PRESS RELEASE

SAN FRANCISCO, June 26, 2024 /PRNewswire/ -- Ballistic Ventures, the venture capital firm dedicated exclusively to funding and incubating entrepreneurs and innovations in cybersecurity, is pleased to announce that co-founder Kevin Mandia is now General Partner.

Mandia is one of the world's most recognized experts in cybersecurity, known for his relentless efforts to fight cyber threats for more than 30 years. In 2004, he founded renowned cybersecurity firm Mandiant, serving as CEO from 2004 to 2013, when Mandiant Corporation was acquired by FireEye. Mandia took the helm as CEO of FireEye in 2016, guiding the company through a divestiture and corporate name change to Mandiant, Inc. in 2021, and through a successful acquisition by Google in 2022. Mandia recently transitioned to an advisory role within Google Cloud, and he continues to sit on the Google Public Sector board.

In 2023, Mandia was appointed by President Biden to serve as a member of the National Security Telecommunications Advisory Committee (NSTAC). He is also a member of the Cybersecurity and Infrastructure Security Agency (CISA) Cybersecurity Advisory Committee. Previously, he held senior positions in the security consulting divisions of Sytex, acquired by Lockheed Martin, and Foundstone, acquired by McAfee. He also served in the United States Air Force as a computer security officer at the Pentagon, and later as a special agent in the Air Force Office of Special Investigations.

"I am very excited to dedicate more of my energy to Ballistic Ventures, and I especially look forward to working with the entrepreneurs who are shaping the future of cybersecurity," said Mandia.

Ballistic Ventures was co-founded in 2021 by Mandia and General Partners Barmak Meftah, Ted Schlein, Jake Seid and Roger Thornton. While CEO of Mandiant (now part of Google Cloud), Mandia jointly served as Co-founder and Strategic Partner at Ballistic, leading the firm's investment in SpecterOps, the Attack Path Management company, where he is an Observer to the company's Board of Directors. Mandia also served as the second investing partner for five of the VC firm's 18 investments to date, and is a Board Observer to portfolio company Alethea, the disinformation detection and mitigation company.

"We're excited to have Kevin as a General Partner at Ballistic," said Schlein. "Kevin's expertise in the cybersecurity industry is unparalleled, and his knowledge of the market and customer set is unmatched."

As General Partner, Mandia will draw from his extensive knowledge of the threat landscape and expertise as a successful founder and CEO to expand his investments within the firm and continue to mentor entrepreneurs and scale companies across the Ballistic portfolio.

Mandia's move to General Partner comes on the heels of Ballistic Ventures announcing the close of its $360 million oversubscribed second fund. The firm is actively looking to deploy the new capital in novel innovations led by passionate cybersecurity entrepreneurs.

About Ballistic Ventures  
Ballistic Ventures is a venture capital firm solely dedicated to early-stage cybersecurity and cyber-related companies. The partners have spent their entire careers defending against every cyber threat conceivable. Members of the firm have founded, operated, and funded over 100 successful cybersecurity firms – including Abnormal Security, AlienVault, ArcSight, Fortify, Mandiant, and Shape Security – led over 10,000 security professionals globally, and have 40+ years of experience in venture capital. The Ballistic portfolio includes Aembit, Alethea, ArmorCode, AuthMind, Codezero, Concentric AI, Mimic, Nudge Security, Oligo, Pangea, Perygee, Reach Security, SpecterOps, Talon (PANW), Veza and WitnessAI. Our experience provides entrepreneurs impactful support from people focused on the same mission. Our networks and relationships open doors for our founders. Learn more at ballisticventures.com.

Cybersecurity Veteran Kevin Mandia Named General Partner of Ballistic Ventures

A report in March found that 72% of cryptocurrency projects had died since 2020, with crypto trading platform FTX’s downfall taking out many of them in one fell swoop.

Thursday, June 27, 2024 14:00

AI has since replaced “cryptocurrency” and “blockchain” as the cybersecurity buzzwords everyone wants to hear. 

We're not getting as many headlines about cryptocurrency miners, the security risks or promises of the blockchain, or non-fungible tokens being referenced on “Saturday Night Live.” 

A report in March found that 72% of cryptocurrency projects had died since 2020, with crypto trading platform FTX’s downfall taking out many of them in one fell swoop. This, in turn, means there are fewer instances of cryptocurrency mining malware being deployed in the wild — if cryptocurrencies aren’t as valuable, the return on investment for adversaries just isn’t there.  

But that still hasn’t stopped bad actors from using the cryptocurrency and blockchain spaces to carry out other types of scams that have cost consumers millions of dollars, as a few recent incidents highlight. 

In place of major cryptocurrencies, many bad faith actors are creating “memecoins,” which are cryptocurrencies usually themed around a particular internet meme or character meant to quickly generate hype. The most famous example, Dogecoin, themed after the “Doge” meme, was 72% below its peak value as of Wednesday. 

At one point, Dogecoin was at least worth something, which is more than can be said for most other memecoins launched today. Cryptocurrency news site CoinTelegraph found that one in six newly launched meme-themed cryptocurrencies are outright scams, primarily centered around getting users to spend real-world money to invest in currency before the creator just takes off with their funds. 

And 90% of the memecoins they studied contained at least one security vulnerability that could leave users open to abuse or theft. 

Singer Jason Derulo is even facing allegations that his “JASON” memecoin on the Solana blockchain platform is a scam after it hit a market cap of $5 million on June 23, and then the value fell almost immediately later that day. Separately, someone hacked rapper 50 Cent’s Twitter account to promote the “$GUINT” memecoin. Upon regaining control of his account, 50 Cent said that whoever committed the scam made $3 million in 30 minutes, with consumers putting money into the memecoin thinking it was legitimate, before the creator took off with the money almost immediately, leaving users unable to access their funds. 

