Whether protecting a financial institution or a hospital, everyone needs an effective strategy for fending off slippery threats like those that hide in memory.

Advanced threats are now more accessible than ever. On the Dark Web you can buy or rent zero-day attacks, fileless malware, supply chain compromises, and malware that targets device memory processes.

In 2021, memory compromise was the most common of the top five MITRE attack techniques, and the number of fileless attacks increased by over 900%. The number of zero-days seen in the wild more than doubled from 2020, according to Google's Project Zero. In 2022 data breaches were just 60 short of the all-time record of 1,862 breaches, set in 2021. There was a notable dip in data breach volumes during the first half of 2022, likely because Russia-based cybercriminals were too distracted or preoccupied by the invasion of Ukraine, along with volatility in the cryptocurrency market.

Advanced cyberattacks against well-defended networks have resulted in crippled oil pipelines, school systems, and even entire countries. And we will never know how many successful attacks on major enterprises occurred that never went public.

**Threats Hide in Memory to Avoid Detection**

Detection technologies are essential defenses in any IT environment. They include next-generation antivirus (NGAV), endpoint protection platform (EPP), endpoint detection and response/extended detection and response (EDR/XDR), and managed detection and response (MDR). But the most advanced threats and new variants of existing threats are specifically designed to evade these tools, usually by hiding in memory.

Scanners try to identify malware and malicious activity by looking at known signatures. But even if you have multiple layers of security technologies, these scanners cannot see threats that don't have recognizable signatures, are fileless, or exist in memory, which is impossible to scan effectively at runtime. After all, if you don't know what to look for and can't see your environment in real time, you can't find what you can't see.

Memory is a major vulnerability in modern cybersecurity because standard cybersecurity tools can't find stealthy, unknown, and evasive threats in memory — certainly not fast enough to stop attacks. As a result, security teams end up one step behind threat actors.

**The Memory Security Gap Is Growing**

Threat actors are targeting memory because it's the best place to persist on a device while remaining invisible. This is because runtime memory is such a big space that it's basically impossible to scan without massively degrading performance, leaving it mostly undefended by security controls.

To avoid compromising performance, detection-based solutions like EDR must look at memory selectively. They depend on picking specific times and spaces in memory to scan and looking for certain indicators, such as the recently released Cobalt Strike Yara rules.

Because threats can hide in a vast space and be reconfigured to avoid triggering rulesets, scanning solutions miss evasive threats almost all the time.

In a device's run-time memory environment, threats can steal credentials, hijack legitimate processes, and even turn a low-privileged user into a system administrator.

For example, malicious versions of the pen-testing framework Cobalt Strike enable threat actors to deploy a loader in the memory of a legitimate application, such as PowerShell. This means the threat exists purely in the memory environment while an application is running.

**Adding Memory Defenses**

The only way to reliably prevent compromise by advanced threats is to deploy a layered security posture that makes attackers' lives difficult. This means building secure networks, hardening systems, and deploying security technologies like EDR, EPP, and AV to spot malicious behavior and keep security teams informed about network activity. Security teams also need to consider solutions that protect memory by denying access to untrusted actors.

One way to protect memory is by using moving target defense technology to randomize the run-time memory environment so attackers can't find what they're looking for, breaking their attack chain. Instead of a static, known target environment, an attacker faces a dynamic memory environment containing decoy traps that capture unauthorized activity for forensic analysis.

As advanced threats become more common, layered security that incorporates memory defense is becoming essential. Without it, there is no effective way to stop threats targeting device memory.

How Good Is Your Advanced Threat Management?

If companies prioritize communications and make the DevOps process more transparent, team members will better know what vulnerabilities to look for.

Customer satisfaction is today's business battleground. The winners are the companies that deliver the best, highest-functioning software and applications in the shortest amount of time.

ChatGPT is the latest example of a winning app. In just a few months, the tool has reached 100 million users, making it the fastest-growing consumer application ever. Its success has also set off an artificial intelligence (AI) apps arms race, with competitors, including Google, emerging to grab market share as fast as possible. This race illustrates the ongoing struggle companies face to quickly develop high-performing software and applications that are also highly secure. This is a delicate balance in today's environment, where trading security for speed could lead to disastrous consequences.

