Latest campaigns are a break from its usual financially motivated attacks and appear aligned with Russian interests, security researchers say.

In a break from precedent, Russia's hitherto purely financially motivated Trickbot threat group has systematically been attacking targets in Ukraine over the past three months, apparently in support of Russian government interests in the region.

Researchers from IBM's X-Force threat intelligence group this week said they had uncovered two campaigns — and analyzed four others that Ukraine’s Computer Emergency Response Team (CERT-UA) disclosed — where Trickbot went after targets in Ukraine. The campaigns began after Russia’s invasion of Ukraine in February and have targeted Ukrainian state authorities, government organizations, specific individuals, and the general population. Several of the attacks have involved phishing emails with various themes designed to grab the attention of Ukrainian users — included some that are war-related.

The attacks highlight an unprecedented shift for Trickbot, and it's notable because threat groups in former Soviet Union states have typically avoided attacking targets in each other’s countries, IBM said.

Prior to the Russian invasion, ITG23, which is the name by which IBM tracks Trickbot, had not been known to target Ukraine. "Much of the group's malware was even configured to not execute on systems if the Ukrainian language was detected," IBM said in a report summarizing its findings this week. "ITG23's campaigns against Ukraine are notable due to the extent to which this activity differs from historical precedent and the fact that these campaigns appeared specifically aimed at Ukraine with some payloads that suggest a higher degree of target selection."

**Multiple Malware Tools**

IBM said it has observed Trickbot distributing several known malware tools such as IcedID, Cobalt Strike, AnchorMail, and Meterpreter in its attacks on Ukrainian targets. Some of the attacks involved the use of new tools such as a malicious Excel downloader, a self-extracting archive for dropping various malware payloads and a new malware encryption and obfuscation tool.

One of the two Trickbot campaigns that IBM uncovered was in early May. In those attacks, IBM observed the threat actor using a weaponized Excel file to download its AnchorMail backdoor on compromised systems. AnchorMail is a revamped version of Trickbot’s AnchorDNS, a backdoor that members of the closely affiliated Conti group have been using to deploy Conti ransomware. IBM X-Force researchers have previously described the malware as notable for communicating with its command-and-control (C2) server using the DNS protocol.

The second recent Trickbot campaign that IBM X-Force researchers spotted occurred likely in late May or early June. In that campaign, Trickbot actors used an ISO image file — or archive file containing the contents of an optical disk — as part of an attack chain to drop the Cobalt Strike post-exploit attack kit on target system. In June, Trickbot users were observed exploiting the so-called “Follina” zero-day bug in the Windows Microsoft Support Diagnostic Tool (MSDT) to deploy Cobalt Strike.

The campaigns that CERT-UA disclosed, and which IBM X-Force researchers analyzed, involved Trickbot attempts to deploy IcedID, a banking Trojan turned malware distributor; Metasploit attack payload, Meterpreter; and Cobalt Strike. In five of the six observed campaigns, Trickbot actors directly downloaded Cobalt Strike, AnchorMail, or Meterpreter on target systems — another break from their usual habit of deploying these tools as secondary payloads. IBM said the switch suggests "these attacks are part of targeted campaigns during which ITG23 is willing to immediately deploy higher-value backdoors."

IBM described the new malicious Excel downloader that Trickbot is using in the Ukrainian attacks as designed to download malware from a hard-coded URL. The downloader is stored as a macro within the Excel file and runs automatically if the file is opened — provided the user has macros enabled. The new dropper for AnchorMail that IBM observed is in the form of a WinRAR Self Extracting Archive. The dropper is rigged to extract and execute a script for building and configuring AnchorMail on infected systems.

Trickbot is a highly successful threat group that has been around since at least 2016. The group initially used its eponymously named malware to steal credentials to banking accounts. Over the years, the group evolved into a sort of initial access broker and a distributor for several ransomware and malware tools, most notably Conti and Ryuk and Emotet. Trickbot is used variously for stealing data, enabling cryptomining, enumerating systems, and other malicious activities.

Court documents in connection with the arrest of a key member of the group last year showed that nearly 20 cybercriminals — including several malware experts — collaborated in building the malware. A massive 2020 international law enforcement operation to take the threat actor down temporarily disrupted its activities but failed to stop them.

In Switch, Trickbot Group Now Attacking Ukrainian Targets

Acronyms serve as a gatekeeper — if you don't sling the lingo, you don't belong. So here's a quick guide to the letter salad of cloud cybersecurity.

**Question: There are so many cloud security acronyms nobody seems to be spelling out. What do they mean?**

**Answer:** Acronyms are confusing jargon that can often serve as a gatekeeper — if you don't sling the lingo, the thinking goes, you don't belong. But if you're reading this, you _do_ belong in cybersecurity, which has to become more welcoming if we ever hope to close the talent gap. So here's a quick guide to some of the acronyms you may come across when talking about cloud security.

**CDR – Cloud detection and response.** These tools continuously aggregate, normalize, and analyze data provided by SaaS (software-as-a-service) and cloud services about accounts, privileges, configurations, and activity to power insights, situational knowledge, and threat alerts. It provides single-pane visibility into cloud environments while maintaining user context.

**CIEM – Cloud infrastructure entitlement management.** Such tools address the issue of excessive permissions and entitlements to cloud resources. They detect over-permissioned accounts and roles and unused permissions and accounts. Note that this is distinct from SIEM (security information and event management), which analyzes alerts in real time, and CIAM (customer identity and access management), which aims to give users secure access to resources.

