An attacker is using the tool to deploy a cryptominer and the Tsunami DDoS bot on compromised systems.

Source: TippaPatt via Shutterstock

A threat actor is dropping a cryptominer and distributed denial-of-service (DDoS) malware on Oracle WebLogic Servers using "Hadooken."

Researchers at Aqua Nautilus spotted the malware when it hit one of their honeypots last month. Their subsequent analysis showed Hadooken to be the main payload in an attack chain that began with the threat actor brute-forcing its way into the administration panel of Aqua's weakly protected WebLogic honeypot. It appears Hadooken's authors named the malware after the iconic Surge Fist move in the Street Fighter series of video games.

Once inside the Aqua system, the attacker downloaded Hadooken to it using two nearly functionally identical scripts — a Python script and a "c" shell script — with one likely acting as a backup for the other. Aqua found both scripts designed to run Hadooken on the compromised honeypot and to then delete the file.

"In addition, the shell script version attempts to iterate over various directories containing SSH data (such as user credentials, host information, and secrets) and uses this information to attack known servers," Aqua's lead researcher, Assaf Morag, said in a report. "It then moves laterally across the organization or connected environments to further spread the Hadooken malware."

**A Valuable Target**

Oracle's WebLogic Server allows customers to build and deploy Java applications. Thousands of organizations — including some of the world's largest banking and financial services companies, professional services firms, healthcare entities, and manufacturing companies — have deployed WebLogic. These deployments include modernizing their Java enterprise application environment, deploying Java apps in the cloud, and building Java microservices. Critical vulnerabilities, including those that have enabled complete takeover of WebLogic Server, have made the technology a frequent target for attacks over the years. Configuration errors, such as weak passwords and Internet-exposed admin consoles, have exacerbated the risks around the platform.

In Aqua's honeypot attack, the threat actor gained initial access to the WebLogic server by brute-forcing past the security vendor's deliberately weak password. Hadooken then dropped two executable files: Tsunami, a malware used in numerous DDoS attacks going back at least a decade; and a cryptominer. In addition, Aqua found the malware creating multiple cron jobs — which schedule commands or scripts to run automatically at specific intervals or times — to maintain persistence on the compromised system.

**Potential for More Trouble**

Aqua's analysis showed no sign of the adversary actually using Tsunami in the attack, but the security vendor didn't rule out the possibility of that happening at a later stage. Equally likely is the possibility that the attacker could tweak Hadooken relatively easily to target other Linux platforms, Morag tells Dark Reading. "At the moment we've only seen indications the attackers are brute-forcing their way to WebLogic Servers," Morag says. "But based on other attacks and campaigns, we assume the attackers won't limit themselves to WebLogic."

It's also likely that the attackers won't limit themselves to cryptocurrency and DDoS malware in future Hadooken campaigns. Aqua's static analysis of the malware showed links in the code to Rhombus and NoEscape ransomware, but no actual use of the code during the attack on its honeypot. Aqua found the threat actor using two IP addresses, one in Germany and the other in Russia, to download Hadooken on compromised systems. The German IP address is one that two other threat groups — TeamTNT and Gang 8220 — have used in previous campaigns, but there is nothing to suggest they are linked to the Hadooken campaign, Aqua said.

The company recommends that organizations consider using mechanisms like infrastructure-as-code scanning tools, cloud security posture management tools, Kubernetes security and configuration tools, runtime security tools, and container security tools to mitigate threats like Hadooken.

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa and forced to spend the night in jail -- just for doing their pen-testing jobs. Listen now!

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

'Hadooken' Malware Targets Oracle's WebLogic Servers

The dangerous ransomware group is targeting financial and insurance sectors using smishing and vishing against IT service desk administrators, cybersecurity teams, and other employees with top-level privileges.

Source: Photo Spirit via Shutterstock

One of the world's most dangerous ransomware groups has been applying its hallmark savvy social engineering to targeted, sophisticated phishing attacks against financial and insurance companies, aiming to steal high-level permissions to cloud-based environments to ultimately deliver ransomware.

Scattered Spider has been using SMS and voice phishing — or smishing and vishing, respectively — attacks to target target high-privileged accounts, such as those of IT service desk administrators and cybersecurity teams. Attackers use the stolen credentials to compromise cloud-based services and ultimately gain access to victim environments for ransomware attacks, according to researchers at EclecticIQ.

"Scattered Spider frequently uses phone-based social engineering techniques … to deceive and manipulate targets, mainly targeting IT service desks and identity administrators," EclecticIQ Threat Intelligence Analyst Arda Büyükkaya wrote in a recent analysis. "The actor often impersonates employees to gain trust and access, manipulate MFA settings, and direct victims to fake login portals."

The attacks are so well-crafted that they often prompt unsuspecting identity administrators in charge of cloud infrastructures to enter credentials for VMware Workspace ONE, an application management and identity access policy platform, so attackers can gain unauthorized access even to accounts protected by multifactor authentication (MFA), Büyükkaya said.

**Cloud Services, SaaS in the Crosshairs**

Other ways Scattered Spider gains persistent access to cloud enviroments is to purchase stolen credentials, execute SIM swaps, and use cloud-native tools. In fact, the threat group is leveraging legitimate features of cloud infrastructure to carry out its nefarious activities, making their operations increasingly difficult to detect and counter, Büyükkaya noted.

"The cybercriminal group abuses legitimate cloud tools such as Azure’s Special Administration Console and Data Factory to remotely execute commands, transfer data, and maintain persistence while avoiding detection," he wrote.

The attacks observed by EclecticIQ targeted cloud-based services like Microsoft Entra ID and Amazon Web Services Elastic Computer Cloud, as well software as a service (SaaS) platforms such as Okta, ServiceNow, Zendesk, and VMware Workspace ONE "by deploying phishing pages that closely mimic single sign-on (SSO) portals," Büyükkaya wrote. These pages are delivered via socially engineered attacks that appear highly convincing — so much so that they even can fool cloud security engineers.

**Spinning a Complex Attack Web**

Scattered Spider, known also by Octo Tempest, made a significant name for itself in the ransomware game rather quickly. The group arrived on the scene in 2022 armed with sophisticated social-engineering techniques, an aptitude for understanding the psychology of Western business minds, and a command of native English — all of which it used as part of its heavy artillery. The group soon became infamous for the massive ransomware attacks on Caesars Palace and MGM Entertainment about a year later.

