Ultimately, a more cyber-secure world requires a global governing body to regulate and campaign for cybersecurity, with consistent regulatory requirements in the various regions around the world.

Joanna Huisman, Senior Vice President of Strategic Insights & Research, KnowBe4

August 5, 2024

3 Min Read

Source: Iulia Bycheva via Alamy

COMMENTARY

Cybersecurity regulations differ across regions, as does the level of security culture. As a result, cybercriminals are better able to take advantage of weak spots arising from the lack of a global governing cyber alliance. We remain scattered when it comes to overarching procedures and cybersecurity response. From North and South America to Asia, Africa, Europe, and Oceania, cybercrime is prospering within the regulatory gaps.

To bridge these gaps, governments worldwide must collaborate closely to come to a consensus on how to deal with cybersecurity incidents. Unfortunately, this is not the kind of thing that will happen immediately. But by understanding the state of global security culture and regulation, we can point ourselves in the right direction. 

**The Americas**

While the emphasis of security culture in North America has resulted in changes to cybersecurity best practices, there are still plenty of major cyberattacks hitting the news. Ransomware events against MGM and United Healthcare show that even as the workforce improves its level of security awareness, there is a long way to go.

Security culture in South America is even more spotty. The varying levels of development across South American countries means cybersecurity companies will avoid investing too much effort in a less prolific region. Additionally, while there are some key regulatory requirements within South America, the lack of consistency across countries there puts the continent at a disadvantage. Though Colombia may be one of the more prepared countries with its strong outline of cyber strategies in its National Council of Economic and Social Policy, the region as a whole is not.

**Africa & Europe**

Africa, which has up to 2,000 unique languages and a quickly growing population, is rapidly adopting technology. African organizations have also experienced the most growth in cybercrime over the past couple of years. With such a quickly evolving environment, security culture will take a while to catch up.

While various African countries boast cybersecurity legislation, the African Union's Convention on Cybersecurity and Personal Data Protection has only been ratified by 15 of the 55 countries. This is concerning, since the South African Council for Scientific and Industrial Research predicts an increase in cyberattacks against critical infrastructure and government organizations.

In Europe, security awareness increasingly is gaining traction, but a range of attitudes toward cybersecurity culture remains.

While European cybersecurity regulations seem to be on track — for example, the well-established General Data Protection Regulation (GDPR) as well as the Digital Operational Resilience Act (DORA), which will be effective in 2025 — the truth is that many organizations haven't taken substantive efforts to develop a security culture, leaving them vulnerable to cyberattacks.

**Asia & Oceania**

Cybersecurity across Asia varies widely due to Asia's diversity of culture and languages.

While legislation like the Association of Southeast Asian Nations (ASEAN) is a great step at unifying portions of the region, Asia is fragmented, and will likely remain so for some time. This is unfortunate timing, as the Allianz Commercial Risk Barometer for 2024 predicts ransomware, malware, and social engineering to be the highest risks facing Asian organizations.

While Oceania is taking some important steps in solidifying a strong cybersecurity culture, the region has a long way to go. However, due to recent data breaches in the region — Latitude Financial, Optus, and Medibank — cybersecurity is considered more of a shared responsibility.

Additionally, the Australian government has implemented various cybersecurity awareness campaigns teaching citizens how to remain abreast of cyber threats. Meanwhile, Australia and New Zealand have each released their own cyber-strategy policies, which encourage cyber resiliency and foster security culture.

**Global Cyber Cooperation**

The ultimate solution, however idealistic, is for an overarching governing body to regulate and campaign for cybersecurity across the globe. In conjunction, each region should have its own consistent regulatory requirements. But that will take time.

In the meantime, individual organizations and individuals themselves can do various things to protect themselves in the face of increased cyber threat. It all begins with a strong security culture. While it may be more difficult for some organizations, the basis for a robust security culture is for everyone involved to feel responsible for their workplace, their city, their country, and so on.

**About the Author**

Senior Vice President of Strategic Insights & Research, KnowBe4

Joanna Huisman is Senior Vice President, Strategic Insights & Research, at KnowBe4, the provider of the world's largest security awareness training and simulated phishing platform used by more than 65,000 organizations around the globe.

How Regional Regulations Shape Global Cybersecurity Culture

The scheme, from the group also known as APT28, involves targeting Eastern European diplomats in need of personal transportation and tempting them with a purported good deal on a Audi Q7 Quattro SUV.

Source: Uwe Deffner via Alamy Stock Photo

A prolific Russian threat actor known as Fighting Ursa is targeting diplomats through a used-car sale email scheme that then distributes HeadLace backdoor malware.

The gambit involves downloading a .zip file supposedly containing car images of an Audi Q7 Quattro SUV that's been outfitted for diplomatic use; but in fact, the files are executables whose .exe extensions are hidden by default in Microsoft Windows.

The photos of the vehicle are accompanied by a Romanian phone number and a contact at the Southeast European Law Enforcement Center to lend the ad additional credibility.

Fighting Ursa (aka APT28, Fancy Bear, and Sofacy) has adopted the tactic from other Russian threat actors, according to a report on the attack published by Palo Alto Networks' Unit 42.

In July 2023, Unit42 reported on the Russian threat actor Cloaked Ursa, which was using a similar lure — that time a used BMW sedan in Kyiv — to target diplomats working at embassies in Ukraine.