**CNAPP – Cloud-native application protection platform.** CNAPP addresses the inevitable increased number of moving parts and interlocking systems in cloud-native applications. Using a modular approach, existing CI/CD (continuous integration and continuous delivery) pipelines and runtime platforms can be extended and updated as better methods are discovered. Leveraging a CNAPP gives you in-depth, multilayered, agent-based, and agentless coverage across all aspects of your environment — everything from proactive validation of workloads to auditing policies on the public cloud platform you're running on. Providing more than just convergence of CIEM, CWPP, and CSPM (read on for more about the latter two), CNAPP allows CISOs (chief information security officers) to see the value that cloud security suites deliver, as opposed to a series of disjoint point solutions needing painstaking integration.

**CSPM – Cloud security posture management.** This refers to a set of controls that detect when your deployed accounts and resources deviate from best practices. CSPM tools embed a variety of standards that allow you to continuously evaluate all cloud accounts and workloads and quickly identify areas of drift and misconfiguration.

**CWPP – Cloud workload protection platform.** These protect workloads and focus on securing the entire application life cycle, providing cloud-based security solutions that protect instances on AWS, Google Cloud Platform, Microsoft Azure, and other cloud vendors' platforms. CWPP focuses on specific application use cases, such as runtime detection, system hardening, vulnerability management, network security, compliance, and incident response.

**SSPM – SaaS security posture management.** Such tools monitor security risks in SaaS applications. SSPM looks for and surfaces misconfigurations, compliance risks, unnecessary or defunct user accounts, excessive user permissions, and other cloud security issues so that security personnel can resolve them.

What Do All of Those Cloud Cybersecurity Acronyms Mean?

Dark Reading's digest of the other don't-miss stories of the week, including a new ransomware targeting QNAP gear, and a destructive attack against the College of the Desert that lingers on.

Cybercrime never sleeps — but editors do. To cap off this short Fourth of July week, Dark Reading's editors are collecting all of the interesting threat intelligence and cyber-incident stories that we just didn't get to earlier but would be remiss to not cover.  

We're talking a critical Cisco vulnerability, a Microsoft alert on upgrades to the Hive ransomware, QNAP issues, and a pair of cyberattacks.

In this week's "in case you missed it" (ICYMI) digest, read on for more about the following:

*   **Critical Cisco Security Vulnerability Allows Root Access to OS**
*   **Hive Ransomware Gets a Rust-y Upgrade**
*   **QNAP Warns on "Checkmate" Ransomware Attacks**
*   **"SHI-eesh": IT Giant Knocked Offline in Coordinated Cyberattack**
*   **California College Remains Offline After Ransomware Hit**

**Critical Cisco Security Vulnerability Allows Root Access to OS**

Cisco has rolled out patches for 10 security bugs, including a critical flaw that could allow cyberattackers to manipulate application source code, or configuration and critical system files.

The critical issue (CVE-2022-20812, CVSS severity score of 9.0) is a path-traversal vulnerability affecting the Cisco Expressway Series software and Cisco TelePresence VCS software, if they are in the default

"A vulnerability in the cluster database API of Cisco Expressway Series and Cisco TelePresence VCS could allow an authenticated, remote attacker with Administrator read-write privileges on the application to conduct absolute path traversal attacks on an affected device and overwrite files on the underlying operating system as a root user," according to the advisory, the latest since Cisco's last bug disclosure in May.

The vulnerability arises thanks to insufficient input validation of user-supplied command arguments, the networking giant noted.

"An attacker could exploit this vulnerability by authenticating to the system as an administrative read-write user and submitting crafted input to the affected command."

**Hive Ransomware Gets a Rust-y Upgrade**

The ransomware-as-a-service (RaaS) offering known as Hive has overhauled its infrastructure, using the programming language Rust.

That's the buzz from Microsoft, whose security researchers noted that Hive is an exemplar of adapting to the rapid change found in the underground economy.

"With its latest variant carrying several major upgrades, Hive also proves it’s one of the fastest-evolving ransomware families, exemplifying the continuously changing ransomware ecosystem," researchers said in a post this week. "The most notable changes include a full code migration to another programming language \[from GoLang to Rust\] and the use of a more complex encryption method."

Rust, a language also used by the BlackCat ransomware, allows advances in coding control, memory usage, resistance to reverse engineering, and access to a range cryptographic libraries, the researchers said.

As for the encryption, "the new Hive variant uses string encryption that can make it more evasive," according to the advisory. “The constants that are used to decrypt the same string sometimes differ across samples, making them an unreliable basis for detection.”

**QNAP Warns on "Checkmate" Ransomware Attacks**

QNAP, the network-attached storage (NAS) vendor, is flagging activity against its devices that results in the execution of the Checkmate ransomware.

The cyberattackers are specifically targeting SMB file-sharing services exposed to the Internet, using a dictionary attack to break accounts with weak passwords.

"Once the attacker successfully logs in to a device, they encrypt data in shared folders and leave a ransom note with the file name '!CHECKMATE\_DECRYPTION\_README' in each folder," according to QNAP's advisory this week. It added, "We are thoroughly investigating the case and will provide further information as soon as possible."

Customers of the Taiwan-based appliance maker have been suffering ongoing, relentless ransomware activity — which Dark Reading broke down earlier this week (along with potential defenses) in an extensive roundtable of experts.

To protect their businesses and avoid a ransomware checkmate, users should avoid exposing the SMB service to the internet and should employ strong passwords in any event.

