Businesses that successfully manage the complexities of multicloud management will be best positioned to thrive in an increasingly digital and interconnected world.

Source: John Williams RF via Alamy Stock Photo

COMMENTARY

Improper cloud security has cost organizations millions — sometimes even billions — in revenue in the past decade alone. A significant example is Japanese automaker Toyota, which suffered a data breach due to cloud misconfiguration, exposing the personal data of more than 2 million customers. Another example is Accenture, which in August 2021 fell victim to the LockBit ransomware group. Due to cloud misconfigurations, hackers gained access to and stole 6TB of proprietary client data, demanding a ransom of $50 million. These incidents highlight the catastrophic impact that cloud security failures can have. 

As organizations increasingly adopt multicloud strategies, managing multiple cloud environments can lead to cloud misconfigurations and improper handling of cloud resources. Each cloud provider offers different tools, settings, and protocols, making it challenging to ensure consistent security configurations across all platforms. These misconfigurations often are the root cause of significant security breaches, as seen in the examples above. The lack of visibility and control over multiple clouds exacerbates these risks, making it imperative for organizations to adopt robust cloud security practices.

The shift to multicloud environments offers enhanced reliability, reduced vendor lock-in risks, and greater business capabilities. However, this transition is fraught with complexities that require careful planning and strategic management to ensure success. Let's look at the critical aspects of managing multicloud environments, focusing on governance, security, and operational challenges. 

**Evolution and Risks of Multicloud Environments**

The cloud landscape has evolved from traditional on-premises virtualization to a complex array of cloud platforms operating simultaneously. This shift has introduced significant security challenges for enterprises. One of the primary drivers for adopting a multicloud strategy is the need to mitigate risks such as: 

*   Security vulnerabilities/zero-days 
    

However, these benefits come with inherent risks. Organizations must navigate the challenges of the following: 

*   Shared security controls: Implementing consistent security measures across different platforms can be challenging. 
    

*   Governance across multiple platforms: Ensuring compliance with various regulatory requirements can be complex. 
    

*   Varying compatibility: Third-party tools and services may not be compatible across all cloud environments. 
    

For example, companies that previously operated in a single cloud environment must now contend with the complexities of integrating and securing multiple cloud platforms, each with its own unique set of tools and protocols. The lack of coordination and governance in operations and deployments can lead to increased vulnerabilities and operational inefficiencies. Moreover, the scarcity of skilled professionals proficient in multiple cloud platforms exacerbates these challenges, making it crucial for organizations to invest in cross-functional training and development. 

**The Strategic Imperative of Governance and Security**

Effective governance is at the heart of a successful multicloud strategy. Organizations must establish clear guidelines and policies to manage the complexities of multiple cloud environments. Key governance aspects include: 

*   Defining roles and responsibilities: Clarifying who is responsible for cloud administration and security across different platforms. 
    

*   Deploying consistent security controls: Ensuring that security measures are uniformly applied across all cloud environments. 
    

*   Ensuring regulatory compliance: Meeting compliance requirements in each cloud environment.  
    

Security in a multicloud environment is particularly challenging, due to the expanded attack surface and the need for consistent security measures across different cloud platforms. A key aspect of managing security is the centralization of security operations. Centralizing the deployment of images and infrastructure-as-code (IaC) is essential for maintaining a secure and consistent cloud environment. For instance: 

*   Standardizing configurations: Establishing uniform configurations across all cloud environments to minimize the risk of security breaches. 
    

*   Automating security controls: Implementing automated security checks to reduce the likelihood of human error. 
    

Cloud security posture management (CSPM) tools play a critical role in this process. These tools enhance visibility across multiple cloud environments by providing a unified view of security risks. CSPM tools help organizations identify and prioritize risk mitigations according to their business requirements, ensuring that the most critical vulnerabilities are addressed promptly. By consolidating security data from various clouds into a single dashboard, these tools offer a comprehensive picture of the organization's security posture, enabling more effective decision-making. 

CSPM tools like Wiz, Orca, and Lacework go beyond basic security monitoring. They provide continuous assessment of cloud infrastructure, detect misconfigurations, and monitor compliance against frameworks such as CIS, PCI, NIST, and HIPAA. These tools also offer automation features, which can streamline incident response processes by automatically remediating identified risks or alerting security teams for further investigation. 

For instance, in my experience, Wiz and Orca have been particularly effective in identifying and mitigating risks in multicloud environments. These tools not only help prioritize the mitigation of various security risks but also provide structured guidance based on widely accepted baselines. Similarly, Lacework offers robust capabilities in anomaly detection, allowing organizations to identify unusual behaviors that may indicate security breaches or misconfigurations. 

**Taking Multicloud Management to the Finish Line**

Managing a multicloud environment requires a strategic approach that prioritizes governance, security, and centralization. Organizations must develop comprehensive strategies that align with their specific needs and invest in the necessary tools and skills to navigate the complexities of multicloud environments successfully. Understanding which offerings are unique to each cloud service provider allows organizations to leverage the strengths of different platforms effectively. Building a consistent monitoring capability across clouds is essential to maintain visibility and control over the entire infrastructure. 

The use of third-party tools suited for multicloud environments can enhance security and operational efficiency. Applying a framework with consistent policies and controls ensures that security standards are uniformly enforced across all cloud environments. Additionally, implementing a single identity system across clouds simplifies identity and access management, reducing the risk of unauthorized access and improving overall security posture. 

CSPM tools are essential components of this strategy, offering enhanced visibility and control across multiple cloud platforms. These tools provide a single, comprehensive view of the organization's security posture, enabling more informed decision-making and more effective risk management. As businesses continue to embrace the multicloud paradigm, those that successfully manage these complexities will be better positioned to thrive in an increasingly digital and interconnected world. 

