The threat intelligence business, which is set to be acquired by Mastercard for billions, is officially vendor non grata in Putin's regime.

Source: JHG via Alamy Stock Photo

NEWS BRIEF

The Russian government has set a new precedent for itself by officially designating Recorded Future, the cyber threat intelligence (CTI) company, as "undesirable." It's a development that the company's CEO sees as a badge of honor.

The term is the country's official parlance for sanctioning, and it means that Recorded Future won't be able to operate within Russia or interact with any Russian companies or individuals. It's a status that was first introduced in 2015 as a way to cut off Russian citizens from the influence of nongovernmental organizations (NGO), media organizations, and other members of civil society that call out human rights abuses and other concerns about Vladimir Putin's regime, which is widely characterized as repressive and authoritarian.

Recorded Future is the first infosec organization and one of very few businesses to "earn" the designation, though the Russia Federation's Office of the Prosecutor General incorrectly labeled it as an NGO in its Dec. 18 announcement about the "undesirable" labeling.

Among the company's supposed crimes against the state: being funded by American businesses; providing services for searching, processing, and analyzing data including on the Dark Web; "specializing in cyber threats"; and actively interacting with the CIA and other foreign intelligence forces.

The Prosecutor General also called out the company, which incidentally is being acquired by Mastercard for $2.65 billion, for spreading "propaganda" and engaging in "offensive information campaigns" regarding its war with Ukraine, tracking Russian Army activities, and feeding intelligence to the Ukrainian authorities.

For his part, Recorded Future CEO Christopher Ahlberg took the news better than in stride, posting on X, "Some things in life are rare compliments. This being one."

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Recorded Future: Russia's 'Undesirable' Designation Is a Compliment

Attackers are using links to the popular Google scheduling app to lead users to pages that steal credentials, with the ultimate goal of committing financial fraud.

Source: Anatolii Babii via Alamy Stock Photo

Attackers are spoofing Google Calendar invites in a fast-spreading phishing campaign that can bypass email protections and aims to steal credentials, ultimately to defraud users for financial gain.

The campaign, discovered by researchers at Check Point Software, relies on modified "sender" headings to make emails appear as if they were sent via Google Calendar on behalf of a legitimate entity, such as a trusted brand or individual, they revealed in a blog post published Dec. 17.

Initially, messages included malicious Google Calendar .ics files that would lead to a phishing attack, the threat hunters wrote. However, "after observing that security products could flag malicious Calendar invites," attackers began aligning those files with links to Google Drawings and Google Forms to better disguise their activity.

**Mass-Scale Financial Scamming Is the Goal**

Given that Google Calendar is used by more than 500 million people and is available in 41 different languages, the campaign provides a massive attack surface, so "it is no wonder it has become a target for cybercriminals" seeking to compromise online accounts for financial gain, the team noted.

"After an individual unwittingly discloses sensitive data, the details are then applied to financial scams, where cybercriminals may engage in credit card fraud, unauthorized transactions or similar, illicit activities," the researchers wrote in the post. Stolen data also can be used to bypass security measures on other victim accounts to lead to further compromise, they added.

Related:Interpol: Can We Drop the Term 'Pig Butchering'?

Attackers also are moving fast with the campaign, with researchers observing more than 4,000 emails associated it in a four-week period. In those messages, attackers used references to about 300 brands in their fake invites to make them appear authentic, they wrote.

**What a Google Calendar Phish Looks Like**

A message associated with the campaign looks like a typical invite from Google Calendar in which someone known to or trusted by the individual targeted shares a calendar invite with them. The appearances of the messages vary, with some that really look almost identical to typical Google Calendar notifications, "while others use a custom format," the team wrote.

As noted previously, the emails include a calendar link or file (.ics) that includes a link to Google Forms or Google Drawings in an attempt to bypass email-scanning tools. Once a user takes the bait, they are then asked to click on another link, "which is often disguised as a fake reCAPTCHA or support button," that forwards them to a page "that looks like a cryptocurrency mining landing page or bitcoin support page," according to the post.