**"SHI-eesh": IT Giant Knocked Offline in Coordinated Cyberattack**

IT-supplier bigwig SHI International said this week that it was the target of "a coordinated and professional malware attack."

The New Jersey-based vendor, which has 5,000 employees and 15,000 customers around the world, said that it moved quickly to stop the infection and minimize the impact on SHI’s systems and operations. That meant that some systems, such as SHI’s public websites and email, were knocked offline "while the attack was investigated and the integrity of those systems was assessed."

The SHI staff regained access to email, but as of Thursday the main website was still not operational. The company said in a website notice that IT teams continue to work to bring other systems back online.

It's unclear what the cyberattackers' goal was, but some researchers noted that a supply chain compromise attempt is a real possibility.

“Apart from being a large enterprise, SHI is a major software and hardware provider to several Fortune 500 companies, and while there is no evidence regarding third-party suppliers getting breached or customer data getting exfiltrated, this is certainly too close for comfort for many of their customers," Rajiv Pimplaskar, CEO at Dispersive Holdings, said via email.

**California College Remains Offline After Ransomware Hit**

As the latest example of what happens when IT isn't prepared for a hit, the 12,500-student College of the Desert, a community college in Palm Desert, Calif., remains offline after suffering which researchers suspect was a ransomware attack.

The cyberattack brought down the school's online services and campus phone lines on July 4. As of late Thursday, the school's website still returned a notice that it "is currently experiencing a system-wide outage of most services," including the ability for students to request transcripts, add or drop classes, or register for classes.

"Educational institutions have continued to be a prime target for ransomware groups over the last couple of years," says Josh Rickard, senior security solutions architect at Swimlane, noting that this is the second time College of the Desert has been hit with a malware attack; the first incident took place in August 2020. "To prevent similar attacks in the future and ensure that operations continue to run smoothly, education institutions such as College of the Desert need to devote more resources to information security teams, tools, processes, and products."

Rickard suspects the incident was ransomware due to the severe operational disruption, but it should be noted that College of the Desert has not confirmed that, admitting only to a "computer network disruption."

ICYMI: Critical Cisco RCE Bug, Microsoft Breaks Down Hive, SHI Cyberattack

New program offers free tech skills training and paid apprenticeships to make education and career pathways more accessible.

TULSA, OK -- Today Tulsa Community College (TCC) and Tulsa Innovation Labs (TIL), in partnership with edX, the global online learning platform from 2U, Inc. (Nasdaq: TWOU), and Skillstorm, launch the Cyber Skills Center. The new program, based in Tulsa, will develop a diverse talent pipeline for the in-demand and rapidly expanding career fields of cybersecurity and data analytics **at no-cost to Tulsa-area residents**.

Developed with edX’s Access Partnership initiative, Cyber Skills Center model is designed to streamline the skill development and career transition process for underserved communities. The program offers a 24-week online accelerated training boot camp curriculum offered by the Tulsa Community College, in partnership with edX, along with a paid apprenticeship upon graduation, and a suite of wrap-around services to make education and career transitions more accessible. These services, which are offered through the support of the George Kaiser Family Foundation, include childcare, transportation stipends, coaching and job readiness support.

The initial program is estimated to support more than 200 Tulsans over the next three years.

“Tulsa Community College has extensive experience and history of evolving with constant workforce changes and developing individuals with the needed skills for in-demand careers,” said Dr. Leigh Goodson, TCC president & CEO. “Boot camp graduates will not only be able to pursue new career opportunities after program completion, but can also apply credits earned from the boot camp to education opportunities to support additional reskilling and upskilling.”

The Cyber Skills Center will also lead to additional opportunities through college credit towards a 2-year associate degree through TCC, or bachelor’s degree at the University of Tulsa School of Cyber Studies or Oklahoma State University Spears School of Business.

Demand for careers in these fields are at an all-time high, for example, cybersecurity is expected to see a demand of nearly 3.5 million jobs by 2025.

With an average entry-level salary in this field in excess of $63,000 per year, according to the Bureau of Labor Statistics, and hundreds of available jobs in the greater Tulsa metropolitan area, there is an extraordinary opportunity to leverage the demand for cybersecurity talent to create a new pathway to the middle class.

“Our Access Partnerships help provide the infrastructure to bring colleges and universities, local workforce agencies and nonprofits, funding partners, and employers to the table to solve regional skills gaps and empower more working adults to succeed in the digital economy,” said Anant Agarwal, edX Founder and Chief Open Education Officer at 2U. “We are honored to welcome TCC as our first community college partner and look forward to working together with them and TIL to help reskill and upskill Tulsa area learners as the city continues to grow its tech community.”

**Upon completion of the 24-week program, graduates will be eligible to continue learning enterprise-level skills in cybersecurity and data analytics through SkillStorm’s 10-week immersive training program, which also provides potential opportunities to be connected with SkillStorm’s diverse group of commercial and federal clients.**

“Through our work with Fortune 500 companies across the country, we’ve seen rapidly accelerating demand for workers with cybersecurity and data analytics skills in an increasingly competitive labor market,” said Joe Mitchell, Chief Operating Officer at SkillStorm. “We look forward to the opportunity to help upskill individuals in the Tulsa community — and expand access to career pathways both in the region and with major employers nationwide.”

This effort builds on TIL’s strategy to create one of the more inclusive tech ecosystems in the country. By building the foundation for tech sectors where Tulsa has a competitive advantage: energy tech, advanced aerial mobility, virtual health, and cyber and analytics, and building accessible pipelines to each, Tulsa aims to serve as a new model for how tech growth can truly serve residents from diverse backgrounds and prepare the economy for the future.

