Intel works closely with academic researchers on hardware flaws and coordinates efforts with other vendors to roll out fixes for emerging vulnerabilities. That wasn't always the case.

Source: Mentor58 via Alamy Stock Photo

The Spectre and Meltdown chip vulnerabilities could have been resolved much earlier had chip makers taken reports from academic researchers more seriously, says one researcher who helped unveiled the hardware bug.

Daniel Gruss, a researcher at Graz University of Technology, hasn't had a break since Meltdown and Spectre came to light. Chip vulnerabilities are multiplying with increasingly complex chip designs and the emergence of new technologies, such as graphics processing units (GPUs) and confidential computing.

"I think the number of bugs that we have in our systems will not get less over time," Gruss says.

Gruss and Intel fellow Anders Fogh will reflect on past chip vulnerabilities and explore emerging threats during their Black Hat USA 2024 on Thursday, Aug. 8. The presentation, "Microarchitecture Vulnerabilities: Past, Present, and Future," will cover recent side-channel attack techniques as exposed by Hertzbleed, Platypus, and Zenbleed. Gruss and Fogh will also explore how academic researchers and chip makers are collaborating to counter vulnerabilities and discuss top-line mitigation and patching strategies.

Gruss, now a professor in information security, says the chip makers hadn't been as responsive as the companies are now. His team reported the prefetch side-channel at the center of Spectre to Intel in 2016, but the chip maker dragged its feet.

"Intel could have had Spectre two years earlier than they had it ... if they would just have looked at our report a bit more closely and tried it out for a longer time on different machines and then investigated, but they didn't," Gruss says.

But that has changed, and Intel takes every security flaw reported very seriously, Gruss says.

**Communication Is Key**

Intel is in lockstep with researchers and also keeps communication lines open with rivals, such as AMD and Nvidia, as hardware bugs could affect multiple vendors, says Suzy Greenberg, vice president for Intel Product Assurance and Security Group.

Spectre and Meltdown used side-channel attacks to leak sensitive data that could include usernames and passwords. Hackers can conduct side-channel attacks by using system functions, such as frequency scaling and power consumption patterns.

Hundreds of papers on side-channel attacks have come out since the bugs were initially reported. However, no real-world break-ins based on the bugs have been reported, yet, according to Gruss and Intel. Side-channel attacks will always be there, and chip vendors won't be able to solve the bugs, Gruss says.

"The question is ... how can we keep them restricted enough so that attackers cannot exploit them for valuable information," Gruss says.

**Researchers Shift Focus to GPUs**

Researchers are also shifting their attention to exploring security bugs in GPUs, which are chips being used to serve artificial intelligence (AI).

A team of researchers including Gruss recently published research about a side-channel attack on Nvidia's GPUs. Nvidia last month issued 10 security alerts related to its GPU drivers and virtualization software.

"As we understand more and more about the microarchitecture on GPUs, and as they get more complex, we will also see more complex and more impactful attacks," Gruss says.

Side-channel attacks may also increase in the realm of confidential computing, which involves creating a secure enclave within hardware to run protected applications. Top chip makers Intel and AMD offer confidential computing chips for AI applications.

"Confidential computing adds attack surface from an academic perspective ... there is more to attack there than if you would be an unprivileged attacker," Gruss says.

Privileged users can get access to interfaces, instructions, and model-specific registers, which widens the attack surface.

Many new use cases and exploits are going to start coming with AI, Intel's Greenberg said.

"We're really trying to encourage that community to start looking at poking there because that's the big unknown," Greenberg says.

**About the Author(s)**

Agam Shah has covered enterprise IT for more than a decade. Outside of machine learning, hardware, and chips, he's also interested in martial arts and Russia.

Could Intel Have Fixed Spectre &amp; Meltdown Bugs Earlier?

A Spanish-speaking cybercrime group named GXC Team has been observed bundling phishing kits with malicious Android applications, taking malware-as-a-service (MaaS) offerings to the next level.
Singaporean cybersecurity company Group-IB, which has been tracking the e-crime actor since January 2023, described the crimeware solution as a "sophisticated AI-powered phishing-as-a-service platform"

A Spanish-speaking cybercrime group named **GXC Team** has been observed bundling phishing kits with malicious Android applications, taking malware-as-a-service (MaaS) offerings to the next level.

Singaporean cybersecurity company Group-IB, which has been tracking the e-crime actor since January 2023, described the crimeware solution as a "sophisticated AI-powered phishing-as-a-service platform" capable of targeting users of more than 36 Spanish banks, governmental bodies and 30 institutions worldwide.

The phishing kit is priced anywhere between $150 and $900 a month, whereas the bundle including the phishing kit and Android malware is available on a subscription basis for about $500 per month.

