Infiltrating other nations' telecom networks is a cornerstone of China's geopolitical strategy, and it's having the unintended consequence of driving the uptake of encrypted communications.

Source: Ar\_TH via Shutterstock

While the US government and at least eight telecommunications firms struggle to defend their networks against the China-sponsored Salt Typhoon group, other nations' telecommunications firms have often been primary targets for advanced persistent threats (APTs) as well.

In 2023, China-linked group Earth Estries — which may overlap with Salt Typhoon — compromised telecommunications firms in the Asia-Pacific (APAC) and the Middle East and North Africa (MENA) regions, as well as the US. In 2022, a Chinese APT group alternatively known as Daggerfly and Evasive Panda infected systems at a telecommunications organization in Africa, installing a backdoor tool known as MgBot. And earlier this year, Chinese APT group Volt Typhoon targeted Singapore's largest telco, Singtel, with attacks, although the company denies any of the probes were successful.

China has made infiltrating other nations' networks a foundation of its geopolitical strategy, and other countries — and their citizens — should consider their networks no longer private, says David Wiseman, vice president of secure communications for cybersecurity firm BlackBerry.

"All countries need to assume they are affected," he says. "The impact \[of these attacks are\] operational in that the government can no longer be confident using traditional phone calls and SMS. This is accelerating the usage of 'over the top' encrypted communications applications for official government communications."

Over-the-top (OTT) applications and services are those that are delivered over the Internet, not through traditional telecommunications systems.

US telecommunications firms — including Verizon, AT&T, and T-Mobile — are struggling to clean their networks and prevent two Chinese groups, Salt Typhoon and Volt Typhoon, from persisting in their systems. Earlier this year, Salt Typhoon gained access to some of the telecom systems used to satisfy wiretap requests, while Volt Typhoon has compromised telecommunications and other critical infrastructure to pre-position ahead of possible region conflict.

Telecommunications infrastructure is one of the most attractive targets for nation-state actors, because they affect all facets of a country's economy and provide in-depth data on its citizens, says Chris Henderson, senior director of threat operations at Huntress, a threat-intelligence firm.

"As telecommunication companies have grown from managing landline infrastructure to being one of the most data-rich organizations, their attractiveness to both for-profit groups and state-sponsored espionage has also grown," he says, adding that they "know more about you than arguably any other organization — they understand where you have been physically located, who you are speaking with, and for how long."

**From Singapore to India and Beyond**

China has long focused on the telecommunication firms of its regional rivals. In 2014, for example, the government of India accused Chinese equipment maker Huawei of hacking the state-owned Bharat Sanchar Nigam Limited (BSNL), after that firm used another Chinese service provider, ZTE, to provision its lines.

In 2023, an investigation by cybersecurity firm Trend Micro found that China-linked Earth Estries targeted at least 20 telecommunications and other infrastructure providers across Southeast and South Asia, South Africa, and Brazil, using a cross-platform backdoor.

Every country should act to defend their telecommunications infrastructure, says BlackBerry's Wiseman. While the success of attacks on Singapore, India, and the US are among the few that have become public, other companies are likely breached and still not aware, he says.

Organizations and citizens should no longer assume that their communications are safe, Wiseman says.

"General harvesting of communication records to build out a continual understanding of changes in command-and-control networks is a key thing that can be done," he says. "More concerning is that since the voice calls of specific people can be listened to along with reading of the SMS messages, there is the potential for more advanced communications manipulation."

**A Boost for Encryption**

The Salt Typhoon attacks may push citizens — and possibly their governments — toward greater use of encryption. While the trend has been for authoritarian governments and security agencies — such as law enforcement and internal security groups — to argue for less encryption, or at least backdoors into encrypted systems, the global attacks on telecommunications technology demonstrate that even nations with well-considered, strict privacy laws are not safe havens, says Gregory Nojeim, senior counsel and director of the security and surveillance project at the Center for Democracy and Technology, a digital-rights group.

"Greater geopolitical tension breeds greater geopolitical incentive to gain access to other countries' communications and that will also incentivize the adoption and use of encryption," Nojeim says. "Hopefully, it will also incentivize the protection of encryption against proposals that would weaken it."

In the US, government agencies such as the FBI have argued for law-enforcement backdoors into telecommunications networks and are calling for workers and citizens to use stronger encryption.

Meanwhile, telecommunications providers — whether private or state-owned — should focus more heavily on security, and their citizens should also adopt encrypted services, BlackBerry's Wiseman says. "Many countries realized this earlier than the US \[and\] started widespread adoption of end-to-end app-based encrypted communications sooner," he says. "The earliest movers were countries that did not have the same level of controls over their telecom network supply chains as the more developed countries."

Most countries in the Global South score lower on rankings of Internet privacy than their peers in North America, Europe, and East Asia. However, lower privacy rights can mean citizens are more likely to use encrypted services, says CDT's Nojeim.

"One lesson of Salt Typhoon is that people who live in democracies can't comfort themselves that their own government won't listen in absent a good reason," he says. "Now they have to be concerned about foreign governments listening in, and the way to prevent that, again, is to use an encrypted service."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Governments, Telcos Ward Off China's Hacking Typhoons

As part of the commitment to CISA's Secure by Design pledge, Snowflake will begin blocking sign-ins using single-factor authentication next year.

