While still under development, the malware contains Turkish-language filenames, can record the screen and keystrokes, and inject custom overlays to steal passwords and sensitive data.

Source: Muhammad Toqeer via Shutterstock

A threat intelligence firm discovered samples of a malicious Android program that appears to target Turkish-language speakers. The program can take screen grabs, capture keystrokes, and create custom overlays — also known as Web injections — that can fool users into entering sensitive information.

The Trojan, dubbed BlankBot, appears to be under active development — judging from a significant number of code variants and log files — and remains largely undetected by the anti-malware scanners hosted on VirusTotal, cyberthreat-intelligence firm Intel 471 stated in its report published on Aug. 1. The developers of the Trojan use openly available libraries for mimicking account pages and producing other overlays and showed other signs of cybercriminal sophistication, Intel 471's analysts, who asked not to be named, said in an email interview.

"The developers appear to be experienced Android application developers, and they also demonstrate an understanding of the ATO \[account takeover\] business," they said. "These libraries allow the malware operators to imitate real financial applications more closely and create a seamless, authentic-looking phishing page, making it more likely that a user will follow all the steps and give up their sensitive information."

At this point, the motive for the group's targeting of Turkey is unclear, the company said. In recent years, Turkey has become a target for cyberattackers, especially nation-state espionage groups. India's SideWinder group has targeted individuals in Turkey — in addition to the group's typical targets of regional rivals, such as Pakistan — while China's APT41 has targeted global shipping, technology, and automotive industries, including those in Turkey.

Meanwhile, the country has been developing its own cyber capabilities. A Turkey-linked group has targeted Kurdish opposition groups throughout Europe, the Middle East, and North Africa, while another cybercriminal group in Turkey is targeting corporate databases in the United States, Europe, and Latin America with ransomware.

**Malware Under Development**

The malicious application appears to be under development but already has a host of features. Like other Android malware, BlankBot requests permission and then uses Android's accessibility features to take control of the device. Once in control, the malware can record the screen via the MediaProjection API, with the recording saved as JPEG images, which are then sent to a remote server.

In a relatively rare technique, the malware also creates its own keyboard for input, so the application can more easily capture user keystroke input. BlankBot also uses two open source libraries, CompactCreditInput and Pattern Locker View, to create screens that mimic the data entry pages for various sensitive credentials, such as usernames, passwords, PIN combinations, and credit card information, Intel 471 stated in its advisory.

Finally, using the accessibility services, the company said that the malware can control certain features by spoofing finger swipes.

"Threat actors are able to perform on-device fraud (ODF) by waking up and controlling the device remotely with different types of supported gestures, such as clicks or swipes," the advisory stated. "Additionally, BlankBot is capable of creating overlays, as described in the previous section, as well as collecting contacts, SMS text and a list of installed applications."

**Focused on Cybercrime**

The malware's lineage is still a question mark. While Turkey-linked groups have not shied away from sophisticated attacks against the country's rivals, Intel 471's analysts say the malware seems more likely targeted at financial gain through cybercrime.

"We're fairly certain that this malware was not written for espionage because it has all of the features required for account takeover for financial gain, such as overlays for popular financial applications," the analysts said in an email interview. "Some of those features have limited use for espionage purposes but would make the malware more likely to be detected by anti-malware products."

However, the malware has anti-analysis capabilities, such as obfuscated code and a feature for detecting if it runs in an emulator.

Finally, while Turkish language strings do appear in the code, the malware could easily be localized to target other users and mimic other institutions, Intel 471 stated in its advisory.

"\[N\]o specific financial institutions were identified as targets during our analysis, therefore, this malware could be distributed in campaigns against users in different countries," the advisory stated.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

BlankBot Trojan Targets Turkish Android Users

Protections like Windows Smart App Control are useful but susceptible to attacks that allow threat actors initial access to an environment without triggering any alerts.

Source: ozrimoz via Shutterstock

Reputation-based security controls may be less effective at protecting organizations against unsafe Web applications and content than many assume.

A new study by researchers at Elastic Security found attackers have developed several effective techniques over the past few years to bypass mechanisms that block or allow applications and content based on their reputation and trustworthiness.

**Multiple Available Techniques**

The techniques include using digitally signed malware tools to make them appear legit, as well as reputation hijacking, reputation tampering, and specially crafted LNK files. "Reputation-based protection systems are a powerful layer for blocking commodity malware," Elastic Security researcher Joe Desimone wrote in a report this week. "However, like any protection technique, they have weaknesses that can be bypassed with some care."