**About the Author**

Information Security Officer, IMC Trading

Jatin Mannepalli, CISSP, CCSP is an information security officer (ISO) at IMC Trading, where he brings a deep commitment to managing security and risk across organizations. With more than 10 years of experience in the InfoSec space, he has built and led information security and risk management teams, and has also worked as a security consultant for major consulting firms like McKinsey & Company. Jatin is passionate about security governance and risk management, as well as developing technology-driven, customer-focused strategies that prioritize both organizational success and client satisfaction. Known for his holistic approach, he is dedicated to fostering a culture of security that aligns with the organization’s broader goals. In addition to his professional accomplishments, Jatin is recognized as one of the top voices in Information Security on LinkedIn. In his leisure time, he volunteers to promote security awareness in local communities and contributes to the cybersecurity community by helping develop exams for ISC2.

Navigating the Complexities &amp; Security Risks of Multicloud Management

NIST standardized three algorithms for post-quantum cryptography. What does that mean for the information and communications technology (ICT) industry?

Source: Cynthia Lee via Alamy Stock Photo

COMMENTARY

After a grueling eight years of testing, the National Institute of Standards and Technology (NIST) has finalized the first three algorithms that will form the backbone of the world's strategy to counter the potential threats of quantum computing.

Given that enterprising hackers are likely already harvesting and storing massive volumes of encrypted sensitive data for future exploitation, this is welcome news. We have the first post-quantum cryptography (PQC) algorithms to defend against the inevitable attacks on "Q-Day," when a cryptographically relevant quantum computer (CRQC) comes online.

Still, having these NIST-approved algorithms is just the first step. For the information and communications technology (ICT) industry, transitioning to a quantum-safe infrastructure is not a straightforward task; numerous challenges must be overcome. It requires a combination of engineering efforts, proactive assessment, evaluation of available technologies, and a careful approach to product development.

**The Post-Quantum Transition**

PQC algorithms are relatively new, and with no CRQC available to fully test, we cannot yet achieve 100% certainty of their success. Yet we know that any asymmetric cryptographic algorithm based on integer factorization, finite field discrete logarithms, or elliptic curve discrete logarithms will be vulnerable to attacks from a CRQC using Shor's algorithm. That means key agreement schemes (Diffie-Hellman or Elliptic Curve Diffie-Hellman), key transport (RSA encryption) mechanisms, and digital signatures must be replaced.

Conversely, symmetric-key cryptographic algorithms are generally not directly affected by quantum computing advancements and can continue to be used, with potentially straightforward increases to key size to stay ahead of quantum-boosted brute-forcing attacks.

**Hybrid Approach to Security**

The migration to PQC is unique in the history of modern digital cryptography in that neither traditional nor post-quantum algorithms are fully trusted to protect data for the required lifetimes. During the transition from traditional to post-quantum algorithms, we will need to use both algorithm types.

Defense and government institutions have already begun integrating these algorithms into the security protocols of specific applications and services due to the long-term sensitivity of their data. Private companies have also kicked off initiatives. For instance, Apple is using Kyber to create post-quantum encryption in iMessage, while Amazon is using Kyber in AWS.

Large-scale proliferation of PQC is coming, as global standards bodies, such as 3GPP and IETF, have already begun incorporating them into the security protocols of future standards releases. For instance, the IETF-designed Transport Layer Security (TLS) and Extensible Authentication Protocol-Authentication and Key Agreement (EAP-AKA) — two of the most widely used protocols across 3GPP networks— will both incorporate PQC.

This kind of standardization is key for industries like telecommunications and Internet services, where hundreds of different companies are providing the different hardware, device, and software components of a network. Like any security protocol, PQC must be implemented consistently across all exposed elements in the network chain because any link that isn't quantum-safe will become the focal point of any data harvesting attack.

Over the next few years, we will see more and more PQC-enhanced products enter the market. At first, they will likely use hybrid approaches to security, using both classical and post-quantum encryption schemes, as Apple and Amazon have done. But as quantum-security technologies advance and are further tested in the market, PQC will likely replace classical asymmetric encryption methods.

Because asymmetric algorithms are largely used for secure communications between organizations or endpoints that may not have previously interacted, a significant amount of coordination in the ecosystem is needed. Such transitions are some of the most complicated in the tech industry and will require staged migrations.

**Ready for Q-Day**

PQC isn't the only way to protect against a quantum attack, as quantum threats will only increase in sophistication. It's vital to deploy a defense-in-depth strategy — one that includes physics-based solutions like preshared keys with symmetric distribution and quantum key distribution (QKD) — but PQC will be a powerful security tool.

Attention to interoperability will be key here, as crypto agility will ease the migration to pure quantum-safe algorithms in the future. Some companies are already leaning toward open source rather than proprietary code, which can help to avoid a bumpy upgrade path in future for security products. As well, this crypto agility will ensure that technologies being designed now for inclusion in next-generation/6G products will also have backward-compatibility with 5G and other earlier standards.

Now that we have the essential first algorithms to build our arsenal against quantum computing threats, the next steps for the ICT industry will be critical. They must adopt hybrid solutions now to combat harvest-now-decrypt-later attacks; embrace crypto agility, interoperability, and rigorous testing; and deploy a defense-in-depth strategy. By following this strategy, we will be well on track to ensuring our long-term security and saving the world from potential disaster when Q-Day comes.

**About the Author**

Senior Research Scientist, Nokia

Aritra Banerjee is a Senior Research Scientist in Nokia Standards leading quantum-safe standardization efforts. His research interests span cryptography, quantum technologies, security, privacy-preserving technologies, and machine learning trends.

