Luna, Black Basta add to rapidly growing list of malware tools targeted at virtual machines deployed on VMware's bare-metal hypervisor technology.

The latest confirmations of the growing attacker interest in VMware ESXi environments are two ransomware variants that surfaced in recent weeks and have begun hitting targets worldwide.

One of the malware tools, dubbed Luna, is written in Rust and can encrypt data on ESXi virtual machines (VMs) in addition to data on Linux and Window systems. The other is Black Basta, a rapidly proliferating ransomware variant written in C++ that, like Luna, targets ESXi VMs and also works on Windows and Linux systems as well.

They add to a collection of ransomware variants aimed at ESXi, VMware's bare-metal hypervisor for running virtual machines. Numerous organizations use the technology to deploy multiple VMs on a single host system or across a cluster of host systems, making the environment an ideal target for attackers looking to cause widespread damage.

"Infrastructure services like networking equipment and hosting infrastructure like ESXi can't easily be patched on demand," says Tim McGuffin, director of adversarial engineering at Lares Consulting. "Attacking these services provides a one-stop shop for impact since a large number of servers can be encrypted or attacked at once."

Other recent examples of malware targeting ESXi environments include Cheerscrypt, LockBit, RansomEXX, and Hive.

**The Cross-Platform Ransomware Threat**

Researchers from Kaspersky first spotted Luna in the wild last month. Their analysis shows the malware to fall into the trend of several other recent variants that are written in platform-agnostic languages like Rust and Golang, so they can be easily ported across different operating systems. The researchers also found the malware to employ a somewhat rare combination of AES and x25519 cryptographic protocols to encrypt data on victim systems. The security vendor assessed the operator of the malware to be likely based in Russia.

Kaspersky's analysis of a recent version of Black Basta — a ransomware variant it has been tracking since February — shows the malware has been tweaked so it can now encrypt specific directories, or the entire “/vmfs/volumes” folder, on ESXi VMs. The malware uses the ChaCha20 256-bit cipher to encrypt files on victim systems. It also uses multithreading to speed up the encryption process by getting all processors on the infected systems to work at the same time on the task.

Since surfacing in February, the operators of Black Basta have managed to compromise at least 40 organizations worldwide. Victims include organizations in the manufacturing and electronics sectors in the US and multiple other countries. Available telemetry suggests the threat actor could soon chalk up other hits across Europe, United States, and Asia, according to Kaspersky.

**A Target for Inflicting Wide Damage**

The proliferation of ransomware targeting ESXi systems poses a major threat to organizations using the technology, security experts have noted. An attacker that gains access to an EXSi host system can infect all virtual machines running on it and the host itself. If the host is part of a larger cluster with shared storage volumes, an attacker can infect all VMs in the cluster as well, causing widespread damage.

"If a VMware guest server is encrypted at the operating system level, recovery from VMware backups or snapshots can be fairly easy," McGuffin says. '\[But\] if the VMware server itself is used to encrypt the guests, those backups and snapshots are likely encrypted as well." Recovering from such an attack would require first recovering the infrastructure and then the virtual machines. "Organizations should consider truly offline storage for backups where they will be unavailable for attackers to encrypt," McGuffin adds.

Vulnerabilities are another factor that is likely fueling attacker interest in ESXi. VMware has disclosed multiple vulnerabilities in recent months. In February, for instance, the company disclosed five flaws — including important and critical ones — that affected ESXi (CVE-2021-22040, CVE-2021-22041, CVE-2021-22042, CVE-2021-22043, and CVE-2021-22050). The same month, VMware announced a heap overflow vulnerability in the technology (CVE-2021-22045), and there have been multiple other moderate to low severity flaws the company has disclosed over the past year or so, including a critical remote code execution flaw.

"In recent months, VMware ESXi had several notable vulnerability disclosures and patches, which might be why attackers have an increased interest in targeting those environments," says Joseph Carson, chief security scientist and advisory CISO at Delinea. Most of these virtual environments tend to have a strong backup and snapshot strategy. However, attackers can cause a significant impact if they can also deploy ransomware on the backup systems as well, he says.

Carson advocates that organizations running VMware conduct risk assessments and consistently check for known vulnerabilities and misconfigurations to ensure they are patched and configured correctly. They also need to ensure that Internet-facing systems have strong access controls in place to ensure only authorized employees have access to those systems.

Matthew Warner, chief technology officer and co-founder at Blumira, points to the Log4j vulnerability as another likely reason for the mushrooming attacker interest in ESXi environments. "VMware has an incredibly wide range of solutions that utilized Log4i and were impacted by this vulnerability," he says. VMware itself acted quickly to provide mitigation guidance. But it's likely that many ignored the mitigation advice and are now targets of ransomware purveyors, he says.