"These lures tend to resonate with diplomats and get targets to click on the malicious content," the blog post noted.

**"Audi" Cyberattack Routine Drives Espionage**

The attack chain begins with the use of the legitimate, free service known as "webhook" to host a malicious HTML page — a tactic that Unit 42 noted is often associated with APT28.

This page then determines if the target machine is running Windows. If it is, a .zip archive is offered for download. If the system is not Windows-based, the user is redirected to a decoy image.

Inside the .zip archive are three files: a Windows calculator executable disguised as an image file, a malicious dynamic link library (DLL), and a batch script.

The calculator executable is used to load the malicious DLL, which then runs the batch script.

The batch script then executes a command to retrieve a file from another webhook site URL, saves it in the downloads folder, renames it for execution, and then deletes it afterward to cover the attack’s tracks. That file contains the HeadLace backdoor, which establishes persistent access to a victim's machine in order to set the stage for follow-on data theft, reconnaissance, and surveillance activities.

"While the infrastructure used by Fighting Ursa varies for different attack campaigns, the group frequently relies on these freely available services \[like webhook\]," a Unit 42 post explained. "Furthermore, the tactics from this campaign fit with previously documented Fighting Ursa campaigns, and the HeadLace backdoor is exclusive to this threat actor."

**Disabling Hide File Extension Options**

Roger Grimes, data-driven defense evangelist at KnowBe4, explains that for nearly as long as Windows has been around, it has automatically hidden the file extension of dozens of commonly used files, such as .exe, .scr, .dll, etc.

"This allows an attacker to create a file — for example, 'carphotos.jpg.exe' — that appears to most Windows users as carphotos.jpg," he explains.

For the real file extension not to be hidden, a user must intentionally disable the "hide file extensions" option in Windows, often having to do so in multiple places.

"Why Microsoft continues to allow hiding file extensions to be the default setting for decades is beyond me, as it is responsible for many tens of millions of exploitations," Grimes says. "It's far past the time for Microsoft to disable this dangerous default."

Microsoft did not immediately respond to a request for comment.

**Fighting Ursa: A Very Active Russian Cyber-Threat Actor**

The hacking group, which most researchers track as APT28, has a long and infamous history as the perpetrators of US election interference in 2016, the NotPetya attacks, the Olympic Destroyer effort, and other high-profile cyber offensives.

More recently, it has targeted Ukrainian government bodies with spear-phishing emails posing as Windows Update guides to trick recipients into executing malicious PowerShell commands.

And in 2022, it disseminated a malicious document exploiting the now-patched CVE-2022-30190 flaw through phishing emails to Ukrainian users. The document, titled “Nuclear Terrorism: A Very Real Threat.rtf,” aimed to exploit concerns about the war in Ukraine escalating into a nuclear disaster.

The threat group has also targeted Ukraine's energy infrastructure, and recently built GooseEgg, a custom tool used to exploit CVE-2022-38028 in attacks directed toward Ukraine, Western Europe, and North America.

**About the Author**

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.

Russia's 'Fighting Ursa' APT Uses Car Ads to Install HeadLace Malware

The runaway success of an upstart ransomware outfit called "Dark Angels" may well influence the cyberattack landscape for years to come.

Source: Jakub Krechowicz via Alamy Stock Photo

A Fortune 50 company paid $75 million to its cyberattackers earlier this year, greatly exceeding any other confirmed ransom payment in history. The beneficiary of the payout is an outfit called Dark Angels. And Dark Angels isn't just effective — in some ways, the gang turns so much of what we thought we knew about ransomware on its head.

Sure, there have been other big amounts forked over in the past: In 2021, Illinois-based CNA Financial was reported to have paid a then unprecedented $40 million ransom in order to restore its systems after a ransomware attack (the company never confirmed that figure). Later that year, the meat manufacturer JBS admitted to paying $11 million to end a disruption affecting its factories. Caesars Palace last year paid $15 million to make its ransomware disruption problems go away.

But those figures pale in comparison against the $75 million in equivalent Bitcoin paid by the aforementioned large organization, which Zscaler chose to keep anonymous in its 2024 annual ransomware report, where the payout was first recorded. The dollar amount has also been corroborated by Chainalysis.

**Meet the Dark Angels**

Dark Angels first appeared in the wild in May 2022. Ever since, its specialty has been defeating fewer but higher-value targets than its ransomware brethren. Past victims have included multiple S&P 500 companies spread across varied industries: healthcare, government, finance, education, manufacturing, telecommunications, and more.

For example, there was its headline-grabbing attack on the megalith Johnson Controls International (JCI) last year. It breached the company's VMware ESXi hypervisors, freezing them with Ragnar Locker and stealing a reported 27 terabytes worth of data. The ransom demand: $51 million. It's unclear how Johnson Controls responded but, considering its $27 million-plus cleanup effort, it's likely that the company did not cave.

$27 million would have been the second-largest ransom payment in recorded history at the time (after the reported CNA payment). But there's evidence to suggest that this wasn't just some outlandish negotiating tactic — that Dark Angels has good reason to think it can pull off that kind of haul.

**Dark Angels Does Ransomware Differently**

Forget everything you know about ransomware, and you'll start to understand Dark Angels.