What Communications Companies Need to Know Before Q-Day

The FIN7 group is mounting a sophisticated malware campaign that spans numerous websites, to lure people with a deepfake tool promising to create nudes out of photos.

Source: Mike via Adobe Stock Photo

The notorious FIN7 threat group is combining artificial intelligence (AI) with social engineering in an aggressive, adult-themed threat campaign that dangles lures for access to technology that can "deepfake" nude photos — all to fool people into installing infostealing malware.

The powerful Russian financial cybercrime group has created at least seven websites that advertise for what's called a "DeepNude Generator," which promises to use deepfake technology transform any photo into a nude representation of the person pictured, according to new research from the threat hunters at Silent Push.

People can either download the generator via the site or sign up for a "free trial," demonstrating the sophistication of the scam. But instead of receiving the tool, they end up downloading malicious payloads such as the stealers Lumma and Redline, which can be used to deliver further malware such as ransomware, the researchers said.

Given the provocative lure, organizations are vulnerable to the campaign, as it may entice  unsuspecting employees to download malicious files. "These files may directly compromise credentials via infostealers or be used for follow-on campaigns that deploy ransomware," according to a blog post about the research.

Meanwhile, FIN7 also continues to promote an existing malvertising campaign that targets corporate users with lures to content by popular brands — including  SAP Concur, Microsoft, Thomson Reuters, and FINVIZ stock screening —  to spread the NetSupport RAT and .MSIX malware, according to Silent Push. The researchers identified a number of active IPs and thus "active new websites" hosting the ploy, which asks people to download a fake "required browser extension," which is actually a malicious payload, to view content related to the brands.

Related:Thousands of DrayTek Routers at Risk From 14 Vulnerabilities

**Fin7 Evolves With the Times**

The DeepNude Generator campaign demonstrates particularly sophisticated thought and planning on the part of FIN7, which developed at least seven dedicated websites URLs —such as aiNude\[.\]ai, easynude\[.\]website, and ai-nude\[.\]cloud — to make it appear convincing.

There is also evidence that FIN7 is employing search engine optimization (SEO) to keep users engaged and to rank their honeypots higher in search results by using footer links to "Best Porn Sites" on its sites. Those links direct victims to other malicious sites dangling the same lure.

Moreover, the group invested effort in creating two website versions for promoting the deepfake tool. The first involves a DeepNude Generator "free download," and the second offers site visitors a DeepNude Generator "free trial," each with a different attack flow.  

Related:Python-Based Malware Slithers Into Systems via Legit VS Code

The first uses "a simple user flow" that uses a "free download" link leading users to a new domain featuring a Dropbox link or another source hosting a malicious payload, according to Silent Push.

The second attack flow prompts users via a "free trial" button to upload an image to test the generator. If this is done, the user is next prompted with a “trial is ready for download” message, with a corresponding pop-up requires the user to answer the question: "The link is for personal use only, do you agree?"

"If the user agrees and clicks 'download,' they are served a .zip file with a malicious payload" that leads to the Lumma Stealer, and which uses a DLL side-loading technique for execution, according to Silent Push.

**Mitigation & Defense Against Fin7**

The two campaigns demonstrate that FIN7 — a cybercrime collective also known as Carbanak, Carbon Spider, Cobalt Group, and Navigator Group that's been active since 2012 — remains an imminent threat despite many attempts by law enforcement to shut it down, or at least significantly disrupt it. It also shows a tenacity on the group's part to evolve with modern technology and psychological tactics to create more sophisticated ways to spread malware, the researchers said.

Related:Dragos Expands ICS Platform With New Acquisition

Indeed, FIN7 has long been known for its savvy combination of malware and social engineering, having mounted a slew of successful, financially motivated attacks against global organizations that have hauled in well over $1.2 billion — and counting — for the criminal enterprise.

To help organizations combat threats from FIN7 and other organized cybercriminal groups, developing indicators of attack based on the group's tactics, techniques, and procedures (TTPs) is one method. Also, training employees to be aware of these increasingly elaborate social engineering tactics that threat groups use, and blocking the download of any unknown any files from the Internet onto a machine connected to a corporate network also can help enterprises avoid compromise by sophisticated threat campaigns.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

AI 'Nude Photo Generator' Delivers Infostealers Instead of Images

CeranaKeeper is bombarding Southeast Asia with data exfiltration attacks via file-sharing services such as Pastebin, OneDrive, and GitHub, researchers say.

Source: Antonio Gill via Alamy Stock Photo

An emergent China-aligned threat actor called CeranaKeeper has orchestrated a massive data exfiltration effort across Southeast Asia, most recently launching a barrage of cyberattacks against government institutions of Thailand.

The group has been working since early 2022, according to ESET researchers. Analysis showed CeranaKeeper was using components common with the known Chinese-backed APT group Mustang Panda, in addition to fresh tools for undermining legitimate file-sharing services, including Pastebin, Dropbox, OneDrive, and GitHub.

"Based on our findings, we decided to track this activity cluster as the work of a separate threat actor," a new ESET report said. "The numerous occurrences of the string \[Bb\]ectrl in the code of the group's tools inspired us to name it CeranaKeeper; it is a wordplay between the words beekeeper and the bee species Apis Cerana, or the Asian honey bee."

CeranaKeeper broke into Thai government systems through a brute-force attack against a local area network domain control server in mid-2023, ESET said. From there the group was able to get privileged access, deploy the Toneshell backdoor and a credential dumping tool, and also abuse a legitimate Avast driver to disable security protections.

Once comfortably in the network, the group began a massive data harvesting effort, ESET observed.

The group is "relentless," rapidly evolving, and nimble, ESET warned.

