The state-sponsored Chinese threat actor gained access to three systems and stole at least some research data around computing and related technologies.

Source: Christophe Coat via Alamy Stock Photo

China-linked advanced persistent threat group APT41 appears to have compromised a government-affiliated institute in Taiwan that conducts research on advanced computing and associated technologies.

The intrusion began in July 2023, with the threat actor gaining initial access to the victim environment via undetermined means. Since then, it has deployed multiple malware tools, including the well-known ShadowPad remote access Trojan (RAT), the Cobalt Strike post compromise tool, and a custom loader for injecting malware using a 2018 Windows remote code execution vulnerability (CVE-2018-0824).

APT41 is an attribution that several vendors use to track a loose collective of China-nexus threat groups that have been engaged in a broad range of cyber espionage and financially motivated cyberattacks around the world, going back to 2012. Members of the group such as Wicked Panda, Winnti, Barium, and SuckFly have plundered and pillaged trade secrets, intellectual property, and other sensitive data from organizations in the US and multiple other countries in recent years.

Most recently, Mandiant reported observing members of the group targeting global shipping and logistics companies and organizations in the technology, entertainment, and automotive sectors. The US government indicted several members of the Chengdu-based APT41 in 2020, though that has done little slow it down.

**Academic Research: A Valuable Cyber Target**

Researchers at Cisco Talos discovered the intrusion when investigating abnormal activity involving attempts to download and execute PowerShell scripts in the Taiwan research institute's network environment last year.  

"The nature of research-and-development work carried out by the entity makes it a valuable target for threat actors dedicated to obtaining proprietary and sensitive technologies of interest to them," Talos researchers Joey Chen, Ashley Shen, and Vitor Ventura said in a report this week. Over the course of the intrusion, APT41 actors broke into three systems in the target environment and stole at least some documents from there, they said.

ShadowPad is malware that researchers first discovered embedded in the source code of NetSarang Computer's Xmanager server management software back in 2017. That supply chain attack impacted several NetSarang customers in the APAC region. Initially, researchers believed that APT41 was the sole user of the backdoor. Over the years however, they have identified multiple groups — all of them China-linked — that have used the RAT in numerous cyber-espionage campaigns and software supply chain attacks.

With the attack on the Taiwanese research institute, APT41 used two different ShadowPad iterations — one that leveraged a previously known packing mechanism called "ScatterBee," and another that used an outdated and vulnerable version of Microsoft Input Method Editors (IME), the Cisco Talos researchers said.

**ShadowPad & Cobalt Strike Anchor Espionage Effort**

The attackers used ShadowPad to run commands for mapping out the victim network, collecting data on hosts, and trying to find other exploitable systems on the same network. Cisco Talos also found the APT harvesting passwords and user credentials stored in Web browsers from the compromised environment, using tools such as Mimikatz and WebBrowserPassView.

"From the environment the actor executes several commands, including using 'net,' 'whoami,' 'quser,' 'ipconfig,' 'netstat,' and 'dir' commands to obtain information on user accounts, directory structure, and network configurations from the compromised systems," the researchers said. "In addition, we also observed query to the registry key to get the current state of software inventory collection on the system."

As part of their attack chain, the threat actors also deployed the Cobalt Strike post compromise tool on the victim network using a loader they cloned from a GitHub project. It's designed to evade antivirus detection tools.

"It’s important to highlight that this Cobalt Strike beacon shellcode used steganography to hide in a picture and executed by this loader," the researchers said. "In other words, its download, decryption, and execution routines all happen in runtime in memory."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

China's APT41 Targets Taiwan Research Institute for Cyber Espionage

Now that the Authy Desktop app has reached EOL and is no longer accessible, users are hoping their 2FA tokens synced correctly with their mobile devices.

Source: Cynthia Lee via Alamy Stock Photo

UPDATE

Twilio's Authy Desktop application for Linux, Windows, and macOS has finally been shut down, and is logging users out of the application. 

Earlier this year, the company announced that the application, which manages sign-ons for two-factor authentication (2FA)-protected accounts, would meet its end of life (EOL) in March. However, the desktop app has continued to work past the EOL date.

Now, the app has officially been discontinued. Twilio recommends that users switch to the mobile version of the app, as it offers "similar or better features for securely storing your authenticator account tokens and are fully supported and regularly updated."

However, some users are reporting that the desktop version is inaccessible: When they installed Authy on their phones, their tokens did not synchronize correctly, and they were missing a significant amount of data.

It is possible that these users did not have the backup feature enabled, which ensures that a user's tokens automatically sync between devices. According to a Twilio spokesperson, "If users are finding that their tokens didn't synchronize properly, it's best for them to follow the instructions linked at the bottom of the page, specifically the 'Decrypt a 2FA account takeover.'"

This story was updated at 4:00 p.m. ET on Aug. 2 to reflect comments from the vendor.