Against the grain, the group does not operate a ransomware-as-a-service business. Nor does it have its own malware strain — it prefers to borrow encryptors like Ragnar Locker and Babuk.

Its success instead comes down to three primary factors. First: the extra care it can take by attacking fewer, higher-yielding targets.

Second is its ability to exfiltrate gobs of sensitive data. As Brett Stone-Gross, senior director of threat intelligence at Zscaler explains, "If you look at a lot of these other ransomware groups, their affiliates are stealing maybe a few hundred gigabytes of data. Sometimes even less than 100 gigabytes of data. They usually top out around, maybe, one terabyte or so. In contrast, Dark Angels are stealing tens of terabytes of data."

In that, Dark Angels differs only in degree, not in kind. Where it really separates itself from other groups is in its subtlety. Its leak site isn't flashy. It doesn't make grand pronouncements about its latest victims. Besides the obvious operational security benefits to stealth (it's largely escaped media scrutiny in recent years, despite pulling off major breaches), its aversion to the limelight also helps it earn larger returns on investment.

For example, the group often avoids encrypting victims' data, with the express purpose of allowing them to continue to operate without disruption. This seems to defy common wisdom. Surely the threat of downtime and media scrutiny are effective tools to get victims to pay up?

"You would think that, but the results say otherwise," Stone-Gross suggests.

Dark Angels makes paying one's ransom easy and quiet — an attractive prospect for companies that just want to put their breaches behind them. And avoiding business disruption is mutually beneficial: Without the steep bills associated with downtime, companies have more money to pay Dark Angels.

**Can Dark Angels' Wings Be Clipped?**

In its report, Zscaler predicted "that other ransomware groups will take note of Dark Angels’ success and may adopt similar tactics, focusing on high value targets and increasing the significance of data theft to maximize their financial gains."

If that should come to pass, companies will face much steeper, yet more compelling ransom demands. Luckily, Dark Angels' approach has an Achilles' heel.

"If it's a terabyte of data, \[a hacker\] can probably complete that transfer in several days. But when you're talking terabytes — you know, tens of terabytes of data — now you're talking weeks," Stone-Gross notes. So, companies that can catch Dark Angels in the act may be able to stop them before it's too late.

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Fortune 50 Co. Pays Record-Breaking $75M Ransomware Demand

The state-sponsored Chinese threat actor gained access to three systems and stole at least some research data around computing and related technologies.

Source: Christophe Coat via Alamy Stock Photo

China-linked advanced persistent threat group APT41 appears to have compromised a government-affiliated institute in Taiwan that conducts research on advanced computing and associated technologies.

The intrusion began in July 2023, with the threat actor gaining initial access to the victim environment via undetermined means. Since then, it has deployed multiple malware tools, including the well-known ShadowPad remote access Trojan (RAT), the Cobalt Strike post compromise tool, and a custom loader for injecting malware using a 2018 Windows remote code execution vulnerability (CVE-2018-0824).

APT41 is an attribution that several vendors use to track a loose collective of China-nexus threat groups that have been engaged in a broad range of cyber espionage and financially motivated cyberattacks around the world, going back to 2012. Members of the group such as Wicked Panda, Winnti, Barium, and SuckFly have plundered and pillaged trade secrets, intellectual property, and other sensitive data from organizations in the US and multiple other countries in recent years.

Most recently, Mandiant reported observing members of the group targeting global shipping and logistics companies and organizations in the technology, entertainment, and automotive sectors. The US government indicted several members of the Chengdu-based APT41 in 2020, though that has done little slow it down.

**Academic Research: A Valuable Cyber Target**

Researchers at Cisco Talos discovered the intrusion when investigating abnormal activity involving attempts to download and execute PowerShell scripts in the Taiwan research institute's network environment last year.  

"The nature of research-and-development work carried out by the entity makes it a valuable target for threat actors dedicated to obtaining proprietary and sensitive technologies of interest to them," Talos researchers Joey Chen, Ashley Shen, and Vitor Ventura said in a report this week. Over the course of the intrusion, APT41 actors broke into three systems in the target environment and stole at least some documents from there, they said.

ShadowPad is malware that researchers first discovered embedded in the source code of NetSarang Computer's Xmanager server management software back in 2017. That supply chain attack impacted several NetSarang customers in the APAC region. Initially, researchers believed that APT41 was the sole user of the backdoor. Over the years however, they have identified multiple groups — all of them China-linked — that have used the RAT in numerous cyber-espionage campaigns and software supply chain attacks.

With the attack on the Taiwanese research institute, APT41 used two different ShadowPad iterations — one that leveraged a previously known packing mechanism called "ScatterBee," and another that used an outdated and vulnerable version of Microsoft Input Method Editors (IME), the Cisco Talos researchers said.

**ShadowPad & Cobalt Strike Anchor Espionage Effort**

The attackers used ShadowPad to run commands for mapping out the victim network, collecting data on hosts, and trying to find other exploitable systems on the same network. Cisco Talos also found the APT harvesting passwords and user credentials stored in Web browsers from the compromised environment, using tools such as Mimikatz and WebBrowserPassView.

