The draft amendment also includes prison time for those who access systems to maliciously spy or intercept data.

Source: Simon Tilley via Alamy Stock Photo

Germany's Federal Ministry of Justice has drafted legislation that would protect security researchers who discover and report security flaws to vendors.

The draft eliminates criminal liability for people who choose to warn businesses, and ultimately the public, of cyber vulnerabilities. The proposed law amends an existing law that protects IT security researchers, companies, and hackers from punishment.

Certain criteria must be met for the act to be considered security research. The action must aim to identify a vulnerability or security risk in an IT system, and the researcher who discovers the flaw must have the intent of reporting the vulnerability to those responsible for addressing the issue. They should also only be accessing a system to identify a vulnerability.

The draft proposes a penalty of three to five months in prison for severe cases of malicious data spying and data interception that include criminal acts, acts motivated by profit, or those that result in substantial financial damage.

"Those who want to close IT security gaps deserve recognition — not a letter from the prosecutor," stated Marco Buschmann, the Federal Minister of Justice.

**About the Author**

German Law Could Protect Researchers Reporting Vulns

SANS's "2024 State of ICS.OT Cybersecurity report" highlights the most common types of attack vectors used against ICT/OT networks.

Attacks against industrial-control systems (ICS) and operational technology (OT) systems are increasing, as adversaries find weaknesses in IT networks that allow them to move into OT networks, according to a recent report from the SANS Institute.

The "State of ICS/OT Cybersecurity 2024" report is based on responses from cybersecurity professionals in various critical-infrastructure sectors. More non-ransomware incidents (74.4%) were reported than ransomware (11.7%) over the past year, according to the report.

Other initial attack vectors involved in OT/ICS incidents include compromising these systems by use of external remote services (23.7%) or Internet-accessible devices (23.7%), compromising employee workstations (20.3%) and removable media (20.3%), and a supply chain compromise (20.3%). It's worth noting that 18.6% of respondents said attackers attempted spear-phishing with an email attachment for the initial compromise.

Nearly one out of five (19%) of respondents reported one or more security incidents over the past year.

While only 12% of respondents reported being the targets of ransomware attacks in the past 12 months, the impact on the OT/ICS environment remains "potentially catastrophic," SANS said in the report. Of the organizations that reported a ransomware incident, 38% said only their IT network systems were impacted, while 28.6% said their OT/ICS networks were affected. Just 21% said both networks were impacted, and 38.1% said reliability and safety were compromised during those attacks.

"Although the overall trend \[of ransomware\] seems to have decreased, the impacts are still potentially catastrophic and should be considered for all ICS/OT-specific incident response programs," SANS said.

**About the Author**

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

Attackers Breach IT-Based Networks Before Jumping to ICS/OT Systems

Interpol disrupts 22,000 malicious IP addresses, 59 servers, 43 electronic devices, and arrests 41 suspected cybercriminals.

Source: Timon Schneider via Alamy Stock Photo

Operation Synergia II, an international law enforcement effort supported by the private cybersecurity sector, successfully dismantled a widespread cybercrime operation stretching from Hong Kong to Estonia, Interpol said this week.

Operation Synergia II was launched in April, with law enforcement collaborating with cybersecurity experts from Group-IB, Trend Micro, Kaspersky, and Team Cymru to track down thousands of servers used to commit cybercrimes involving phishing, infostealers, and ransomware attacks. Interpol discovered 30,000 malicious IP addresses and has already taken down 22,000, along with 59 servers.

Law enforcement across several countries contributed on-the-ground resources to perform house searches and seize electronics believed to support the cybercriminal operation — leading to the arrest of 41 people, with 65 others still under investigation, according to Interpol.

As part of the coordinated response, police in Hong Kong took down 1,037 servers, while in Mongolia police conducted 21 house searches and were able to identify 93 individuals believed to be linked to cybercrimes. Macau cops took 291 servers offline, and in Madagascar police tracked down 11 people linked to the servers and seized multiple devices. And in Estonia, authorities confisacted more than 80GB of server data, which is still being analyzed at Interpol.