**About the Author**

Twilio Users Kicked Out of Desktop App, Forced to Switch to Mobile

In a monoculture, cybercriminals need to look for a weakness in only one product, or discover an exploitable vulnerability, to affect a significant portion of services.

Source: Skorzewiak via Alamy Stock Photo

Could the US federal government inadvertently be fueling perfect storm conditions for another unprecedented cyber incident that would have widespread implications for federal, state, and critical infrastructure services, similar to the recent CrowdStrike outage? 

**Setting the Stage**

The US State and Local Cybersecurity Grant Program (SLCGP) provides funding to eligible entities to improve cybersecurity posture and reduce the risk of a cyberattack. This is, of course, good, as many public entities have lacked the budget necessary to have a cybersecurity posture suitable to protect the personal data or services they provide.

Prior to this funding, each entity would make their own decision on cybersecurity and need to fund it from existing budgets. For example, a school district may select a vendor based on services and price, the neighboring school district could choose a different vendor, and so on. For the financially frugal, this would seem like a bad solution. If entities were to group together and use a single vendor, they would get bulk purchase discounts and lower the amount of tax dollars spent. 

But ask a cybersecurity professional to describe the best cybersecurity posture and they will use terms like "defense in depth" or "layers of defense." This refers to the use of multiple technologies, and in most cases multiple vendors, in order to thwart potential attacks, or incidents such as CrowdStrike's single corrupt driver causing a global outage at multiple major companies. 

When the SolarWinds cyberattack unfolded there were 33,000 private, federal, and state users of the technology, with about 18,000 installing the malicious update. The backlash of this supply chain attack resulted in new regulation on improving supply chain security, and this continues to play out today. While the attack was devastating, it was not a cyber-Armageddon event, as states, entities within states, federal agencies, and such were using a diverse set of solutions from different vendors.

The recent, unfortunate incident suffered by CrowdStrike customers highlights how devastating a single vendor issue can be, with just 8.5 million devices affected globally (representing less than 1% of Windows devices) causing mass global disruption to airlines, healthcare facilities, businesses, and more. 

**Creating a Monoculture**

Now consider the offer of SLCGP, which gives free money to spend on cybersecurity — it's like moths attracted to a light. A state can apply for funds from the grant to cover multiple entities within its jurisdiction. Once granted, a vendor is selected and offered to entities statewide, either free or highly discounted due to volume licensing. This creates a monoculture cybersecurity environment, or a perfect storm for a major cyber incident, where if the primary vendor is attacked or has a significant vulnerability exploited, it could take out the entire state's services, every school district, local government administration, etc. The effect on everyday society could be devastating. 

The SolarWinds and CrowdStrike incidents demonstrate, on a limited scale, that when a single vendor suffers an incident of some type, if there are enough affected parties, the incident becomes significant, and if they are all grouped in a single state, it becomes a major incident.

If a single vendor becomes the de facto standard for states that apply for SLCGP (a good possibility: I personally know of some organizations that have been rolled into a standard solution as part of a no-cost, or near-no-cost, state solution)

To put this in context, there are approximately 50 million US children of school age. If 90% of states are customers of one solution, and this includes state-funded education, the impact of a cyber incident would see 45 million children's educations being disrupted. And in some instances, schools have suffered significantly when hit by a cyber incident — requiring closure for potentially months. And education is just one area affected by single-vendor risk.

The SLCGP appears to be creating a new monoculture environment, on a scale that could make the previous incidents pale into insignificance. Monoculture is a term typically used in farming. In brief, it is about crop rotation — diversity in planting in order to protect both the crop and the fields in which the crops are planted. If a single crop is planted in the same field over several seasons the outcome results in bad yield. 

**Promoting Diversity in Cybersecurity**

In 2015, an academic paper detailed the issues of monoculture cybersecurity relating to the use of antivirus (AV) products. It concluded that "lowered infection rates were positively correlated with higher rates of AV activity, stable AV product usage and status, and AV product diversity." The importance of a diverse product selection prevents a single incident, whether malicious or unfortunate, from causing a catastrophic outage. 

The actions by states to standardize on a single product using the SLCGP is creating a dominant security product scenario that causes monoculture, a default standard for cybercriminals to attack. Cybercriminals need to look for a weakness in only one product, or to discover an exploitable vulnerability, to affect a significant portion of services, potentially affecting the entire population of a state.

The solution is to promote, and require, diverse layers of defense architecture, and this should be a requirement of receiving SLCGP funding. 

**About the Author**

Chief Security Evangelist, ESET

With over 20 years of security industry experience, Tony Anscombe is an established author, blogger and speaker on the current threat landscape, security technologies and products, data protection, privacy and trust and internet safety. His speaking portfolio includes industry conferences RSA, Black Hat, VB, CTIA, MEF, Gartner Risk and Security Summit and the Child Internet Safety Summit. He is regularly quoted in security, technology, and business media, including BBC, the Guardian, the New York Times and USA Today, with broadcast appearances on Bloomberg, BBC, CTV, KRON, and CBS.

