The cybercriminal group holding the stolen information is demanding the vendor admit to the breach and pay up.

Source: RATHEESH MALAPPADAVAN via Alamy Stock Photo

The threat actors known as "Hellcat" claim to have stolen sensitive data from Schneider Electric, and the French industrial company has begun an investigation without formally acknowledging any data theft.

The hackers claim to have breached the industrial company's Jira issue tracking system and are demanding a $125,000 ransom.

"This breach has compromised critical data, including projects, issues, and plugins, along with over 400,000 rows of user data, totaling more than 40GB compressed data," the threat actors wrote on their Tor website.

However, the cybercriminals note that the ransom will drop by half if Schneider Electric confirms the breach. If their demands are not met, they have threatened to make the data they stole from the vendor public. 

In addition, one of the hackers published evidence on social media platform X regarding how they gained access into the vendor's Jira system to steal the data.

Schneider Electric reported that the cybersecurity incident involved unauthorized access to one of its "internal project execution tracking platforms" and that its global incident response team has been mobilized to deal with the fallout.

This is the third breach in under two years that the manufacturer has faced; the first involved its sustainability business division in January at the hands of Cactus ransomware, and the second was connected to the MOVEit zero-day vulnerability.

**About the Author**

Schneider Electric Clawed by 'Hellcat' Ransomware Gang

Attackers are exploiting the "Envelopes: create API" of the enormously popular document-signing service to flood corporate inboxes with convincing phishing emails aimed at defrauding organizations. It's an unusual attack vector with a high success rate.

Source: Elena Uve via Alamy Stock Photo

Cybercriminals are abusing a Docusign API in a widescale, innovative phishing campaign to send fake invoices to corporate users that appear authentic and likely would not trigger typical security defenses or user suspicions, as many similar scams might.

The campaign to defraud organizations, observed over the last several months, involves attackers creating a legitimate, paid Docusign account using the software that allows them to change templates and use the API directly, researchers at security firm Wallarm revealed in a blog post published this week.

Attackers are taking advantage of Docusign's "API-friendly environment," which while beneficial for businesses, also "inadvertently provides a way for malicious actors to scale their operations," according to the post.

Specifically, the researchers observed abuse of Docusign's "Envelopes: create API" to send one of what turned out to be a significant volume of automated emails to multiple users and recipients directly from the platform, they said. The messages use specially crafted templates "mimicking requests to e-sign documents from well-known brands," which are mainly software companies such as Norton Antivirus, according to the post by Wallarm.

Fake invoices employed in the campaign also leverage an array of other tactics to lend authenticity to the scam. These include offering accurate pricing for a company's products; the addition of expected kinds of charges, such as an activation fee; the inclusion of direct wire instructions or purchase orders; and the sending of different invoices with different items.

Related:'SteelFox' Malware Blitz Infects 11K Victims With Bundle of Pain

Ultimately, if a user e-signs the document, a threat actor can use it to request payment from organizations outside of Docusign or send the signed document through Docusign to the finance department for compensation, thus committing fraud.

The attack vector may not be limited to Docusign, Wallarm researchers warned; other e-signature and document services could be equally vulnerable to similar exploitation tactics.

**A New Type of Fake Invoice Scam**

Fake invoices are often a part of financially motivated phishing scams, and Docusign — which offers enormously popular software for digital signatures with more than 1.5 million paying customers and 1 billion users worldwide — is often a target for phishers. An API-based attack, however, can potentially be more effective than scams that simply use name recognition or impersonate the brand, for a number of reasons.

Chief among them is that because the emails come directly from Docusign, they "look legitimate to the email services and spam/phishing filters," according to Wallarm's post. "There are no malicious links or attachments; the danger lies in the authenticity of the request itself."

Related:City of Columbus Drops Case on Cyberattack Whistleblower

Indeed, because the attack uses an API exploit, "there probably won’t be many signs that would be easy to spot as in a spoofed email," Erich Kron, security awareness advocate at KnowBe4, observes. Moreover, the popularity of Docusign makes the service "a great target for this sort of attack" at a large scale due to the potential for automation by exploiting the API, he says, adding, "people put their trust in brands they recognize and know, especially those that are used often in legal or other official capacities."

**Mitigating E-Sign Cyberattacks, API Abuse**

Fortunately, there are a number of ways that organizations can protect themselves from being defrauded by such convincing attacks, as well as strategies that service providers like Docusign can take to avoid or detect API abuse, according to Wallarm.

