America, as well as targets in western Europe and North America.

Spanish, Portuguese, and occasional English-language emails use reservation-themed lures with business-relevant themes (such as hotel-room bookings) to distribute malicious attachments or URLs.

Proofpoint researchers have counted 15 different malware payloads, most frequently remote access Trojans (RATs), that can enable reconnaissance, data theft, and distribution of follow-on malware.

These malware families occasionally overlap with command-and-control (C2) domains, with the most frequently observed payloads including Loda, Vjw0rm, AsyncRAT, and Revenge RAT.

The report explains that in recent years, TA558 has shifted tactics, starting to use URLs and container files to distribute malware.

"TA558 began using URLs more frequently in 2022. TA558 conducted 27 campaigns with URLs in 2022, compared to just five campaigns total from 2018 through 2021," according to the report. "Typically, URLs led to container files such as ISOs or zip files containing executables."

Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, explains this is likely in response to Microsoft announcing it would begin blocking VBA macros downloaded from the Internet by default.

"This actor is unique in that they have used the same lure themes, language, and targeting since Proofpoint first identified them in 2018," she tells Dark Reading.

However, she points out they often change tactics, techniques, and procedures (TTPs) and have used different malware payloads over the course of their activity.

"This suggests the actor is actively changing and responding to what works best or is most effective in achieving initial infection, using tactics and malware widely used by a variety of threat actors," she says.

She explains like many threat actors in the threat landscape, TA558 has pivoted away from macros in attachments to using other filetypes and URLs to distribute malware.

"It is likely other actors targeting these industries will use similar techniques that we described previously," she says.

Threat actors have pivoted away from macro-enabled documents attached directly to messages to deliver malware, increasingly using container files such as ISO and RAR attachments and Windows Shortcut (LNK) files.

DeGrippo says the increase in activity by TA558 this year is not indicative of an increase of activity targeting the travel/hospitality industries in general.

"However, organizations in these industries should be aware of the TTPs described in the report, and ensure employees are trained to identify and report phishing attempts when identified," she advises.

**Travel Industry in Threat Actor Crosshairs**

Attacks against travel-related websites began to rise months ago as the industry recovered from COVID-19, a July report from PerimeterX indicated, with competitive scraping-bot requests increasing dramatically in Europe and Asia.

As the coronavirus pandemic ebbs and consumers look to resume annual vacation plans, fraudsters are refocusing their efforts from financial services to the travel and leisure industries, according to TransUnion's latest quarterly analysis.

Multiple cybercrime groups have been spotted this year selling stolen credentials and other sensitive personal information pilfered from travel-related websites, with the methods of malicious actors evolving due to the concentration on personally identifiable information.

Summertime Blues: TA558 Ramps Up Attacks on Hospitality, Travel Sectors

Cybersecurity is the largest current tech skills gap; closing it requires a concerted effort to upskill existing staff.

Cybersecurity challenges are exacerbated by a talent shortage in the cybersecurity workforce. In 2021, for example, there were more than 500,000 open cybersecurity jobs in the US alone. But the gap goes beyond "just" filling empty positions; there is also a gap between what existing staff know about cybersecurity and a never-ending onslaught of new cyberthreats.

Pluralsight’s "2022 State of Upskilling Report," which surveyed 760 technology learners and leaders on the most current trends in skill development, found that cybersecurity was the top personal skills gap among 43% of respondents. Further, 44% of respondents noted that cybersecurity skills gaps are the greatest current risk to their organization.

With the rate at which the cybersecurity landscape is changing, historical knowledge and time-worn methods rarely solve for the increasing complexity of today’s threats. Business leaders must take responsibility for providing their technologists with the tools and training they need to keep organizations safe and secure.

Indeed, businesses need to act quickly and aggressively to keep their technology teams apprised of current cybersecurity trends and threats.

**Large Majority Want to Improve Their Skills**

This may seem overwhelming, but the good news is that technologists are eager to bolster their tech skills. According to our report, 91% of respondents want to improve their tech skills. Technologists are also demanding that their organizations provide them with the means to do so: 48% of respondents say they have considered changing jobs because they weren’t given sufficient resources to upskill, and 75% of respondents said that their organization’s willingness to dedicate resources to developing tech skills affects their plans to stay with the organization.