"The operators write and rewrite their toolset as needed by their operations and react rather quickly to keep avoiding detection," ESET added. "This group's goal is to harvest as many files as possible and it develops specific components to that end."

The Chinese government uses APT groups like Mustang Panda and CeranaKeeper to support government activities through espionage and other cybercrimes.

China-Backed APT Group Culling Thai Government Data

Armed with a staggering arsenal of at least 20,000 different exploits for various Linux server misconfigurations, perfctl is everywhere, annoying, and tough to get rid of.

Source: J Poulssen via Alamy Stock Photo

A multipurpose and mysterious malware dropper has been terrorizing Linux servers worldwide for years, infecting untold thousands of victims with cryptomining and proxyjacking malware. A fresh analysis has exposed its secrets — and a vast treasure trove of tens of thousands of exploit paths for compromising its targets.

It's been some time now that individuals in the US and Russia, Germany and Indonesia, Korea, China, Spain, and most everywhere in between have been reporting cases of "perfctl" (aka perfcc) eating up all their compute power.

"We've seen blog and forum posts over the past three or four years — maybe even longer — saying, 'something is attacking me, I don't know, I'm trying to kill it,'" Aqua Nautilus chief researcher Assaf Morag recalls. "There are a lot of articles describing how you kill perfctl, but people can't kill it because it keeps hiding itself, and it's very persistent."

The malware looks for vulnerabilities and misconfigurations to exploit in order to gain initial access. To date, Aqua Nautilus reported today, the malware has likely targeted millions of Linux servers, and compromised thousands. Any Linux server connected to the Internet is in its sights, so any server that hasn't already encountered perfctl is at risk.

Related:Dark Reading News Desk Live From Black Hat USA 2024

And, Morag warns, its ambitions don't necessarily end with cryptomining and proxyjacking. Though not recorded in his report, Morag has observed the malware dropping TruffleHog, a legitimate penetration testing tool designed to snuff out hardcoded secrets in source code.

"So imagine: They're earning money on the side \[by cryptomining and proxyjacking\], but also stealing secrets and maybe selling them in the cyber underground — selling access to servers that are related to big companies," he posits.

**Every Misconfiguration in the Book**

The volume and variety of potential server misconfigurations that perfctl is capable of identifying and exploiting is vast.

By tracking its infections, researchers identified three Web servers belonging to the threat actor: two that were previously compromised in prior attacks, and a third likely set up and owned by the threat actor. One of the compromised servers was used as the primary base for malware deployment. The other compromised server contained a much more interesting find: a list of potential avenues to directory traversal, nearly 20,000 entries long.

The list contained more than 12,000 known server misconfigurations, nearly 2,000 paths towards nabbing unauthorized credentials, tokens, and keys, more than 1,000 techniques for unauthorized login, and dozens of possible misconfigurations in different applications (68, for example, associated just with Apache RocketMQ, the open source distributed messaging and streaming platform). Citing just a few examples, Morag explains that "if you have an HTTP server, maybe you expose a template. In Kubernetes, by mistake, you could expose secrets, or roles. Or even a weak password can be a misconfiguration."

Related:Darktrace Announces Formal Completion of its Acquisition by Thoma Bravo

Alongside this fuzzing list on the compromised server were follow-on files containing exploits for the various kinds of documented misconfigurations.

Besides misconfigurations, perfctl is also capable of gaining initial access to a server via various bugs, such as CVE-2023-33246, a remote command execution (RCE) vulnerability in Apache RocketMQ. CVE-2023-33246 earned a "critical" 9.8 out of 10 score on the Common Vulnerability Scoring System (CVSS) last year.

**How perfctl Hides Loud Activity**

Cryptomining and proxyjacking are loud by nature. Whether it be third-party proxyware or the XMRig Monero miner, the programs that perfctl drops onto a compromised server will exhaust its CPU resources. And yet, perfctl itself is not easy to spot or excise, thanks to its layers of sophisticated stealth and persistence mechanisms.

Related:LockBit Associates Arrested, Evil Corp Bigwig Outed

For example, to facilitate stealthy communication, the program drops a backdoor and listens for communications via Tor. And to avoid detection and obscure evidence of its presence, it uses process masquerading, copying itself to various locations under names that map to legitimate system processes.

The very name its authors gave to it, "perfctl," is evidence of the same sort of tactic: "perf" is a Linux monitoring tool, and "ctl" is commonly used as a suffix for command line tools which control system components or services. The legitimate-looking name of the malware, then, allows it to more easily blend in with typical processes.

And then, after executing, perfctl deletes its binary but continues to run as a service behind the scenes.

To further hide its presence and malicious activities from security software and researcher scrutiny, it deploys a few Linux utilities repurposed into user-level rootkits, as well as one kernel-level rootkit. The kernel rootkit is especially powerful, hooking into various system functions to modify their functionality, effectively manipulating network traffic, undermining Pluggable Authentication Modules (PAM), establishing persistence even after primary payloads are detected and removed, or stealthily exfiltrating data.

And when a user logs in to the compromised server, perfctl instantly halts its noisiest behaviors, laying low until the user logs off and the coast is clear.

In short, "it's a powerful tool," Morag says. "You can decide to erase data, to steal data, to buy cryptocurrency, to do proxyjacking — it's up to the attacker."

**Mitigation for perfctl & Other Fileless Malware**

Those running Linux servers should take immediate steps to protect their environments, researchers warned. Aqua recommends the following mitigations for perfctl and similar threats:

*   Patch vulnerabilities: Ensure that all vulnerabilities are patched. Particularly internet facing applications such as RocketMQ servers and CVE-2021-4043 (Polkit). Keep all software and system libraries up to date.
    
*   Restrict file execution: Set noexec on /tmp, /dev/shm and other writable directories to prevent malware from executing binaries directly from these locations.
    