"The global nature of cybercrime requires a global response which is evident by the support member countries provided to Operation Synergia II," Neal Jetton, Interpol's director of the Cybercrime Directorate, said in a statement. "Together, we've not only dismantled malicious infrastructure but also prevented hundreds of thousands of potential victims from falling prey to cybercrime."

Don't miss the latest Dark Reading Confidential podcast, where we talk about NIST's post-quantum cryptography standards and what comes next for cybersecurity practitioners. Guests from General Dynamics Information Technology (GDIT) and Carnegie Mellon University break it all down. Listen now!

International Police Effort Obliterates Cybercrime Network

Omdia Principal Analyst Hollie Hennessy says that until a promising new set of regulations around the world comes online, connected device security entails a shared responsibility among consumers, enterprises, and manufacturers.

Hollie Hennessy, Principal Analyst, IoT Cybersecurity, Omdia

November 6, 2024

4 Min Read

COMMENTARY

A broad array of Internet-connected devices have become a part of our lives, whether the mobile devices that we use daily, the Internet of Things (IoT) devices often spread throughout our "smart" homes, or even the medical devices that help provide us care when we need it.

These devices are now a fixture of our lives, professionally and personally. Unfortunately, they bring with them a countless number of cybersecurity challenges.

**Consumers Must Watch for Insecure Devices, Scams**

Historically, home IoT devices in particular have been neglected when it comes to cybersecurity. Security was rarely a concern for consumer device makers.

However, we've seen positive movement by governments globally, offering up new guidelines and regulations to facilitate better security of these products for consumers. In October alone, the Cyber Resilience Act (EU) was adopted by the council, and Australia announced its Cybersecurity Bill 2024, which proposes new security guidelines for smart devices.

That said, consumers should be aware that manufacturers might not yet be doing the best they can regarding cybersecurity. Cheap devices sold on online marketplaces often are riddled with vulnerabilities, despite looking like a good deal. Fortunately, once a number of promising new and proposed regulations take effect in many regions, this will no longer be the case — but for now, consumers must still largely look out for themselves.

Related:Any IoT Device Can Be Hacked, Even Grills

Scams are one of the most common cybersecurity issues for consumers, and IoT and mobile devices can make these scams easier to perpetrate. Mobile devices have put everything in the palm of our hand, even our financial transactions; a seemingly legitimate mobile application or a well-timed smishing message can do great harm. Consumers should be wary of anyone telling them to download an application or take any other unusual action, especially if they are asking for payment without receiving any services.

For example, in Singapore, millions of dollars are lost to scams — whether through social engineering, or malware-enabled. Scams have proliferated social media too, including Facebook, Instagram, and LinkedIn. While the government, banks, and device makers are working to address issues like this, consumers must practice vigilance throughout daily life.

**IT-OT Combination Is Emerging Issue**

For enterprises, even though information technology and operational technology (IT and OT) security are generally handled separately, Omdia believes a holistic strategy incorporating both will be increasingly important.

Organizations are also increasingly relying on IoT and other cyber-physical devices — many of which fall into critical national infrastructure sectors such as energy, transport, wastewater, and healthcare. Often, IT security tends to get a lot of focus, but it's the entire landscape, including IoT and OT, and the gaps in between that need to be adequately secured.

Enterprises will increasingly be affected by regulation as well. October also saw the deadline for European Union member states to implement the NIS 2 Directive — which is intended to enhance the security and resiliency of networking and information systems in the EU — into national law. Requirements are broadly focused on reporting, accountability, risk management, and business continuity, with minimum requirements spanning these categories, such as incident response planning, cybersecurity training, and tooling such as multifactor authentication and employee and asset access.

Despite regulatory burdens, Omdia's research suggests that cybersecurity maturity — at least for cyber-physical assets — isn't quite where it needs to be. Omdia's 2024 Cybersecurity Decision Maker Survey revealed that only 37% of organizations are confident that their business could continue to operate efficiently in the event of a cyber-physical system compromise, yet around a third do not have an adequate strategy for securing IoT devices.