For the study, the researchers used Microsoft Windows Smart App Control (SAC) and SmartScreen technologies as examples of a reputation-based mechanism for which attackers have developed bypasses.

SmartScreen is a feature that Microsoft introduced with Windows 8 to protect users against malicious website applications and file downloads. It verifies whether files that have the Mark of the Web (MoTW) on them — or files that Windows tags as downloaded from the Internet — can be trusted. Smart App Control became available with Windows 11. It uses Microsoft's threat intelligence service to determine if an application is trustworthy enough to run or not. If the threat intelligence is unable to determine an app's trustworthiness, SAC verifies if the app is digitally signed before allowing it to run.

The researchers at Elastic Security discovered that attackers have multiple ways around these protections.

**LNK Stomping Around MoTW**

One common way that attackers have used as a way around Smart App Control is by signing their malware with an extended validation (EV) SSL certificate, Elastic Security said. Though certificate authorities require proof of identity before they issue an EV to a requesting entity, threat actors have found ways to address this requirement by impersonating legitimate businesses. In other instances, they have used specially crafted and invalid code signing signatures to JavaScript and MSI files to bypass MoTW checks. For the past six years at least, attackers have also abused a weakness in how Windows handles shortcut files (LNK) to essentially strip the MoTW from malicious LNK files and sneak them past SmartScreen said Elastic Security, which has dubbed the tactic "LNK Stomping."

Reputation hijacking — where an attacker exploits the good reputation of trusted applications, websites and other entities — is another tactic. Elastic Security found that attackers often target trusted script hosts — or programs that execute scripts — such as Lua, Node.js, and AutoHotkey for this type of attack. The bypass involves placing malicious content where the trusted script host will automatically find and execute it during its normal course. "Script hosts are an ideal target for a reputation hijacking attack. This is especially true if they include a foreign function interface (FFI) capability," Desimone wrote. "With FFI, attackers can easily load and execute arbitrary code and malware in memory."

Elastic Security also found attackers using a technique called reputation seeding to bypass reputation-based filtering mechanisms. For these attacks, threat actors first introduce their own seemingly benign binaries or executable files into a target system and wait for them to build up a positive reputation over time. Another variation is introducing a legit application with a known vulnerability to a target environment for later use. "Smart App Control appears vulnerable to seeding," Desimone said in his report. "After executing a sample on one machine, it received a good label after approximately 2 hours."

The security vendor recommends that organizations bolster their security by using behavior analysis tools to monitor for common attack tactics such as credential access, enumeration, in-memory evasion, persistence, and lateral movement.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Attackers Use Multiple Techniques to Bypass Reputation-Based Security

Everyone expected some kind of cyberattack during the Olympics. If this is the best they've got, the bad guys don't deserve a spot on the podium.

Source: Alexandre ROSA via Alamy Stock Photo

Overnight on Saturday, Aug. 3, cyberattackers struck the computer systems belonging to the Réunion des Musées Nationaux et Grand Palais (RMN), a French cultural institution that oversees dozens of museums, shops, and exhibitions, as well as around 100 publications.

In its own words, RMN is "neither a museum nor a gallery, but an unidentified creature on the cultural landscape." This summer, its namesake Grand Palais complex has hosted various Olympics-related exhibitions and events, including fencing and Taekwondo competitions.

Between Aug. 3 and 4, RMN fell victim to a purported ransomware attack. Defenders quickly responded, and the organization reported little impact to any of its many related institutions.

France's Anti-Cybercrime Brigade has opened an investigation into the incident. According to the country's penal code, fraudulently accessing a data processing system is punishable by three years' imprisonment, and deleting or modifying the data therein adds another two years on top.

**What (Seems to Have) Happened**

Le Parisien was the first to report that a weekend attack against RMN involved ransomware. The attack targeted the system that centralizes financial data across its various related institutions. It suggested that a cryptocurrency ransom was involved, that data had been exfiltrated, and that organizations like the Louvre were affected.

In an Aug. 6 press release, however, the RMN said it had discovered no signs of data exfiltration. Meanwhile, the Louvre's chief of staff, in a post to X, denied that the attack had affected it.

The Grand Palais director clarified to reporters, "This only concerns our internal network of shops, and not even the other activities of the RMN-Grand Palais. We immediately disconnected everything that was vital and called on the special state unit that deals with this type of problem, the French Computer Security Agency."

