Attackers are targeting a number of key vertical markets in the U.S. with the active campaign, which impersonates the organization and Microsoft to lift Office365 and Outlook log-in details.

Attackers are targeting a number of key vertical markets in the U.S. with the active campaign, which impersonates the organization and Microsoft to lift Office365 and Outlook log-in details.

Attackers are using an oft-used and still effective lure to steal credentials to key Microsoft apps by sending emails notifying potential victims that they have a voicemail message, researchers have found.

A team from Zscaler ThreatLabZ has been monitoring a campaign since May that targets key vertical industries in the United States with “malicious voicemail-notification-themed emails in an attempt to steal their Office365 and Outlook credentials,” researchers said in a blog post published recently. Both the emails and the credential-stealing page appear to be coming from legitimate entities, tactics that aim to dupe victims into falling for the ploy, they said.

In fact, Zscaler itself was one of the organizations targeted in the campaign, which researchers said is similar to one that ThreatLabZ discovered in July 2020. This gave ThreatLabZ particular insight into how the campaign works.

Other victims of the latest campaign include organizations in specific U.S. verticals, including software security, the military, security solution providers, healthcare and pharmaceutical, and the manufacturing supply chain, researchers said.

While the tactics in the campaign are far from novel, threat actors appear to be taking an “if it ain’t broke, don’t fix it” approach to stealing credentials as a way to access corporate networks, noted one security professional.

The sad fact is, they still work, and as long as that’s the case, attackers will still leverage them, Erich Kron, security awareness advocate with security firm KnowBe4, said in an email to Threatpost.

**“**While not a new approach, using voicemail notifications does continue to be very effective, as they tend to blend into the types of notifications that are part of our daily work,” he observed.

****How the Attack Works****

However, one aspect of the campaign that does set it apart from other similarly themed attacks is that it involves “more research and effort as the attacks are customized for each target,” he said.

Attackers aim to lure victims with an email that informs them that they have a new voicemail in a message that appears to be coming from the targeted organization, according to ThreatLabZ. They use an address in the “From” field that mimics the targeted organization’s name as well as logo branding on the mail itself to appear legitimate.

The messages include an HTML attachment that, if opened, redirects the user to a credential-phishing site that also appears to be the real deal by mimicking Microsoft’s own log-in page.

Further, attackers use a consistent format for the URLs used in the redirect process “which included the name of the targeted organization as well as the email address of the targeted individual,” researchers observed.

“For instance, when an individual in Zscaler was targeted, the URL used the following format: zscaler.zscaler.briccorp\[.\]com/<base64\_encoded\_email>,” they wrote in the post.

The credential-phishing site even uses Google’s reCAPTCHA technique—requiring targets to prove they are “not a robot” by identifying objects in photos–to lend more credibility to the experience. This previously used tactic also helps attackers ” evade automated URL analysis tools,” a tactic also used in the July 2020 campaign, according to ThreatLabZ.

If a victim follows through on the CAPTCHA, he or she is then redirected to legitimate-looking Microsoft Office 365 sign-in page to enter credentials on a site controlled by attackers, according to the post. Analysis conducted by ThreatLabZ on the email headers used in the campaign shows that threat actors used email servers located in Japan to stage attacks, researchers said.

****Avoiding Credential Theft****

As the campaign remains active, both ThreatLabZ and KnowBe4’s Kron recommend that organizations reiterate secure email practices with their employees to ensure that they’re not giving up their credentials to attackers.

As an extra precaution, users should not open attachments in emails sent from untrusted or unknown sources, researchers noted. Moreover, as a best practice, in general, users should verify the URL in the address bar of the browser before entering any credentials, they said.

Indeed, organizations should train employees on how to spot and report phishing attacks, as well as how to check the browser’s URL bar to ensure the website where they are entering credentials is legitimate, Kron said.

They also can use multi-factor authentication so even if employees do give up credentials, there is an extra safeguard to keep attackers off the corporate network, he added.

Voicemail Scam Steals Microsoft Credentials

Evidence suggests that a just-discovered APT has been active since 2013.

Evidence suggests that a just-discovered APT has been active since 2013.

Researchers have identified a small yet potent China-linked APT that has flown under the radar for nearly a decade running campaigns against government, education and telecommunication organizations in Southeast Asia and Australia.

Researchers from SentinelLabs said the APT, which they dubbed Aoqin Dragon, has been operating since at least 2013. The APT is “a small Chinese-speaking team with potential association to \[an APT called\] UNC94,” they reported.

Researchers say one of the tactics and techniques of Aoqin Dragon include using pornographic themed malicious documents as bait to entice victims to download them.

“Aoqin Dragon seeks initial access primarily through document exploits and the use of fake removable devices,” researchers wrote.