NEWS BRIEF

Snowflake has announced a new authentication policy that will require all customers to enable multifactor authentication (MFA) on their accounts by November 2025 or risk having their access blocked.

The three-phase policy change comes after Snowflake's recent decision to enable MFA by default on all new accounts.

"MFA will be enforced by default for all human users in any Snowflake account created as of October 2024," Snowflake's Anoosh Saboori and Brad Jones wrote back in September.

In the first phase, planned for April, human users on accounts without a customized authentication policy will be required to enroll in MFA the next time they sign into Snowflake.

The second phase, in August, will require MFA for all password-based sign-ins for human users. This requirement will apply regardless of any custom authentication policy in place on the account.

In the final phase, Snowflake will block all password-based sign-in attempts using single-factor authentication. While the previous two phases focused on human users, this phase will also apply to service accounts using programmatic access.

Snowflake customers must make the necessary changes before November. Snowflake has created guides to help organizations with the migration. There is also a Threat Intelligence scanner package available on Snowflake's Trust Center that can scan accounts to identify users who do not have MFA enabled and are at risk of losing access.

The spree of attacks targeting Snowflake customers earlier this year was a result of poor hygiene and the lack of MFA. More than 165 organizations were impacted, such as Neiman Marcus, Ticketmaster, and AT&T. A significant volume of customer data has been stolen, and several victims were hit with subsequent extortion attempts.

**About the Author**

Snowflake Rolls Out Mandatory MFA Plan

FCC Chairwoman Jessica Rosenworcel recommended "urgent action" to safeguard the nation's communications systems from real and present cybersecurity threats.

Source: Asharkyu via Shutterstock

NEWS BRIEF

In the wake of recent cyberattacks against US communications companies by foreign actors, the Federal Communications Commission (FCC) has proposed new cybersecurity rules on how telecommunication companies should secure their networks. 

"The cybersecurity of our nation's communications critical infrastructure is essential to promoting national security, public safety, and economic security,” said FCC Chairwoman Jessica Rosenworcel in a statement last week. "As technology continues to advance, so does the capabilities of adversaries, which means the U.S. must adapt and reinforce our defenses." 

Under the proposed requirements, which has been shared as a Declaratory Ruling with the other members of the commission, telecommunications carriers would need to secure their networks from unlawful access or interception of communications and to submit annual certifications to FCC confirming that they have created, updated, and implemented a cybersecurity risk management plan to fortify their defenses against future attacks. The proposal focuses on a "modern framework to help companies secure their networks," Rosenworcel said.

"The FCC is creating a forcing function to prioritize risk management and cybersecurity, which will also drive modernization in a lot of useful ways," said Trey Ford, chief information security officer at Bugcrowd, in an emailed statement. "The FCC will appreciate the challenges that Corporate Directors and the SEC have been wrestling with - how inventory, score, and treat cyber risks - and the challenges in communicating what needs done, when, and how."

The Chinese-state sponsored hacker group Salt Typhoon hit several Internet service provider networks in the US earlier this year, compromising targets at organizations including Verizon, AT&T, and Lumen. The carriers have not yet successfully evicted the attackers from their networks, and the intelligence community is still trying to determine the scope and impact of the attacks.

In what is considered one of the largest, most egregious cyberattacks, a large number of call records, including phone numbers, call types and duration, have been compromised. Salt Typhoon also intercepted the calls and messages of government officials and politicians. 

Last week, the Cybersecurity and Infrastructure Security Agency (CISA) issued guidance with the National Security Agency and the FBI to the telecom industry on how to handle the threat. The new guidance includes best practices and recommendations on quickly detecting threat activity, improving visibility, reducing existing vulnerabilities, and limiting the attack surface. It also highlighted ways to harden Cisco network gear. 

After a classified briefing in the Senate, Sen. Ron Wyden introduced legislation this week to require the FCC, along with CISA and the Director of National Intelligence, to create specific digital security standards designed to prevent unauthorized interceptions. The proposed bill would require telecoms to conduct annual tests of the safety measures, work to patch any uncovered vulnerabilities, and tap an outside auditor to carry out yearly assessments of compliance with the cybersecurity rules. With Congress poised for recess soon, it is unclear whether there will be any immediate action on this legislation.

If the FCC proposal is adopted, the Declaratory Ruling would take effect immediately. The draft Notice of Proposed Rulemaking would seek comment on cybersecurity risk management requirements and on additional ways to strengthen the cybersecurity posture of communications systems and services.

**About the Author**

Contributing Writer

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

FCC Proposes New Cybersecurity Rules for Telecoms

The zero-day (CVE-2024-49138), plus a worryingly critical unauthenticated RCE security vulnerability (CVE-2024-49112), are unwanted gifts for security admins this season.

Source: Zoonar GmbH via Alamy Stock Photo

A Windows zero-day security vulnerability under active exploit leads Microsoft's December 2024 Patch Tuesday security update, which hardly constitutes a sleigh of festive tidings for security admins: A stocking stuffed with 71 patches.

The tech giant unwrapped CVEs in Windows and Windows Components, Office and Office Components, SharePoint Server, Hyper-V, Defender for Endpoint, and System Center Operations Manager.