Related:Wallarm Releases API Honeypot Report Highlighting API Attack Trends

"These pages are actually intended to perpetrate financial scams," the team wrote. "Once users reach said page, they are asked to complete a fake authentication process, enter personal information, and eventually provide payment details."

**How to Avoid Becoming a "Google" Phishing Cyber Victim**

Check Point contacted Google about the campaign, which recommended that Google Calendar users enable the "known senders" setting in the app to help defend against this type of phishing. This setting will alert a user when they receive an invitation from someone not in their contact list or someone with whom they have not interacted with from their email address in the past, the company said.

Corporate defenders can used advanced email security solutions that can identify and block phishing attacks that manipulate trusted platforms with the inclusion of attachment scanning, URL reputation checks, and AI-driven anomaly detection, the Check Point team wrote.

Organizations also should monitor the use of third-party Google Apps and use cybersecurity tools that can specifically detect and warn its security teams about suspicious activity on third-party apps.

Related:Texas Tech Fumbles Medical Data in Massive Breach

Finally, two often-cited pieces advice for organizations when recommending phishing defense — the use of multifactor authentication (MFA) across business accounts and employee training on sophisticated phishing tactics — also can work in cases like this to shore up security.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Phishers Spoof Google Calendar Invites in Fast-Spreading, Global Campaign

Cyberattackers used fake DocuSign links and HubSpot forms to try to solicit Azure cloud logins from hundreds of thousands of employees across Europe.

Source: Ascannio via Alamy Stock Photo

A full 20,000 employees of European manufacturing companies have been targeted by a phishing campaign.

According to Palo Alto Networks' Unit 42, the activity peaked in June and survived until at least September. The cyberattackers targeted automotive, chemical, and industrial compound manufacturing companies, primarily in Western European countries like the UK, France, and Germany.

The attackers' goal was to lure employees into divulging credentials to their Microsoft accounts, particularly in order to gain access to their enterprise Azure cloud environments.

**DocuSign, HubSpot & Outlook Phishing**

The infection chain began either with an embedded HTML link or a DocuSign-enabled PDF file named after the targeted company (e.g., darkreading.pdf). In either case, the lure funneled victims to one of 17 HubSpot Free Forms. Free Forms are HubSpot's customizable online forms for gathering information from website visitors.

The forms were not actually used to gather any information from victims. They were bare, and clearly written by a non-native speaker. "Are your \[sic\] Authorized to view and download sensitive Company Document sent to Your Work Email?" they asked, with a button to view the purportedly sensitive document in "Microsoft Secured Cloud."

Related:CISA Directs Federal Agencies to Secure Cloud Environments

Those who fell for this step were redirected to another page, mimicking a Microsoft Outlook Web App (OWA) login page. These pages — hosted on robust, anonymous bulletproof virtual private servers (VPS) — incorporated their targets' brand names, with the top-level domain (TLD) ".buzz" (as in www.darkreading.buzz). Victims' Microsoft credentials were harvested here.

With stolen accounts in hand, the threat actor set about burrowing into targets' enterprise cloud environments. The next important step to that end involved registering their own device to victims' accounts. Doing so allowed them to log in thereafter as an authenticated user, and thus avoid triggering security alerts. They enhanced their disguise further by connecting through VPN proxies located in the same country as their target.

Registering a device also provided a point of persistence against any attempts to unseat the attacker. In one case Unit 42 observed, for example, an IT team was stymied as soon as they tried to regain control of a stolen account. Seeing that they might be booted, the attacker initiated a password reset, knowing that the link to do so would be sent to them. A "tug-of-war scenario" ensued, Unit 42 reported, triggering several more security alerts along the way until the matter was resolved.