****Aoqin Dragon’s Evolving Stealth Tactics****

Part of what’s helped Aoqin Dragon stay under the radar for so long is that they’ve evolved. For example, the means the APT used to infect target computers has evolved.

In their first few years of operation, Aoqin Dragon relied on exploiting old vulnerabilities – specifically, CVE-2012-0158 and CVE-2010-3333 – which their targets might not have yet patched.

Later, Aoqin Dragon created executable files with desktop icons that made them appear to look like Windows folders or antivirus software. These programs were actually malicious droppers which planted backdoors and then established connections back to the attackers’ command-and-control (C2) servers.

Since 2018, the group has been utilizing a fake removable device as their infection vector. When a user clicks to open what seems to be a removable device folder, they in fact initiate a chain reaction which downloads a backdoor and C2 connection to their machine. Not only that, the malware copies itself to any actual removable devices connected to the host machine, in order to continue its spread beyond the host and, hopefully, into the target’s broader network.

The group has employed other techniques to stay off-the-radar. They’ve used DNS tunneling – manipulating the internet’s domain name system to sneak data past firewalls. One backdoor leverage – known as Mongall – encrypts communication data between host and C2 server. Over time, the researchers said, the APT began slowly working the fake removable disc technique. This was done to ” pgraded the malware to protect it from being detected and removed by security products.”

****Nation-State Links****

Targets have tended to fall in just a few buckets – government, education and telecoms, all in and around Southeast Asia. Researchers assert “the targeting of Aoqin Dragon closely aligns with the Chinese government’s political interests.”

Further evidence of China influence includes a debug log found by researchers that contains simplified Chinese characters.

Most important of all, the researchers highlighted an overlapping attack on the president of Myanmar’s website back in 2014. In that case, police traced the hackers’ command-and-control and mail servers to Beijing. Aoqin Dragon’s two primary backdoors “have overlapping C2 infrastructure,” with that case, “and most of the C2 servers can be attributed to Chinese-speaking users.”

Still, “properly identifying and tracking State and State Sponsored threat actors can be challenging,” Mike Parkin, senior technical engineer at Vulcan Cyber, wrote in a statement. “SentinelOne releasing the information now on an APT group that has apparently been active for almost a decade, and doesn’t appear in other lists, shows how hard it can be ‘to be sure’ when you’re identifying a new threat actor.”

China-linked APT Flew Under Radar for Decade

Analysts have uncovered an Iran-linked APT sending malicious emails to top Israeli government officials.

Analysts have uncovered an Iran-linked APT sending malicious emails to top Israeli government officials.

An advanced persistent threat group, with ties to Iran, is believed behind a phishing campaign targeting high-profile government and military Israeli personnel, according to a report by Check Point Software.

Targets of the campaign included a senior leadership in the Israeli defense industry, the former U.S. Ambassador to Israel and the former Deputy Prime Minister of Israel.

The goal of the campaign, the researchers said, was to obtain personal information from targets.

**Fake Emails from Legit Addresses**

One of the targets, according to Check Point, is Tzipi Livni, Israel’s former foreign minister, minister of justice and vice prime minister. Researchers believe that the target was selected because of the high-caliber list of contacts in her address book.

Not long ago she received an email from, according to the researchers, “a well-known former Major General in the IDF who served in a highly sensitive position.” The sender address was not spoofed – it was the same domain she’d corresponded with before. Translated from Hebrew, the message read:

> _Hello my dear friends, Please see attached article to summarize the year. ((\*eyes only\*))_ _Of course I don’t want it to be distributed, because it is not the final version. I would be happy to receive remarks of any kind. Have a great rest of the day._

The message contained a link. Livni delayed in clicking the link, prompting several follow-up emails.

> _Good morning, I haven’t heard from you. Some friends sent me remarks. Your remarks are also very important to me. I know you are very busy. But I wanted to ask you to take your time and read the article. Good week_

The persistence of the sender and flurry of messages raised her suspicions, according to Check Point. After Livni met with the former Major General, it became clear that the emails were sent from a compromised account and the contents of the messages were part of a phishing attack.

It was a similar story for the other targets in this campaign – suspect emails were being sent from legitimate contacts.

**What Really Happened**

The method of attack wasn’t particularly technical. “The most sophisticated part of the operation is the social engineering,” Sergey Shykevich, threat intelligence group manager at Check Point Research, noted. He said, the campaign was “a very targeted phishing chain that is specifically crafted for each target.” Personally crafted phishing emails is a technique called spear phishing.

The attackers initiated their spear phishing attacks, first by compromising an email address book belonging to a contact of their target. Then, using the hijacked account, they’d continue an already existing email chain between the contact and the target. In time, they’d steer the conversation towards conning the target to clicking on or opening a malicious link or document.