**Device Manufacturers Facing Major Strategic, Operational Adjustments**

For device manufacturers, it's time to start thinking about how to adapt to an evolving regulatory environment. Even small manufacturers hoping to sell into regulated regions will need to adhere to cybersecurity requirements — setting up the product security teams, processes, and supporting technology will take a significant period of time. Collaborating effectively between product security and cybersecurity teams is no mean feat.

Considering the software and firmware element of product security also will be key. This will require new and enhanced communication between engineering and cybersecurity teams, alongside DevSecOps processes. Omdia's research suggests that consumers see security as a purchase driver for IoT devices, so it's best to start to ensure devices are secure sooner rather than later.

**About the Author**

Principal Analyst, IoT Cybersecurity, Omdia

Hollie works as a Principal Analyst within the Omdia team, providing insight into the fascinating and fast-moving domain of IoT Cybersecurity.

Hollie has a range of experience in research. She began her career in the legal sector, writing and researching for expert witness reports on the labour market. She then moved into product testing, with a consumer protection focus. In this role she was responsible for managing comparative tests of various tech products, as well as regular testing and investigative work into the security of these products.

She has published various articles for Which?, the UK's largest consumer organisation and one of the largest subscription magazines, and Computing magazine.

Despite Emerging Regulations, Mobile Device, IoT Security Requires More Industry Attention

The mobile device maker continues to investigate IntelBroker's claims of another high-profile data breach, with the cybercriminal group posting on BreachForums internal data allegedly stolen from Nokia through a third-party contractor.

Source: Nico El Nino via Alamy Stock Photo

Nokia is investigating an alleged cyberattack in which threat actors claim to have stolen sensitive internal data. However, the company says that so far there is no evidence that either its data or systems were affected by a breach.

Known threat actor IntelBroker on Tuesday posted what it claimed is Nokia's online internal data — including SSH keys, source code, and internal credentials — putting it up for sale on the BreachForums cybercrime site for $20,000, according to a published report on HackRead.

The group claimed to have obtained the data through a breach of a third-party contractor linked to Nokia’s internal tool development, though no customer data seems to have been affected by the breach, according to the report.

"Nokia is aware of reports that an unauthorized actor has alleged to have gained access to certain third-party contractor data and possibly data of Nokia," a Nokia spokesperson tells Dark Reading. "Nokia takes this allegation seriously and we are investigating."

However, at this time, the company's investigation "has found no evidence that any of our systems or data being impacted," though Nokia continues "to closely monitor the situation," the spokesperson says.

**Group Known for High-Profile Data Heists**

Given that IntelBroker is a notorious threat actor that already has pulled off a series of high-profile data heists, the chance that Nokia eventually will find that its data has been stolen seems likely. The Serbian-based entity began operations in 2022 and is linked to data breaches that affected Apple, the US House of Representatives, Europol, General Electric, and DARPA (Defense Advanced Research Projects Agency).

If IntelBroker's claim turns out to be true, data stolen in the heist and then sold to a malicious actor or actors potentially could be used to engage in other cybercriminal activity against Nokia. For example, stolen using credentials to gain unauthorized access to Nokia systems and breach other sensitive data or propagate malware. Depending on the nature of the data, other organizations also could be at risk.

The incident also demonstrates yet another example of how organizations are exposed to security risks through third-parties that contract with the company, observes Jim Routh, chief trust officer at cybersecurity firm Saviynt. However, that the breach itself occurred through a third party is not a huge surprise, he tells Dark Reading via email.

**Mitigating Third-Party Risk**

In fact, numerous high-profile cyberattacks at global multinational organizations have been the result of breaches through third parties, including incidents that occurred at credit card company American Express, Spanish banking institution Santander, and US-based financial organization Bank of America.

However, Routh says that the alleged Nokia breach "represents a bit of a head-scratcher" because it involves the compromise of "third-party credentials for access to the software supply chain."