Is the US Federal Government Increasing Cyber-Risk Through Monoculture?

A simple toggle in Proofpoint's email service allowed for brand impersonation at an industrial scale. It prompts the question: Are secure email gateways (SEGs) secure enough?

Source: Cheryl Ann Quigley via Alamy Stock Photo

Millions of near-undetectable emails impersonating blue chip companies were spreading every day through the first half of 2024, thanks to some permissive features of Microsoft 365 and Proofpoint's email protection service.

Proofpoint's secure email gateway (SEG) is a kind of firewall for corporate emails, filtering what comes in and applying authentication to what goes out. Recently, though, researchers from Guardio uncovered a campaign undermining that outbound part, utilizing a "super-permissive misconfiguration flaw" to send credit-card scam emails that were signed and verified as if they came from legitimate, brand name corporate accounts.

"It puts recipients in a weird place," says Adam Maruyama, field CTO at Garrison Technology. "You can receive a spoofed email and be affected, even if you've done your full \[cybersecurity\] due diligence to try to protect yourself."

Proofpoint has since implemented a fix which has all but killed the campaign, but some broader questions around email security linger.

**How "EchoSpoofing" Worked**

"There's not been a lot that has changed in the underlying infrastructure of what email is since it first started," says Jeremy Fuchs, office of the CTO at Check Point Software. For example, "The sender address in an email is kind of like the sender address in snail mail. I could send you a letter and say it's coming from the North Pole, and there really wouldn't be anything anyone could do to stop it. It's not that simple in the digital world, but it's still fairly easy." 

In the campaign, which Guardio called "EchoSpoofing," the attacker took advantage of this fact by setting up their own Simple Mail Transfer Protocol (SMTP) server on a virtual server. From there, they could send out emails with whatever "From" header they wished — for example, a fake customer service account coming from an @disney.com or @northpole.cool domain.

Of course, any modern security solution that employs anti-spoofing technology like Domain-based Message Authentication Reporting & Conformance (DMARC) monitoring or spam filter would catch suspicious emails coming from a random server. But this is where the EchoSpoofing vulnerability comes into play.

It turned out that Proofpoint's SEG contained a toggle which, when turned on, trusted any emails routing through Microsoft Office 365. Microsoft 365 is a commonly used mail service among businesses, but anybody — including a hacker — can also use it. Thus, if a hacker could send mail through Microsoft to a Proofpoint customer, it would be trusted by default and passed along.

This is where mail exchange (MX) records came in handy. MX records in the Domain Name System (DNS) specify the mail servers responsible for handling email for a domain. Companies that use Proofpoint SEG send their MX records to Proofpoint's servers. These records are public so, Fuchs observes, "they weren't just guessing about who to target. They knew exactly who they could target."

In summary: the attacker forged emails mimicking major corporations (including Disney, Best Buy, ESPN, IBM, Coca Cola, Nike, Fox News, and dozens more) from a private SMTP server, then relayed them through Microsoft 365 to known Proofpoint customers. If the customer had the "super-permissive" setting toggled on, Proofpoint would stamp the malicious emails with the same Domain Keys Identified Mail (DKIM) verification it would legitimate emails, then sent them on to victim inboxes.

**Millions of Fake Emails a Day**

The EchoSpoofing campaign began in January, and was first discovered by Proofpoint itself in late March. At that point, the company explained in a blog post, it took a number of steps to notify and protect customers.

But those efforts did not stem the tide of attacks. In fact, the forged emails only grew in number — averaging three million per week, and occasionally surpassing ten million.

Source: Guardio

Dark Reading reached out to Proofpoint for more information on why email attacks only rose after its initial remediation efforts began. Proofpoint representatives pointed Dark Reading to passages of its blog, and did not provide further comment.

Perhaps the campaign survived because the attacker had a keen operational awareness. As Guardio explained, "Once it finds a vulnerable Proofpoint account (by testing out this exploit on a small scale), it saves the domain for later use, forcing time gaps between delivery opportunities. It switches abused domains and Office365 accounts each time, making it harder to spot the activity and trying to stay 'under the radar' as much as possible."

This diligence may have been the key to the campaign's staying power, even after it had been detected. "It was quite interesting to see how, once the campaign was spotted and Proofpoint customers started to patch and block this exploit, the threat actor realized the decline and started burning out assets — realizing 'the end is near' — as can be seen with the disney.com domain usage in the above graph in early June 2024."

EchoSpoofing finally seems to have died down recently, after Proofpoint introduced a vendor-specific header for outgoing emails. Now, customers can restrict the 365 accounts allowed to send emails on their behalf to only their own.

**Being Diligent About Corporate Email**

Besides permissiveness, negligence too paved the way for the EchoSpoofers.