Related:Azure Data Factory Bugs Expose Cloud Infrastructure

**Cyberattackers Broaden their Horizons to the Cloud**

The volume of compromised users and organizations in this campaign is unknown, though likely low. As Nathaniel Quist, senior threat researcher at Unit 42, points out, "since this operation equates to a double breach event, as the phishing email must be opened, then an additional operation of successfully requesting Azure credentials needed to occur. We suspect that an even smaller number of victims would have also provided the cloud credentials. For example, not every victim would also be using Azure infrastructure for their cloud operations."

What's clearer is what would have happened to those organizations that were breached. With account credentials and a point of persistence, the attackers would have embedded themselves deeper into enterprise cloud environments, "by either escalating their access to create, modify, or delete cloud resources by attaching more privileged \[identity and access management\] policies, or they would have moved laterally within the cloud environment toward storage containers that the victim IAM account may have had access to," Quist says.

Though at first glance it might appear a fairly standard phishing operation, Quist says, it also reflects something broader about cyberattack trends lately — a gradual move toward broader, more ambitious cloud attacks.

Related:Zerto Introduces Cloud Vault Solution for Enhanced Cyber Resilience Through MSPs

"From my view, we are starting to see a growing trend of phishing operations that are not establishing a malware-focused beachhead on the victim system, but instead are targeting the user's access credentials to either cloud platforms, like Azure in this case, or SaaS platforms," he says. "The victim endpoint is only the initial access into the larger cloud platform it is connected to."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Manufacturers Lose Azure Creds to HubSpot Phishing Attack

PRESS RELEASE

SAN FRANCISCO--(BUSINESS WIRE)--Wallarm, the leader in real-time blocking of API attacks, on Dec. 17 unveiled a comprehensive security research report based on data collected from the world's first globally distributed API honeypot network. The findings reveal critical insights into the growing threat landscape for APIs, showcasing their increasing vulnerability to rapid discovery and exploitation.

APIs have surpassed web applications as the primary targets of attackers, underscoring the urgency for businesses to implement robust API security measures. Organizations are plagued by uncontrolled API sprawl and lack of API governance, leading to significant breaches from exposed APIs. Wallarm’s study highlights several alarming trends that demand immediate attention from organizations deploying APIs.

Key Findings from the Report:

*   APIs Are the Prime Target: APIs now attract more attacks than traditional web applications.
    
*   Rapid Discovery: Newly deployed APIs are discovered by attackers in as little as 29 seconds.
    
*   Immediate Exploitation: Unprotected APIs are exploited within one minute of discovery.
    
*   High Velocity Data Theft: Attackers using batched API requests can exfiltrate millions of user records in seconds.
    
*   Targeting Well-Known Products: Recognizable and widely used API products face heightened targeting by attackers.
    

Related:Interpol: Can We Drop the Term 'Pig Butchering'?

Wallarm’s globally distributed honeypot, spanning 14 locations, captures data from diverse geographies and providers, revealing critical trends. The honeypot provides targeted responses to API requests across multiple protocols, including REST, XML-RPC, GraphQL, and others. Over half (54%) of observed request types were API-specific, demonstrating that APIs are the preferred vector for attackers. Among these, 40% of requests targeted known vulnerabilities (CVEs). While port 80 emerged as the most commonly discovered entry point, interactions were distributed across many ports, demonstrating that protecting only common ports is insufficient.

“This report sheds light on a rapidly evolving attack surface and represents a groundbreaking effort in API security research,” said Ivan Novikov, CEO and founder at Wallarm. “APIs are the foundation of modern applications, but their widespread deployment and inadequate protection make them an attractive target for attackers. We hope this research helps organizations invest in strong protection for their APIs.”

Wallarm’s full report offers actionable insights and recommendations to safeguard APIs. To access the full research report and learn more about securing your APIs, visit http://www.wallarm.com/resources/api-honeypot-report.

Related:Phishers Spoof Google Calendar Invites in Fast-Spreading, Global Campaign

Wallarm Releases API Honeypot Report Highlighting API Attack Trends

Working closely with CISOs, chief financial officers can become key players in protecting their organizations' critical assets and ensuring long-term financial stability.

