Cyberattackers have been targeting the online NFT marketplace with emails claiming to make an offer to a targeted user; in reality, clicking on a malicious link takes victims to a crypto-draining site.

Source: Mundissima via Alamy Stock Photo

Cyberattackers are targeting users of the OpenSea nonfungible token (NFT) platform with a phishing attack that lures users with the potential sale of items listed on the marketplace. The aim? Draining their cryptocurrency wallets dry.

Researchers at Cofense discovered the campaign, in which adversaries impersonate the OpenSea website and claim a user has a new offer on a listing on the site to try to bait them into clicking on a malicious link.

"The goal of the phishing scheme is to get recipients to connect their crypto wallets to the phishing page, which will drain their wallets," Cole Adkins of the Cofense Phishing Defense Center wrote in a post. "The phish presents itself as an offer on an NFT the recipient has listed on OpenSea, in hopes they will click on it and connect their wallet once redirected."

OpenSea is the largest marketplace for NFTs and thus "the go-to platform for many entry-level NFT enthusiasts looking to enter the crypto collectible market," who are likely unaware of the common tactics of phishers and thus can easily be fooled, he wrote.

The campaign demonstrates the speed with which attackers are targeting new and emerging technologies like NFT — which held little interest for people until OpenSea was launched in 2017 —  with custom campaigns tailored to their particular interests, he said. OpenSea marketplace currently has more than 2 million users with at least one transaction on the site, many of them enterprise users.

Related:Sneaky Skimmer Malware Targets Magento Sites Ahead of Black Friday

**OpenSea Brand Impersonation for the Phishing Lure**

The attack begins when targeted victims receive an email that appears to come from OpenSea. To a savvy user, it would be a clear phish, as the sender address is "administrator\[at\]motordna\[dot\]io," and thus unrelated to the NFT marketplace. However, the branding in the content of the email mimics OpenSea using a look that's similar to the site, and it could fool someone not keeping an eye out for phishing clues, according to Cofense.

"By branding the email as OpenSea and employing the same email format used for an actual notification from the OpenSea NFT marketplace, the threat actor hopes to ease the recipient’s suspicion so they will click the button in the email body," Adkins wrote.

Recipients are prompted to hit an "Access Now" button to direct to a purported offer that's come on one of their items on the marketplace, demonstrating the use of social engineering that adds urgency and aims to instill excitement at the potential of a sale, he wrote.

Users that click on the button are directed to a fake OpenSea webpage that's also been designed by attackers to appear legitimate. The page shows that an offer has been made on an NFT owned by the victim and they must accept it quickly by connecting to their crypto wallet via a "Connect Wallet" button, or else lose their chance at a sale. Clicking presents the user with multiple ways to access the wallet, such as via a QR code or signing in with credentials. Once this step is complete, an attacker can control the wallet and any credentials associated with it.

Related:News Desk 2024: Can GenAI Write Secure Code?

**NFT in the Crosshairs**

The campaign is not the first time OpenSea has been targeted by a potential threat actor. A couple of years ago, an employee of one of the marketplace's email vendors, Customer.io, accessed and downloaded the company's email list, ostensibly for future phishing attacks. The cybercriminal group Marko Polo also has impersonated OpenSea as a way to target its users for fraud.

While NFT hasn't quite gone mainstream yet, attackers are increasingly targeting those interested in the novel technology to expand their attack surface. These attacks will likely ramp up as the technology gains popularity, according to Cofense. "This … highlights why recipients must stay vigilant and up to date with common phishing threats in order to protect their assets," Adkins wrote.

Related:Israel Defies VC Downturn With More Cybersecurity Investments

Cofense recommends that users of OpenSea and other NFT marketplaces use the same online hygiene as any other e-commerce user when navigating access to their accounts. Best practices for protecting assets include avoiding clicking on links in emails from addresses or users they don't recognize, and learning to recognize common phishing and social-engineering tactics. The company also recommends that OpenSea users should check the sender field of any email that purports to be from the marketplace for suspicious-looking addresses that could alert them to foul play.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

OpenSea Phishers Aim to Drain Crypto Wallets of NFT Enthusiasts

Protection ranged from 0.38% to 50.57% for security effectiveness.

PRESS RELEASE

AUSTIN, Texas, Nov. 26, 2024 /PRNewswire/ -- CyberRatings.org (CyberRatings), the non-profit entity dedicated to providing confidence in cybersecurity products and services through its research and testing programs, has completed an independent "Mini-Test" of Cloud Service Provider (CSP) Native Firewalls from Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). Security effectiveness protection ranged from 0.38% to 50.57%.

In today's cloud-centric environment, businesses often face a critical choice regarding the security of their cloud infrastructure. They can rely on firewalls offered directly by Cloud Service Providers (CSPs) or use independent security vendor firewall offerings typically available through the respective CSP's marketplace. Security effectiveness is a crucial factor in selecting the right firewall solution, as it directly impacts the organization's ability to protect against cyber threats.

The CSP firewalls were tested against 522 exploits using Keysight's CyPerf v5.0 software testing platform, offering an evidence-based look at how well these native solutions withstand real-world security threats. Only known Common Vulnerabilities and Exposures (CVEs) from the last ten years with a severity of medium or higher were used to assess security effectiveness, usability, and protection. The exploit (CVE) types targeted servers and are typically relevant to cloud workload deployments.

"This was designed to be an entry level test," said Vikram Phatak, CEO of CyberRatings.org. "The exploits were straightforward; we didn't apply any evasions which is normally how attackers bypass security products. The number of missed exploits is concerning. Until cloud native firewalls demonstrate they have a higher level of security effectiveness to protect against cyber threats, we strongly recommend that customers consider third-party providers with a proven track record."