"From the environment the actor executes several commands, including using 'net,' 'whoami,' 'quser,' 'ipconfig,' 'netstat,' and 'dir' commands to obtain information on user accounts, directory structure, and network configurations from the compromised systems," the researchers said. "In addition, we also observed query to the registry key to get the current state of software inventory collection on the system."

As part of their attack chain, the threat actors also deployed the Cobalt Strike post compromise tool on the victim network using a loader they cloned from a GitHub project. It's designed to evade antivirus detection tools.

"It’s important to highlight that this Cobalt Strike beacon shellcode used steganography to hide in a picture and executed by this loader," the researchers said. "In other words, its download, decryption, and execution routines all happen in runtime in memory."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

China's APT41 Targets Taiwan Research Institute for Cyber Espionage

Now that the Authy Desktop app has reached EOL and is no longer accessible, users are hoping their 2FA tokens synced correctly with their mobile devices.

Source: Cynthia Lee via Alamy Stock Photo

UPDATE

Twilio's Authy Desktop application for Linux, Windows, and macOS has finally been shut down, and is logging users out of the application. 

Earlier this year, the company announced that the application, which manages sign-ons for two-factor authentication (2FA)-protected accounts, would meet its end of life (EOL) in March. However, the desktop app has continued to work past the EOL date.

Now, the app has officially been discontinued. Twilio recommends that users switch to the mobile version of the app, as it offers "similar or better features for securely storing your authenticator account tokens and are fully supported and regularly updated."

However, some users are reporting that the desktop version is inaccessible: When they installed Authy on their phones, their tokens did not synchronize correctly, and they were missing a significant amount of data.

It is possible that these users did not have the backup feature enabled, which ensures that a user's tokens automatically sync between devices. According to a Twilio spokesperson, "If users are finding that their tokens didn't synchronize properly, it's best for them to follow the instructions linked at the bottom of the page, specifically the 'Decrypt a 2FA account takeover.'"

This story was updated at 4:00 p.m. ET on Aug. 2 to reflect comments from the vendor.

**About the Author**

Twilio Users Kicked Out of Desktop App, Forced to Switch to Mobile

In a monoculture, cybercriminals need to look for a weakness in only one product, or discover an exploitable vulnerability, to affect a significant portion of services.

Source: Skorzewiak via Alamy Stock Photo

Could the US federal government inadvertently be fueling perfect storm conditions for another unprecedented cyber incident that would have widespread implications for federal, state, and critical infrastructure services, similar to the recent CrowdStrike outage? 

**Setting the Stage**

The US State and Local Cybersecurity Grant Program (SLCGP) provides funding to eligible entities to improve cybersecurity posture and reduce the risk of a cyberattack. This is, of course, good, as many public entities have lacked the budget necessary to have a cybersecurity posture suitable to protect the personal data or services they provide.

Prior to this funding, each entity would make their own decision on cybersecurity and need to fund it from existing budgets. For example, a school district may select a vendor based on services and price, the neighboring school district could choose a different vendor, and so on. For the financially frugal, this would seem like a bad solution. If entities were to group together and use a single vendor, they would get bulk purchase discounts and lower the amount of tax dollars spent. 

But ask a cybersecurity professional to describe the best cybersecurity posture and they will use terms like "defense in depth" or "layers of defense." This refers to the use of multiple technologies, and in most cases multiple vendors, in order to thwart potential attacks, or incidents such as CrowdStrike's single corrupt driver causing a global outage at multiple major companies. 

When the SolarWinds cyberattack unfolded there were 33,000 private, federal, and state users of the technology, with about 18,000 installing the malicious update. The backlash of this supply chain attack resulted in new regulation on improving supply chain security, and this continues to play out today. While the attack was devastating, it was not a cyber-Armageddon event, as states, entities within states, federal agencies, and such were using a diverse set of solutions from different vendors.

The recent, unfortunate incident suffered by CrowdStrike customers highlights how devastating a single vendor issue can be, with just 8.5 million devices affected globally (representing less than 1% of Windows devices) causing mass global disruption to airlines, healthcare facilities, businesses, and more. 

**Creating a Monoculture**

Now consider the offer of SLCGP, which gives free money to spend on cybersecurity — it's like moths attracted to a light. A state can apply for funds from the grant to cover multiple entities within its jurisdiction. Once granted, a vendor is selected and offered to entities statewide, either free or highly discounted due to volume licensing. This creates a monoculture cybersecurity environment, or a perfect storm for a major cyber incident, where if the primary vendor is attacked or has a significant vulnerability exploited, it could take out the entire state's services, every school district, local government administration, etc. The effect on everyday society could be devastating. 

The SolarWinds and CrowdStrike incidents demonstrate, on a limited scale, that when a single vendor suffers an incident of some type, if there are enough affected parties, the incident becomes significant, and if they are all grouped in a single state, it becomes a major incident.

If a single vendor becomes the de facto standard for states that apply for SLCGP (a good possibility: I personally know of some organizations that have been rolled into a standard solution as part of a no-cost, or near-no-cost, state solution)

To put this in context, there are approximately 50 million US children of school age. If 90% of states are customers of one solution, and this includes state-funded education, the impact of a cyber incident would see 45 million children's educations being disrupted. And in some instances, schools have suffered significantly when hit by a cyber incident — requiring closure for potentially months. And education is just one area affected by single-vendor risk.