**Security-Speed Balance**

One method that companies are embracing to strike this balance is implementing the "shift left." The shift left in this context refers to moving practices related to testing software as early in the development process as possible. By embracing the shift left, technology teams — specifically DevOps teams — can identify bugs, errors, and vulnerabilities early on and resolve them, resulting in high-performing, highly secure software, and applications.

Here are four steps DevOps teams can take to embrace the shift left, improve application performance, reduce vulnerabilities, and win the security battle.

**Step 1: Define the Security Strategy**

No army worth its salt heads into the field without a detailed map of the terrain, information on adversaries, and a hierarchy in place with responsibilities for every rank. The same should be true of any DevOps unit shifting left.

Companies should take the time to identify who will be in charge of what responsibilities, determine metrics for success, and formalize procedures. DevOps leaders should build appropriately staffed teams, implement processes that maximize security, and determine what kind of tests they will run and how often they will run them. Businesses should also identify and prepare for specific known vulnerabilities that could lead to issues.

Shifting left involves developing a new set of principles for software delivery and security; thus, planning and defining the strategy is very important.

**Step 2: Understand the Development Pipeline and Deployment Process**

As companies shift left, it's critical to have a thorough understanding of the software development pipeline and the deployment process.

This pipeline is the set of tools and processes in place to build and release software and applications. Once this analysis and understanding is complete, DevOps teams can begin carrying out tests in the build pipelines, checking code validity within development environments, and much more.

One solution that is helping DevOps teams map and understand their pipelines and embrace the shift left is observability. With observability, teams can help teams get a single-pane-of-glass view across applications, databases, and infrastructures that can be key to understanding application performance, user experience, and the overall environment required for modern application architecture. Some observability solutions even offer live code profiling that automatically sees potential user issues or performance bottlenecks before code is shipped.

**Step 3: Include Security Automation**

In enterprise technology, software teams have turned to automation to streamline testing for multiple reasons. First, manually testing software can introduce human error. Second, the shift left requires companies to test software as early and often as possible. And while these principles are meant to create more secure, better-performing products, this high volume of testing can also result in overloaded teams, requiring DevOps to manually evaluate every new feature the development team introduces.

To avoid this scenario, DevOps teams should use tools that automate running tests. Doing so will help reduce the stress placed on DevOps teams while also providing faster feedback related to any vulnerabilities that may be found in software code. Generally, automating tests in the development cycle allows organizations to increase the speed with which a product is completed while ensuring that fewer bugs or vulnerabilities are found later.

**Step 4: Build a Culture of Transparency**

While automation and modern technology can contribute significantly to an organization's success, a more human process and trait plays an equally important role — communication and transparency.

One of the key principles behind DevOps is narrowing the divide between development and production. Increasing communication and transparency across the product and software development life cycle can help narrow this divide. As it relates to the shift left, involving the appropriate team members as early as possible and during every step in the process is key to increasing transparency.

By prioritizing communication and adding transparency to the process wherever possible, team members will better understand how to test, what vulnerabilities to look for, and how to make software and applications more secure, better performing, and more resilient.

4 Steps for Shifting Left & Winning the Cybersecurity Battle

The Italian data protection watchdog, Garante per la Protezione dei Dati Personali (aka Garante), has imposed a temporary ban of OpenAI's ChatGPT service in the country, citing data protection concerns.
To that end, it has ordered the company to stop processing users' data with immediate effect, stating it intends to investigate the company over whether it's unlawfully processing such data in

Artificial Intelligence / Data Safety

The Italian data protection watchdog, Garante per la Protezione dei Dati Personali (aka Garante), has imposed a temporary ban of OpenAI's ChatGPT service in the country, citing data protection concerns.

To that end, it has ordered the company to stop processing users' data with immediate effect, stating it intends to investigate the company over whether it's unlawfully processing such data in violation of the E.U. General Data Protection Regulation (GDPR) laws.

"No information is provided to users and data subjects whose data are collected by Open AI," the Garante noted. "More importantly, there appears to be no legal basis underpinning the massive collection and processing of personal data in order to 'train' the algorithms on which the platform relies."