This test is part one of a two-part test. Part two will include a higher number of exploits, along with evasions and malware. The second part of the test will also compare cloud service provider native solutions against market leading third-party cloud network firewall providers.

The native firewalls were tested using Keysight's CyPerf v5.0 software testing platform. Enterprises can easily replicate the results with a 2-week free trial from Keysight. Further details of the strike library can be found here: https://www.keysight.com/us/en/products/network-test/cloud-test/cyperf.html

The test report is available for free at cyberratings.org.

About CyberRatings.org 

CyberRatings.org is a 501(c)6 non-profit organization dedicated to providing confidence in cybersecurity products and services through our research and testing programs. We provide enterprises with independent, objective ratings of security product efficacy to make informed decisions. To become a member, visit www.cyberratings.org and follow us on LinkedIn.

SOURCE  CyberRatings.org

CyberRatings.org Announces Test Results for Cloud Service Provider Native Firewalls

Findings reveal growing cybersecurity risks in ecommerce, exposing vulnerabilities in PII handling and lack of basic security protections like HTTPS and WAFs

PRESS RELEASE  
PALO ALTO, Calif., Nov. 26, 2024 – CyCognito today released a special report on the security risks facing ecommerce platforms during the holiday shopping season, highlighting the growing threats to customer data as Black Friday and Cyber Monday drive a surge in online activity. The findings showed that, despite ecommerce sites handling more sensitive data than ever, vulnerabilities continue to persist—especially in web applications and interfaces. 

With the holidays fast approaching, both retailers and shoppers need to be prepared for the risks of the seasonal rush. As they race to meet shopping demands, attackers are ready to exploit vulnerabilities in ecommerce assets, potentially stealing personal information or causing major disruptions,” said Emma Zaballos, Senior Researcher, CyCognito. “It’s crucial for retailers to prioritize ongoing security checks, ensuring their websites are prepared well ahead of peak shopping days. Otherwise, the consequences could be a far worse gift than any shopper expected.”

For this report, CyCognito’s research team aggregated and analyzed ecommerce web application assets across its customer base from November 2023 to October 2024. All findings are anonymized and normalized. These customers span multiple industry verticals and include a mix of small, medium, and large enterprises across the globe, including Fortune 500 companies.

Key findings:

*   Ecommerce Sites Handling Sensitive Data at Risk
    
*   Widespread Lack of HTTPS and WAF Protections
    
*   PII-Exposing Assets Lacking Security Protections
    
*   Certificate Validity and Trust Issues  
    

To view the full report, please visit this link.

About CyCognito

CyCognito is an exposure management platform that reduces risk by discovering, testing and prioritizing security issues. The platform scans billions of websites, cloud applications and APIs and uses advanced AI to identify the most critical risks and guide remediation. Emerging companies, government agencies and Fortune 500 organizations rely on CyCognito to secure and protect from growing threats. For more information, visit https://www.cycognito.com/

CyCognito Report Highlights Rising Cybersecurity Risks in Holiday E-Commerce

Imagine your car gossiping to insurance companies about your lead foot, or data brokers peddling your daily coffee run. Welcome to the world of connected cars, where convenience and privacy are locked in a head-on collision.

Source: santoelia via Alamy Stock Photo

COMMENTARY

If you drive an Internet-connected car, like I do, your real threat isn't a cop with a radar gun: It's your vehicle becoming a giant, metal snitch. Under your hood, through miles of circuitry, lies a dark secret: Data brokers are collecting every detail of your trip, from where you grab your morning coffee to that shortcut you take to avoid rush hour. They say it's for safety and a better driving experience, but regardless, the idea of our cars spying on us can be terrifying. However, before we admonish our all-seeing rides, we must be honest with ourselves — the convenience we opt into isn't the same as a full-blown invasion of privacy. 

I've been in cybersecurity for more than a decade, taking the fight to the worst threat actors and fending off market-shifting phishing attacks. I get the whole "privacy matters" spiel. But let's face it: We crave convenience and yet complete privacy on the road isn't always practical, especially when it comes to safety. 

My garage houses its own fleet of Teslas — three to be exact, including one for my teenage daughter (just to be clear, I'm not an Elon fanboy). I love these cars because they're packed with safety features that allow me to monitor and supervise our driving. This is important to me because teenagers and speeding go together like peanut butter and jelly. Age aside, who among us hasn't rolled through a stop sign in the wee hours? We all have imperfections, and for me and my family, that includes the occasional lapses in driving that I want to know about. 

Some folks might clutch their pearls at the thought of supporting tracking features, and in some cases they'd be right. I can scoff at the US Automobile Association's (USAA) attempt to totally track me with its SafePilot app just for an insurance discount. But Tesla's monitoring feature that lets me see where my daughter ghosts off to after curfew? Totally different.  

It's all about commonsense control. USAA wants to use my data to judge my driving and probably jack up costs down the road. Tesla's features, and others like it, skew toward safety and meaningful oversight (again, not an Elon fanboy).  

**Picking and Choosing Our Privacy Choices**

The point is, we're all picking and choosing when it comes to privacy, whether we know it or not. We crave convenience and control, even if it means sacrificing a bit of anonymity in the digital age. But is this the future we signed up for? Convenience at the expense of complete transparency? We willingly hand over our data to the tech giants — the Apples and Googles of the world — trusting them to be our benevolent data overlords. They assure us our information is anonymized, like a digital cloak of invisibility protecting our identities. And we just have to trust them. Here's the thing: I sleep soundly at night knowing my Internet-connected car's got my back (and my daughter's). 