"TIL is committed to making big investments where opportunities for traditionally underserved Tulsans overlap with industries in which Tulsa has a right to win,” said Nicholas Lalla, Managing Director of Tulsa Innovation Labs. “This initiative is a home run on both counts, and will be a game-changer in how the city leverages its unique competitive advantages to give Tulsans from every background a chance to access a high-paying career in cyber and data analytics."

To ensure the program meets the educational needs of diverse student populations in Tulsa, the Cyber Skills Center is working with nearly 30 nonprofits and community partners to provide feedback on program design and recruit students for the program. One such organization is Black Tech Street, a group advancing the digital transformation of historic Black Wall Street.

“No one should be intimidated by words like cyber and analytics,” said Tyrance Billingsley, the executive director of Black Tech Street. “People who excel in this field will be those who are creative, great at problem solving, and who have an eye for recognizing patterns. Cyber Security may sound scary and "elite" but it's not, and we want to demystify this world by making that clear. That's why this partnership was a no brainer. The Cyber Skills Center will be an incredible and accessible tool for helping Black Tulsans break into the tech world and will be crucial for our mission to rebirth Black Wall Street through technology”

The Cyber Skills Center will launch the first class in Fall 2022. To get started, apply at tulsacc.edu/cybercenter.

**##########**

**About Tulsa Community College**

Tulsa Community College, winner of two national Awards of Excellence from the American Association of Community Colleges in 2021, is a vital link to workforce development for northeast Oklahoma. Serving more Oklahomans than any other higher education institution in the state, TCC has four main campuses with roughly 21,000 students in credit courses each year. For five decades, TCC has provided access to an affordable college education. As one of 30 community colleges selected for the inaugural Pathways Project, a national initiative funded by the Bill and Melinda Gates Foundation, TCC is one of the most comprehensive community colleges in the United States. For more information on TCC, visit www.tulsacc.edu**.**

**About Tulsa Innovation Labs**

Recognizing that the jobs of the future are rooted in a thriving innovation economy, the George Kaiser Family Foundation pioneered Tulsa Innovation Labs to develop a city-wide strategy that positions Tulsa as a tech hub and leader in the future of work. Through a diverse coalition of public and private partners, TIL is creating economic development programs that seek to make Tulsa the nation’s most inclusive tech community. Learn more at tulsainnovationlabs.com.

**About edX**

edX is the education movement for restless learners and a leading global online learning platform from 2U, Inc. (Nasdaq: TWOU). Together with the majority of the world’s top-ranked universities and industry-leading companies, we bring our community of over 44 million learners world-class education to support them at every stage of their lives and careers, from free courses to full degrees. And we're not stopping there — we're relentlessly pursuing our vision of a world where every learner can access education to unlock their potential, without the barriers of cost or location. Learn more at edX.org.

**About SkillStorm**

Founded in 2002, SkillStorm was built on the mission of accelerating careers in high-demand technologies. We create Stormers, the world’s most elite developers. We hire, train, and deploy Stormers from all backgrounds and experience levels in today’s in-demand technologies, including AWS, Appian, Salesforce, PEGA, and ServiceNow. We are committed to hiring and training college graduates and veterans for high-growth technology careers with our Fortune 100 clients. Through these dedicated efforts, we provide our clients with an exclusive pipeline of high-quality, U.S.-based tech talent that is custom trained with the skills required to support our clients’ critical technology initiatives. As a flexible technology workforce partner, we provide fully formed tech teams at every level of experience, skill sets, and clearance. Stormers are deployed either at our clients’ sites or at our U.S.-based delivery centers.

Cyber Skills Center Launches in Tulsa to Develop Diverse, Local Tech Talent Pipeline

The latest criminal use of a legitimate red-teaming tool helps attackers stay under the radar and better access living-off-the-land binaries.

In a fresh campaign that takes a page from the advanced persistent threat known as APT29, hackers are shifting away from the Cobalt Strike post-exploitation toolkit, instead embracing Brute Ratel C4 (BRc4).

BRc4 is the latest upstart in the red-team tooling world; like Cobalt Strike, it's an adversarial attack simulation tool designed for penetration testers. It’s a command-and-control (C2) framework that's not easily detected by endpoint detection and response (EDR) technology or other anti-malware tools.

A report from Palo Alto Networks' Unit 42 research team found evidence of attackers subverting Brute Ratel's free licensing protections and utilizing the tool to run criminal attack campaigns.

The infrastructure they uncovered is extensive, researchers noted.

"In terms of C2, we found that the sample called home to an Amazon Web Services (AWS) IP address located in the United States over port 443," they explained. "Further, the X.509 certificate on the listening port was configured to impersonate Microsoft with an organization name of 'Microsoft' and organization unit of 'Security.'"

Pivoting on the certificate and other artifacts, "we identified a total of 41 malicious IP addresses, nine BRc4 samples, and an additional three organizations across North and South America who have been impacted by this tool so far," they added.

**Living-Off-the-Land Techniques**

Unit 42 said the sample utilizing BRc4 uses known APT29 techniques, including well-known cloud storage and online collaboration applications. In this case, the sample studied was packaged up as a self-contained ISO that included a Windows shortcut LNK file, a malicious payload library, and a legitimate copy of Microsoft OneDrive Updater.

"Attempts to execute the benign application from the ISO-mounted folder resulted in the loading of the malicious payload as a dependency through a technique known as DLL search order hijacking," the report explained.