Here are some recommendations for upskilling your technology teams to create an airtight cybersecurity program:

1.  **Provide the right resources:** The first step is to arm cybersecurity professionals with resources such as on-demand cybersecurity training, hands-on learning opportunities to understand both red and blue team perspectives, and flexible upskilling options that fit in with cybersecurity pros’ busy schedules. Cybersecurity training should not be optional for _anyone_ within your organization, let alone your cybersecurity experts, but it needs to be administered in a reasonable and effective way.
2.  **Create continuous learning opportunities:** Your cybersecurity teams will never be done learning how to outsmart bad actors and how to future-proof your organization’s cybersecurity program. New cybersecurity strategies are constantly being developed to stay ahead of attacks. For example, the Zero-trust architecture is gaining traction in public and private businesses alike, ushering in new standard operating procedures for security teams. Staying abreast of cybersecurity trends takes more than superficial knowledge, however; it requires coordinated action in the form of testing, implementation, and evaluation to achieve long-term cybersecurity success.
3.  **Create a culture of learning:** By making learning part of the fabric of the organization, your tech teams can take a proactive, rather than a reactive, approach to cybersecurity. This means that your organization must have programmatic steps in place to constantly renew cybersecurity knowledge and best practices.

The bottom line is that the need for cybersecurity skills will only increase. The need for skilled cybersecurity pros also will grow. Organizations that prepare for the future of their security programs, rather than scrambling to block attackers only in the present, will be the best prepared to take on the latest threats.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

How to Upskill Tech Staff to Meet Cybersecurity Needs

**SAN FRANCISCO, Aug. 17, 2022 —** The Open Source Security Foundation (OpenSSF), a cross-industry organization hosted at the Linux Foundation that brings together the world's most important software supply chain security initiatives, on Wednesday announced 13 new members from leading financial services, technology, employment, software development, cybersecurity, telecommunications, and academic sectors.

New premier member, Capital One, joins the OpenSSF Governing Board. New general member commitments come from Akamai, Indeed, Kasten by Veeam, Scantist, SHE BASH, Socket Security, Sysdig, Timesys, and ZTE Corporation. New associate members include Eclipse Foundation, Purdue University, and TODO Group. "We are excited to welcome new members to the OpenSSF," says Brian Behlendorf, General Manager of OpenSSF. "As open source software security vulnerabilities continue to draw attention from governments and businesses around the world, interest in the work of the OpenSSF has been rapidly increasing."

"A growing community of organizations, developers, researchers, and security professionals are investing the time and resources needed to strengthen open source security," said Jamie Thomas, OpenSSF Board Chair and IBM Enterprise Security Executive. "New members of OpenSSF are joining at a time when cross-industry collaboration and innovation are needed more than ever to proactively respond to pervasive cybersecurity threats."

Resolving the systemic issues that led to major security vulnerabilities like the Log4shell incident emphasizes the urgency and importance of the work of OpenSSF. A recent Cyber Safety Review Board report declared that Log4j has become an "endemic vulnerability" that will be exploited for years to come and that the 10-point mobilization plan introduced earlier this year at the Open Source Software Security Summit II by the OpenSSF will improve the resiliency and security of open source software.

OpenSSF will host a full day of sessions on Tuesday, Sept. 13, at OpenSSF Day EU on the eve of Open Source Summit Europe (OSS EU) in Dublin. Working Group leaders and community members will host sessions, panels, and fireside chats about ongoing work to secure the software supply chain and the future of open source security. Registration and attendance are free for all those attending the OSS EU.

**Premier Member Quote**

**Capital One**

"Today some of the most groundbreaking digital experiences created for customers are based on open source software. As a company that widely adopts this technology, Capital One is incredibly proud to join the OpenSSF and the world's technology leaders as we collaborate to strengthen the software security supply chain. As a highly regulated company, we are seasoned in managing compliance and governance and advocate for standardization, automation and collaboration. We look forward to working together to identify solutions that advance the OpenOSSF mission and give back to the open source community."

*   Chris Nims, EVP of Cloud & Productivity Engineering at Capital One

**General Member Quotes**

**Akamai**

"Improving the security of open source software — so central to the internet ecosystem — is one of the most critical security challenges we face today. Only by gaining visibility into the network and the software supply chain can we reliably address security flaws when they occur at the code level. The technology community must support the open source communities we depend on with financial and technological resources to limit our collective risk_._ As a leading security and cloud services provider, we look forward to contributing to the Open Source Security Foundation and helping to advance this important work."

*   Robert Blumofe, EVP and CTO, Akamai

**Kasten by Veeam**

"We are honored to be part of the Open Source Security Foundation (OpenSSF) and champion this initiative alongside our peers. Kasten by Veeam has an open source heritage, and with Kubernetes data protection as our core offering, security remains a critical underpinning for Kasten K10 design and implementation. As Kubernetes adoption continues to fuel Digital Transformation journeys for enterprises, more attention is rightfully being placed on security, especially with the inexorable rise of ransomware attacks. Kasten by Veeam is committed to ensuring the security and data protection of cloud native environments to better protect business applications."