Scattered Spider teamed with BlackCat/Alphv ransomware early on but became a ransomware-as-a-service (RaaS) affilitate of RansomHub and Qilin earlier this year, after BlackCat/Alphv unceremoniously went dark in March, leaving affiliates in the lurch.

Of late, Scattered Spider has had global law enforcement, including the FBI, hot on its trail, and UK officials recently arrested a 17-year-old from the town of Walsall, UK, in July for his connection to the group.

The attacks outlined by EclecticIQ are the result of analysis conducted between 2023 and the second quarter of 2024, so it's as yet unclear how active Scattered Spider has been since that arrest. However, the research sheds new light on the complex web of attacks the group is capable of spinning to leverage identity compromise to target cloud environments successfully, the researchers noted.

**Defense and Mitigation**

EclecticIQ developed a specific framework outlining the ransomware deployment life cycle to help defenders thwart attacks by detailing the techniques used by the threat actor to infiltrate, persist, and execute ransomware within cloud environments. The accessibility of the cloud makes it a prime target for financially motivated criminals and has been the secret to success for Scattered Spider and other ransomware actors, according to Büyükkaya.

The company made a sweeping set of recommendations for organizations in terms of prevention, detection, and incident response that relate to but are not limited to: secure authentication; monitoring and alerts; hypervisor cloud resource security; firewall and network security; and other key and varied aspects that comprise an enterprise cloud environment.

Other recommendations made specifically focused on Scattered Spider's tendency to use phishing as its key method for initial access, advising organizations to regularly monitor for typosquatting domains. This includes their own organization’s legitimate domains, especially those targeting their own cloud environments.

"Proactively secure these domains to prevent phishing attacks and social engineering tactics," Büyükkaya advised.

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa and forced to spend the night in jail -- just for doing their pen-testing jobs. Listen now!

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Socially Savvy Scattered Spider Traps Cloud Admins in Web

Law enforcement seized electronics containing special hacking tools and software as well as a substantial amount of cash in the raids.

Source: Olaf Schuelke via Alamy Stock Photo

Six men — one Singaporean and the other five Chinese — were arrested in raids conducted by Singapore's law enforcement and charged in court yesterday for their suspected involvement in illicit cyber activities.

Singapore police officers raided multiple residential site across the island, seizing electronic devices such as laptops and mobile phones, as well as cash.

The five Chinese nationals arrested are believed to be involved in a global syndicate and face charges related to the Computer Misuse Act 1993. The Singaporean man was charged with abetting unauthorized access to websites.

"We have zero tolerance of the use of Singapore to conduct criminal activities, including illegal cyber activities," the Singapore police said in a statement. "We will deal severely with perpetrators."

All six men will be held as the police continue to look into each individual's network of contacts and how they were connected to their various syndicates.

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa and forced to spend the night in jail -- just for doing their pen-testing jobs. Listen now!

**About the Author**

Singapore Arrests 6 Suspected Members of African Cybercrime Group

Most investors aren't demanding cybersecurity preparedness from startups, but founders should still be worried about the risks.

Source: Illia Uriadnikov via Alamy Stock Photo

It was a tale of two startups.

"A company that I invested in — about, oh, five years ago — happened to be in the proptech \[property technology\] space," said David Rose, managing partner at Rose Tech Ventures, during a panel at Cybertech NYC last week. The property tech startup he was referring to helped people build their credit by paying their rent with credit cards. "So it was a really cool company, \[and\] it was going great. And then it turned out they had been hit by scammers, who were setting up fake buildings and fake credit cards, using them \[for fraud\]. And the entire company blew up because of that."

Another company from one of Rose's protégés had a similar idea and business model, but because the company had better security, it was able to grow. "So you see a company that had really interesting ideas, demonstrated a great potential, smart guys, but the company got killed because of cyber," Rose noted.

Startups are valued for their forward thinking, their financials, and their talent. No investment negotiation has ever broken down over the issue of cyber preparedness. Yet, clearly, an incident can be catastrophic to a promising but volatile new business, and anecdotal evidence suggests investors and founders alike are starting to take that risk seriously.

**The Threat to Startups**

Volt Typhoon, the Chinese advanced persistent threat (APT) du jour, has compromised critical infrastructure providers of every kind — Internet service providers, electric utilities, wastewater treatment, energy, and more — on multiple continents, targeting military organizations along the way. Its attacks are of the highest caliber among known APTs. But a few weeks ago, it went after a different type of prey: a startup.

Versa Networks attracted a lot of attention with its secure access service edge (SASE) software-as-a-service offering and earned $120 million in pre-IPO funding in October 2022. Less headline-grabbing was a bug in its software-defined wide area networking (SD-WAN) technology (CVE-2024-39717). The vulnerability — rated as "high" severity with a CVSS score of 7.2 — allowed Volt Typhoon to push a custom, credential-grabbing Web shell through the Versa Director platform, allowing the attackers to breach four Versa customers in the United States and one in India.

Though attacks and breaches can happen to any company, startups like Versa Networks, security camera firm Verkada — which was fined $3 million by the FTC last month following its breach where attackers took over customer cameras — and Rose's proptech failure are particularly vulnerable. Like any small or medium-sized businesses, they might struggle with budgets and resource allocation. More so than other businesses, though, startups sell excitement and promise. Where a typical business might aim to be secure, but simply lack the money and manpower to do it right, startups that aim to move fast and break things might simply deprioritize a cost that does not incur growth.

As Rose told Dark Reading at Cybertech, "In the case of the company that I mentioned, it \[cybersecurity\] hadn't even occurred to them. They were thinking about the upside \[of the business\], not the downside."

Unfortunately, the answer to securing startups isn't straightforward.

**When Startups Need to Think About Security**

When established companies shift their attention to beefing up their cybersecurity, they typically invest in personnel, training, and layered security software (among other things). But as Rose points out, "Virtually no founders we are speaking with are facing cyber security challenges because they don't have any product!"

Startup security is a more nuanced matter which largely rests on timing, explains Bob Ackerman, founder and managing director of the early-stage VC company AllegisCyber.