ChatGPT, which is estimated to have reached over 100 million monthly active users since its release late last year, has not disclosed what it used to train its latest large language model (LLM), GPT-4, or how it trained it.

That said, its predecessor GPT-3 utilizes text sourced from books, Wikipedia, and Common Crawl, the latter of which maintains an "open repository of web crawl data that can be accessed and analyzed by anyone."

The Garante also pointed to the lack of any age verification system to prevent minors from accessing the service, potentially exposing them to "inappropriate" responses. Google's own chatbot, called Bard, is only open to users over the age of 18.

Additionally, the regulator raised questions about the accuracy of the information surfaced by ChatGPT, while also highlighting a data breach the service suffered earlier this month that exposed some users' chat titles and payment-related information.

In response to the order, OpenAI has blocked its generative AI chatbot from being accessed by users with an Italian IP address. It also said it's issuing refunds to subscribers of ChatGPT Plus, in addition to pausing subscription renewals.

The San Francisco-based company further emphasized that it provides ChatGPT in compliance with GDPR and other privacy laws. ChatGPT is already blocked in China, Iran, North Korea, and Russia.

In a statement shared with Reuters, OpenAI said it actively works to "reduce personal data in training our AI systems like ChatGPT because we want our AI to learn about the world, not about private individuals."

OpenAI has 20 days to notify the Garante of the measures it has taken to bring it in compliance, or risk facing fines of up to €20 million or 4% of the total worldwide annual turnover, whichever is higher.

The ban, however, is not expected to impact applications from other companies that employ OpenAI's technology to augment their services, including Microsoft's Bing search engine and its Copilot offerings.

THN WEBINAR

Become an Incident Response Pro!

Unlock the secrets to bulletproof incident response – Master the 6-Phase process with Asaf Perlman, Cynet's IR Leader!

Don't Miss Out – Save Your Seat!

The development also comes as Europol warned that LLMs like ChatGPT are likely to help generate malicious code, facilitate fraud, and "offer criminals new opportunities, especially for crimes involving social engineering, given its abilities to respond to messages in context and adopt a specific writing style."

This is not the first time AI-focused companies have come under the radar. Last year, controversial facial recognition firm Clearview AI was fined by multiple European regulators for scraping users' publicly available photos without consent to train its identity-matching service.

It has also run afoul of privacy laws in Australia, Canada, and the U.S., with several countries ordering the company to delete all of the data it obtained in such a manner.

Clearview AI told the BBC News last week that it has run nearly a million searches for U.S. law enforcement agencies, despite being permanently banned from selling its faceprint database within the country.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Italian Watchdog Bans OpenAI's ChatGPT Over Data Protection Concerns

An agency database WIRED obtained reveals widespread use of so-called 1509 summonses that experts say raises the specter of potential abuse.

US Immigration and Customs Enforcement agents are using an obscure legal tool to demand data from elementary schools, news organizations, and abortion clinics in ways that, some experts say, may be illegal. 

While these administrative subpoenas, known as 1509 custom summonses, are meant to be used only in criminal investigations about illegal imports or unpaid customs duties, WIRED found that the agency has deployed them to seek records that seemingly have little or nothing to do with customs violations, according to legal experts and several recipients of the 1509 summonses. 

A WIRED analysis of an Immigration and Customs Enforcement (ICE) subpoena tracking database, obtained through a Freedom of Information Act request, found that agents issued custom summons more than 170,000 times from the beginning of 2016 through mid-August 2022. The primary recipients of 1509s include telecommunications companies, major tech firms, money transfer services, airlines, and even utility companies. But it’s the edge cases that have drawn the most concern among legal experts, 

The outlier cases include custom summonses that sought records from a youth soccer league in Texas; surveillance video from a major abortion provider in Illinois; student records from an elementary school in Georgia; health records from a major state university’s student health services; data from three boards of elections or election departments; and data from a Lutheran organization that provides refugees with humanitarian and housing support.

In at least two instances, agents at ICE used the custom summons to pressure news organizations to reveal information about their sources. 

All of this is done without judicial oversight. 

“This is really dangerous,” says Matthew Guariglia, a policy analyst at the Electronic Frontier Foundation, a digital rights nonprofit. He adds that the frequent and apparently widespread use of 1509 summonses creates “a situation where this agency can fully go rogue” by using this tool in investigations that fall outside the scope of the law.