RMN noted that even those potentially affected shops "are operating normally, autonomously and the museums and their bookshops remain open to the public under the usual conditions."

**Hackers' Underwhelming Performance at the Olympics**

"Everyone expected the Olympic Games to be the target of cyberattacks," says Dr. Martin J. Kraemer, security awareness advocate at KnowBe4. If this attack was the best the bad guys have got, though, it will have been underwhelming.

"Attackers have used ransomware attacks on other occasions to cover the tracks of something else," Kraemer adds. "This might be the case here. However, it seems more likely that the scheme is a quick exploit and nothing else in this case."

Still, there are five more days of the Olympics to go. "It will be interesting to watch the situation unfold on the world stage," says Josh Jacobson, director of professional services at HackerOne. "There continues to be a significant risk of attacks against the event’s associated venues, attendees, and spectators. Fake ticketing sites, social engineering campaigns or phishing attacks still pose a significant risk until the games end and beyond that."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Cyberattack Strikes the Grand Palais RMN; Impact Appears Limited

At least two Russian nationals serving prison sentences for cybercrime offenses, Vladislav Klyushin and Roman Seleznev, were released as part of the landmark prisoner swap.

Source: Blackboard via Shutterstock

A convicted dealer of credit card accounts and identity documents and a hacker who helped steal sensitive data from companies to inform stock trades were among the eight Russian nationals traded last week to that country's government in exchange for 16 imprisoned Americans and Europeans.

In the most extensive prisoner exchange since the Cold War, the United States and its allies traded eight convicted Russian nationals — including cybercriminals Vladislav Klyushin and Roman Valeryevich Seleznev — for the release of four Americans, five Germans, and seven Russian political prisoners. Since 2017, Seleznev has been serving a 14-year sentence for participating in a massive cyber-fraud ring that stole more than $9 million from banks and $50 million in consumer losses. Klyushin was sentenced in September 2023 to nine years in prison for taking part in a hack-and-trade scheme.

The fact that the two cybercriminals were included in the exchange shows the importance that the Russian government puts on cyber operations, says Waithera Junghae, associate on the incident response team at S-RM, a global corporate intelligence and cyber security consultancy.

"Cyber activity aligns closely with real-world events such as conflict in Russia-Ukraine, and therefore it's perhaps not unsurprising that we see individuals engaged in this activity feature in negotiations and resulting releases," she says.

The massive exchange involved US diplomacy as well as the cooperation of at least five allies: Germany, Norway, Poland, Slovenia, and Turkey. The United States and its allies gained the release of three American citizens, an American green card holder, five German citizens, and seven Russian political prisoners, according to the White House. In addition to the two cybercriminals, Russia freed Vadim Krasikov, previously held by Germany after being convicted of assassinating a Chechen separatist in Berlin, news reports stated.

In remarks on Aug. 1, President Joe Biden stressed that the five countries who helped make the deal possible — either by releasing prisoners or in helping with logistics — showed the importance of the United States' alliance partners.

"They all stepped up, and they stood with us," Biden said. "They stood with us, and they made bold and brave decisions, released prisoners being held in their countries who were justifiably being held, and provided logistical support to get the Americans home. So, for anyone who questions whether allies matter, they do. They matter."

**Cybercriminals Pursued Unique Approaches**

The two cybercriminals released by US authorities included Klyushin, 42, who monetized hacks in an uncommon — if not unique — way. The Russian businessman, who owned the Moscow-based IT-security firm M-13, worked with four other co-conspirators to steal information on corporate earnings from publicly traded businesses, making trades around more than 2,000 "earnings events," according to a statement by the US Attorney's Office for the District of Massachusetts. The scheme netted the group around $93 million.

The "hack-to-trade" scheme is not unique, but it is a rare way for financially motivated cybercriminals to make money, Junghae says.

"Financially motivated cybercriminals typically opt for the quickest and easiest routes to make money, including encrypting and exfiltrating data or engaging in payment diversion schemes," she says. "However, in this particular case, Klyushin's strategy involved hacking companies to obtain confidential information for trading purposes."

Meanwhile, Seleznev — as part of the credit-card theft ring, Carder.su — created an automated portal for selling credit card data, allowing members to log in, search for specific types of account holders and card information, and then purchase the data by checking out. Seleznev, who used the handles Track2, Bulba, and Ncux, was sentenced to 14 years in prison in 2017, following a guilty plea. Law enforcement charged more than 55 individuals related to Carder.su as part of a concerted investigation dubbed Operation Open Market.