"There is almost never a situation where VMware Horizon should be Internet-facing," Warner says. "It opens up untold amounts of risk to the infrastructure." Blumira has run into several instances where VMware Horizon servers were exposed due to access control issues on the firewalls, not to purposeful exposure. "This serves as a good reminder that your DMZ and Internet exposure must be monitored on an ongoing basis within your environment," he advocates.

Snowballing Ransomware Variants Highlight Growing Threat to VMware ESXi Environments

The ever-evolving threat from phishing is growing more sophisticated as attackers design high-pressure situations and leverage ever-more-convincing social engineering tactics to increase their success rates.

This week, it came to light that gaming platform Roblox was breached via a phishing/social-engineering attack that led to the theft of internal documents and the leaking of them online in an extortion attempt.  

The hacker has posted documents on a forum that purport to contain information about some of Roblox's most popular games and creators, according to Motherboard. Additionally, some of the documents include individuals' personally identifiable information.  

But Roblox is hardly alone — it's just the latest in a long line of corporate phishing victims. The success of these attacks showcases just how effective phishers have become at manipulating employee targets at various enterprises. 

In the last few months, the IT security news cycle has been dominated by reports of phishing attacks exploiting trusted applications like email, QuickBooks, and Google Drive, to name just a few. This week, research from Avanan shows that hackers have found a new way into the inbox by creating fake invoices in PayPal, leveraging the site's legitimacy to gain access.  

The abuse of legitimate services is a key factor in the latest spate of phishing attacks, which use social engineering tactics to lure victims into giving up information like login credentials. SlashNext Threat Labs reported a 57% increase in phishing attacks from trusted services between the fourth quarter of 2021 and the first months of 2022.

In June, Microsoft 365 and Outlook customers were targeted with voicemail-themed emails as phishing lures, while QuickBooks users were victims of back-to-back campaigns in June and July, including a vishing scam targeting small businesses. And, indeed, concerns over multichannel phishing attacks are growing, with a particular focus on smishing and business text compromises.

Meanwhile, cloud collaboration and the use of tools like Zoom and Microsoft Teams have exploded during the past two years since the onset of the pandemic, and have become standard operating procedures for remote workers. Attackers have seen this trend and capitalized on it.

**Phishing Lures Grow in Sophistication**

Jeremy Fuchs, cybersecurity research analyst at Avanan, points out that phishing attacks continue to become more sophisticated, and social engineering tactics continue to evolve. He says he thinks there will be increased usage of legitimate services like PayPal to send phishing emails that come from a legitimate email address.

"We've seen an uptick in so-called double-spear tactics, whereby the hackers not only get your funds, but they also get your phone number for future attacks," he says. "We'll see more of these attacks that can snag more than one item from an end user."

Gretel Egan, senior cybersecurity awareness training specialist at Proofpoint, says she continues to see attackers abusing well-known brands and taking advantage of legitimate services to trick people into making fundamental mistakes in the inbox.

"These are messages that look 'right' on the surface, that tap into ways of working," she says. "These types of subtle manipulations can be difficult for people to spot, and it's critical that workers be made aware of attackers' capabilities and propensities to operate in this manner."

Egan explains that threat actors are using real-time events and themes that have the attention of the wider world.

"If it's something we are talking about as a society, or something that elicits strong emotions, then it is content that is likely to be exploited," she says. "Increasingly, we are seeing threat actors use their social engineering content to move victims out of the corporate email environment to alternate communication platforms such as the telephone and conferencing software."

**Distributed Workforce Adds to Vulnerabilities**

Social engineering is inherently people-centric, and in today's hybrid workforce, organizations are struggling to protect data, devices, and systems while remaining agile.

Egan points out employees are also having to adapt to remain connected and engaged with their co-workers.

"Those in remote and hybrid environments are relying heavily on collaboration applications and social media, both public and enterprise," she says. "These trends have opened the door to a whole host of social engineering tactics and other cyber threats."

She notes social engineering techniques aren’t seen only in emails — these tactics are being used successfully across text messages, phone calls, direct messages, and more.

Fuchs agrees remote work has its challenges, including not being able to stop by IT's desk to ask about an email.

"But while working from home, distraction might play a role," he adds. "There are more stimuli — the dog barking, the child crying, answering a thousand Slack messages — that taking the time to focus on the keys in an email that alert you to the fact it might be suspicious can go to the wayside."

**Deploying Advanced ML, AI Tech**

Fuchs argues IT policies must move away from static "allow and block lists" and move toward advanced AI.

"Static lists allow these legitimate services to be used for phishing," Fuchs says. "Advanced AL and ML can suss out what's real and what's not."

Egan says multilayered protection is the best strategy against phishing emails, layered within a culture of security with the placement of people at the center.

She adds that it's important to understand which users are most targeted and which are the likeliest to fall for the social engineering that phishing attacks rely on.