Another popular scam still going around in this space is called the “rug pull,” where a cryptocurrency or NFT developer starts to hype up a new project to attract investor funds, only to completely shut down the project days or weeks later, taking investors’ assets with them. 

Blockfence, a Web3 security firm, found a collection of these scammers earlier this year, claiming they had stolen the equivalent of $32 million from more than 42,000 people across multiple rug pull scams. Unmoderated social media platforms have been rife for abuse for these types of scams, with semi-anonymous users with large followings finding it fairly easy to get a large amount of interest in whatever their latest “project” is in a short amount of time.  

The last example, I’m still not sure if it’s a scam yet. A new video game called “Banana” recently blew up on the Steam online store, even though it’s barely a video game. Users can open the game at fixed intervals and click a button to receive a “banana” in their Steam account. Some of these bananas, usually different artists' renderings of an image of the fruit, are extraordinarily rare and can be re-sold on Steam’s internal marketplace for real-world money. 

Some of these bananas have sold for more than $1,000, but most of the basic ones are only worth a few cents. To me, this looks and smells like an NFT. A former cryptocurrency scammer was once even connected to the project before the creators parted ways with him.  

I have no way of knowing any of this for sure, but there doesn’t seem to be any safeguards in place to ensure the creators of the game could rig it for themselves and give only themselves or close friends copies of the rarer items. And I’m not fully sure what the endgame is for the developers, since “Banana” is free to download and “play.”  

Thankfully, I’m not getting as many questions as I used to about NFTs and “the crypto” from extended family members. But just because it’s disappeared from mainstream consciousness doesn’t mean scammers have forgotten about this space, too. 

**The one big thing **

Cisco Talos recently discovered an ongoing campaign from SneakyChef, a newly discovered threat actor using SugarGh0st malware. SneakyChef uses lures that are scanned documents of government agencies, most of which are related to various countries’ Ministries of Foreign Affairs or embassies. Talos recently revealed SneakyChef’s continuing campaign targeting government agencies across several countries in EMEA and Asia, delivering the SugarGh0st malware, however, we found a new malware we dubbed “SpiceRAT” was also delivered in this campaign.   

**Why do I care? **

SneakyChef has already targeted more than a dozen government ministries across the Eastern Hemisphere. Based on the lure documents Talos discovered the actor using, like targets for the campaign could include the Ministries of Foreign Affairs from Angola, India, Kazakhstan, Latvia, and Turkmenistan and the Saudi Arabian embassy in Abu Dhabi. This actor doesn’t seem to be deterred by much, either, as their actions have largely continued in the same manner since Talos first disclosed the existence of SugarGh0st several years ago, using the same TTPs and C2.  

**So now what? **

Talos could not find any of the lure documents used in the wild, so they were very likely stolen through espionage and slightly modified. This could make it more difficult to spot lure documents and spam emails, so users should pay closer attention to the sender’s email address if they are suspicious of any messages. We also released OSQueries, Snort rules and ClamAV signatures that can detect and block SneakyChef’s activities and the SpiceRAT malware.  

**Top security headlines of the week **

**A cyber attack that is stalling communication and sales at car dealerships around the U.S. is unlikely to be restored by the end of the month.** CDK Global, the victim of the campaign, reportedly told customers that they should prepare alternative methods for preparing month-end financial statements. Car dealerships use CDK to conduct sales, process financial information, and look up vehicles’ warranties and recalls. The outage is affecting more than 60 percent of Audi dealerships in the U.S. and about half of Volkswagen’s locations, forcing them to switch to pen-and-paper transactions and contracts or to drop sales altogether. One sales manager of an affected dealership told CNN it could take “months to correct, if not years,” the financial fallout of the outage. CDK first disclosed two back-to-back cyber attacks last week, both of which occurred on June 19. There are already two class action lawsuits against CDK, with plaintiffs alleging that the breach may have exposed customers’ and employees’ names, addresses, social security numbers and other financial information. (Reuters, CNN) 

**The list of victims resulting from a data breach at cloud storage provider Snowflake continues to grow.** Australian ticket sales platform Tiketek informed customers this week of a potential data breach, though it was not immediately clear if it was connected to Snowflake. Retailer Advance Auto Parts also said this week that said employee and applicant data — including social security numbers and other government identification information — were stolen during the breach. Clothing chain Neiman Marcus also filed regulatory documents in Maine and Vermont disclosing that the personal information of more than 64,000 people was potentially accessed because of the Snowflake breach. This information could include names, contact information, dates of birth and gift card numbers for the retailer. Security researchers at Mandiant first estimated that as many as 165 Snowflake customers could be affected. Snowflake says that internal investigations found that the breach was not caused by “a vulnerability, misconfiguration, or breach of Snowflake’s platform." (The Register, The Record by Recorded Future) 

**Adversaries quickly started exploiting another vulnerability in the MOVEit file transfer software, just hours after it was disclosed.** The high-severity vulnerability, CVE-2024-5806, could allow an attacker to authenticate to the file-transfer platform as any valid user with the accompanying privileges. The vulnerability exists because of an improper authentication issue in MOVEit’s SFTP module, which Progress, the creator of the software, says “can lead to authentication bypass in limited scenarios.” A different vulnerability in MOVEit was targeted in a rash of Clop ransomware attacks that eventually affected more than 160 victims, including the state of Maine, the University of California Los Angeles, and British Airways. Managed file transfer software (MFT) like MOVEit are popular targets for threat actors because they contain large amounts of sensitive information, which adversaries will steal and then use to extort victims. The Shadowserver Foundation posted on Twitter on Tuesday that they began seeing exploitation attempts shortly after details emerged about CVE-2024-5806. (Dark Reading, SecurityWeek) 