According to Guardio, despite Proofpoint's efforts to alert Microsoft, the attackers' maliciously-wielded Office365 accounts remain active many months later. In a statement to Dark Reading, a Microsoft spokesperson claimed that "When our partner alerted us to this issue, we took immediate action to investigate. We blocked tenants abusing our service and disabled accounts deemed fraudulent."

Then there were the companies that were victims of being spoofed. As Nati Tal, head of Guardio Labs, notes, they weren't powerless to detect millions of fake emails impersonating their brands. "In this case, if someone from Disney or wherever was looking at the amount of emails being sent out from their ProofPoint \[server\], it would probably have popped out immediately, at the first moment. You would see some kind of anomaly."

That, he says, should be a lesson that "You need to implement some kind of logging, some kind of data tracking for your email distribution."

Organizations that don't implement secure email controls like DMARC monitoring risk far greater cyber consequences than EchoSpoofing has demonstrated thus far. As Maruyama reflects, "I think my concern is that these have been pretty generic spam attacks. 'Click here', then they try to steal your credit card number. I could see a world in which a more sophisticated actor would save a similar vulnerability to do very targeted spear phishing to, for example, get emails through that look like they are from the government and defense services, targeted toward individuals in the Pentagon, DHS, etc. That is a much bigger threat, with due respect to folks who've had credit cards stolen here."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Disney, Nike, IBM Signatures Anchor 3M Fake Emails a Day

Having a robust identity continuity plan is not just beneficial but essential for avoiding financially costly and potentially brand-damaging outages.

Source: Borka Kiss via Alamy Stock Photo

COMMENTARY  
In the modern enterprise, where IT infrastructure, applications, and data are spread across multiple clouds, hybrid clouds, and on-premises data centers, identity ensures that the right individuals have access to the right resources at the right times. In many ways, identity is now on par with electricity when it comes to business continuity. Without it, business operations grind to a standstill. 

Just as most businesses have backup power sources so they can continue to operate when their electric utility goes down, organizations should implement an identity continuity plan to maintain the availability of critical IT systems if their primary identity provider (IDP) is offline. Having a failover plan is more critical than ever, since many organizations now rely on cloud-based IDPs that are vulnerable to outages for a host of reasons, including provider outages, natural disasters, loss of Internet connectivity, and more. 

When developing an identity continuity strategy, the NIST Cybersecurity Framework can serve as a valuable model to follow. Designed to help organizations manage and mitigate cybersecurity risks, it consists of five core functions: Identify, Protect, Detect, Respond, and Recover. Each function plays a pivotal role in forming a robust identity continuity plan. Here’s how to map an identity continuity plan to the NIST Cybersecurity Framework. 

**Identify****Inventory Applications, Policies, and Identities**

The initial step in creating an identity continuity plan involves cataloging all applications, policies, and identities within the organization. This inventory should distinguish between different user groups, such as customers and employees, to address their specific access requirements effectively.

This process should include detailing interdependencies and criticalities to ensure comprehensive coverage. Classifying these resources based on their criticality and the potential impact of downtime helps prioritize efforts. For instance:

*   Critical applications: These are vital for immediate business operations, like primary revenue-generating platforms.
    
*   Important applications: These support daily operations but can endure short periods of downtime.
    
*   Supportive applications: These are necessary but not critical on an hour-to-hour basis.
    
*   Non-essential applications: These can tolerate extended downtimes without significant impact.
    

**Routine Continuity Tests**

Regularly testing the continuity plan is crucial for identifying gaps and ensuring its effectiveness. Routine tests help keep the plan up to date and ready for real-world disruptions.

**Protect****Ensure Continuous Identity Operations**

Protecting identity operations requires ensuring continuous access to identity services. This includes establishing robust mechanisms for cloud-to-cloud and cloud-to-premises failovers. With many organizations adopting zero-trust architectures, where each access request requires continuous authentication and authorization checks, identity continuity is even more critical to ensure end-to-end security.

**Develop Disaster Recovery Plans**

While preventing outages is always best, in addition to continuity planning it's critical to also have a disaster recovery plan. Regular backups of policies and resources from cloud and on-premises identity infrastructures ensure quick restoration if a rebuild is necessary.

**Detect****Monitor Identity Infrastructure**

Implement centralized analytics and reporting to continuously monitor the availability of identity and access services. Early detection of outages or slowdowns allows for prompt intervention and proactive response.

**Conduct Regular Testing**

Regular continuity tests simulate real-world scenarios to detect potential weaknesses in the identity infrastructure. This proactive "test to verify" approach ensures that the continuity plan is robust and effective.

**Respond****Maintain Continuous Identity Operations**

Develop strategies for failover and fail-back to ensure continuous identity operations. Predefined custom actions, alerts, and automations should be in place to handle various scenarios.

**Establish Failover Mechanisms**

Multiple layers of failover mechanisms ensure redundancy and resilience. For example, assign:

*   Primary identity provider (IDP)
    

*   On-premises IDP (as a last-resort backup)
    

**Predefine Continuity Actions**

Having predefined continuity actions ensures a swift and organized response to identity service disruptions. Actions can include automatic service ticket opening, initiating an incident response workflow, or some other scriptable action. This minimizes downtime and mitigates its impact on operations.