Shai Gabay, Co-Founder & CEO, Trustmi

December 18, 2024

4 Min Read

Source: Dzmitry Skazau via Alamy Stock Photo

COMMENTARY

Cybersecurity has spurred many changes in the past five years, from the technology and tools needed to protect an organization from cyberattackers to the skill sets required by IT professionals. The consistent and ongoing ripple effect has also influenced organizational roles and responsibilities. Arguably, one of the most dramatic shifts has been the role of the chief financial officer (CFO).

Today's CFOs must be collaborative leaders, willing to embrace an expanding role that includes protecting critical assets and securing the bottom line. To do this, CFOs must work closely with chief information security officers (CISOs), due to the sophistication and financial impact of cyberattacks. Financial professionals understand data flows and financial processes, while security professionals know the latest cyber threats and best practices to combat those threats. Combining this expertise results in more informed technical investments, faster detection of anomalies, and stronger overall cybersecurity measures.

This enhanced approach is critical as we see payments and unsuspecting financial professionals increasingly become the targets of cyberattacks. Both are prime targets because of the volume of money and transactions they process, often manually leaving organizations even more vulnerable to phishing schemes that can go undetected for months. Collaboration between finance and security departments is crucial to threat detection, maintaining compliance, addressing third-party risks, and providing companywide cybersecurity education and training.

**The Impact of a Security Breach**

The increasing financial impact of a cyberattack alone mandates CFO involvement in cybersecurity matters. According to IBM's "Cost of a Data Breach Report 2024," the global average cost of a data breach reached $4.88 million in 2024, a 10% increase over last year. This substantial financial risk underscores why CFOs must now consider cybersecurity a primary concern for an organization's economic health.

CFOs are uniquely positioned to understand the potential financial devastation from cyber incidents. The costs associated with a breach extend beyond immediate financial losses, encompassing longer-term repercussions, such as reputational damage, legal liabilities, and regulatory fines. CFOs must measure and consider these potential financial impacts when participating in incident response planning.

**Compliance Requires Protection**

The regulatory landscape for CFOs has evolved significantly beyond Sarbanes-Oxley. The Securities and Exchange Commission's (SEC's) rules on cybersecurity risk management, strategy, governance, and incident disclosure have become a primary concern for CFOs and reflect the growing recognition of cybersecurity as a critical financial and operational risk.

The SEC's cybersecurity rules require public companies to disclose material cybersecurity incidents within four business days and provide periodic updates on their cybersecurity risk management, strategy, and governance. This places significant responsibilities on CFOs, who must ensure timely disclosure of cyber incidents and help to develop and implement risk management strategies. As a result, CFOs must work closely with CISOs, board members, and executives to establish effective cybersecurity governance and provide detailed reporting on the company's cybersecurity posture and incident response capabilities.

CFOs must also navigate other cybersecurity regulations, such as the General Data Protection Regulation (GDPR) in the European Union, the California Consumer Privacy Act (CCPA), and similar state-level regulations, and adhere to industry-specific regulations like the Health Insurance Portability and Accountability Act (HIPAA). These regulations carry significant financial penalties for noncompliance, further emphasizing the critical role CFOs play in managing cyber-risks. As a result, CFOs must now be well-versed in cybersecurity best practices, incident response protocols, and the evolving regulatory landscape to protect their organizations' financial interests and maintain compliance effectively.

**Collaboration and Allocation**

Adding to the complexity, the CFO is now a cross-functional collaborator who must work closely with IT, legal, and other departments to prioritize cyber initiatives and investments. They must also work with the CISO and chief information officer (CIO) to educate the CEO and the board on cybersecurity matters and communicate broadly, at times, with employees, customers, partners, and investors.

CFOs needs to consider the corporate strategy and broader business decisions as they help determine the company's approach and investment in cybersecurity tools and technologies. This level of decision-making requires CFOs to understand the cyber landscape, threats and trends, and viable investment strategies. This expanded role requires CFOs to help their organizations build resilience against cyber threats while ensuring that security measures are cost-effective and aligned with overall business strategy.