The SLCGP appears to be creating a new monoculture environment, on a scale that could make the previous incidents pale into insignificance. Monoculture is a term typically used in farming. In brief, it is about crop rotation — diversity in planting in order to protect both the crop and the fields in which the crops are planted. If a single crop is planted in the same field over several seasons the outcome results in bad yield. 

**Promoting Diversity in Cybersecurity**

In 2015, an academic paper detailed the issues of monoculture cybersecurity relating to the use of antivirus (AV) products. It concluded that "lowered infection rates were positively correlated with higher rates of AV activity, stable AV product usage and status, and AV product diversity." The importance of a diverse product selection prevents a single incident, whether malicious or unfortunate, from causing a catastrophic outage. 

The actions by states to standardize on a single product using the SLCGP is creating a dominant security product scenario that causes monoculture, a default standard for cybercriminals to attack. Cybercriminals need to look for a weakness in only one product, or to discover an exploitable vulnerability, to affect a significant portion of services, potentially affecting the entire population of a state.

The solution is to promote, and require, diverse layers of defense architecture, and this should be a requirement of receiving SLCGP funding. 

**About the Author**

Chief Security Evangelist, ESET

With over 20 years of security industry experience, Tony Anscombe is an established author, blogger and speaker on the current threat landscape, security technologies and products, data protection, privacy and trust and internet safety. His speaking portfolio includes industry conferences RSA, Black Hat, VB, CTIA, MEF, Gartner Risk and Security Summit and the Child Internet Safety Summit. He is regularly quoted in security, technology, and business media, including BBC, the Guardian, the New York Times and USA Today, with broadcast appearances on Bloomberg, BBC, CTV, KRON, and CBS.

Is the US Federal Government Increasing Cyber-Risk Through Monoculture?

A simple toggle in Proofpoint's email service allowed for brand impersonation at an industrial scale. It prompts the question: Are secure email gateways (SEGs) secure enough?

Source: Cheryl Ann Quigley via Alamy Stock Photo

Millions of near-undetectable emails impersonating blue chip companies were spreading every day through the first half of 2024, thanks to some permissive features of Microsoft 365 and Proofpoint's email protection service.

Proofpoint's secure email gateway (SEG) is a kind of firewall for corporate emails, filtering what comes in and applying authentication to what goes out. Recently, though, researchers from Guardio uncovered a campaign undermining that outbound part, utilizing a "super-permissive misconfiguration flaw" to send credit-card scam emails that were signed and verified as if they came from legitimate, brand name corporate accounts.

"It puts recipients in a weird place," says Adam Maruyama, field CTO at Garrison Technology. "You can receive a spoofed email and be affected, even if you've done your full \[cybersecurity\] due diligence to try to protect yourself."

Proofpoint has since implemented a fix which has all but killed the campaign, but some broader questions around email security linger.

**How "EchoSpoofing" Worked**

"There's not been a lot that has changed in the underlying infrastructure of what email is since it first started," says Jeremy Fuchs, office of the CTO at Check Point Software. For example, "The sender address in an email is kind of like the sender address in snail mail. I could send you a letter and say it's coming from the North Pole, and there really wouldn't be anything anyone could do to stop it. It's not that simple in the digital world, but it's still fairly easy." 

In the campaign, which Guardio called "EchoSpoofing," the attacker took advantage of this fact by setting up their own Simple Mail Transfer Protocol (SMTP) server on a virtual server. From there, they could send out emails with whatever "From" header they wished — for example, a fake customer service account coming from an @disney.com or @northpole.cool domain.

Of course, any modern security solution that employs anti-spoofing technology like Domain-based Message Authentication Reporting & Conformance (DMARC) monitoring or spam filter would catch suspicious emails coming from a random server. But this is where the EchoSpoofing vulnerability comes into play.

It turned out that Proofpoint's SEG contained a toggle which, when turned on, trusted any emails routing through Microsoft Office 365. Microsoft 365 is a commonly used mail service among businesses, but anybody — including a hacker — can also use it. Thus, if a hacker could send mail through Microsoft to a Proofpoint customer, it would be trusted by default and passed along.

This is where mail exchange (MX) records came in handy. MX records in the Domain Name System (DNS) specify the mail servers responsible for handling email for a domain. Companies that use Proofpoint SEG send their MX records to Proofpoint's servers. These records are public so, Fuchs observes, "they weren't just guessing about who to target. They knew exactly who they could target."

In summary: the attacker forged emails mimicking major corporations (including Disney, Best Buy, ESPN, IBM, Coca Cola, Nike, Fox News, and dozens more) from a private SMTP server, then relayed them through Microsoft 365 to known Proofpoint customers. If the customer had the "super-permissive" setting toggled on, Proofpoint would stamp the malicious emails with the same Domain Keys Identified Mail (DKIM) verification it would legitimate emails, then sent them on to victim inboxes.

**Millions of Fake Emails a Day**

The EchoSpoofing campaign began in January, and was first discovered by Proofpoint itself in late March. At that point, the company explained in a blog post, it took a number of steps to notify and protect customers.

But those efforts did not stem the tide of attacks. In fact, the forged emails only grew in number — averaging three million per week, and occasionally surpassing ten million.