This year's holiday-season entry brings the total number of patches for the year to 1,020, Redmond's second-most voluminous year for fixes after 2020's 1,250. Out of this month's CVEs, 16 are rated as critical.

**Windows CLFS Zero-Day Allows Privilege Escalation**

The actively exploited bug is tracked as CVE-2024-49138 (CVSS 7.8), a moderate-severity flaw in the Windows Common Log File System (CLFS) Driver.

“CLFS is a logging service that supports user and kernel-mode operations,” explained Henry Smith, senior security engineer at Automox, in an emailed analysis. "While the details are still limited, the root cause likely ties back to improper data validation. … Early indicators suggest that attackers might exploit this bug by using Windows APIs to manipulate log files or corrupt log data, triggering the vulnerability."

The potential impact is substantial, he added, given that an exploit leads to SYSTEM-level privileges on Windows Server. When paired with a remote code execution (RCE) bug, it's a perfect recipe for completely taking over a PC.

Related:Microsoft NTLM Zero-Day to Remain Unpatched Until April

Satnam Narang, senior staff research engineer at Tenable, noted via email that ransomware operators in particular have "developed a penchant for exploiting CLFS elevation-of-privilege flaws over the last few years."

He noted, "unlike advanced persistent threat (APT) groups that typically focus on precision and patience, ransomware operators and affiliates are focused on the smash-and-grab tactics by any means necessary. By using elevation-of-privilege flaws like this one in CLFS, ransomware affiliates can move through a given network in order to steal and encrypt data and begin extorting their victims."

**Critical Remote-Code Execution Vulnerabilities in LDAP, Hyper-V, RDP**

The critical-severity CVE-2024-49112 (CVSS 9.8) is perhaps the most concerning CVE in this month's stocking of misery. It's an unauthenticated RCE issue in the Windows Lightweight Directory Access Protocol (LDAP).

According to Dustin Childs at the Zero Day Initiative (ZDI), cyberattackers can exploit the bug to compromise Domain Controllers by sending a specially crafted set of LDAP calls.

Related:Microsoft Expands Access to Windows Recall AI Feature

"Code execution occurs at the level of the LDAP service, which is elevated, but not SYSTEM," Childs wrote in a blog post on Dec. 10. "Microsoft provides some … interesting mitigation advice. They recommend disconnecting Domain Controllers from the Internet. While that would stop this attack, I'm not sure how practical that would be for most enterprises. I recommend testing and deploying the patch quickly."

Another critical RCE vulnerability to address quickly is CVE-2024-49117 (CVSS 8.8) in Windows Hyper-V. An exploit would allow someone on a guest virtual machine (VM) to execute code on the underlying host OS, or perform a cross-VM attack.

"The good news here is that the attacker does need to be authenticated," Childs noted. "The bad news is that the attacker only requires basic authentication — nothing elevated. If you are running Hyper-V or have hosts on a Hyper-V server, you'll definitely want to get this patched quickly."

A total of nine critical bugs affect Windows Remote Desktop Services, with one (CVE-2024-49132, CVSS 8.1) allowing RCE by exploiting a use-after-free memory condition.

"The exploit requires precise timing, making it an advanced attack," Ryan Braunstein, security manager at Automox, said via email. "Specifically, if a user connects through the Remote Desktop Gateway role, an attacker could intentionally trigger the use-after-free scenario. Successfully exploited, this vulnerability can allow attackers to execute their code remotely, gaining control of the system."

Related:Open Source Security Priorities Get a Reshuffle

That means exploitation is on the difficult side, but Braunstein cautioned that "over time, it's likely that cyberattackers develop tools that simplify the attack process. Until then, there are no effective workarounds, making immediate patching your best chance to mitigate this risk."

There are also eight other critical vulnerabilities that rate 8.1 on the CVSS scale in Remote Desktop Services, including five other UAF bugs (CVE-2024-49115, CVE-2024-49116, CVE-2024-49108, CVE-2024-49106, and CVE-2024-49128); CVE-2024-49123, which involves sensitive data storage in improperly locked memory; CVE-2024-49120, an insecure default variable initialization flaw; and CVE-2024-49119, arising from improper resource handling during RDP sessions.

"These vulnerabilities underscore persistent issues in RDP components, including memory management, timing, and operational handling," said Mike Walters, president and co-founder of Action1, via email. “\[With\] varied root causes, \[it shows that\] attackers can exploit different facets of RDP services. Organizations should avoid exposing RDP services to the global Internet and implement robust security controls to mitigate risks. These flaws further prove the dangers of leaving RDP open and unprotected."

**Other December 2024 Security Vulnerabilities to Patch Now**

Security experts also flagged two other bugs for security admins to add to their holiday checklists, including an EoP vulnerability in the Windows Resilient File System (ReFS).

Resilient File System (ReFS) is a file system designed for enhanced scalability and fault tolerance for virtualization environments, databases, and backups. It offers data resilience, storage efficiency, and improved performance.

"CVE-2024-49093 (CVSS 8.8) revolves around a scope change that allows an attacker to elevate privileges from a low-privilege app container environment," explained Seth Hoyt, senior security engineer at Automox, via email. "Normally, app containers are designed to limit a process's ability to access files, memory, and other resources. Exploiting this vulnerability enables attackers to escape those confines, gaining broader system-level access. This means they can interact with files, processes, and memory previously out of reach."