"When you're looking at a stage zero startup, security probably is not the number one consideration. It's, 'Is this a good idea?', 'Can this team perform?', 'Is there actually a business here?' But as companies gather steam, establish critical mass, the consequences of getting cybersecurity wrong increase," Ackerman says.

"Usually a mid-stage or later-stage company has enough cybersecurity questions for it to be obvious that we need a security team, a security program, \[and\] a security budget as well," says Will Lin, author of The VC Field Guide. "If I were to force a number, I would say that for companies over, say, 3,000 employees, it starts becoming more of a key topic for investors."

Lin cautions, though, that needs vary widely across companies of different kinds.

"You might find very, very large organizations — even above 3,000 people, for example — that have a tiny, three-person-or-less security team, and then you might find a small organization of 200 people spending quite a lot per year on security. Security budgets and programs and everything tends to be more reactive than \[saying\] 'Obviously, the next step of the company is we need to do X, Y, Z," Lin explains.

The variation occurs not just due to size and maturity, Ackerman adds, but also industry.

"Maybe a financial services company is going to have cyber risk exposure, and so \[be\] aware of it from a very early stage, particularly in sectors like financial services, where there is a lot of personally identifiable information, or anything in supply chain, where a compromise could be disruptive and have an adverse consequence," he says.

**Nudging Security to a Higher Priority**

According to a February survey from business insurance company Embroker, more than two thirds of founders have experienced a cyberattack against one of their businesses.

Founders seem to be extra cautious about security. In the survey, 86% reported owning some kind of cyber insurance, and 71% were considering additional security protections in addition to having insurance. About a third (31%) of the respondents reported being more concerned with security than they were the year prior.

Those who aren't thinking about cybersecurity may be nudged into doing something by the investors themselves. As Rose points out, "One of the things that we have on our standard investor checklist when we do full-on due diligence is: What is your cybersecurity plan? How is it going to work? Actually, in many cases, it's the first time anybody ever asked the startup founder about security."

He continues, "I would be very happy if they have something in their deck — at least in their appendix to their deck — which would say: 'Here's our thoughts, here's our plan, here's our vulnerability.' Just tell me that you've actually given more than two-and-a-half minutes worth of thought to the subject, and you will be ahead of 95% of other companies."

More mature, later-stage startups need to start making material investments, and hiring for executive positions, he explains, "And if you're a platform business that is open to the public, and you've got any kind of money going anywhere, then you damn well better have a really serious plan."

"If the world was under my control, I would say: Yes, as a startup founder with no paying clients until next year, I want you thinking about building in security from day one. But because that doesn't tie out to dollars day one — and startups are always pressed for dollars, always trying to move fast and break things — that's a very hard sell," he admits.

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

When Startup Founders Should Start Thinking About Cybersecurity

PRESS RELEASE

SAN MATEO, Calif. — Sept. 10, 2024 — QuSecure™, Inc., a leader in post-quantum cryptography (PQC), today announced it has been selected for the United States Army Small Business Innovation Research (SBIR) project titled “Enhanced Post-Quantum Cryptography Suite for Tactical Networks.” 

This SBIR Phase II award further establishes QuSecure as a leading provider of Federal PQC solutions. The contract scope of work is organized to further enhance QuProtect™, the industry’s first end-to-end PQC software-based solution that enables organizations to springboard from cryptographic discovery and non-compliant algorithm detection straight to full quantum-resilience with live encryption management, continuous monitoring, vulnerability and alerting capabilities – all which can be achieved without the need to rip-and-replace current infrastructure.

“This project, in addition to all of our work and traction across all U.S. military branches, further validates that QuSecure is setting the standard for Federal PQC requirements,” said Pete Ford, Head of Federal Operations at QuSecure. “Serving the Government with this important U.S. Army project will provide Crypto Agility, Continuous Cryptographic Inventory (CCI) and Cryptography Orchestration (CO), so the U.S. Government can better protect and manage against classical, AI, and quantum computing threats to cryptography, bringing true resilience to the nation’s most secure encrypted communications for decades to come.”

This award is one of several that QuSecure has won in the past two years to address the most pressing PQC challenges being faced by the U.S. Government.

The recent landmark NIST PQC standards announcement was preceded by extensive government action over the past three years, with the aim of establishing U.S. leadership in protecting the nation’s digital assets form ongoing Harvest Now Decrypt Later (HNDL) attacks. The U.S. Government’s urgency to move toward a quantum safe future has been established with the recent actions taken by Congress and the White House. The Endless Frontiers Act set up a Technology and Innovation Directorate at the National Science Foundation, along with a $100 billion budget to research emerging technologies over five years, including quantum computing and post-quantum cryptography. Additionally, in December 2022 President Biden signed the Quantum Computing Cybersecurity Preparedness Act, a law that requires the Office of Management and Budget to prioritize federal agencies’ adoption of crypto-agile PQC as part of a greater migration effort to Zero Trust Network Access (ZTNA).

QuSecure’s QuProtect software is available now for testing and deployment. This suite offers a comprehensive, end-to-end quantum-security-as-a-service architecture that combines Crypto Agility, Continuous Cryptographic Inventory (CCI) and Cryptography Orchestration (CO) with zero-trust, next-generation quantum-resilient technology, cloud systems, edge devices, and satellite communications to protect networks against today’s cyberattacks and future quantum threats, all with minimal disruption to existing systems.

About QuSecure

QuSecure is a leader in quantum-safe cybersecurity with a mission to use the advent of quantum computing to act as a catalyst to fix the foundation of data security infrastructure. The QuProtect platform requires no quantum technologies to defend against quantum, AI, and classical threats to encryption, and can be purchased through the AWS marketplace or through direct outreach to QuSecure, Accenture, Dell, Cisco, or Carahsoft. QuSecure is proud to have more successful post-quantum cryptography deployments than any other organization in the world, and the technology is currently deployed with government, banking, telecommunications, and infrastructure customers across the globe. QuSecure’s quantum-resilient and crypto-agile solutions provide an easy transition path to quantum resiliency anytime, anywhere, on any device, and across any organization.

The company’s QuProtect solution is the industry’s first cryptographic-agility platform that facilitates the upgrade to PQC and beyond. You can Book a No-Obligation Two Hour CISO Road Mapping Workshop with QuSecure’s experts to get started on your PQC Migration planning and to take the QuProtect Software for a test drive.

