2023 Security Service Edge (SSE) Adoption Report finds that SSE technology addresses key pain points including much-needed solution consolidation, transition to hybrid work and need for hardened security.

**PLANO, Texas****,** **Jan. 10, 2023** **/PRNewswire/ --** Axis, in partnership with Cybersecurity Insiders, released industry-first data with its 2023 Security Service Edge (SSE) Adoption Report. This report distills insights from 355 cybersecurity professionals on the migration from legacy access solutions such as Virtual Private Networks (VPNs) in light of the new hybrid workplace and the rapidly growing SSE market.

With 88% of organizations supporting a hybrid or remote work model, it's clear that the way people work has changed, thus organizations are realizing that the means in which secure access is achieved must also adapt.

**SSE is crowned queen when it comes to securing the modern workplace**

In just under two years since the term was first introduced, SSE has become immensely popular, with nearly three out of four cybersecurity professionals (71%) now familiar with the category. The study found that SSE now ranks as more critical than SSO, MFA, endpoint security, and SIEM when it comes to zero trust. Furthermore, 65% of organizations plan to adopt an SSE platform in the next 24 months, with 43% planning on implementing it before the end of 2023.

This year the industry will see SSE quickly become a top strategic initiative for organizations as it plays a major role in Secure Access Service Edge (SASE) adoption, and successful Zero Trust implementation. 67% state that they will start their SASE strategy with an SSE platform, compared to 33% with SD-WAN. One bonus statistic that was uncovered was regards to single-vendor SASE vs. multi-vendor SASE preference. The audience was split (~50% for each).

**The benefits of SSE for cost reduction and productivity are clear drivers of business adoption**

The impact of remote and hybrid work has led to the proliferation of security solutions for organizations. The research found that 63% of enterprises have 3 or more security solutions in use to enable access, while nearly a quarter leverage 6 or more. This contributes to an increase in costs to the business, and complexity in management. Respondents stated that complexity in access management ranked second, right behind the fact legacy access solutions grant too much inherent trust to users – when it came to top challenges.

SSE services provide a means of reducing costs and reliance on the internal appliance stack and external appliance stack in a new macroeconomic climate. The top two legacy solutions that enterprise security teams will look to replace with SSE will be VPN Concentrators (63%) for VPN, SSL inspection services (50%) and DDoS (44%) with data loss prevention services (42%) being a very close fourth place.

Cost reduction, high availability, and reliability, have long been benefits of cloud services. Hence, it was not surprising that 60% of respondents said that they prefer SSE services built on a public cloud backbone. In addition, there was overwhelming agreement that including Digital Experience Monitoring (DEM) is important for any SSE platform (90%). As teams evaluate SSE, they are prioritizing platforms with DEM capabilities.

As teams contemplate where they should begin utilizing SSE for their business, nearly 50% of organizations have decided to start by securing access for their remote and hybrid employees. And, given the mass adoption of hybrid work, this a logical starting point for the businesses.

"Uncovering this data shines light on the truth about SSE adoption in the context of SASE, the criticality of SSE compared to other zero trust ecosystem technologies, and the positive impact SSE has on business as they transform" said Dor Knafo, Co-founder and CEO of Axis. "We are even more excited to continue to build on our Atmos SSE platform for our customers, and deliver on the promise of SSE and SASE, as we continue our mission of harmonizing secure access for the modern workplace."

Read the full 2023 Security Service Edge Adoption report here

**About Axis Security**

Axis' vision is to bring harmony to workplace connectivity and that the sooner IT adopts zero trust, the sooner we can witness a world where the exchange of information is always fast, seamless, and secure. With 350 Axis cloud service edges across the world, Axis helps IT leaders enable their employees, partners, and customers to securely access business data without the pitfalls of network-centric solutions or application limitations that every other zero trust service faces. Through its world-class research and development and founding team which hails from Israel's acclaimed Unit 8200, Axis aims to accelerate the world's transition to a modern workplace where hybrid work is made simple, digital experience becomes a competitive advantage and business data remains protected from cyber threats even as it moves to the cloud. For more information, visit www.axissecurity.com. Follow us on Twitter and on LinkedIn.

SOURCE Axis Security

65% of Organizations Plan to Adopt a Security Service Edge Platform in Next 2 Years: Axis Security

The Serbian government reports that it staved off five attacks aimed at crippling Serbian infrastructure.

The Serbian Ministry of the Interior reported over the weekend being targeted by at least five separate distributed denial-of-service (DDoS) attacks in 48 hours, intended to hobble the country's IT infrastructure.

Working together, the Ministry of Internal Affairs and Telecom Serbia were able to fend off the DDoS attacks.

"All attacks were repelled and the Ministry's bases were protected and safe," the statement said. "Enhanced security protocols have been activated, which can lead to slower work and occasional interruptions of certain services, all in order to protect the data of the Ministry of Internal Affairs."

The cyberattacks come amid rising tensions in the Balkans as a result of the Russian invasion of Ukraine.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Serbia Slammed With DDoS Attacks

Categories: Threat Intelligence
One criminal scheme often leads to another. This blog digs into a credit card skimmer and its ties with other malicious services.



(Read more...)




The post Crypto-inspired Magecart skimmer surfaces via digital crime haven appeared first on Malwarebytes Labs.

_This blog post was authored by Jérôme Segura_

Online criminals rarely reinvent the wheel, especially when they don't have to. From ransomware to password stealers, there are a number of toolkits available for purchase on various underground markets that allow just about anyone to get a jumpstart.

During one of our crawls, we spotted a skimmer using the 'Mr.SNIFFA' framework that targets e-commerce sites and their customers. In recent years, this skimmer has adopted various obfuscation techniques as well as steganography to load its malicious code and exfiltrate stolen credit card data. While Magecart threat actors usually pick domain names after third-party libraries, or Google Analytics, in this case they went with a crypto-inspired theme which we had not seen before.