*   Gaurav Rishi, Vice President of Products and Partnerships at Kasten by Veeam

**Scantist**

"On one hand, the software industry is benefiting substantially from the rapid growth of open source, which has become the basic building blocks of the digital world. On the other hand, open source security is becoming more critical and all these risks are multiplied by the interdependent nature of open source. Now as a member of OpenSSF, we would like to contribute to the OpenSSF missions based on our recent research on open source ecosystem analysis to provide a quantitative view to understand the complexity and security of open source. We want to become the active participant, evangelist and ambassador for OSS governance in southeast Asia to promote open source software supply chain security."

*   Dr. Liu Yang，Professor at Nanyang Technological University, Singapore and Co-Founder of Scantist

**SHE BASH**

"Since our inception, SHE BASH has witnessed a variety of predatory industry practices that get shielded from extensive scrutiny via the protective veil of closed source. At our core, open source software is a public institution that enables everyone to build their future.

"The combination of decades of apathy and the incentive mechanisms that sustain a culture of 'don't care' has allowed our company to stand out among tech's largest and most culpable companies. We have always considered 'best practice first' as one of the main value propositions we can provide as a company, albeit a small one. Open Source Software provided us the level playing field to make differences in key technological shifts within the public sector, and the evolution of these shifts are the development of best practices born from the open source that sustains all software life today. It's a true honor to be of assistance to the work OpenSSF is leading to remedy large structural mistakes that grew from decades of neglect."

*   Cameron Banowsky, Co-founder and CTØ, SHE BASH

**Socket Security**

"As maintainers of open source packages which are installed over 1 billion times per month, the Socket team is intimately familiar with the massive growth in open source dependency usage. Modern applications use thousands of dependencies written by hundreds of maintainers, and installing even one package leads to dozens of transitive dependencies coming along for the ride. Unfortunately, it is far too easy for a bad actor to infiltrate the software supply chain and wreak havoc. That's why Socket is proud to join OpenSSF and do our part to make open source safe for everyone with our industry-leading approach to software composition analysis which is used by thousands of companies to detect and prevent supply chain attacks. The Socket team is excited to work with other OpenSSF member companies to safeguard the open source ecosystem for everyone."

*   Feross Aboukhadijeh, Founder and CEO, Socket Security

**Sysdig**

Sysdig is proud to be part of OpenSSF and work together to help guide open source security standards and secure the software supply chain. As a cloud security company built on open source, we believe the industry must come together to strengthen software for the common good. Having created and contributed Falco to the CNCF to help secure the runtime, we look forward to continuing open collaboration in the OpenSSF. The future of security is open, and what we do now will shape software forever."

*   Edd Wilder-James, Vice President, Open Source Ecosystem at Sysdig

**Timesys**

"With software supply chain breaches up more than 650%, securing the software supply chain is a big focus. We've been working for more than 5 years developing technology to help secure, monitor, and maintain open source-based embedded Linux and Android devices from exposures and vulnerabilities. We are so excited to be joining up on this community effort with OpenSSF and to be a part of the Linux Foundation again. By sharing technology and collaborating to build ecosystems that accelerate open-source technology development, device manufacturers and consumers everywhere will be able to rest easier knowing they are secure."

*   Atul Bansal, CEO of Timesys

**ZTE Corporation**

"We are very pleased to join the OpenSSF. As a world-leading communication equipment manufacturer, more and more open source software is used by us. While actively embracing open source software, it also brings unprecedented risks to software supply chain security. ZTE Corporation has made many efforts to control and manage risks, and regard them as our top priority. After joining the OpenSSF, ZTE Corporation works with a group of members with similar visions and goals to promote the development of open source software supply chain towards a more secure direction."

*   Xiang Shuming, Director of OSS Compliance and Security Governance, ZTE Corporation

Additional Resources

*   View the complete list of the 89 OpenSSF members
*   Watch the recent August OpenSSF Town Hall
*   Contribute efforts to one or more of the active OpenSSF working groups and projects

**About OpenSSF**

The Open Source Security Foundation (OpenSSF) is a cross-industry organization hosted by the Linux Foundation that brings together the industry's most important open source security initiatives and the individuals and companies that support them. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all. For more information, please visit us at: openssf.org.

**About the Linux Foundation**

Founded in 2000, the Linux Foundation and its projects are supported by more than 2,950 members. The Linux Foundation is the world's leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world's infrastructure including Linux, Kubernetes, Node.js, ONAP, Hyperledger, RISC-V, and more. The Linux Foundation's methodology focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

OpenSSF Announces 13 New Members Committed to Strengthening the Security of the Open Source Software Supply Chain

The curated detection feature for Chronicle SecOps Suite provides security teams with actionable insights on cloud threats and Windows-based attacks from Google Cloud Threat Intelligence Team.