**How CFOs Can Succeed**

Working closely with CISOs, CFOs can become key players in protecting their organizations' critical assets and ensuring long-term financial stability. To succeed in this new landscape, CFOs must foster strong partnerships with CIOs and CISOs, develop a deep understanding of cybersecurity risks and technologies, and integrate cybersecurity considerations into all aspects of financial planning and risk management. Doing so can help organizations build resilience against cyber threats while supporting broader business objectives and growth strategies.

**About the Author**

Co-Founder & CEO, Trustmi

Shai Gabay is the co-founder and CEO of Trustmi, a leading end-to-end payment security platform founded in Israel in 2021. Before Trustmi, he was General Manager at Opera and Vice President of Product and Services at Cynet. He also served as the CIO at Cyberbit and the CISO at Discount Bank, among other roles in cybersecurity and risk management. Shai holds a bachelor’s degree in software engineering from Shenkar College and a master’s in business administration and management from Tel Aviv University. Additionally, Shai was selected for the prestigious full scholarship executive excellence program at the Hoffman Kofman Foundation, a program tailored to outstanding alumni of the Israeli Defense Force's Elite Units. Through this program, he studied with prominent co-founders and leaders at renowned global tech companies and professors at elite universities.

The Importance of Empowering CFOs Against Cyber Threats

The Russian-based attack group uses legitimate red-team tools, 200 domain names, and 34 back-end RDP servers, making it harder to identify and block malicious activity.

Source: Funtap via Shutterstock

An ongoing cyber-espionage campaign by Russia's Midnight Blizzard threat group may be much larger in scope than generally assumed, targeting international entities in government, armed forces, and academic institutions, Trend Micro said in recently released research.

At its peak in October, Trend Micro researchers observed Midnight Blizzard — which they track as Earth Koshchei — hitting as many as 200 entities a day with phishing emails containing a malicious Remote Desktop Protocol (RDP) file and red-team testing tools to take control of victim systems and steal data or plant malware on them. That volume is roughly what other groups with similar capabilities to — such as Pawn Storm — typically target over multiple weeks, Trend Micro said in a report this week.

In these attacks, intended victims received tailored spear-phishing emails containing a malicious or rogue RDP configuration file that, if used, would direct the victim's system to a remote attacker-controlled system. RDP configuration files simplify and automate remote access to enterprise systems by storing settings — such as a target computer's address and connection preferences — to enable remote desktop connections.

Trend Micro found the threat actor using the open source PyRDP tool as a sort of adversart-in-the-middle proxy to redirect connection requests from victim systems to attacker-controlled domains and servers. "The attack technique is called 'rogue RDP,' which involves an RDP relay, a rogue RDP server, and a malicious RDP configuration file," the researchers explained. "A victim of this technique would give partial control of their machine to the attacker, potentially leading to data leakage and malware installation."

**Careful Planning**

In August, Midnight Blizzard began setting up what would eventually be more than 200 domain names to direct victims to as part of the attack chain. Trend Micro also observed the attacker using 34 rogue RDP backend servers as part of its sprawling infrastructure.

The domain names that the threat actor used suggested government and military targets in the US, Europe, Japan, Australia, and Ukraine. Intended victims included ministries of foreign affairs, academic researchers, and military entities.  "The scale of the RDP campaign was huge," Trend Micro found.

Midnight Blizzard is a cyber-espionage group that the US government has identified as working for on or behalf of Russia's foreign intelligence service. The group is tied to numerous well known breach incidents, including ones at Microsoft, SolarWinds, HPE, and multiple US federal government agencies. Its campaigns typically involve sophisticated spear-phishing emails, stolen credentials, and supply chain attacks to gain initial access to target systems. It is also known to target vulnerabilities in widely used networking and collaboration tools from vendors such as Pulse Secure Citrix, Zimbra, and Fortinet.