This technique of using legitimate tools and native utilities is known as "living off the land," and threat actors are increasingly using living-off-the-land binaries (LOLBins) to drop malicious payloads.

Last week for instance, researchers with Cyble reported an uptick in LNK file-based builders growing in popularity on Dark Web marketplaces, as various malware families lean on them for payload delivery.

"We have observed a steadily increasing number of high-profile threat actors shifting back to .LNK files to deliver their payloads," the Cyble researchers wrote. "Typically, threat actors use LOLBins in such infection mechanisms because it makes detecting malicious activity significantly harder."

**Where Red Team Tools Fit In**

Tools like Cobalt Strike and BRc4 aren't purely living-off-the-land approaches, "since you still have to introduce a piece of malware onto the system as opposed to using the operating systems built in tooling," explains Tim McGuffin, director of adversarial engineering at LARES Consulting.

However, these tools are nevertheless popular with attackers for their ability to evade detection mechanisms, fundamentally for the same reason as a living-off-the-land attack works — because they're otherwise viewed as legitimate software.

"Brute Ratel is an otherwise legitimate tool that might be present in victim networks," explains John Bambenek, principal threat hunter at Netenrich. "Since its use is likely whitelisted, it allows for attackers to operate more discretely than they would otherwise be able to do."

This is an unfortunate cycle that the security world has seen occur for a long time, as attackers are drawn to red-team tools like flies to honey.

According to Ivan Righi, senior cyber threat intelligence analyst for Digital Shadows, it's no surprise that BRc4 makes for an attractive tool. Not only does it have offensive security capabilities similar to Cobalt Strike that can be abused for malicious purpose, but it is also less known than Cobalt Strike.

"Many security solutions may not yet detect Brute Ratel as malicious, as opposed to Cobalt Strike, which is generally more well-known for being used for malicious purposes," Righi says.

According to McGuffin, security practitioners should be concerned about all toolkits like these, whether open source, commercial, or custom. But he believes that they shouldn't get caught up in the whack-a-mole game of detecting the framework or the tooling itself. Instead, they should focus on hardening their systems.

"An emphasis on endpoint hardening can be placed on prevention against any C2 tooling. An example is Microsoft's Attack Surface Reduction 'Application Allow-listing' guidance," he says. "The setting prevents unknown binaries from being introduced, and network egress hardening to prevent C2 callbacks to Command-and-Control servers."

Stealthy Cyber-Campaign Ditches Cobalt Strike for Rival 'Brute Ratel' Pen Test Tool

Orlando, FL, July 6, 2022 – Fortress Information Security, the nation’s leading cybersecurity provider for critical infrastructure organizations with digitized assets, today joined the Open Web Application Security Project (OWASP) as a silver sponsor. Fortress has allocated a portion of that sponsorship to support the CycloneDX project focused on promoting a lightweight Software Bill of Materials (SBOM) standard for application security and supply chain component analysis.

OWASP is a nonprofit foundation that works to improve software security by making application security risks visible. OWASP activities include community-led open source software projects, over 250+ local chapters worldwide, tens of thousands of members, and industry-leading educational and training conferences.

“OWASP and the CycloneDX project are critical to making universal SBOM principles and standards a reality,” said Betsy Jones, chief operating officer of Fortress Information Security. “Bringing software developers and cybersecurity professionals together openly and collaboratively will foster the development of trusted SBOM solutions.”

Joined by Tony Turner, Fortress vice president of research and development and an OWASP chapter and project leader for over 10 years, Fortress utilizes multiple OWASP projects such as CycloneDX, SCVS, OWASP Risk Ranking methodology, and many others to secure critical infrastructure.

OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. All projects, tools, documents, forums, and chapters are free and open to anyone interested in improving application security.

**About Fortress Information Security**  
Fortress Information Security secures critical industries from cybersecurity and operational threats stemming from vendors, assets, and software in their supply chains. Fortress is the only end-to-end platform that connects intelligence surrounding vendors, information technology and operational technology assets, and software through a holistic, fit-for-purpose approach. Fortress has also partnered with its customers and suppliers to form the Asset-to-Vendor (A2V) network, which facilitates the secure and seamless exchange of asset information and security intelligence, enabling collaborative workflows to better understand and remediate potential issues. Fortress serves critical industries such as energy, government, aerospace & defense, critical manufacturing, industrial automation, automotive, and healthcare.

**About OWASP**  
As the world’s largest non-profit organization concerned with software security, OWASP: supports the building of impactful projects; develops & nurtures communities through events and chapter meetings worldwide; and provides educational publications & resources to enable developers to write better software and security professionals to make the world’s software more secure.

Fortress Information Security Sponsors Open Web Application Security Project To Work on Industry-Wide Software Bill of Materials Standards

In a significant spike of activity, the state-sponsored group is going after intelligence on Russian government agencies.

Representing a significant increase in activity, a campaign linked to China started targeting Russia-linked organizations in June with malware designed to collect intelligence on government activities, according to analyses by security firms and Ukraine's Computer Emergency Response Team (CERT).   

The attacks use purported government advisories sent as Rich Text Files (RTFs) in an attempt to convince victims to open the documents, thus allowing a remote code execution (RCE) exploit in Microsoft Office to be run. That's according to endpoint security firm SentinelOne, which stated in an analysis published on Thursday that the contents of the documents appear as security warnings written in Russian. They claim to warn agencies and infrastructure providers of potential attacks and advise them of compliance requirements under Russian law.