**Recover****Manage Incidents and Resolve Outages**

An incident management plan should outline the steps for failover, failback, and incident resolution. The focus should be on quick recovery while documenting and analyzing any anomalies. Use data collected for availability and outages with your IDP vendor to negotiate expectations.

**Run Disaster Recovery Backups**

Ensure the disaster recovery plan includes procedures for running backup and restore operations. This enables swift recovery from identity service outages, minimizing downtime.

**Govern****Continuous Monitoring and Policy Management**

Implement continuous monitoring of identity systems to ensure adherence to established policies. Regularly update, document, and report policies to reflect changes in the IT environment and emerging threats.

**Monitor Access Requests and Activities**

Track access requests and activities to identify unusual patterns that may indicate security threats. Continuous monitoring helps maintain a proactive defense against potential disruptions.

By leveraging the NIST Cybersecurity Framework, organizations can develop a comprehensive identity continuity plan that ensures resilience against disruptions. Now that identity is interwoven into all business operations and predominantly relies on cloud-based IDPs, having a robust identity continuity plan is not just beneficial but essential for avoiding financially costly and potentially brand-damaging outages.

**About the Author**

CEO, Strata Identity

Eric has made a career out of simplifying and securing enterprise identity management. He founded, scaled, and successfully exited both Securant/ClearTrust (Web Access Management) and Symplified, (the first IDaaS company). Recently Eric served as SVP and GM at Oracle, where he ran the identity and security business worldwide and was responsible for product development, go to market, and partnerships. As a technologist, he was a co-author of the SAML standard, created the first pre-integrated SSO platform, and is the visionary behind the Identity Fabric™.

Implementing Identity Continuity With the NIST Cybersecurity Framework

By injecting malicious bytecode into interpreters for VBScript, Python, and Lua, researchers found they can circumvent malicious code detection.

Source: Casimiro PT via Shutterstock

Attackers can hide their attempts to execute malicious code by inserting commands into the machine code stored in memory by the software interpreters used by many programming languages, such as VBScript and Python, a group of Japanese researchers will demonstrate at next week's Black Hat USA conference.

Interpreters take human-readable software code and translate each line into bytecode — granular programming instructions understood by the underlying, often virtual, machine. The research team successfully inserted malicious instructions into the bytecode held in memory prior to execution, and because most security software does not scan bytecode, their changes escaped detection.

The technique could allow attackers to hide their malicious activity from most endpoint security software. Researchers from NTT Security Holdings Corp. and the University of Tokyo will demonstrate the capability at Black Hat using the VBScript interpreter, says Toshinori Usui, research scientist with NTT Security. The researchers have already confirmed that the technique also works for inserting malicious code in the in-memory processes of both the Python and the Lua interpreters.

"Malware often hides its behavior by injecting malicious code into benign processes, but existing injection-type attacks have characteristic behaviors ... which are easily detected by security products," Usui says. "The interpreter does not care about overwriting by a remote process, so we can easily replace generated bytecode with our malicious code — it's that feature we exploit."

Bytecode attacks are not necessarily new, but they are relatively novel. In 2018, a group of researchers from the University of California at Irvine published a paper, "Bytecode Corruption Attacks Are Real — And How to Defend Against Them," introducing bytecode attacks and defenses. Last year, the administrators of the Python Package Index (PyPI) removed a malicious package, known as fshec2, which escaped initial detection because all its malicious code was compiled as bytecode. Python compiles its bytecode into PYC files, which can be executed by the Python interpreter.

"It may be the first supply chain attack to take advantage of the fact that Python byte code (PYC) files can be directly executed, and it comes amid a spike in malicious submissions to the Python Package Index," Karlo Zanki, reverse engineer at ReversingLabs, said in a June 2023 analysis of the incident. "If so, it poses yet another supply chain risk going forward, since this type of attack is likely to be missed by most security tools, which only scan Python source code (PY) files."

**Going Beyond Precompiled Malware**

After an initial compromise, attackers have a few options to expand their control of a targeted system: They can perform reconnaissance, try to further compromise the system using malware, or run tools already existing on the system — the so-called strategy of "living off the land."

The NTT researchers' variation of bytecode attack techniques essentially falls into the last category. Rather than using pre-compiled bytecode files, their attack — dubbed Bytecode Jiu-Jitsu — involves inserting malicious bytecode into the memory space of a running interpreter. Because most security tools do not look at bytecode in memory, the attack is able to hide the malicious commands from inspection.

The approach allows attacker to skip other more obviously malicious steps, such as calling suspicious APIs to create threads, allocating executable memory, and modifying instruction pointers, Usui says.

"While native code has instructions directly executed by the CPU, bytecode is just data to the CPU and is interpreted and executed by the interpreter," he says. "Therefore, unlike native code, bytecode does not require execution privilege, \[and our technique\] does not need to prepare a memory region with execution privilege."