“Some of the emails include a link to a real document that is relevant to the target,” Check Point’s analysts noted. For example, an “invitation to a conference or research, phishing page of Yahoo, link to upload document scans.”

“The goal,” in the end, was “to steal their personal information, passport scans, and steal access to their mail accounts.”

**Who and Why**

“We have solid evidence that it started at least from December 2021,” Shykevich wrote, “but we assume that it started earlier.”

In their analysis, the researchers found evidence they believe points to the Iran-linked Phosphorus APT group (a.k.a. Charming Kitten, Ajax Security, NewsBeef, APT35). Phosphorus is one of Iran’s most active APTs, with “a long history of conducting high-profile cyber operations, aligned with the interest of the Iranian regime, as well as targeting Israeli officials.”

Iran and Israel are usually at odds, and these attacks came “in the midst of escalating tensions between Israel and Iran. With recent assassinations of Iranian officials (some affiliated with the Israeli’s Mossad), and the thwarted attempts to kidnap Israeli citizens worldwide, we suspect that Phosphorous will continue with its ongoing efforts in the future.”

State-Sponsored Phishing Attack Targeted Israeli Military Officials

Ryan Witt, Proofpoint's Healthcare Cybersecurity Leader, examines the impact of ransomware on patient care.

Ryan Witt, Proofpoint’s Healthcare Cybersecurity Leader, examines the impact of ransomware on patient care.

In the last two years, COVID-19 has occupied healthcare providers’ minds — rightfully so, considering the pandemic’s tremendous toll on patients. But another threat that causes immense harm gets less attention: ransomware. While ransomware attacks receive lots of headlines, the irreparable damage that this threat could cause patients is often missing from the discussion.

Cyberattacks are a different kind of a pandemic that’s substantially increased over the last several years. They have become an everyday reality for the healthcare sector. Healthcare leaders understand cyber threats are a “new normal.” But the cyber-risk conversation typically centers on the bottom line, such as the costs of mitigation, noncompliance, or lawsuits.

For a sector whose mission is to improve our quality of life, it’s surprising that the top cybersecurity concerns revolve around financial losses. Healthcare leaders, physicians, and other care providers need to look at cybersecurity risks through a new lens — patient health and safety.

****Ransomware and Health Professionals Promise to ‘Do No Harm’****

Healthcare professionals devote their attention to protecting patients from harm. In today’s digital world, this mandate is no longer limited to direct-care delivery. A ransomware attack puts patients physically at risk and might be as devastating as a life-threatening disease.

Consider the attack that crippled operations at the University of Vermont Medical Center (UVMC) in the fall of 2020. After ransomware shuttered access to systems like electronic health records for almost a month, UVMC’s cancer center had to turn away hundreds of chemotherapy patients.

The cancer clinic largely served rural areas, so the cyberattack not only left many of those patients with fear, anguish, and tears but also with no treatment alternatives. The New York Times quoted one nurse as saying, “To look someone in the eye, and tell them they cannot have their life-extending or lifesaving treatment, it was horrible, and totally heart-wrenching.”

Stories like those of the UVMC patients rarely unravel in public, but they’re far from unique. A recent Ponemon Institute report (PDF) found that a ransomware attack hit 43% of surveyed healthcare delivery organizations in the past two years. Consequences included poor outcomes because of procedure or test delays (experienced by 70% of hospitals affected by ransomware), increased complications from medical procedures (36%), and a rise in mortality rates (22%).

****Rethinking the Importance of Cybersecurity****

ECRI, a nonprofit focused on patient safety, named cybersecurity attacks the top health technology hazard (PDF) for 2022. The factors that influenced the ranking included severity, frequency, breadth, and preventability. The ECRI report drove home the point that cybersecurity incidents “don’t just interfere with business operations — they can disrupt patient care, posing a real threat of physical harm.”

Expect this risk to loom large as threat actors target the sector at an alarming pace. UVMC is a case in point — just days after U.S. government officials warned about imminent cyberattacks by Russian hackers on American hospitals, they hit the medical center. It wasn’t the first such alarm.

Cybersecurity, of course, is not a fresh problem for the sector. IT and cybersecurity professionals have long sounded the siren that healthcare is behind many other industries in implementing robust defenses. But ransomware threats shine a new light on cybersecurity inadequacies because the impact on patients is immediate, and the harm is much greater than something like a data breach.