Organizations are increasingly relying on threat intelligence data to understand the sheer volume and complexity of security threats. On that note, Google Cloud has announced the general availability of the "curated detection" capability for its Chronicle security analysis platform to give organizations insights into the latest security threats.

The new feature, as part of the Chronicle SecOps Suite, pipes Google’s own threat intelligence data into an automated detection service that provides security teams with up-to-date insights on cloud threats -- such as attacks against cloud systems, attempts to exfiltrate data, and misconfigured systems -- and Windows-based attacks -- such as ransomware, remote-access tools, information stealers, data exfiltration, suspicious activity, and misconfigurations.

The service provides security teams with “high quality, actionable, out-of-the-box threat detection content curated, built, and maintained by the Google Cloud Threat Intelligence team," said Benjamin Chang, a Google Cloud software engineer. "By surfacing impactful, high-efficacy detections, Chronicle can enable analysts to spend time responding to actual threats and reduce alert fatigue."

The information from the detection service can be integrated with authoritative data sources, such as from the organization’s identity access management (IAM) systems and configuration management databases, to give security teams more context. Customers who used curated detections during public preview were able to detect malicious activity and take actions to prevent threats earlier in their life cycle, Chang said.

Microsoft provides similar capabilities via Microsoft Sentinel. Security teams are understaffed and overstressed, trying to keep up with an evolving threat landscape and managing the growing volume of alerts. Through these partnerships security teams have a shot at quickly identifying, investigating, and responding to threats.

Google Cloud Adds Curated Detection to Chronicle

The high-severity security vulnerability (CVE-2022-2856) is due to improper user-input validation.

A zero-day security vulnerability in Google's Chrome browser is being actively exploited in the wild.

The Internet behemoth released 11 security patches for Chrome this week, which are now being pushed out in stages to those with automatic updates enabled for Windows, Mac, and Linux; however, everyone can manually update now.

The zero-day (CVE-2022-2856) is rated as high severity and involves “insufficient validation of untrusted input in Intents,” according to Google's advisory.

Intents, where the bug resides, are used by Chrome to process user input; if the browser doesn't validate this input properly, an attacker is able to specially craft an input (say, a post in the comments section of a website) that's not expected by the application.

"This will lead to parts of the system receiving unintended input, which may result in altered control flow, arbitrary control of a resource, or arbitrary code execution," according to MITRE.

Other details of the bug are scant — Google usually restricts details until a quorum of users have applied the updates.

Still, “Google is aware that an exploit for CVE-2022-2856 exists in the wild,” reads the alert, so users should patch now.

This is the fifth actively exploited zero-day vulnerability disclosed in Chrome in 2022. The previous four were: CVE-2022-0609 (February), CVE-2022-1096 (March), CVE-2022-1364 (April), and CVE-2022-2294 (July).

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Google Chrome Zero-Day Found Exploited in the Wild

The stealthy crypter, active since 2015, has been used to deliver a wide range of information stealers and RATs at a rapid, widespread clip.

Researchers this week warned of a sophisticated, evasive crypter that several threat actors are using to distribute a range of information stealers and remote-access Trojans (RATs).

The crypter, dubbed "DarkTortilla," is pervasive and persistent, and it packs multiple features designed to help it avoid anti-malware and forensics tools. The .NET-based crypter can be configured to deliver numerous malicious payloads, and can potentially be used to plant illegal content on a victim's system. It's also capable of tricking both users and sandboxes into believing it is benign.

Researchers from Secureworks, who first spotted DarkTortilla last October, believe it has been active since at least August 2015. Rob Pantazopoulos, senior security researcher at Secureworks' Counter Threat Unit (CTU), says threat actors have used DarkTortilla in the past to deliver a wide range of other malware, including Remcos, BitRat, FormBook, WarzoneRat, Snake Keylogger, LokiBot, QuasarRat, NetWire, and DCRat. On a few occasions, the crypter has also been used in targeted attacks to deliver payloads such as Metaspolit and Cobalt Strike.

Most recently, it's been used mainly to deliver malware such as the RATs AgentTesla, NanoCore, and AsyncRat, as well as the information-stealer RedLine.

Somewhat unusually for such a widely used malware distributor, there have been just nine instances where a threat actor used DarkTortilla to distribute ransomware — and seven of those involved the Babuk ransomware family.