The scale and ease of the cybercriminal operation made Selznev, a pioneer at the time, Junghae says.

"High-profile cases like Seleznev's can embolden other cybercriminals, encouraging them to pursue similar activities under the belief that they too can evade detection and prosecution," she says. "The techniques and methods Seleznev employed can be adapted and refined by other criminals, thereby enhancing their capabilities."

**Not a Major Factor for Law Enforcement**

Some international policy experts have argued that the successful negotiated release of legitimately convicted Russian criminals poses a risk: Rogue governments could be incentivized to trump up charges and arrest other nations' citizens. Since 2021, the Biden administration has negotiated the release of prisoners from Russia, Iran, and Venezuela, according to Reuters.

"While it is or would be great to have these individuals released, it underscores how hostage-taking has become a prominent and frequent — if not growing — element of Russian strategy toward the U.S. and the West," Ian Brzezinski, a former US defense official, told Reuters.

Yet, the prisoner exchange will not change how law enforcement agencies pursue and prosecute cybercriminals, S-RM's Junghae says.

"This was an historic move, years in the making, that likely won't be repeated for some time," she says. "So, it would be remiss for countries and their government administrations to base future activity around further negotiated releases."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Russia's Priorities in Prisoner Swap Suggest Cyber Focus

The RaaS group that distributes Hive ransomware delivers new malware impersonating as validly signed network-administration software to gain initial access and persistence on targeted networks

Source: David Chapman via Alamy Stock Photo

An emerging threat group that's made a meteoric rise to the top of the ransomware food chain has a new tool in its arsenal with a novel remote access Trojan (RAT). The group is using the tool in attacks that appear to be targeting IT professionals.

Researchers from Quorum Cyber revealed in a recent blog post that Hunters International, active since last October, is deploying Hive ransomware. The group uses the new malware, dubbed SharpRhino, first to gain access to targeted infrastructure and then to establish persistence and allow attackers to maintain remote access to the device.

SharpRhino compromises systems disguised as the open source network-administration tool Angry IP Scanner through typosquatting domains. Because Angry IP Scanner is open source, attackers can abuse and misuse valid code-signing certificates to make it look like a network admin is downloading software that has a valid certificate but instead is installing the malware, according to the post.

Upon execution, SharpRhino establishes persistence and provides the attackers with remote access to the device, which they then use to launch a typical ransomware attack using Hive ransomware. Hunters International acquired the malware from its original owners, a group that disbanded after it was taken out by international law enforcement soon after its inception.

"Using previously unseen techniques, the malware is able to obtain a high level of permission on the device in order to ensure the attacker is able to further their targeting with minimal disruption," Quorum Cyber threat intelligence analyst Michael Forret wrote in the post.

**Evolution of a Ransomware Group**

SharpRhino demonstrates the progression of Hunters International, a group linked to Russia. In the first seven months of 2024, the group claimed responsibility for 134 attacks. It has quickly risen to ascendance as the 10th most active ransomware group in 2024 thanks to its possession of Hive.

Leveraging the ransomware, the group has positioned itself as a ransomware-as-a-service (RaaS) provider that works with less sophisticated actors to do much of its dirty work, allowing it to spread Hive more quickly. "Being a RaaS provider is highly likely a main cause for their fast rise to notoriety," Forret wrote.

Like many other ransomware operators, Hunters International exfiltrates data from victim organizations prior to encrypting files, then changes file extensions to .locked and leaves a README message guiding recipients to a chat portal on the Tor network for payment instructions.

"The encryptor itself exhibits a sophisticated design, coded in Rust, a programming language increasingly favoured by cybercriminals for its security features, efficiency, and resistance to reverse engineering," Forret wrote. "This tactic is in line with the evolution observed in the ransomware development, with notable examples including both Hive and BlackCat."

**Disguised as Legitimate Software**

The researchers analyzed a sample of SharpRhino that used a valid certificate signed by the J-Golden Strive Trading Co. Ltd. The file that delivered the malware was a Nullsoft Scriptable Installer System (NSIS)-packed executable, a common file that most compression tools like 7-Zip can understand and read, Forret observed.

The installer system establishes persistence by modifying the Run\\UpdateWindowsKey registry with the shortcut for Microsoft.AnyKey, and establishes two directories on the C:\\ProgramData\\Microsoft — called WindowsUpdater24 and another called LogUpdateWindows — to facilitate multiple channels to Hunters International's command and control (C2) as "a fallback mechanism," Forret noted.