From there, cyberattackers could move laterally across the environment, he added.

The final lump of coal called out by researchers this month is an RCE vulnerability in Musik (CVE-2024-49063), a research project on AI-created music.

“We've been wondering what bugs in AI would look like, and so far, they look like deserialization vulnerabilities," ZDI's Childs said. "That's what we have here. An attacker could gain code execution by crafting a payload that executes upon deserialization. Neat."

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Actively Exploited Zero-Day, Critical RCEs Lead Microsoft Patch Tuesday

The threat actor group recently took credit for a similar attack on Blue Yonder that affected multiple organizations, including Starbucks.

Source: znakki via Shutteratock

Ransomware group "Termite" — which recently claimed supply chain vendor Blue Yonder as a victim — may be behind widespread exploit activity targeting a previously fixed vulnerability in Cleo's LexiCom, VLTransfer, and Harmony file transfer software.

Cleo is currently developing a new patch for the flaw but nothing is currently available for the issue, which means the vulnerability is a zero-day under active attack.

**Widespread Attacks**

The attacks appear to have begun on Dec. 3 and have claimed at least 10 victims across multiple sectors, including consumer products, trucking and shipping, and the food industry, according to researchers at Huntress Labs who are tracking the activity. A search for vulnerable, Internet-exposed Cleo systems suggests that the actual number of victims may be higher, the security vendor said.

Rapid7 also said it had received reports of compromise and post-exploit activity involving the Cleo vulnerability from multiple customers. "File transfer software continues to be a target for adversaries, and for financially motivated threat actors in particular," Rapid7 wrote in a blog post on Dec. 10. The company recommended affected organizations take "emergency action" to mitigate risk related to the threat.

More than 4,200 customers from multiple industries such as logistics and transportation, manufacturing, and wholesale distribution use Cleo software for a variety of use cases. Some recognizable names include Brother, New Balance, Duraflame, TaylorMade, Barilla America, and Mohawk Global.

Huntress identified the vulnerability that Termite is targeting as CVE-2024-50623, an unauthenticated remote code execution (RCE) flaw in versions of Cleo Harmony, VLTrader, and LexiCom prior to 5.8.0.21. Cleo disclosed the vulnerability in October and urged customers to immediately upgrade affected products to the fixed version 5.8.0.21.

However, the patch appears to have been insufficient, because all previously affected versions of Cleo software, including the patched 5.8.0.21, remain vulnerable to the same CVE, Huntress said. "This vulnerability is being actively exploited in the wild and fully patched systems running 5.8.0.21 are still exploitable," Huntress researcher John Hammond wrote. "We strongly recommend you move any Internet-exposed Cleo systems behind a firewall until a new patch is released."

**Working on a Patch**

Cleo has acknowledged the issue and said it plans to issue a new CVE, or identifier, for the bug. In an emailed statement, a company spokesperson described the flaw as a critical issue. The statement noted that Cleo has notified customers about the threat and advised them on how to mitigate exposure till its patch becomes available. "Our investigation is ongoing," the statement said. "Customers are encouraged to check Cleo's security bulletin webpage regularly for updates."

Hammond said Huntress's analysis of the threat actor's post-exploit activity showed the attacker deploying Web shell-like functionality for establishing persistence on compromised endpoints. Huntress also observed the threat actor enumerating potential Active Directory assets with nltest.exe and other domain reconnaissance tools.

In comments to Dark Reading, Huntress director of adversary tactics Jamie Levy says that available evidence points to Termite as the likely perpetrator. Like the victims of the ongoing attacks, Blue Yonder had an instance of Cleo's software open to the Internet, she says. Termite claimed Blue Yonder as one of its victims and appeared to confirm it by publicly listing files belonging to the company, Levy notes.

**The New Cl0p?**

"There have been some rumblings that Termite might be the new Cl0p," Levy says, and data has emerged that appears to substantiate those claims. Also, Cl0p's activities have waned while Termite's activities have increased. Both are operating in similar fashions. "We're not really in the attribution game, but it wouldn't be surprising at all if we are seeing a shift in these ransomware gangs at the moment," Levy says.

Max Rogers, senior director of security operations at Huntress, described the new Cleo zero-day as something that enables easy access to Cleo systems for attackers with the exploit code. "The most effective immediate action is to ensure that affected systems are not accessible from the Internet, which significantly reduces the risk of exploitation."

Rogers additionally recommends that organizations disable the autorun feature in Cleo software to limit the attack surface while waiting for an updated patch. "However, at this time," he says, "the only guaranteed way to protect systems is to make them inaccessible over the Internet until a new patch is out."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

'Termite' Ransomware Likely Behind Cleo Zero-Day Attacks

Because the streaming service website offers no content restrictions, attackers are able to hijack and manipulate live streams.

Source: Norman Pogson via Alamy Stock Photo

NEWS BRIEF

Deepfakes are becoming a threat to recordings and live video streams of Scottish Parliamentary proceedings.