Two current agents from ICE’s Homeland Security Investigations (HSI) arm cautioned against drawing conclusions about potential abuse of the summons without additional context about each investigation referenced in the database. The agents, who asked not to be named because they are unauthorized to speak to the media, argue that because the agency is responsible for enforcing hundreds of laws pertaining to customs—including the distribution of child sexual abuse material (CSAM)—it’s possible that each summons was issued for a permissible investigation under the law. 

However, a former high-level Department of Homeland Security (DHS) official, who spoke on the condition of anonymity because their current employer forbids them from speaking to the press, expressed serious concern about many of the summonses. “It seems reasonable that ICE should be able to inspect records from a company like Amazon for customs investigations,” they say. “But what possible use or authority would ICE have for subpoenaing records from an abortion clinic?”

“It's like all power,” the official adds. “If it's not controlled, it gets abused.”

Casting a Wide Net

The 1509 customs summons is an administrative subpoena explicitly and exclusively meant for use in investigations of illegal imports or unpaid customs duties under a law known as Title 19 US Code 1509. Its goal is to provide agencies like ICE with a way to obtain business records from companies without having to go to a judge for a warrant. 

The subpoena-tracking database that WIRED obtained offers the most detailed breakdown of how ICE has been using the customs summons to date. The data shows that between January 4, 2016, and August 22, 2022, ICE issued 172,679 summonses, averaging more than 70 per day. Half of these were sent to telecommunications companies like AT&T, T-Mobile, and Comcast. Big technology companies like Google, Meta, and Microsoft collectively received nearly 15,000 summonses. Of the thousands of summonses sent to social media companies, Meta and Snapchat make up the vast majority.

ICE Is Grabbing Data From Schools and Abortion Clinics

An arbitrary file download vulnerability in the background management module of RuoYi v4.7.6 and below allows attackers to download arbitrary files in the server.

**Welcome to Gitee**

Continue with Google

Continue with Github

OR

please enter your vaild email

Continue with Email

By creating an account, you agree to the Terms of Use as well as Non-active Account Processing Specification

如果您是中国用户，可以 跳转到中文版登陆页 ，或者中文版注册页

return

**No Gitee account related to this email**

**Only one step left to create a account**

email

verification code

Send me the verification code

Resend

Create account

return

**Your email has a Gitee account**

**If Gitee account is yours, please bind it with your account by verifying your password**

Yes，that's mine

Go Back

return

**This will bind your account with Gitee account. If it's binding another account,it will unbind first.**

email

password

Log in

Forget password?

CVE-2023-27025: Login - Gitee.com

Launching CSPM, container workload security, and cloud vulnerability management to modernize cloud security operations.

**MOUNTAIN VIEW, Calif.--(****BUSINESS WIRE****)--** Elastic (NYSE: ESTC) (“Elastic”), the company behind Elasticsearch, today announced expanded capabilities for Elastic Security including Cloud Security Posture Management (CSPM) for AWS, container workload security, and cloud vulnerability management. Building on the previously released Kubernetes security posture management (KSPM) and Cloud Workload Protection Platform (CWPP) capabilities, Elastic now delivers a comprehensive security analytics solution that includes complete Cloud Native Application Protection for AWS.

According to Gartner, more than 85% of organizations are moving to a cloud-first model and 95% of new digital workloads are being deployed on cloud-native platforms. However, 99% of cloud failures will be the customer’s fault due to mistakes like cloud misconfigurations. Research from Elastic Security Labs found that nearly 1 in 3 (33%) attacks in the cloud leverage credential access, indicating that users often overestimate the security of their cloud environments and fail to configure and protect them adequately.

“Many companies have a fragmented approach to cloud security, as security and devops teams pivot between multiple dashboards,” said **Ken Buckler, Research Analyst - Security and Risk Management, Enterprise Management Associates.** “Unified visibility across all cloud resources, as well as on-premises systems, is critical to quickly identify and stop security threats at scale, especially when attackers repeatedly cross boundaries between cloud and on-premise in attempts to evade detection. With Elastic Security, organizations can streamline their cloud security operations by establishing real-time, unified visibility across their environments in a single interface.”