**Can’t get enough Talos? **

*   Cisco Talos: How Threat Actors Target MFA 
*   MFA plays a rising role in major attacks, research finds 
*   SpiceRAT: Cisco Talos Sound Alarm Over New Trojan 
*   Hack your water and electricity! Myth or Reality? 
*   Multiple vulnerabilities in TP-Link Omada system could lead to root access 
*   Talos Takes Ep. #188: Everything we know about denial-of-service attacks in 2024 

**Upcoming events where you can find Talos **

**_BlackHat USA_** **_(Aug. 3 – 8)_** 

_Las Vegas, Nevada_ 

**_Defcon_** **_(Aug. 8 – 11)_** 

_Las Vegas, Nevada_ 

**_BSides Krakow_** **_(Sept. 14)_**  

_Krakow, Poland_ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202   
**MD5:** e4acf0e303e9f1371f029e013f902262   
**Typical Filename:** FileZilla\_3.67.0\_win64\_sponsored2-setup.exe   
**Claimed Product:** FileZilla   
**Detection Name:** W32.Application.27hg.1201 

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

**SHA 256:** a024a18e27707738adcd7b5a740c5a93534b4b8c9d3b947f6d85740af19d17d0   
**MD5:** b4440eea7367c3fb04a89225df4022a6   
**Typical Filename:** Pdfixers.exe   
**Claimed Product:** Pdfixers   
**Detection Name:** W32.Superfluss:PUPgenPUP.27gq.1201 

**SHA 256:** 484c74d529eb1551fc2ddfe3c821a7a87113ce927cf22d79241030c2b4a4aa74  
**MD5:** dc30cfd21bbb742c10e3621d5b506780  
**Typical Filename:** KMS-R@1nHook.exe  
**Claimed Product:** N/A  
**Detection Name:** W32.File.MalParent

**SHA 256:** 9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202  
**MD5:** e4acf0e303e9f1371f029e013f902262  
**Typical Filename:** FileZilla\_3.67.0\_win64\_sponsored2-setup.exe  
**Claimed Product:** FileZilla  
**Detection Name:** W32.Application.27hg.1201

We’re not talking about cryptocurrency as much as we used to, but there are still plenty of scammers out there

The attacks infiltrate enterprise networks through browsers, and show an evolution in evasive and adaptive tactics from well-resourced state-sponsored actors.

Source: Rawpixel.com via Shutterstock

Three novel credential-phishing campaigns have emerged from state-sponsored actors that have compromised at least 40,000 corporate users — including top-level executives — in just three months' time, researchers have found.

The attacks target a range of industries and enter corporate environments through browsers, allowing them to get past network infrastructure security controls and cloud network services and demonstrating an evolution in capabilities on the part of adversaries, according to researchers from Menlo Security who discovered them.

The campaigns — called LegalQloud, Eqooqp, and Boomer — are characterized by their deployment of what the researchers call highly evasive and adaptive threat (HEAT) attack techniques that can circumvent controls such as multifactor authentication (MFA) and URL filtering.

Tactics used by the campaigns include bypassing MFA and using phishing kits and adversary-in-the-middle (AitM) tactics to take over user sessions; impersonating entities, primarily Microsoft, familiar to or associated with the organizations targeted; and using dynamic phishing links that make it hard for filtering technologies to track and thus detect.

"These are challenging new tactics, and security practitioners must augment controls and take care to address them immediately," according to the report. "These sophisticated attacks magnify concerns about the effectiveness of traditional network security controls such as secure service Edge (SSE), secure Web gateways (SWG), and endpoint detection and response (EDR)."

**State-Sponsored Actors Get Aggressive**

The campaigns are aimed exclusively at credential phishing, with evidence to connect them to China-sponsored threat actors who are targeting the US and private enterprise in "aggressive cyber espionage efforts, posing an alarming risk to national security and pilfering innovation," according to the report. However, though researchers have established some attribution to a group previously tracked by Microsoft as Storm-1101/DEV-1101 — known for its development of AitM tactics that are used in the campaigns — it's not entirely clear exactly to which nation the attacks are linked.

All told, the campaigns targeted more than 3,000 unique domains across more than 10 industries and government institutions, and six out of 10 malicious links that users clicked on were connected to some kind of phishing campaign or fraud, with one of four of phishing links getting past legacy URL filtering, the researchers found.

Overall, this activity demonstrates how "nation-state cyber actors are constantly refining their methods to make their attacks more sophisticated and adaptable," notes Patrick Tiquet, vice president, security and architecture, at Keeper Security. This, in turn, means enterprises must accept that "adapting cybersecurity strategies is an ongoing process that demands flexibility and agility," he says.

**Specific Credential-Stealing Campaigns**

Though the campaigns have similarities, each has its own unique set of targets and tactics, all with the ultimate goal of extracting credentials from corporate users for further malicious purposes, primarily cyber-espionage.

LegalQloud, so-named because it impersonates legal firms to steal Microsoft credentials, targeted 500 enterprises in 90 days and is exclusively hosted on Tencent Cloud, which is from the largest Internet company in China. This hosting enables the URLs to bypass traditional categorization and allow-list controls, the researchers said.

Eqooqp has been targeting multiple government and private sector organizations — including logistics, finance, petroleum, manufacturing, higher education, and research firms — with AitM attacks that can defeat MFA. Menlo found nearly 50,000 attacks associated with the campaign, which uses malicious HTML attachments or links to pages that mimic Microsoft to phish credentials.