That isn't to say this is a black-and-white issue. We do need a data reality check. Yes, personalized data collection can be a good thing. Suggesting that scenic rest stop on your road trip through Yosemite is super helpful. But the line gets blurry when that same data allows insurance companies to track your movements or marketers to manipulate you into buying an overpriced Chick-fil-A sandwich along your normal route home. 

In less safe, opted-in hands, our so-called anonymized data becomes a dystopian road map of our lives, influencing everything from insurance rates to targeted ads for the nearest repair shop (because, hey, after that questionable parking job, you must need one!). 

The bigger problem is the lack of transparency and accountability. Just how much anonymized data gets used for less helpful purposes remains unclear. We're quick to click "Accept" on those endless terms-of-service agreements faster than you can say "data breach." Suddenly, your reckless driving habits, gleaned from your helpful Internet-connected car, could torpedo your chances of getting an auto loan, or worse. It's like having a digital stalker whispering the worst, juiciest gossip about you to lenders. 

Even worse, malicious threat actors, particularly nation-state groups, lurk in these gray areas. They're exploiting vulnerabilities in data transmission protocols or storage systems to snag sensitive driver information — everything from real-time location to private conversations. This grants them a frightening level of control over individuals as well as the potential to disrupt critical infrastructure. 

**We Deserve a Say**

So, the next time you scoff at a car's "stalker" features, take a good look at your own smartphone, brimming with data-hungry apps. Maybe a little commonsense privacy hypocrisy is the price we pay for our self-driving, AI-powered future. In the meantime, we still deserve a say in how our data is used. We need stricter regulations and a healthy dose of skepticism toward "anonymous data" claims. Governments can incentivize research and development in secure data storage and anonymization techniques. This way, businesses can offer new services without compromising user privacy. 

Privacy isn't a luxury. It's a fundamental right. Let's not trade it away for the fleeting convenience of a perfectly optimized commute. This is a fight for our data, privacy, and the freedom to exist online without being constantly tracked and judged if we don't want it. Remember Rage Against the Machine? They're still my favorite band. I can't help but feel that one of their lyrics rings true here: "If we don't take action now, we settle for nothing later." If we don't take action now, we'll surrender our privacy bit by bit, until there's nothing left. 

**About the Author**

CEO & Co-Founder, Huntress

Kyle Hanslovan is CEO and co-founder of Huntress, where he protects 150,000 businesses and oversees millions of employees, and isn’t afraid to drop hot takes to disrupt herd mentality. He’s successfully raised nearly $200 million in venture capital and is passionate about entrepreneurship, innovation, radical candor, and social impact. Prior to this, he served 10 years in the US intelligence community and Air Force supporting offensive cyber operations. During this time, he won the World Series of hacking (DEF CON's CTF) and presented at most major cybersecurity conferences.

My Car Knows My Secrets, and I'm (Mostly) OK With That

The incident is typical of the heightened threats organizations face during the holidays, when most companies reduce their security operations staff by around 50%.

Source: Ned Snowman via Shutterstock

A disruptive ransomware attack on Blue Yonder, a supply chain management software provider for major retailers, consumer product companies, and manufacturers, highlights the heightened risk organizations face during the busy holiday season.

A Nov. 21 attack on Blue Yonder affected infrastructure that the company uses to host a variety of managed services for customers, which include 46 of the top 100 manufacturers, 64 of the top 100 consumer product goods makers, and 76 of the top 100 retailers in the world.

**Major UK Supermarket Chains Hit in Cyberattack**

Among those reportedly most affected by the attacks are Morrisons and Sainsbury's, two of the UK's largest supermarket chains. British media outlet The Grocer quoted a Morrisons spokesperson as describing the Blue Yonder attack as affecting the smooth delivery of goods to stores in the UK. Availability of some product lines at wholesale and convenience locations could drop to as low as 60% of normal availability, the media outlet reported.

In the US, Starbucks reported the Blue Yonder attack affecting a back-end process for employing scheduling and time-tracking. But besides that, there have been no confirmed reports so far of widespread disruptions resulting from the attack. Blue Yonder's US customers include Kimberly-Clark, Anheuser-Busch, Campbell's, Best Buy, Wegmans, and Walgreens.

Related:Dark Reading Confidential: Meet the Ransomware Negotiators

In its initial disclosure on Nov. 21, Blue Yonder said it experienced disruptions to its managed services hosted environment, which it determined was the result of a ransomware attack. The company said it was actively monitoring its Blue Yonder Azure public cloud environment but had not spotted any suspicious activity.

"Since learning of the incident, the Blue Yonder team has been working diligently together with external cybersecurity firms to make progress in their recovery process," a Blue Yonder spokesperson said in an emailed statement to Dark Reading. "We have implemented several defensive and forensic protocols" to mitigate the issue.

"We have notified relevant customers and will continue to communicate as appropriate. Additional updated information will be provided on our website as our investigation proceeds," the spokesperson added. The statement did not provide any kind of timeline by which it hopes to completely restore its systems.

**Ripple Effect From Blue Yonder Hack**

The fallout from the Blue Yonder attack is similar to that from other major supply chain attacks in recent times, including the ones on Progress Software's MOVEit file transfer software, Kaseya, WordPress, and Polyfill.io. In each instance, the threat actors behind the attacks managed to impact a broad swath of organizations by targeting a single trusted player in the software supply chain.