Digging further into the skimmer's infrastructure on Russian-based hosting provider DDoS-Guard, we came across a digital crime haven for cryptocurrency scams, Bitcoin mixers, malware distribution sites and much more. This blog post will cover the technical details of the skimmer and its crime-filled ecosystem.

**Overview**

When looking for malicious code on the web, we tend to inspect HTML code, JavaScript dependencies as well as redirects. What makes some attacks interesting is how they will purposely avoid leaving obvious signs, try to only load one time or maybe dynamically in some unsuspecting format.

In this case, we saw an e-commerce website that was injected with a link to an external website named after American Entrepreneur and BTC supporter Michael J. Saylor (saylor2xbtc\[.\]com). We should note that the sites we found injected with this skimmer had nothing to do with cryptocurrencies themselves. However, interest in targeting this industry has been shown before and likely such attacks are still happening.

_Figure 1: Skimmer attack chain_

As the skimmer code is dynamically unpacked in the DOM it will harvest card payment details and exfiltrate those in a similar fashion. In the next section, we will show exactly what happens during this process of data collection and exfiltration.

_Figure 2: Fiddler traffic capture_

**Technical details****Mr.SNIFFA skimmer**

Back in the spring of 2020, an advert for a new skimmer was posted to a criminal forum. The product, called mr.SNIFFA, claims to have code that cannot be seen using browser tools and works across different browsers. More importantly, the author offers free bug fixes and 24/7 support.

_Figure 3: Tweet about new product being advertised_

It seems some of those promises were true as a clever feature that hides the skimmer was implemented later on: 

_Figure 4: Update to mr.SNIFFA's code_

**Loader**

Going back to this latest skimming attack, the first interesting piece is the JavaScript loaded from elon2xmusk\[.\]com. You have to scroll down halfway through it and after a number of tab entries, you can finally see some lightly obfuscated code.

_Figure 5: Loader with leading and tailing white space_ 

This loader is quite important with what happens next because it is meant to load a special CSS file hosted at (2xdepp\[.\]com/stylesheet.css). In effect, all these different parts are connected and needed for the skimmer to get properly loaded.

**Core**

The beginning of the file contains standard CSS content, in this case code to render fonts. But we can also notice a lot of white space beneath and a very long side scroll bar.

_Figure 6: Skimmer hiding inside CSS file_

Turning on special characters in the text editor program reveals over 88k lines containing spaces, tabs and new line feeds. That encoded whitespace data is converted into binary code via the original loader (elon2xmusk\[.\]com/jquery.min.js).

This particular technique was previously documented by Denis Sinegubko and Eric Brandel in a thread about some new features in the Mr.Sniffa toolkit.

_Figure 7: White space encoding characteristic of Mr.SNIFFA skimmer_

When decoding this piece of the code we end up with the same skimmer produced by Eric Brandel.

_Figure 8: Decoded skimmer identical to previously reported Mr.SNIFFA_

**Exfiltration**

At the checkout page, we see the payment form injected by the skimmer. Note the grammar mistake at the bottom "_please enter your card details and will charge you later_". This is a small detail, but those who pay attention to details will view it as a sign of a fraudulent form.

Stolen credit card data will be exfiltrated back to the attackers using the same special character encoding and sent as an image file.

_Figure 9: Data exfiltration via encoded image file_

**Infrastructure overview****DDoS-Guard hosting**

The 3 domains involved in this skimmer campaign were or are hosted on DDoS-Guard infrastructure, a Russian company that provides DDoS protection, CDN and hosting among some of its services. It has hosted controversial websites and according to a blog post by Group-IB documenting a leak and source code dump, "_DDoS-Guard also provides computing capacities and obstructs the identification of website owners of hundreds of shady resources that are engaged in illicit goods sale, gambling, and copyright infringements_".

_Figure 10: VirusTotal graph showing connections to DDos-Guard_

We previously wrote about Magecart groups relying on bulletproof infrastructure such as the hoster in Ukraine's Luhansk region. The obvious advantage is that takedowns are practically impossible and criminals can grow their infrastructure undisturbed.

**Immediate neighbors**

Often times criminals will buy and sell across different services. With stolen credit cards, the path to monetization can be via resale or using money mules and eventually funneling funds back home. It can be difficult and time consuming to try to map out exactly where a threat actor's playground begins and ends. In this instance we decided to follow the crypto-naming theme and explore other places of interest.

On the same IP address (185.178.208\[.\]174) as elon2xmusk\[.\]com (skimmer loader), there is a fraudulent store (3houzz\[.\]com) that is copying the legitimate Houzz retailer. This type of sites is generally promoted via spam or malicious redirects.

_Figure 11: Comparison of fake and legitimate Houzz websites_

On the same IP address (185.178.208\[.\]181) as 2xdepp\[.\]com (skimmer hidden in CSS code), we can find orvx\[.\]pw, a website selling CPanel, RDP and Shells:

_Figure 12: Marketplace for remote access and shells_

There is also bestmixer\[.\]mx, a service to mix cryptocurrencies. Criminals, especially ransomware actors, love to use mixers to make money harder to trace back to them.

_Figure 13: Bitcoin mixer service_

On the same subnet and at 185.178.208\[.\]190 is blackbiz\[.\]top, there is a forum for criminals to advertise various malware services, including ransomware:

_Figure 14: Crimeware forum_

**Additional criminal services**

To look deeper into this rather vast network, we leveraged the services provided by SilentPush and used their free community app to run a number of queries. The domains part of the skimmer attack all have '2x' in their name and appear related to cryptocurrencies:

saylor2xbtc\[.\]com  
elon2xmusk\[.\]com  
2xdepp\[.\]com

The first query we tried was a "Domain Search" to look for any domain with '2x' in their name that's using DDoS-Guard infrastructure.