*   Disable unused services: Disable any services that aren’t required, particularly those that may expose the system to external attackers, such as HTTP services.
    
*   Implement strict privilege management: Restrict root access to critical files and directories. Use role-based access control (RBAC) to limit what users and processes can access or modify.
    
*   Network segmentation: Isolate critical servers from the internet or use firewalls to restrict outbound communication, especially TOR traffic or connections to cryptomining pools.
    
*   Deploy runtime protection: Use advanced anti-malware and behavioral detection tools that can detect rootkits, cryptominers, and fileless malware like perfctl.
    

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Near-'perfctl' Fileless Malware Targets Millions of Linux Servers

Generative AI is being used to make cyberscams more believable. Here's how organizations can counter that using newly emerging tools and reliable methods.

Source: Tero Vesalainen via Alamy Stock Photo

COMMENTARY

As cybercriminals finesse the use of generative artificial intelligence (GenAI), deepfakes, and many other AI-infused techniques, their fraudulent content is becoming disconcertingly realistic — and that poses an immediate security challenge for individuals and businesses alike. Voice and video cloning doesn't happen only to prominent politicians or celebrities; it's defrauding individuals and businesses of significant losses that run into millions of dollars.

AI-based cyberattacks are rising. According to a study by Deep Instinct, 85% of security professionals attribute this rise to generative AI.

**The AI Fraud Problem**

Earlier this year, Hong Kong police revealed that a financial worker was tricked into transferring $25 million to criminals through a multiperson deepfake video call. While this kind of sophisticated deepfake scam is still quite rare, advances in technology mean that it's becoming easier to pull off, and the huge gains make it a potentially lucrative endeavor. Another tactic is to target specific workers by making an urgent request over the phone, masquerading as their boss. Gartner now predicts that 30% of enterprises will consider identity verification and authentication solutions "unreliable" by 2026, primarily due to AI-generated deepfakes.

A common type of attack is the fraudulent use of biometric data, an area of particular concern given the widespread use of biometrics to grant access to devices, apps, and services. In one example, a convicted fraudster in the state of Louisiana managed to use a mobile driver's license and stolen credentials to open multiple bank accounts, deposit fraudulent checks, and buy a pick-up truck. In another, IDs created without facial recognition biometrics on Aadhar, India's flagship biometric ID system, allowed criminals to open fake bank accounts.

Another kind of biometric fraud is also rapidly gaining ground. Rather than mimicking the identities of real people, as in the previous examples, cybercriminals are using biometric data to inject fake evidence into a security system. In these injection-based attacks, the attackers game the system to grant access to fake profiles. Injection-based attacks grew a staggering 200% in 2023, according to Gartner. One common type of prompt injection involves tricking customer service chatbots into revealing sensitive information or allowing attackers to take over the chatbot entirely. In these cases, there is no need for convincing deepfake footage.

CISOs can take several practical steps to minimize AI-based fraud.

**1\. Root Out Caller ID Spoofing**

In keeping with many AI-based threats, deepfakes are effective because they work in combination with other tried-and-tested scamming techniques, such as social engineering and fraudulent calls. Almost all AI-based scams, for example, involve caller ID spoofing, which is when a scammer's number is disguised as a familiar caller. That increases believability, which plays a key part in the success of these scams. Stopping caller ID spoofing effectively pulls the rug out from under the scammers.

One of the most effective methods in use is to change the ways that operators identify and handle spoofed numbers. And regulators are catching up: In Finland, Traficom has led the way with clear technical guidance to prevent caller ID spoofing, a move that is being closely watched by the EU and other regulators globally.

**2\. Use AI Analytics to Fight AI Fraud**

Increasingly, security pros are joining cybercriminals at their own game — deploying the AI tactics scammers use, only to defend against attacks. AI and machine learning (ML) models excel at detecting patterns or anomalies across vast data sets. This makes them ideal for spotting the subtle signs that a cyberattack is taking place. Phishing attempts, malware infections, or unusual network traffic could all indicate a breach.

Predictive analytics is another key AI capability that the AI community can exploit in the fight against cybercrime. Predictive AI models can predict potential vulnerabilities — or even future attack vectors — before they are exploited, enabling preemptive security measures, such as using game theory or honeypots, to divert attention from the valuable targets. Enterprises need to be able to confidently detect subtle behavior changes taking place across every facet of their networks in real time, from users and devices to infrastructure and applications.

**3\. Zone in on Data Quality**

Data quality plays a critical role in pattern recognition, anomaly detection, and other ML-based methods used to fight modern cybercrime. In AI terms, data quality is measured by accuracy, relevancy, timeliness, and comprehensiveness. While many enterprises have relied on (insecure) log files, many are now embracing telemetry data, such as network traffic intelligence from deep packet inspection (DPI) technology, because it provides the "ground truth" upon which to build effective AI defenses. In a zero-trust world, telemetry data, like the kind supplied by DPI, provides the right kind of "never trust, always verify" foundation to fight the rising tide of deepfakes.

**4\. Know Your Normal**

The volume and patterns of data across a given network are a unique signifier particular to that network, much like a fingerprint. For this reason, it is critical that enterprises develop an in-depth understanding of what their network's "normal" looks like so that they can identify and react to anomalies. Knowing their networks better than anyone else gives enterprises a formidable insider advantage. However, to exploit this defensive advantage, they must address the quality of the data feeding their AI models.

In summary, cybercriminals have been quick to exploit AI, and in particular GenAI, for increasingly realistic frauds that can be implemented at a scale previously not possible. As deepfakes and AI-based cyber threats escalate, businesses must leverage advanced data analytics to strengthen their defenses. By adopting a zero-trust model, enhancing data quality, and utilizing AI-driven predictive analytics, organizations can proactively counter these sophisticated attacks and protect their assets — and reputations — in an increasingly perilous digital landscape.