Organizations should always double-check the sender's email address and any associated accounts for legitimacy, as well as implement strict internal procedures for approving purchases and financial transactions that involve multiple team members, if possible.

Related:EmeraldWhale's Massive Git Breach Highlights Config Gaps

"It's fascinating to see how sophisticated cybercriminals have become, leveraging legitimate tools like Docusign to craft realistic phishing attacks," says Randolph Barr, CISO at Cequence. "This highlights the importance of verifying the source of any document signing request, even if it appears to come from a trusted source. \[Organizations\] should emphasize the importance of pausing and verifying before taking any action, even if it seems urgent. Additionally, IT and security teams must stay informed about the latest attack methods and techniques to effectively protect their organizations."

Keeping a close eye on unexpected invoices or requests, especially those that include unusual charges or fees, also can help organizations avoid paying criminals rather than legitimate entities.

Service providers also can take responsibility for mitigating API-based attacks by understanding how APIs may be abused in phishing attacks by conducting regular threat modeling exercises to identify potential attack vectors. They also can apply rate limits to specific API endpoints to prevent attackers from scaling in cases of API abuse, according to the researchers.

Don't miss the latest Dark Reading Confidential podcast, where we talk about NIST's post-quantum cryptography standards and what comes next for cybersecurity practitioners. Guests from General Dynamics Information Technology (GDIT) and Carnegie Mellon University break it all down. Listen now!

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Docusign API Abused in Widescale, Novel Invoice Attack

Government and industry want to jump-start the conversation around "human-centric cybersecurity" to boost the usability and effectiveness of security products and services.

Source: whiteMocca via Shutterstock

Many security teams view their nonsecurity coworkers as the potential weak point in any cybersecurity plan, so they bring in technology to mitigate their inevitable poor choices. The viewpoint is understandable: The "human element" contributed to 68% of breaches in 2023 and 74% of breaches in 2022, according to Verizon's "Data Breach Investigations Report."

Yet, the approach is failing companies that want to improve their cybersecurity, experts say. In a US government handout titled "Users Are Not Stupid," the National Institute of Standards and Technology (NIST) urges organizations to avoid creating insider threats through poor usability, layering on too much security, and failing to consider user feedback.

Instead, organizations should pursue a human-centric cybersecurity (HCC) approach, focusing on processes and products that account for users' needs and motivations and incentivize secure behaviors. An HCC program includes security-awareness and anti-phishing training, adds user feedback channels to security products, and aims to reduce the security responsibility placed on the average person. Tools that are critical for companies taking an HCC approach include security monitoring and user/entity behavior analytics (UEBA).

Yet HCC goes beyond just looking for user-centric or user-friendly security products, says Julie Haney, HCC program lead at NIST's Information Technology Lab.

Related:Time to Get Strict With DMARC

"It's really all about putting people at the forefront when we're designing and implementing security," Haney says. "If you don't have human-centered cybersecurity where you're considering that person, then you have unusable security solutions — so people are more prone to making errors or making risky decisions or implementing less secure work-arounds because they just need to get their jobs done."

Last month NIST launched its Human-Centered Cybersecurity Community of Interest (COI) to bring together practitioners, academics, and policymakers to discuss how to make security more effective and user-friendly.

**Cybersecurity Power to People**

The government agency isn't the only organization to focus on the human aspect of security. Increasingly, HCC has become a focus of enterprise security teams, with business intelligence firm Gartner expecting CISOs at half of large enterprises to adopt human-centric practices and designs for cybersecurity by 2027. In fact, Gartner listed human-centric security design as a top cybersecurity trend last year. The firm changed the name but continued to identify security behavior and culture programs (SBCPs) as a top cybersecurity trend in 2024.

Related:AI-Augmented Email Analysis Spots Latest Scams, Bad Content

Security teams need to stop talking at other workers and instead talk to them and work with them to build a cybersecurity-focused culture, says Victoria Cason, a senior principal analyst at Gartner.

"Taking a human-centric approach is recognizing that we're not dealing with an inanimate object," she says. "We're dealing with a human that has different behaviors, different actions, different needs, and really trying to address their wants, desires, and behaviors when it comes to best security practices, as opposed to just telling them what to do."