Scottish Parliament TV is a website providing livestreaming services and archived recordings from the Debating Chamber and committee rooms to the public masses. The website contains no content restrictions, allowing users to download streaming video clips in real time. The licensing to reuse the material is also relatively broad.

The Scottish Parliament was one of the first legislatures to allow this kind of public access to its proceedings, but with the transparency comes major cybersecurity risks according to Ben Collier of the Scottish Centre for Crime and Justice Research (SCCJR) and the University of Edinburgh, adding they "could threaten public trust in democracy."

Researchers at the University of Edinburgh and SCCJR have identified three key threats that the Scottish Parliament faces when it comes to deepfakes: attackers hijacking a live stream by breaking into the network and chain of video and intercepting the data, showing viewers a manipulated video on the live stream rather than the true version; threat actors creating deepfake videos of Parliament and distributing them via social media channels for wider dissemination; and, lastly, using the parliamentary video archive provide training resources to AI for creating malicious materials to target members of the Scottish Parliament.

There are currently no processes put in place by the Scottish Parliament to prevent such attacks, but the researchers laid out several solutions to help mitigate these threats, such as developing an intervention and reporting plan, implementing more authentication checks, and creating a communications team with the broadcasting unit to support any Parliament members that are targeted.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Scottish Parliament TV at Risk From Deepfakes

The Nemesis and ShinyHunters attackers scanned millions of IP addresses to find exploitable cloud-based flaws, though their operation ironically was discovered due to a cloud misconfiguration of their own doing.

Source: GK Images via Alamy Stock Photo

Cybercriminal gangs have exploited vulnerabilities in public websites to steal Amazon Web Services (AWS) cloud credentials and other data from thousands of organizations, in a mass cyber operation that involved scanning millions of sites for vulnerable endpoints.

Independent cybersecurity researchers Noam Rotem and Ran Locar of the loosely organized research group CyberCyber Labs uncovered the operation in August, and reported it to vpnMentor, which published a blog post on Dec. 9 about their findings. Attackers appear to be connected to known threat groups Nemesis and ShinyHunters, the latter of which is probably best known for a cloud breach earlier this year that stole data from half a million Ticketmaster customers.

“Both of these 'gangs' represent a technically sophisticated cybercriminal syndicate that operates at scale for profit and uses their technical skills to identify weaknesses in controls from enterprises migrating to cloud computing without fully understanding the complexity of services nor the controls offered in cloud computing," notes Jim Routh, chief trust officer at Saviynt, a cloud identity and security management firm.

Ironically, however, the researchers discovered the operation when the French-speaking attackers committed a cloud-based faux pas of their own — they stored some of the data harvested from the victims in an AWS Simple Storage Service (S3) bucket that contained 2TB of data and was left open due to a misconfiguration by its owner, according to the post.

Related:Attackers Can Use QR Codes to Bypass Browser Isolation

"The S3 bucket was being used as a 'shared drive' between the attack group members, based on the source code of the tools used by them," the vpnMentor research team wrote in the post.

Among the data stolen in the operation included infrastructure credentials, proprietary source code, application databases, and even credentials to additional external services. The bucket also included the code and software tools used to run the operation, as well thousands of keys and secrets lifted from victim networks, the researchers said.

**Two-Part Attack Sequence**

The researchers ultimately reconstructed a two-step attack sequence of discovery and exploitation. Attackers began with a series of scripts to scan vast ranges of IPs belonging to AWS, looking for "known application vulnerabilities as well as blatant mistakes," according to the vpnMentor team.

Attackers employed the IT search engine Shodan to perform a reverse lookup on the IP addresses, using a utility in their arsenal to get the domain names associated with each IP address that exists within the AWS ranges to expand their attack surface. In an effort to further extend the domains list, they also analyzed the SSL certificate served by each IP to extract the domain names associated with it.

Related:Wyden and Schmitt Call for Investigation of Pentagon's Phone Systems

After determining the targets, they began a scanning process, first to find exposed generic endpoints and then to categorize the system, such as Laravel, WordPress, etc. Once this was done, they would perform further tests, attempting to extract database access information, AWS customer keys and secrets, passwords, database credentials, Google and Facebook account credentials, crypto public and private keys (for CoinPayment, Binance, and BitcoinD), and more from product-specific endpoints.

"Each set of credentials was tested and verified in order to determine if it was active or not," according to the post. "They were also written to output files to be exploited at a later stage of the operation."

When exposed AWS customer credentials were found and verified, the attackers also tried to check for privileges on key AWS services, including: identity and access management (IAM), Simple Email Service (SES), Simple Notification Service (SNS), and S3.

**Cyberattacker Attribution & AWS Response**

Related:Pegasus Spyware Infections Proliferate Across iOS, Android Devices

The researchers tracked the perpetrators via tools used in the operation, which "appear to be the same" as those used by ShinyHunters. The tools are documented in French and signed by "Sezyo Kaizen," an alias associated with Sebastien Raoult, a ShinyHunters member who was arrested and pleaded guilty to criminal charges earlier this year.

The researchers also recovered a signature used by the operator of a Dark Web market called "Nemesis Blackmarket," which focuses on selling stolen access credentials and accounts used for spam.

The researchers, who work out of Israel, reported their findings to the Israeli Cyber Directorate in early September, and then notified AWS Security in a report sent on Sept. 26. The company immediately took steps to mitigate the impact and alert affected customers of the risk, according to vpnMentor.