The group has also has a penchant for using legitimate pen testing and red-team tools to evade detection by endpoint security controls. In the current campaign. Midnight Blizzard's use of legitimate tools like RDP and PyRDP has allowed the threat actor to operate largely under the radar on compromised networks. In addition, the threat actors often have a tendency to tap resident proxy services, Tor, and VPNs as anonymization layers while it operates in stealth on compromised networks.

"Notably no malware is installed on the victim's machines per se. Instead, a malicious configuration file with dangerous settings facilitates this attack, making it a stealthier living-off-the-land operation that is likely to evade detection," according to Trend Micro's report.

The security vendor wants organizations that don't block outbound RDP connection requests to begin doing so straight away. They also recommend blocking RDP configuration files in email.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Midnight Blizzard Taps Phishing Emails, Rogue RDP Nets

Hackers are abusing legitimate Windows utilities to target Thai law enforcement with a novel malware that is a mix of sophistication and amateurishness.

Source: CPA Media Pte Ltd via Alamy Stock Photo

Unknown hackers are targeting individuals associated with Thailand's government, using a new and unwieldy backdoor dubbed "Yokai," potentially named after a type of ghost found in the video game Phasmophobia, or after spirits in Japanese folklore.

Researchers from Netskope recently came across two shortcut (LNK) files disguised as .pdf and .docx files, unsubtly named as if they pertained to official US government business with Thailand. The attack chain tied to these fake documents cleverly used legitimate Windows binaries to deliver the previously unknown backdoor, which appears to be a hastily developed program designed to run shell commands. It carries a risk of unintended system crashes, the researchers noted.

**Ghost in the Machine: US-Themed Lures in Phishing Attack**

From Thai, the lure documents translate to "United States Department of Justice.pdf" and “Urgently, United States authorities ask for international cooperation in criminal matters.docx." Specifically, they made reference to Woravit "Kim" Mektrakarn, a former factory owner in California tied to the disappearance and suspected murder of an employee in 1996. Mektrakarn was never apprehended and is believed to have fled to Bangkok.

"The lures also suggest they are addressed to the Thai police," notes Nikhil Hegde, senior engineer for Netskope. "Considering the capabilities of the backdoor, we can speculate that the attacker's motive was to get access to the systems of the Thai police."

Related:Russian FSB Hackers Breach Pakistani APT Storm-0156

Like any other phishing attack, opening either of these documents would cause a victim to download malware. But the path from A to B wasn't so jejune as that might suggest.

**Abusing Legitimate Windows Utilities**

To begin their attack chain, the attackers made use of "esentutl," a legitimate Windows command line tool used to manage Extensible Storage Engine (ESE) databases. Specifically, they abused its ability to access and write to alternate data streams (ADS).

In Windows' New Technology File System (NTFS), files commonly contain more than just their primary content — their main "stream." An image or text document, for example, will also come packed with metadata — even hidden data — which won't be visible in the normal listing of the file, because it is not so pertinent to users. An unscrutinized channel for appending hidden data to a seemingly harmless file, however, is a luxury to a cyberattacker.

"ADS is often used by attackers to conceal malicious payloads within seemingly benign files," Hegde explains. "When data is hidden in an ADS, it does not alter the visible size or properties of the primary file. This allows attackers to evade basic file scanners that only inspect the primary stream of a file."

Related:Hamas Hackers Spy on Mideast Gov'ts, Disrupt Israel

Opening the shortcut files associated with this campaign would trigger a hidden process, during which Esentutl would be used to pull decoy government documents, and a malicious dropper, from two alternate data streams. The dropper would carry with it a legitimate copy of the iTop Data Recovery tool, used as a gateway for sideloading the Yokai backdoor.

**Inside the Yokai Backdoor Malware**

Upon entering a new system, Yokai checks in with its command-and-control (C2) base, arranges an encrypted channel for communication, then waits for its orders. It can run any ordinary shell commands in order to steal data, download additional malware, etc.