"Users are a critical line of defense against phishing and it's important that security awareness education provides a foundation to ensure everyone can identify a phishing email and easily report it," she says. "This should be combined with layered defenses at the email gateway, in the cloud, and at the endpoint."

Fuchs agrees that, for employees, training continues to be a must and it needs to focus on having the user slow down and check a few critical signs, like sender address and URL destination.

From his perspective, a two-second check can often avoid disaster.

"The key takeaway from this this deluge of phishing attacks is that hackers have found tremendous success leveraging legitimate brands," he says.

Whether it's spoofing the brand or sending phishing emails directly from the service, anything that looks like a trusted brand is more likely to land in the user's inbox and more likely to be acted upon.

"Impersonation scams are on the rise, and, given the tremendous amount of services they can leverage, it's not likely to slow down," he warns.

Phishing Bonanza: Social-Engineering Savvy Skyrockets as Malicious Actors Cash In

With more staff working remotely, identity, authentication, and access have never been more important.

Last week, Thales announced that it had the signature of an agreement to acquire OneWelcome, a European leader in the fast-growing market of customer identity and access management (CIAM), for a total consideration of €100 million. Thales aims to capitalize on OneWelcome's strong cloud-native software-as-a-service (SaaS) product by extending its market footprint beyond Europe and selling it to existing Thales clients in North America and the Asia-Pacific region.

**Complementary Identity Acquisition**

OneWelcome's strong digital identity life-cycle management capabilities will complement Thales's existing identity services (secure credential enrollment, issuance and management, know your customer etc.). With this acquisition, Thales will be able to provide an expanded identity platform that will:

*   Be accessible to organizations of all sizes to manage internal and external identities
*   Quickly bring new businesses online
*   Improve operational efficiency and customer experience
*   Meet or exceed regulatory compliance requirements

It does look like CIAM is disappearing as a stand-alone pillar and is becoming a major pillar within larger vendors expanding cybersecurity portfolios. In addition to Thales' acquisition of OneWelcome, other notable ones include:

*   Ping Identity acquired Unbound ID in 2016.
*   SAP bought Gigya for $350 million in 2017.
*   Akamai acquired Janrain in 2019.

**CIAM of Interest to Technology Vendors in Various Sectors**

It's interesting that these acquisitions don't follow a pattern. Thales is arguably the biggest vendor in data security with its encryption capabilities. Ping was already a significant player in enterprise identity management/IDaaS before it added CIAM, and SAP, of course, has a huge enterprise resource planning (ERP) and customer relationship management (CRM) business. And Akamai is a content delivery network (CDN) that has been expanding its security offerings for the best part of a decade.

What they have in common, however, is that the acquirers all serve enterprise customers who deal with large numbers of customers in the consumer market and their interactions with them have moved increasingly online, making CIAM a vital part of their security toolkit. Think of CIAM as the place where identity management (IAM and IDaaS) meets CRM, enabling consumers to access online resources and learning from their behaviors to improve their experience and, hopefully, to drive more sales.

**Data Security and CIAM Convergence**

Thales is a major player in the data security space and the acquisition of OneWelcome helps it expand its identity portfolio.

It does seem that an increasing number of vendors are wanting to play in the identity space. Only last month, Microsoft expanded its capabilities in identity with the launch of Entra. The good growth potential of CIAM and clamor by big vendors to enter this space can help to explain why Omdia projects this market to increase from $8.1 billion in 2021 to $16.7 billion in 2026.

    

The world market for CIAM, by revenues ($ Millions). Source: Omdia’s Identity Authentication Access Market Tracker. 1H22

Thales Expands Cybersecurity Portfolio With OneWelcome Acquisition

Understanding the limitations of firewalls is important to protecting the organization from evolving threats.

Firewalls were born in the 1990s, alongside Windows 95 and Internet Explorer. They've been a staple of network security since, which prompts the question: Are firewalls still relevant? The determining factor is whether firewalls have grown with the changes we've seen in technology or if they've just stayed in line with the technology of the 1990s and early 2000s.

**How Firewalls Work & How They Don't**

Firewalls work primarily on the principle of deep packet inspection. Data packets are the units of information that constitute any type of Internet traffic, including Web traffic. They protect networks by checking the payload of every data packet trying to enter or leave a network and blocking any packets that contain malicious content. Content typically is defined as malicious through a series of rather complex policies and rules.

Today, data is almost always encrypted. Encryption ensures that good incoming and outgoing traffic is protected from prying eyes, but, unfortunately, it also hides bad incoming and outgoing traffic. Some firewalls can de-encrypt data packets, check their payload, and then re-encrypt them, but this process is computationally intensive and can bog down the network significantly. Also, this process is not always an available option given how many modern security protocols block the types of man-in-the-middle operations required for full-blown SSL inspection.

**Leveraging IP Addresses**

Indeed, deep packet inspection is becoming an antiquated security practice, but there are other ways to identify whether specific activity is malicious.