Related:Fancy Bear 'Nearest Neighbor' Attack Uses Nearby Wi-Fi Network

The Blue Yonder incident is also typical of the attacks that tend to happen around holidays and during weekends, when IT departments tend to be less than fully staffed. Research that Semperis conducted showed that 86% of ransomware victims over the past year were targeted either on a holiday or on a weekend. More than six in 10 respondents in the survey said they experienced a ransomware attack during a corporate event.

Semperis found that while most of the organizations in its survey maintained a round-the-clock security operations capability, some 85% scaled back security operations center (SOC) staffing levels by up to 50% outside normal business hours.

**Opening the Door to Cyberattacks**

"Despite widespread cybersecurity efforts, many organizations are unintentionally opening a door to ransomware by reducing their defenses during weekends and holidays," says Jeff Wichman, director of incident response at Semperis. "Attackers clearly expect this behavior and target these periods — as well as other material corporate events that might signal distracted or reduced defenses — to strike.

Related:Yakuza Victim Data Leaked in Japanese Agency Attack

Wichman says the Semperis study looked at nearly 1,000 organizations in the US, the UK, France, and Germany. In each country, the vast majority of businesses reduce staffing by up to 50% on holidays and weekends. In Germany, 75% of organizations downsized staff by as much as 50% on holidays and weekends. "In security, you can’t wax or wane, and your defenses need to be constant" and around the clock, he says.

Wichman recommends that organizations maintain at least 75% of their regular staffing levels on holidays and weekend to maintain operational resiliency.

Nick Tausek, lead security automation architect at Swimlane, says incidents like the attack on Blue Yonder highlight why cyber hygiene is important at all times of the year, but especially so during the holiday season: "User training, frequent, comprehensive backups, and a tested disaster recovery plan are the three biggest protections against cybercriminals and ransomware operators during the busy holiday season."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Ransomware Attack on Blue Yonder Hits Starbucks, Supermarkets

The anti-fraud plan calls for companies to create a pipeline for compiling attack information, along with formal processes to disseminate that intelligence across business groups.

Source: Romolo Tavani via Shuttertock

A data-focused approach to tackling phishing and business fraud promises significant reductions in the amount of phishing and phone-based fraud that companies — and their customers — face, but worries remain over whether fraudsters will adapt.

The Financial Services Information Sharing and Analysis Center (FS-ISAC) unveiled its Phishing Prevention Framework on Nov. 19, a program consisting of best practices in data collection, defense, and customer communications that has already reduced the volume of phishing incidents — as measured by abuse complaints — in a pilot program with three banks. The framework cut the incidence of abuse complaints for those financial services firms in half and promises significant benefits for any business targeted by cybercriminals, if they implement certain best practices — such as security education and intelligence collection — included in the framework.

While FS-ISAC has released the framework for the financial services sector — where phishing is a pernicious problem — the techniques are broadly applicable, says Linda Betz, executive vice president of global community engagement at the organization.

"While the framework is tailored for financial institutions due to the sensitive nature of their operations, the strategies can benefit businesses across industries," she says. "For instance, cataloging communication channels and deploying anti-phishing technologies are broadly applicable and scalable solutions for any organization dealing with sensitive customer interactions or high volumes of transactional data."

The financial services sector is not the only industry plagued by phishing. In 2023, US consumers and businesses reported nearly 300,000 phishing-related crimes to the FBI, according to its annual Internet Crime Report. Phishing and pretexting — which differ in that the attacker surreptitiously joins an email thread — account for 31% and 40%, respectively, of all social engineering attacks, according to Verizon's "2024 Data Breach Investigations Report" (DBIR). Security awareness exercises have found that it takes less than 60 seconds for the first victims of a phishing campaign to click a link and enter their information.

**Focus on Sources, Not Transactions**

As part of its Phishing Prevention Framework, the FS-ISAC recommends that organizations create a data-focused process for handling abuse complaints and focus on maximizing the insights that can be learned from phishing campaigns. Companies should create a fraud and phishing intake pipeline that records critical information and an abuse box infrastructure that allows security and fraud teams to disseminate intelligence to other business groups, the report states.

Three banks that piloted the Phishing Prevention Framework all saw decreases in phishing abuse, but Bank A saw the most dramatic changes. Source: FS-ISAC's "Stop the Scams: A Phishing Prevention Framework for Financial Services" report

The key issue is that fraud reporting often focuses on preventing the bad transaction and spends little time on understanding how the activity originated, FS-ISAC's Betz says.

"Structuring the abuse box to glean that information from the customer helps the financial institution know where to focus to address the root cause and take actions to reduce the risk and prevent future attempts, then share the actionable intelligence across the organization and the sector," she says. "\[Companies\] should implement structured fraud reporting systems to capture actionable data, coordinate across relevant departments, and participate in industrywide threat intelligence platforms to help the entire sector understand the current tactics being used by fraudsters."

The framework also calls for cataloging all of the ways a business communicates with customers and partners, a potentially time-consuming process. While automation can help, collaborating internally across groups and with third parties is key, says Betz.

"Leveraging a succinct data collection survey including the type, origin, and results of the fraudulent activity can help establish any trends in the phishing attempts and better identify any weak areas within networks," she says.

**Keeping Up With Attackers**

While all the steps included in the framework are common sense approaches to anti-phishing, implementing them all will take time, says Betz. For that reason, the FS-ISAC has listed the actions along with a step number to prioritize defensive efforts.

Whether establishing the processes and technologies called for by the Phishing Prevention Framework will lead to fewer successful phishing campaigns or just force attackers to evolve remains to be seen, says Matthew Harris, senior product manager for fraud at OpSec Security, a brand protection and anti-fraud firm.