"The head-scratching comes from why a third party has access to Nokia source code," he notes. However, it's possible that attackers gained access through a software engineer contributing to an internal project, Routh adds, speculating that hackers exploited "credential management for access to the software build process."

One potential way that organizations can protect themselves from a similar incident, he says, is to improve identity management for cloud accounts with access to the software supply chain to avoid inadvertently exposing sensitive data to threat actors.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Nokia: No Evidence So Far That Hackers Breached Company Data

In a time of increasingly sophisticated cross-domain attacks, relying solely on automated solutions isn't enough.

Adam Meyers, Senior Vice President of Counter Adversary Operations, CrowdStrike

November 6, 2024

5 Min Read

Source: Andrey Khokhlov via Alamy Stock Photo

COMMENTARY

Throughout the past year, we've seen a sharp uptick in cross-domain threats. This activity spans multiple domains within an organization's IT architecture, including identity, cloud, and endpoint. These attacks leave minimal footprints in each domain, like separate puzzle pieces, making them harder to detect. 

While cross-domain intrusions vary in complexity, my team and I are increasingly observing attacks that leverage stolen credentials to breach cloud environments and move laterally across endpoints. This activity is fueled by sophisticated phishing techniques and the proliferation of infostealers. Once adversaries obtain or steal credentials, they can gain direct access to poorly configured cloud environments and bypass heavily defended endpoints. With this access, they often deploy remote monitoring and management (RMM) tools instead of malware, making these attacks particularly hard to detect and disrupt. 

**Scattered Spider: A Master of Cross-Domain Tradecraft**

One of the most proficient adversaries in cross-domain attacks is the prolific e-crime group Scattered Spider. Throughout 2023 and 2024, Scattered Spider demonstrated sophisticated cross-domain tradecraft within targeted cloud environments, frequently using spear-phishing, policy modification, and access to password managers. 

In May 2024, CrowdStrike observed Scattered Spider establish a foothold on a cloud-hosted virtual machine (VM) instance via a cloud service VM management agent. The adversary compromised existing credentials through a phishing campaign to authenticate to the cloud control plane. Once inside, they established persistence.  

This attack spanned three operational domains: email, cloud management, and within the VM itself. As a result, the detectable footprint in any single domain was minimal and difficult to identify with traditional signature-based detection methods. Identifying this attack relied on extensive threat intelligence and prior knowledge of Scattered Spider's tactics. By correlating telemetry from the cloud control plane with detections within the virtual machine, threat hunters were able to recognize and stop the intrusion in progress. 

**A Massive Insider Scheme: DPRK's Famous Chollima**

North Korea-nexus adversary Famous Chollima presented a unique challenge to threat hunters with a highly sophisticated attack campaign expanding beyond technology boundaries. In this massive insider threat scheme, malicious actors obtained contract or full-time positions using falsified or stolen identity documents to bypass background checks. Their résumés often listed employment at prominent companies, with no gaps, making them appear legitimate.  

In April 2024, CrowdStrike responded to the first of several incidents where Famous Chollima targeted more than 30 US-based companies, including those in the aerospace, defense, retail, and technology sectors. Leveraging data from a single incident, threat hunters developed a scalable plan to hunt this emerging insider threat and identified over 30 additional affected customers within two days. 

In many cases, the adversary attempted to exfiltrate data and install RMM tools using company network credentials to facilitate unauthorized access. CrowdStrike threat hunters searched for RMM tools paired with suspicious network connections to uncover additional data and identify suspicious behaviors. By mid-2024, the US Department of Justice indicted several individuals involved in this scheme, which likely enabled North Korean nationals to raise funds for the DPRK government and its weapons programs. CrowdStrike's coordinated efforts with law enforcement and the intelligence community were instrumental in bringing these malicious activities to light and disrupting the massive threat. 

**Putting the Puzzle Pieces Together: Stopping Cross-Domain Attacks**

Countering sophisticated cross-domain threats requires constant awareness of behavioral and operational shifts, making intelligence-driven hunting essential. Stopping these novel attacks takes a multipronged approach involving people, process, and technology. For organizations to protect against these attacks they should adopt the following approaches:  

*   Full visibility: Unified visibility across the enterprise (cloud, endpoints, and identities) is essential to detect and correlate cross-domain attacks. This approach prevents adversaries from moving laterally through environments, improves response time, and reduces the likelihood of incidents escalating into breaches. 
    