**About the Author**

Senior Industry Analyst, Enea

Laura Wilber is a Senior Industry Analyst at Enea. She supports cross-functional and cross-portfolio teams with technology and market analysis, product marketing, product strategy, and corporate development. She is also an ESG Advisor & Committee Member. Her expertise includes cybersecurity and networking in enterprise, telecom, and industrial markets, and she loves helping customers meet today's challenges while musing about what the next ten years will bring.

4 Ways to Fight AI-Based Fraud

Despite a $10 million bounty on one member, APT45 is not slowing down, pivoting from intelligence gathering to extorting funds for Kim Jong-Un's regime.

Source: Nature Picture Library via Alamy Stock Photo

A well-known North Korean advanced persistent threat (APT) has shifted its focus to targeting private companies in the US for financial gain.

Researchers at Symantec's Threat Hunter Team said this week that the state-sponsored group it tracks as "Stonefly" (aka Andariel, APT45, Silent Chollima, and Onyx Sleet) is flaunting an indictment and a $10 million bounty from the US Department of Justice (DoJ), in order to rack up more funds for the Kim Jong-Un regime.

Stonefly, which is part of North Korea's Reconnaissance General Bureau (RGB), mounted assaults on three organizations in the US in August, about a month after the DoJ moved against the group. The victims, the researchers noted, had "no obvious intelligence value," and were likely being prepped for a ransomware whammy — though the intrusions were detected before the endgame could play out.

The focus on snapping up funds is a relatively new flex for the group, Symantec researchers stressed, even though other North Korean APTs are dedicated to grifting foreign currency for the regime. Stonefly in the past targeted hospitals and other healthcare providers during the pandemic (which drew the DoJ scrutiny), and is known for going after high-value espionage targets like US Air Force bases, NASA Office of Inspector General, and government organizations in China, South Korea, and Taiwan.

"Since at least 2019, Symantec has seen its focus shift mainly to espionage operations against select, high-value targets," according to the analysis. "It appears to specialize in targeting organizations that hold classified or highly sensitive information or intellectual property … \[Stonefly had\] appeared not to be involved in financially motivated attacks."

**Look for Stonefly's IoCs to Swat Ransomware Attacks**

With Stonefly's less-targeted focus on siphoning funds from unsuspecting private companies, it pays for everyday businesses that might not normally think of themselves as APT targets to get familiar with the group's indicators of compromise (IoCs).

And there are many. While the ransomware never deployed in the August attacks, and the initial compromise path isn't clear, Stonefly still managed to smuggle in plenty of tools from its kit before being ultimately thwarted.

"In several of the attacks, Stonefly's custom malware Backdoor.Preft (aka Dtrack, Valefor) was deployed," according to Symantec's blog post. "In addition … attackers used a fake Tableau certificate documented by Microsoft in addition to two other certificates that appear to be unique to this campaign."

The toolbox also included Nukebot, which is a backdoor capable of executing commands, downloading and uploading files, and taking screenshots; Mimikatz; two different keyloggers; the Sliver open source cross-platform penetration testing framework; the PuTTY SSH client; Plink; Megatools; a utility that takes snapshots of folder structures on a hard drive and saves them as HTML files; and FastReverseProxy, which can expose local servers to the public Internet.

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

North Korea's 'Stonefly' APT Swarms US Private Co's. for Profit

Organizations can use this guide to make decisions about designing, implementing, and managing OT environments to ensure they are both safe and secure, as well as to enable business continuity for critical services.

Organizations can use this guide to make decisions about designing, implementing, and managing OT environments to ensure they are both safe and secure, as well as to enable business continuity for critical services.

Source: Metamorworks via Shutterstock

The National Security Agency (NSA) joined cybersecurity agencies from Australia, Canada, Germany, Japan, the Netherlands, New Zealand, South Korea, and the United Kingdom to publish a guide outlining six principles that can be used to guide the creation and maintenance of a safe, security critical infrastructure operational technology (OT) environment. "Principles of Operational Technology Cyber Security" offers security practitioners ways to bolster the security of critical infrastructure, including water, energy, and transportation systems.

The document encourages organizations to determine whether making changes to their OT systems will impact or break any of the principles, which would likely introduce vulnerabilities into the OT environment, and to examine whether the right security controls are in place to mitigate risk. 

The six principles are as follows: 

*   Safety is paramount. While changes to corporate IT systems could disrupt business continuity, the stakes are higher for OT environments. Changes to critical infrastructure could lead to deadly threats to human life or significant damage to equipment or the environment. Failures to water and power infrastructure can be catastrophic for communities and individuals. In order to keep communities safe, OT managers should consider how systems are able to be restarted and backed up to minimize potential for downtime. Thinking about safety and reliability needs to permeate all tasks, even the most common cyber-hygiene tasks.
    
*   Knowledge of the business is crucial. Teams should know what needs to be protected and what parts of the business are essential to providing services. And when leadership stakeholders are aware of cybersecurity concerns and practices, outcomes improve. In practice, activities supporting this principle could include creating cybersecurity incident response playbooks and business continuity plans that contain enough information. Color coding types of cables and identifying their functions so that practitioners can work quickly in an emergency is another idea.
    
*   OT data is extremely valuable and needs to be protected. Since OT infrastructure rarely changes, securing information about its configuration is paramount. Engineering configuration data (such as network diagrams), documentation outlining the sequence of operations, logic diagrams, and schematics provide adversaries with information to gain an in-depth knowledge of how the system works or how the network is structured. Even short-lived data, such as pressure gauge settings and voltage levels, can still provide insights into the organization's activities, customer behavior, and the overall OT environment. OT data should be segregated from corporate environments and the Internet. Keep track of who has access to the data and when and how it is accessed.
    