Among the steps that Gartner identifies as part of an SBCP are conducting threat simulations, adding automation and data analytics to aid users in making secure choices, rewarding workers for reporting potential security incidents, and tracking metrics to demonstrate SBCP impact. Nearly half of companies focused on SBCP are taking each of those steps, according to Gartner data.

Minimizing cybersecurity-induced friction will not only improve companies' security posture but will also reduce the stress that comes with a traditionally adversarial job. Gartner expects that half of cybersecurity leaders will change jobs between 2023 and 2025, with a quarter of those exiting their positions actually leaving the industry for good due to stress.

Related:Compliance Automation Pays Off for a Growing Company

**HCC: A Work in Progress**

Currently, there is no standard definition for HCC, which is partly why NIST is pushing for more research into how companies can better support the security growth of their workers. HCC broadly includes workers' attitudes about cybersecurity, their training, the usability of security products, and the creation of policies.

The latest "Federal Cybersecurity Research and Development Plan," published by the Biden administration in December 2023, identifies HCC as a priority for protecting the nation. Among the research areas espoused by the plan are finding models to determine the impacts of digital technologies and how their security properties can be validated.

"There is a need to reduce the burden of cybersecurity requirements on people, organizations, communities, and society, and to improve the usability and the user experience of digital technologies and systems," the plan states. "Research on human-centered computing aspects has indicated that including end users early in the process of design and development creates more usable systems and an improved user experience."

Gartner has come up with its own approach to implementing SBCPs, which it dubs the PIPE framework, short for practices, influences, platforms, and enablers.

"Most traditional awareness programs just rely on yearly or quarterly training, but that doesn't address the root cause of behavior," says Gartner's Cason. "So going beyond just the traditional computer-based training and phishing simulation, leveraging existing tools and capabilities like identity and access management (IAM) or security monitoring, to even emerging tools like AI can increase engagement and efficiency."

The most significant product category to encapsulate HCC may be human risk management, an evolution of the security-awareness and training market that adds adaptive human protection, according to business intelligence firm Forrester. As opposed to the checkbox compliance of many security-awareness training programs, human risk management focuses on positively educating workers while at the same time reducing the risk posed by their actions, according to a Forrester note published in February.

**Employees Do Worry Over Cybersecurity**

For the most part, workers are cognizant of the critical role in protecting the business. They are worried that they could be the cause of the next breach, with a third of workers (34%) concerned that they may take an action that leaves their organizations vulnerable, according to a survey of 1,000 workers by consultancy Ernst & Young.

Companies should work with those users and find ways to direct those concerns into productive action, rather than failing to support them and then blaming them when something goes wrong, says NIST's Haney.

"If someone clicks on that phishing link, organizations tend to put all the blame on the employee, but they're not actually looking up the chain to all of the procedural things, the process things, the people things that maybe went wrong in the organization before that," she says. "It's not just about the fault of the person at the end of the chain — there's often a lot of other things that have gone wrong before that."

Cybersecurity professionals should strive to develop a culture and mindset that does not label users as the enemy or the weakest link. Having conversations with users can uncover problems in the way security is being implemented, while empowering users to report issues can lead to earlier detection.

Finally, the advent of products — such as human risk analysis services — should be adopted carefully and with the right expectations. Tracking users who may make repeated mistakes can be useful but should not be punitive; rather, the approach should inform security teams about procedural problems or raise the possibility of additional training opportunities, Haney says.

"The data can be useful, but you have to be really careful to not, you know, start labeling people \[as\] a bad employee, or they're bad at security, and this is a person that's good at security," she says. "So there's that fine line that you have to walk."

Don't miss the latest Dark Reading Confidential podcast, where we talk about NIST's post-quantum cryptography standards and what comes next for cybersecurity practitioners. Guests from General Dynamics Information Technology (GDIT) and Carnegie Mellon University break it all down. Listen now!

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Oh, the Humanity! How to Make Humans Part of Cybersecurity Design

Zero trust is a mature approach that will improve your organization's security.

Source: Alexander Yakimov via Alamy Stock Photo

COMMENTARY

Knowing you would like to implement zero trust and actually implementing it are two different things. That's at least in part because zero trust is not a single solution one can install and walk away from. Rather, it's an approach to IT and security that emphasizes validating every connection, whether it's user to app, app to app, or process to process. The advantages are clear though: a reduced attack surface; lateral movement across a network by attackers is prevented; and each and every access to any corporate resource is granted on a per-request basis.

