By understanding how FaaS works and following best practices to prevent it, your business can protect its customers, revenue, and brand reputation.

The pandemic pivot to digital banking, shopping, and other services was an important health measure, but it created opportunities for organized fraudsters to grow their "business" and expand their offerings to include fraud-as-a-service (FaaS). FaaS takes several forms, all with the goal of making it easier for both experienced and novice criminals to commit fraud. Here's what merchants need to know about this trend and how to prevent FaaS attacks.  

**How Fraud-as-a-Service Works  
**There are two main components to FaaS: bots and brand impersonation. Neither tactic is entirely new. Fraudsters have been using bots for card-testing attacks for years, and brand impersonation is a classic scheme for phishing credentials and payment data.

Now, though, fraud "service providers" are going farther. Criminals can rent bot networks inexpensively to launch large-scale fraud campaigns against websites and to phish victims. However, two-factor authentication (2FA) can prevent thieves from breaking into accounts even with stolen data. SIM-swapping is one option for getting around 2FA, but it's time consuming and requires planning. So, criminals now offer OTP (one-time password) bot services. Fraudsters can plug in victims' names and financial institutions or favorite stores, and the bot handles the rest – phishing the victim for their one-time password so fraudsters can take over the related account – all for as little as 15 cents per bot call.  

**Detecting and Preventing Fraud-as-a-Service Attacks  
**The best practices that protect businesses from fraud are more important than ever . This is a good time to make sure your organization's anti-fraud program includes these elements:

**1\. Limit data entry attempts and velocity:** One of the telltale signs of a bot attack is the speed at which it moves. Bots can load up carts, check out, and place orders much faster than humans can. They can also repeatedly enter different passwords and one-time codes until they hit a match.

If your website allows customers to make unlimited attempts to enter their data correctly, setting a limit on the number of attempts before they're locked out can protect your store from bots. Likewise, flagging orders for velocity can help to separate busy shoppers who are reordering familiar items from botnets that are programmed to scoop up as many items as they can, as fast as possible.

**2\. Screen every order:** Because there are billions of compromised credentials available to fraudsters now, because FaaS scams are harvesting more credentials, and because FaaS bots can use those credentials to crack accounts at scale, businesses can no longer assume that returning customers are who they appear to be.

That means it's no longer safe to automatically approve orders from known customers. Every order needs to be screened for payment data as well as for device, geolocation, and behavioral biometrics to help validate the customer or flag the order as possible account takeover fraud.

**3\. Run batch analyses to detect fraud at scale:** Bot rental and compromised credentials allow fraudsters to get creative with their attacks on businesses. For example, a gang can target an online store with a spate of orders that appear to come from different customers using different payment methods. Each of these orders may pass muster with the fraud screening solution and get approved.

However, if the merchant also selects random orders for analysis as a group, the fraud solution may find patterns that indicate criminal activity. Maybe that burst of orders from different customers were all shipping to the same address. Or perhaps all of the cards they used to pay had the same bank identification number, indicating that the customers might be synthetic identities. Batch analysis can reveal these issues so that fraudulent orders can be canceled before items ship.

**4\. Avoid automatic declines:** Stopping fraud can only save a company money if it doesn't also stop good customers from completing their orders and coming back for repeat purchases. Automatic declines may seem like a way to save money and time on order decisioning, but this approach typically generates a high rate of false declines. A recent ClearSale five-country survey of online shoppers found that 40% won't ever go back to a website that declines their order. That represents a lot of lost customer lifetime value.

**5\. Use manual review:** The alternative to automatic declines is manual review by fraud specialists, who can distinguish between fraud and unusual but valid customer behavior. Manual review of flagged orders costs more than auto-declines up front, but the ROI includes more approved orders and less customer churn due to false declines.

**6\. Continuously train your ML:** Manual review results can and should feed the automated fraud solution's machine learning algorithms. This helps the AI get better at detecting sophisticated fraud and customer behavior that's not completely normal but also isn't fraudulent. This can result in fewer flagged orders and reduce the need for manual review over the long term.

**7\. Monitor brand mentions:** FaaS schemes often impersonate brands to trick consumers into sharing their credentials and even authentication codes. Every business should keep an eye out for social media accounts, websites, email campaigns, and even SMS campaigns that impersonate their brand. Depending on the channel, a company can report imposters to the platform, Web host, or Federal Communications Commission and alert their customers there's a scam operating under the company's brand.

FaaS shows how fraud continues to evolve, and how the technologies that make life more convenient for customers also make fraud easier for criminals. By understanding how FaaS works and following best practices to prevent it, your business can help protect your customers, your revenue, and your brand reputation.