It’s time for both decision-makers and healthcare delivery professionals to comprehend the human benefits of cybersecurity and the human loss when it is absent or fails. Patients come to hospitals or clinics expecting treatment, often urgent. If the healthcare providers can’t deliver those services because cybercriminals hijacked their systems, they’re violating patient trust, as well as putting lives in danger. Considering the rapid growth of cyberattacks in the sector, life-altering scenarios like those we saw at UVMC will become common.

****Investing in What Matters****

Cybersecurity is not an easy problem to resolve in any sector, but even more so in healthcare. The complexities of the environment, with connected medical devices, multiple locations, and legacy systems, create many challenges. And it doesn’t help that a typical healthcare organization has a minimal IT budget that is far from adequate for implementing effective cybersecurity solutions.

Leaving IT teams with few resources to defend against cyberattacks is no longer an option. While healthcare organizations allocate most of their funding to the delivery of care, they also need to realize that in today’s environment, care delivery relies not only on medical equipment and personnel but also on strong cybersecurity defenses. If cybersecurity is a low priority, the delivery of care will suffer.

How can you compel decision-makers to view their responsibility through a new lens? Start by telling them the stories they need to hear. The story about the mother of two who was denied her lifesaving treatment. Or the nurse who compared working at a medical center in the grips of ransomware to working at a burn unit after the Boston Marathon bombing. Or the mother who blames a ransomware attack for the death of her baby.

These are not scare tactics. They are the kind of messages that help translate cybersecurity risks into human impacts. If that doesn’t compel the board of directors or other decision-makers to make investments into cybersecurity, what will?

Ryan Witt is Proofpoint’s Healthcare Cybersecurity Leader.

**_Enjoy additional insights from Threatpost’s Infosec Insiders community by visiting our microsite._**

Ransomware Risk in Healthcare Endangers Patients

One well crafted phishing message sent via Facebook Messenger ensnared 10 million Facebook users and counting.

One well crafted phishing message sent via Facebook Messenger ensnared 10 million Facebook users and counting.

For months now, millions of Facebook users have been duped by the same phishing scam that cons users into handing over their account credentials.

According to a report outlining the phishing campaign, the scam is still active and continues to push victims to a fake Facebook login page where victims are enticed to submit their Facebook credentials. Unconfirmed estimates suggest nearly 10 million users fell prey to the scam, earning a single perpetrator behind the phishing ploy a huge payday.

According to a report published by researchers at PIXM Security, the phishing campaign began last year and ramped up in September. Researchers believe millions of Facebook users were exposed each month by the scam. Researchers assert that the campaign remains active.

Facebook has not replied to requests for comment for this report.

PIXM asserts the campaign is tied to a single person located in Colombia. The reason PIXM believes the massive Facebook scam is tied to a single individual is because each message links back to code “signed” with a reference to a personal website. Researchers state the individual went so far as responding to researcher inquiries.

**How the Scam Worked**

The crux of the phishing campaign centers around a fake Facebook login page. It might not look immediately suspicious, as it copies Facebook’s user interface closely.

When a victim enters their credentials and clicks “Log In,” those credentials are sent to the attacker’s server. Then, “in a likely automated fashion,” the authors of the report explained, “the threat actor would login to that account, and send out the link to the user’s Friends via Facebook Messenger.”

Any Friends that click the link are brought to the fake login page. If they fall for it the credential-stealing message is forwarded to their Friends.

Post-credential phish, victims are redirected to pages with advertisements, which also in many instances also included surveys. Each of these pages generates referral revenue for the attacker, researchers said.

When researchers reached out to the individual taking claim for the phishing campaign the individual “claimed to make $150 for every thousand visits \[to the advertising exit page\] from the United States.”

PIXM estimates nearly 400 million U.S.-based page views of the exit page. This, researchers said, “would put this threat actor’s projected revenue at $59M from Q4 2021 to present.” However, researchers don’t believe the criminal is being honest about their earnings, adding they are “probably exaggerating quite a bit.”

**How the Scam Bypassed Security**

The perpetrator of this campaign managed to circumvent the social media platform’s security checks by utilizing a technique that Facebook didn’t catch, PIXM said.

When a victim clicks on a malicious link in Messenger, the browser initiates a chain of redirects. The first redirect points to a legitimate “app deployment” service. “After the user has clicked,” the report’s authors explained, “they will be redirected to the actual phishing page. But, in terms of what lands on Facebook, it’s a link generated using a legitimate service that Facebook could not outright block without blocking legitimate apps and links as well.”

Even if Facebook caught on to and blocked any one of these illegitimate domains, “it was trivial (and based on the speed we observed, likely automated) to spin up a new link using the same service, with a new unique ID. We would often observe several used in a day, per service,” researchers said.

PIXM said it was able to access the hacker’s own pages for tracking the campaigns. The data indicated that nearly 2.8 million people fell for the scam in 2021 and 8.5 million have so far this year.