US Army Selects QuSecure Solution for 'Enhanced Post-Quantum Cryptography Suite for Tactical Networks' Project

PRESS RELEASE

DELRAY BEACH, Fla., Sept. 10, 2024 /PRNewswire/ -- The global Security Testing Market size is projected to grow from USD 14.5 billionin 2024 to USD 43.9 billion by 2029 at a Compound Annual Growth Rate (CAGR) of 24.7% during the forecast period, according to a new report by MarketsandMarkets™.

One of the key factors promoting the security testing will be the increasing incidence of cyberattacks that target the software's vulnerabilities. However, the organizations, being in the digitalized world are getting more and more dependent on the digital applications that require the identification of the system's security risks and their resolution before the potential exploitation of such risks by the attackers which is becoming the new crucial practice. This rising concern pushes organizations to adopt the security testing process in order to guard their systems, data, and reputation from the possible breaches.

Request Sample Pages@ https://www.marketsandmarkets.com/requestsampleNew.asp?id=150407261

Based on the application testing tools, SAST accounts for the highest market size during the forecast period.

The adoption of Static Application Security Testing (SAST) tools is increasing as organizations prioritize secure software development. SAST tools enable developers to identify and fix security vulnerabilities early in the coding process, reducing the risk of security flaws in production. This shift is driven by the growing emphasis on integrating security into the software development lifecycle (SDLC) and the need to comply with stringent security standards. As a result, more companies are adopting SAST tools to enhance code security, improve development efficiency, and ensure that applications are robust against cyber threats from the outset.

By Application security testing type, web application security testing accounts for the highest market size during the forecast period.

The adoption of web application security testing is growing as organizations increasingly rely on web-based platforms for business operations and customer interactions. With the rise in cyber threats targeting web applications, such as SQL injection and cross-site scripting (XSS), companies are prioritizing security testing to identify and mitigate vulnerabilities before they can be exploited. This proactive approach is driven by the need to protect sensitive data, ensure compliance with regulations, and maintain customer trust in an environment where web applications are a critical part of the business landscape.

Inquire Before Buying@ https://www.marketsandmarkets.com/Enquiry\_Before\_BuyingNew.asp?id=150407261

By Region, Asia Pacific will grow at the highest CAGR during the forecast period.

The adoption of security testing services in the Asia Pacific region is rapidly increasing due to the region's expanding digital economy and the rising threat of cyberattacks. As businesses in Asia-Pacific embrace digital transformation and cloud computing, the need to identify and address vulnerabilities in their systems has become crucial. Regulatory pressures and growing awareness of cybersecurity risks are also driving organizations to invest in security testing solutions to ensure the resilience of their IT infrastructure and protect sensitive data from breaches. This trend is further fueled by the region's diverse and complex threat landscape, prompting a proactive approach to cybersecurity.

Top Key Companies in Security Testing Market:

IBM (US), HCLTech (India), Synopsys (US), OpenText (UK), Cigniti (US), Qualitest (UK), Intertek (UK), DXC Technology (US), eInfochips (US), Checkmarx (US), HackerOne (US), Invicti (US), DataArt (US), Cobalt Labs (US), Trustwave (US), Contrast Security (US), Veracode (US), Qualys (US), OffSec (US), NCC Group (UK), GitHub (US), Bugcrowd (US), Applause (US), Rapid7 (US), Parasoft (US), BreachLock (US), ImmuniWeb (Switzerland), Pentest People (UK), SafeAeon (US), and REDTEAM.PL (Poland) are the key players and other players in the Security Testing Market.

Browse Adjacent Market: Information Security Market Research Reports & Consulting

Browse Other Reports:

Blockchain Security Market - Global Forecast to 2029

IoT Security Market - Global Forecast to 2029

Exposure Management Market\- Global Forecast to 2029

Next-Generation Firewall Market\- Global Forecast to 2028

Digital Signature Market\- Global Forecast to 2028

Get access to the latest updates on Security Testing Companies and Security Testing Industry

About MarketsandMarkets™ 

MarketsandMarkets™ has been recognized as one of America's best management consulting firms by Forbes, as per their recent report.

MarketsandMarkets™ is a blue ocean alternative in growth consulting and program management, leveraging a man-machine offering to drive supernormal growth for progressive organizations in the B2B space. We have the widest lens on emerging technologies, making us proficient in co-creating supernormal growth for clients.

Earlier this year, we made a formal transformation into one of America's best management consulting firms as per a survey conducted by Forbes.

The B2B economy is witnessing the emergence of $25 trillion of new revenue streams that are substituting existing revenue streams in this decade alone. We work with clients on growth programs, helping them monetize this $25 trillion opportunity through our service lines - TAM Expansion, Go-to-Market (GTM) Strategy to Execution, Market Share Gain, Account Enablement, and Thought Leadership Marketing.

Built on the 'GIVE Growth' principle, we work with several Forbes Global 2000 B2B companies - helping them stay relevant in a disruptive ecosystem. Our insights and strategies are molded by our industry experts, cutting-edge AI-powered Market Intelligence Cloud, and years of research. The KnowledgeStore™ (our Market Intelligence Cloud) integrates our research, facilitates an analysis of interconnections through a set of applications, helping clients look at the entire ecosystem and understand the revenue shifts happening in their industry.

To find out more, visit www.MarketsandMarkets™.com or follow us on Twitter, LinkedIn and Facebook.

Security Testing Market Worth $43.9B by 2029

PRESS RELEASE

REDDING, Calif., Sept. 10, 2024 /PRNewswire/ -- According to a new market research report titled, 'SCADA Market by Type (Monolithic SCADA Systems, Distributed SCADA Systems, Networked SCADA Systems), Component (Hardware, Software, Services), Deployment Mode, End-use Industry (Oil & Gas, Automotive, F&B)—Global Forecast to 2031.

The rising adoption of automated technologies across Europe and Asia-Pacific, the advent of Industry 5.0, the growing demand for smart and digitized production processes, and the increasing emphasis on industrial automation are key factors driving the growth of SCADA. However, the high initial investment requirements for SCADA implementation are restraining the growth of this market.

Furthermore, the growing adoption of wireless sensor networks and the proliferation of smart factories are expected to generate growth opportunities for the players operating in this market. However, the risk of cyberattacks is a major challenge impacting market growth. Furthermore, the rising adoption of Industry 4.0 technologies and the increasing reliance on Human-Machine Interface (HMI) systems are prominent trends in the SCADA market.