**Pervasive and Versatile**

"DarkTortilla first came into focus for Secureworks in October 2021 when we detected a threat actor leveraging a Microsoft Exchange remote code execution vulnerability (CVE-2021-34473) to execute malicious PowerShell within customer environments," Pantazopoulos says. "The attack chain eventually led to the download and execution of the .NET malware that we now call DarkTortilla."

Secureworks researchers said that between January 2021 through May, they spotted an average of 93 unique DarkTortilla samples being uploaded to VirusTotal every week. The security vendor says it has counted more than 10,000 unique DarkTortilla samples since it began tracking the malware. Like many malware tools, attackers have been using spam emails with file attachments such as .ISO, .ZIP, and .IMG to distribute DarkTortilla. In some instances, they have also used malicious documents to deliver the malware.

**Highly Configurable**

What makes DarkTortilla dangerous is its high degree of configurability and the various anti-analysis and anti-tampering controls it packs to make detection and analysis highly challenging. The malware, for instance, uses open source tools such as DeepSea and ConfuserEX to obfuscate its code, and its main payload gets executed entirely in memory, Pantazopoulos says.

Also, DarkTortilla's initial loader, which is the only component of the malware that touches the file system, contains minimal functionality, making it hard to spot.

"Its only job is to retrieve, decode, and load the core processor, which is typically stored as encrypted data within the initial loader's resources," he notes. The code itself is generic in nature and tends to vary between samples depending on the obfuscation tools that have been applied. As a result, Secureworks has only been able to identify a handful of consistent markers for the malware — which too are likely to change soon, the researcher says.

The security vendor's analysis of DarkTortilla showed that it migrates execution to the Windows %TEMP% directory during initial execution, a feature that Pantazopoulos says is troublesome for defenders. One benefit in doing this — from the attacker's perspective — is that it allows DarkTortilla to hide on an infected system.

"Second, if the %Delay% configuration element is defined within the DarkTortilla configuration, the amount of time from when DarkTortilla is run to when the main payload gets executed increases exponentially," he says. For instance, with just a few configuration changes, attackers can set the malware to execute its main payload several minutes after the DarkTortilla executable is run.

"The impact here is that, when defenders submit the sample to most popular sandboxes, the sample will likely timeout without doing anything malicious and the sandbox may report that the sample was benign."

**Bag of Tricks**

DarkTortilla's bag of tricks includes a message box that attackers can use to display customizable, fake messages about the malware being a legitimate application, about the execution failing, or about the software being corrupted. The goal here, again, is to trick users into believing the malware that is executing on their system is benign.

"From a features perspective, we find DarkTortilla's ability to deliver numerous additional payloads in the form of 'addons' to be very interesting," Pantazopoulos notes. In one instance, the configured addon was a benign decoy Excel spreadsheet that opened as the malware was executing in the background. In another instance, Secureworks discovered the configured addon was a legitimate application installer that ran when the malware was executing. Thus the victim assumed they were installing a legitimate application.

In a handful of instances, Secureworks observed threat actors using DarkTortilla to drop addons to disk that were then not run later. Of the more than 600 DarkTortilla addons that Secureworks has observed so far, only seven were dropped to disk and not executed.

The file types ranged from executables and configuration files to PDF documents and were typically dropped to the victim's My Documents folder. "Though we've yet to see it used this way, it is very possible that a threat actor could leverage DarkTortilla to plant illegal content on a victim's file system without their knowledge," Pantazopoulos says.

'DarkTortilla' Malware Wraps in Sophistication for High-Volume RAT Infections

The increased sophistication of cyberattacks makes them more widely damaging and difficult to prevent.

The Russian-supported Conti group's recent attack against Costa Rica led the country to declare a national emergency. The attack impacted the country's Ministry of Finance and many other government institutions, affecting — at minimum — payroll schedules and the nation's foreign trade. Conti not only doubled its ransom demand but also stated its intention to overthrow the government by means of a cyberattack.

This incident has demonstrated the massive implications that attacking an entire nation can have. It's a stark example of the risks affecting critical infrastructure — and it must be a reminder of how essential it is to strengthen cybersecurity postures. But it also further underscores the importance of public-private partnership. When entire countries are affected by cyberattacks, it's a clear sign that no person (or nation) is an island — we must work together.

**Growth of Attacks Against Critical Infrastructure**

That is just the latest example of attacks against critical infrastructure. There have been a number of attacks — for example, against Ukraine and oil loading facilities in Europe. The US has also suffered, with the targeting of the Colonial Pipeline being just one prominent example. That's not to mention the countless hospitals, water treatment plants, and other critical infrastructure that have been hit by ransomware in the past year. Satellite communications, wind turbines, and even medical institutions have been targeted.

These attacks are being made possible by the increased sophistication of criminal technologies. In the public sector, there's a convergence of advanced persistent threats (APT) and cybercrime. Cybercriminals are investing more in the reconnaissance and weaponization phases of an attack.