Another phishing campaign, Boomer, is especially intricate, targeting the government and healthcare sectors with advanced evasive techniques that include dynamic phishing sites, custom HTTP headers, tracking cookies, bot-detection countermeasures, encrypted code, and server-side generated phishing pages.

"Boomer uses server-side generated phishing pages for rapid campaign deployment and modification, enhancing the campaign’s ability to evade traditional security tools, indicating a higher level of skill," according to the report. "Boomer also includes properly configured security headers, such as X-XSS-Protection, and uses legitimate libraries, like Font Awesome for icons."

The campaign's Web application also employs a hidden iframe that's designed to detect bots and scan automation as a further advanced evasion tactic, the researchers found.

**Demand for Stronger Defense**

What all this amounts to is that organizations continue to have their work cut out for them to keep up with the evolving nature of attacks, especially from well-resourced state-sponsored actors, security experts say.

AitM attacks in particular — in which attackers deploy a proxy server between a target user and the website the user wishes to visit — "are the future of cybercrime," notes one security expert, and will be a particular thorn in the side of organizations' security strategies going forward.

"\[They\] are extremely effective and much harder to trace and prevent compared to traditional social engineering attacks," says Mika Aalto, co-founder and CEO at human risk management platform firm Hoxhunt.

And while they historically have been technically difficult to achieve for attackers, their recent prevalence shows that threat actors are quickly navigating this barrier, which will bring on "a wave of serious breaches from AitM-integrated credential harvesters, BECs, and ransomware," he says.

"The bottom line is, you have to accept that some attacks will get through to your users and thus you must do your best to prepare them for that fateful moment," Aalto says. "Security awareness and phishing training must keep pace with the latest threats so that people understand AitM and dynamic phishing, and they know how to spot these attacks and stay safe. Indeed, as cybersecurity is now a matter of national security and not just about protecting an organization's own data, it must be treated with the highest priority," Tiquet observes.

This requires organizations to embrace a zero-trust framework that "must evolve alongside technological advancements, workflow changes and shifts in the threat landscape," Tiquet says, and be continually refined and adapted "to ensure it remains effective in mitigating risks and protecting sensitive information."

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

China-Sponsored Attackers Target 40K Corporate Users in 90 Days

By Nick Biasini with contributions from Kendall McKay and Guilherme Venere
Headlines continue to roll in about the many implications and follow-on attacks originating from leaked and/or stolen credentials for the Snowflake cloud data platform.

Adversaries obtained stolen login credentials for Snowflake accounts acquired via information-stealing malware and used

Thursday, June 27, 2024 08:01

_By Nick Biasini with contributions from Kendall McKay and Guilherme Venere_

Headlines continue to roll in about the many implications and follow-on attacks originating from leaked and/or stolen credentials for the Snowflake cloud data platform.

  
Adversaries obtained stolen login credentials for Snowflake accounts acquired via information-stealing malware and used those credentials — which weren’t protected by multi-factor authentication (MFA) — to infiltrate Snowflake customers’ accounts and steal sensitive information. However, Snowflake isn’t the issue here. This incident is indicative of a much larger shift we’ve seen on the threat landscape for a while — and it focuses on identity.

  
Over the past few decades, we’ve seen the criminal threat landscape collapse under the ransomware / data extortion umbrella, which is generating so much revenue everyone is trying to grab their piece of the pie. This has been a stark transformation from a loosely associated group of criminals searching for credit card numbers to steal, and spam messages to send to large syndicates that generate, according to the FBI, more than a billion dollars in revenue annually.

**Infostealer logs are a gold mine**

As part of our regular intelligence discussions, Talos reviews all Cisco Talos Incident Response (Talos IR) engagements. Ransomware/data extortion typically dominate engagements, with business email compromise (BEC) periodically rising to the top, but more broadly, we’ve seen the ways these actors gain initial access continue to diversify.

  
Early on, active exploitation of known vulnerabilities or other critical misconfigurations would dominate the initial compromise leading to the breach. Lately, the sources have broadened with a focus on compromised, legitimate credentials. These credentials originate from a wide array of sources from generic phishing campaigns and infostealers to insider threats, valid credentials are the ideal cover for malicious activities. This is further supported with information from the most recent Talos IR Quarterly Trends report, where the top infection vector was valid accounts. This problem extends far beyond compromised credentials with large-scale brute force and password spraying attacks occurring regularly.

  
Infostealers specifically are commonly cited as a source of credentials for these breaches and have been reportedly involved in the recent wave. Many defenders think the infostealers landscape is a monolith with individual actors compromising victims and gathering credentials, but the truth is these are highly organized widely distributed campaigns. The groups have congregated online in Telegram chat rooms where credentials are sold by the thousands or tens of thousands. These actors operate large scale campaigns, gather, vet, and organize the credentials they harvest ready to sell to the highest bidder. This ecosystem includes providing tooling for searching and extracting specific types of data from the logs and validating the credentials before offering.

Advertisement for one of the infostealer log services.

Cisco Talos has sat in these channels and seen thousands of personal credentials for things like Google, Facebook, Netflix, etc. posted for free as a teaser to the larger services they offer. For a fee, actors can get timed access to a repository of credentials to search and use freely. The cost to access these tools varies, but considering a compromised set of enterprise credentials could result in a multi-million-dollar ransom, it’s a minute price to pay.

Free infostealer log offering in Telegram channel.