**Better Interpreter Defenses**

Developers of interpreters, security-tools developers, and operating-system architects can all have some impact on the problem. While attacks targeting bytcode do not exploit vulnerabilities in interpreters, but rather the way that they execute code, certain security modifications such as pointer checksums could mitigate the risk, according to the UC Irvine paper.

The NTT Security researchers noted that checksum defenses would not likely be effective against their techniques and recommend that developers enforce write protections to help eliminate the risk. "The ultimate countermeasure is to restrict the memory write to the interpreter," Usui says.

The purpose of presenting a new attack technique is to show security researchers and defenders what could be possible, and not to inform attackers' tactics, he stresses. "Our goal is not to abuse defensive tactics, but to ultimately be an alarm bell for security researchers around the world," he says.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Attacks on Bytecode Interpreters Conceal Malicious Injection Activity

Law firms make the perfect target for extortion, so it's no wonder that ransomware attackers target them and demand multimillion dollar ransoms.

Source: the lightwriter via Alamy Stock Photo

2023 was the worst year on record for cybersecurity in the legal industry by some distance.

Just one point of evidence: Since 2018, 2.9 million records have been stolen in association with publicly reported breaches of law firms. Some 1.56 million records were stolen last year alone, an increase of 615% as compared with the down year of 2022 (218,473 records).

A new blog post from Comparitech paints a picture of an industry struggling to grapple with the ransomware problem. Major law firms have been paying multimillion dollar sums to protect their clients' ultra-sensitive data, and flailing in their attempts to fight back.

**The State of Legal Industry Cybersecurity**

Since 2018, 138 legal firms have publicly admitted being affected by ransomware attacks.

Of those, 107 attacks have been US-based, with approximately 2.9 million records affected. As Comparitech noted, the distance between the US and its next neighbors — the UK, with 9 attacks affecting 9,703 records, and Germany, with 5 affecting an unknown number — may have more to do with reporting requirements than anything else.

Source: Comparitech

Ransom demands vary widely. In 2021, the French law firm Cabinet Remy Le Bonnois paid the Everest group just $30,000 to resolve its attack. At the other end of the spectrum: REvil demanded $21 million from New York's Grubman Shire Meiselas & Sacks in 2020. The attackers doubled that amount to $42 million when the group discovered that Grubman's records included some belonging to Donald Trump. (The firm did not pay.)

The average ransom among publicly reported cases has been $2.47 million, and the average amount actually paid out after negotiations is $1.65 million. These numbers are rough estimates of reality, however, as only 11 reported incidents also reported the ransom demands, with only eight reported ransoms paid.

**Consequences to Law Firms**

If ransomware attacks against law firms have been trending, it's because they make for perfect targets.

"Legal firms are an interesting case," Paul Bischoff, privacy advocate at Comparitech explains, "because with most any other company, hackers are just looking for low-hanging fruit. They may want as many, say, Social Security numbers or passwords as they can possibly steal. And higher quantities of records is the goal. But with law firms, you have data that's very valuable to very specific people. Documents related to ongoing litigation would be extremely valuable to an opposing party in that case. So it's not so much about the quantity of data as much as it is about the content."

The ultra-sensitivity of legal data puts firms in a difficult negotiating position: pay millions of dollars, and risk achieving nothing, or don't, and risk extra ire from clients. 12% of legal industry ransomware attacks have resulted in lawsuits, and at least 75% of those have been successful.

Another reason to pay up? Comparitech estimates that the 138 attacks recorded might have cost victims around $18.8 billion dollars, purely thanks to the downtime they incurred. One victim of LockBit — the Ince Group, based in London — filed for bankruptcy last year after failing to cover the £5 million ($6.5 million USD) it spent restoring its systems.

Meanwhile, when victims try to use the law in their aid, they usually fail. The UK's Ward Hadaway and Australia's HWL Ebsworth Lawyers both issued injunctions against their attackers to little effect, as anonymous hackers aren't particularly easy to wrangle into court. Canadian firm Robson Carpenter LLP enjoyed seeing its attacker face justice, but in the end received just $2,500 in restitution.

On the bright side, ransomware attacks against law firms in 2024 are noticeably lagging behind last year's numbers. Only 11 have been reported so far, affecting an unknown volume of client data.

"Overall, ransomware attacks happen down in frequency of attacks across all sectors that we've been covering," Bischoff notes. Perhaps, he speculates, attackers have been choosing quality over quantity. Or, more optimistically, "I think it's law enforcement crackdowns, and companies and organizations getting better in general at knowing what these threats are and being prepared."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

More Legal Records Stolen in 2023 Than Previous 5 Years Combined

Researchers say the attacks are easy to perform, difficult to contact, nearly unrecognizable, and "entirely preventable."