Another worry for the public sector in 2022 is aggressive attack code. Ransomware is one example, and another is wiper malware, which is being added to ransomware campaigns. These attack strategies previously affected IT, but now they're also starting to affect OT and the public sector.

With today's IT/OT convergence, there's no longer an air gap between IT and OT — areas that were once inaccessible are now open to risk. Government organizations may think they don't have OT, but they need to consider devices like security cameras, sensors linked to the HVAC system, smart buildings, and other OT with an IoT footprint.

Cybercriminals also are going after critical infrastructure directly these days — more so than we've seen before — and we're seeing cybercriminals adopting the playbooks of nation-state actors, which means more sophisticated and destructive attacks.

**The Need for Public-Private Partnership**

Cybercrime is playing an increasing role in geopolitical conflict, and as attacks proliferate against critical infrastructure, it can put lives at risk. We cannot afford to wait and see.

Fighting cybercrime is a team effort, with law enforcement, cybersecurity specialists, and legislators collaborating with businesses and the general public to combat cybercrime using cyber threat intelligence.

Threat intelligence includes dynamic technology that uses data collection and analysis gathered from threat history to block and remediate cyberattacks. Threat intelligence is based on cybercriminals' tactics to develop crucial procedures for an organization's overall security architecture.

Working together is the only way to stay ahead of today's cyber threats, which are becoming more complex and aggressive — for example, ransomware attacks migrating to an affiliate-based, as-a-service model. Furthermore, the cybercrime supply chain has mushroomed, and there are so many moving parts and actors at each step that tracking them down and stopping them requires serious, worldwide, joint efforts.

One example is the World Economic Forum's Partnership against Cybercrime. This international, multistakeholder collaboration has united many leading organizations from numerous sectors, both private and public, to address the growing challenge of cybercrime.

**Signs of Success**

We've seen some great successes come from these collaborative efforts. The Department of Justice led a coordinated international law enforcement action to disrupt NetWalker ransomware, resulting in the arrest of a NetWalker affiliate who received a seven-year jail sentence. The DoJ also arrested two people for conspiring to launder at least $3.6 billion worth of cryptocurrency stolen from a virtual currency exchange.

Collaboration led to the takedown of Emotet, one of the most prolific malware operations in recent history. And Interpol's partnership with private sector companies led to the recent takedown of a business email compromise (BEC) scam ring in Nigeria that attacked thousands of companies around the world. These examples are just the beginning. More work and constant vigilance and innovation are needed.

**Act Together, Act Now**

In today's threat environment, where whole countries can be hamstrung by well-constructed cyberattacks, security cannot succeed if each entity hoards its cybersecurity information. Recent examples demonstrate the need for global threat intelligence — and that there's no time to waste. Shared data and partnership can lead to more effective responses and help partners more accurately predict future techniques to deter criminals' efforts. Now is the time to join with law enforcement and other entities to present a united defense to protect critical infrastructure against cybercrime.

When Countries Are Attacked:  Making the Case for More Private-Public Cooperation

A suspected Iranian threat actor known as UNC3890 is gathering intel that could be used for kinetic strikes against global shipping targets.

A Persian-speaking threat group has been discovered targeting industries ranging from healthcare to energy, with a particular focus on the shipping sector.  

According to a report from Mandiant, which named the group UNC3890, the campaign uses email-borne social-engineering lures and a watering hole hosted on a login page of a legitimate Israeli shipping company to disguise the activity. While it targets mainly Israeli victims, the report advised that targets also include multinational companies, suggesting that the threat could have a global impact.

Credential-stealing could allow the threat actor to gain initial access to a targeted organization for espionage purposes, according to the firm. For example, the credentials may allow the actor to connect to a victim’s Office 365 mailbox and steal all the victim’s email correspondence, thus gaining valuable insights about the victim and their organization’s activity.

"We observed the C2 servers communicating with multiple targets, as well as with a watering hole that we believe was targeting the Israeli shipping sector, in particular entities that handle and ship sensitive components," the report notes.

Mandiant senior analyst Ofir Rozmann says the interest this actor shows in the shipping sector is most concerning, since the intelligence it gathers may be leveraged for more aggressive efforts, like kinetic warfare operations.

"While we don’t what exact data the attackers gained access to, compromising a shipping company’s website and gathering intel on its users may have provided the attackers with data about cargo’s contents, when it’s being sent and its location over time," he explains. "This sort of data is important if Iran wishes to conduct kinetic operations targeting these shipments."

Furthermore, this type of access may also be used to send phishing emails from within the organization, bolstering legitimacy and compromising more mailboxes and/or computers, or affecting downstream customers.