How Can Your Business Defend Itself Against Fraud-as-a-Service?

This year's Black Hat Asia is hybrid, with some sessions broadcast on the virtual platform and others live on stage in Singapore. News Desk is available on-demand with prerecorded interviews.

May 11, 2022 — Like many things since 2020, Dark Reading News Desk has had to adapt. Instead of broadcasting live interviews with security researchers presenting at Black Hat, News Desk shifted to prerecorded interviews with the speakers. 

For Black Hat Asia 2022, Dark Reading News Desk is staying virtual, even as the conference goes hybrid. Black Hat attendees have the option to tune in virtually or attend in person at the Marina Bay Sands in Singapore. Dark Reading News Desk is keeping its virtual format.

News Desk interviewed some speakers presenting at Black Hat Asia 2022 about their sessions. These interviews will be available on-demand at Black Hat Virtual (under the show's "Dark Reading News Desk" tab) and right here on Dark Reading:

**DAY 1: Thursday, May 12**

Speakers from Binarly, Immune GmbH, and Red Hat discuss the complexity of the firmware ecosystem and the challenges of identifying and fixing flaws in hardware devices in "The Firmware Supply-Chain Security Is Broken: Can We Fix It?"

Watch the speakers try to distill the challenges in less than 15 minutes in this News Desk segment:  

No Black Hat is complete without at least one dissection of a cyber espionage operation. SideWinder (also known as RattleSnake and T-APT-04) is an aggressive threat actor that has been active since at least 2012. Details on the techniques and methods used by this advanced cyber espionage team will be part of "SideWinder Uncoils to Strike." Dark Reading editor-in-chief Kelly Jackson Higgins offers a sneak peak in this preview. 

Check out the News Desk segment:  

****DAY 2: Friday, May 13****

Trend Micro researchers discuss their discovery of a botnet infrastructure masquerading as an SMS phone-verified account service in "SMS PVA Services Fueled by Compromised Supply-Chain Mobile Botnets."

Watch the News Desk segment on this mobile threat:  

With the Russian invasion of Ukraine in February, the world has had a front-row seat to information warfare. A security expert with experience in security intelligence, policy, and Ukraine dissects what is happening in "The Virtual Battlefield in 2022: Russia-Ukraine War & Its Policy Implications."

Watch this News Desk segment with Very Good Security’s Kenneth Geers:  

It's a fact that every operating system has vulnerabilities, but it still takes many by surprise when there are "macOS Vulnerabilities Hiding in Plain Sight."

Watch Offensive Security's Csaba Fitzl describe what he found:  

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

On the Air With Dark Reading News Desk at Black Hat Asia 2022

NEW YORK, May 11, 2022 /PRNewswire/ -- Six months after news broke about fake, 'bot-driven' student college enrollment in California's community colleges, global cybersecurity company CHEQ released new data suggesting that bot traffic on higher education websites continues to rise.

In December of 2021, the LA Times reported that a Pierce College professor discovered many of those registering for her classes online were bots rather than legitimately enrolled students. During that time, The California Community Colleges Chancellor's Office estimated that about 1 in 5 applications was "malicious and bot-related."

CHEQ's data tells a similar story, indicating that the issue of bot traffic in online higher education may be even larger than originally estimated. Specifically, throughout 2021, bot traffic coming from organic and direct sources hovered around 30%. So far in 2022, that number has jumped to 45% - showing a 50% overall increase. The bot traffic discovered includes malicious scrapers and web crawlers, automation tools, headless browsers and botnets. The data was collected as part of a global study into fake user and bot traffic trends online, conducted across over 50,000 websites.

_"Like with many other industries, higher-education is increasingly transitioning to online models of registration, enrollment, payment and virtual classrooms, opening the door to more online fraud and increased exposure to the Fake Web"_ said Guy Tytuniovich, CHEQ's CEO. _"When you also factor in the sheer size of the economy around higher-education, you realize why it's an appealing target for fraudsters and scammers, as we see in our most recent data."_

Through analyzing their data, CHEQ has found that higher education bot traffic is more common than bot traffic in many other industries. When it comes to organic and direct traffic, the gaming industry typically sees Invalid Traffic (IVT) rates of 15%, and the insurance industry sees 18%. This indicates that the education sector has consistently been a target for fraudulent activity, and may continue to see increases in attacks from fake users.

Fraudulent 'Bot-driven' College Enrollment up 50%, New Study Finds

Analysis finds 687 million exposed credentials and personally identifiable information (PII) among Fortune 1000 employees, and a 64% password reuse rate.