Researchers warn, “As long as these domains remain undetected by use of legitimate services, these phishing tactics will continue to flourish.”

Facebook Messenger Scam Duped Millions

In response to a comment about the Prophet Mohammed, a hacktivist group in Malaysia has unleashed a wave of cyber attacks in India.

In response to a comment about the Prophet Mohammed, a hacktivist group in Malaysia has unleashed a wave of cyber attacks in India.

According to a new advisory from Radware, a hacktivist group called DragonForce Malaysia, “with the assistance of several other threat groups, has begun indiscriminately scanning, defacing and launching denial-of-service attacks against numerous websites in India.” In addition to DDoS, their targeted campaign – dubbed “OpsPatuk” – involves advanced threat actors “leveraging current exploits, breaching networks and leaking data.”

DragonForce Malaysia – best known for their hacktivism in support of the Palestinian cause – have turned their attention on India this time, in response to a controversial comment made by a Hindu political spokesperson about the Prophet Mohammed.

According to the advisory, OpsPatuk remains ongoing today.

**The Casus Belli**

In a televised debate last month, Nupur Sharma – a spokesperson for the Hindu nationalist Bharatiya Janata Party (BJP) – made controversial remarks regarding the age of the Prophet Mohammed’s third wife, Aisha. Widespread outrage followed, involving statements from leaders in the Muslim world, widespread protests, and the outsting of Sharma herself from BJP.

Then, beginning on June 10, DragonForce Malaysia entered the fray. Their new offensive against the government of India was first enshrined in a tweet:

_Greetings The Government of India._ _We Are DragonForce Malaysia._ _This is a special operation on the insult of our Prophet Muhammad S.A.W._ _India Government website hacked by DragonForce Malaysia. We will never remain silent._ _Come Join This Operation !_ _#OpsPatuk Engaged_

(image from @DragonForceIO on Twitter)

The new advisory confirms that the group has used DDoS to perform “numerous defacements across India,” pasting their logo and messaging to targeted websites.

The group also “claimed to have breached and leaked data from various government agencies, financial institutions, universities, service providers, and several other Indian databases.”

The researchers also observed other hacktivists – ‘Localhost’, ‘M4NGTX’, ‘1887’, and ‘RzkyO’ – joining the party, “defacing multiple websites across India in the name of their religion.”

**Who are DragonForce Malaysia?**

DragonForce Malaysia is a hacktivist group in the vein of Anonymous. They’re connected by political goals, with a penchant for sensationalism. Their social media channels and website forums – used for everything “ranging from running an eSports team to launching cyberattacks” – are visited by tens of thousands of users.

In the past, DragonForce have launched attacks against organizations and government entities across the Middle East and Asia. Their favorite target has been Israel, having launched multiple operations – #OpsBedil, #OpsBedilReloaded and #OpsRWM – against the nation and its citizens.

According to the authors of the advisory, DragonForce are “not considered an advanced or a persistent threat group, nor are they currently considered to be sophisticated. But where they lack sophistication, they make up for it with their organizational skills and ability to quickly disseminate information to other members.” Like Anonymous and the Low Orbit Ion Cannon, DragonForce weaponizes their own open source DoS tools –  Slowloris, DDoSTool, DDoS-Ripper, Hammer, and more – in choreographed, flashy website defacements.

Some members, “over the last year, have demonstrated the ability and desire to evolve into a highly sophisticated threat group.” Among other things, that’s included leveraing publicly disclosed vulnerabilities. In OpsPatuk, for example, they’ve been working with the recently discovered CVE-2022-26134.

“DragonForce Malaysia and its associates have proven their ability to adapt and evolve with the threat landscape in the last year,” concluded the authors. With no signs of slowing down, “Radware expects DragonForce Malaysia to continue launching new reactionary campaigns based on their social, political, and religious affiliations in the foreseeable future.”

DragonForce Gang Unleash Hacks Against Govt. of India

Upsurge in the tourism industry after the COVID-19 pandemic grabs the attention of cybercriminals to scam the tourists.

Upsurge in the tourism industry after the COVID-19 pandemic grabs the attention of cybercriminals to scam the tourists.

Researchers are warning a post-COVID upsurge in travel has painted a bullseye on the travel industry and has spurred related cybercrimes.

Criminal activity includes an uptick in adversaries targeting the theft of airline mileage reward points, website credentials for travel websites and travel-related databases breaches, according to a report by Intel 471.

The impact of the attacks are hacked accounts stripped of value. But also, researchers say the consequences of recent attacks can also include flight delays and cancelations as airlines grapple with mitigating hacks.