For example, some organizations blacklist malicious Web domains, then automatically block traffic from those sites, while others use tactics such as SIEM log analysis. However, these types of monitoring and alert systems are reactive: They tell you that you've been attacked, but don't block the malicious traffic that can cause an attack.

I staunchly believe in multifaceted security, with a simple set of three starting points:

1.  Don't reuse passwords.
2.  Regularly update your software.
3.  Use the truest lowest-common-denominator of Internet traffic — the IP address itself — to your advantage, as a key foundational tenet of your cyber security stack.

It's the third leg of that stool that can help ensure that your organization achieves a proactive posture when it comes to malicious traffic.

Since all traffic is identified by a unique IP address, focusing on IP is a simple way to identify and block any packets coming from or going to known malicious sources — without ever needing to check their contents. It doesn't matter if the data being transferred is encrypted or not.

Surprisingly to some, firewalls can't and don't perform this function very well because you need a very different hardware and software architecture to achieve deep packet inspection versus achieving IP filtering at scale.

**Conclusion**

While firewalls are a very important tool in organizations' security arsenals, it's important to align security solutions with security threats. As cyberattacks evolve, organizations should consider the kinds of tools that will be needed to complement and shore up firewall protection.

What Firewalls Can — and Can't — Accomplish

The CloudMensis spyware, which can lift reams of sensitive information from Apple machines, is the first Mac malware observed to exclusively rely on cloud storage for C2 activities.

A previously unknown macOS spyware has surfaced in a highly targeted campaign, which exfiltrates documents, keystrokes, screen captures, and more from Apple machines. Interestingly, it exclusively uses public cloud-storage services for housing payloads and for command-and-control (C2) communications — an unusual design choice that makes it difficult to trace and analyze the threat.

Dubbed CloudMensis by the researchers at ESET who discovered it, the backdoor was developed in Objective-C. ESET's analysis of the malware released this week shows that after initial compromise, the cyberattackers behind the campaign gain code execution and privilege escalation using known vulnerabilities. Then, they install a first-stage loader component that retrieves the actual spyware payload from a cloud storage provider. In the sample the firm analyzed, pCloud was used to store and deliver the second stage, but the malware also supports Dropbox and Yandex as cloud repositories.

The spy component then sets about harvesting a bevy of sensitive data from the compromised Mac, including files, email attachments, messages, audio recordings, and keystrokes. In all, researchers said it supports 39 different commands, including a directive to download additional malware.

All of the ill-gotten data is encrypted using a public key found in the spy agent; and it requires a private key, owned by the CloudMensis operators, for its decryption, according to ESET.

**Spyware in the Cloud**

The most notable aspect of the campaign, other than the fact that Mac spyware is a rare find, is its exclusive use of cloud storage, according to the analysis.

"CloudMensis perpetrators create accounts on cloud-storage providers such as Dropbox or pCloud," Marc-Etienne M.Léveillé, senior malware researcher at ESET, explains to Dark Reading. "The CloudMensis spyware contains authentication tokens that allow them to upload and download files from these accounts. When the operators want to send a command to one of its bots, they upload a file to the cloud storage. The CloudMensis spy agent will fetch that file, decrypt it, and run the command. The result of the command is encrypted and uploaded to the cloud storage for the operators to download and decrypt."

This technique means that there are no domain name nor IP address in the malware samples, he adds: "The absence of such indicator makes it difficult to track infrastructure and block CloudMensis at the network level."

While a notable approach, it's been used in the PC world before by groups like Inception (aka Cloud Atlas) and APT37 (aka Reaper or Group 123). However, "I think it is the first time we've seen it in Mac malware," M.Léveillé notes.

**Attribution, Victimology Remain a Mystery**

So far, things are, well, cloudy when it comes to the provenance of the threat. One thing that's clear is that the intention of the perpetrators is espionage and intellectual property theft — potentially a clue as to the type of threat, since spying is traditionally the domain of advanced persistent threats (APTs).

However, the artifacts ESET was able to uncover from the attacks showed no ties to known operations.

"We could not attribute this campaign to a known group, neither from the code similarity or infrastructure," M.Léveillé says.

Another clue: The campaign is also tightly targeted — usually the hallmark of more sophisticated actors.

"Metadata from cloud storage accounts used by CloudMensis revealed the samples we analyzed has run on 51 Macs between Feb. 4 and Apr. 22," M.Léveillé says. Unfortunately, "we have no information about the geolocation or vertical of the victims because files are deleted from the cloud storage."

However, countering the APT-ish aspects of the campaign, the sophistication level of the malware itself is not that impressive, ESET noted.

"The general quality of the code and lack of obfuscation shows the authors may not be very familiar with Mac development and are not so advanced," according to the report.

M.Léveillé characterizes CloudMensis as a medium-advanced threat, and noted that unlike NSO Group's formidable Pegasus spyware, CloudMensis builds no zero-day exploits into its code.