*   Segment and segregate OT from all other networks. Entities should segment and segregate OT networks from the Internet and from IT networks to decrease the risk of compromise from the Internet or systems, like email or Web browsing. OT networks should also be segregated from vendors. For example, OT networks of electricity transmission networks (ETNs) could be connected to the OT networks of other ETNs or of vendors or electricity distribution networks. Networks could also be managed in corporate environments, allowing for greater risk.
    
*   The supply chain must be secure. Vendors present risk exposure that OT teams need to be aware of and minimize, and they must have awareness of all devices that touch the OT network, down to printers and terminals or building management systems, like HVAC. Know what's where, who manages it, and what the cybersecurity maturity level of that vendor's system may be.
    
*   People are essential for OT cybersecurity. In the event of a cybersecurity incident, trained OT professionals must be on hand to respond. A strong cybersecurity culture is imperative, as is having a diverse set of people with different skill sets, knowledge, and experience. Security culture should be emphasized across roles, including IT, control system engineers, field operations staff, and asset managers.
    

"Public safety and strengthening our cybersecurity posture are at the heart of this particular CSI \[cybersecurity information sheet\]," said Dave Luber, NSA cybersecurity director, in a statement. "The six principles of operational technology cybersecurity explored in this CSI are vitally important to anyone wanting to strengthen their cybersecurity posture and especially important for those who work in an operational technology environment supporting our nation's critical systems."

**About the Author**

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

You May Also Like

NSA Releases 6 Principles of OT Cybersecurity

All an attacker needs to exploit flaws in the Common Unix Printing System is a few seconds and less than 1 cent in computing costs.

Source: sofiacorte via Shutterstock

It turns out that remote code execution is not the only way attackers can leverage a critical set of four vulnerabilities that a researcher recently disclosed in the Common Unix Printing System (CUPS) for managing printers and print jobs.

The vulnerabilities apparently also enable adversaries to stage substantial distributed denial-of-service (DDoS) attacks in mere seconds and at a cost of less of than 1 cent, using any modern cloud platform.

**Large Number of Potential DDoS Attack Systems**

Some 58,000 Internet-exposed devices are currently vulnerable to the attack and can be relatively easily co-opted into launching an endless stream of attempted connections and requests at target systems. An attacker that corralled all 58,000 vulnerable hosts could send a small request to each vulnerable CUPS host and get them to direct between 1GB and 6GB of useless data at a target system.

"Although these bandwidth numbers may not be considered earth-shattering, they would still result in the target's need to handle roughly 2.6 million TCP connections and HTTP requests in either scenario," researchers at Akamai said this week after discovering the new attack vector.

CUPS is an Internet Printing Protocol (IPP)-based open source printing system for Unix-like operating systems, including Linux and macOS. It provides a standard way for computers to manage printers and print jobs.

Independent security researcher Simone Margaritelli last week disclosed a serious flaw in CUPS that could allow an attacker to remotely execute malicious commands by manipulating URLs using a combination of four different vulnerabilities. The vulnerabilities are CVE-2024-47176 in "cups-browsed," a component for simplifying printer discovery and management in a network; CVE-2024-47076 in the "libcupsfilters" software library; CVE-2024-47175 in the "libppd" library; and CVE-2024-47177 in the "cups-filters" package.

Margaritelli described the vulnerabilities as affecting most GNU/Linux distributions, some BSDs, Oracle Solaris, potentially Google Chrome OS and Chromium, and other operating systems. "The short version of this exploit is that certain configurations of cups-browsed as well as associated CUPS libraries each have vulnerabilities that, put together, allow an attacker to execute arbitrary commands against a target system" and potentially gain control of it, open source and software bill of materials management vendor Fossa said in an analysis.

**All It Takes is a Single Packet**

Margaritelli's research focused on how attackers could leverage the vulnerabilities to take control of CUPS hosts. What Akamai discovered is that a threat actor could also use them for DDoS attacks. "The problem arises when an attacker sends a crafted packet specifying the address of a target as a printer to be added," Akamai said. "For each packet sent, the vulnerable CUPS server will generate a larger and partially attacker-controlled IPP/HTTP request directed at the specified target." Akamai found that all it takes for someone to launch an attack is to send a single maliciously crafted packet to a vulnerable CUPS service with Internet connectivity.

Kyle Lefton, security researcher at Akamai, says that while the previously reported RCE exploit is more dangerous, the DDoS vulnerability is much easier for a threat actor to exploit. "It is likely that organizations may start seeing attacks leveraging this vulnerability, which causes issues for not just the targets of these DDoS attacks, but those running the vulnerable CUPS servers as well," he says. "The key takeaway here is to stress the importance of patching outdated CUPS systems, or applying other mitigation techniques, such as removing CUPS if deemed unnecessary, or applying firewall rules for UDP port 631 and keeping them from accessing the public Internet."

Akamai researchers discovered a total of 198,000 vulnerable CUPS hosts that are Internet accessible. Of those, 34%, or more than 58,000, are vulnerable to corralling for DDoS attacks. Akamai found that a threat actor could get these systems to start spewing out attack traffic by using a simple script to send a single malicious UDP packet to a vulnerable CUPS host. They found they could substantially amplify attack traffic volumes by padding — or adding extra and often irrelevant characters or data — to the URL payload.

Larry Cashdollar, principal security researcher at Akamai, says the vulnerability of a CUPS host to the DDoS attack really depends on its configuration. "It's possible that network administrators might have additional firewalls in place to block outbound traffic from the printers or that system administrators have done their hardening of the printer servers," on the other vulnerable hosts, Cashdollar says.