*   Integrate cross-domain hunting: 24/7 real-time threat hunters can proactively search across security planes for malicious behavior. By continuously monitoring employee activity, they can detect deviations from normal behavior, such as abnormal use of RMM tools.  
    

*   Focus on identity: Identity is one of the fastest-growing threat vectors. To mitigate risks, businesses must implement advanced identity verification processes, such as multifactor authentication and biometric check. In addition to establishing strong authentication procedures, identity protection should be implemented to catch anomalous authentication events before they turn into a breach. 
    

In a time of increasingly sophisticated cross-domain attacks, relying solely on automated solutions isn't enough. As these stealthy threats operate across identity, cloud, and endpoint, they require a blend of advanced technology, the irreplaceable insights of human expertise, and cutting-edge telemetry to inform proactive decision making. Threat hunters and intelligence analysts, working in tandem with cutting-edge tools, are essential for identifying, understanding, and neutralizing these ever-evolving dangers before they can cause harm. 

Don't miss the latest Dark Reading Confidential podcast, where we talk about NIST's post-quantum cryptography standards and what comes next for cybersecurity practitioners. Guests from General Dynamics Information Technology (GDIT) and Carnegie Mellon University break it all down. Listen now! 

**About the Author**

Senior Vice President of Counter Adversary Operations, CrowdStrike

As CrowdStrike's senior vice president of counter adversary operations, Adam Meyers leads the Threat Intelligence line of business for the company. Meyers directs a geographically dispersed team of cyber threat experts tracking criminal, state-sponsored, and nationalist cyber adversary groups around the globe and producing actionable intelligence to protect customers. He oversees the development and deployment of AI, machine learning, reverse engineering, natural language processing, and other technologies to detect suspicious and malicious cyber behavior and stop increasingly sophisticated adversaries. Meyers’ work in combining human intelligence and intelligence derived from technology continues to transform cybersecurity. 

Meyers works closely with other departments within CrowdStrike to ensure the smooth and speedy integration of intelligence into CrowdStrike’s entire lineup of products and services. His team brings unprecedented insights into the activities of cyber threat actors, providing strategic and technical guidance to Fortune 100 businesses, major financial institutions, key government agencies, and other CrowdStrike customers.

How to Outsmart Stealthy E-Crime and Nation-State Threats

When it comes to landing a job in cybersecurity, what does it take to stand out from the pack? Try playing games.

Source: Ekkaphan via Adobe Stock Photo

While having the right technical chops and certifications matter, having cyber-gaming experience, whether it's participating on a cyber games team or in online competitions, can help you stand out when potential hiring managers are reviewing your resume. It can also give you more confidence after you land the job.

From showing that they can perform well under pressure to demonstrating that they're a good team player, there are many reasons why playing on a cyber team could give a candidate a leg up, says US Cyber Games commissioner Jessica Gulick, who has often asked job candidates what they did in their free time to get a broader understanding of their technology capabilities. Gamers always stood out, and she found it beneficial to hire them, particularly in areas such as penetration testing and forensics. These candidates usually were good at entering unknown environments and figuring things out given limited information, as well as sticking it out to identify solutions if they initially fail, she says.

"They're the kind of people that walk into a room and are constantly looking around and looking beyond what they see," Gulick says. "Is there an Easter egg? They don't need instructions; they'll just figure it out. And to have that kind of employee, it means that it's a faster time to value for your corporation. You're bringing on somebody who doesn't need a lot of hand-holding, \[someone who is\] going to really take the ball and run with it."

**Demonstrate Technical Proficiency**

When it comes to technical skills, cyber games give players the chance to practice the kinds of skills that they'll use on the job but in a safe context — not connected to any active business or infrastructure network that would be harmed by an actual cyberattack. And it gives players exposure to a broader array of cybersecurity experience than they might get in a role with specific responsibilities.