**A Taste for Custom Malware**

The group, which operates an interconnected network of command-and-control (C2) servers, spoofs legitimate services including Office 365, and social networks LinkedIn and Facebook, with phishing lures that include fake job offers and fake commercials for AI-based robotic dolls.

Once a victim is compromised, the group delivers two proprietary pieces of malware, which Mandiant dubbed Sugarush and Sugardump.

Sugarush is a backdoor that establishes a reverse shell over TCP to a hardcoded C2 address, according to the new analysis.

Sugardump meanwhile is used for harvesting credentials from Chrome, Opera, and Edge Chromium browsers, which can also exfiltrate stolen data via Gmail, Yahoo, and Yandex email services.

According to the report, several versions of Sugardump have been observed, with the first dating back to 2021, which stored credentials without exfiltrating them. Later versions use either SMTP or HTTP for C2 communications, and they have more advanced credential-harvesting functionality.

Other tools used by UNC3890 include Unicorn for PowerShell-type attacks, the Metasploit framework, and NorthStar C2, which is a publicly available open source C2 framework developed for penetration testing and red teaming.

"In addition, we identified an UNC3890 server that hosted several .ZIP files containing scraped contents of Facebook and Instagram accounts of legitimate individuals," the report says. "It is possible they were targeted by UNC3890, or used as lures in a social-engineering effort."

The group has been in operation since at least late 2020 and is currently perceived as an active threat.

**Espionage for Many Outcomes**

Rozmann adds intelligence collection is a key component of any state-sponsored activity since it can help keep the leadership and Iranian intelligence agencies informed when strategizing/making plans against their targets.

"While we believe this actor is focused on intelligence collection, the collected data may be leveraged to support various activities, from hack-and-leak to enabling kinetic warfare attacks like those that have plagued the shipping industry in recent years," according to Mandiant's analysis.

Whether it remains covert or is leveraged for more overt operations, the intel opens up options for a threat actor. For example, targeting the government sector may provide access to sensitive strategic, political, or defense-related data that can be beneficial for future negotiations, exposed/sold, or leveraged against the victims.

**Attribution to Iran's Government?**

While UNC3890 is almost certainly based in Iran, "we don’t have enough evidence to determine whether this is a state-backed threat," Rozmann notes. "However, it is plausible, based on the actor’s geographical focus, the targeted sectors and the focus on intelligence collection."

He adds that a typical cybercrime gang that's financially motivated would probably be interested in other information, such as bank accounts, and use other methods, such as ransomware attacks.

"Furthermore, it would target a broader spectrum of sectors and geographies in an effort to maximize potential profit," he says.

The United States, United Kingdom, and Australia have all recently warned that attacks from Iran-linked cyberattack groups have been ramping up operations.

The Iranian state has been blamed for many prior efforts targeting civilians in Israel, including attacks on water infrastructure and on an insurance company.

In June, Microsoft disabled the Iran-linked Lebanese hacking group Polonium after it discovered the threat actors abusing its OneDrive personal storage service. Among the targeted organizations were those involved in critical manufacturing, transportation systems, financial services, IT, and Israel’s defense industry, the software giant says — all of which offered an avenue to carry out downstream supply chain attacks.

'Operation Sugarush' Mounts Concerning Spy Effort on Shipping, Healthcare Industries

The state-sponsored group particularly targets organizations working on behalf of the Uyghurs, Tibet, and Taiwan, looking to gather intel that could lead to human-rights abuses, researchers say.

The RedAlpha advanced persistent threat (APT) group, thought to be linked to the Chinese state, has been spying on global humanitarian, think tank, and government organizations thanks to a massive phishing campaign that's been active for years.

That's the word from Recorded Future's the Insikt Group, which also found that the intelligence collection is likely used to support human rights abuses orchestrated by the Chinese Communist Party (CCP).

RedAlpha (aka Deepcliff or Red Dev 3) specializes in mass credential-harvesting, which it accomplishes via convincing phishing emails with attached PDFs that lead to purported login pages. The group has been operational at a "high tempo" since at least 2015, Insikt researchers note, though it didn't spark the notice of security researchers until 2018. And since 2019, the activity has ramped up even further, analysts say.

"Over the past three years, we have observed RedAlpha registering and weaponizing hundreds of domains spoofing organizations such as the International Federation for Human Rights (FIDH), Amnesty International, the Mercator Institute for China Studies (MERICS), Radio Free Asia (RFA), the American Institute in Taiwan (AIT), and other … organizations," according to a blog post on Tuesday from Insikt.