**Escalating Cyberattacks Against Russia**

While China has targeted Russia in the past, and vice versa, the pace of attacks — especially by the purported threat actor, Tonto Team — has grown following the Russian invasion of Ukraine, says Tom Hegel, a senior threat researcher at SentinelOne.

"Tonto Team, like other Chinese actors, has a long history of targeting Russia," he says. "What we're seeing here is a potential Chinese government increase in intelligence collection requirements from inside Russia. Perhaps an increased prioritization or expansion of resources assigned to such tasking."

The reported increase in Chinese cyber operations comes as Russia has strengthened diplomatic relations with China in the face of sanctions from Western nations. While the two major nations are not formal allies, they have expanded trade and defense ties over the past decade as a way to foil the expansion of Western alliances.

    

Delivery timing of the malicious documents in latest Tonto Team attacks. Source: SentinelOne

In addition, they have different approaches to pursuing their foreign policy goals. Russia has tacitly allowed cybercriminal gangs to operate in its territory and has also widely used cyber operations to steal intelligence and attack infrastructure, as well as an adjunct to military operations. For example, Russia has used disinformation campaigns, infrastructure attacks, and espionage operations in its conflict with Ukraine.

China, which has profited significantly from economic relations with Western nations, has mainly pursued non-military approaches to international relations and used cyber operations for acquiring intellectual property and conducting espionage. Treating Russia as any other adversary just shows consistency, says SentinelOne's Hegel.

This is "simply China looking out for itself in uncertain times," he says. "Like any well-resourced nation, they seek to support their own agenda through cyber, and the state of affairs in Russia may be adjusting just what they prioritize."

**Technical Breadcrumbs Point to China**

The recent campaigns have used two pieces of malware linked to Chinese advanced persistent threats (APTs): a toolkit used to build malicious documents known as Royal Road and a custom remote access Trojan (RAT) known as Bisonal used by Chinese actors. The Tonto Team — also known as Karma Panda and Bronze Huntley — traditionally has focused on other Asian nations, such as South Korea and Japan, as well as the United States and Taiwan. Recently, the group has increased its operations to Russia, Pakistan, and other nations.

While false flag operations, where one adversary attempts to disguise their operations as another attacker, have happened, a variety of evidence links the attacks to China.

At least seven threat groups — all linked to China — use Royal Road to create malicious documents as part of the initial attack aimed at gaining access to targeted systems. In April, for example, cyberthreat intelligence firm DomainTools analyzed an document created with the Royal Road malware building toolkit that had the hallmarks of a Chinese espionage campaign and targeted a Russian underwater research and weapons development organization.

"Combined with the sensitive targeting and the attempts at hardening the ultimate payload, it appears the adversary went to some effort to evade analysis of their activity as well," the analysis stated. "Although this campaign appears specifically targeted to an entity in the Russian Federation, the underlying behaviors of this campaign — from malicious document usage through binary execution guardrails and controls — provide helpful insight into adversary tradecraft from which all defenders can learn valuable lessons."

In addition, Bisonal is used exclusively by Chinese groups, according to the advisories.

Companies should take note that nation-state attacks can often affect private businesses. The SentinelOne advisory has indicators of compromise (IoCs) for the latest campaigns, and DomainTools highlights various countermeasures for detecting and blunting cyber-espionage attacks.

Organizations should use the intelligence to check their own defenses against similar attacks, says SentinelOne's Hegel.

"Targets of espionage or disruption in today's world are not isolated to government networks but can overflow or directly hit private business simply because of their stance on a political issue or where they operate," he says. "As we observed when Ukraine was invaded, things can shift overnight — so CISOs should remain aware of this activity as we continue to live with such geopolitical tension."

China's Tonto Team APT Ramps Up Spy Operations Against Russia

Improper implementations of authentication APIs at a global crypto wallet service provider could have resulted in the loss of account control — and millions of dollars — from personal and business accounts.

A cryptocurrency wallet service provider serving more than 2 million users worldwide and managing about $3 billion worth of Bitcoin was found to contain API vulnerabilities tied to how external authentication logins were implemented. 

The bugs are fixed, but the discovery illustrates the high stakes involved in implementing APIs securely, researchers say — and the difficulties in doing so.  

According to a report shared with Dark Reading from Salt Labs, the research division of Salt Security, a series of vulnerabilities (CVEs were not assigned) could have allowed actors take over a large portion of a user's account in the system.  

This vulnerability would have given a malicious actor full access, along with the ability to perform multiple financial actions on behalf of that user, including the transfer of funds to any location of their choice.

"Once we successfully logged in to a user's accounts, we can potentially use any functionality available to the user, including funds transfer, viewing transactions history, seeing the user's personal data, which might include name, address, bank account number, and other valuable data," Salt researchers note in the report.

The first bug involved the common feature found in mobile apps that allow users to log in using an external service, like Apple ID, Google, Facebook, or Twitter. In this case, the researchers examined the "log in with Google" option — and found that the authentication token mechanism could be manipulated to accept a rogue Google ID as being that of the legitimate user.

The second bug allowed researchers to get around two-factor authentication. A PIN-reset mechanism was found to lack rate-limiting, allowing them to mount an automated attack to uncover the code sent to a user's mobile number or email.

"This endpoint does not contain any sort of rate limiting, user blocking, or temporary account disabling functionality. Basically, we can now run the entire 999,999 PIN options and get the correct PIN within less than 1 minute," according to the researchers.