Elastic’s comprehensive suite of cloud security capabilities includes:

*   **Cloud Workload Protection** (generally available) — Expands on existing runtime security for traditional endpoints, enabling cloud security teams to gain deep visibility into the entire runtime workload including standalone Linux workloads, virtual machines, and infrastructure hosted in AWS, Google Cloud, and Microsoft Azure.
*   **Container Workload Protection** (beta) — Provides cloud security teams deep visibility into container workloads in managed Kubernetes environments with pre-execution runtime analysis for workloads running in Amazon EKS, GKE, and AKS environments.
*   **Cloud Security Posture Management** (beta) — Enables cloud security teams to continuously detect and remediate misconfigurations across workloads in AWS and Amazon EKS in real-time with Center for Information Security (CIS) benchmark controls, out-of-the-box integrations, and posture management dashboards and reports.
*   **Cloud Vulnerability Management** (beta) — Uncovers cloud-native vulnerabilities in AWS EC2 workloads with minimal resource utilization on workloads and enumerating vulnerabilities with risk context to help cloud security teams identify and respond to potential risk.

“Elastic Security is a unified security solution offering SIEM, endpoint, and cloud security capabilities—rooted in data management and analytics—that enables customers to protect, investigate and respond to threats across their entire infrastructure,” said **Santosh Krishnan, General Manager of Elastic Security, Elastic**. “The expansion of Elastic Security’s comprehensive cloud security capabilities provides organizations with the power they need to modernize their cloud security operations, improve attack surface visibility, reduce vendor complexity, and accelerate remediation.”

For more information, read the blog.

Gartner Press Release, "Gartner Says Cloud Will Be the Centerpiece of New Digital Experiences," November 10, 2021.

**About Elastic:**

Elastic (NYSE: ESTC) is a leading platform for search-powered solutions. We help organizations, their employees, and their customers accelerate the results that matter. With solutions in Enterprise Search, Observability, and Security, we enhance customer and employee search experiences, keep mission-critical applications running smoothly, and protect against cyber threats. Delivered wherever data lives, in one cloud, across multiple clouds, or on-premise, Elastic enables 19,900+ customers and more than half of the Fortune 500, to achieve new levels of success at scale and on a single platform. Learn more at elastic.co.

The release and timing of any features or functionality described in this document remain at Elastic’s sole discretion. Any features or functionality not currently available may not be delivered on time or at all.

_Elastic_ and associated marks are trademarks or registered trademarks of Elastic N.V. and its subsidiaries. All other company and product names may be trademarks of their respective owners.

Elastic Expands Cloud Security Capabilities for AWS

The State of Email Security Report reveals cyber risk commands the C-suite's focus.

**DUBAI****, UAE****,** **March 31, 2023** **/PRNewswire/ --** Mimecast, an advanced email and collaboration security company, today announced the publication of its annual "The State of Email Security 2023" (SOES) report. The global survey is based on responses from 1,700 IT and security decision-makers, providing readers with key takeaways on the current threat landscape and offering recommendations to help organizations improve their cybersecurity posture.

Download the full report – Mimecast's "The State of Email Security 2023"

The global report sheds light on the threats affecting companies across the globe, including the United Arab Emiratesand Saudi Arabia. Ninety four of respondents from the UAE and 100% from Saudi Arabia  reported to have been targeted by emailed-based phishing attacks in the last year, but they all said that they either have a system to monitor and protect against email-borne threats or are actively planning to roll one out.

**Highlights From This Year's Report** 

**Cyber awareness in the C-suite –** As cyberattacks continue to become more sophisticated, business leaders in the region have shown greater willingness to confront the risks involved and invest in proper measures to keep cyberattacks at bay. On average, 95% of companies in the UAE and Saudi Arabia reported needing stronger protection for their Microsoft 365 and Google Workspace applications, while 61% said their company needs to spend more on cybersecurity. However, all companies reported some form of cyber awareness training at their workplace, thus indicating a greater alertness to future attacks. With the increased focus on cyber preparedness by the C-suite, CISOs feel more empowered to articulate their requirements and implement strategies and tactics that will make their organization more secure.  