Last year, RedAlpha stood up at least 350 domains overall, representing a big spike in its activity, analysts said. In many cases, the observed phishing pages mimicked legitimate email login portals for these specific targets, suggesting the attackers intended to target individuals directly affiliated with the organizations, as opposed to using the branding of the entities to target other third parties.

In particular, the APT has been observed directly targeting ethnic and religious minorities such as the Tibetan and Uyghur communities and protesters such as Falun Gong members, and it has been particularly interested in anything Taiwan-related. In short, the targets align closely with Chinese interests. Thus, the idea is to gain access to email accounts and other online communications of victims, in order to eavesdrop and gather political intel on the targets, researchers surmise.

Casey Ellis, founder and CTO at Bugcrowd, says that the intel gleaned can be weaponized not just for guiding kinetic or physical strikes against the persons of interest but also for counter-messaging meant to undermine their activities.  

"China has an enormous population of very astute technologists, a vast security research and hacking community, and a large government-sponsored team with offensive capability ranging from information warfare to targeted exploit development and R&D," he says. "Data stolen for nation-state espionage isn't, for example, likely to be used for fraud if the threat actor is Chinese. The main threat, as is true for most nation-state threat actors, is dis/misinformation, weaponized memes, and subversive propaganda through social networks and traditional media."

The spoofing also has included impersonating well-known email service providers in an effort to look legitimate, including Yahoo (135 typosquatted domains), Google (91 typosquatted domains), and Microsoft (70 typosquatted domains).

"Chinese state-sponsored groups continue to aggressively target dissident and minority groups and individuals, both domestically through state surveillance and internationally through cyber-enabled intrusion activity," the researchers note. "This targeting of sensitive and vulnerable communities, many of which have security budget and resources constraints, is particularly concerning.  

**Sprawling Phishing Infrastructure**

According to Insikt's analysis, the group maintains large clusters of operational infrastructure, beyond the hundreds of phishing domains that imitate and spoof specific organizations.

The researchers say that other consistent characteristics of the group's efforts include the use of \*resellerclub\[.\]com nameservers; using the virtual private server (VPS) hosting provider Virtual Machine Solutions (VirMach); similar domain-naming conventions, such as the use of “mydrive-”, “accounts-”, “mail-”, “drive-”, and “files-” strings across hundreds of domains; overlapping WHOIS registrant names, email addresses, phone numbers, and organizations; and the use of specific server-side technology components and fake HTTP 404 Not Found errors.  

Phil Neray, vice president of cyber-defense strategy at CardinalOps, says that this kind of large footprint allows for significant espionage outcomes, which is one of the hallmarks of Chinese APTs.

"China has been a top nation-state threat for many years, given their strategic use of cyber-espionage to obtain expertise in key technologies such as biotech, semiconductors, defense, and energy, by stealing proprietary intellectual property from the West," he says. "They've also targeted PII in attacks against government organizations such as the Office of Personnel Management (OPM) and large health insurance organizations like Anthem, which were two of the largest data breaches in history."   

**Phishing Is Phishing Is Phishing**

The tactics in this case are tried and true, even if the perpetrators occupy "top-tier" status in the cybercrime pantheon.

"When it comes to phishing, threat actors at all levels generally rely on conventional aesthetic-based tactics to lure in their victims," Darren Guccione, CEO and co-founder at Keeper Security, tells Dark Reading. "Innocent people who are not trained on phishing prevention generally focus on the 'pinstripes' of the email. This means that the aesthetics they are familiar with, such as the logo and colors of a humanitarian, think tank, or government site, are used to lure them into a malicious link or form field."

It's important, however, not to underestimate the fallout from this familiar social-engineering approach. 

"Cybersecurity threats which ultimately result in breaches due to weak passwords, stolen credentials, or phishing emails are pervasive," Guccione says. "They can have devastating and long-term adverse consequences, particularly when a broad-scope espionage campaign is used to support human rights abuses."

Any organization should bolster user awareness and employ basic defenses to avoid being on the hook from phishing, Guccione adds.

"We tend to believe what we see, which is why aesthetics and a compelling user interface often trump awareness of a nefarious and incorrect URL," he notes. "The key to training is to ensure users are checking that the URL matches the authentic website. A password manager that can automatically identify when a site's URL doesn't match is a critical tool for preventing the most common password-related attacks, including phishing and credential stuffing."

CardinalOps' Neray adds that when it comes to civil-society targets specifically, "Organizations of all sizes must protect themselves by deploying continuous monitoring at all levels of their infrastructures — endpoints, network, cloud, identity — and ensuring they have SOC detection policies in place that match the latest adversary techniques employed by Chinese attackers, as documented in the MITRE ATT&CK framework."

Source

DARKReading