Each security issue on its own provided limited abilities to the attacker, according to the report. "However, an attacker could chain these issues together to propagate a highly impactful attack, such as transferring the entire account balance to his wallet or private bank account."

Yaniv Balmas, vice president of research at Salt, explains there are two factors that made these vulnerabilities impactful and dangerous.

"First, it is very easily exploitable, and second, a successful exploitation could lead to millions of dollars — or more — being stolen from personal and business accounts," he says.

**Poor API Implementations: An Important Object Lesson**

As noted, the wallet-provider quickly fixed the API implementations in question, but there are important takeaways from the analysis, Balmas explains. After all, as the entire cryptocurrency market is relatively young, most of the services in this domain are heavily dependent on APIs as part of their core technologies.

"I have yet to see any cryptocurrency service that does not publish some sort of API to ease automated interactions with its functionalities," he says. “This reliance on APIs in turn surfaces another problem."

He explains API are designed to be dynamic and rapidly evolving interfaces for core business functionalities, which is obviously very positive from the user perspective.

"However, this same behavior opens the door for many security issues and vulnerabilities that may go unnoticed," he says. "Hence, we see with great frequency in our research efforts a relatively poor state of API security, sometimes with serious business implications."

**API Security Issues a Major Concern as Usage Grows**

As agile development grows in popularity, organizations are turning to APIs, resulting in broader attack surfaces more vulnerable to exploitation by threat actors. A recent analysis by application security firm Imperva and risk-strategy firm Marsh McLennan of breaches involving APIs revealed US companies face a combined $12 billion to $23 billion in losses in 2022.

Meanwhile, a March report from Salt Labs found API attacks increased a whopping 681% in the last year, with API attack traffic growing at more than twice the rate of nonmalicious traffic. Again, much of that could be due to implementation and configuration error: In May, for instance, Shadowserver Foundation researchers discovered that 380,000 Kubernetes API servers were open to the public Internet, representing 84% of all global Kubernetes API instances observable online.

**API Attack Surface Must Be Tracked, Monitored**

Balmas notes another issue with APIs and their nature is that once an API ecosystem gets big, it becomes very hard to have a complete handle on it. With multiple applications and internal services each publishing their own unique sets of APIs, it is very hard for the maintainers sometimes to even know which APIs are published at any given point in time.

"This is why API visibility and consolidation measures are sometimes the very first — and important — step to securing a company's APIs," he says.

Balmas recommends that cryptocurrency platforms, and any other heavy API users, should start paying more attention to the API attack surface that they expose.

"This new attack surface should be carefully tracked and monitored," he adds. "The services behind it should be more carefully reviewed on a periodic basis to make sure no new security issues have been introduced, and behavioral monitoring should be applied on the ongoing traffic to spot anomalies that might be happening in an effort to find and exploit vulnerabilities."

Buggy 'Log in With Google' API Implementation Opens Crypto Wallets to Account Takeover

When examining the modern threat landscape, empowering your security operations and overcoming the limitations inherent with other malware prevention solutions is imperative.

The implementation of defense-in-depth architectures and operating system hardening technologies have altered the threat landscape. Historically, zero-click, singular vulnerabilities were commonly discovered and exploited. The modern-day defensive posture requires attackers to successfully chain together multiple exploit techniques to gain control of a target system. The increased utilization of dynamic analysis systems has driven attackers to evade detection by requiring input or action from the user. Sometimes, the victim must perform several manual steps before the underlying payload is activated. Otherwise, it remains dormant and undetectable through behavioral analysis.

It is well known that client-side attacks are the predominant access vector for most initial access. Web browser and email-based malware campaigns target users through phishing, social engineering, and exploitation. Productivity and business tools from vendors like Adobe and Microsoft are widespread and provide attackers with many options. Combining the lack of security awareness training and well-developed social engineering tactics frequently results in users permitting the execution of malicious embedded logic like weaponized macros or other scripts. Analysis of these common malware carriers is time-consuming and tedious, and it requires expert skills. To adequately prevent, detect, and respond to these threats, an organization must throw everything at the problem and augment this previously human-intensive process.

Deep File Inspection (DFI) is one approach to ease the burden associated with continuous security monitoring. DFI is a static-analysis engine that inspects beyond Layer 7 of the OSI model, essentially automating the work of your typical SOC analyst or security researcher. Regardless of the complexity of evasive techniques a threat actor utilizes, DFI dissects malicious carriers to expose embedded logic, semantic context, and metadata. Coercive graphical lures are extracted and processed through a machine vision layer, adding to the semantic context of the original file. Commonly used obfuscation methods and encoding mechanisms are automatically discovered and deciphered.

A public concern that SOC analysts, IR teams, and security researchers encounter is the limited availability of context for detection analytics. In the case of intrusion prevention systems, resources are limited to microseconds of time and kilobytes of analyzable data. Intrusion detection systems can typically dig deeper, taking additional milliseconds to expose further data.

Regarding the time-analysis trade-off, the next step up is behavioral monitoring or sandboxed execution. This class of solutions detonates samples in a virtualized environment and annotates the system's behavior for threat detection; this process is both compute- and time-intensive, taking minutes to analyze each file. There is a middle ground where a few additional seconds can provide previously unseen detection opportunities.  

**Use Case: Qbot Malware Delivered via Follina and Malspam**

An example of an evasive threat is the recent TA570 campaigns that delivered Qbot malware with thread-hijacked emails. This wave of malspam utilized two different methods to provide the payload. The first method used a shortcut LNK to run a DLL with the hidden attribute. The second method is a Word document using the Follina (CVE-2022-30190) exploit.