These channels are full of would-be criminals trying to gain the foothold necessary for their nefarious activities. So far, the focus has been on ransomware and data extortion, but BEC actors can also earn payouts from valid enterprise credentials — even the basic accounts tied to organizations like Google can be a windfall. The Cisco breach from several years ago originated with Google credentials and a password vault that contained their corporate credentials.

  
Today in many enterprises, the credentials alone aren’t enough, as organizations worked diligently to deploy MFA to improve their security baselines. The challenge is that the application isn’t consistent, and the focus has largely been on the enterprise (domain) itself.

**Protect data with MFA, not just assets**

Organizations have heeded the constant drone of security professionals pushing for deployment of MFA across the organization and its helped. We’ve seen a huge increase in attacks designed to defeat the protections MFA provides. We constantly observe things like MFA fatigue and social engineering to defeat MFA. This is further supported from the IR Quarterly Trends report, where for the first time, MFA push notifications was the top observed security weakness. Improper MFA implementation was also found in nearly as many engagements. Likewise, MFA itself has gone through some iterations with basic push notifications being insufficient for modern attackers. Now, challenge-based authentication is recommended for all MFA deployments. Actors have noticed, and this recent issue with Snowflake credentials has shown you need to protect data, not just assets, and corporate data is everywhere.

  
Software as a service (SaaS) has revolutionized business and provided advanced sales tools and analytics to a wide array of industries, facilitating growth and expansion. The problem is it requires data to leave the organization’s safe haven. Most medium- to large-sized organizations today are heavily invested in the cloud, if not multi-tenet cloud environments, with data and resources spread across multiple vendors around the globe. This creates many points of entry for attackers that might be more focused on data exfiltration than unauthorized encryption in 2024.

  
We’ve noticed a marked shift over the last year or two with larger cartels increasingly focusing on the data they can exfiltrate over the data they can encrypt. There are a variety of factors driving this shift, most importantly technology is catching up. We are seeing more pre-ransomware engagements that are detected and stopped before deployment in our emergency responses (ERs), an important shift from the years prior. Organizations are prepared and ready to respond to ransomware and have solid, practiced recovery processes to minimize any effects of data encryption. This has driven actors to focus on the data they can steal over the data they can encrypt.

  
Actors running large scale infostealer campaigns have compromised tens of thousands, if not millions, of accounts and the breadth of accounts is extensive. Modern infostealers will gather credentials from web browsers, applications, and the system themselves to even include crypto wallets. For many organizations, this includes the SaaS applications that house sensitive data that, when stolen, can result in financial damage. It’s obvious criminals have taken notice — the recent activity was linked to Snowflake, but all SaaS providers and other organizations that house business-critical data for organizations are at risk.

**What can defenders do?**

The solution to this problem isn’t going to sound novel, in fact it's going to sound quite familiar. Primarily, anywhere critical data is housed, it needs to be protected with MFA. Organizations should conduct audits of all external data houses and ensure that the vendor supports MFA, and that MFA has been configured along with whatever logging capabilities are available, specifically associated with authentication.

  
The next thing organizations need to do is acknowledge and act on infostealer infections with urgency. Once an infostealers is detected, assume that all credentials on that system have been compromised, work quickly and effectively to remediate by resetting the passwords, remembering this spreads far beyond just the enterprise itself. Speed is of the utmost importance, as high-value credentials will be sold and actioned quickly. The goal is to make sure that whoever purchases the credentials cannot access critical data. Additionally, ensuring your users have a vetted and trusted way to store passwords is critical. By having an approved mechanism, you avoid credentials ending up stored in web browsers and easy picking for infostealers.

  
In a perfect world, we’d expect MFA to be deployed everywhere, but that’s not realistic. For instances where MFA cannot be deployed, there are a couple mechanisms to increase security and protection. If possible, limit the access of these accounts to the absolute least privilege. If internal assets are going to be accessed, look at deploying jump boxes. This creates a single point of connection where increased scrutiny can be applied. All non-MFA protected accounts should have increased visibility and all security alerts generated from these accounts should be investigated quickly and effectively.

  
As attackers continue to shift focus to the data they are trying to steal organizations need to take an honest look at where this data is housed and what data protections are in place to ensure you don’t end up in the headlines for stolen data being sold to the highest bidder, even if that bidder is the compromised organization itself.

Snowflake isn’t an outlier, it’s the canary in the coal mine

The site is supplying malicious code that delivers dynamically generated payloads and can lead to other attacks, after a Chinese organization bought it earlier this year.

Source: Bleakstar via Shutterstock

A domain that more than 100,000 websites use to deliver JavaScript code is now being used as a conduit for a Web supply chain attack that uses dynamically generated payloads, redirects users to pornographic and sports-betting sites, and can potentially lead to data theft, clickjacking, or other attacks. The malicious activity follows the sale of the domain polyfill\[.\]io to a Chinese organization earlier this year.

Security researchers are warning that the cdn\[.\]polyfill\[.\]io domain has been compromised to serve malicious code in scripts to end users in a widespread attack. The site allows websites to use modern JavaScript features in older browsers by including only the necessary polyfills based on the user's browser.

Researchers from security monitoring firm c/side sounded the alarm about the attack in an advisory by founder Simon Wijckmans warning website owners to "check your code for any use of the polyfill\[.\]io domain and remove it from your applications."

"This attack places an estimated +100k websites at immediate risk," he wrote. "When a once-safe domain is embedded in thousands of websites and concealed like JavaScript threats are, it becomes a tempting path for malicious actors."

**Dynamically Generated Payloads**

Specifically, researchers discovered malicious, obfuscated code that "dynamically generates payloads based on HTTP headers, activating only on specific mobile devices, evading detection, avoiding admin users, and delaying execution" being injected into devices via websites using cdn\[.\]polyfill\[.\]io, Wijckmans wrote.