****Your Reward Points Head to Illicit Markets****

Since January the researcher at Intel 471 detect multiple hacks used by cybercriminals to trade the credentials linked to the traveling websites.

The threat actors were specifically interested in “mileage rewards accounts with at least 100,000 miles,” according to 471. These accounts are used to earn certain rewards on every dollar that is spent. The account credentials that were listed in February belong to U.K.-based users from a major traveling website and two U.S.-based airlines.

“Access to these accounts allowed actors to leverage the rewards to book travel reservations for themselves and other customers,” said researchers. “The accounts and their respective rewards points could be resold to other actors looking to conduct similar types of travel fraud activity,” they added.

The exploitation of rewards-points programs, especially those associated with travel, is not new. Researchers have tracked several incidents over the years where hackers have targeted reward points. In 2018, a pair of Russian teens have been arrested for infiltrating more than a half-million online accounts, in particular targeting services that offer rewards points.

Researchers point out that as the travel industry rebounds from a COVID-related slump, the industry is once again a prime target for cybercriminals.

****Travel-related Identity Theft****

Other criminal activities include the targeting of travel-related databases – ripe with employee and traveler personal identifiable information (PII) that threat actors can sell for money.

Researchers observed on travel-related hackers leveraging a database of “40,000 people employed in Illinois”. The stolen database includes PII of employees. Researchers said this type of leaked information plays a role in travel-related fraud – allowing an attacker to generate new identities that can be used to either cross boarders or evade authorities.

In one instance, Intel 471 researchers, cybercriminals used PII to create illicit travel documents used for border crossings. “Shortly after the start of the (Russian invasion of Ukraine) war, the actor claimed the insider could facilitate illegal border crossings for Ukrainian males aged 18 to 60” researchers noted.

Some of the traveling bodies including Romania-based Air Traffic Services Administration and Bucharest Airport were targeted by a pro-Russian group of hackers known as KillNet. “Aviation and transportation entities were among KillNet’s most frequented targets in the first half of 2022,” researcher added.

Last month, an attack on the IT systems of SpiceJet airlines left travelers stranded at airports and causes the delay and cancellation of flights.

****Protection From the Scams****

The researchers suggested customers stay vigilant while making arrangements and should book flights from a trusted source, handle payment cautiously, and refrain from getting phished in any dubious vacation-related offers.

Travel-related Cybercrime Takes Off as Industry Rebounds

The dangers to SMBs and businesses of all sizes from cyberattacks are well known. But what’s driving these attacks, and what do cybersecurity stakeholders need to do that they’re not already doing?

The dangers to SMBs and businesses of all sizes from cyberattacks are well known. But what’s driving these attacks, and what do cybersecurity stakeholders need to do that they’re not already doing?

The dangers to SMBs and businesses of all sizes from cyberattacks are well known. But what’s driving these attacks, and what do cybersecurity stakeholders need to do that they’re not already doing?

To answer these questions, we recently analyzed dozens of detailed incident response (IR) reports from businesses across a range of industries, locations, and company sizes. The findings were surprising and concerning, to say the least. Here’s what we learned:

**The Common Denominator: Visibility**

From enterprises with 5000+ employees to SMBs with fewer than 15, across diverse network architectures, vastly different network sizes, and varying software and network management solutions – we found a single overriding deficiency in cybersecurity: lack of network visibility.

By “network visibility,” I mean a clear awareness of the components, devices, servers and data that actually comprise the network. This may sound strange. But the fact is that in many of the IR cases we surveyed, client networks had several blindspots and areas whose visibility was not accounted for.

The end result is that IT departments frequently just don’t know what’s out there.

Why is this actually a problem? Once an attacker gets into a corporate network, he or she is essentially free to conduct malicious activities – steal data, hijack accounts, deploy ransomware, or even just destroy assets for the heck of it. Without network visibility, cyberattackers are more likely to move undetected and laterally through a network – leaving malware to propagate, unchecked, until it’s too late.

**Top Three Impediments to Visibility**

The numbers from our survey bear out the top three key impediments to visibility and security: Easily accessible ports and services, outdated, unpatched, and end-of-life systems and a deficient security toolset.

**Easily Accessible Ports and Services**

64% of security incidents examined were the result of ports, servers, and critical services that were left open and exposed to web access. This generally happens simply because as an organization grows, so does its network. Servers running backend development, testing, applications, services, VPNs, CRM suites and more need to be accessible from the internet. However, these assets remain part of the network and thus pose a security risk if not adequately secured.