*   domain\_regex=^\[a-z-\]{0,}2x\[a-z-\]{0,}.\[a-z\]{1,}$
*   asn\_starts\_with=DDOS-GUARD
*   last\_seen\_min=2022-12-31

_Figure 15: SilentPush interface with domain query_

**Cryptocurrency giveaways **

These fake sites claim to be official events from Tesla, Elon Musk, MicroStrategy, or Michael J. Saylor and are tricking people with false hopes of earning thousands of BTC. These crypto giveaway scams have grown five-fold in H1 2022, according to a September 2022 report by Group-IB.

_Figure 16: Scam giveaway site_

**Malware distribution **

A number of domains mimicking AnyDesk, MSI afterburner, Team Viewer, or OBS that download malware instead. These phishing pages have been appearing in recent reports about malvertising abusing Google ads like the one reported by Guardio Labs (leading to Vidar and other infostealers) as well as SilentPush (leading to Ursnif).

Domains under this section are dropping a similar Vidar version along with Aurora in other cases. Domains mentioned by Guardio Labs report (traidlngvieew\[.\]site, msi-afterbarner\[.\]com) point to the infrastructure under our investigation (185.149.120\[.\]9).

_Figure 17: Fake AnyDesk website that downloads malware_

**Credit cards (FULLZ)**

This is a web portal named after investigative journalist Brian Krebs offering stolen credit cards for sale. 

This domain is synchronized with other previously known briansclub domains and related to the threat actor "Brian Krebs" who advertised it on the altenan site in May 2021. The card data appears to be identical with other domains and there are unique BTC addresses on each deposit. (Thanks to the real Brian Krebs and Gemini Advisory for providing this additional piece of information).

_Figure 18: Login page for stolen credit cards_

_Figure 19: Dump of stolen credit cards_

**PhaaS platform Robin Banks**

Robin Banks is a phishing-as-a-service platform that was first observed in March 2022 specializing in selling phishing kits. In a July 2022 report, IronNet saw the motivation for criminals to use the kit as more than phishing for typical credentials but also of interest to Initial Access Brokers. After it was booted off Cloudflare, the Robin Banks infrastructure relocated to DDos-Guard as robinbanks\[.\]su. We now see the domain beta4us\[.\]click associated with ASN47674 (NETSOLUTIONS).

Figure 20: Login page for phishing as a service RobinBanks

**Conclusion**

In this blog post, we identified a Magecart skimmer using the mr.SNIFFA toolkit and infrastructure from DDoS-Guard. The domain names used to serve the skimmer referenced public figures or names well-known in the cryptocurrency world. This allowed us to follow the trail and discover a number of other malicious domains, some of which may be connected to the original threat actor.

Where one criminal service ends another one begins but often times they are linked. Looking beyond snippets of code and seeing the bigger picture helps to better understand the larger ecosystem as well as to see potential trends.

Malwarebytes customers were already protected against the first layer of this skimmer and we've added detection for the rest of the infrastructure. To learn more about you can better protect your organization from the latest threats, set up a 15-minute call with our experts to tailor a custom plan.

**Acknowledgements**

We would like to thank the team at SilentPush for their contribution and help while investigating this skimmer and related infrastructure. Feel free to check out their community app which we used in this research.

**Indicators of Compromise**

**Indicator**

**Type**

**Description**

hxxps://saylor2xbtc\[.\]com/vqK4Pq

URL

Redirect

hxxps://elon2xmusk\[.\]com/jquery\[.\]min\[.\]js

URL

Loader

hxxps://2xdepp\[.\]com/stylesheet\[.\]css

URL

Skimmer

185\[.\]178\[.\]208\[.\]174

IP

Skimmer hosting

185\[.\]178\[.\]208\[.\]181

IP

Skimmer hosting

185\[.\]178\[.\]208\[.\]190

IP

Crime forum

185\[.\]149\[.\]120\[.\]19

IP

Crypto scams

185\[.\]149\[.\]120\[.\]47

IP

Crypto scams

185\[.\]149\[.\]120\[.\]67

IP

Crypto scams

185\[.\]149\[.\]120\[.\]77

IP

Crypto scams

185\[.\]149\[.\]120\[.\]89

IP

Crypto scams

185\[.\]149\[.\]120\[.\]95

IP

Crypto scams

185\[.\]149\[.\]120\[.\]107

IP

Crypto scams

185\[.\]149\[.\]120\[.\]9

IP

Malware distribution

185\[.\]149\[.\]120\[.\]123

IP

Malware distribution

185\[.\]149\[.\]120\[.\]133

IP

Malware distribution

185\[.\]149\[.\]120\[.\]61

IP

Stolen credit card store

185\[.\]236\[.\]228\[.\]114

IP

RobinBanks phishing

3houzz\[.\]com

Domain

Fake store

Crypto-inspired Magecart skimmer surfaces via digital crime haven

The Russian cyberespionage group known as Turla has been observed piggybacking on attack infrastructure used by a decade-old malware to deliver its own reconnaissance and backdoor tools to targets in Ukraine.
Google-owned Mandiant, which is tracking the operation under the uncategorized cluster moniker UNC4210, said the hijacked servers correspond to a variant of a commodity malware called

Cyberespionage / Threat Analysis

The Russian cyberespionage group known as **Turla** has been observed piggybacking on attack infrastructure used by a decade-old malware to deliver its own reconnaissance and backdoor tools to targets in Ukraine.

Google-owned Mandiant, which is tracking the operation under the uncategorized cluster moniker **UNC4210**, said the hijacked servers correspond to a variant of a commodity malware called ANDROMEDA (aka Gamarue) that was uploaded to VirusTotal in 2013.

"UNC4210 re-registered at least three expired ANDROMEDA command-and-control (C2) domains and began profiling victims to selectively deploy KOPILUWAK and QUIETCANARY in September 2022," Mandiant researchers said in an analysis published last week.

Turla, also known by the names Iron Hunter, Krypton, Uroburos, Venomous Bear, and Waterbug, is an elite nation-state outfit that primarily targets government, diplomatic, and military organizations using a large set of custom malware.