"In some instances, users receive tampered JavaScript files, which include a fake Google Analytics link," he wrote. "This fake link redirects users to various sports betting and pornographic websites, seemingly based on their region."

Given that the malicious code is JavaScript, it also could "at any moment introduce new attacks like formjacking, clickjacking, and broader data theft," Wijkmans noted.

**Polyfill Users Were Forewarned**

Polyfill users were already clued in back in February of the potential for malicious activity and were advised to stop using the polyfill\[.\]io domain after it was purchased by Funnull, a Chinese company. Following the sale, the developer of the open source Polyfill project, Andrew Betts, urged users in a post on X to remove references to the content delivery network (CDN), in part because he never owned the site.

"I created the Polyfill service project but I have never owned the domain name and I have had no influence over its sale," he wrote.

A site called Pollykill was even created on Feb. 27 "to bring awareness to a major JavaScript supply chain vulnerability," since Polyfill was sold and all Polyfill traffic was pointed "to the Baishan Cloud CDN."

Pollykill also provides users with alternatives to using the site to deliver JavaScript to their websites, warning users of the "many risks associated with allowing an unknown foreign entity to manage and serve JavaScript within your web application."

"They can quietly observe user traffic, and if malicious intent were taken, they can potentially steal usernames, passwords and credit card information directly as users enter the information in the Web browser," according to the site.

**Immediate Action Required**

Supply chain attacks that compromise website scripts and other code that's used widely across applications or Web properties are serious business, which means anyone using Polyfill needs to take action now, Wijkmans said.

"Third-party resources are in a very powerful position and thus a high value target for bad actors," he wrote, adding that CDNs hosting third-party scripts are especially subject to attack.

However, one thing that's important to note is that "the Polyfill service itself is still solid," Wijkmans said. "You can host your own version in a safe and controlled environment without issue."

As the problem lies in the domain cdn\[.\]polyfill\[.\]io, it should immediately be removed from any site using it. Moreover, threat feeds currenty don't flag the domain, so administrators should not rely on that, Wijkmans added.

The Polykill website also advises developers to use a code search tool or integrated development environment (IDE) to search for instances of the malicious domain in source code across all projects within an organization. It cites resources by the developer community Fastly Connect that also can help them secure websites that use Polyfill; these include polyfill-fastly\[.\]net and polyfill-fastly\[.\]io, which are free drop-in replacements for polyfill\[.\]io in a website's code.

Fastly’s fork of the open source code 223 also can be used to self-host the service to maintain full control over the code delivered to users, according to Fastly.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Polyfill.io Supply Chain Attack Smacks Down 100K+ Websites

Affected devices could include wireless access points, routers, switches and VPNs.

Multiple vulnerabilities in TP-Link Omada system could lead to root access

LockBit claimed to have breached Federal Reserve but in fact the data came from Evolve Bank & Trust

A shockwave went through the financial world when ransomware group LockBit claimed to have breached the US Federal Reserve, the central banking system of the United States.

On LockBit’s dark web leak site, the group threatened to release over 30 TB of banking information containing Americans’ banking data if a ransom wasn’t paid by June 25:

LockBit leak site

> “Federal banking is the term for the way the Federal Bank of America distributes its money. The Reserve operates twelve banking districts around the country which oversee money distribution within their respective districts. The twelve cities which are home to the Reserve Banks are Boston, New York City, Philadelphia, Richmond, Atlanta, Dallas, Saint Louis, Cleveland, Chicago, Minneapolis, Kansas City and San Francisco.
> 
> 33 terabytes of juicy banking information containing American’s banking secrets.”

The statement ends expressing the group’s disappointment about a negotiator who apparently offered to pay $50,000.

So, you can imagine that everyone was anticipating the end of the countdown that signalled the release of the stolen data with bated breath.

However, when that deadline passed and the data was released, people who looked at the data found it did not, in fact, belong to the Federal Reserve but instead to a particular financial organization: Evolve Bank & Trust.

Overview of the available data

All the links lead to directories containing data that seems to belong to Evolve.

There hasn’t been enough time to do a full analysis of the huge amount of data, but it appears it is only remotely tied to the Federal Reserve by some included links to a Federal Reserve press link from mid-June.

At that time, the US Federal Reserve Board penalized Evolve Bancorp and its subsidiary, Evolve Bank & Trust, for multiple “deficiencies” in the bank’s risk management, anti-money laundering (AML) and compliance practices.

According to the Federal Reserve statement released at the time:

> “In addition, Evolve did not maintain an effective risk management program or controls sufficient to comply with anti-money laundering laws and laws protecting consumers.”

So, as expected, LockBit drew a lot of attention under false pretences.

The group was disrupted by law enforcement in February of 2024 and their activity diminished as a result. As the ThreatDown monthly ransomware review of May review pointed out:

> “While LockBit is technically still alive, it’s fair to say the group is not what it was: Not only are its attacks dwindling, but in early May law enforcement also revealed the identity of alleged LockBit leader Dmitry Khoroshev, aka LockBitSupp. LockBitSupp, who is now subjected to a series of asset freezes and travel bans, also has a reward of up to $10 million over his head for information that leads to his arrest.”

And recently the FBI announced it had over 7,000 LockBit decryption keys in its possession, allowing it to help victims to recover data encrypted by the gang in past attacks. LockBit ransomware has impacted over 1,800 US victims, according to FBI stats.

Back to the data, it’s good news it appears not to be from the Federal Reserve. However, it’s not good news for customers of Evolve Bank & Trust and their data may well have been stolen and published. And it’s a lot of data.