**Collaboration tools, essential but risky –** With workforces still divided between the office and remote locations, collaboration tools remain an essential yet risky part of communicating with team members. Eighty four percent of SOES participants in UAE and as many as 94% in Saudi Arabia agree that collaboration tools like Microsoft Teams or Slack are essential to their working function, but 82% from both countries expect to be harmed in 2023 by a collaboration-tool-based attack. The sharp increase in the use of these tools puts it directly in the minds of CISOs to ensure that adequate security measures are put in place for them to continue working protected while using them.

**Improved cyber preparedness –** There is a growing realization that cyber risk isn't just an IT problem — it's a critical vulnerability that directly equates to overall business risk. As such, organizations are taking the necessary measures to prepare for impending attacks.   Half are using artificial intelligence and machine learning to help under-resourced teams stay ahead of the curve, while the other half have plans to implement such measures. The use of AI tools will undoubtedly help under-resourced cybersecurity teams stay ahead of attacks and manage threats accordingly. Sixty four percent of Saudi Arabian respondents cited threat prevention as the top benefit of implementing AI, while 54% of organisations in UAE said reduced human error across the company was the biggest advantage. Overall, most companies believe that AI systems will help revolutionize the ways in which cybersecurity is practiced.

"Supply chain vulnerabilities, the rise of online collaboration and the growth of digital networking are among the chief reasons the cyber landscape is becoming more treacherous. The intersection of communications, people, and data carries a tremendous amount of risk, as malicious actors exploit the interconnectedness of the modern work surface," says Werno Gevers, regional leader of Mimecast Middle East. "Our research shows that corporate boards have finally woken up to the realisation that cyber risk is business risk, so it's time for CISOs to make the case for increased budgets and greater cyber resiliency."

Download the full report and view the UAE and Saudi Arabia infographics to learn more, and stay tuned to the Mimecast blog Cyber Resilience Insights_._

**Mimecast: Work Protected™**  

Since 2003, Mimecast has stopped bad things from happening to good organizations by enabling them to work protected. We empower more than 40,000 customers to help mitigate risk and manage complexities across a threat landscape driven by malicious cyberattacks, human error, and technology fallibility. Our advanced solutions provide the proactive threat detection, brand protection, awareness training, and data retention capabilities that evolving workplaces need today. Mimecast solutions are designed to transform email and collaboration security into the eyes and ears of organizations worldwide.  

_Mimecast, the Mimecast logo, and Work Protected are either registered trademarks or trademarks of Mimecast Services Limited in_ the United States _and/or other countries.  All rights reserved.  All other third-party trademarks and logos contained in this press release are the property of their respective owners._

SOURCE Mimecast

Mimecast Report Reveals Nearly 60% of Companies in UAE and Saudi Arabia Need to Increase Cybersecurity Spending

By Waqas
For now, Cylance ransomware is still in its early stages, yet it has already claimed several victims.
This is a post from HackRead.com Read the original post: New Cylance Ransomware Targets Linux and Windows, Warn Researchers

Do not confuse Cylance Ransomware with the Blackberry-owned Cylance cybersecurity company.

The cybersecurity researchers at Palo Alto Networks Unit 42 have discovered a new strain of Cylance Ransomware, which has already claimed several victims. Researchers noticed it early Friday morning, and further probing revealed that it is targeting Linux and Windows devices.

As of now, insufficient information is available about Cylance Ransomware, indicating that it is a relatively recent emergence. The ransom note received by victims was published by Unit 42 which contains the attackers’ email addresses, but surprisingly not the ransom amount. Here is the content of the ransom note:

“All your files are encrypted, and currently unusable, but you need to follow our instructions. Otherwise, you can’t return your data (never. It’s just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities – nobody will cooperate with us. It’s not in our interests.”

“To check the ability of returning files, we decrypt one file for free. That is our guarantee. If you will not cooperate with our service – for us, it does not matter. But you will lose time and data, cause just we have the private key. time is more valuable than money.”

It is believed that the amount will be disclosed to the victim when they contact the attacker. The attackers have warned against any attempt to restore or change the files, as it would destroy the private key, which means the data will be lost forever.