"Players are gaining skills in areas that they may not be particularly focused on right now, and that's a huge thing to give them those extra skill sets to work on the workforce and have on their resume," says US Women's Cyber Team assistant coach Chelsie Cooper, also a senior intelligence analyst at CrowdStrike. "That's a huge boost. Having this skill set specifically is definitely going to help them push forward to stand out in an applicant pool."

Showing technical proficiency in a cyber game, like having experience playing with the National Cyber League (NCL), can help candidates stand out. The NCL, an organization that holds cyber competitions for students, issues report cards to participants that they can use to show how well they performed in subjects like forensics or Web security. That can give them an edge as job candidates.

"If you have two students or two early career professionals that are interviewing and you ask, 'What's your experience doing pen testing with this particular vector of an attack?' the one who doesn't have experience is going to say, 'I don't have experience. Why are you asking me this?' whereas the one who has experience playing a game can say, 'Well, I don't have on the job experience, but I saw something similar when I was playing this game. Here's what I did about it,'" Gulick says.

The person who played the game will likely get the job.

**Develop Soft Skills, Teamwork**

Being on a cyber team can also help you hone nontechnical skills that are valuable in the workplace, like collaboration, mentoring, and working well in groups.

"Cyber games allow us to really cultivate those skills, the situational awareness, the ability to work as a team, to be able to pass off or to ask for help, or to mentor," Gulick says. "These are all critical skills that create high-performing teams."

Sarah Ogden, a 19-year-old student at Northern Kentucky University and a junior member of the US Women's Cyber Team, says she's excited about participating in this year's competition, but it's with a bigger goal in mind: to be competitive when it's her turn on the job market.

"My end goal is to get into a large company as a security engineer and actually get to see how the code and systems are developed, and to make an actual difference in that company's security and see the payoff of that," she says.

**Exposure to Job Opportunities**

Playing on a cyber team can also give competitors exposure to job opportunities with corporate sponsors. According to Gulick, sponsors like Battelle have hired team members.

"Competing as part of the US Cyber Team continually exposes athletes to a wide range of skill sets — such as binary exploitation, reverse engineering, and red-versus-blue activities — that enable them to excel in an increasingly competitive early-career job market. This experience provides them with a distinct credential on their resumes that sets them apart from their peers," says Chase P. Schueler, division manager for Battelle's cyber business.

US Cyber Team athletes also demonstrate "remarkable self-motivation," he adds.

"The selection process demands both skill and dedication, which are critical in a field where formal academic training is still limited when compared to the physical sciences," Schueler says. "This strong display of commitment makes them especially attractive to employers, including here at Battelle, who can see them as known quantities with demonstrated proficiencies."

**About the Author**

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

How Playing Cyber Games Can Help You Get Hired

The suspect, tracked as UNC5537, allegedly bragged about hacking several Snowflake victims on Telegram, drawing attention to himself.

Source: GK Images via Alamy Stock Photo

Canadian authorities arrested Alexander "Connor" Moucka, whom they believe orchestrated a malicious campaign that compromised 165 Snowflake accounts.

Moucka was scheduled to appear in court today, though limited information has been shared regarding his arrest or potential extradition. Online, Moucka reportedly went by the aliases "Judische" and "Waifu."

Snowflake is an American cloud-based data storage company operating on Amazon Web Services, Microsoft Azure, and Google Cloud Platform. Judische bragged about hacking several Snowflake victims on Telegram just before the attacks were confirmed, prompting suspicion.

In May, the storage vendor warned that a limited number of customer accounts were targeted by threat actors, none of which were protected by multifactor authentication.

Google Mandiant later investigated the breach and found that the attackers used previously compromised credentials from information-stealer infections to access these accounts.

The threat actor behind the attacks is tracked as UNC5537, with its campaign beginning in April and targeting organizations such as Ticketmaster, Advanced Auto Parts, Neiman Marcus, State Farm, AT&T, and others.