In short: Never trust, always verify.  

Many of the challenges associated with a large initiative like zero trust are not technical issues, but rather relate to driving change. There are significant interpersonal and organizational components to adopting this approach that must be carefully considered. Over the course of my career — most recently as chief technical officer (CTO) for GE and Synchrony Financial — I had the opportunity to work on many "big word projects," including AI, cloud, and of course, zero trust. What follows are some of my top tips for ensuring you win at cyber by influencing key stakeholders within your organization.  

**How to Win at Cyber in Five Easy Steps**

1\. Organizational Partnership 

Zero trust is a team sport. Successfully executing a zero-trust transformation requires understanding all the personas involved and aligning on intended outcomes.  

*   The CTO is focused on the infrastructure: design, maintenance, configuration, execution, and tech strategy. 
    

*   The chief information security officer (CISO) knows and owns the security strategy, security execution, and monitoring. 
    

*   The chief information officer (ClO) is focused on the technologies and applications of the organization, overseeing the people and process aspect of transformation and day-to-day operations. 
    

*   The risk leader confirms the technology group is covering all the risks to the organization and end consumer. 
    

Bringing the CTO and CISO together on a common goal of zero trust and then inviting the risk leader along on the journey is a huge step in your success. Establishing a rhythm of these leaders with the CIO brings it all together. These roles might be slightly different in your organization, but understanding each stakeholder's role and connecting them before the project begins is key. 

2\. Communication and Board-Level Metrics 

Once key leaders are aligned behind your zero-trust initiative, you need the backing of your board. This won't be accomplished by lengthy, wonky discussions of the underlying technology you hope to implement. Instead, boards want to understand your organization's risk exposure, and how you intend to manage it.  

The ability to demonstrate a comprehensive risk score is a powerful asset for establishing a baseline and reporting on progress over the course of what is likely to be a multistep, multipronged zero-trust deployment journey. Once you've established this score, continue to revisit it along each phase of your initiative to demonstrate maturity backed by real-world data from your environment. 

3\. Phased Deployment Plan 

It's no accident we speak about zero trust as a journey, one that rarely unfolds along a straight line. Transformation initiatives often begin in response to a stimulus — implementing a VPN replacement or incorporating a new acquisition into existing IT systems, for example — and then maturing over time.  

One thing is critical, though: Develop a plan that incorporates individual use cases into an overarching strategy for deployment. A phased deployment allows stakeholders to avoid the feeling of needing to "accomplish" zero trust overnight. The first project will doubtless be the most difficult; it gets easier from there. 

4\. Pragmatic Technical Deliverables 

Throughout my career I have encountered a number of CIOs with impeccable strategic instincts who nevertheless struggle to translate them into pragmatic deliverables. When we're dealing with complex, sometimes nebulous concepts like AI, the cloud, or zero trust, it's easy to get lost in the weeds.  

It's critical that tactical actions like a VPN replacement are framed in terms of the business problems they solve. I return to the VPN example because it is a perfect illustration of enhancing security and the user experience, making it a model IT solution for a business issue. Users become more productive and benefit from a smoother experience, the opportunity for lateral movement is reduced, and cost savings are likely to accrue. 

5\. Fix the Basics 

It may sound simple, but it's a critical point that I have often seen overlooked. Tackle the low-hanging fruit, or threat actors will do it for you. So, what are the basics? Phishing not only remains the number one threat vector facing most organizations, it's also only solvable by creating a culture of security within your organization. I don't mean in terms of high-tech solutions, but by fostering basic cybersecurity literacy organization wide. With the advent of AI-assisted pretext creation, this will only become more critical in the near future.  

Zero trust is a mature approach that will up-level your organization's security. If you haven't yet started out or if you are simply looking for a more complete implementation, I hope you find this advice useful. 

Don't miss the latest Dark Reading Confidential podcast, where we talk about NIST's post-quantum cryptography standards and what comes next for cybersecurity practitioners. Guests from General Dynamics Information Technology (GDIT) and Carnegie Mellon University break it all down. Listen now!

**About the Author**

Former CTO of GE & Former CTO of Synchrony Financial

Greg Simpson is an experienced technologist, having been CTO at numerous GE businesses, and GE overall. As CTO of Synchrony, Greg first launched the foundational infrastructure to support its IPO and then drove a transformation built on a strategic technology stack that was built on the cloud, a new data lake, application APIs, and AI, enabling faster solution delivery for Synchrony customers. He also was instrumental in its transformation to a work-from-home culture during the pandemic, Greg was named a Premier 100 Technology Leader by Computerworld in 2016. Greg recently published his first a techno-thriller novel called The Quantum Contingent. His follow-up novel, Quantum Time, is coming out later this year.