"One thing I've learned about dealing with fraudsters is that they'll pivot instantly, and the problem is that they'll pivot far faster than any other company can pivot," he says. "If they realize that there's a way that they can get better ROI, they'll do it."

Scammers are already moving toward phishing attacks that increasingly use voice calls. Phone-based phishing started as a minor issue in 2021 and now accounts for nearly a quarter (23%) of all phishing attacks, according to data collected by OpSec Security. Phone-based phishing includes SMS phishing — "smishing" — and phishing emails that include a fraudulent phone number.

Because there are fewer integrity checks on phone calls, cyberattackers will likely increasingly use the telecommunications channel in their scams, says OpSec's Harris.

"As email security ... has gotten more and more advanced, it becomes more and more difficult \[for a scammer\] to communicate a traditional email to a person," he says. "By pivoting away from email and toward a phone number, ... there's a good chance a person is going to pick up that phone \[giving them\] access to the victim directly."

For that reason, the final step of the FS-ISAC's framework includes collaborating with telecommunications firms to reduce the attack surface area through phone systems. Many providers have technologies or services, such as "Do Not Originate," on numbers that are inbound only, giving business customers additional controls, says FS-ISAC's Betz.

"Partnerships with telecommunications providers are increasingly collaborative, as these companies recognize the mutual benefits of reducing spam and phishing attacks," she says.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Phishing Prevention Framework Reduces Incidents by Half

New analysis says law enforcement efforts against Russian-language ransomware-as-a-service (RaaS) infrastructure helped consolidate influence behind BlackBasta, but some experts aren't so sure the brand means that much.

Source: JK Sulit via Alamy Stock Photo

The Russian-language ransomware scene isn't all that big. And despite an array of monikers for individual operations, new analysis shows these groups' members are working in close coordination, sharing tactics, botnets, and malware among one another, as well as with the Russian state. And now, a new power player ransomware group brand has emerged — BlackBasta.

Since the spectacular law enforcement takedown of Conti's operations in 2022, the Russian-language ransomware landscape has been a bit in flux. Upending usual business operations further was the subsequent August 2023 takedown of Qakbot botnets, long relied upon by these groups to deliver their ransomware. The law enforcement action, called "Operation Duck Hunt," removed Qakbot malware from more than 700,000 infected machines. The Qakbot botnet takedown success would be short lived. Analysts started to see the it pop back up in cyberattacks just a couple of months later.

Even so, by January, BlackBasta has already pivoted and was observed using a competing botnet tool called Pikabot, along with an emerging new threat group, Water Curupira, which similarly used Pikabot to drop BlackBasta ransomware.

From there BlackBasta diversified into phishing, vishing, and social engineering, as well as buying entry into target networks from initial access brokers. But by last August, the ransomware group was using its own custom-developed malware, Cogscan, used to map victim networks and sniff out the most valuable data, as well as a .NET-based utility called Knotrock, used to execute ransomware.

Related:Dark Reading Confidential: Pen-Test Arrests, 5 Years Later

**Are Law Enforcement Takedowns Against Ransomware Working?**

In a new report, RedSense cybersecurity analyst Yelisey Bohuslavskiy has provided a detailed look at the evolution of BlackBasta tactics, concluding that the group's requirement to adapt in the wake of large-scale law enforcement has made it a leader in the Russian-language ransomware space. In fact, Bohuslavskiy worries that the group is in a position to become an important partner of the Russian state. In the report, he used the example of the punishing rounds of cyberattacks against the healthcare sector this year and a potential bleak peek at what's to come.

"Considering the abnormality of 2024 high-profile attacks against healthcare, I am concerned about the potential liaison between BlackBasta and \[Russian nation-state threat actor\] Nobelium \[Midnight Blizzard\] and the Russian security apparatus in general," Bohuslavskiy tells Dark Reading. "While at this point, the connection is mostly MS Teams exploitation and some other TTPs and can not be confirmed, if in the future Russian ransomware groups will develop direct cooperation with the Russian state, this will result in tangible deterioration of the threat landscape."

Related:Leaky Cybersecurity Holes Put Water Systems at Risk

He predicts that BlackBasta and the hackers in its orbit will get increasingly sophisticated in their attacks in the months to come, namely social engineering attempts at compromising credentials.

"I would advise preparing for defending different social engineering against endpoints with a focus on credentials," Bohuslavskiy adds. "Cisco, Fortinet, and Citrix credentials are definitely the main focus of BlackBasta now. I would also look at GitHub repositories and other open repositories that an enterprise may have, as we are seeing these actors hunting for them."

This is good news for cyber defenders. Social engineering is a much less efficient way to disseminate ransomware versus a botnet blast, Bohuslavskiy adds.

"To my opinion, the most important thing is that law enforcement action is working," he says. "The transition shows a slow but steady movement from botnets to social engineering, even for traditionalists like BlackBasta. And by all means, social engineering is inferior to botnets in dissemination."

Related:Going Beyond Secure by Demand

Bohuslavskiy points to the Conti group's foray into a massive experiment with call centers filled with people conducting social engineering cyberattacks, adding that it turned out to be a flop.

"Trickbot, Emotet, and Qbot were the ultimate sources of ransomware delivery for the entirety of the Russian-speaking domain, and by now, all of them are down due to law enforcement action," he says. "No substitute has come since. However, we should be aware that the leadership of the groups also understands this, and therefore, they will try to double down on developing new botnets. This is why I predict that BlackBasta's plays with social engineering will be short-lived."