**Attack Methodology**

In a tweet, researchers explained that the modus operandi of the ransomware attack involves encrypting files and appending them with a “.Cylance” extension. In addition, a text file titled “Read Me” is added to all encrypted files’ folders. This file contains the attacker’s ransom note.

**Who is Distributing Cylance Ransomware?**

For your information, Cylance is actually a cybersecurity company owned by BlackBerry Ltd. The company is known for mitigating and preventing ransomware attacks on enterprise organizations. However, why threat actors named the ransomware after this company is unclear, or it could be that they are looking for extra attention or to negatively impact Cylance in the long run.

Although Cylance ransomware is still in its early stages, it will be crucial to monitor its targets and wait for more information from the infosec community. Currently, samples of the ransomware are available on MalwareBazaar, a project by abuse.ch that shares malware samples with the infosec community, AV vendors, and threat intelligence providers.

1.  95.6% of Malware in 2022 Targeted Windows
2.  Lessons from Holy Ghost ransomware attacks
3.  CryWiper poses as ransomware to target Russia
4.  Royal Ransomware: New Threat Uses Google Ads
5.  Alert against AXLocker, Octocrypt, Alice ransomware

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

New Cylance Ransomware Targets Linux and Windows, Warn Researchers

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 24 and March 31. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for March 24 to March 31

Russian intelligence services, together with a Moscow-based IT company, are planning worldwide hacking operations that will also enable attacks on critical infrastructure facilities.

The release of thousands of pages of confidential documents has exposed Russian military and intelligence agencies' grand plans for using their cyberwar capabilities in disinformation campaigns, hacking operations, critical infrastructure disruption, and control of the Internet.

The papers were leaked from the Russian contractor NTC Vulkan and show how Russian intelligence agencies use private companies to plan and execute global hacking operations. They include project plans, software descriptions, instructions, internal emails, and transfer documents from the company.

The takeover of railroad networks and power plants are also part of a training seminar held by Vulkan to train hackers.

The leak also exposes the company's close links to the FSB, Russia's domestic spy agency, the GOU and GRU, the respective operational and intelligence divisions of the armed forces, and the SVR, Russia's foreign intelligence organization.

The documents, which were leaked by an unnamed source to a German reporter working for the Süddeutsche Zeitung at the start of Russia's invasion of Ukraine, have since been analyzed by global media outlets including The Washington Post and German media outlets Paper Trail Media and Der Spiegel.

According to the Spiegel report (in German), Vulkan has developed tools that allow state hackers to efficiently prepare cyberattacks, filter Internet traffic, and spread propaganda and disinformation on a massive scale.

The Spiegel report notes that analysts from Google reportedly discovered a connection between Vulkan and the hacker group Cozy Bear years ago; the group has successfully penetrated systems of the US Department of Defense in the past.

**Amezit, Skan-V Programs Revealed**

One offensive cyber program described in the documents is internally codenamed "Amezit."

The wide-ranging platform is designed to enable attacks on critical infrastructure facilities in addition to total information control over specific areas.

The program's goals include using special software to derail trains or paralyze airport computers, but it was not clear from the materials whether the program is currently being used against Ukraine.

Another project, called "Skan-V," is supposed to automate cyberattacks and make them much easier to plan.

Whether and where the programs were used cannot be traced, but the documents prove that the programs were ordered, tested, and paid for.

"People should know the dangers this poses," shared the anonymous source who leaked the docs to the media. The Russian invasion of Ukraine had motivated the source to make the documents public.

**As the Sandworm Turns**

A trail also leads to the state hacker group Sandworm, one of the most dangerous advanced persistent threats (APTs) in the world, responsible for some of the most serious cyberattacks of recent years. For instance, the threat actor has been targeting the Ukrainian capital since as far back as December 2016 when it used the malware tool Industroyer to cause a temporary power outage in Kyiv.

Until now, it was not known that the group used tools from private companies.

Sandworm has previously been linked to GRU.

Since the start of the war, at least five Russian, state-sponsored or cybercriminal groups — including Gamaredon, Sandworm, and Fancy Bear — have targeted Ukrainian government agencies and private companies in dozens of operations that aimed to disrupt services or steal sensitive information.

Tag

#google