How to Win at Cyber by Influencing People

Episode #4: NIST's new post-quantum cryptography standards are here, so what comes next? This episode of Dark Reading Confidential digs into the world of quantum computing from a cybersecurity practitioner's point of view — with guests Matthew McFadden, vice president, Cyber, General Dynamics Information Technology (GDIT) and Thomas Scanlon, professor, Heinz College, Carnegie Mellon University.

Dark Reading Confidential: Quantum Has Landed, So Now What?

A Dark Reading poll reveals widespread concern over disinformation about election integrity and voter fraud, even as Russia steps up deepfake attacks meant to sow distrust in the voting process among the electorate.

Source: Brain light via Alamy Stock Photo

As voting in the 2024 US presidential election draws to a close today, disinformation remains the most top-of-mind voting-adjacent threat for cybersecurity professionals.

That's according to a fresh Dark Reading poll of nearly 1,000 readers, who were asked: "What are you most concerned about when it comes to election-related security threats?"

The top answer, accounting for 41% of the responses, was "deepfakes, misinformation, and disinformation." That was followed by tampering of polling data (23%); hacking operations by other countries like Russia, China, and Iran (20%); and AI-powered high-volume phishing using election lures (16%).

**Debunking Deepfaked Videos US Elections "Never More Secure"**

The results come as US federal agencies dismissed two inflammatory videos purporting to show vote tampering; the videos, they said, are merely the work of Russian adversaries using deepfake technologies to sow distrust in the electoral process and call the results into question.

One of the videos, debunked by the Office of the Director of National Intelligence (ODNI), the FBI, and the Cybersecurity and Infrastructure Agency (CISA), shows protestors supposedly destroying ballots in the battleground district of Bucks County, Pennsylvania. The other shows what it claims is video evidence of an illegal immigrant from Haiti voting over and over, in multiple counties in Georgia. The FBI and CISA also discounted the clip as fake and the work of Russian threat actors.

The videos are the latest efforts by a threat actor known as Storm-1516, which in September reached millions of viewers with a video showing alleged Harris supporters attacking attendees at a rally with Republican candidate Donald Trump; and with another that claimed Democratic candidate Kamala Harris’ was responsible for a hit-and-run car accident.

"US govt calls out more election-related Russian troll farm nonsense. Expect more of this. They’re flooding the zone, exploiting historical (and current) tropes, including racial issues," former CISA Director Chris Krebs said in a series of posts on social platform X. "This will only continue thru the count & certification process. Important to rapidly identify and debunk this garbage, and for platforms to label as foreign generated or remove entirely."

He added, "Some mental toughness is in order right now. Voters regardless of political affiliation need to remain aware they’re being targeted and not fall for it."

Blackbird.AI senior intelligence analyst Rennie Westcott agrees with Krebs that Election Day is unlikely to be the end of the efforts to create distrust in US election processes.  

"Foreign adversaries will try to confuse Americans about the authenticity of state election results after the polls close and tallies begin to trickle in," he says, adding that there will likely be ongoing efforts to "fan internal social division," including targeting minorities in swing states.

Current CISA Director Jen Easterly also has acknowledged the "firehouse of disinformation" that has been swirling around the election so far, driving fears of voter fraud and election tampering, especially among Republicans. The onslaught of distrust has been advanced considerably in the last year through the use of generative AI and deepfake capabilities. But she reiterated in a series of interviews with media that voting infrastructure is nearly bulletproof, and the US elections "have never been more secure."

“I can say \[that\] with confidence based on all the work that we've done together since 2016," Easterly told National Public Radio. “There are cyber threats, there are physical threats to election officials, but we're at a point now with our election infrastructure secure and the election community prepared to meet the moment on the 5th of November.”

In the meantime though, Blackbird.AI senior intelligence analyst Rennie Westcott agrees with Krebs that Election Day is unlikely to be the end of the efforts to create distrust in US election processes, so it's best to be prepared for more conspiracy theories about voting fraud and the like to continue to circulate.