“There are some sophisticated elements in Yokai," Hegde says. For example, "Its C2 communications, when decrypted, are very structured." In other ways, though, it proves rough around the edges.

If run using administrator privileges, Yokai creates a second copy of itself, and its copy creates a third copy, ad infinitum. On the other hand, to prevent itself from running multiple times on the same machine, it checks for the presence of a mutex file — if the file exists, it terminates itself, and if it doesn't, it creates it. This check occurs after the self-replication step, however, only after the malware has begun spawning out of control. "This leads to repetitive, rapid duplicate executions that immediately terminate upon finding the mutex. This behavior would be clearly visible to an EDR, diminishing the stealth aspect of the backdoor," Hegde says.

Related:China's Elite Cyber Corps Hone Skills on Virtual Battlefields

Even a regular user might notice the strange effects to their machine. "The rapid spawning creates a noticeable slowdown. If the system is already under heavy load, process creation and execution might already be slower due to resource contention, further exacerbating the system's performance issues," he says.

In all, Hegde adds, "This juxtaposition of sophistication and amateurism stands out the most to me, almost as if two different individuals were involved in its development. Given the version strings found in the backdoor and its variants, it is likely still being continuously developed."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Thai Police Systems Under Fire From 'Yokai' Backdoor

The cyberattack impacts at least 1.4 million patients, as tranches of highly sensitive personal, medical, and financial data fall into the hands of cyber crooks who have everything they need to carry out convincing social engineering and fraud attacks.

Source: Kirby Lee via Alamy Stock Photo

NEWS BRIEF

Texas Tech University's Health Sciences Centers (HSCs) in Lubbock and El Paso are the latest victims of a disruptive cyberattack. The incident impacted the data of 1.4 million patients, exposing a treasure trove of valuable information that could be used for convincing follow-up social engineering attacks, identity theft, and more.

The attackers had access to the university's medical environments between Sept. 17 and 29, during which time they made off with "certain files and folders from the HSCs' network," according to a website notice.

**Cyberattackers Steal Reams of Sensitive Patient Data**

The folders contained patient names, dates of birth, Social Security numbers, driver's license numbers, financial data, medical information, billing and insurance data, medical records numbers, and more.

"The health and social-care sector has always been a popular target for cybercriminals," Brian Higgins, security specialist at Comparitech, said via email. "The combination of plentiful data points along with the often very sensitive nature of some of the information serves not only to add increased pressure on breached organizations to settle any ransom demands, but also to render individual client-side victims more susceptible to follow-up attacks seeking password or logon access and other personal information."

Related:Microsoft Teams Vishing Spreads DarkGate RAT

In October, a ransomware group called Interlock claimed to be behind the hack, saying that it stole 3.2 terabytes of data from the Red Raiders.

"The group posted images of what it says are stolen documents on its leak site," Paul Bischoff, consumer privacy advocate at Comparitech, said via email. "TTHUSC hasn't verified that claim, but no other groups have claimed responsibility at this time. Interlock is a new ransomware gang that first started adding targets to its leak site in October. This was one of the biggest medical data breaches of 2024."

**Texas Tech's Block & Tackle Incident Response**

For its part, the school is offering somewhat boilerplate information: "The HSCs are in the process of notifying individuals whose information may be involved in this incident," according to the notice, which added that free credit monitoring is available. "To help prevent a recurrence, the HSCs are reviewing existing security policies and procedures as part of the investigation and are implementing additional safeguards to enhance system protection and monitoring."

It also noted that affected individuals should monitor their credit reports and bank accounts for evidence of identity theft and fraud, review account statements, and scrutinize health care and health insurance billing statements for suspicious activity or errors.

Related:'Dubai Police' Lures Anchor Wave of UAE Mobile Attacks

"One can only hope that Texas Tech will offer a decent level of security mitigation measures … to try to alleviate what is an incredibly stressful situation for all involved," Higgins noted. "It's reasonable, after so many documented attacks, that users should expect high-risk sectors to harden, but that doesn't seem to be happening with the force and frequency necessary to combat the threat."