"We did not see CloudMensis use undisclosed vulnerabilities to bypass Apple's security barriers," says M.Léveillé. "However, we did find that CloudMensis used known vulnerabilities (also known as one-day or n-day) on Macs that do not run the latest version of macOS \[to bypass security mitigations\]. We do not know how the CloudMensis spyware is installed on victims' Macs so perhaps they do use undisclosed vulnerabilities for that purpose, but we can only speculate. This places CloudMensis somewhere in the middle in the scale of sophistication, more than average, but not the most sophisticated either."

**How to Protect Your Business from CloudMensis & Spyware**

To avoid becoming a victim of the CloudMensis threat, the use of vulnerabilities to work around macOS mitigations means that running up-to-date Macs is the first line of defense for businesses, according to ESET. Though the initial-compromise vector isn't known in this case, implementing all the rest of the basics like strong passwords and phishing-awareness training is also a good defense.

Researchers also recommended turning on Apple's new Lockdown Mode feature.

"Apple has recently acknowledged the presence of spyware targeting users of its products and is previewing Lockdown Mode on iOS, iPadOS, and macOS, which disables features frequently exploited to gain code execution and deploy malware," according to the analysis. "Disabling entry points, at the expense of a less fluid user experience, sounds like a reasonable way to reduce the attack surface."

Above all, M.Léveillé cautions businesses against being lulled into a false sense of security when it comes to Macs. While malware targeting Macs has traditionally been less prevalent than Windows or Linux threats, that is now changing.

"Businesses using Macs in their fleet should protect them the same way they would protect computers running Windows or any other operating systems," he warns. "With the Mac sales increasing year after year, their users have become an interesting target for financially motivated criminals. State-sponsored threat groups also have the resources to adapt to their targets and develop the malware they need to fulfill their missions, regardless of the operating system."

Mysterious, Cloud-Enabled macOS Spyware Blows Onto the Scene

Data science can be used to improve access to government assistance while reducing fraud.

During the pandemic, Black applicants for unemployment assistance in Wisconsin and North Dakota received benefits at approximately half the rate of their white counterparts. That's according to a June 2022 report by the Government Accountability Office (GAO), which looked at the impact of pandemic relief across four different states.

And this isn't an isolated case. It is an indication that, across the board, digital identity verification that relies on legacy data, systems, and documents don't treat people fairly, equitably, and with respect. Instead, they lock in the problems of the past. And unless we rethink systems from top to bottom and use advanced data science as the foundation for verifying identity, we risk making the same mistakes over and over again.

Today, digital identity verification is a fundamental part of the way government serves people. Government has to be able to distinguish between bad actors and those who are eligible for benefits. If we don't get this right, fraud will rise and people who are owed benefits won't get them. That's a true lose-lose.

**Identity Verification Shortcomings**

This dynamic became crystal clear in the pandemic. We know that individual scam artists and international fraud rings pocketed billions in relief money using synthetic fraud techniques, combining fake names with real Social Security numbers, and even donning wigs to successfully fool legacy systems.

And who suffers most? People who live in communities of color, new-to-country individuals, and others who have been historically underrepresented. Let's be clear — government identity infrastructure as we know it today is fragmented and broken. The pandemic shined a light on the extent to which legacy systems marginalize people who might have thin credit files, are underbanked, have limited broadband access, are rightfully hesitant about facial recognition, or lack government identification. When trying to verify their identities online, these people are met with roadblocks, friction, and long delays — a longstanding issue that has only recently gained mainstream attention.

Identity verification _is_ the gatekeeper to accessing and engaging in an online world, whether you're a homeowner with a lengthy credit history, an elderly individual applying for Medicare, a young entrepreneur looking to start their dream business, or an individual applying for unemployment benefits after getting laid off unexpectedly.

Of course, economic status, race, geography, and access to broadband have long dictated — and still do — the ease by which an individual can prove who they are or otherwise engage in modern society. According to the Consumer Financial Protection Bureau, approximately 45 million Americans, mostly Blacks and Hispanics, lack the traceable credit histories often used to prove identity. For the approximately 57 million people living in rural areas, having to take hours off of work and drive to an in-person facility to verify their identities is not an option. And an estimated 21 million Americans still lack broadband access, making it harder to complete applications that rely on video chat verification.

**3 Steps to Improve Digital Identity Verification**

These problems can't be solved overnight. But there are steps we can take in the near term to move toward accurate digital identity verification for all.

First, Congress should take steps — such as the Improving Digital Identity Act, now under consideration in both the House and Senate — to digitize common identity verification documents, including driver's licenses, birth certificates, and Social Security cards. We should move to ensure that government-issued data (numbers for Social Security, taxpayer identification, passport numbers, etc.) are made available to ease the burden on the public and service providers when verifying an individual's identity. Doing so will move our system away from a reliance on physical documents that are often lost, misplaced, or stolen and will offer more avenues to verify identity online.