In the past, the threat actor has demanded ransom payments ranging from $300,000 to $5 million from organizations in exchange for deleting data it steals from their Snowflake accounts.  
Don't miss the latest Dark Reading Confidential podcast, where we talk about NIST's post-quantum cryptography standards and what comes next for cybersecurity practitioners. Guests from General Dynamics Information Technology (GDIT) and Carnegie Mellon University break it all down. Listen now! 

**About the Author**

Canadian Authorities Arrest Attacker Who Stole Snowflake Data

The CRON#TRAP campaign involves a novel technique for executing malicious commands on a compromised system.

Computer display with obfuscated codeSource: Grenar via Shutterstock

Among the many constantly evolving tactics that threat actors are using to target organizations is a new one involving emulated Linux environments to stage malware and conceal malicious activity.

Researchers at Securonix spotted an attacker using the novel approach to maintain a stealthy presence on target systems and harvest data from them undetected by conventional antivirus and malware detection systems.

**Novel Technique**

So far, the security vendor has not been able to identify the adversary or determine whom they might be targeting. But available evidence — including the campaign's verbiage and the fact that the command-and-control (C2) server is based in the US — suggest that organizations in North America are the primary focus, Securonix theorized in a report this week.

"While not all evidence points one way or the other, the technical sophistication and customization observed make it more likely that \[the campaign\] was crafted with specific targets or sectors in mind within North America and Europe," says Tim Peck, senior threat researcher at Securonix.

CRON#TRAP, as Securonix is tracking the campaign, is notable for the attacker's use of a custom emulated QEMU Linux environment to persist on endpoints and execute a variety of malicious activity on them. QEMU — for Quick EMUlater — is an open source, cross-platform virtualization tool that allows organizations to emulate systems based on x86, PowerPC, ARM, and other processor technologies. One of its primary use cases is to emulate hardware platforms for software testing across Linux, Windows, macOS, and other operating system environments.

"In the case of the CRON#TRAP campaign, the attackers opted to emulate a Linux installation of Tiny Core Linux," Securonix said in its blog. "As far as we can determine, this is the first time that this tool has been used by attackers for malicious purposes outside of cryptomining." Tiny Core Linux is a modular, lightweight Linux distribution with a footprint small enough for use in resource-constrained environments.

The attacks that Securonix observed as part of the CRON#TRAP campaign began with a phishing email containing a link to an unusually large zip file with a survey-themed name.

The zip file contained a similarly themed shortcut file, which, when clicked on, once again extracted the contents of the zip file and initiated a sequence of steps that ended with the QEMU virtual box getting deployed on the victim machine. Securonix found the emulated Linux instance to contain a preconfigured backdoor that during startup automatically connected the victim systems to a hardcoded C2 server in the US. The attackers implemented the backdoor using Chisel, a legitimate tool for creating secure, encrypted tunnels for transferring data, typically over WebSockets.

The security vendor's analysis of the QEMU image showed the attackers named it PivotBox. It contained a detailed history of the commands the threat actor had executed undetected within the emulated Linux environment. Among them were commands for network testing and initial reconnaissance, user enumeration, tool installation and preparation, SSH key manipulation, payload manipulation and execution, file and environment management, data exfiltration, privilege escalation, and persistence.

**Clearly Motivated Attacker**

"The commands executed by the threat actor reveal a clear intention to establish persistence, maintain covert access," Peck says. "They were highly focused on establishing a stable, reliable, and stealthy point of access within the target's network." The use of SSH key generation and subsequent uploads of the public key to a file-sharing service highlight an effort to ensure persistent remote access even after reboots, he notes.

The use of emulated Linux environment for malicious activity is the latest example of how attackers constantly find new ways and new techniques to bypass security mechanisms. As with any malicious campaign, the best protection against attacks like CRON#TRAP is to nip them in the bud, which in this case would be training users not to act on phishing emails, Peck says. For instance, the zip file associated with the campaign weighs in at a massive 285MB, which alone should be cause for suspicion.