"If the folder WindowsUpdater24 and its contents are discovered by a security engine or professional, there exists the possibility that the persistence mechanism will remain, and the device will remain infected,” he wrote.

Ultimately, SharpRhino's purpose in an attack is to give Hunters International persistence and control over a targeted system to "launch a sophisticated ransomware attack" for financial gain, which the group does without prioritizing any sector or region but instead by targeting "via opportunistic means," Forret wrote.

Qurom Cyber included a list of indicators of compromise for SharpRhino so organizations can identify if network administrators accidentally downloaded the RAT instead of the legitimate tool they believed to be deploying. It also provided Mitre ATT&CK Mapping for the RAT's defense and evasion, discovery, privilege escalation, execution, persistence, and C2 processes.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Hunters International Disguises SharpRhino RAT as Legitimate Network Admin Tool

Cybersecurity startup RAD Security, a finalist in this year's Black Hat USA Startup Spotlight competition, looks for "drift events," or events that vary from the baseline.

Source: THP Creative via Alamy Stock Photo

Consider these two statistics: By 2025, 95% of new applications will be deployed on cloud-native platforms. And in 2023, 90% of teams working with containers and Kubernetes reported a breach.

RAD Security cites these two figures to illustrate the challenges enterprise defenders face in detecting supply chain and cloud-based attacks. The cybersecurity startup offers a behavioral cloud detection and response solution that generates a "consistent, predictable, behavioral baseline" of an organization's cloud environment in order to detect anomalous activity, according to the company, in response to emailed questions from Dark Reading.

RAD Security calls its approach "behavioral workload fingerprinting." Behavioral fingerprints are represented by the deduplicated hierarchy of programs, processes, and files that a container image exhibits at runtime. RAD Security creates "fingerprints that contain 'golden signals,' created by a proprietary algorithm, with key metrics and behaviors that indicate the health and security status of each container," the company says.

The company looks for "drift events," or those events that don't match the baseline, and adds posture and identity context so that defenders understand what is happening in the environment.

"Anomaly detection is not something you can verify in your environment, as it happens in a black box," the company says. "And there are simply not enough cloud attacks to be able to use machine learning to analyze millions of cloud attacks and find new ones."

This approach is appropriate for clouds because it is transparent and portable, the company says.

The team is currently working on making behavioral fingerprints a de facto standard for how behavioral detection and response is done in cloud security, "all the way from early on in the software supply chain to runtime," RAD Security says.

**Startup Spotlight Finalist**

RAD Security was a Kubernetes Security Operations Center (KSOC) until earlier this year. The name change reflects how the company's scope has evolved beyond being a "best-of-breed Kubernetes Security solution," according to the company. The RAD in RAD Security is not an acronym but references the fact that something radical is technically exciting and "an "irreverence to the status quo," the company says. The name RAD Security is "straightforward, just like the solution we provide."

The four finalists in this year's Black Hat Startup Spotlight competition — DryRun Security, Knostic, LeakSignal, and RAD Security — will present their business models to a panel of judges during the Black Hat USA Conference in Las Vegas on Tuesday, Aug. 6. The judges for this year’s competition are Ketaki Borade (senior analyst, Omdia), Coleen Coolidge (CISO adviser, SF Info Security), Trey Ford (CISO adviser), Hollie Hennessy (senior analyst, Omdia), Maria Markstedter (founder and CEO, Azeria Labs), Lucas Nelson (founding partner, Lytical Ventures), Robert J Stratton III (venture partner, NextGen Venture Partners), and Rik Turner (principal analyst, Omdia). The "Shark Tank"-style competition involves each finalist making a presentation and then answering questions from the panel.

Finalists have the opportunity to demonstrate their technology on the show floor at Black Hat. Visitors to RAD Security's booth will be able to see demonstrations of the platform. The company also announced new features to the platform to "change the way investigations are done in the cloud."

**Startup Brief**

If the company were a band, what would its band name be?

RAD, and our band would be a full experiential show (like the Sphere in Las Vegas) that engages all your senses.

If your company had a mascot, what would the mascot look like?

"Funny you should ask — we have unveiled our new mascot, their name is BRAD!" Brad is a bear that knows how to be rad when it comes to security.

Startup Spotlight: RAD Security Brings Behavioral Profiling to Cloud

The AI boom and increasing popularity of quantum computing necessitates quantum-resilient security.