Source: Panther Media GmbH via Alamy Stock Photo

More than a dozen Russian cybercriminals are taking advantage of opening in the Domain Name System (DNS) by deploying the "Sitting Ducks" attack that targets DNS providers.

In this kind of attack, a threat actor gains unauthorized access to a registered domain and conducts whatever activity they please, including impersonating the legitimate owner. This activity ranges from malware delivery and phishing campaigns to brand impersonation and data exfiltration. And the pool of exploitable domains is not small; the researchers at Infoblox and Eclypsium estimate that there are more than 1 million susceptible domains on any given day, with multiple ways to identify each of them.  

The attacks, according to the researchers, are easy to perform, difficult to contact, nearly completely unrecognizable, and most of all are "entirely preventable."

"While DNS serves as the backbone for Internet communication, it is often overlooked as a strategic attack surface," the researchers said. "Published attack vectors against DNS may be dismissed as inevitable and not receive the same level of mitigation as a software bug, creating a perfect attack surface for malicious actors."

To stop these kinds of attacks, the researchers recommend that domain name owners evaluate their risk, especially for domains 10 years or older. The researchers provide information on their blog post for how to evaluate a domain and mitigate risks to their DNS services.

**About the Author**

'Sitting Ducks' Attacks Create Hijacking Threat for Domain Name Owners

The prolific ransomware group has shifted away from phishing as the method of entry into corporate networks, and is now using initial access brokers as well as its own tools to optimize its most recent attacks.

Source: Ciaobucarest via Alamy Stock Photo

The enormously successful Black Basta ransomware group has pivoted to using new custom tools and initial access techniques as part of a shift in strategy in the wake of last year's takedown of the Qakbot botnet.

The evolution of the group, which has compromised more than 500 victims and counting, demonstrates the resilience of threat groups who have had to shift tactics on the fly due to law enforcement and other disruptions, yet still somehow continue to flourish in their cybercriminal operations, experts said.

Black Basta's initial claim to fame was its prolific use of Qakbot, which it distributed via sophisticated and evolving phishing campaigns. As an initial access Trojan, Qakbot could then deploy a host of publicly available open source tools and ultimately the gang's namesake ransomware. However, about a year ago, the Qakbot botnet was largely put out of commission (though it has since reappeared) in a federal law-enforcement campaign called Operation Duck Hunt, forcing the group to find new modes of access to victim infrastructure.

Initially, Black Basta continued to use phishing and even vishing to deliver other types of malware, such as Darkgate and Pikabot, but quickly began seeking alternatives to conduct further malicious activity, researchers from Mandiant revealed in a blog post this week.

The group, which Mandiant tracks as UNC4393, has now settled into a "transition from readily available tools to custom malware development as well as \[an\] evolving reliance on access brokers and diversification of initial access techniques" in recent attacks, Mandiant researchers wrote in the post.

**'SilentNight' Resurgence**

One of the new methods for initial access involves the deployment of a backdoor called SilentNight, which the group used in 2019 and 2021, respectively, before putting it on the shelf until last year. Earlier this year, the group began using it again in malvertising efforts, the researchers said, marking "a notable shift away from phishing," which previously was the “only known means of initial access,” they wrote in the post.

SilentNight is a C/C++ backdoor that communicates via HTTP/HTTPS and may utilize a domain generation algorithm for command and control (C2). It has a modular framework that allows for plug-ins to provide "versatile functionality, including system control, screenshot capture, keylogging, file management, and cryptocurrency wallet access," the researchers wrote. It also targets credentials through browser manipulation.

Once Black Basta gains access to target environments, the group uses a combo of living-off-the-land (LotL) techniques and an assortment of custom malware for persistence and lateral movement before deploying ransomware, the researchers found.

"UNC4393's goal is to gather as much data as quickly as possible followed by exfiltration of the collected data to engage in multi-faceted extortion, leveraging the threat of data leakage to pressure victims into paying ransom demands," the researchers noted.

**Custom Tools to Optimize Attacks**

One of the first new tools deployed after gaining initial access is called Cogscan, which seems to have replaced open source tools previously used by the group, such as Bloodhound, Adfind, and PSNmap to help map out victim networks and identify opportunities for either lateral movement or privilege escalation.

Cogscan is a .NET reconnaissance tool used to enumerate hosts on a network and gather system information, and is internally referred to as "GetOnlineComputers" by Black Basta itself, the researchers observed.

Another notable new tool that allows Black Basta to speed up its deployment of ransomware is Knotrock, a .NET-based utility. Knotrock creates a symbolic link on network shares specified in a local text file; after creating each symbolic link, Knotrock executes a ransomware executable and provides it with the path to the newly created symbolic link.

"Ultimately, Knotrock serves a dual purpose: it assists the existing Basta encryptor by providing network-communication capabilities, and streamlines operations by proactively mapping out viable network paths, thereby reducing deployment time and accelerating the encryption process," the Mandiant researchers wrote.