Second, we need to design a system that combines machine learning, artificial intelligence, and data analytics to enable more efficient, more equitable verification. Historically underrepresented people often lack the government-issued IDs that current systems require. By combing through all information available — from applicant name to the device being used and more — we can verify good actors faster, flag fraudulent identities across systems, increase auto-approvals, and minimize fraud.

Third, we must protect public trust through transparency. The erosion of public trust hamstrings the use of innovations that can better combat ever-evolving fraud. An overreliance on intrusive (and error-prone) technologies like selfies can weaken this trust and cause significant backlash and public outcry over valid concerns like privacy and bias. Vendors partnering with the public sector must be transparent with their practices.

Without a real focus on equity, the fragmentation of identity across the US and the widening disparities across different populations will only grow. To move forward, we must think comprehensively in our approach when it comes to digital identity verification so that no one gets left behind.

Equitable Digital Identity Verification Requires Moving Past Flawed Legacy Systems

Google Cloud pledges experts and other resources to Health Information Sharing and Analysis Center, a community of healthcare infrastructure operators and owners.

The security-minded community of owners and operators of healthcare infrastructure just landed a big new member.

Google Cloud announced on Thursday that it has joined the Health Information Sharing and Analysis Center (Health-ISAC). It plans to share its considerable intelligence, best practices, and experts to help secure healthcare and public health sector (HPH) networks.

It is the first time that a cloud provider has joined the alliance, despite the fact that the industry sector has increasingly turned to cloud storage, centralized electronic medical records, and software-as-a-service applications.

"Joining Health-ISAC directly fits into our shared-fate model — as opposed to the traditional (and inherently flawed) shared responsibility model," Taylor Lehmann, director at the Office of the CISO at Google Cloud, tells Dark Reading. "We are taking an active stake in the security posture of our customers by offering our own technologies, people, resources, and lessons learned — and we encourage other hyperscalers to do the same."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Google Becomes First Cloud Operator to Join Healthcare ISAC

A study of the unregulated dark markets shows that the vast majority of malware, exploits, and attacker tools sell for less than $10, giving would-be criminals a fast entry point.

Would-be cybercriminals can easily buy advanced tools, common exploits, and stolen credentials on underground markets for a few dollars — a low barrier to entry for novices, according to a study of 33,000 Dark Web marketplaces.

According to new analysis from HP Wolf Security and researchers at Forensic Pathways, there are plenty of bargains to be had. Out of the 174 exploits found advertised on the Dark Web, 91% cost less than $10, while 76% of the more than 1,650 advertisements for malware have a similar price.

Other common attacker assets also have similarly low prices: The average cost, for example, for stolen credentials for accessing a Remote Desktop Protocol (RDP) instance is just $5.

While more advanced malware groups use private forums to trade zero-day exploits, the available credentials, exploits, and tools on offer in the wider underground economy allow novices to quickly create a credible toolset, says Alex Holland, senior malware analyst at HP and primary author of the report.

Novice cybercriminals "can use a freely available open source tool, and — as long as you are skilled enough to encrypt, use a packer, use techniques to evade defenses — then that tool will do a perfectly good job," he says.

    

The vast majority of exploits and malware are sold on the Dark Web for less than $10. Source: HP's The Evolution of Cybercrime report.

The study of Dark Web marketplaces analyzed approximately 33,000 active sites, forums, and marketplaces over a two-month period, finding that the market for basic tools and knowledge is well entrenched, and attracting new customers all the time.

The increase in the number of threat actors could mean businesses will find their operations targeted even more than they are today, according to Michael Calce, HP Security Advisory Board member and former hacker (aka MafiaBoy). HP brought in criminologists and former hackers to help put the study in context.

"Today, only a small minority of cybercriminals really code, most are just in it for the money — and the barrier to entry is so low that almost anyone can be a threat actor," Calce says in the report. "That's bad news for businesses."

To protect themselves from the swelling ranks of cyberattackers, HP recommends that companies do the basics, using automation and best practices to reduce their attack surface area. In addition, businesses need to regularly conduct exercises to help plan for and respond to the worst-case attacks, as attackers will increasingly attempt to limit executives choices following an attack to make ransom payments the best worst option.

"If the worst happens and a threat actor breaches your defenses, then you don't want this to be the first time you have initiated an incident response plan," Joanna Burkey, chief information security officer at HP, says in the report. "Ensuring that everyone knows their roles, and that people are familiar with the processes they need to follow, will go a long way to containing the worst of the impact."

**Cybercrime Convergence: Nation-State Tactics Blend With Financial Campaigns**

The report also found that advanced actors are becoming more professional, using increasingly destructive attacks to scale up the pressure on victims to pay. At the same time, financially motivated cybercriminals groups continue to adopt many of the tactics used by high-end nation-state threat actors.