**Russian-Language Ransomware Coordination**

Expert ransomware negotiator Ed Dubrovsky, COO and partner at Cypfer, isn't sure it's that simple. In his experience, he explains, these Russian RaaS operations are highly decentralized groups of individual hackers with a complex organizational structure. Assigning cooperation between groups and the Russian state implies a level of operational coordination he hasn't seen.

When one group is taken down by law enforcement, individual talent easily flows to another brand, in his view.

"We tend to bunch them up together into a named group like BlackBasta, which is nothing more than an umbrella structure offering software and infrastructure solutions and some adjacent services," Dubrovsky says. "They are completely dependent on the affiliates, aka franchisees, to actually conduct attacks. So to claim that there is cooperation between nation-state actors and a ransomware 'brand' or 'franchise' is almost equivalent to saying McDonald's is working with state actors because they have a McDonald's in Russia."

He suggests it's more likely individuals shuffling around ransomware trade secrets driven purely by return on investment rather than commitment to any specific group or specific fear of law enforcement.

It's also important to note that "Russian-speaking" doesn't necessarily mean "Russian threat actors" when it comes to the hackers circulating around these RaaS operations, Ngoc Bui, cyber expert with Menlo Security says.

"Many Dark Web forums and illicit communities predominantly use the Russian language, but this doesn’t necessarily mean all participants are Russian," she explains. "This distinction is critical when interpreting predictions about increased coordination."

She adds there is a "golden rule" among these adversaries.

"As long as operations don’t target Russia or its allies, they are often overlooked," she says. "This tolerance can make Russia an appealing environment for cybercriminals to operate, whether or not direct state coordination is involved."

Beyond assigning specific tactics to various brands, Dubrovsky urges cybersecurity teams to focus on protecting their systems from increasingly well-funded and well-trained Russian-speaking ransomware adversaries. The entire threat landscape has been exploding since 2013, and he views its "further deterioration" predicted by Bohuslavskiy as an obvious given.

"Could we say that this will accelerate even more due to the resources available to \[threat actors\] and certainly nation-states? Absolutely," Dubrovsky adds. "Would/could it be directly correlated because of observed TTPs? Not sure this will ever be conclusive. The real question is how do we defend against threat actors with increasing resources and capabilities to cause more impact."

BlackBasta Ransomware Brand Picks Up Where Conti Left Off

In a "new class of attack," the Russian APT breached a target in Washington, DC, by credential-stuffing wireless networks in close proximity to it and daisy-chaining a vector together in a resourceful and creative way, according to researchers.

Source: Science Photo Library via Alamy Stock Photo

A sophisticated cyber-espionage attack used by notorious Russian advanced persistent threat (APT) Fancy Bear at the outset of the current Russia-Ukraine war demonstrates a novel attack vector that a threat actor can use to remotely infiltrate the network of an organization far away by compromising a Wi-Fi network in close proximity to it.

Fancy Bear (aka APT28 or Forest Blizzard) breached the network of a US organization using this method, which the researchers at Volexity are calling a "Nearest Neighbor" attack.

"The threat actor accomplished this by daisy-chaining their approach, to compromise multiple organizations in close proximity to their intended target, Organization A," Volexity researchers Sean Koessel, Steven Adair, and Tom Lancaster wrote in a post detailing the attack. "This was done by a threat actor who was thousands of miles away and an ocean apart from the victim."

The hack demonstrated "a new class of attack" for an attacker so far away from the intended target to use the Wi-Fi method, the researchers said. Volexity tracks Fancy Bear — a part of Russia's General Staff Main Intelligence Directorate (GRU) that's been an active adversary for at least 20 years — as "GruesomeLarch," one of the APT's many names.

Volexity first discovered the attack just ahead of Russia's invasion of Ukraine in February 2022, when a detection signature Volexity had deployed at a customer site indicated a compromised server. Eventually, the researchers would determine that Fancy Bear was using the attack "to collect data from individuals with expertise on and projects actively involving Ukraine" from the Washington, DC-based organization.

Related:Dark Reading Confidential: Meet the Ransomware Negotiators

**A Cyberattack Chained Through Multiple Orgs**

The attack involved Fancy Bear performing credential-stuffing attacks to compromise at least two Wi-Fi networks in close physical proximity to the target. The attacker then used credentials to compromise the organization, since credential-stuffing attacks alone couldn't compromise the targeted organization's network due to the use of multifactor authentication (MFA), according to Volexity.

"However, the Wi-Fi network was not protected by MFA, meaning proximity to the target network and valid credentials were the only requirements to connect," the researchers wrote.

Ultimately, the investigation revealed "the lengths a creative, resourceful, and motivated threat actor is willing to go to in order to achieve their cyber-espionage objectives," they wrote.

During the course of a lengthy investigation, Volexity worked with not only with the targeted organization but also connected with two other organizations (aka Organizations B and C) that were breached to eventually reach the target.

Related:Ransomware Attack on Blue Yonder Hits Starbucks, Supermarkets

Ultimately, Volexity discovered an attack structure to breach Organization A that used privileged credentials to connect to it via the Remote Desktop Protocol (RDP) from another system within Organization B's network.

"This system was dual-homed and connected to the Internet via wired Ethernet, but it also had a Wi-Fi network adapter that could be used at the same time," the researchers explained in their post. "The attacker found this system and used a custom PowerShell script to examine the available networks within range of its wireless, and then connected to Organization A's enterprise Wi-Fi using credentials they had compromised."