A lot of data

We’ll keep you updated on this developing story. For now, there’s no official statement from Evolve, but there are general things to know if you think you have been involved in a data breach.

**Protecting yourself after a data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Malwarebytes has a new free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Federal Reserve &#8220;breached&#8221; data may actually belong to Evolve Bank 

Google has taken steps to block ads for e-commerce sites that use the Polyfill.io service after a Chinese company acquired the domain and modified the JavaScript library ("polyfill.js") to redirect users to malicious and scam sites.
More than 110,000 sites that embed the library are impacted by the supply chain attack, Sansec said in a Tuesday report.
Polyfill is a popular library that

Supply Chain Attack / Web Security

Google has taken steps to block ads for e-commerce sites that use the Polyfill.io service after a Chinese company acquired the domain and modified the JavaScript library ("polyfill.js") to redirect users to malicious and scam sites.

More than 110,000 sites that embed the library are impacted by the supply chain attack, Sansec said in a Tuesday report.

Polyfill is a popular library that incorporates support for modern functions in web browsers. Earlier this February, concerns were raised following its purchase by China-based content delivery network (CDN) company Funnull.

The original creator of the project, Andrew Betts, urged website owners to immediately remove it, adding "no website today requires any of the polyfills in the polyfill\[.\]io library" and that "most features added to the web platform are quickly adopted by all major browsers, with some exceptions that generally can't be polyfilled anyway, like Web Serial and Web Bluetooth."

The development also prompted web infrastructure providers Cloudflare and Fastly to offer alternative endpoints to help users move away from polyfill\[.\]io.

"The concerns are that any website embedding a link to the original polyfill\[.\]io domain, will now be relying on Funnull to maintain and secure the underlying project to avoid the risk of a supply chain attack," Cloudflare researchers Sven Sauleau and Michael Tremante noted at the time.

"Such an attack would occur if the underlying third party is compromised or alters the code being served to end users in nefarious ways, causing, by consequence, all websites using the tool to be compromised."

The Dutch e-commerce security firm said the domain "cdn.polyfill\[.\]io" has since been caught injecting malware that redirects users to sports betting and pornographic sites.

"The code has specific protection against reverse engineering, and only activates on specific mobile devices at specific hours," it said. "It also does not activate when it detects an admin user. It also delays execution when a web analytics service is found, presumably to not end up in the stats."

San Francisco-based c/side has also issued an alert of its own, noting that the domain maintainers added a Cloudflare Security Protection header to their site between March 7 and 8, 2024.

The findings follow an advisory about a critical security flaw impacting Adobe Commerce and Magento websites (CVE-2024-34102, CVSS score: 9.8) that continues to remain largely unpatched despite fixes being available since June 11, 2024.

"In itself, it allows anyone to read private files (such as those with passwords)," Sansec said, which codenamed the exploit chain CosmicSting. "However, combined with the recent iconv bug in Linux, it turns into the security nightmare of remote code execution."

It has since emerged that third-parties can gain API admin access without requiring a Linux version vulnerable to the iconv issue (CVE-2024-2961), making it an even more severe issue.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Over 110,000 Websites Affected by Hijacked Polyfill Supply Chain Attack

Injected malicious JavaScript code gives attackers administrator rights on websites, and fills sites with SEO spam.

Source: Primakov via Shutterstock

A threat actor or actors has compromised multiple plug-ins on the WordPress.org site with code aimed at giving attackers administrative privileges as well as conducting further malicious activity.

WordPress.org's Plug-in Review team warned users on Monday that a plug-in called Social Warfare was infected by malicious code, according to a forum post. After noticing the post, Wordfence researchers did some follow-up and discovered that there were several more WordPress.org plug-ins injected with the same code, according to a blog post published by Wordfence on June 24.

In addition to Social Warfare, versions 4.4.6.4 and 4.4.7.1, the affected plug-ins include: Blaze Widget v2.2.5 to 2.5.2; Wrapper Link Element v1.0.2 to 1.0.3; Contact Form 7 Multi-Step Addon v1.0.4 to 1.0.5; and Simply Show Hooks v1.2.1.

Of the plug-ins, Social Warfare (a social-media-themed offering) has the most installations, with more than 30,000; the rest reached no more than hundreds at the most. Still, the presence of the same malicious code across all of them should raise alarm bells, as it suggests attempts at a larger supply chain attack, according to Wordfence.

Social Warfare has been patched in version 4.4.7.3; however, it and all of the affected plug-ins have been delisted and are unavailable for download, at least temporarily, though WordPress.org did not respond when Wordfence reached out about its discovery.

None of the other plug-ins currently have a patched version; however, someone has removed the malicious code from Wrapper Link Element in a current version that's been tagged as 1.0.0, which is lower than the infected versions and thus may make it difficult for users to update, according to Wordfence.

**Malicious Behavior**

The malicious code injected in the plug-ins "attempts to create a new administrative user account and then sends those details back to the attacker-controlled server" located at 94.156.79.8, Wordfence threat intelligence lead Chloe Chamberland wrote in the post. The campaign also uses the plug-ins to inject malicious JavaScript into the footer of websites and to add SEO spam throughout it, she said.

"The injected malicious code is not very sophisticated or heavily obfuscated and contains comments throughout making it easy to follow," Chamberland added.

The origin of the attack was likely June 21, and attackers were still updating plug-ins about five hours before WordFence published its post on the attack on June 24. The researchers still don't know exactly how the infection began, and is performing a deeper analysis with updates to follow, she said.