Ultimately, the AWS team found that the operation targeted flaws present on the customer application side of the shared responsibility cloud model and did not reflect any fault of AWS, which the researchers said they "fully agree with." The AWS security team confirmed they completed their investigation and mitigation on Nov. 9 and gave the researchers the green light to disclose the incident.

**How to Secure the Cloud IT Footprint**

Some steps organizations can take to avoid a similar attack against their respective cloud environments include making sure hardcoded credentials are never present in their code or even in their filesystem, where they might be accessed by unauthorized parties.

Organizations also should conduct simple Web scans using open source tools like "dirsearch" or  "nikto," which are often used by lazy attackers to identify common vulnerabilities. This will allow them to find holes in their environment before a malicious actor does, the researchers noted.

A Web application firewall (WAF) also is a relatively low-cost solution to block malicious activity, and it's also worthwhile to "roll" keys, passwords, and other secrets periodically, they said. Organizations also can create CanaryTokens in their code in secret places, the researchers noted, which act as tripwires to alert administrators that an attacker may be poking around where they shouldn't be.

Routh says the incident also provides a learning opportunity for organizations which, when presented with new technology options, should adjust and design cyber controls to achieve resilience rather than go with conventional control methods.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Cybercrime Gangs Abscond With Thousands of AWS Credentials

The software supply chain is a growing target, and organizations need to take special care to safeguard it.

Source: Zoonar GmbH via Alamy Stock Photo

COMMENTARY

In 2011, Marc Andreessen coined a phrase we're now all familiar with: "Software is eating the world." More than 13 years later, the expression still rings true. The world runs on software, and each day it continues to transform industries and fuel the global economy. Companies are generating more software — faster than ever before — in order to keep up in today's dynamic and ultracompetitive business landscape.

Innovation is a beautiful thing, but the increased volume and velocity with which software is being built and delivered creates more opportunities for something to go wrong in the software supply chain. Over the past decade, we've seen this happen time and time again.

Around this time last year, Okta disclosed that it had experienced a significant security breach, where bad actors gained access to private customer data through its support management system, highlighting the dangers of third-party risk. In 2020, the SolarWinds platform update mechanism was compromised and used to send malicious software that impacted more than 18,000 of its customers. And back in 2017, Equifax suffered a massive breach due to a failure to patch a known security flaw in its software.

This is just a small sampling of the types of software supply chain attacks that have plagued organizations over the past decade. Unfortunately, these attacks show no signs of slowing down — quite the opposite, actually.

Research indicates software supply chain attacks are occurring at a rate of one successful attack every two days, and Gartner predicts that by 2025, 45% of organizations will have experienced a software supply chain attack. Alarmingly, one report found that there has been a staggering 742% increase in these attacks over the past three years.

The uptick in software supply chain attacks can be attributed to a combination of several factors. Often, organizations simply don't realize the breadth of their exposure. As software shops move toward more sophisticated software delivery and consumption models (e.g., continuous integration/continuous delivery \[CI/CD\] and cloud), their supply chains become more vulnerable. Additionally, typical attack vectors have become increasingly difficult to exploit (thanks to vendors incorporating more sophisticated security measures into platforms and software), which has forced bad actors to uncover new vulnerabilities and become more creative in their attacks. More recently, the spike in adoption of generative AI (GenAI) tools like coding assistants has created new and difficult-to-monitor security gaps. At the same time, attackers are leveraging GenAI themselves to carry out more sophisticated attacks at a higher volume.

Enterprises must urgently find a balance between creating and releasing high-quality software quickly, while upholding a high level of security at each link in the software supply chain.

Here's how they can maintain security without impeding innovation:

**Thoroughly Vet Vendors on an Ongoing Basis (and Treat GenAI Tools With the Same Level of Scrutiny)**

If anything can be learned from Okta's breach, it's that third-party vendors must be carefully vetted if they're to be trusted with private customer data and other sensitive information. Too often, development shops assume that the third-party code they consume is a black box.

Organizations need to look at each vendor's software bill of materials (SBOMs) so they're aware of any open source or third-party components of their code and can therefore identify possible vulnerabilities. They should also assess the vendor's track record for security and review its policies, procedures, and certifications.

Vetting vendors shouldn't be a box the organization checks at the beginning of their engagement and then forgets about. The vetting process must be ongoing: Organizations should continually be asking questions and keeping a pulse on the vendor's new offerings, policies, compliance certifications, and more.

Of note, GenAI tools should be subjected to the same level of scrutiny as third-party vendors. Organizations need visibility into how the large language model (LLM) works, what data it was trained on, whether the model is open or closed, and how user inputs and generated content are collected and used. They'll also need to assess the accuracy and quality of the code the LLM generates, as well as have a plan in place to mitigate any inaccurate or buggy code it produces.

**Consume Open Source Projects Carefully**

Open source projects are critical for rapid development and innovation, but organizations need to be very careful about how they consume open source code. Last year alone, researchers found 245,032 malicious packages in open source projects available for public download. Open source repositories are a prime target for bad actors, who can wreak havoc by attacking a single package that, in turn, impacts an entire ecosystem of companies and their customers.