The malware represents an evolution in UNC4393's operations in that it boosts its capabilities "by expediting the encryption process to enable larger-scale attacks and significantly decreasing its time to ransom," they noted.

Other new tools observed in recent attacks include tunneling technology for command-and-control (C2) communications dubbed Portyard, and a memory-only dropper that decrypts an embedded resource into memory called DawnCry, the researchers said.

**Black Basta: A Significant Threat Remains**

Changes to Black Basta’s initial access and tooling demonstrate a "resilience" in the group that shows it will continue to remain a threat against "organizations of all sizes," even if it’s moving away from phishing, which is one of the most successful forms of cybercrime, one security expert noted.

"Given the success of this gang, there's no doubt they have a considerable amount of funds stocked away in their war chest, allowing them to develop their own tools and improve their ability to attack," says Erich Kron, security awareness advocate at security firm KnowBe4.

Indeed, Black Basta’s ability to adapt and innovate in its use of new tools and techniques means that defenders, too, also must be proactive and fortify their security measures with the latest technology and threat intelligence available, the Mandiant researchers said.

Defensive measures for organizations Kron recommends include "employee education and training to counter social engineering; strong data loss prevention controls to keep data from being stolen; a good endpoint detection and response system that can possibly spot and stop attempts to encrypt files from infected computers; and immutable and tested backups to allow for quick recovery in the event of system encryption."

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Black Basta Develops Custom Malware in Wake of Qakbot Takedown

A malvertising campaign uses phishing to steal legitimate account pages, with the endgame of delivering the Lumma stealer.

Source: Hocus Focus Studio via iStock

Attackers are hijacking pages on Facebook to lure victims into downloading a legitimate artificial intelligence (AI) photo editor, but then serving up a widely distributed infostealer to rob users of their credentials instead.

The malvertising campaign, discovered by researchers at Trend Micro, exploits the popularity of AI and combines a variety of popular threat tactics, including phishing, social engineering, and the use a legitimate utility in a malicious way. The ultimate payload is the Lumma stealer, which targets sensitive information, including user credentials, system details, browser data, and extensions.

The attack hinges on the abuse of paid Facebook promotions, which attackers have leveraged to lure users into engagement and ultimately deliver malware, the researchers noted in a blog post today.

“Once the attacker gains control of the page, ads are posted promoting the AI photo editor, leading victims to download an endpoint management utility disguised as the photo editor,” Trend Micro threat researcher Jaromir Horejsi wrote.

Attackers also are taking advantage of the current attention on AI technology and tools associated with it by using these tools "as lures for malicious activities, which includes phishing scams, deepfakes, and automated attacks," he wrote.

So far, the malicious package associated with the campaign has generated about 16,000 downloads on Windows and 1,200 on macOS. However, the macOS version redirects to the Apple website instead of an attacker-controlled site, suggesting that attackers are only targeting Windows users with the campaign.

**Phishing Leads to Hijacked Pages**

A typical attack in the campaign starts before a potential victim even sees an ad. Attackers begin by sending phishing messages to owners of the targeted social media page to gain control of the page for their own malicious use. The sender account typically looks like an empty profile with randomly generated user names.

The phishing links in the messages are sent either as direct links or personalized link pages, such as linkup.top, bio.link, s.id, and linkbio.co, among others. Sometimes attackers even abuse Facebook's open redirect URL for these links to appear more legitimate.

If the page operator clicks on the links, they are presented with a screen to verify their information with a "Business Support Center" for Meta developers. Clicking on that screen's "Verify Your Information Here" link leads to a fake account protection page, "which in several subsequent steps, asks users for the information necessary to log in and take over their account, such as their phone number, email address, birthday, and password," Horejsi explained.

After the target provides this info, the attacker steals the profile and begins creating and posting malicious ads for an AI photo editor with links to a fake domain that uses the name of a legitimate tool, such as Evoto.

"The fake photo editor web page looks very similar to the original one, which helps in tricking the victim into thinking that they are downloading a photo editor," Horejsi wrote.

However, what a user who takes the bait actually downloads is the freely available ITarian endpoint management software. The attacker, using a series of back-end processes controls, ultimately controls the victim's machine to download the final payload, the Lumma stealer.

**Avoiding Compromise**

There are a number of ways that people can avoid falling victim to the campaign and threats that abuse social media pages, which not only can compromise users but also lead to secondary attacks via stolen credentials that act as initial entry into enterprise infrastructure, according to Trend Micro.

Social-media users should enable multifactor authentication on all their accounts to add an extra layer of protection against unauthorized access, as well as regularly update and use strong, unique passwords across all accounts.

Organizations also should regularly practice education and awareness to let their employees know of the dangers lurking on social media while accessing corporate networks, as well as how to identify suspicious messages and links associated with phishing attacks.

Finally, both organizations and individual users should monitor their accounts for any unusual behavior, such as unexpected login attempts or changes to account information. Organizations should employ some kind of detection and response mechanisms.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Source

DARKReading