Since the onset of Russia's military invasion of Ukraine in February 2022, the adversarial collective has been linked to a string of credential phishing and reconnaissance efforts aimed at entities located in the country.

In July 2022, Google's Threat Analysis Group (TAG) revealed that Turla created a malicious Android app to supposedly "help" pro-Ukrainian hacktivists launch distributed denial-of-service (DDoS) attacks against Russian sites.

The latest discovery from Mandiant shows that Turla has been stealthily co-opting older infections as a malware distribution mechanism, not to mention taking advantage of the fact that ANDROMEDA spreads via infected USB keys.

"USB spreading malware continues to be a useful vector to gain initial access into organizations," the threat intelligence firm said.

In the incident analyzed by Mandiant, an infected USB stick is said to have been inserted at an unnamed Ukrainian organization in December 2021, ultimately leading to the deployment of a legacy ANDROMEDA artifact on the host upon launching a malicious link (.LNK) file masquerading as a folder within the USB drive.

The threat actor then repurposed one of the dormant domains that were part of ANDROMEDA's defunct C2 infrastructure – which it re-registered in January 2022 – to profile the victim by delivering the first-stage KOPILUWAK dropper, a JavaScript-based network reconnaissance utility.

Two days later, on September 8, 2022, the attack proceeded to the final phase with the execution of a .NET-based implant dubbed QUIETCANARY (aka Tunnus), resulting in the exfiltration of files created after January 1, 2021.

The tradecraft employed by Turla dovetails with prior reports of the group's extensive victim profiling efforts coinciding with the Russo-Ukrainian war, potentially helping it tailor its follow-on exploitation efforts to harvest the information of interest to Russia.

It's also one of the rare instances where a hacking unit has been identified targeting victims of a different malware campaign to meet its own strategic goals, while also obscuring its role.

"As older ANDROMEDA malware continues to spread from compromised USB devices, these re-registered domains pose a risk as new threat actors can take control and deliver new malware to victims," the researchers said.

"This novel technique of claiming expired domains used by widely distributed, financially motivated malware can enable follow-on compromises at a wide array of entities. Further, older malware and infrastructure may be more likely to be overlooked by defenders triaging a wide variety of alerts."

**COLDRIVER Targets U.S. Nuclear Research Labs**

The findings also come as Reuters reported that another Russian state-sponsored threat group codenamed COLDRIVER (aka Callisto or SEABORGIUM) targeted three nuclear research labs in the U.S. in early 2022.

To that end, the digital assaults entailed creating fake login pages for Brookhaven, Argonne, and Lawrence Livermore National Laboratories in an attempt to trick nuclear scientists into revealing their passwords.

The tactics are consistent with known COLDRIVER activity, which recently was unmasked spoofing the login pages of defense and intelligence consulting companies as well as NGOs, think tanks, and higher education entities in the U.K. and the U.S.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Russian Turla Hackers Hijack Decade-Old Malware Infrastructure to Deploy New Backdoors

The Automated Libra group is deploying all components of its campaign in an automated manner via containers, stealing free trial resources for cryptomining, but the threat could get larger.

More information has become available on "PurpleUrchin," a malicious campaign in which a threat group called Automated Libra is using DevOps and continuous integration/continuous deployment (CI/CD) practices to mine cryptocurrency on cloud platforms using free trial accounts.

The campaign began in August 2019 and has mainly targeted platforms such as GitHub, Heroku, and ToggleBox. Security vendor Sysdig first reported on the campaign last October. This week, Palo Alto Networks' Unit 42 threat hunting team provided fresh insight on the campaign based on a recent analysis of the threat group's activities — and noted that while cryptomining is the game now, the infrastructure could be used to deliver much worse threats down the road.

Unit 42's research showed that Automated Libra has so far created some 180,000 free trial accounts on various cloud platforms — substantially more than Sysdig had initially reported — using an automated container-based approach for spinning them up. At its peak last November, Automated Libra was creating between three and five new accounts on GitHub every minute. Sysdig previously had estimated that the coin-mining activity via free trial accounts was costing GitHub some $100,000 in lost revenue per user account.

**A Fully Containerized Operation**

Unit 42's analysis showed each individual component of PurpleUrchin's cryptomining operation — from user account creation to coin-mining and trading — shipped within a container and deployed in a highly automated manner. 

An initial container contains all the tools needed for automatic account creation. That container automatically creates new accounts on a targeted cloud provider's platform, while also pulling down tools for creating additional containers with cryptomining components for each of the user accounts.

These additional containers house the individual and unique containerized components of the larger operation, says William Gamazo, principal threat researcher for Unit 42 at Palo Alto Networks. For example, they include containers specific to the accounts created for each targeted cloud provider, containers created for system administration (like panel displays for monitoring the mining operation), and containers created for coin-miners themselves.

The threat actors have implemented each component in the architecture as a container, Gamazo says. "In some cases, the entire process starts with a single script," he notes. That script calls on a configuration file stored in DockerHub, GitHub, or BitBucket for its base operational guidelines, Gamazo tells Dark Reading.

"From here, the process becomes highly dynamic and modular, with the creation of a user account that pulls down a container that will start the mass container generation process — essentially a single container that builds all of the additional containers required to perform the mining operation."

The container functionality for initial account creation on GitHub also includes a feature that allows Automated Libra to bypass CAPTCHA images using relatively straightforward image analysis techniques. The CAPTCHA bypass technique basically reuses publicly available tools, though in some cases the threat actors did perform some custom processing.

"While we didn’t feel the actor was very sophisticated, they were very effective with this tactic," Gamazo notes.

**A DevOps Approach to Optimize Resource Utilization**

Unit 42 researchers assessed that Automated Libra had adopted the DevOps and CI/CD approaches to optimize its ability to utilize the limited resources available to them under the free trial programs that many cloud vendors offer. 