Source: Guardio

Dark Reading reached out to Proofpoint for more information on why email attacks only rose after its initial remediation efforts began. Proofpoint representatives pointed Dark Reading to passages of its blog, and did not provide further comment.

Perhaps the campaign survived because the attacker had a keen operational awareness. As Guardio explained, "Once it finds a vulnerable Proofpoint account (by testing out this exploit on a small scale), it saves the domain for later use, forcing time gaps between delivery opportunities. It switches abused domains and Office365 accounts each time, making it harder to spot the activity and trying to stay 'under the radar' as much as possible."

This diligence may have been the key to the campaign's staying power, even after it had been detected. "It was quite interesting to see how, once the campaign was spotted and Proofpoint customers started to patch and block this exploit, the threat actor realized the decline and started burning out assets — realizing 'the end is near' — as can be seen with the disney.com domain usage in the above graph in early June 2024."

EchoSpoofing finally seems to have died down recently, after Proofpoint introduced a vendor-specific header for outgoing emails. Now, customers can restrict the 365 accounts allowed to send emails on their behalf to only their own.

**Being Diligent About Corporate Email**

Besides permissiveness, negligence too paved the way for the EchoSpoofers.

According to Guardio, despite Proofpoint's efforts to alert Microsoft, the attackers' maliciously-wielded Office365 accounts remain active many months later. In a statement to Dark Reading, a Microsoft spokesperson claimed that "When our partner alerted us to this issue, we took immediate action to investigate. We blocked tenants abusing our service and disabled accounts deemed fraudulent."

Then there were the companies that were victims of being spoofed. As Nati Tal, head of Guardio Labs, notes, they weren't powerless to detect millions of fake emails impersonating their brands. "In this case, if someone from Disney or wherever was looking at the amount of emails being sent out from their ProofPoint \[server\], it would probably have popped out immediately, at the first moment. You would see some kind of anomaly."

That, he says, should be a lesson that "You need to implement some kind of logging, some kind of data tracking for your email distribution."

Organizations that don't implement secure email controls like DMARC monitoring risk far greater cyber consequences than EchoSpoofing has demonstrated thus far. As Maruyama reflects, "I think my concern is that these have been pretty generic spam attacks. 'Click here', then they try to steal your credit card number. I could see a world in which a more sophisticated actor would save a similar vulnerability to do very targeted spear phishing to, for example, get emails through that look like they are from the government and defense services, targeted toward individuals in the Pentagon, DHS, etc. That is a much bigger threat, with due respect to folks who've had credit cards stolen here."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Disney, Nike, IBM Signatures Anchor 3M Fake Emails a Day

Having a robust identity continuity plan is not just beneficial but essential for avoiding financially costly and potentially brand-damaging outages.

Source: Borka Kiss via Alamy Stock Photo

COMMENTARY  
In the modern enterprise, where IT infrastructure, applications, and data are spread across multiple clouds, hybrid clouds, and on-premises data centers, identity ensures that the right individuals have access to the right resources at the right times. In many ways, identity is now on par with electricity when it comes to business continuity. Without it, business operations grind to a standstill. 

Just as most businesses have backup power sources so they can continue to operate when their electric utility goes down, organizations should implement an identity continuity plan to maintain the availability of critical IT systems if their primary identity provider (IDP) is offline. Having a failover plan is more critical than ever, since many organizations now rely on cloud-based IDPs that are vulnerable to outages for a host of reasons, including provider outages, natural disasters, loss of Internet connectivity, and more. 

When developing an identity continuity strategy, the NIST Cybersecurity Framework can serve as a valuable model to follow. Designed to help organizations manage and mitigate cybersecurity risks, it consists of five core functions: Identify, Protect, Detect, Respond, and Recover. Each function plays a pivotal role in forming a robust identity continuity plan. Here’s how to map an identity continuity plan to the NIST Cybersecurity Framework. 

**Identify****Inventory Applications, Policies, and Identities**

The initial step in creating an identity continuity plan involves cataloging all applications, policies, and identities within the organization. This inventory should distinguish between different user groups, such as customers and employees, to address their specific access requirements effectively.

This process should include detailing interdependencies and criticalities to ensure comprehensive coverage. Classifying these resources based on their criticality and the potential impact of downtime helps prioritize efforts. For instance:

*   Critical applications: These are vital for immediate business operations, like primary revenue-generating platforms.
    
*   Important applications: These support daily operations but can endure short periods of downtime.
    
*   Supportive applications: These are necessary but not critical on an hour-to-hour basis.
    
*   Non-essential applications: These can tolerate extended downtimes without significant impact.
    

**Routine Continuity Tests**

Regularly testing the continuity plan is crucial for identifying gaps and ensuring its effectiveness. Routine tests help keep the plan up to date and ready for real-world disruptions.

**Protect****Ensure Continuous Identity Operations**

Protecting identity operations requires ensuring continuous access to identity services. This includes establishing robust mechanisms for cloud-to-cloud and cloud-to-premises failovers. With many organizations adopting zero-trust architectures, where each access request requires continuous authentication and authorization checks, identity continuity is even more critical to ensure end-to-end security.

**Develop Disaster Recovery Plans**

While preventing outages is always best, in addition to continuity planning it's critical to also have a disaster recovery plan. Regular backups of policies and resources from cloud and on-premises identity infrastructures ensure quick restoration if a rebuild is necessary.