These especially focus on living-off-the-land attacks where the attacker uses system administration tools to avoid endpoint-detection systems that would otherwise flag malware, according to HP.

While the shift likely comes from the transfer of knowledge as cybercriminals become more skillful and learn the latest tactics used by advanced persistent threats, a number of groups are also blending nation-state activities—such as cyberespionage — and cybercriminal activities aimed at turning a profit. The leak of text messages from the Conti group highlighted that the members occasionally conducted operations at the request of at least two Russian government agencies.

**Ransomware Is Here to Stay**

Elsewhere in the report, researchers note that ransomware gangs will focus on timing their attacks to put the most pressure on organizations, such as attacking retailers during the holiday seasons, the agriculture sector during harvest seasons, or universities as students return to school. 

Ransomware has declined in the first half of the year for various reasons, but HP sees the trend as temporary.

"We don't see ransomware going away, but we do see it evolving over time," Holland says. "Ransomware attacks will actually become more creative."

**Enforcing Ethics on the Dark Web**

The study also found that trust continues to be a major problem for Dark Web markets in the same way that online businesses have had to deal with fraud and bad actors. The Dark Web, of course, has facets that make trust even harder to come by: A website on the anonymous Tor network, for example, has an average lifespan of 55 days, according to the researchers.

To ensure that vendors and customers play fair, the marketplaces have adopted many of the same strategies as legitimate businesses. Vendors are usually required to offer a bond of thousands of dollars to ensure trust. Customers can leave ratings on every marketplace. And escrow payments have become commonplace, with 85% of transactions using escrow payment systems.

The Market Is Teeming: Bargains on Dark Web Give Novice Cybercriminals a Quick Start

Identify your business's security posture and head off ransomware attacks with third-party risk management and vendor security assessments.

On Dec. 11, 2021, Kronos, a workforce management company that services over 40 million people in over 100 countries, received a rude awakening when it realized its Kronos Private Cloud was compromised by a ransomware attack. This was just the beginning of a series of events to follow. Still to this day, millions of employees are short hundreds or even thousands of dollars as the Kronos software fails to reconcile following the attack.

But by understanding the impact of this ransomware attack, and the methods behind it, companies can better plan and tighten their cybersecurity protection efforts to prevent or minimize the effects of such attacks in the future.

**How the Kronos Ransomware Attack Happened**

Like many other companies that have suffered ransomware attacks in recent years, Kronos has been sparse on the details. Its press release simply states it became aware of "unusual activity impacting UKG solutions using Kronos Private Cloud" and "took immediate action" and determined it was a ransomware attack.

In ransomware attacks, computer systems become infected with malicious software that locks or encrypts access to files or data until a ransom is paid. But these ransoms can be quite steep and there's no guarantee that access will be returned. In the case of Kronos, there are reports that the ransom was paid, yet it took over a month before the system was fully restored and even longer for customers to try to reconcile their data in the aftermath.

Ransomware can spread in a variety of ways, including through phishing emails or from visiting an infected website. And with the threat landscape constantly evolving, new methods of infection are emerging, such as Web server exploitation. In general, the strategy of bad actors is to target the weakest link. And often that weakest link is human — i.e., it's Jesse in finance who was fooled by spam and clicked the wrong link.

In the case of Kronos, we may not know exactly how the breach occurred, but the impact was felt far and wide. Not only did it harm the finances and reputation of Kronos itself, but it did significant harm to all the businesses and organizations that relied on Kronos as a third-party vendor.

**The Fallout**

Kronos is used by tens of thousands of different companies and organizations across multiple sectors for tracking work hours and issuing paychecks. The attack in question affected 2,000 of those businesses, and it happened during one of the most chaotic times of the year — in December, when bonuses tend to be due and when employees really count on their paychecks being dependable.

Just imagine how much of a mess your business would be in if all employee payroll data went missing for weeks. Companies had to try to create temporary manual workarounds, and many employees missed paychecks over the holidays. Then once the system was back online, there was the job of entering that manual data and reconciling records. This was costly in financial terms as well as in terms of time and morale.

Note how the impact of this attack didn't just hurt Kronos, but the many businesses that relied on Kronos software, not to mention the employees of those businesses.

This is a prime example of third-party risk.

As much as your company might have all of its cybersecurity ducks in a row, your company is still at risk if you rely on a vendor that has security gaps. Protecting your organization from a ransomware attack similar to the one that happened to Kronos means going beyond just protecting your organization from malware. You must ensure that all vendors you rely on are accurately assessed for security risks as well.

**Managing Third-Party Risk**

To help remove third-party risks, and keep you from experiencing a similar ransomware attack to Kronos, here are the key steps to understanding and managing your third-party risks:

**Step 1: Identify your vendors:** You need to know who all your vendors are before you can perform a risk analysis. For some organizations, the list may be small. For others, it can take a while to track down and catalog all vendors.