**Outdated, Unpatched and End-of-life Systems**

In 67% of the cases we researched, the attacker exploited unpatched, outdated, or end-of-life applications and operating systems. In many of these, the attack entry point was an old internet-facing server or device running Windows 8, 7 and even XP. These systems stopped receiving security updates years (if not decades) ago. Yet their continued accessibility allowed attackers a way in. Other cases resulted from application and web servers hosting outdated versions of Jenkins, Oracle WebLogic, and IIS, which are vulnerable to Remote Code Execution (RCE) attacks, granting hackers complete control of infected systems.

**A Deficient Security Toolset**

78% of the networks whose incidents we reviewed had no Endpoint Detection and Response (EDR) or antimalware solutions installed on endpoints, and 35% of these had no IPS or IDS solutions. Without a proper and updated cybersecurity toolset, visibility is severely impeded, and attacks can run rampant. Most of the incidents we reviewed could have been completely avoided if an EDR solution had been installed on the targeted devices.

**The Bottom Line**

Based on the impediments to visibility discussed above, every enterprise or SMB needs to aspire to meet three simple criteria:

*   Know what you have
*   Know how to protect it
*   Effectively monitor and respond to threats

Of course, meeting these criteria is far more complex than just delineating them. Yet the starting point is always visibility. Our research showed that businesses lacking visibility and monitoring across endpoints, exposed ports, servers, critical services, outdated and end-of-life systems and applications were far more likely to be attacked. And when such attacks occurred, they tended to be more severe – since monitoring all network assets and systems facilitates quick detection and incident response. Without this, IR teams are challenged even to understand what happened – let alone beginning the process of containment, eradication, and remediation.

To achieve visibility, analysts have recognized the need for a cybersecurity “mesh”. Rather than focus on standalone tools, organizations need to ensure that solutions work interoperably. Once merged with a network’s existing defenses, solutions like a SOC Platform can bridge network gaps, identify weaknesses, and make sure that defenders have access to the status of every endpoint in real-time. The ability to connect all security systems and tools into a single, central command offers an unmatched level of visibility, context, and clarity about network incidents. Because in network security what you can see, frequently can’t hurt you.

Read the full CYREBRO report on the trends we saw in incidents reports and learn why network and endpoint visibility is critical to enhancing cybersecurity.

In Cybersecurity, What You Can’t See Can Hurt You

Attackers gained access to private account details through an email compromise incident that occurred in April.

Attackers gained access to private account details through an email compromise incident that occurred in April.

Kaiser Permanente suffered a data breach due to email compromise on April 5 that potentially exposed the medical records of nearly 70,000 patients, the company revealed earlier this month.

Attackers gained access to the emails of an employee at Kaiser Foundation Health Plan of Washington that contained “protected health information,” the company revealed in a letter to affected clients on June 3.

The attacker maintained unauthorized access for several hours, after which Kaiser terminated the activity “and promptly commenced an investigation to determine the scope of the incident,” according to the letter.

However, even Kaiser wasn’t completely sure if attackers gained access to personal health information of clients due to the breach, though the company acknowledged that it is “unable to completely rule out the possibility.”

So far, the company said it has no evidence of “identity theft or misuse of protected health information” as a result of the breach.

In addition to Kaiser’s own investigation, the U.S. Department of Health and Human Services Office for Civil Rights also is currently looking into the breach, according to a listing on its website that claims that the incident affected 69,589 individuals.

****Quicker Response?****

One security professional noted that while it was “proactive” of Kaiser Permanente to notify such a large group clients about the breach, the company’s uncertainty about whether data was stolen or not may indicate a lack of sufficient incident response on its part.

“It demonstrates the need for organizations to have robust auditing controls to quickly identify what data was accessed by attackers during an incident,” observed Chris Clements, vice president of solutions architecture at cybersecurity company Cerberus Sentinel, in an email to Threatpost.

He also noted that the company could have acted faster to notify those potentially affected, as three months is plenty of time for attackers to take advantage of the breach.

“During this time, the affected individuals could have been targeted by attackers using any specific information stolen in convincing social engineering campaigns,” Clements said. “It’s critical that as a part of their larger cybersecurity culture organizations include assessing their ability to quickly understand the scope of a potential breach in risk analysis or tabletop exercises.”

****Human Error Still a Security Plague****

The incident also once again sheds light on what has always been and remains the biggest security risk that organizations face—human error.

Verizon’s 2022 Data Breach Investigations Report (DBIR), a comprehensive look at data breaches that occurred in the previous year, found that 82 percent of the breaches analyzed last year involved what researchers call “the human element,” which can be any number of things.

“Whether it is the use of stolen credentials, phishing, misuse, or simply an error, people continue to play a very large role in incidents and breaches alike,” researchers wrote in the report.

Business email compromise (BEC), which is what appears to have occurred in the Kaiser breach, is an especially significant threat. Attackers have become increasingly sophisticated in crafting socially engineered phishing and other malicious email campaigns, which dupe unsuspecting employees into giving up credentials to their business email accounts.