**Detect****Monitor Identity Infrastructure**

Implement centralized analytics and reporting to continuously monitor the availability of identity and access services. Early detection of outages or slowdowns allows for prompt intervention and proactive response.

**Conduct Regular Testing**

Regular continuity tests simulate real-world scenarios to detect potential weaknesses in the identity infrastructure. This proactive "test to verify" approach ensures that the continuity plan is robust and effective.

**Respond****Maintain Continuous Identity Operations**

Develop strategies for failover and fail-back to ensure continuous identity operations. Predefined custom actions, alerts, and automations should be in place to handle various scenarios.

**Establish Failover Mechanisms**

Multiple layers of failover mechanisms ensure redundancy and resilience. For example, assign:

*   Primary identity provider (IDP)
    

*   On-premises IDP (as a last-resort backup)
    

**Predefine Continuity Actions**

Having predefined continuity actions ensures a swift and organized response to identity service disruptions. Actions can include automatic service ticket opening, initiating an incident response workflow, or some other scriptable action. This minimizes downtime and mitigates its impact on operations.

**Recover****Manage Incidents and Resolve Outages**

An incident management plan should outline the steps for failover, failback, and incident resolution. The focus should be on quick recovery while documenting and analyzing any anomalies. Use data collected for availability and outages with your IDP vendor to negotiate expectations.

**Run Disaster Recovery Backups**

Ensure the disaster recovery plan includes procedures for running backup and restore operations. This enables swift recovery from identity service outages, minimizing downtime.

**Govern****Continuous Monitoring and Policy Management**

Implement continuous monitoring of identity systems to ensure adherence to established policies. Regularly update, document, and report policies to reflect changes in the IT environment and emerging threats.

**Monitor Access Requests and Activities**

Track access requests and activities to identify unusual patterns that may indicate security threats. Continuous monitoring helps maintain a proactive defense against potential disruptions.

By leveraging the NIST Cybersecurity Framework, organizations can develop a comprehensive identity continuity plan that ensures resilience against disruptions. Now that identity is interwoven into all business operations and predominantly relies on cloud-based IDPs, having a robust identity continuity plan is not just beneficial but essential for avoiding financially costly and potentially brand-damaging outages.

**About the Author**

CEO, Strata Identity

Eric has made a career out of simplifying and securing enterprise identity management. He founded, scaled, and successfully exited both Securant/ClearTrust (Web Access Management) and Symplified, (the first IDaaS company). Recently Eric served as SVP and GM at Oracle, where he ran the identity and security business worldwide and was responsible for product development, go to market, and partnerships. As a technologist, he was a co-author of the SAML standard, created the first pre-integrated SSO platform, and is the visionary behind the Identity Fabric™.

Implementing Identity Continuity With the NIST Cybersecurity Framework

By injecting malicious bytecode into interpreters for VBScript, Python, and Lua, researchers found they can circumvent malicious code detection.

Source: Casimiro PT via Shutterstock

Attackers can hide their attempts to execute malicious code by inserting commands into the machine code stored in memory by the software interpreters used by many programming languages, such as VBScript and Python, a group of Japanese researchers will demonstrate at next week's Black Hat USA conference.

Interpreters take human-readable software code and translate each line into bytecode — granular programming instructions understood by the underlying, often virtual, machine. The research team successfully inserted malicious instructions into the bytecode held in memory prior to execution, and because most security software does not scan bytecode, their changes escaped detection.

The technique could allow attackers to hide their malicious activity from most endpoint security software. Researchers from NTT Security Holdings Corp. and the University of Tokyo will demonstrate the capability at Black Hat using the VBScript interpreter, says Toshinori Usui, research scientist with NTT Security. The researchers have already confirmed that the technique also works for inserting malicious code in the in-memory processes of both the Python and the Lua interpreters.

"Malware often hides its behavior by injecting malicious code into benign processes, but existing injection-type attacks have characteristic behaviors ... which are easily detected by security products," Usui says. "The interpreter does not care about overwriting by a remote process, so we can easily replace generated bytecode with our malicious code — it's that feature we exploit."

Bytecode attacks are not necessarily new, but they are relatively novel. In 2018, a group of researchers from the University of California at Irvine published a paper, "Bytecode Corruption Attacks Are Real — And How to Defend Against Them," introducing bytecode attacks and defenses. Last year, the administrators of the Python Package Index (PyPI) removed a malicious package, known as fshec2, which escaped initial detection because all its malicious code was compiled as bytecode. Python compiles its bytecode into PYC files, which can be executed by the Python interpreter.

"It may be the first supply chain attack to take advantage of the fact that Python byte code (PYC) files can be directly executed, and it comes amid a spike in malicious submissions to the Python Package Index," Karlo Zanki, reverse engineer at ReversingLabs, said in a June 2023 analysis of the incident. "If so, it poses yet another supply chain risk going forward, since this type of attack is likely to be missed by most security tools, which only scan Python source code (PY) files."

**Going Beyond Precompiled Malware**

After an initial compromise, attackers have a few options to expand their control of a targeted system: They can perform reconnaissance, try to further compromise the system using malware, or run tools already existing on the system — the so-called strategy of "living off the land."