**Strain on Server Hardware**

Troublingly, although organizations running vulnerable CUPS systems may not be the target of DDoS attacks, the attacks themselves can put strain on the server hardware, Lefton adds. "We confirmed that some of these CUPS systems complete TLS handshakes to HTTPS protected websites, which creates further strain on server hardware and resource consumption overhead due to the handshake and encryption/decryption processing."

DDoS attacks, though well understood, continue to present a challenge for many organizations. Though many companies have implemented robust measures for protecting against DDoS attacks and mitigating fallout, the number of these attacks have only increased. Recent numbers from Cloudflare showed a 20% year-over-year increase in DDoS attacks; the company said it mitigated 8.5 million DDoS attacks just in the first six months of this year. Cloudflare attributed the trend at least partly to more threat actors gaining access to capabilities that once were available only to nation-state actors, thanks to the rise in generative AI (GenAI) tools and autopilot systems for writing attack code better and faster.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Unix Printing Vulnerabilities Enable Easy DDoS Attacks

The prolific Chinese APT Mustang Panda is the likely culprit behind a sophisticated cyber-espionage attack that sets up persistent remote access to victim machines.

Source: Gerry Pearce via Alamy Stock Photo

A known Chinese advanced persistent threat (APT) group known as Mustang Panda is the likely culprit behind a sophisticated, ongoing cyber-espionage campaign. It starts with a malicious email, and ultimately uses Visual Studio Code (VS Code) to distribute Python-based malware that gives attackers unauthorized and persistent remote access to infected machines.

Researchers from Cyble Research and Intelligence Lab (CRIL) discovered the campaign, which spreads an .lnk file disguised as a legitimate setup file to download a Python distribution package. In reality, it's used to run a malicious Python script. The attack relies upon the use of VS Code, which, if not present on the machine, will be deployed via the installation of the VS Code command line interface (CLI) by the attacker, the researchers noted in analysis published Oct. 2.

"The \[threat actor (TA)\] leverages a \[VS Code\] tool to initiate a remote tunnel and retrieve an activation code, which the TA can use to gain unauthorized remote access to the victim’s machine," according to the blog post about the attack. "This enables the TA to interact with the system, access files, and perform additional malicious activities," which include exfiltrating data and delivering further malware.

Related:Dragos Expands ICS Platform With New Acquisition

Though attribution for the attack is not entirely clear, the researchers found Chinese-language elements and identified tactics, techniques, and procedures (TTPs) in the attack flow that point to the Chinese APT group perhaps best known as Mustang Panda. Cyble tracks it as Stately Taurus, and it also goes by the names Bronze President, Camaro Dragon, Earth Preta, Luminous Moth, and Red Delta.

The attack starts with the execution of the .lnk file, which displays a fake “successful installation” message in Chinese while it silently downloads additional components in the background. Among those is a Python distribution package, which eventually downloads a malicious script. This is the aforementioned Python script, which once executed checks whether VS Code is already installed on the system by checking for the existence of a particular directory. If it is not found, the script then proceeds to download the VS Code command line interface (CLI) from a Microsoft source.

Eventually, this script sets up a task to ensure the persistence of its malicious activities, which include establishing a remote tunnel to give attackers access to the infected machine. When establishing the tunnel, the attackers use VS Code Remote-Tunnels, an extension typically used to connect to a remote machine, such as a desktop PC or virtual machine (VM), via a secure tunnel, according to Cyble. "This enables users to \[remotely\] access the machine from any \[VS Code\] client without the need for SSH," according to the post.

Related:Millions of Kia Vehicles Open to Remote Hacks via License Plate

The attackers also leverage another legitimate entity, the developer repository GitHub, in a strategic way to access files on the infected machine. When setting up the remote tunnel, the script automatically associates it with a GitHub account for authentication, and extracts an activation code to enable further malicious activity later in the attack.

The malware also extracts a list of processes currently running on the victim’s machine and sends them directly to the command-and-control (C2) server, and goes on to gather further sensitive data, such as the system’s language settings, geographical location, computer name, user name, user domain, and details about user privileges. It also collects the names of folders from several directories.

After the attackers receive the exfiltrated data, they can log in for remote access to the device using a GitHub account. "Here, the TA can enter the exfiltrated alphanumeric activation code to gain unauthorized access to the victim’s machine," according to Cyble.

Related:Pwn2Own Auto Offers $500K for Tesla Hacks

"This degree of access not only enables them to browse through the victims’ files but also enables them to execute commands through the terminal," according to the post. "With this control, the TA can perform a variety of actions, such as installing malware, extracting sensitive information, or altering system settings, potentially leading to further exploitation of the victim’s system and data."

**APT Defense Requires Cyber Vigilance**

At the time Cyble published the research, the malicious Python script deployed by the attack had no detections on VirusTotal, which makes it difficult for defenders to detect it through standard security tools, the researchers noted.

To mitigate these kinds of attacks by sophisticated APTs like Mustang Panda, Cyble recommends that organizations use advanced endpoint protection solutions that include behavioral analysis and machine-learning capabilities to detect and block suspicious activities, even those involving legitimate applications like VS Code. Defenders also should review scheduled tasks on all systems regularly to identify unauthorized or unusual entries, which can help detect persistence mechanisms established by threat actors.

Other mitigation activities include setting up training sessions to educate users about the risks of opening suspicious files or links, particularly those related to .lnk files and unknown sources. Organizations also as a general rule should limit user permissions to install software, particularly for tools that can be exploited, like VS Code, as well as use application whitelisting to control which applications can be installed and run on systems.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Source

DARKReading