"Foreign adversaries will try to confuse Americans about the authenticity of state election results after the polls close and tallies begin to trickle in," he says, adding that there will likely be ongoing efforts to "fan internal social division," including targeting minorities in swing states with tailored disinformation.

Don't miss the latest Dark Reading Confidential podcast, where we talk about NIST's post-quantum cryptography standards and what comes next for cybersecurity practitioners. Guests from General Dynamics Information Technology (GDIT) and Carnegie Mellon University break it all down. Listen now!

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

On Election Day, Disinformation Worries Security Pros the Most

The Iran-linked group Emennet Pasargad aims to undermine public confidence in Israeli and Western nations by using hack-and-leak campaigns and disrupting government services, including elections.

Source: Muhammad Toqueer via Shutterstock

An Iranian cyber-operations group, Emennet Pasargad — also known as Cotton Sandstorm — has broadened its attacks, expanding its targets beyond Israel and the United States and targeting new IT assets, such as IP cameras.

In an advisory published last week, the US Departments of Justice and Treasury — along with the Israel National Cyber Directorate (INCD) — called out the change in tactics and noted that the group had provided resources and infrastructure services to Middle Eastern threat groups by operating as a legitimate company, Aria Sepehr Ayandehsazan (ASA). In addition, since the beginning of the year, Emennet Pasargad has scanned for IP cameras, targeted organizations in France and Sweden, and actively probed a variety of election sites and systems, according to the government advisory.

"Similar to the Emennet campaign that targeted the 2020 U.S. Presidential election, the FBI judges the group's recent campaigns include a mix of computer intrusion activity and exaggerated or fictitious claims of access to victim networks or stolen data to enhance the psychological effects of their operations," the advisory stated.

The latest intelligence highlights Iran's increasing use of cyber operations as a way to target its perceived enemies. In 2020 and 2022, Emennet Pasargad created disinformation campaigns to target the US presidential and midterm elections, posing as Proud Boys volunteers and sending fake videos to Republican lawmakers. The US Department of Justice indicted two Iranian nationals for the crimes, as well as for sending threats through email and attempting to hack election websites.

Related:DPRK Uses Microsoft Zero-Day in No-Click Toast Attacks

Over the past year, Iran has stepped up its attempts to use cyberattacks to disrupt its enemies using bolder tactics, says John Fokker, head of threat intelligence for Trellix, a threat detection and response firm.

"Since October 2023, the beginning of the Israeli-Palestine crisis, Iranian hackers have intensified their activities against the United States and Israel, targeting critical sectors such as government, energy, and finance," he says. "We have observed Iran-linked actors disrupting organizations by stealing sensitive data, conducting denial-of-service attacks, and also deploying destructive malware such as ransomware or wiper strains, like the Handala wiper."

**Iranian Cyberattackers Broaden Their Sights**

Emennet Pasargad often operates by posing as a legitimate IT services company, ASA, as a front for accessing large language model (LLM) services and to scan and harvest data on IP cameras. The group has "used several cover hosting providers for infrastructure management and obfuscation," the Joint Cybersecurity Advisory added.

Related:South Korean APT Exploits 1-Click WPS Office Bug, Nabs Chinese Intel

The use of a cover organization to hide operations and make them seem legitimate is a common approach for Iranian threat actors, says Tomer Bar, vice president of security research at SafeBreach, a breach and attack simulation platform provider which has offices in Tel Aviv. For instance, Charming Kitten, or APT35, conducted reconnaissance and attacks under the guise of two companies, Najee Technology and Afkar System, which were sanctioned by the US Treasury Department in 2022.

"The usage of a cover company is not new, and it has been used by Iran both for espionage and distractive purposes," Bar says.

It also gives groups the ability to use commercial services as part of their infrastructure and hide their activities — for a time, says Trellix's Fokker.

"Threat actors have to acquire resources, software and hosting for their illicit activities," he says. "Having a 'legitimate' front company will make it easier to acquire these services and can serve as additional backstopping to give a plausible deniability."

**Governments, Businesses Should Take Stock**

The changing tactics underscore that organizations need to continually adjust their defenses to head off threat groups. Companies and government agencies should only buy technology and software from trusted vendors, and should make sure that those vendors have their own supply chain validation and vulnerability-remediation processes.