Advent of Industry 5.0 Boosting the Demand for Scada Systems 

Industry 5.0, also known as the Fifth Industrial Revolution, is a new and emerging phase of industrialization that builds upon the principles of Industry 4.0 but emphasizes the human touch and the integration of human skills with advanced technologies. Industry 4.0 focused on technologies such as the Internet of Things and big data, whereas Industry 5.0 seeks to involve human, environmental, and social aspects.

As Industry 5.0 promotes enhanced collaboration between humans and machines, there is an increasing demand for sophisticated automation and control systems capable of effectively bridging the gap between these elements. SCADA systems facilitate real-time monitoring and control of industrial processes, playing an important role in enabling seamless interactions between humans and machines. They offer the necessary infrastructure for incorporating human input and feedback into automated workflows, thereby optimizing performance and efficiency. With Industry 5.0 driving the adoption of advanced technologies, the requirement for comprehensive monitoring and control solutions to ensure seamless integration and coordination is growing. SCADA systems have significantly improved the reliability and capability of automation. Centralized SCADA systems are increasingly utilized for decision-making in hazardous situations to prevent accidents in complex infrastructure. These systems oversee and manage entire sites, support informed decision-making, enhance efficiency, and minimize downtime. The advantages provided by SCADA systems, coupled with the escalating need to maintain the integrity and reliability of critical infrastructure, are driving market growth.

Governments are actively supporting industrial automation and digitalization initiatives. For example, in January 2021, the President of Spain introduced three new plans for SMEs (2021-2025)—the Connectivity Plan, the Strategy to Promote 5G Plan, and the National Strategy for Artificial Intelligence. These plans are part of the Spain 2025 Digital Agenda and aim to advance the development and deployment of SCADA systems across various industries. By enhancing capabilities and driving digital transformation, these initiatives are increasing demand for SCADA systems and contributing to market growth.

SCADA Market Analysis: Key Segmental Findings

*   By Type: In 2024, the networked SCADA systems segment is expected to account for the largest share of 47.5% of the SCADA market. Moreover, this segment is projected to register the highest CAGR of 8.2% during the forecast period from 2024 to 2031.
    
*   By Component: In 2024, the hardware segment is expected to account for the largest share of 55.9% of the SCADA market. However, the software segment is estimated to record the highest CAGR during the forecast period from 2024 to 2031.
    
*   By Deployment Mode: In 2024, the on-premise deployments segment is expected to account for the dominant share of the SCADA market. However, the cloud-based deployments segment is anticipated to register the highest CAGR of 10.5% during the forecast period from 2024 to 2031.
    
*   By End-use Industry: In 2024, the manufacturing segment is expected to account for the major share of 26.4% of the SCADA market. However, the automotive segment is slated to record the highest CAGR of 10.7% during the forecast period from 2024 to 2031.
    

Get A Glimpse Inside: Request Sample Pages \- https://www.meticulousresearch.com/request-sample-report/cp\_id=5186

Geographic Analysis:

By geography, the SCADA market is segmented into North America, Europe, Asia-Pacific, Latin America, and the Middle East & Africa. In 2024, North America is estimated to account for the largest share of 32.1% of the SCADA market. The North America SCADA market is expected to reach $5,488.3 million by 2031.

The industrial sector has seen extensive implementation of automation systems, especially in North America. Manufacturers in this region are increasingly deploying advanced automation technologies in their operations. North American countries are competing with their Asian and European counterparts to position themselves as key manufacturing centers, with the goal of lowering costs related to importing goods. The high labor costs in the U.S. are a primary impetus for the adoption of process control systems, such as SCADA (Supervisory Control and Data Acquisition), MES (Manufacturing Execution System), and DCS (Distributed Control System). These systems are instrumental in reducing the need for human oversight and management of automation processes.

Key market players are focusing on developing SCADA solutions with advanced features tailored for various industrial applications, including oil & gas, power, utilities, automotive, electronics, and F&B. For example, in October 2022, Emerson Electric Co. (U.S.) introduced Movicon.NExT 4.2, an advanced automation platform designed for seamless integration with field devices and enterprise systems. This software provides the data and insights necessary for achieving operational excellence across diverse applications in discrete and hybrid manufacturing sectors, including F&B, packaged consumer goods, energy, infrastructure, building automation, and machine automation.

Furthermore, in October 2022, AtomTech (U.S.) expanded its North American presence by launching AtomTech Canada. This move addresses the growing demand for automation, cybersecurity, SCADA, and IIoT 4.0 solutions across industries such as automotive, medical equipment, and warehouse logistics. Such developments support the growth of the SCADA market in the region during the forecast period.

Have specific research needs? Request a customized research report:- https://www.meticulousresearch.com/request-customization/cp\_id=5186

Asia-Pacific: The Fastest-growing Regional Market

The SCADA market in Asia-Pacific is poised to register the highest CAGR during the forecast period. In 2024, China is expected to account for the major share of the SCADA market in Asia-Pacific. Asia-Pacific generates significant growth opportunities for the adoption of industrial process control solutions, given its extensive and diverse manufacturing sector. Traditionally, manual or semi-automatic control processes have characterized industrial production in the region. However, advanced automation solutions are becoming essential for achieving the flexibility required in high-volume production lines, thereby enhancing overall operational efficiency.

Asia-Pacific is a prominent manufacturing hub across multiple sectors, including automotive, electronics, consumer goods, pharmaceuticals, and more. This manufacturing prominence is a significant driver of automation technology adoption in the region. SCADA solutions are increasingly being adopted in countries such as China, Japan, South Korea, and India, driven by efforts to modernize manufacturing facilities and the need for SCADA software to interface with Remote Terminal Units (RTUs), Programmable Logic Controllers (PLCs), and Human-Machine Interface (HMI) components. The focus on improving process efficiencies and reducing production costs further fuels market growth, enabling operators to analyze and make decisions from remote locations.

The rapid advancement of automation and artificial intelligence (AI) is having a profound impact on economies in the APAC region. Asiais expected to be the fastest-growing automation market, driven by factors such as population growth, urbanization, economic development, rising wages, and decreasing costs associated with automated industrial technologies. The increasing awareness of advanced industrial control solutions, including SCADA systems for comprehensive manufacturing process monitoring, is a key driver of this market growth.