Beyond that, measures such as application whitelisting and endpoint monitoring can also help organizations detect such campaigns. "As QEMU was executed through unconventional methods, this does present us with interesting detection opportunities," Peck says. One example is detecting the execution of QEMU outside the default Program Files directory. "Monitoring for network-based indicators such as persistent SSH connections from unexpected endpoints could also aid in detecting this campaign."

Don't miss the latest Dark Reading Confidential podcast, where we talk about NIST's post-quantum cryptography standards and what comes next for cybersecurity practitioners. Guests from General Dynamics Information Technology (GDIT) and Carnegie Mellon University break it all down. Listen now! 

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Attacker Hides Malicious Activity in Emulated Linux Environment

Chinese-speaking adversaries are using a fresh Android banking Trojan to take over devices and initiate fraudulent money transfers from financial institutions across Latin America, Italy, Portugal, and Spain.

Source: Oneinchpunch via Alamy Stock Photo

Researchers have designated a new botnet on the scene — initially suspected to be a part of the Toxic banking Trojan family — as a whole new spinoff strain with its own moniker, ToxicPanda.

The ToxicPanda banking bot has turned up on at least 1,500 individual devices across Italy, Portugal, Spain, and Latin America, actively trying to steal money from at least 16 different financial institutions, according to new findings from Cleafy. The Chinese-speaking threat actors behind ToxicPanda deploy the malware to take over a targeted device and initiate scam money transfers, bypassing the banks' identity and authentication protections, the Cleafy team warned.

"Remote access capabilities allow threat actors to conduct account takeover (ATO) directly from the infected device, thus exploiting the on-device Fraud (ODF) technique," the Cleafy report explained. "This consolidation of this technique has already been seen by other banking Trojans, such as Medusa, Copybara, and, recently, BingoMod."

This stripped-down, manual approach to the Android banking Trojan gives the threat actors the advantage of not having to use highly skilled developers, it opens up the potential to victimize a wider swath of banking customers, and it bypasses many cybersecurity protections used by financial services and banks, the researchers noted.

Importantly, code analysis uncovered that ToxicPanda is in the early stages of development. But that doesn't mean it doesn't already have an impressive set of features, including the ability to exploit Android's accessibility services to escalate permissions, and capturing data from applications, the Cleafy team noted.

Further, ToxicPanda allows the threat actor to gain remote control of the infected device and initiate actions like money transfers without the users' knowledge. The banking Trojan also intercepts one-time passwords sent either by text or authenticator app, completely dismantling multifactor authentication protections. Finally, ToxicPanda is loaded with code-hiding tricks to avoid detection.

The ramp up of ToxicPanda indicates Chinese-speaking threat actors are beefing up their operations to expand into new territory outside its traditional Southeast Asian roots, the report warns.

"This trend underscores the mobile security ecosystem's escalating challenge, as the marketplace is increasingly saturated with malware and new threat actors emerge," Cleafy's report said. "An important question arising from this analysis is not just how to defend against threats like ToxicPanda but why contemporary antivirus solutions have struggled to detect a threat that is, in technical terms, relatively straightforward. Although there is no single answer, the lack of proactive, real-time detection systems is a primary issue."

**Google Patches Two Actively Exploited Android Flaws**

As Chinese-speaking groups look to gain initial access to devices, they often leverage Android vulnerabilities in wide-scale attacks.

Fittingly, on Nov. 4, Google released patches for dozens of Android vulnerabilities as part of November's update, among them, two that already have been exploited, CVE-2024-43047 and CVE-2024-43093. Although Google has not released details, the first was discovered by Amnesty International and Google's Threat Analysis Group, which are well known for tracking commercial spyware activities. The second is a high-severity privilege escalation flaw in Android's framework.

Beyond disclosing the flaws, which "may be under limited, targeted exploitation," Google has not provided additional details.

Don't miss the latest Dark Reading Confidential podcast, where we talk about NIST's post-quantum cryptography standards and what comes next for cybersecurity practitioners. Guests from General Dynamics Information Technology (GDIT) and Carnegie Mellon University break it all down. Listen now!

Source

DARKReading