"We have not directly witnessed other threat actors performing these types of containerized operations," Gamazo says. "However, last year we saw DDoS attack implementations using containers as part of the deployment," he notes pointing to a pro-Ukrainian denial-of-service campaign that CrowdStrike reported on last May that involved compromised Docker honeypots.

To create user accounts for free trials, the threat actors likely used stolen or fake credit cards, Unit 42 said. In some cases, the attackers adopted what the security vendor described as a "play and run" approach where they used a cloud provider's resources for a certain period of time but then disappeared without paying the bill for those services. 

The largest unpaid balance that Unit 42 researchers were able to uncover during their research was just $190. But the unpaid balances in other fake accounts could have been much larger considering the scale and breadth of the PurpleUrchin cryptomining operation, they noted.

**Cryptomining Now; Much Worse Later?**

Cryptomining attacks — where a threat actor stealthily uses an organization's computing resources to mine for cryptocurrencies — have become extremely common in recent years. A study that Kaspersky conducted last year showed that threat actors mainly distribute malicious mining software via unpatched vulnerabilities. In 2022's third quarter, more than 15% of vulnerability exploits that Kaspersky analyzed involved cryptomining tools. In the same quarter, Kaspersky counted more than 150,000 new miner variants, or more than triple the number from 2021's third quarter.

Nathaniel Quist, manager of cloud threat intelligence at Unit 42, says that in the PurpleUrchin campaign, Automated Libra actors were using free or limited-use cloud services specifically for their CPU resources. But that doesn't mean that they couldn’t have used it for other purposes as well. The actors, for instance, could have used these resources to perform malicious operations targeting victim organizations such as scanning, brute-forcing accounts, or hosting malicious content.

"If this happened, the victim would have been targeted by attacks originating from the trusted cloud service providers where the actors were creating these accounts," he notes.

The key takeaway for enterprise organizations is that threat actors will increasingly use containers for malicious infrastructure deployment in coming years. "Trusted sources such as cloud providers, cloud storage services, and public services hosted on clouds will be leveraged for launching attacks and it will be prevalent and difficult to detect," he says.

PurpleUrchin Gang Embraces DevOps in Massive Cloud Malware Campaign

Amid escalating cyber activity, two separate cybersecurity frameworks are targeting the satellite arena, highlighting the ease in attacking the infrastructure and the difficulty in defending it.

With cyberattacks becoming a reality against the space sector's infrastructure in 2022, two groups are aiming to get ahead of future attacks by creating framework initiatives.

The goal of the frameworks is to better understand not only potential threats — in terms of the traditional tactics, techniques, and procedures (TTPs) applied to the space sector — but also to help companies and government agencies create countermeasures against attacks targeting satellites and spacecraft.

On Jan. 3, the US National Institute of Standards and Technology (NIST) and the MITRE Corp., which is also a government contractor, released a version of the NIST Cybersecurity Framework tailored to the ground-based portion of the space sector. The NIST publication complements another effort by nonprofit government contractor The Aerospace Corp., which created in October the Space Attack Research and Tactics Analysis (Sparta) matrix, a version of the MITRE ATT&CK framework applied to threats against space-based infrastructure.

**Cyberattacks Are Now Targeting Satellites**

Early in 2022, the FBI and CISA warned that attacks against satellite ground-based and space-based infrastructure could become a reality — and it soon did. The year saw nation-state operations targeting Viasat and SpaceX's Starlink satellites, and forcing governments and aerospace companies to create defenses against the attacks.

In the early days of Russia's invasion of Ukraine, for example, Russia-aligned hackers targeted the ground-based segment of Viasat's satellite communications network, taking Internet modems offline throughout Europe. Soon after, Russia also targeted the distributed satellite Internet service Starlink, according to government officials and SpaceX CEO Elon Musk, which has been critical for providing the Ukraine war effort with Internet connectivity.

"Starlink has resisted Russian cyberwar jamming & hacking attempts so far, but \[attackers are\] ramping up their efforts," Musk stated on Twitter last May.

In November, Starlink was in the crosshairs again, with Russia-linked Killnet APT targeting it with a DDoS campaign that made the service inaccessible for several hours.

As a corollary, satellites have also become proposed targets of non-cyberattacks as well. In the most recent example, Chinese researchers proposed a 10 megaton nuclear blast 50 miles from the Earth's surface as a way to disable Starlink satellites that pass through the radioactive cloud.

**Computers, Not Lost in Space**

Cyberattackers in this arena are far more likely to be advanced persistent threats (APTs) sponsored by nation-states — often looking to disable satellites and spacecraft. But much of today's ground-based satellite infrastructure uses common computer and communications technologies, which could open the door to other players.

The similarities allow attackers to more easily exploit the systems underpinning satellite systems, while the complex supply chain makes the infrastructure easier to attack, Neil Sherwin-Peddie, head of space security for defense and government contractor BAE Systems Digital Intelligence, stated in a recent column for Dark Reading_._

"Satellites are effectively just platforms with embedded systems and interfaces, including radio communications, telemetry tracking control systems, and ground segment connections," he wrote. "These are all essentially enterprise networks, but that also makes them avenues of opportunity for cybercriminals."

The attack on Viasat consisted of two components and underscores that known attack methods can be tailored to ground-based and space-based satellite systems.

First, the attackers exploited "a misconfiguration in a VPN appliance to gain remote access" to the ground-based network, according to a Viasat advisory. The attackers then discovered and compromised the management network for the satellite network and issued commands to the ground-based modems.

"Specifically, these destructive commands overwrote key data in flash memory on the modems, rendering the modems unable to access the network, but not permanently unusable," the company stated.

These commands performed functions similar to a wiper attack, overwriting critical data to disrupt operations, a common approach in cyber-physical attacks, according to a subsequent analysis performed by independent cybersecurity researcher Ruben Santamarta.

New attack vectors are looming for the future, as well. 