The U.K. Continues to Dominate the SCADA Market in Europe

In 2024, the U.K. is expected to account for the largest share of the SCADA market in Europe. Several factors are driving the adoption of industrial control systems in the U.K., including the expansion of the manufacturing industry, stringent manufacturing and industrial safety regulations, increased diversity in consumer products, growing awareness of automated systems, and rising labor costs. Many enterprises and industries in the U.K. are increasingly adopting automated machines and control solutions to enhance operational process monitoring. Key sectors such as oil & gas, power, automotive, F&B, electronics, and semiconductors are leading the way in implementing industrial control systems. In response to the evolving needs of these industries, market players are actively developing advanced SCADA solutions. For example, in September 2020, Severn Trent plc (U.K.) invested USD 6.4 million to upgrade its SCADA monitoring and management systems to a cloud-based platform.

SCADA Market: Competition Analysis

This report offers a competitive analysis based on an extensive assessment of the leading players' product portfolios, geographic presence, and key growth strategies adopted over the past three to four years. Major companies in the SCADA market have implemented various strategies to expand their product offerings and global footprints and augment their market shares. The key strategies followed by most companies in the SCADA market were product launches & enhancements, acquisitions, expansion, partnerships, agreements, and collaborations. The key market players operating in the SCADA market include Rockwell Automation, Inc. (U.S.), Siemens AG (Germany), Eaton Corporation plc (Ireland), Schneider Electric SE (France), ABB Ltd (Switzerland), Yokogawa Electric Corporation (Japan), General Electric Company (U.S.), Emerson Electric Co. (U.S.), Honeywell International, Inc. (U.S.), Mitsubishi Electric Corporation (Japan), OMRON Corporation (Japan), Pilz GmbH & Co. KG (Germany), Survalent Technology Corporation (Canada), Valmet (Finland), and Hitachi, Ltd. (Japan).

Browse In-Depth Report Now - https://www.meticulousresearch.com/product/scada-market-5186

SCADA Industry Overview: Latest Developments from Key Industry Players

*   In June 2023, Siemens AG introduced the SICAM 8 power automation platform, which includes two new software solutions: the SICAM HMI (Human Machine Interface) visualization tool and the SICAM S8000 software solution for power automation. This platform is part of the Siemens Xcelerator portfolio, an open digital platform designed to help customers accelerate their digital transformation at scale.
    
*   In April 2023, Siemens AG partnered with Gujarat Metro Rail Corporation Limited (GMRCL) (India) to advance rail electrification technologies. Siemens Limited will deliver project management services and cutting-edge rail electrification technologies, including advanced power supply and distribution systems. Additionally, Siemens Limited will provide sophisticated digital solutions, such as Supervisory Control and Data Acquisition (SCADA) systems, for both metro projects.
    
*   In March 2023, Rockwell Automation launched FactoryTalk Optix, a new addition to the company's visualization portfolio. FactoryTalk Optix is a modern, cloud-enabled human-machine interface (HMI) platform that allows users to design, test, and deploy applications directly from a web browser remotely, in real time.
    
*   In February 2023, ABB launched the ABB Ability Symphony Plus distributed control system that delivers seamless and secure access to an extended digital ecosystem for power generation and water industries. It increases performance and enables plant-wide digitalization, offering a noninvasive modernization of the installed base.
    
*   In October 2022, Emerson released a new version of its DeltaV distributed control system (DCS). Version 15 helps plants digitally transform operations through improved production optimization and enhanced operator performance.
    
*   In April 2022, ABB partnered with Ramboll (Denmark) to explore new opportunities in offshore substations. ABB will leverage its expertise in the design and supply of electrical, SCADA, automation, and telecommunications equipment. This includes engineering, products, installation, commissioning, and operational maintenance of these systems.
    
*   In January 2022, Schneider Electric entered into an agreement with AVEVA, a leading technology company. This collaboration was designed to further AVEVA's digital and sustainability objectives. Schneider Electric's extensive reach and profound market expertise will support AVEVA in sustaining, expanding, and enhancing its leadership in the industrial automation software and SCADA sectors across the Pacific region.
    
*   In April 2021, Mitsubishi Electric updated its SCADA lineup with GENESIS64, introducing two new software products for system monitoring and process control. This new software suite replaced the MC Works64 SCADA software, which was designed for monitoring small production lines and managing multi-site monitoring.
    
*   In January 2021, Rockwell Automation acquired Fiix Inc. (Canada), an AI-enabled computerized maintenance management system (CMMS) company. This acquisition bolsters Rockwell Automation's software strategy and strengthens its Lifecycle Services business. The addition of Fiix enhances the company's ability to offer a comprehensive range of industrial automation services, aimed at maximizing the value of customers' production assets, systems, plants, and processes.

SCADA Market Is Set to Reach $18.7B by 2031

Understanding a threat is just as important as the steps taken toward prevention.

Ansh Patnaik, Senior Vice President of Product Management, CyCognito

September 12, 2024

5 Min Read

Source: Zonnar GmbH via Alamy Stock Photo

COMMENTARY

In recent years, software supply chain attacks have moved from the periphery of concerns to the forefront. According to Verizon's "2024 Data Breach Investigations Report," the use of vulnerabilities to initiate breaches surged by 180% in 2023, compared to 2022. Of those breaches, 15% involved a third party or supplier, such as software supply chains, hosting partner infrastructures, or data custodians. 

These statistics come as no surprise, given the impact of several high-profile vulnerabilities in 2023. 

SolarWinds is probably the biggest known example of a software supply chain attack to date. More than 18,000 organizations were affected, with some reports stating the attack cost those affected 11% of their revenue, on average.

Similarly, Okta also experienced a significant breach where threat actors accessed private customer data through its support management system. The breach went undetected for weeks, despite security alerts.

And let's not forget the drawn-out MOVEit Transfer tool attack, which affected more than 620 organizations, including major entities like the BBC and British Airways. Linked to the Cl0p ransomware group, the attack clearly emphasized the urgency of promptly patching vulnerabilities and securing Web-facing applications. 