David O'Berry, vCISO Cyber Resiliency and Enterprise Converged OT/IT/IIoT Cyber, North America Cybersecurity Practice, Capgemini

August 6, 2024

4 Min Read

Source: Science Photo Library via Alamy Stock Photo

COMMENTARY

Quantum computing has been projected to enable market-defining and life-changing capabilities since its inception more than three decades ago. From financial portfolio optimization and improved electric vehicle (EV) battery production to enhanced drug discovery and advanced semiconductor manufacturing, quantum computers can perform complex calculations at faster speeds than both traditional and super computers. 

Thanks to the recent artificial intelligence (AI) boom, quantum computing is predicted to become even more significant in the coming years. Quantum computers will facilitate advancements in AI algorithms — better known as quantum AI or QAI. These quantum-enabled AI models will be faster as well as more accurate and efficient, due to quantum computers' parallel processing abilities that can simultaneously solve complex problems and prepare large datasets. This also means that quantum computing can deliver more energy-efficient AI algorithms, as well as hybrid architecture, neural network-enabled data modeling, and improved AI and data security.

Despite the positivity surrounding quantum computing, there is also a dark side to this burgeoning technology. Cybersecurity criminals are increasingly using quantum computing techniques to attack enterprises and break encryptions. It is believed that in the next five to 10 years, quantum computers will be able to break the majority of today's cryptographic algorithms.

This reality leaves corporate leaders and cybersecurity experts with one choice — prepare for the future of post-quantum cryptography (PQC) before it's too late.

**Current State of Post-Quantum Cryptography**

Encryption has been a highly divisive cybersecurity tool in the United States for several decades. In fact, if it was not for the work of experts like Phil Zimmerman catalyzing public-private discussion during the Crypto Wars, we could be living in a more vulnerable world, where encryption was still widely outlawed. 

Fortunately, after years of debate and a growing onslaught of concerning cyberattacks, cryptography is now a broadly accepted security technique, backed by the US government. Encryption is used to protect everything from emails to cryptocurrencies to private wireless networks. However, of all the cryptographic applications, post-quantum cryptography in particular is now the gold standard.

In 2022, Congress passed the Quantum Computing Cybersecurity Preparedness Act to ensure all federal entities will have quantum-resilient plans and technology in the coming years. The National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and National Institute of Standards and Technology (NIST) also collectively developed the "Quantum Readiness: Migration to Post-Quantum Cryptography" information sheet last year, to advise US defense agencies and private enterprises alike on the new reality of cybersecurity in our post-quantum world. 

This surge in PQC legislation is largely due to the fact that most of our existing encryption is weak and cannot withstand a quantum-enabled attack. And while there is some work being done to advance quantum-proof algorithms, it is not nearly enough. Organizations across industries will be subjected to quantum-led attacks, including government agencies, financial and insurance enterprises, government suppliers — such as aerospace and defense companies — and corporations managing critical infrastructure like telcos and utilities. In other words, PQC is a matter of national security and personal privacy. 

**Bolstering Unbreakable Security**

Cyber leaders have always been tasked with preparing for the unpredictable, but now perhaps for the first time, they must prepare for the unknown. Cyber teams have limited knowledge of both quantum-enabled attacks and quantum-resistant encryption. So how can leaders across sectors bolster their defenses in the unfolding era of PQC?

To start, preparations should begin with risk assessments and inventories to help organizations understand where they have cryptographic gaps. Cyber teams should ask themselves where and how they are using encryption. Moreover, they should identify the various kinds of encryption algorithms and their current use cases across the enterprise. This will, in turn, help companies achieve crypto agility across systems. 

Leaders must also enable a cultural and technological reset. Most cybersecurity professionals will need to be trained to identify, mitigate, respond to, and even predict and prevent quantum-driven threats. These upskilling and reskilling initiatives will typically require third-party support from cyber vendors with deep expertise in quantum technologies.

In order to ultimately protect data and secure AI models using post-quantum cryptographic protocols, algorithms, and systems, organizations will also have to revamp their key management strategy, public key infrastructure deployments, and certificate life cycle management practices. 

The AI boom and increasing popularity of quantum computing necessitates quantum-resilient security. The US government has seen the writing on the wall — and now, enterprises must meet the unknown head-on as well. 