"We will see more automation on the spacecraft, and therefore we will need more on-board autonomous cyber protection," says Brandon Bailey, a senior project leader for the Cyber Assessments and Research Department at The Aerospace Corp. "This means integrating items like segmentation, authentication, encryption, and intrusion detection \[and\] prevention on-board the spacecraft will be a must in the future."

**Frameworks Cover Both Ground & Space**

The NIST Cybersecurity Framework for the Satellite Ground Segment (NIST-IR-8401) builds on a common approach to cyber-defense that includes five major functions: the identification of assets and their cyber-risks, the development of technologies and procedures to protect those assets, the capability to detect attacks, the infrastructure needed to respond to any incident, and the ability to recover from attacks.

"The ground segment is becoming more interconnected and cloud-based ground infrastructures, however legacy space operations and the space vehicles themselves use custom software and hardware that was not generally created to be part of a modern highly interconnected cyber-ecosystem," NIST-IR-8401 states. "This can be especially problematic with legacy components that may have been created prior to the development of security best practices or that use obsolete security measures."

The Sparta framework aims to cover cyberattacks on the space-based components, such as satellites, spacecraft and other systems. The framework will grow and change as the field evolves and the TTPs used by attackers change, says Bailey of The Aerospace Corp.

"Cyber on the spacecraft side is relatively new field; therefore, as vulnerabilities — like PCSpoof — are disclosed, we will add TTPs and countermeasures," he says. "We also intend on working with the Space ISAC, and as it matures ... we will incorporate threat information and TTPs that are identified."

Space Race: Defenses Emerge as Satellite-Focused Cyberattacks Ramp Up

Attackers have compromised a Colombian financial institution and are using a bevy of leaked customer details in further malicious activity to spread an info-gathering remote access Trojan (RAT).

Threat actors are using data stolen from a Colombian bank as a lure in what appears to be a malicious campaign aimed at spreading the BitRAT malware, researchers have found. The activity demonstrates the evolution of how attackers are using commercial, off-the-shelf malware in advanced threat scenarios, they said.

Researchers at IT security and compliance firm Qualys were investigating "multiple lures" for BitRAT when they identified that the infrastructure of a Colombian cooperative bank had been hijacked. Attackers were using sensitive data gleaned from that compromise to try to capture victims, they reported in a blog post published Jan. 3.

"While digging deeper into the infrastructure, we identified logs that point to the usage of the tool sqlmap to find potential SQLi faults, along with actual database dumps," Akshat Pradhan, senior engineer of threat research at Qualys, wrote in the post.

Overall, threat actors leaked 4,18,777 rows of sensitive data from the bank's customers, including details such as Colombian national ID numbers — called "Cedula" numbers — as well as email addresses, phone numbers, customer names, payment records, salary, home addresses, and other data, researchers said.

So far, researchers have not seen the data dumped on any hacker forums or Dark Web sites, and are following standard breach-disclosure guidelines as they further investigate, they said.

**A Commercial RAT With a Long Tail****

Threat actors began marketing BitRAT on underground cybercriminal markets starting in February 2021. The RAT is notorious for its social media presence and its relatively low price of $20, which makes it popular among cybercriminals, researchers said.

Key capabilities of BitRAT include: data exfiltration, execution of payloads with bypasses, distributed denial of service (DDoS), keylogging, webcam and microphone recording, credential theft, Monero mining, and running tasks for process, file, and software, among others.

BitRAT is an example of how the use of commercial RATs has evolved not only with new capabilities for propagation, but also by harnessing the use of legitimate infrastructures to host malicious payloads, Pradhan said. This is something that enterprises now need to account for in their respective security defense postures, he noted.

To that end, researchers advised that all organizations employ endpoint detection and response (EDR) solutions to detect malware such as BitRAT as it inserts itself into a network endpoint, they said. Functions like asset management, vulnerability detection, policy compliance, patch management, and file-integrity monitoring capabilities across a system are key for combating malware like this, they added.

Enterprises should also implement external attack surface management solutions, which allow for continuous monitoring and reduction of the entire enterprise attack surface — including internal and Internet-facing assets and discover previously unidentified exposures — to counter evolving threats, researchers said.

****Anatomy of the BitRAT****

Researchers found and analyzed a cache of Excel sheets — all authored by "Administrator" — being used as lures for a BitRAT campaign, with data from the tables being reused in Excel maldocs as well being included in the database dump, they said.

"The Excel contains a highly obfuscated macro that will drop an .inf payload and execute it," Pradhan wrote in the post. "The .inf payload is segmented into hundreds of arrays in the macro."

A de-obfuscation routine performs arithmetic operations on the arrays to rebuild the payload once it's ready for execution, with the macro then writing the payload to "temp" and executing it via a file called advpack.dll, he said.

The macro itself also includes a hex-encoded, second-stage .dll payload that is decoded via certutil, written to "%temp%\\," and executed by the command "rundll32," researchers found. After this process is executed, the temp files are then deleted, they said.

It's this .dll file that uses various anti-debugging techniques to download and execute the final BitRAT payload. The file also uses the WinHTTP library to download BitRAT-embedded payloads from a GitHub repository created in mid-November by a "throwaway" account to the "%temp%" directory, Pradhan wrote.

In the final stage of BitRAT execution, the .dll uses WinExec to start the "%temp%" payload and exits. To maintain persistence on a user's machine, the BitRAT sample starts and then relocates the loader to the user's startup, the researchers said.

**

BitRat Malware Gnaws at Victims With Bank Heist Data

A new Linux malware developed using the shell script compiler (shc) has been observed deploying a cryptocurrency miner on compromised systems.
"It is presumed that after successful authentication through a dictionary attack on inadequately managed Linux SSH servers, various malware were installed on the target system," AhnLab Security Emergency Response Center (ASEC) said in a report published

A new Linux malware developed using the shell script compiler (shc) has been observed deploying a cryptocurrency miner on compromised systems.