A very important detail to note is that the ramifications of software supply chain attacks could be enduring, both from a technical threat and liability perspective. In October 2023, nearly three years after the notorious SolarWinds breach, the Securities and Exchange Commission (SEC) charged SolarWinds with misleading investors about its cybersecurity practices and risks. This charge followed a $26 million settlement of a securities class-action lawsuit related to the breach.

But to understand how these attacks occur and how they can be mitigated, it's important to first understand what software supply chain security is.

**Unpacking Software Supply Chain Security**

Gartner defines software supply chain security (SSCS) as a comprehensive framework encompassing the processes and tools necessary to curate, create, and consume software securely, thereby mitigating potential attacks on software or its use as an attack vector. This framework is structured around three core pillars:

1.  Curation: This step is all about evaluating third-party software components to assess their risks and determine if they're suitable for use. By doing this, organizations ensure that only secure and compliant components make their way into the software supply chain.
    
2.  Creation: This shows the importance of secure development practices and protecting both software artifacts and the development pipeline. It involves putting security measures in place throughout the software creation process to guard against vulnerabilities and potential threats.
    
3.  Consumption: This stage focuses on ensuring the integrity of the software by verifying its source, authenticity, and traceability. It ensures that the software being deployed is secure and has not been tampered with or modified without authorization.
    

In simpler terms, SSCS encompasses all the software components used and built into an organization's software, as well as the practices developers employ to write and monitor code post-deployment.

Gartner's efforts in this area are a direct result of what it deems to be an escalating threat. In fact, it projects that the financial impact of supply chain attacks will escalate from $40 billion in 2023 to $138 billion by 2031.

The US government is also taking measures, mandating that its suppliers provide a software bill of materials (SBOM), underscoring the need for transparency and accountability in the software supply chain.

**Building a Software Supply Chain Security Program**

Managing the risk of vulnerabilities during software development relies on two main processes: continuous code scanning throughout the software development life cycle (SDLC) and maintaining a highly automated SDLC to efficiently update, test, and deploy new software versions.

*   Continuous code scanning: It's crucial to implement continuous code scanning throughout the SDLC to catch vulnerabilities early. This involves using both static and dynamic application security testing (SAST and DAST) to ensure that both proprietary and third-party code are secure.
    
*   Automated SDLC: Keeping the SDLC highly automated is key to efficiently updating, testing, and deploying new software versions. Automation helps reduce human error and speeds up the process of identifying and fixing vulnerabilities.
    

Scanning third-party code with source code analysis (SCA) tools is essential in this context. SCA automates the detection and management of risks associated with third-party and open source software components. Here's what SCA can do:

*   Identify software components: SCA tools can pinpoint all the components within a software application, giving you a clear view of the software supply chain.
    
*   Generate software bills of materials (SBOM): SBOMs provide a list of all components and their metadata, helping organizations comply with regulatory requirements and manage open source licenses.
    
*   Scan for vulnerabilities: These tools scan for known vulnerabilities in software components, offering alerts and guidance for remediation.
    
*   Assess risks: They evaluate the risk level of each component, allowing organizations to prioritize remediation efforts based on the severity of the risk.
    
*   Generate dependency graphs: These graphs show the relationships between components, helping to identify potential points of failure or risk.
    
*   Provide remediation guidance: SCA tools offer actionable advice on how to fix identified vulnerabilities.
    
*   Automatically enforce policies: You can set policies to automatically block the use of components with known vulnerabilities or license issues.
    

External exposure management is also playing an increasingly critical role in supply chain security, with organizations adding more third-party services and building more Web apps using third-party components and libraries every day.

**The Future**

The financial impact of these attacks is projected to grow significantly, making it imperative for organizations to act now. 

The key moving forward is first awareness. Understanding the threat is as important as the steps toward prevention. Once this is established, there are ample resources and technologies to equip security teams with the reinforcements to protect their ecosystems.

**About the Author**

Senior Vice President of Product Management, CyCognito

Ansh Patnaik, senior vice president of product management of CyCognito, has more than 20 years of cross functional experience in cybersecurity and data analytics. Most recently, Ansh was director, cloud security products for Google Cloud Platform, and chief product officer for Chronicle, prior to the acquisition of Chronicle by Google. Previously, he was vice president of product management at Oracle Cloud, where he defined and launched its security analytics cloud service offering. Ansh has held product management, product marketing, and sales engineering leadership roles at several market leading software companies, including Delphix, ArcSight (acquired by HP), and BindView (acquired by Symantec).

Rising Tide of Software Supply Chain Attacks: An Urgent Problem

A vendor honeypot caught two attacks intended to leverage the tens of thousands of exposed Selenium Grid Web app testing servers.

Source: Olekcii Mach via Alamy Stock Photo

Threat actors are infecting Internet-exposed Selenium Grid servers, with the goal of using victims' Internet bandwidth for cryptomining, proxyjacking, and potentially much worse.

Selenium is an open source suite of tools for browser automation that, according to data from Wiz, can be found in 30% of cloud environments. Selenium Grid is its open source tool for automatically testing Web applications across multiple platforms and browsers in parallel, used by millions of developers and thousands of organizations worldwide. Its Selenium/hub docker image has more than 100 million pulls on Docker Hub.

Though it's an internal tool by nature, tens of thousands of Selenium Grid servers are exposed on the Internet today. In turn, at least some hackers have deployed automated malware intended to hijack these servers for various malicious purposes.

To gauge the kinds of threats that face these untended servers, Cado Security recently launched a honeypot. As Al Carchrie, R&D lead solutions engineer for Cado Security, remembers, "We deployed the honeypot on a Tuesday, and then we started to see activity within 24 hours."

**Selenium Proxyjacking**

During the research period, two primary threats kept automatically trying to attack the honeypot day after day.

The first deployed a series of scripts, including one labeled "y," which dropped the open source networking toolkit GSocket. GSocket is designed to allow two users behind firewalls to establish a secure TCP connection. In this and other cases, though, threat actors used it as a means of command-and-control (C2).

Two scripts followed, "pl" and "tm," which performed various reconnaissance functions — analyzing system architecture, checking for root privileges, and other functions — and dropped the campaign's primary payloads: Pawns.app (IPRoyal Pawn) and EarnFM. Each of these are proxyware — programs that allow users to essentially rent out their unused internet bandwidth.

Though services like these are sold legitimately, hackers can easily weaponize them for their own purposes. Called "proxyjacking," it involves hijacking an unwitting Internet user's IP to use as one's own personal proxy server for further malicious activities or selling it to another cybercriminal.