**Step 2: Analyze risk for each vendor:** Assess the security posture of each vendor and determine the relative risk they pose to your critical operations and infrastructure.

**Step 3: Prioritize vendors based on risk:** Once you understand the risk associated with each vendor, you can categorize vendors based on their overall importance to your business and any potential threats they pose. This will help you address the most critical issues first or determine where a shift in vendor prioritization would be more beneficial.

**Step 4: Monitor continuously:** Just checking in with each vendor once is not enough. With all businesses these days, technology and configurations are constantly evolving, as is the threat landscape. Continuous monitoring of third-party risk will alert you if something changes and enable you to act accordingly.

Cybersecurity threats will always be top of mind as the threat landscape evolves and cybercriminals use new attack vectors. However, staying ahead of these threats with proper third-party risk management, vendor security assessments, and identifying the security posture of your own business will help to prevent you from being the next headline news of a ransomware attack victim.

The Kronos Ransomware Attack: What You Need to Know So Your Business Isn't Next

The cyber campaign, aimed at siphoning funds, uses an improved version of the malware, which can adjust infection paths based on recognized antivirus software.

Financial and investment entities, including those involved in the decentralized finance (DeFi) and cryptocurrency markets, are being actively targeted by a group of hackers identified as TA4563, who are leveraging Evilnum malware.

According to a new report from Proofpoint, the first email campaign was last December, with the initial campaign attempting to deliver Word documents that could install an updated version of the backdoor. The files contained social-engineering phishing tactics aimed at financial institutions, in one case suggesting the recipient must submit "proof of ownership of missing documents."

In later campaigns, the group tried to deliver multiple OneDrive URLs containing either an ISO attachment or shortcut file (.LNK). Then, the group again switched tactics midway through 2022, reverting back to Word files to entice victims to download a remote template, instead sending the victim to an actor-controlled domain delivering the Evilnum payload.

"Each campaign is highly fenced; the malware only allows one download per IP address to ensure only the target host can retrieve the final payload," the report, issued Thursday, notes.

The Evilnum backdoor, first observed in 2020, can be used for data theft, reconnaissance, or to load additional payloads — it's often a fixture in cyber-espionage campaigns.

**Evilnum: Under Active Development**

Based on Proofpoint's analysis, the malware also contains multiple evasion mechanisms and is under ongoing development.

Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, says this suggests the threat actors may incorporate new features of the malware to evade detection and improve efficacy in the campaigns.

"The use of Microsoft Word and .LNK files to launch malware, as well as other different delivery methods, allows the actor to experiment with what works or has a higher likelihood of achieving an infection," she adds.

She points out most targets generally have a potential financial windfall for the threat actor, and notes DeFi is a new, loosely regulated industry with many new technologies that may not be fully vetted or secured.

"It's an emerging, target-rich environment for threat actors to potentially benefit from," she says, adding that this particular campaign is targeting European organizations.

**Emerging DeFi Industry a Prime Cyber Target**

Decentralized finance lost $1.8 billion to cyberattacks last year — and 80% of those events were the result of vulnerable code, analysts say.

Nicole Hoffman, senior cyber-threat intelligence analyst at Digital Shadows, a provider of digital risk protection solutions, points out the DeFi industry is still relatively new and reliant on open source platforms.

She explains open source means the source code is publicly available, which makes it easier for cybercriminals to identify potential flaws.

"Cybercriminals may also be drawn to the billions of dollars held within DeFi platforms," she adds.

Additionally, Hoffman says many DeFi platforms have cross-chain bridges, allowing users to transfer funds across multiple blockchains easily.

"This inadvertently allows malicious actors to disburse their stolen funds across multiple blockchains quickly," she says.

Hoffman says DeFi developers are learning "the hard way" that security needs to be a part of the development process from the beginning.

"The developers must address all security flaws and protect people's funds if they want continuous buy-in," she says. "Otherwise, the market will likely flop. Until these vulnerabilities are addressed, there will likely be more opportunistic attackers looking to make fast cash."

**Growing Pool of Victims as Investment in DeFi Rises**

DeGrippo adds that more people are aware of and investing in decentralized finance and cryptocurrency resources, so there is an increasing pool of potential victims for threat actors to target.

"Additionally, they may use different lure themes to target cryptocurrency-related products and services," she says.

She explains it's important that these organizations ensure employees are trained to identify and report suspicious emails.

From a technology perspective, they can also "restrict the use of container files such as ISO and LNK files, especially those downloaded from the internet," she says, and "block RTF files from being downloaded or accessed from Word where applicable."

The eponymous group behind Evilnum malware has been targeting financial institutions since its emergence in 2018 and has steadily evolved its methods, adopting a Python remote access Trojans (RATs) to carry out well-crafted spear-phishing attacks.

Source

DARKReading