AUSTIN, Texas – May 10, 2022 – SpyCloud, the leader in account takeover and fraud prevention, today published its 2022 SpyCloud Fortune 1000 Identity Exposure Report, an annual analysis of identity exposure among employees of Fortune 1000 companies in key sectors such as technology, finance, retail and telecommunications.

Drawing on SpyCloud’s database of over 200 billion recaptured assets, researchers identified over 687 million exposed credentials and PII tied to Fortune 1000 employees, a 26% increase from last year’s analysis.

Analysis of this data showed a 64% password reuse rate, widespread use of easy-to-guess passwords, and a spike in malware-infected devices –– all sources of cyber risk for both employers and consumers who rely on businesses to safeguard their personal data. With remote work blurring the lines between work and personal device use, a larger attack surface compounds the risk of cyberattacks proliferating beyond compromised employee and consumer identities to penetrate corporate networks.

“In the last two years, most companies’ attack surfaces have expanded due to the new reality of a hybrid workforce.” said David Endler, co-founder and Chief Product Officer of SpyCloud. “Combined with facing a barrage of threats from malicious actors and the state of global affairs, there’s an urgent need for Fortune 1000 companies to shore up all threat vectors, starting with identifying and remediating compromised employee credentials and malware-infected devices.”

SpyCloud researchers identified credentials, PII and infected device data of 70,000 Fortune 1000 employees in recaptured botnet logs containing information siphoned using infostealer malware. An employee working from a malware-infected personal device creates risk for the enterprise, even with the use of complex passphrases and MFA. These high-severity exposures give criminals all the data they need to bypass authentication measures and impersonate employees, including passwords, system information, browser fingerprints, and web session cookies. Further, nearly 29 million malware-infected consumer devices were used to log into the consumer-facing sites of Fortune 1000 companies, exposing their credentials and PII to fraudsters.

“Malware infections on personal devices are the riskiest source of exposure because they are so difficult to detect and can drastically increase the attack surface for ransomware,” Endler said. “These attacks could not only lead to disastrous consequences for a company’s bottom line but could also significantly impact sectors such as critical infrastructure.”

**Critical Infrastructure and Technology Sectors Lag Behind**

The report showed that critical infrastructure companies were the worst offenders for bad password hygiene. Across four industries – aerospace and defense, chemical, industrial, and energy – elementary password hygiene issues were found, including the use of company names in the top three to five most used passwords.

While critical infrastructure employees exhibited the poorest password hygiene, the technology sector had the most severe exposure, with over 26 million breach records representing 139 million employee assets (credentials, PII, cookies, etc) –– comprising 21% of all exposed Fortune 1000 records (followed by financial services with 21 million records and nearly 120 million assets).

Technology companies also had the largest number of malware-infected devices across sectors, with nearly 70% of all infected consumer devices identified among the Fortune 1000 (20.6 million) and about 50% of all infected employee devices (approximately 34,000).

To defend against account takeover, malware, ransomware and other malicious cyberattacks, Fortune 1000 companies cannot bet solely on their employees to keep them safe and rather should think of users as consumers whose behavior expands the attack surface multi-fold.

To minimize exposure and safeguard data, enterprises need to enforce strong enterprise password policy with SSO where possible, create clear company policies on the use of business and personal devices, enforce multi factor authentication on critical accounts and mandate the use of password managers, as well as leverage continuous, actionable intelligence into their users’ exposure – especially in industries entrusted with a vast amount of sensitive consumer data such as technology, ecommerce, financial services, and critical infrastructure.

SpyCloud’s unique solutions, built on a foundation of recaptured data from breaches, malware-infected devices and other underground sources protect businesses and consumers from fraud and cyberattacks that stem from the use of stolen data by allowing companies to proactively monitor and remediate their exposures.

To download the full 2022 SpyCloud Fortune 1000 Breach Exposure Report, visit https://spycloud.com/resource/2022-fortune-1000-identity-exposure-report/.

To learn more about how SpyCloud helps organizations defend against fraudulent transactions, visit https://spycloud.com/.

**About SpyCloud**

SpyCloud transforms recaptured data to protect businesses from cyberattacks. Its products leverage a proprietary engine that collects, curates, enriches and analyzes data from the criminal underground, driving action so enterprises can proactively prevent account takeover and ransomware, and protect their business and consumers from online fraud. Its unique data from breaches, malware-infected devices, and other underground sources also powers many popular dark web monitoring and identity theft protection offerings. SpyCloud customers include half of the ten largest global enterprises, mid-size companies, and government agencies around the world. Headquartered in Austin, TX, SpyCloud is home to over 150 cybersecurity experts who aim to make the internet a safer place.