**About the Author**

vCISO Cyber Resiliency and Enterprise Converged OT/IT/IIoT Cyber, North America Cybersecurity Practice, Capgemini

David currently leads the vCISO Practice for the Converged OT/IT, Enterprise, and Cyber Resilience Towers for the North America Cybersecurity Practice at Capgemini. In this role, David also works on the creation of Capgemini’s Cybersecurity Delivery Center of Excellence in North America. Most recently, David served as the chief architect for a large North American utility, helping to lead a $100 million-plus cybersecurity transformation initiative. David has more than 30 years of experience in IT, OT, converged IT/OT, network security, and consulting services.

Preparing for the Future of Post-Quantum Cryptography

A security vulnerability in Rockwell Automation's ControlLogix 1756 programmable logic controllers, tracked as CVE-2024-6242, could allow tampering with physical processes at plants.

Source: Kay Roxby via Alamy Stock Photo

A security bypass vulnerability in Rockwell Automation ControlLogix 1756 devices could open critical infrastructure to cyberattacks on the operational technology (OT) that controls physical processes.

According to Claroty's Team82, the bug (CVE-2024-6242, CVSS 8.4), could allow a remote attacker with network access to the device to send elevated commands to the CPU of a programmable logic controller (PLC), from an untrusted chassis card.

"Our technique allowed us to bypass the trusted slot feature implemented by Rockwell that enforces security policies and allows the controller to deny communication via untrusted paths on the local chassis," Claroty researcher Sharon Brizinov explained in a blog posting on the bug.

The result? Successful attackers can download new logic for controlling a PLC's behavior, and send other elevated commands that would interfere with the physical operations of a manufacturing site.

Rockwell has issued a fix, and users are urged to apply it immediately; and the Cybersecurity and Infrastructure Security Agency has published mitigation advice, noting that exploitation is a low-complexity endeavor.

According to Rockwell, ControlLogix, GuardLogix, and 1756 ControlLogix I/O Modules, widely deployed in industrial manufacturing environments, are affected by the vulnerability.

**Manipulating the Trusted Slot Mechanism**

The 1756 chassis is a modular enclosure that houses various cards within physical slots that are responsible for communicating with sensors, actuators, and other OT equipment; they also provide the physical and electrical connections to allow those components to interoperate and talk to each other. All of the communication and connections are carried out via a shared circuit board known as the backplane, using the common industrial protocol, or CIP.

"A 1756 PLC in a production line might be connected to multiple sources via different network cards, for example, the human-machine interface (HMI) panel, engineering workstation, and other devices," Brizinov explained. "To ensure that only specific individual devices are performing elevated operations on the PLC such as download logic, a security mechanism was introduced called trusted slot."

The trusted-slot feature ensures that only authorized slots can communicate with each other, protecting against potential tampering. It does this by requiring slots to essentially authenticate to the PLC.

However, Claroty found a way around that.

"Since all slots are connected via the backplane, and CIP supports path (routing), we could generate a CIP packet that will be routed through a trusted card before it reaches the CPU," according to the blog post. "Basically, the method involved 'jumping' between local backplane slots…This technique allowed us to traverse the security boundary that was meant to protect the CPU from untrusted cards."

To prevent the exposure of critical control systems to unauthorized access over the CIP protocol, site security administrators should apply Rockwell's patches immediately:

*   ControlLogix 5580 (1756-L8z): Update to versions V32.016, V33.015, V34.014, V35.011, and later.
    
*   GuardLogix 5580 (1756-L8zS): Update to versions V32.016, V33.015, V34.014, V35.011 and later.
    
*   1756-EN4TR: Update to versions V5.001 and later.
    
*   1756-EN2T Series D, 1756-EN2F Series C, 1756-EN2TR Series C, 1756-EN3TR Series B, and 1756-EN2TP Series A: Update to version V12.001 and later
    

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Rockwell PLC Security Bypass Threatens Manufacturing Processes

Researchers say "LianSpy" malware has been in use in a covert data gathering operation that's gone undetected for at least three years.

Source: Tero Vesalainen via Shutterstock

An unknown — and likely state-sponsored — threat actor has been using a previously unseen mobile spyware tool to spy on an unknown number of Android smartphone users. This activity has been ongoing for at least three years, according to researchers.

Until now, the campaign has focused mainly on targeted individuals in Russia, according to researchers at Kaspersky, who are tracking the threat as LianSpy. But the tactics that the spyware operators used in deploying the malware could be easily applied in other regions as well, Kaspersky says.