The NTT researchers' variation of bytecode attack techniques essentially falls into the last category. Rather than using pre-compiled bytecode files, their attack — dubbed Bytecode Jiu-Jitsu — involves inserting malicious bytecode into the memory space of a running interpreter. Because most security tools do not look at bytecode in memory, the attack is able to hide the malicious commands from inspection.

The approach allows attacker to skip other more obviously malicious steps, such as calling suspicious APIs to create threads, allocating executable memory, and modifying instruction pointers, Usui says.

"While native code has instructions directly executed by the CPU, bytecode is just data to the CPU and is interpreted and executed by the interpreter," he says. "Therefore, unlike native code, bytecode does not require execution privilege, \[and our technique\] does not need to prepare a memory region with execution privilege."

**Better Interpreter Defenses**

Developers of interpreters, security-tools developers, and operating-system architects can all have some impact on the problem. While attacks targeting bytcode do not exploit vulnerabilities in interpreters, but rather the way that they execute code, certain security modifications such as pointer checksums could mitigate the risk, according to the UC Irvine paper.

The NTT Security researchers noted that checksum defenses would not likely be effective against their techniques and recommend that developers enforce write protections to help eliminate the risk. "The ultimate countermeasure is to restrict the memory write to the interpreter," Usui says.

The purpose of presenting a new attack technique is to show security researchers and defenders what could be possible, and not to inform attackers' tactics, he stresses. "Our goal is not to abuse defensive tactics, but to ultimately be an alarm bell for security researchers around the world," he says.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Attacks on Bytecode Interpreters Conceal Malicious Injection Activity

Law firms make the perfect target for extortion, so it's no wonder that ransomware attackers target them and demand multimillion dollar ransoms.

Source: the lightwriter via Alamy Stock Photo

2023 was the worst year on record for cybersecurity in the legal industry by some distance.

Just one point of evidence: Since 2018, 2.9 million records have been stolen in association with publicly reported breaches of law firms. Some 1.56 million records were stolen last year alone, an increase of 615% as compared with the down year of 2022 (218,473 records).

A new blog post from Comparitech paints a picture of an industry struggling to grapple with the ransomware problem. Major law firms have been paying multimillion dollar sums to protect their clients' ultra-sensitive data, and flailing in their attempts to fight back.

**The State of Legal Industry Cybersecurity**

Since 2018, 138 legal firms have publicly admitted being affected by ransomware attacks.

Of those, 107 attacks have been US-based, with approximately 2.9 million records affected. As Comparitech noted, the distance between the US and its next neighbors — the UK, with 9 attacks affecting 9,703 records, and Germany, with 5 affecting an unknown number — may have more to do with reporting requirements than anything else.

Source: Comparitech

Ransom demands vary widely. In 2021, the French law firm Cabinet Remy Le Bonnois paid the Everest group just $30,000 to resolve its attack. At the other end of the spectrum: REvil demanded $21 million from New York's Grubman Shire Meiselas & Sacks in 2020. The attackers doubled that amount to $42 million when the group discovered that Grubman's records included some belonging to Donald Trump. (The firm did not pay.)

The average ransom among publicly reported cases has been $2.47 million, and the average amount actually paid out after negotiations is $1.65 million. These numbers are rough estimates of reality, however, as only 11 reported incidents also reported the ransom demands, with only eight reported ransoms paid.

**Consequences to Law Firms**

If ransomware attacks against law firms have been trending, it's because they make for perfect targets.

"Legal firms are an interesting case," Paul Bischoff, privacy advocate at Comparitech explains, "because with most any other company, hackers are just looking for low-hanging fruit. They may want as many, say, Social Security numbers or passwords as they can possibly steal. And higher quantities of records is the goal. But with law firms, you have data that's very valuable to very specific people. Documents related to ongoing litigation would be extremely valuable to an opposing party in that case. So it's not so much about the quantity of data as much as it is about the content."

The ultra-sensitivity of legal data puts firms in a difficult negotiating position: pay millions of dollars, and risk achieving nothing, or don't, and risk extra ire from clients. 12% of legal industry ransomware attacks have resulted in lawsuits, and at least 75% of those have been successful.

Another reason to pay up? Comparitech estimates that the 138 attacks recorded might have cost victims around $18.8 billion dollars, purely thanks to the downtime they incurred. One victim of LockBit — the Ince Group, based in London — filed for bankruptcy last year after failing to cover the £5 million ($6.5 million USD) it spent restoring its systems.

Meanwhile, when victims try to use the law in their aid, they usually fail. The UK's Ward Hadaway and Australia's HWL Ebsworth Lawyers both issued injunctions against their attackers to little effect, as anonymous hackers aren't particularly easy to wrangle into court. Canadian firm Robson Carpenter LLP enjoyed seeing its attacker face justice, but in the end received just $2,500 in restitution.

On the bright side, ransomware attacks against law firms in 2024 are noticeably lagging behind last year's numbers. Only 11 have been reported so far, affecting an unknown volume of client data.

"Overall, ransomware attacks happen down in frequency of attacks across all sectors that we've been covering," Bischoff notes. Perhaps, he speculates, attackers have been choosing quality over quantity. Or, more optimistically, "I think it's law enforcement crackdowns, and companies and organizations getting better in general at knowing what these threats are and being prepared."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Source

DARKReading