SpyCloud Report: Fortune 1000 Employees Pose Elevated Cyber Risk to Companies

The Five Eyes nations comprising Australia, Canada, New Zealand, the U.K., and the U.S., along with Ukraine and the European Union, formally pinned Russia for masterminding an attack on an international satellite communication (SATCOM) provider that had "spillover" effects across Europe.
The cyber offensive, which took place one hour before the Kremlin's military invasion of Ukraine on February

The Five Eyes nations comprising Australia, Canada, New Zealand, the U.K., and the U.S., along with Ukraine and the European Union, formally pinned Russia for masterminding an attack on an international satellite communication (SATCOM) provider that had "spillover" effects across Europe.

The cyber offensive, which took place one hour before the Kremlin's military invasion of Ukraine on February 24, targeted the KA-SAT satellite network operated by telecommunications company Viasat, crippling the operations of wind farms and internet users in central Europe.

Viasat, in late March, disclosed that it had shipped nearly 30,000 modems to distributors to restore service to customers whose modems were rendered unusable.

"This cyberattack had a significant impact causing indiscriminate communication outages and disruptions across several public authorities, businesses and users in Ukraine, as well as affecting several E.U. Member States," the Council of the European Union said.

Calling it a deliberate and unacceptable cyberattack, the nations pointed fingers at Russia for its "continued pattern of irresponsible behavior in cyberspace, which also formed an integral part of its illegal and unjustified invasion of Ukraine."

The U.S. State Department said the digital assaults against commercial satellite communications networks were orchestrated to disrupt Ukrainian military command-and-control capabilities during the invasion.

An analysis from cybersecurity firm SentinelOne published last month revealed that the intrusion aimed at Viasat involved the use of a data-wiping malware dubbed AcidRain that's designed to remotely sabotage tens of thousands of vulnerable modems.

Furthermore, the discovery unearthed similarities between AcidRain and "dstr," a third-stage wiper module in VPNFilter, a botnet malware previously attributed to Russia's Sandworm group.

Besides the Viasat attacks, Australia and Canada also blamed the Russian government for targeting the Ukrainian banking sector in February 2022, COVID-19 vaccine research and development in 2020, and interfering in Georgia's 2020 parliamentary elections.

The attribution comes as Ukraine has been at the receiving end of a number of destructive attacks directed at public and private sector networks since the start of the year, launched as part of Russia's "hybrid" warfare strategy in concert with ground warfare.

The U.K.'s National Cyber Security Centre (NCSC) noted that Russian military intelligence agencies were "almost certainly" involved in the deployment of WhisperGate wiper malware and the defacements of several Ukrainian websites in January 2022.

AcidRain and WhisperGate are part of a long list of data wiper strains that has hit Ukraine in recent months, which also includes HermeticWiper (FoxBlade aka KillDisk), IssacWiper (Lasainraw), CaddyWiper, DesertBlade, DoubleZero (FiberLake), and Industroyer2.

"Russian hackers have been waging war against Ukraine in the cyberspace for the past eight years," the State Service for Special Communication and Information Protection of Ukraine (SSSCIP) said in a statement, adding they "pose a threat not only to Ukraine, but to the whole world."

"Their purpose is to damage and destroy, to wipe out data, to deny Ukrainian citizens' access to public services as well as to destabilize \[the\] situation in the country, to spread panic and distrust in the authorities among the people."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

E.U. Blames Russia for Cyberattack on KA-SAT Satellite Network Operated by Viasat

A pay-per-install (PPI) malware service known as PrivateLoader has been spotted distributing a "fairly sophisticated" framework called NetDooka, granting attackers complete control over the infected devices.
"The framework is distributed via a pay-per-install (PPI) service and contains multiple parts, including a loader, a dropper, a protection driver, and a full-featured remote access trojan (

A pay-per-install (PPI) malware service known as PrivateLoader has been spotted distributing a "fairly sophisticated" framework called NetDooka, granting attackers complete control over the infected devices.

"The framework is distributed via a pay-per-install (PPI) service and contains multiple parts, including a loader, a dropper, a protection driver, and a full-featured remote access trojan (RAT) that implements its own network communication protocol," Trend Micro said in a report published Thursday.

PrivateLoader, as documented by Intel 471 in February 2022, functions as a downloader responsible for downloading and installing additional malware onto the infected system, including SmokeLoader, RedLine Stealer, Vidar, Raccoon, GCleaner, and Anubis.

Featuring anti-analysis techniques, PrivateLoader is written in the C++ programming language and is said to be in active development, with the downloader malware family gaining traction among multiple threat actors.