"It allows people to hide behind legitimate IP addresses, and the reason for doing that is to try and bypass IP filtering that organizations would put in place," Carchrie explains. "So if you're using Tor to try and anonymize yourselves, organizations might blacklist Tor IP addresses from accessing their infrastructure. This gives them an opportunity. This is the first time I've personally come across proxyjacking being used as the end goal of a campaign."

**More Significant Threats to Selenium**

The second attack snagged by the honeypot was similar in its initial means of infection, but dropped a Golang-based executable and linkable format (ELF) binary. The ELF, in turn, attempted to use "PwnKit," a public exploit for CVE-2021-4043, an old, medium severity Linux privilege escalation bug (CVSS score 5.5).

Next, the malware connected to an attacker's C2 infrastructure and dropped "perfcc," a cryptominer. In this way, it paralleled a different, yearlong campaign revealed by Wiz back in July, which used Selenium Grid as a vector to deploy the XMRig miner.

As Ami Luttwak, CTO and co-founder of Wiz, explains, the same kind of attack can be used to do a lot worse.

"Remember, Selenium runs usually in test environments," he says. "Test environments have proprietary code, and many times from test environments you can actually get access back to either engineering environments or production. So this could be used by a more advanced attacker to start actually attacking the exposed organization."

**30,000 Publicly Exposed Servers**

Being an internal tool by nature, Selenium Grid does not have any authentication to barricade attackers from breaking in. Its maintainers have warned in documentation that it "must be protected from external access using appropriate firewall permissions."

In July, though, Wiz found around 15,000 updated but Internet-exposed Selenium Grid servers. Worse: More than 17,000 were both exposed to the Internet, and running outdated versions. (That number has since dropped below 16,000.) The vast majority of these were based in the US and Canada.

It was only a matter of time, then, before threat actors capitalized on the opportunity. The first documented sign of it was reported in a Reddit post.

"Selenium is built to be an internal service for testing," Luttwak emphasizes. "In most scenarios, it's not supposed to be publicly accessible. If it is, then there is a risk there you have to mitigate."

Carchrie advises, "If you need your Selenium Grid accessible via the Internet, we recommend that you deploy an appropriately configured authentication proxy server in front of the Selenium Grid application using multifactor authentication as well as username and passwords."

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa, and forced to spend the night in jail — just for doing their pen-testing jobs. Listen now!

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Hackers Proxyjack &amp; Cryptomine Selenium Grid Servers

With an immature codebase and a "rather chaotic encryption scheme" prone to failure, the group targets small businesses with custom malware.

Source: Mark Brandon via Shutterstock

A cybercriminal group — or individual — known as "CosmicBeetle" is exploiting vulnerabilities in technologies used by small businesses in Turkey, as well as Spain, India, and South Africa. The goal is to install ransomware that — unfortunately for victims — sometimes has glitches.

Likely based in Turkey, the ransomware attacker operates at a fairly "low level of sophistication" and is currently developing ransomware that demonstrates a "rather chaotic encryption scheme," according to analysis by Slovakian cybersecurity firm ESET. CosmicBeetle often deploys custom ransomware, dubbed ScRansom by ESET, that appears to be under active development with frequent updates and changes.

Because CosmicBeetle demonstrates immature skills as a malware developers, a variety of problems have affected victims of the threat actor's ransomware, says Jakub Souček, a senior malware researcher at ESET, who analyzed CosmicBeetle. In one case, ESET worked with a victim organization and found that the encryption routines executed multiple times on some of the infected machines, resulting in some data recovery failing.

"Seasoned gangs prefer to have their decryption process as easy as possible to increase the chances of correct decryption, which boosts their reputation and increases the likelihood that victims will pay," the report stated.

But for CosmicBeetle, "while we were able to verify that the decryptor — in its most recent state — works from the technical point of view, a lot of factors still come to play, and the more you need \[for decryption\] from the threat actor, the more unsure the situation," he says. "The fact that the ScRansom ransomware is still changing quite rapidly doesn't help."

The relative immaturity of the CosmicBeetle threat actor has led the group to embark on two interesting strategies, according to the ESET report. First, the group has attempted to imply connections with the infamous LockBit cybercriminal group as a way to, ironically, inspire trust in their ability to help victims recover their data. Second, the group has also joined the RansomHub affiliate program, and now often installs that ransomware rather than its own custom malware.

**Opportunistically Targeting SMBs**

To kick off its compromises, the CosmicBeetle group scans for and attempts to exploit a variety of older vulnerabilities in software typically used by small and midsize businesses, such as issues in Veeam Backup & Replication (CVE-2023-27532), which can allow unauthenticated attackers to access the backup infrastructure, or two privilege escalation vulnerabilities in Microsoft Active Directory (CVE-2021-42278 and CVE-2021-42287), which together allow a user to "effectively become a domain admin."

The group is likely not specifically targeting SMBs, but because of the software it targets for exploitation, smaller businesses make up the majority of its victims, Souček says.

"CosmicBeetle abuses quite old known vulnerabilities, which we expect more likely to be patched in larger companies with better patch management in place," he says, adding: "Victims outside of the EU and US, especially SMBs, are typically the result of immature, non-seasoned ransomware gangs going for the low-hanging fruit."

The targets include companies in the manufacturing, pharmaceuticals, legal, education, and healthcare industries, among others, according to ESET's report published on September 10.

"SMBs from all sorts of verticals all over the world are the most common victims of this threat actor because that is the segment most likely to use the affected software and to not have robust patch management processes in place," the report stated.

**Turkish Delight? Not So Much**

Turkey accounts for the most victimized organizations, but a significant number also come from Spain, India, South Africa, and a handful of other countries, according to data collected by ESET from the CosmicBeetle leak site.

While one firm has connected the threat actor to an actual person — a Turkish software developer — ESET cast doubt on the connection. Yet, with Turkey accounting for a larger share of infections, the group is probably from the nation or the region, Souček acknowledges.

"We could speculate that CosmicBeetle has more knowledge of Turkey and feels more confident choosing their targets there," he says. "As for the remaining targets, it is purely opportunistic — a combination of vulnerability of the target and it being 'sufficiently interesting' as a ransomware target."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Source

DARKReading