**Mitigating Attacks Via WordPress Plug-Ins**

Due to its widespread use as a foundation for websites, the WordPress platform and its plug-ins especially are a notoriously popular target for threat actors, giving them easy access to a broad attack surface. Typically, attackers target singular plug-ins with large install bases; however, the new attack suggests that attackers now may be eyeing more ambitious supply chain attacks across multiple plug-ins to broaden the impact of malicious campaigns, according to Wordfence.

As such an attack demands greater vigilance, Wordfence — which focuses on the security of the WordPress platform — is actively working on a set of malware signatures to provide detection for these compromised plug-ins. In the meantime, anyone using any of the plug-ins should remove them from any websites immediately and "go into incident-response mode," Chamberland said.

"We recommend checking your WordPress administrative user accounts and deleting any that are unauthorized, along with running a complete malware scan" to remove any malicious code, she said.

Wordfence also included in the post various indicators of compromise (IoCs) — including known usernames associated with attacker-controlled admin accounts — that WordPress administrators can use to identify evidence of the campaign. Also included is a link to a guide that provides advice on how to clean WordPress-based websites of malicious code.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

WordPress Supply Chain Attack Spreads Across Multiple Plug-ins

PRESS RELEASE

SAN FRANCISCO, June 20, 2024 /PRNewswire/ -- Abstract Security, crafted by category creators who have consistently redefined the cybersecurity landscape, today announced general availability (GA) of its revolutionary platform designed for the future of security operations. Already in use by customers, Abstract's platform helps security analysts and operations teams navigate the complexities of data pipelines, increase security effectiveness and lower costs.

"Since the inception of Abstract, we've been working tirelessly to combat the challenges of security operations today, offering a tool that focuses on the data that matters and ties security back to business value," said Ryan Clough, co-founder and CPO of Abstract Security. "With the explosion of data over the last few years, customers need a more customizable approach that moves beyond saved searches and dashboards. We're excited to reach this GA milestone as we bring the future security operations platform to more customers."

A key feature of Abstract's platform is the Abstract Security Engineer (ASE), which leverages a combination of AI, expert systems, machine learning, and subject matter expertise and connects to data sources across an organization, delivering instant data and detection capabilities. The security data fabric approach enables:

*   Advanced analytics and correlation: Abstract's platform enables customers to surface threats across their enterprise and cloud infrastructure in real-time. It's powered by out-of-the-box detection content provided by the Abstract research team, which is purpose-built for cloud and SaaS threats.
    
*   Security pipelines: With data routing, transformation and enrichment that is geared for security telemetry, customers can reduce the volume and cost of log data sent to their SIEM. A single point of collection enables drag-and-drop routing of data to any number of sources, including cloud storage, SIEMs, and data platforms.
    
*   Optimized storage: 95% of collected log data is not usable for detection. Abstract's platform intelligently divides hot, warm, and cold storage tiers to automatically optimize storage and compute costs and make the data relevant to security analytics accessible via instant queries.
    

Since emerging from stealth and announcing its Seed funding earlier this year, Abstract Security has expanded its global footprint, hired an experienced technology leader as CTO, and appointed a long-time industry expert to its Board of Directors. To aid in the continued development of the Abstract Security platform, the team has added visionary and innovator Jon Oltsik to its Advisory Board. With over 35 years of technology industry experience, Jon founded the cybersecurity practice at the Enterprise Strategy Group (ESG) in 2003 and has spent the subsequent 20 years studying cyber threats, cyber-risk management, technical defenses, and CISO strategies. Jon is widely recognized as an expert in all aspects of cybersecurity and is often called upon to help customers understand a CISO's perspective. Jon is a founding member of the Cybersecurity Canon, a project dedicated to identifying a list of must-read books for all cybersecurity practitioners, and he was named one of the top 100 cybersecurity influencers by Onalytica.

"Defending against cyber-attacks is more difficult today than it's ever been. With the complexity of infrastructure and sheer volume of data that organizations must manage, today's security analytics teams are tired of the status quo," said Jon Oltsik, Advisory Board member of Abstract Security. "Working as an analyst and advisor has given me a unique perspective into the pain points of industry leaders, and that's why I'm so excited about the unique approach that Abstract Security is taking to solve the problems in the SIEM marketplace, and have the opportunity to support and guide the team as they grow."

In the past several months, Abstract has also been recognized by notable industry awards including a Global Infosec Award for "Pioneering Cybersecurity Startup" at RSA Conference 2024, and most recently, a 2024 Cybersecurity Excellence Award in both "Best Cybersecurity Startup" and "SIEM" categories. The team's commitment to crafting an excellent platform for customers, keeping their sights on innovation, and thoughtful leadership won Abstract the award in both categories, beating out more than 600 applicants.

To learn more about Abstract Security's growing team and accomplishments, visit https://www.abstract.security/our-team or watch this Q&A with Jon Oltsik and CEO Colby DeRodeff. To book a demo, please contact \[email protected\].

About Abstract Security  
Abstract Security, founded in 2023, has built a revolutionary platform equipped with an AI-powered assistant to better centralize the management of security analytics. Crafted by category creators and industry veterans known for redefining the cybersecurity landscape, Abstract transcends next-gen SIEM solutions by correlating data in real time between data streams. As a result, compliance and security data can be leveraged separately to increase detection effectiveness and lower costs – an approach that does not currently exist in the market.

Co-founders Colby DeRodeff, Ryan Clough, Aaron Shelmire, and Chris Camacho bring a unique set of experiences and backgrounds in product development and company-building expertise, formerly at companies like ArcSight (acq. by HP), Mandiant (acq. by Google), Palo Alto Networks and others. For more information about the company, please visit https://www.abstract.security/ and follow the journey @Get\_Abstracted.

Tag

#cisco