PrivateLoader infections are typically propagated through pirated software downloaded from rogue websites that are pushed to the top of search results via search engine optimization (SEO) poisoning techniques.

"PrivateLoader is currently used to distribute ransomware, stealer, banker, and other commodity malware," Zscaler noted last week. "The loader will likely continue to be updated with new features and functionality to evade detection and effectively deliver second-stage malware payloads."

The framework, still in its development phase, contains different modules: a dropper, a loader, a kernel-mode process and file protection driver, and a remote access trojan that uses a custom protocol to communicate with the command-and-control (C2) server.

The newly observed set of infections involving the NetDooka framework commences with PrivateLoader acting as a conduit to deploy a dropper component, which then decrypts and executes a loader that, in turn, retrieves another dropper from a remote server to install a full-featured trojan as well as a kernel driver.

"The driver component acts as a kernel-level protection for the RAT component," researchers Aliakbar Zahravi and Leandro Froes said. "It does this by attempting to prevent the file deletion and process termination of the RAT component."

The backdoor, dubbed NetDookaRAT, is notable for its breadth of functionality, enabling it to run commands on the target's device, carry out distributed denial-of-service (DDoS) attacks, access and send files, log keystrokes, and download and execute additional payloads.

This indicates that NetDooka's capabilities not only allow it to act as an entry point for other malware, but can also be weaponized to steal sensitive information and form remote-controlled botnets.

"PPI malware services allow malware creators to easily deploy their payloads," Zahravi and Froes concluded.

"The use of a malicious driver creates a large attack surface for attackers to exploit, while also allowing them to take advantage of approaches such as protecting processes and files, bypassing antivirus programs, and hiding the malware or its network communications from the system."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Using PrivateLoader PPI Service to Distribute New NetDooka Malware

By Jon Munshaw. 
Welcome to this week’s edition of the Threat Source newsletter. 
Emotet made headlines last week for being “back” after a major international law enforcement takedown last year. But I’m here to argue that Emotet never left, and honestly, I’m not sure it ever...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

_By Jon Munshaw._ 

Welcome to this week’s edition of the Threat Source newsletter. 

As Nick Biasini and I covered in a December episode of Talos Takes, these takedowns are always incredibly helpful and a show of strength among the international community. But it doesn’t mean they’re a final nail in the coffin.  

Nick pointed out to me in that Talos Takes that there weren’t any arrests associated with the takedown, so the operators were always still out there ready to come back. And we started seeing Emotet send spam again as soon as nine-ish months after the takedown announcement.  

“In this particular case, we saw a botnet disruption, more than anything else,” Nick said. 

So it really shouldn’t be a surprise to anyone that Emotet is re-loading again. It’s known to go on months-long breaks, usually picking up around major holidays or international events like Black Friday and Cyber Monday. 

I admittedly don’t know enough about the ins and outs of taking down a botnet to say if something like this could ever be permanent or if there ever really is a way to truly end it for good. But if Emotet goes quiet for another few months and then magically pops up again in September, no one should be surprised. 

Take Silk Road, an infamous dark website for drug trade, needed three international takedown efforts over two years to truly shut down the site and stop any predecessors from popping up, even after its initial founder was arrested. 

As all these threats have shown us, as defenders, we can never let our guard down that a threat is ever truly gone no matter how impressive a press release sounds.  

**The one big thing **

Our researchers recently studied a trove of leaked chat logs between the Conti and Hive ransomware operators and their victims. From them, we learned more about how the groups choose their victims, how a triple-extortion attempt usually goes down and more about the inner workings of these actors. In our latest research paper, we run through these findings and provide a look into these chats so other security researchers and potential targets can be more prepared to fight these groups and spot their weaknesses.  

> **Why do I care? **
> 
> The chats we studied are completely new from the Conti leaks from earlier this year, so we continue to learn more about this group as time goes on. For starters, victims should take away from this research that if the plan is to pay the ransom, never take the actor’s first offer, they almost always reduce their asking price over time. We now know more about these groups’ negotiating tactics, which can be helpful for anyone who may be a future target or victim of these groups.  
> 
> **So now what? **Pretty much the same as always if the goal is to never be hit with one of these ransomware attacks. This is a reminder to all organizations to implement a strong patch management system and keep all systems up to date. Organizations should also perform general system hardening that includes removing services or protocols running on endpoints where they are unnecessary. 