Related:BlankBot Trojan Targets Turkish Android Users

The Joint Cybersecurity Advisory called for organizations to review any successful authentications to network or cloud services that come from virtual private network services, such as Private Internet Access, ExpressVPN, and NordVPN. In addition to regularly applying updates and creating a resilient backup process, companies should consider deploying a "demilitarized zone" (DMZ) between any internet-facing assets and the corporate network, validating user input, and implementing least-privilege policies across their networks and applications.

SafeBreach has encountered attackers regularly scanning LinkedIn for workers who update their profiles with a new position, sending a spear-phishing text or email as a company administrator requesting that they log into a corporate system. The attackers then capture the victim's credentials through a malicious link.

Trellix's Fokker also stressed that companies should focus on their connected devices, applying patches for cameras and other hardware, using network segmentation to protect them, and regularly scanning their own IP space, before an attacker does.

"More and more governments are exploring the proactive scanning of IP spaces and notification of domestic organizations as an additional layer on top of stronger manufacturer requirements," he says. "First and foremost, it should be the responsibility of the organization itself. However, it will help if the government assists in this process and alerts unknowing organizations of their vulnerable cameras."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Iranian APT Group Targets IP Cameras, Extends Attacks Beyond Israel

The Pakistan-based advanced persistent threat actor has been carrying on a cyber-espionage campaign targeting organizations on the subcontinent for more than a decade, and it's now using a new and improved "ElizaRAT" malware.

Source: Mehaniq vis Shutterstock

Pakistan's APT36 threat group is using a new and improved version of its core ElizaRAT custom implant, in what appears to be a growing number of successful attacks on Indian government agencies, military entities, and diplomatic missions over the past year.

The latest ElizaRAT variant includes new evasion techniques, enhanced command-and-control (C2) capabilities, and an additional dropper component that makes it harder for defenders to detect the malware, researchers at Check Point Research (CPR) discovered when analyzing the group's activities recently. Heightening the threat is a new stealer payload dubbed ApoloStealer, which APT36 has begun using to collect targeted file types from compromised systems, store their metadata, and transfer the information to the attacker's C2 server.

**A Step-by-Step Cyberattack Capability**

"With the introduction of their new stealer, the group can now implement a 'step-by-step' approach, deploying malware tailored to specific targets," says Sergey Shykevich, threat intelligence group manager at Check Point Software. "This ensures that even if defenders detect their activities, they primarily find only a segment of the overall malware arsenal."

Heightening the challenge is the threat group's using of legitimate software, living off the land binaries (LoLBins), and legitimate services like Telegram, Slack, and Google Drive for C2 communications. The use of these services has significantly complicated the task of tracking malware communications in network traffic, Shykevich says.

APT36, who security vendors variously track as Transparent Tribe, Operation C-Major, Earth Karkaddan, and Mythic Leopard, is a Pakistani threat group that. since around 2013, has primarily targeted Indian government and military entities in numerous intelligence gathering operations. Like many other tightly focused threat groups, APT36s campaigns have occasionally targeted organizations in other countries, including Europe, Australia, and the US.

The threat actor's current malware portfolio includes tools for compromising Windows, Android, and increasingly, Linux devices. Earlier this year, BlackBerry reported an APT36 campaign where 65% of the group's attacks involved ELF binaries (Linkable Executable and Linkable Format) targeting Maya OS, a Unix-like operating system that India's defense ministry has developed as an alternative to Windows. And SentinelOne last year reported observing APT36 using romantic lures to spread malware called CopraRAT on Android devices belonging to Indian diplomatic and military personnel.

ElizaRAT is malware that the threat actor incorporated into its attack kit last September. The group has been distributing the malware via phishing emails containing links to malicious Control Panel files (CPL) stored on Google Storage. When a user opens the CPL file, it runs code that initiates the malware infection on their device, potentially giving the attacker remote access or control over the system.

**Three Campaigns, Three Versions**

Check Point researchers observed APT36 actors using at least three different versions of ElizaRAT in three separate campaigns — all targeting Indian entities — over the past year.

The first was an ElizaRAT variant that used Slack channels as C2 infrastructure. APT36 began using that variant sometime late last year and about a month later began deploying ApoloStealer with it. Starting early this year, the threat group switched to using a dropper component to stealthily drop and unpack a compressed file containing a new and improved version of ElizaRAT. The new variant, like its predecessor first checked to verify if the time zone of the machine it was on was set to Indian Standard Time before executing and further malicious activity.