"It is presumed that after successful authentication through a dictionary attack on inadequately managed Linux SSH servers, various malware were installed on the target system," AhnLab Security Emergency Response Center (ASEC) said in a report published today.

shc allows shell scripts to be converted directly into binaries, offering protections against unauthorized source code modifications. It's analogous to the BAT2EXE utility in Windows that's used to convert any batch file to an executable.

In an attack chain detailed by the South Korean cybersecurity firm, a successful compromise of the SSH server leads to the deployment of an shc downloader malware along with a Perl-based DDoS IRC Bot.

The shc downloader subsequently proceeds to fetch the XMRig miner software to mine cryptocurrency, with the IRC bot capable of establishing connections with a remote server to fetch commands for mounting distributed denial-of-service (DDoS) attacks.

"This bot supports not only DDoS attacks such as TCP flood, UDP flood, and HTTP flood, but various other features including command execution, reverse shell, port scanning, and log deletion," ASEC researchers said.

The fact that all the shc downloader artifacts were uploaded to VirusTotal from South Korea suggests that the campaign is mainly focused on poorly secured Linux SSH servers in the country.

It's recommended that users follow password hygiene and rotate passwords on a periodic basis to prevent brute-force attempts and dictionary attacks. It's also advised to keep the operating systems up-to-date.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New shc-based Linux Malware Targeting Systems with Cryptocurrency Miner

There are a few reasons that the topic of API security has been popping up more and more as 2022 comes to a close.

Back in July 2021, Gartner predicted that by 2022, application programming interface (API) attacks will become the most frequent attack vector, causing data breaches for enterprise web applications.

Was the analyst firm right? It's too early to know for sure since OWASP is still tallying the results.

API attacks are back in the news. It turns out the likely ingress point for the Optus breach was a lowly REST API. And someone has leaked all of the data stolen from the Twitter breach — which also involved an API.

When we talk about API security, we're referring to the measures and practices that we use to secure APIs and the data they transmit. We might be worried about unauthorized access, adverse reaction to a DDoS (more than one API has fallen over and left the underlying system wide open and completely insecure), or other malicious attacks.

There's an art to securing APIs; a light touch and a delicate combination of technical and organizational skills are required to do it right.

On the technical side we’re looking at measures such as authentication and authorization, encryption, automated testing, and monitoring. On the organizational side, you need to know exactly who in the org chart the API was designed to serve, and tailor access accordingly. For external APIs, you need to know how much data should be available to the outside world, and how that data needs to be curated and presented.

**How Are APIs Protected?**

There's a sane order of operations when you're trying to secure your company's APIs.

First, find and catalog every API. The number of companies that actually do this and keep their API inventory up to date is small indeed. Developer convenience, rapid website development, and the increasing push towards federated services all contribute to mystery APIs popping up out of the blue without any kind of compulsory registration structure in place.

To avoid this kind of API creep, every single one of them should be registered centrally with the following information:

*   Name
*   Tools and packages used to build the API
*   Servers that it runs on
*   Services that rely on that API
*   Documentation of all valid uses and error codes
*   Typical performance metrics
*   Expected uptime or downtime windows

All of this information goes into a repository run by the cybersecurity team.

Second, set up security and performance automation for every API. This is why you asked for all of that information, and this is how you keep everything secure. Using the data provided by the developers (and DevOps team, the Web team, etc.), the cybersecurity and/or testing team can put together automation that tests the API regularly.

Functional tests are important because they make sure that everything is working as expected. Non-functional tests are important because they probe the reliability and security of the API. Remember that APIs must fail securely. It isn't enough to know that one has fallen over — you need to know the consequences of that failure.

Finally, add the API to the normal threat prevention suite. If any of the tools or packages used to build the API are found to be buggy, you need to know. If any of the protocols that it uses are deemed insecure when you do detect trouble, you need to have the team shut the APIs down until they can be examined and rebuilt.

Doing these things once is great; creating a programming and security culture that allows you to maintain fully cataloged and documented APIs is the long-term goal.

**Specific API Behaviors to Note**

When pen testing and securing an API, some techniques are more useful than others.

1.  **Start with behavioral analysis.** This tests whether or not the reality matches the documentation in terms of the level of access granted, the protocols and ports used, the results of successful and unsuccessful queries, and what happens to the system as a whole when the API itself stops functioning.
2.  **Next is service levels.** This involves the priority of the process itself on the server, rate limiting for transactional APIs, minimum and maximum request latency settings, and availability windows. Some of these details are important for DDoS prevention (or blunting). Others are useful to monitor whether there are any slow memory leaks or garbage collection issues that might be a long-term threat to the integrity of the server itself.
3.  **Authentication and sanitation issues** speak directly to the level of trust you have for the API's users. As you would with any service, queries need to be sanitized before they're accepted. This prevents code injection, buffer overflows, and the like.

There needs to be some level of authentication with APIs that are designed for a specific user base. However, this can get complex. Federation is one issue that you need to deal with, determining which central identification and authentication servers you'll accept. You might want to have two-factor authentication for particularly sensitive or powerful APIs. And of course authentication itself isn't necessarily a password these days; biometrics is a valid way to wall off an API. To make a long story short: Apply the standards that you find reasonable, and test the limitations that you've set on a regular basis.

Finally, encryption and digital signatures need to be part of the conversation. If it's on the Web, then we're talking about TLS at minimum (repeat the mantra: We don't REST without TLS!). Other interfaces also need encryption, so pick your protocols wisely. Remember that the static information, be it a database or a pool of files somewhere, also needs to be encrypted. No flat text files anywhere, no matter how "innocent"; salt and hash should be the standard. And checksums are a must when providing or receiving files that are known entities (size, contents, etc.).

Finally, key management can be difficult to get right. Don't expect every DevOps person to have perfect digital key implementation when a decent portion of the cybersecurity folks are half-assing it themselves. When in doubt, go back to the OWASP Cheat Sheet! That's what it's there for.