**Other newsy nuggets **

For many years, Russia was viewed as off-limits for cyber attacks over the risk of potential retaliation. But after the country’s invasion of Russia, the floodgates have opened to hactivists and volunteers who are hitting the country’s networks at an unprecedented rate. Even some ransomware groups have gotten in on the action. Even early in the invasion, Russia suffered a major setback because actors in Belarus disrupted the country’s railway system that was still relying on Windows XP, slowing down Russia’s supply lines and potentially staving off an invasion of Kyiv, the country’s capital. (Washington Post, Wired, ComputerWorld) 

Users can now opt-out of having their personal information appear in Google search results. The search engine recently loosened its policies on this opt-out. Previously, users had to show a threat of doxxing or other harm that could come to them should something like their phone number, address or email show up when you searched their name. Now, the company says people can ask for their information to be removed even if there is no clear risk. This is not a catch-all step to protecting your identity online, but it’s a solid start for anyone looking to be more privacy-conscious. (NPR, CNET) 

A Chinese state-sponsored actor has been snooping on more than 30 major companies’ networks for more than two years to steal intellectual property. Security researchers say the APT41 threat actor used what they dubbed "Operation Cuckoo Bees” to steal trillions of dollars' worth of everything from engineering blueprints to experimental diabetes treatments and solar panel designs. As of this week, the campaign is still ongoing. (SC Magazine, CBS News) 

**Can’t get enough Talos? **

*   Talos Takes Ep. #94: Everything you need to know about the BlackCat ransomware group
*   Vulnerability Spotlight: Two vulnerabilities in Accusoft ImageGear could lead to DoS, arbitrary free
*   Threat Roundup for April 22 - April 29

**Upcoming events where you can find Talos ****RSA 2022 (June 6 – 9, 2022)  
San Francisco, California ****Cisco Live U.S. (June 12 – 16, 2022)  
Las Vegas, Nevada ****Most prevalent malware files from Talos telemetry over the past week  **

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  **MD5:** 93fefc3e88ffb78abb36365fa5cf857c  **Typical Filename:** Wextract    
**Claimed Product:** Internet Explorer    
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg  

**SHA 256:** 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa **MD5:** df11b3105df8d7c70e7b501e210e3cc3 **Typical Filename:** DOC001.exe   
**Claimed Product:** N/A   
**Detection Name:** Win.Worm.Coinminer::1201 

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1    **MD5:** 3e10a74a7613d1cae4b9749d7ec93515**Typical Filename:** IMG001.exe      
**Claimed Product:** N/A    **Detection Name:** Win.Dropper.Coinminer::1201 

**SHA 256:** 1b94aaa71618d4ecba665130ae54ef38b17794157123675b24641dc85a379426    
**MD5:** a841c3d335907ba5ec4c2e070be1df53  **Typical Filename:** chip 1-click installer.exe    
**Claimed Product:** chip 1-click installer     
**Detection Name:** Win.Trojan.Generic::ptp.cam  

**SHA 256:** 7cfdf65b1f93bd600a4e7cadbcfeccc634d0c34b5b098740af1cf2afa7c64b97   **MD5:** 258e7698054fc8eaf934c7e03fc96e9e   **Typical Filename:** samsungfrp2021.exe     
**Claimed Product:** N/A   **Detection Name:** W32.7CFDF65B1F-85.TPD2.RET.SBX.TG34

Threat Source newsletter (May 5, 2022) — Emotet is using up all of its nine lives

By Waqas
Cloudflare explained that it wasn’t the largest application-layer attack but the largest ever noted in the HTTPS category.…
This is a post from HackRead.com Read the original post: Cloudflare Successfully Thwarted One of The Largest DDoS Attacks

Cloudflare explained that it wasn’t the largest application-layer attack but the largest ever noted in the HTTPS category.

Internet Infrastructure company Cloudflare has mitigated one of the world’s largest distributed denial of service attacks (DDoS attacks) recorded to date. According to Cloudflare’s blog post published on April 27th, the company mitigated a 15.3 million rps (request-per-second) DDoS attack earlier in April 2022.

That’s one of the largest HTTPS DDoS attacks recorded so far. It is worth noting that HTTPS DDoS attacks extract more computing power from the device and tend to be more expensive since creating a secure TLS encrypted connection is far costlier than traditional attacks.

> “Therefore it costs the attacker more to launch the attack, and for the victim to mitigate it. We’ve seen very large attacks in the past over (unencrypted) HTTP, but this attack stands out because of the resources it required at its scale,”
> 
> Omer Yoachimik and Julien Desgats – Cloudflare

In August 2021, Cloudflare stopped the largest ever recorded DDoS attack involving 1.72 million HTTP rps. This figure was three times larger than all previously registered volumetric DDoS attacks.