This can lead to further nefarious activities once a threat actor has gained initial access to a company network, such as ransomware or other financially motivated cybercrimes.

In fact, BEC has become a major financial drain for organizations, with the FBI reporting recently that companies spent $43 billion between June 2016 and December 2021 due to this type of attack. In fact, between July 2019 and December 2021 alone there was a 65 percent spike in BEC scams, which the FBI attributed mainly to the pandemic forcing most business activity to occur online.

Kaiser Permanente Exposes Nearly 70K Medical Records in Data Breach

Symbiote, discovered in November, parasitically infects running processes so it can steal credentials, gain rootlkit functionality and install a backdoor for remote access.

Symbiote, discovered in November, parasitically infects running processes so it can steal credentials, gain rootlkit functionality and install a backdoor for remote access.

A new Linux malware that’s “nearly impossible to detect” can harvest credentials and gives attackers remote access and rootkit functionality by acting in a parasitic way to infect targets, researchers said.

Researchers from The BlackBerry Research and Intelligence Team have been tracking the malware, the earliest detection of which is from November 2021, security researcher Joakim Kennedy wrote in a blog post on the BlackBerry Threat Vector Blog published last week.

Researchers have appropriately dubbed the malware—which apparently was written to target the financial sector in Latin America—”Symbiote.” In biology, the word means an organism that lives in symbiosis with another organism.

The name is an homage to how the malware operates, which is differently than other Linux malware that researchers have encountered, Kennedy explained.

“What makes Symbiote different … is that it needs to infect other running processes to inflict damage on infected machines,” he wrote. “Instead of being a standalone executable file that is run to infect a machine, it is a shared object (SO) library that is loaded into all running processes using LD\_PRELOAD (T1574.006), and parasitically infects the machine.”

Once Symbiote has infected all the running processes, a threat actor can engage in various nefarious activity, including rootkit functionality, the ability to harvest credentials, and remote access capability, Kennedy said.

In addition to the rootkit capability, the malware also provides a backdoor for the threat actor to log in as any user on the machine with a hardcoded password, and to execute commands with the highest privileges, he added.

****Evasive Maneuvers****

Symbiote’s behavior isn’t the only thing that makes it unique, researchers said. It’s also highly evasive to such a degree that it’s “likely to fly under the radar,” making it extremely difficult to know if it’s even being used by threat actors at all, he said.

Some evasive tactics it uses is that by design, it is loaded by the linker via the LD\_PRELOAD directive, which allows it to be loaded before any other shared objects, researchers found. This privilege of being loaded first allows it to hijack the imports from the other library files loaded for the application, they said. In this way, it hide its presence on the machine by hooking libc and libpcap functions, Kennedy said.

“Once the malware has infected a machine, it hides itself and any other malware used by the threat actor, making infections very hard to detect,” he explained. “Performing live forensics on an infected machine may not turn anything up since all the file, processes, and network artifacts are hidden by the malware.”

In fact, researchers said they themselves could not uncover enough evidence to determine whether threat actors are currently using Symbiote ” in highly targeted or broad attacks,” he said.

Unusual DNS requests may be one way to detect if the malware is present on a system, researchers noted. However, typical antivirus or other security tools aimed at endpoint detection and response won’t pick up Symbiote, making organizations using Linux that rely on those protections at risk, they said.

****Objectives****

Attackers’ key objectives for wielding Symbiote are “to capture credentials and to facilitate backdoor access to infected machines,” Kennedy noted. He outlined in detail how the malware achieves both of these activities.

For credential harvesting, Symbiote hooks the libc read function; if an ssh or scp process is calling the function, it captures the credentials, which are first encrypted with RC4 using an embedded key and then written to a file, Kennedy said.

Attackers not only steal the credentials locally for access but also exfiltrate them by hex encoding and chunking up the data to be sent via DNS address record requests to a domain name that they control, he added.

To gain remote access to an infected machine, the malware hooks a few Linux Pluggable Authentication Module (PAM) functions, which allows it to authenticate to the machine with any service that uses PAM—including remote services such as Secure Shell (SSH), Kennedy said.

“When a service tries to use PAM to authenticate a user, the malware checks the provided password against a hardcoded password,” he explained. ” If the password provided is a match, the hooked function returns a success response.”

Once the threat actor has accomplished authentication, Symbiote allows for an attacker to gain root privileges by scanning the environment for the variable HTTP\_SETTHIS, Kennedy said.

“If the variable is set with content, the malware changes the effective user and group ID to the root user, and then clears the variable before executing the content via the system command,” he explained.

Source

Threatpost