**Responding to an API Attack**

The cardinal rule is: If your API is going to fail, pinch off access. Under no circumstance should services fail in an open or accessible state. Remember to rate-limit and keep error messages short and generic. Don't worry about honey pots or API jails — worry about survival.

Custom-crafted API attacks on an individual basis need to be treated like any other breach attempt. Whether you caught the attempt yourself or via AI/ML analysis, follow your SOP. Don't cut corners because it's "just" an API.

API security separates the mediocre CISO who focuses solely on infrastructure from the masterful CISO who addresses actual business threats and ensures survivability. Create a system for API security, create reusable interface testing automation, and keep your API inventory up to date.

API Security Is the New Black

The effectiveness of attacks largely depends on organizations' distributed denial-of-service defenses.

As Russian ground troops prepared to enter Ukraine in February 2021, Ukrainian governmental departments, online media organizations, financial firms, and hosting providers were slammed with a surge of distributed denial-of-service (DDoS) attacks. These attacks only increased in frequency and impact as Russian tanks rolled across the border, adding to the frenzy and chaos of that time.

Quick to hit back, Ukraine's IT Army sprang to life during the early days of the conflict. Much like Ukraine's volunteer army on the ground, recruits flooded in from all over the world to take part in the brewing war being waged online between Russia and Ukraine, with observed DDoS attacks focused on Russian targets increasing by 236% between February and March.

What seems clear is that whether issued by hacktivists or nation-states, DDoS attacks are often the opening salvo between opposing forces in today’s geopolitical conflicts. Compared with other types of cyberthreats, DDoS attacks can be launched relatively quickly. In addition, while DDoS attacks can cause significant disruption on their own, they can also mask or distract attention from more significant threats.

And, as seen in Ukraine and elsewhere, the use of DDoS attacks on the digital battlefield seems to be increasing. This article will examine the history of DDoS attacks for geopolitical conflict compared with recent attacks, providing insights that organizations can use to protect themselves from collateral damage.In summary, events during the last year have proven that DDoS attacks — whether launched by nation-states, ideological groups, or rogue individuals — will not diminish any time soon. DDoS remains an effective tool for disrupting networks and degrading the morale of countries embroiled in sociopolitical upheaval, with new attacks happening every day. To stay protected in this time of war and geopolitical conflict, organizations must remain vigilant in their defense.

**2022: A Record-Setting Year for DDoS**

The use of DDoS attacks to gain geopolitical advantage is nothing new, but the frequency at which these types of attacks are growing is noteworthy. In the latest "DDoS Threat Intelligence Report," Netscout reported more than 6 million attacks in the first half of 2022. Of these attacks, a majority corresponded with national or regional conflicts.

To continue with the Ukraine example, the frequency of DDoS attacks directed at Ukraine leveled off by April 2022, while cyberattacks ratcheted up against perceived allies of Ukraine. This likely is attributable to Ukrainian Internet properties migrating to countries like Ireland, as instability in the intra-Ukraine Internet forced many network segments to rely upon connectivity in other countries.

Echoes of this conflict continue to resonate across the global Internet. In March 2022, India experienced a measurable increase of DDoS attacks following its abstentions from United Nations Security Council and General Assembly votes condemning Russian actions in Ukraine. Similarly, during the first half of the year, Belize endured its single highest number of DDoS attacks on the same day that it made public statements in support of Ukraine.

Elsewhere, the nation of Finland — a close neighbor of Russia — experienced a 258% percent year-over-year increase in DDoS attacks coinciding with its announcement to apply for membership in NATO. Poland, Romania, Lithuania, and Norway, meanwhile, all were targeted with DDoS attacks by adversaries linked to Killnet, a group of online attackers aligned with Russia.

But these examples rooted in the conflict between Russia and Ukraine are not the only online battlegrounds where fights over geopolitics are being waged. As tensions between Taiwan and China and Hong Kong and China escalated during the first half of the year, DDoS attack campaigns often coincided with public events. For example, in the run-up to Nancy Pelosi's historic visit to Taiwan this summer, the website of Taiwan's presidential office and other government websites went dark due to DDoS attacks. And in Latin America, during a contentious election in Colombia this past year, waves of successive DDoS attacks were launched during the initial vote and the contested runoff.

One common thread is that many of these attacks use known attack vectors and readily available DDoS-for-hire services, also known as booter/stressor services, found on the Dark Web. These illicit services typically offer a restricted tier of free demonstration DDoS attacks to prospective customers, lowering the bar for would-be attackers to rapidly spin up attacks at very little to no cost. However, because these attack vectors are well-known, they can be easily mitigated in most circumstances.

**Don't Become Collateral Damage**

DDoS attacks have the potential to seriously disrupt Internet operations for their intended targets, but they can also cause a significant collateral impact footprint for bystander organizations and Internet traffic. This risk is particularly high as data hosting and services flow from war-torn regions like Ukraine to locations abroad.

In many of the examples listed above, the effectiveness of attacks largely depended upon whether targeted organizations had organized DDoS defenses. In Ukraine and other countries, disruption was quickly remedied for unprotected organizations as global DDoS defense companies stepped in to help Ukrainian organizations that needed it. However, ongoing defenses are still needed for most organizations.

Amid this environment, the most prudent course of action to prevent collateral damage is to regularly assess DDoS risk factors, especially related to direct service delivery elements, supply chain partners, and other dependencies. Organizations should ensure that critical public-facing servers, services, applications, content, and supporting infrastructure are adequately protected. They also should check to make sure DDoS defense plans reflect ideal current configurations and operational conditions, and that the plans are periodically tested to verify that they can be successfully implemented as required.

In summary, events during the last year have proven that DDoS attacks — whether launched by nation-states, ideological groups, or rogue individuals — will not diminish any time soon. DDoS remains an effective tool for disrupting networks and degrading the morale of countries embroiled in sociopolitical upheaval, with new attacks happening every day. To stay protected in this time of war and geopolitical conflict, organizations must remain vigilant in their defense.

Tag

#ddos