**Volumetric and Bandwidth Attacks**

It is worth noting that volumetric DDoS attacks are different from conventional bandwidth DDoS attacks. In the latter, the attacker tries to exhaust and clog up the internet connection bandwidth of the targeted device.

In contrast, in the former, the attacker focuses on bombarding the victim with as many junk HTTP requests as possible to use up the server CPU and RAM. Moreover, volumetric DDoS attacks prevent other legit users from accessing/visiting the website.

**Details of the Attack**

According to Cloudflare, the victim was its customer using a crypto launchpad that surfaces DeFi (decentralized finance) projects to potential investors. Cloudflare revealed that around 1,300 different networks, including top networks like German provider Hetzner Online GmbH, OVH in France, Azteca Comunicaciones Colombia, and other cloud providers, were used for the attack.

However, the attack lasted less than fifteen seconds and was launched from a botnet comprising 6,000 unique bots originating from 112 countries. 15% of the traffic originated from Indonesia, while other most prominent countries included Russia, Brazil, India, Colombia, and the USA.

Cloudflare didn’t clarify whether the attack was linked to the Emotet botnet, but it did admit that it came from a botnet they have been tracking lately. Another interesting finding Cloudflare shared is that the attack originated from data centers mostly.

**More DDoS Attacks News**

1.  Christian crowdfunding site GiveSendGo hit by DDoS attack
2.  Imperva mitigated a series of massive ransom DDoS attacks
3.  DDoS Attack and Data Wiper Malware hit Computers in Ukraine
4.  Microsoft Azure customer hit by largest ever 3.47 Tbps DDoS attack
5.  DDoS attacks on Minecraft event crippled Internet of a European country

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Cloudflare Successfully Thwarted One of The Largest DDoS Attacks

Source code and Bitcoin transactions point to the malware, which emerged in March 2020, being the work of APT38, researchers at Trellix said.

Source code and Bitcoin transactions point to the malware, which emerged in March 2020, being the work of APT38, researchers at Trellix said.

Cryptocurrency thief Lazarus Group appears to be widening its scope into using ransomware as a way to rip off financial institutions and other targets in the Asia-Pacific (APAC) region, researchers have found.

Financial transactions and similarities to previous malware in its source code link a recently emerged ransomware strain called VHD to the North Korean threat actors, also known as Unit 180 or APT35.

Researchers at cybersecurity firm Trellix has been tracking attacks on financial institutions from what they believe is North Korea’s cyber army—which typically generate from Lazarus Group—for the last few years. The group is perhaps best known for its deftness at ripping off the crypto-currency market through money-laundering schemes to raise money for the North Korean government.However, Lazarus also appears to have been playing the ransomware game for at least a year, Trellix revealed in a blog post this week. Researchers found that Bitcoin transactions and connections to code from ransomware previously used by the group make it likely that VHD, which emerged in March 2020, is the work of APT38, they said.

****Financial Attacks Raise Suspicion****

A significant precursor to linking Lazarus to VHD was an attempt by threat actors in February 2016 to transfer nearly US$1 billion through the SWIFT system towards recipients at other banks, according to the post by Trellix researcher Christian Beek.

“The investigation, performed by several U.S. agencies, led to a North Korean actor, dubbed ‘Hidden Cobra,'” he wrote. “Ever since then, the group has been active, compromising numerous victims.”

Hidden Cobra, active since 2014, is believed to be the work of Lazarus Group. In 2017, the FBI warned that the group was targeting U.S. businesses with malware- and botnet-related attacks.

“Over time we have observed several methods North Korea has used to gain money,” Beek wrote “Although not as frequently observed as other groups, there have also been attempts made to step into the world of ransomware.”

Trellix has followed North Korean-linked actors’ attacks on financial institutions—such as global banks, blockchain providers and users from South Korea–over the last few years. Tactics used included spear-phishing emails as well as the use of fake mobile applications and companies, researchers noted.

“Since these attacks were predominantly observed targeting the APAC region with targets in Japan and Malaysia for example, we anticipate these attacks might have been executed to discover if ransomware is a valuable way of gaining income,” Beek wrote.

****Code Links****

Knowing that ransomware has emerged a part of the toolkit of the North Korean cyber army, Trellix researchers peered under the hood of the VHD code to find similarities that they believed pointed to reuse from previous ransomware, Beek wrote.

“Using those \[code\] blocks as a starting point, a hunt was started from March 2020 onwards to discover related families,” he wrote.

Researchers identified code from four ransomware families known to be used by North Korean threat actors—BGEAF, PXJ, ZZZZ and CHiCHi–in the code of VHD.