Organizations should use code only from open source projects that adhere to strict compliance frameworks, such as the OpenSSF Scorecard, System Package Data Exchange (SPDX), and OpenVEX. This ensures they have visibility into the security hygiene of the project before they borrow its code. Additionally, organizations should adopt a software composition analysis (SCA) solution and have a plan in place to address any open source vulnerabilities, should they emerge.

**Evaluate the Security of Your Entire Software Delivery Process**

There's no silver bullet for securing the software supply chain. Organizations must diligently evaluate the security of each step of the software delivery process — including design, development, testing, deployment, maintenance, and beyond.

By infusing security measures throughout the CI/CD pipeline, companies can identify and remediate vulnerabilities early in the development process so they don't lead to a full-blown breach down the line. They can accomplish this through automated security solutions that flag potential issues and source composition analysis (SCA) tools that scan code for known vulnerabilities, and by implementing source code access controls to prevent unauthorized access.

The security cat-and-mouse game is never over. As the industry works diligently to expand its knowledge and strengthen security, attackers are just as hard at work planning and carrying out nefarious activities. The software supply chain is a growing target, and organizations need to take special care to safeguard it. By carefully vetting vendors, mindfully consuming open source, and securing the entire software delivery process, organizations can strike a balance between driving innovation and maintaining software supply chain security.

**About the Author**

Chief Architect Officer, Apiiro

Eldan Ben-Haim has a proven track record in technology leadership, with 25 years of experience in software development, many of them in cybersecurity. Currently CAO atApiiro, he previously served as CTO at Transmit Security and prior to that held the position of vice president of R&D at Trusteer, a cybersecurity company acquired by IBM.

Lessons From the Largest Software Supply Chain Incidents

A Chinese threat actor infiltrated several IT and security companies in a bring-your-own VS code, with an eye to carrying out a supply-chain-based espionage attack.

Source: Araki Illustrations via Alamy Stock Photo

Chinese hackers almost breached critical European supply chain companies by disguising their malicious activities behind native Microsoft technologies.

It happened during a three-week period, from late June to July, according to researchers from SentinelLabs. A threat actor tied to China's diverse and thriving cyberattack scene targeted large business-to-business (B2B) IT service providers throughout southern Europe, such as cybersecurity vendors and data and infrastructure solutions providers, with the presumed goal of downstream supply chain espionage.

To penetrate these IT vendors — and, presumably, the many clients across the continent to which they enjoy privileged access — the attackers masked their malicious activity behind everyday business tools like Visual Studio Code and Microsoft Azure. And to confuse attribution, they used the same tactics, techniques, procedures (TTPs), and tooling observed across a number of other known Chinese threat actors.

**Malware via Microsoft**

Infections in the campaign, which researchers dubbed "Operation Digital Eye," began with SQL injections against vulnerable, Internet-facing Web and database servers. Then the attackers dropped PHP Web shells, using filenames specially tailored to the target's environment in order to avoid raising any suspicion. Reconnaissance, lateral movement, and credentials theft followed.

The highlight of the attacks, though, came innocuously packaged as "code.exe." Digitally signed by Microsoft and run as a service using the Windows Service Wrapper, the attackers brought to each of their victims their own portable copy of the Visual Studio Code (VS Code). VS Code is a free, open source editor developed by Microsoft, by far the most popular integrated development environment (IDE) among both new and seasoned developers.

VS Code has also become a proven weapon of Chinese threat actors as of late, thanks to its Remote Tunnels feature. Remote Tunnels is designed to allow developers to access and work on code on remote machines. In a different light, though, it's a perfect malicious payload, enabling command execution and file editing on remote systems in the context of a seemingly innocuous Microsoft program. The attackers behind Operation Digital Eye intended to use VS Code to maintain persistent backdoor access to victims, using innocuous file and service names and storing it in the Temp folder to further blend in with victims' normal business operations.

Tunneling with VS Code isn't quite as simple as loading malware onto a victim's machine, though — it requires a GitHub account and connection with an Azure server. Researchers aren't sure whether the attackers used stolen GitHub and Azure credentials, or registered their own accounts.

What is clear is that they turned this potential roadblock into an advantage, leveraging public cloud infrastructure in Western Europe to make their otherwise suspicious traffic look more legitimate, and more likely to evade notice by security tools. VS Code and Azure network traffic tends to avoid close scrutiny, the researchers noted, and are commonly allowed by application controls and firewall rules. "Combined with the full endpoint access it provides, this makes Visual Studio Code tunneling an attractive and powerful capability for threat actors to exploit," they wrote.

**The Trouble in Attributing Chinese Attackers**

The actual malware used in Operation Digital Eye did less to clarify than to confuse who, exactly, was behind the attacks.

The most notable tool in the mix, "bK2o.exe," is a modified version of the open source credential stealing tool Mimikatz, designed for pass-the-hash attacks. Its aim is to snag a New Technology LAN Manager (NTLM) hash, in lieu of the targeted user's actual password, to enable the further execution of processes within the user's security context.

BK2o.exe is just one among many Mimikatz variants deployed by several Chinese advanced persistent threats (APTs). Related variants have been observed in Operations Soft Cell and Tainted Love, associated with groups like APT41 and APT10. Researchers from SentinelLabs concluded that there is likely a shared vendor supplying many groups at once, as evidenced by the recent case of iSoon.