**Post-Exploit Malware**

"LianSpy is a post-exploitation Trojan, meaning that the attackers either exploited vulnerabilities to root Android devices, or modified the firmware by gaining physical access to victims' devices," Kaspersky researcher Dmitry Kalinin wrote in a blog post this week. "It remains unclear which vulnerability the attackers might have exploited in the former scenario."

LianSpy is the latest in a fast-growing list of spyware tools. The list includes widely deployed products such as the NSO Group's Pegasus Software and the Intellexa alliance's Predator. Researchers have discovered these malware instances targeting iPhone and Android smartphone users in recent years. The main purchasers — and users — of these tools are typically governments and intelligence agencies that want to spy on dissidents, political opponents and other persons of interest to them.

In many instances — as was the case with last year's Operation Triangulation iOS spyware campaign — the purveyors of mobile spyware tools have exploited zero-day flaws in Android and iOS to deliver and/or run their malware on target devices. In other instances, including one involving an Android spyware tool dubbed BadBazaar last year and another espionage tool dubbed SandStrike in 2022, threat actors have distributed spyware via fake versions of popular applications on official mobile app stores.

**A Three Year Campaign**

Kaspersky researchers first stumbled on LianSpy in March 2024 and quickly determined that the entity behind it has been using the spyware tool since July 2021. Their analysis reveals that the attackers are likely distributing the malware disguised as systems applications and financial applications.

Unlike some so-called zero-click spyware tools, LianSpy's ability to function depends, to a certain extent, on user interaction.  When launched, the malware first checks to see if it has the required permissions to execute its mission on the victim's device. If it does not have the required permissions, the malware prompts the user to provide them. When LianSpy obtains permission, it registers what is known as an Android Broadcast Receiver to receive and respond to system events such as booting, low battery, and network changes. Kaspersky researchers found LianSpy is using super user binary with a modified name ("mu" instead of "su") to try and gain root access on a victim device. Kaspersky officials say this as an indication that the threat actor delivered the malware after first gaining access to the device another way.

"Upon launch, the malware hides its icon on the home screen and operates in the background using root privileges," Kalinin wrote. "This allows it to bypass Android status bar notifications, which would typically alert the victim that the smartphone is actively using the camera or microphone."

**Data Harvesting and Exfiltration**

LianSpy's primary function is to quietly monitor user activity by intercepting call logs, recording the device screen especially when the user is sending or receiving messages and enumerating all installed apps on the victim device. The threat actor behind the malware has not used private infrastructure for communicating with the malware or storing harvested data. Instead, the attacker has been using public cloud platforms and pastebin services for these functions.

"The threat actor leverages Yandex Disk for both exfiltrating stolen data and storing configuration commands. Victim data is uploaded into a separate Yandex Disk folder," Kaspersky said in a technical writeup on the malware.

One interesting aspect about LianSpy, according to Kaspersky, is how the malware uses its root privileges on a compromised device. Instead of using its superuser status to take complete control of a device, LianSpy uses just enough of the functionality available to carry out its mission in a quiet fashion. "Interestingly, root privileges are used so as to prevent their detection by security solutions," the security vendor says. Kaspersky researchers also found LianSpy to be using both symmetric and asymmetric keys for encrypting the data it exfiltrates, which makes victim identification impossible.

"Beyond standard espionage tactics like harvesting call logs and app lists, it leverages root privileges for covert screen recording and evasion," Kalinin said. "Unlike financially motivated spyware, LianSpy's focus on capturing instant message content indicates a targeted data-gathering operation."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Sophisticated Android Spyware Targets Users in Russia

Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.

Someone did — or didn't — do something they should or shouldn't have, but no one wants to claim responsibility. What's your take? Send us a cybersecurity-related caption to explain the scene, above, and our favorite will win its creator a $25 Amazon gift card.

Here are four convenient ways to submit your ideas before the August 28, 2024, deadline:

*   Via social media: X, Facebook, and LinkedIn. (If you win, we'll respond to you on the same platform, requesting your email address.)
    

**Last Month's Winner**

Props to Marcello Delcaro, implementation manager at Exiger, whose caption for last month's "Cyber Cloudburst" contest snagged first place and a $25 Amazon gift card. Many thanks to all who played!

**About the Author**

John Klossner has been drawing technology cartoons for more than 15 years. His work regularly appears in Computerworld and Federal Computer Week. His illustrations and cartoons have also been published in The New Yorker, Barron's, and The Wall Street Journal.

Source

DARKReading