While the Tflower and ChiChi families share only generic-function code with VHD, “the ZZZZ ransomware is almost an exact clone of the Beaf ransomware family,” which has been linked to North Korea, Beek wrote.

“Another observation is that the four letters of the ransomware ‘BEAF’ … are exactly the same first four bytes of the handshake of APT38’s tool known as Beefeater,” he added.

The use of the MATA framework in VHD—which has been used to spread the Tflower ransomware family—also links the VHD to Lazarus, as MATA has previously been linked to North Korea, researchers said.

****Following the Money****

Researchers then investigated the various ransomware families they’d linked to North Korea, which all seemed to target specific entities in APAC regions, to try to find financial overlap between then.

They extracted the Bitcoin  wallet addresses and started tracing and monitoring the transactions, though they did not find overlap in the wallets themselves, Beek wrote.

“We did find, however, that the paid ransom amounts were relatively small,” he wrote, linking a pattern between the ransomware families attributed to North Korean actors.

For example, a transaction of 2.2 Bitcoin in mid-2020 was worth around $US20,00 and was transferred multiple times through December 2020, researchers found. At that time, a transaction took place on a Bitcoin exchange to either cash out–as the value had roughly doubled–or exchange for a different and less traceable cryptocurrency, they said.

“We suspect the ransomware families … are part of more organized attacks,” Beek wrote. “Based on our research, combined intelligence, and observations of the smaller targeted ransomware attacks, Trellix attributes them to \[North Korean\] hackers with high confidence.”

VHD Ransomware Linked to North Korea’s Lazarus Group

The Internet of Things needs to be part of the overall corporate information security policy to prevent adversaries from using these devices as an entry point.

**Question: What do I need to know about defending IoT attack surfaces?**

**Bud Broomhead, CEO at Viakoo:** There are several reasons why it's critical for organizations to defend their IoT attack surface, most importantly being that IoT devices are powerful systems containing compute, storage, and networking that threat actors view as the easiest way to breach an organization or enable exploits. They need to be part of the overall corporate infosec policy unless a specific exemption is given, including policies around firmware patches and using certificates. The impact of not defending the IoT attack surface is massive and tends to fall into two categories. First is realizing that IoT device vulnerabilities are an effective method to breach an organization, and second is preventing IoT devices from being used in broader cyberattacks against multiple organizations.

Let's start with why IoT devices have become a preferred method for cybercriminals to breach an organization. IoT devices are hard to secure; they exist at 5 to 20 times the scale of IT devices, and they are often physically distributed widely across the organization (they are not neatly contained in data centers). Traditional IT security solutions don't work for IoT because they are often agent-based, and IoT devices do not allow agents to be placed on them due to the devices having unique operating systems and communication protocols.

Not only are there more vulnerabilities impacting IoT devices than traditional IT systems, IoT devices offer a wider set of exploits to a threat actor. For example, man-in-the-middle attacks are essentially a solved problem for IT systems, yet still can be effective against IoT systems. These are some of the reasons threat actors view IoT as low-hanging fruit in breaching an organization.

Likewise, many IoT devices are deployed and managed by the line of business (such as physical security, facilities, manufacturing, etc.), and may not be visible to the IT organization. Unless an automated solution is used, updating firmware on IoT devices can be slow, meaning that the window of vulnerability is open far longer for IoT than for IT systems. And because many IoT devices use open source software components (a fast-growing method of delivering vulnerabilities), enabling security fixes across a fleet of IoT devices with different makes and models also allows the attack window to be open for much longer than IT. Despite many organizations deploying IoT devices on networks segmented and firewalled away from the corporate network, over time connections to the corporate network happen, leading to IoT devices being a key method of entering an organization then pivoting to the corporate network (the hacked fish tank in Las Vegas comes to mind).

Another major reason defending the IoT attack surface is a high priority comes from how botnet armies are typically formed using IoT devices (the most famous example being the Mirai botnet, but many other examples exist). These IoT-based botnets deliver a significant percent of spam and phishing attempts (estimates range as high as 90%), which leads directly to planting malware and ransomware and enabling data exfiltration across multiple organizations. Fighting phishing and other attack vectors leads directly to shrinking the IoT attack surface.

I'd like to end on a practical note with a few concrete tips:

*   Make sure IoT devices are covered by corporate infosec policies.
*   Use IoT discovery and threat-assessment solutions to ensure every IoT device is visible.
*   If you have a zero trust initiative underway, extend it to IoT.
*   Use automation for implementing security fixes, and documenting all stages of it, both for compliance and management purposes.

The end result should be every IoT device being visible, secure, and performing its function – and a greatly reduced attack surface.

Tag

#botnet