Also common to these many groups, besides their malware, is the intent behind their cyberespionage. In the case of Digital Eye, "Southern Europe's role as a Mediterranean hub intersects with China's Belt and Road Initiative, particularly in infrastructure investments like Greece's Port of Piraeus," notes SentinelLabs principal threat researcher Tom Hegel. "Cyber operations in this area likely support China's efforts to safeguard these investments, gain leverage in energy transit routes, and monitor naval activities critical to global trade and security. Economically, Southern Europe offers access to critical industries such as energy, shipping, aerospace, and agriculture, as well as opportunities for scientific and technological espionage, particularly in aerospace and renewable energy. Politically, the region's challenges provide opportunities for influence, allowing China to exploit economic dependencies, shape public sentiment, and potentially weaken EU and NATO unity."

He concludes that "In targeting Southern Europe, China seeks not only to secure competitive advantages but also to deepen its influence in a region vital to global trade, energy flows, and Western alliances."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Sprawling 'Operation Digital Eye' Attack Targets European IT Orgs

The second zero-day vulnerability found in Windows NTLM in the past two months paves the way for relay attacks and credential theft. Microsoft has no patch, but released updated NTLM cyberattack mitigation advice.

Source: QINQIE99 via Shutterstock

Microsoft has released fresh guidance to organizations on how to mitigate NTLM relay attacks by default, days after researchers reported finding a NTLM hash disclosure zero-day in all versions of Windows Workstation and Server, from Windows 7 to current Windows 11 versions.

However, it was not immediately clear if the two developments are related or purely coincidental in terms of timing. In any event, the bug, which doesn't yet have a CVE or CVSS score, is not expected to be patched for months.

**Windows NTLM Zero-Day Allows Credential Theft**

Researchers from ACROS Security reported finding a zero-day bug in all supported Windows versions. The bug allows an attacker to grab a user's NTLM credentials simply by getting the user to view a malicious file via the Windows Explorer file management utility.

"Opening a shared folder or USB disk with such file or viewing the Downloads folder where such file was previously automatically downloaded from attacker's Web page" is all it takes for credential compromise, Mitja Kolsek, CEO of ACROS Security wrote in a blog post.

ACROS said it would not release any further information on the bug until Microsoft has a fix for it. But Kolsek tells Dark Reading that an attacker's ability to exploit the bug depends on various factors.

"It's not easy to find where the issue is exploitable without actually trying to exploit it," he explains. Microsoft has assessed the vulnerability as being of moderate or "Important" severity, a designation that is one notch lower than "Critical" severity bugs. The company plans to issue a fix for it in April, Kolsek says.

In an emailed comment, a Microsoft spokesman said the company is "aware of the report and will take action as needed to help keep customers protected."

The bug is the second NTLM credential leak zero-day that ACROS has reported to Microsoft since October. The previous one involved a Windows Themes spoofing issue and allowed attackers a way to coerce victim devices into sending NTLM authentication hashes to attacker-controlled devices. Microsoft has not yet issued a patch for that bug either.

The bugs are among several NTLM-related issues that have surfaced in recent years including PetitPotam, DFSCoerce, PrinterBug/SpoolSample, and, recently, one affecting the open source policy enforcement engine.

**Legacy Protocol Dangers**

Windows NTLM (NT LAN Manager) is a legacy authentication protocol that Microsoft includes in modern Windows for backward compatibility purposes. Attackers have frequently targeted weaknesses in the protocol to intercept authentication requests and forward or "relay" them to access other servers or services to which the original users have access.

In its advisory this week, Microsoft described NTLM-relaying as a "popular attack method used by threat actors that allows for identity compromise." The attacks involve coercing a victim to authenticate to an attacker-controlled endpoint and relaying the authentication against a vulnerable target server or service. The advisory pointed to vulnerabilities that attackers have used previously, such as CVE-2023-23397 in Outlook and CVE-2021-36942 in Windows LSA, to exploit service that lack protections against NTLM-relaying attacks.

In response to such attacks, Microsoft has updated previous guidance on how to enable Extended Protection for Authentication (EPA) by default on LDAP, AD CS, and Exchange Server, the company said. The latest Windows Server 2025 ships with EPA enabled by default for both AD CS and LDAP.

The advisory highlighted the need for organizations to enable EPA specially for Exchange Server, given the "unique role that Exchange Server plays in the NTLM threat landscape." The company pointed to CVE-2024-21413, CVE-2023-23397, and CVE-2023-36563 as examples of recent vulnerabilities that attackers have exploited for NTLM coercion purposes. "Office documents and emails sent through Outlook serve as effective entry points for attackers to exploit NTLM coercion vulnerabilities, given their ability to embed UNC links within them," the company says.

Kolsek says it's unclear if Microsoft's advice for protecting against NTLM attacks has anything to do with his recent bug disclosure. "\[But\] if possible, follow Microsoft's recommendations on mitigating NTLM-related vulnerabilities," he says. "If not, consider 0patch," he adds, referring to the free micropatches that his company provides for vulnerabilities, especially in older and no longer supported software products.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Source

DARKReading