Moreover, the APT also used two modes to access to Organization B's network to gain intrusion to the ultimate target, the researchers discovered. The first was using credentials obtained via password-spraying that allowed them to connect to the organization's VPN, which was not protected with MFA. Volexity also found evidence the attacker had been connecting to Organization B's Wi-Fi from another network that belonged to nearby Organization C, demonstrating the daisy-chain approach to the attack, the researchers wrote.

Related:Yakuza Victim Data Leaked in Japanese Agency Attack

Throughout the attack, Fancy Bear adopted a living-off-the-land approach, leveraging standard Microsoft protocols and moving laterally throughout the organization. One tool in particular that they made particular use of was an inbuilt Windows tool, Cipher.exe, that ships with every modern version of Windows, the researchers found.

**Beware Thy (Wi-Fi) Neighbors**

Because the attack highlights a new risk for organizations of compromise through Wi-Fi even if an attacker is far away, defenders "need to place additional considerations on the risks that Wi-Fi networks may pose to their operational security," treating them "with the same care and attention that other remote access services, such as virtual private networks (VPNs)," the researchers observed.

Recommendations for organizations to avoid such an attack include creating separate networking environments for Wi-Fi and Ethernet-wired networks, particularly where Ethernet-based networks allow for access to sensitive resources. They also should consider hardening access requirements for Wi-Fi networks, such as applying MFA requirements for authentication or certificate-based solutions.

To detect a similar attack once the threat actor achieves presence on the network, organizations should consider monitoring and placing an alert on anomalous use of the common netsh and Cipher.exe utilities. Defenders also can create custom detection rules to look for files executing from various nonstandard locations, such as the root of C:\\ProgramData\\, and improve detection of data exfiltration from Internet-facing services running in an environment.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Fancy Bear 'Nearest Neighbor' Attack Uses Nearby Wi-Fi Network

Diversity isn't just an issue of fairness — it's about operational excellence and ensuring we have the best possible teams defending our national security.

Theresa Payton, Former White House CIO, and CEO, Fortalice Solutions, LLC

November 25, 2024

6 Min Read

Source: designer491 via Alamy Stock Photo

COMMENTARY

The US government often operates with a natural inclination toward risk aversion and a slower pace of change compared with the private sector. While this cautious approach is understandable, given the high stakes of national security, it can inadvertently hinder efforts to close the diversity gap in cybersecurity and STEM fields (that is, science, technology, engineering, and mathematics). By sharing best practices across the public and private sectors, the US government and the private sector can build a more diverse and resilient cybersecurity workforce, capable of addressing today's complex threats. 

Here are seven strategies that every enterprise, whether in the public or the private sector, can implement to close the diversity gap in cybersecurity, drawing from successful approaches: 

**Proactive Recruitment **

In the private sector, actively seeking diverse talent rather than waiting for applicants has yielded substantial results. We've broadened our talent pool by partnering with organizations dedicated to underrepresented groups in tech and attending diversity-focused events. Similarly, the US government can implement a proactive approach, targeting communities that historically have been underrepresented in STEM and cybersecurity. 

Stat: Partnering with organizations like Women in Cybersecurity (WiCyS) or the National Society of Black Engineers (NSBE) can help increase diversity. According to the "ISC2 Cybersecurity Workforce Study," only 24% of cybersecurity professionals are women, and the numbers are even lower for Black and Hispanic professionals. Proactive partnerships and outreach are crucial to closing this gap. 

**Flexible Career Pathways**

Offering flexible career pathways has proven to be a powerful recruitment and retention tool in the private sector. Rather than adhering to rigid, predefined positions, designing roles around an individual's strengths, skills, and interests attracts a more diverse workforce. Nontraditional candidates bring fresh perspectives, which are invaluable in the evolving cybersecurity landscape. 

The US government has leveraged the NICE framework, which is a good foundation. All enterprises can implement dynamic roles and career pathways tailored to diverse skill sets and backgrounds. This flexibility would make government careers more appealing to underrepresented talent. 

Stat: According to the "ISC2 Cybersecurity Workforce Study," expanding career pathways can help close the global cybersecurity workforce gap, which is estimated to be more than 3.4 million professionals. 

**Building an Inclusive Culture**

Culture is critical to retaining diverse talent. It's not enough to hire diverse candidates — organizations must also create environments where everyone feels valued. In our experience, building an inclusive culture has strengthened our team's ability to tackle complex challenges.  

Fostering an inclusive culture would help enterprises recruit and retain diverse talent. A diverse team brings new ideas and varied perspectives, which is crucial when defending against rapidly evolving cyber threats. 

**Leveraging Midcareer Switchers**

Midcareer professionals from diverse fields like project management, communications, music, and arts can bring valuable transferable skills to cybersecurity roles. Some of our most effective cybersecurity professionals come from non-technical backgrounds, where problem-solving, creativity, and leadership were honed. 

The US government and private sector could benefit from targeting mid-career switchers and offering retraining and upskilling programs to support their transition. This approach would diversify the talent pool and inject fresh perspectives into government cybersecurity teams. 

Stat: According to the World Economic Forum, 50% of all employees will need reskilling by 2025. Leveraging the transferable skills of midcareer professionals can be a strategic solution for addressing talent shortages. 

**Targeted Outreach for BIPOC Talent**

To close the diversity gap, targeted outreach to Black, indigenous, and people of color (BIPOC) communities is essential. This can be achieved through partnerships with minority-serving institutions and organizations focused on increasing representation in tech. Scholarships, mentorship, and internship programs specifically designed for BIPOC students and professionals can help build a pipeline of diverse talent into government roles. 