    

Figure 2. Recent Qbot threat sequence. Source: InQuest

The attached HTML file contains an antiquated JS function to convert the embedded base64 string into a zip archive and prompt the victim to download. When extracted, the zip file contains a disk image that will be mounted showing either a shortcut or the shortcut and word document. The shortcut will execute the Qbot DLL within the directory with the hidden attribute set. At the same time, the Word file will attempt to exploit the MSDT vulnerability and download the payload from a remote server.

It is challenging for many solutions to carve the zip archive from the encoded HTML, extract the IMG file, and identify the weaponized contents. In this example, multiple threat signatures are seen from ambiguities within the SMTP headers, down to the hidden DLL or Follina document.

    

Figure 3. Variety of signatures alerts. Source: InQuest

Another interesting approach for detection is the concept of retrospective analysis or RetroHunting. While DFI creates a new dimension of data, RetroHunting provides a new dimension of time for analyzing historical events. The appearance of Follina and other zero-day vulnerabilities illustrates the usefulness of this capability by facilitating the detection of previously unseen alerts with emerging threat intelligence and detection logic.

In addition to a library of predeveloped signatures, analysts can develop user-defined YARA rules to combine strings, bytes patterns, and regular expressions via flexible conditional logic.

When confronted with novel attack techniques being encountered in the wild, security leaders must provide an opportunity to empower your detection operations and overcome the limitations inherent with other malware prevention solutions. A free resource to test the efficacy of a mail provider's security controls is the Email Security Assessment.

**About the Author**

    

Josiah Smith has almost a decade of experience in the realm of security. Before becoming a threat engineer, Josiah worked as a cyber operator, overseeing signature management and host-based detection programs. He spent several years in a room without windows, focusing on network detection, threat hunting, and IR investigations. He began his career as a member of the US Air Force, and most of his experience is with the DoD.

Empower Your Security Operations Team to Combat Emerging Threats

It's time to tap the large reservoir of talent with analytical skills to help tackle cybersecurity problems. Train workers in cybersecurity details while using their ability to solve problems.

When I decided to get a degree in criminal justice, cybersecurity wasn't top of mind for me. I just wanted to get justice for folks who had been wronged.

But as I learned more about the criminal justice system in the United States, it wasn't long before I made a pivot. In my junior year in college, while working for a degree in history, I received an unpaid internship to work at a small company in New Hampshire. It was there that I got my introduction to the cybersecurity world — and it led to an epiphany.

I realized that what I learned in college about human behavior extends in the same way to any criminal — whether we're talking about the physical or cyber worlds, a similar logic applies. Since I had always wanted a job where I could develop my analytical skills, cybersecurity was an unexpected fit.

**Tapping an Untapped Talent Pool**

This field can also be an unexpected fit for some of the hundreds of thousands of people who enter the job market each year, even if they graduate with degrees other than computer science. Cybersecurity suffers from a talent shortage and we're making it worse by not tapping this reservoir of potential talent.

There's no one-size-fits-all handbook to guide the battle against cybercriminals. Most often, it requires cybersecurity defenders to fit together different pieces of a human puzzle that will vary depending on a myriad of geographical, political, and cultural influences.

Essentially, this boils down to problem-solving on a global scale. Yet, whether it's cybercrime or physical crime, it's possible to read into the motivations of the threat actors and understand why they're doing the things they do. And then, once we know that, we get closer to predicting their next steps. This is where people with finely honed analytic skills can make excellent cyber sleuths.

Clearly, it's important to possess technical knowledge. But I think you can always teach technical skills to curious minds who enjoy a challenge. The critical thinking aspect is harder to come by. People who possess top-flight problem-solving abilities can make a difference and leverage their skills and fill the cybersecurity ranks with badly needed talent. It's key to have skilled individuals who are capable of training and teaching these individuals.

**Understanding Criminal Motivations**

In terms of adversary detection, there are several variables to consider. But you don’t need to be a veritable Sherlock Holmes to understand the criminal mindset. We need people who can determine what motivates someone to commit a certain act, and subsequently identify the likely next potential actions a threat actor would conduct, whether we’re talking about a distributed denial-of-service (DDoS) attack or a home intrusion.

When it comes to deciphering criminal groups, we repeatedly find similar patterns.

Cybercriminals can often be lazy and tend to choose targets that are designated as "easier," or simply target everyone to see what sticks. Professional cybercriminal groups develop and distribute malware on a global scale, and some groups can be very sophisticated and financially motivated. For example, advanced persistent threat (APT) groups are highly sophisticated professionals that tend to be motivated to carry out the theft of sensitive information, and sometimes, the destruction or prevention of resource access. With Russia-sponsored groups increasingly active since the Ukraine invasion, we can sometimes see both motivations simultaneously. Cyber espionage is solely motivated by information, and threat actors will go to great lengths and show extreme patience to get it. Nation-state groups arguably have the most resources at their disposal, and they can function with different motivation depending on their given objectives.

So, the process of adversary detection comes down to making logical deductions to understand how cybercriminals approach their goals. Once we know what the bad guys tend to do, then it becomes easier to detect their behavior. That's not to dismiss the complexity of the task. Attacker detection is challenging, but not impossible.

It's about getting that full picture of the actor, their motivations, and how they like to operate. Just like Sun Tzu said a long time ago, "If you know the enemy and know yourself, you need not fear the result of a hundred battles."

Source

DARKReading