The latest — third — version uses Google Drive for C2 communications. It lands on victim systems via malicious CPL files that act as a dropper for ElizaRAT. The CPL files execute a variety of tasks including creating a working directory for the malware, establishing persistence and registering the victim with the C2 server. What sets the latest version apart from the two previous ElizaRAT iteration is its continuous use of cloud services like Google Cloud for its C2 communication, Shykevich says. In addition, the latest APT36 campaign features a new USB stealer called ConnectX that the threat actor is using to examine files on USBs and other external drives that might be attached to a compromised device, he says.

"Introducing new payloads such as ApolloStealer marks a significant expansion of APT36’s malware arsenal and suggests the group is adopting a more flexible, modular approach to payload deployment," CPR said in its report. "These methods primarily focus on data collection and exfiltration, underscoring their sustained emphasis on intelligence gathering and espionage."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

APT36 Refines Tools in Attacks on Indian Targets

The security researcher who notified the media of the breach will be free from the city's lawsuit, but not without a caveat.

Source: Gregg Vignal via Alamy Stock Photo

The city of Columbus, Ohio, has come to a settlement with whistleblower David Leroy Ross, also known as Connor Goodwolf, after he alerted the local media of compromised personal information of the city's residents in a cyberattack.

The breach was discovered on July 18, when the city found that a foreign cyber-threat actor attempted to disrupt its IT infrastructure in a potential effort to install ransomware and demand a payment from the city.

The threat actors in question belonged to Rhysida ransomware gang, the information they managed to glean involving names, dates of birth, addresses, bank account information, driver's licenses, Social Security numbers, and other identifying information. This information was posted on the Dark Web, according to the notice of data breach letter that the city sent out to 500,000 victims whose information was compromised in the breach.

After learning of the disruption, Columbus' Department of Technology identified the threat and blocked unauthorized users from accessing its systems, launching an investigation into the matter. It also took the usual steps of engaging third-party cybersecurity experts to resolve the issue, as well as notifying law enforcement.

In August, the city sued independent security researcher David Ross, seeking damages greater than $25,000, as well as slamming him with an order to stop discussing the data leak. Now, nearly two months later, both sides have come to an agreement and the case will soon be dropped.

Goodwolf wanted a dismissal with prejudice, which means the city of Columbus cannot try him again for the same reason, and will have his wish be granted but with a catch: He had to agree to a permanent injunction in which he will only be allowed to publicly share data considered public record, and only with written approval from the city.

"It's good to see the city of Columbus dropping the case, partly in response to outcry from the security community back in July," Casey Ellis, founder and adviser at Bugcrowd, wrote in an emailed statement to Dark Reading. "This is another example of shooting the messenger, and the potential for this suit to have a chilling effect on others who'd do likewise in the interest of the public is something governments, agencies, and companies should be working hard to avoid."

Don't miss the latest Dark Reading Confidential podcast, where we talk about NIST's post-quantum cryptography standards and what comes next for cybersecurity practitioners. Guests from General Dynamics Information Technology (GDIT) and Carnegie Mellon University break it all down. Listen now!

City of Columbus Drops Case on Cyberattack Whistleblower

The bug affected accounts with 52-character user names, and had several pre-conditions that needed to be met in order to be exploited.

Source: Ahmed Zaggoudi via Alamy Stock Photo

Okta has addressed an authentication bypass bug that affects those with long usernames or employers with wordy domain names.

The security hole could have allowed cybercriminals to pass Okta AD/LDAP delegated authentication (DelAuth) using just a username. However, it could only be exploited if a series of conditions were met, one of those conditions being a username that had 52 characters or more.

Though unusual, some individuals opt to use their email addresses as their usernames, making the possibility of a 52-character username not entirely out of the question.

Other conditions that needed to be met were if the user previously authenticated, creating a cache of the authentication; and if the cache was used first, which could occur "if the AD/LDAP agent was down or cannot be reached, for example, due to high network traffic," according to the authentication company in its advisory of the flaw.

The vulnerability was discovered by Okta on Oct. 30, after lurking in the system for three months. While it has since been fixed, the company recommended that customers check their logs for any odd authentication attempts dating back to July 23.

Okta also recommended that customers implement multifactor authentication (MFA) at a minimum, as this was not applied as part of the exploitation preconditions.

It is unclear whether there were any in-the-wild exploitation attempts. Okta did not respond immediately to a request for comment from Dark Reading.

**About the Author**

Source

DARKReading