Stat: Currently, only 9% of cybersecurity professionals are Black, and just 4% are Hispanic, according to ISC2's "Cybersecurity Workforce Study." Targeted initiatives can help bridge these gaps and attract underrepresented talent to cybersecurity roles. 

**Early Engagement With Younger Talent**

The private sector has seen remarkable success by engaging younger talent early in their education and careers. Hackathons, internships, and partnerships with gaming communities have effectively identified and nurtured young cybersecurity talent. This generation is motivated by mission-driven work and seeks roles where they can make a tangible impact. 

The US government can adopt similar strategies by creating internships, challenges, and self-paced learning opportunities. By emphasizing the critical role of cybersecurity in national security, the government can make these positions more appealing to younger talent who seek purpose in their careers. 

Stat: A Deloitte survey revealed that 87% of millennials value professional development and learning opportunities in their jobs, which aligns with the desire for continuous growth and impact-driven careers. 

**Retention Through Flexibility and Support**

Retention is as important as recruitment when building a diverse workforce. Offering flexible work arrangements, professional development opportunities, and support during life transitions — such as raising children or caring for aging parents — can significantly improve retention rates. In the private sector, these initiatives have allowed us to keep diverse talent engaged and thriving. 

The US government can adopt similar strategies by implementing flexible work policies and providing robust professional development programs. When employees feel supported in balancing work and personal responsibilities, they are likely to stay and grow within the organization. 

Stat: Research shows that organizations with inclusive and flexible cultures have 1.7 times greater innovation and 2.3 times higher cash flow per employee than those without. 

**Conclusion**

Closing the career diversity gap in STEM and cybersecurity fields is critical to our nation's cybersecurity future. By sharing best practices and lessons between the public and private sectors, the United States can lead by example, closing the career diversity gap and building a more resilient cybersecurity workforce. Diversity isn't just an issue of fairness — it's about operational excellence and ensuring we have the best possible teams defending our national security.

**About the Author**

Former White House CIO, and CEO, Fortalice Solutions, LLC

Theresa Payton made history as the first female to serve as White House Chief Information Officer and currently helps organizations in both the public and private sectors protect their most valuable resources. As one of the nation’s most respected authorities on secured digital transformation, Theresa Payton is frequently requested to advise boards of the Fortune 500, CEOs, and technology executives. Theresa is a visionary in the digital world leading the way as an inventor of new security designs and has an approved US patent in security. She provides advice drawing from her experience as a technologist first and now veteran cybercrime fighter and entrepreneur, masterfully blending memorable anecdotes with cutting-edge insights.

Closing the Cybersecurity Career Diversity Gap

Attackers are betting that the hype around generative AI (GenAI) is attracting less technical, less cautious developers who might be more inclined to download an open source Python code package for free access, without vetting it or thinking twice.

Source: Adrian Vidal via Alamy Stock Photo

Two Python packages claiming to integrate with popular chatbots actually transmit an infostealer to potentially thousands of victims.

Publishing open source packages with malware hidden inside is a popular way to infect application developers, and the organizations they work for or serve as customers. In this latest case, the targets were engineers eager to make the most out of OpenAI's ChatGPT and Anthrophic's Claude generative artificial intelligence (GenAI) platforms. The packages, claiming to offer application programming interface (API) access to the chatbot functionality, actually deliver an infostealer called "JarkaStealer."

"AI is very hot, but also, many of these services require you to pay," notes George Apostopoulos, founding engineer at Endor Labs. As a result, in malicious circles, there's an effort to attract people to free access, "and people that don't know better will fall for this."

**Two Malicious "GenAI" Python Packages**

About this time last year, someone created a profile with the username "Xeroline" on the Python Package Index (PyPI), the official third-party repository for open source Python packages. Three days later, the person published two custom packages to the site. The first, "gptplus," claimed to enable API access to OpenAI's GPT-4 Turbo language learning model (LLM). The second, "claudeai-eng," offered the same for ChatGPT's popular competitor, Claude.

Neither package does what it says it does, but each provide users with a half-baked substitute — a mechanism for interacting with the free demo version of ChatGPT. As Apostopoulos says, "At first sight, this attack is not unusual, but what makes it interesting is if you download it and you try to use it, it will kind of look like it works. They committed the extra effort to make it look legitimate."

Under the hood, meanwhile, the programs would drop a Java archive (JAR) file containing JarkaStealer.

JarkaStealer is a newly documented infostealer sold in the Russian language Dark Web for just $20 — with various modifications available for $3 to $10 apiece — though its source code is also freely available on GitHub. It's capable of all the basic stealer tasks one might expect: stealing data from the targeted system and browsers running on it, taking screenshots, and grabbing session tokens from various popular apps like Telegram, Discord, and Steam. Its efficacy at these tasks is debatable.

**Gptplus & claudeai-eng's Year in the Sun**

The two packages managed to survive on PyPI for a year, until researchers from Kaspersky recently spotted and reported them to the platform's moderators. They've since been taken offline but, in the interim, they were each downloaded more than 1,700 times, across Windows and Linux systems, in more than 30 countries, most often the United States.

Those download statistics may be slightly misleading, though, as data from the PyPI analytics site "ClickPy" shows that both — particularly gptplus — experienced a huge drop in downloads after their first day, hinting that Xeroline may have artificially inflated their popularity (claudeai-eng, to its credit, did experience steady growth during February and March).

"One of the things that \[security professionals\] recommend is that before you download it, you should see if the package is popular — if other people are using it. So it makes sense for the attackers to try to pump this number up with some tricks, to make it look like it's legit," Apostopoulos says.

He adds, "Of course, most average people won't even bother with this. They will just go for it, and install it."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Source

DARKReading