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Texas Tech Fumbles Medical Data in Massive Breach

Actions direct agencies to deploy specific security configurations to reduce cyber-risk.

PRESS RELEASE

WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA) today issued Binding Operational Directive (BOD) 25-01, Implementing Secure Practices for Cloud Services to safeguard federal information and information systems. This Directive requires federal civilian agencies to identify specific cloud tenants, implement assessment tools, and align cloud environments to CISA’s Secure Cloud Business Applications (SCuBA) secure configuration baselines.

Recent cybersecurity incidents highlight the significant risks posed by misconfigurations and weak security controls, which attackers can use to gain unauthorized access, exfiltrate data, or disrupt services. As part of CISA and the broad U.S. government's effort to move the federal civilian enterprise to a more defensible posture, this Directive will further reduce the attack surface of the federal government networks.

"Malicious threat actors are increasingly targeting cloud environments and evolving their tactics to gain initial cloud access. The actions required by agencies in this Directive are an important step in reducing risk to the federal civilian enterprise," said CISA Director Jen Easterly. "While this Directive only applies to federal civilian agencies, the threat to cloud environments extends to every sector. We urge all organizations to adopt this guidance. When it comes to reducing cyber risk and ensuring resilience, we all have a role to play."

As federal civilian agencies implement this mandate, CISA will monitor and support agency adherence and provide additional resources as required. CISA is committed to using its cybersecurity authorities to gain greater visibility and drive timely risk reduction across federal civilian agencies.

The new Directive can be found at Binding Operational Directive (BOD) 25-01. To learn more about CISA Directives, visit Cybersecurity Directives webpage.

CISA Directs Federal Agencies to Secure Cloud Environments

PRESS RELEASE

SAN FRANCISCO--(BUSINESS WIRE)-- Delinea, a pioneering provider of solutions for securing identities through centralized authorization, today announced it has been authorized by the Common Vulnerabilities and Exposures (CVE®) Program as a CVE Numbering Authority (CNA).

The mission of the CVE Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. CNAs are organizations responsible for regularly assigning CVE Identifiers (CVE IDs) to vulnerabilities and for creating and publishing information about the vulnerability in the associated CVE Record. Each CNA has a specific scope of responsibility for vulnerability identification and publishing. Delinea proudly joins a list of partners, including 420+ organizations from 40 countries, to further expand the community-driven CVE Program.

As a CNA, Delinea is authorized to review and assign CVE IDs to newly discovered zero-day vulnerabilities in the company’s software products. This will allow Delinea to directly establish new CVEs, streamline the reporting process, and continue to foster collaboration with the industry as a whole.

“Joining the CVE Program as a CNA reinforces our commitment and dedication to collaborating with the global cybersecurity community to identify and address emerging threats and shape the future of cybersecurity,” said Phil Calvin, Chief Product Officer at Delinea. “As identity security becomes the new frontline in cyber defense, safeguarding identities and governing their interactions is more critical than ever. Delinea’s involvement in this program will ensure our identity security solutions continue to be the most reliable in the market.”

Delinea provides the only identity security platform that enables organizations to seamlessly govern interactions across the modern enterprise through intelligent authorization. It applies context and intelligence throughout the identity lifecycle, eliminating threats while boosting productivity.

**A community-based approach to strengthening cybersecurity**

The CVE Program is sponsored by the Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security (DHS) and is operated by the MITRE Corporation in close collaboration with international industry, academic, and government stakeholders. It is an international, community-based effort to discover vulnerabilities and then assign and publish them to the CVE List, which CNAs build.

Use of CVE Records enables information technology and cybersecurity professionals to ensure they are discussing the same issue and coordinate their efforts to prioritize and address vulnerabilities, resulting in significant time and cost savings.

For more information on Delinea’s responsible disclosure program, visit its Trust Center: https://trust.delinea.com

Source

DARKReading