Targets of the campaign include users of Spanish financial institutions, as well as tax and governmental services, e-commerce, banks, and cryptocurrency exchanges in the United States, the United Kingdom, Slovakia, and Brazil. As many as 288 phishing domains linked to the activity have been identified to date.

Also part of the spectrum of services offered is the sale of stolen banking credentials and custom coding-for-hire schemes for other cybercriminal groups targeting banking, financial, and cryptocurrency businesses.

"Unlike typical phishing developers, the GXC Team combined phishing kits together with an SMS OTP stealer malware pivoting a typical phishing attack scenario in a slightly new direction," security researchers Anton Ushakov and Martijn van den Berk said in a Thursday report.

What's notable here is that the threat actors, instead of directly making use of a bogus page to grab the credentials, urge the victims to download an Android-based banking app to prevent phishing attacks. These pages are distributed via smishing and other methods.

Once installed, the app requests for permissions to be configured as the default SMS app, thereby making it possible to intercept one-time passwords and other messages and exfiltrate them to a Telegram bot under their control.

"In the final stage the app opens a genuine bank's website in WebView allowing users to interact with it normally," the researchers said. "After that, whenever the attacker triggers the OTP prompt, the Android malware silently receives and forwards SMS messages with OTP codes to the Telegram chat controlled by the threat actor."

Among the other services advertised by the threat actor on a dedicated Telegram channel are AI-infused voice calling tools that allow its customers to generate voice calls to prospective targets based on a series of prompts directly from the phishing kit.

These calls typically masquerade as originating from a bank, instructing them to provide their two-factor authentication (2FA) codes, install malicious apps, or perform other arbitrary actions.

"Employing this simple yet effective mechanism enhances the scam scenario even more convincing to their victims, and demonstrates how rapidly and easily AI tools are adopted and implemented by criminals in their schemes, transforming traditional fraud scenarios into new, more sophisticated tactics," the researchers pointed out.

In a recent report, Google-owned Mandiant revealed how AI-powered voice cloning have the capability to mimic human speech with "uncanny precision," thus allowing for more authentic-sounding phishing (or vishing) schemes that facilitate initial access, privilege escalation, and lateral movement.

"Threat actors can impersonate executives, colleagues, or even IT support personnel to trick victims into revealing confidential information, granting remote access to systems, or transferring funds," the threat intelligence firm said.

"The inherent trust associated with a familiar voice can be exploited to manipulate victims into taking actions they would not normally take, such as clicking on malicious links, downloading malware, or divulging sensitive data."

Phishing kits, which also come with adversary-in-the-middle (AiTM) capabilities, have become increasingly popular as they lower the technical barrier to entry for pulling off phishing campaigns at scale.

Security researcher mr.d0x, in a report published last month, said it's possible for bad actors to take advantage of progressive web apps (PWAs) to design convincing login pages for phishing purposes by manipulating the user interface elements to display a fake URL bar.

What's more, such AiTM phishing kits can also be used to break into accounts protected by passkeys on various online platforms by means of what's called an authentication method redaction attack, which takes advantage of the fact that these services still offer a less-secure authentication method as a fallback mechanism even when passkeys have been configured.

"Since the AitM can manipulate the view presented to the user by modifying HTML, CSS and images or JavaScript in the login page, as it is proxied through to the end user, they can control the authentication flow and remove all references to passkey authentication," cybersecurity company eSentire said.

The disclosure comes amid a recent surge in phishing campaigns embedding URLs that are already encoded using security tools such as Secure Email Gateways (SEGs) in an attempt to mask phishing links and evade scanning, according to Barracuda Networks and Cofense.

Social engineering attacks have also been observed resorting to unusual methods wherein users are enticed into visiting seemingly legitimate websites and are then asked to manually copy, paste, and execute obfuscated code into a PowerShell terminal under the guise of fixing issues with viewing content in a web browser.

Details of the malware delivery method have been previously documented by ReliaQuest and Proofpoint. McAfee Labs is tracking the activity under the moniker ClickFix.

"By embedding Base64-encoded scripts within seemingly legitimate error prompts, attackers deceive users into performing a series of actions that result in the execution of malicious PowerShell commands," researchers Yashvi Shah and Vignesh Dhatchanamoorthy said.

"These commands typically download and execute payloads, such as HTA files, from remote servers, subsequently deploying malware like DarkGate and Lumma Stealer."

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

This AI-Powered Cybercrime Service Bundles Phishing Kits with Malicious Android Apps

KnowBe4 detailed the incident in a recent blog post as a warning for other potential targets.

KnowBe4, a US-based security vendor, revealed that it unwittingly hired a North Korean hacker who attempted to load malware into the company's network. KnowBe4 CEO and founder Stu Sjouwerman described the incident in a blog post this week, calling it a cautionary tale that was fortunately detected before causing any major problems.

"First of all: No illegal access was gained, and no data was lost, compromised, or exfiltrated on any KnowBe4 systems," Sjouwerman wrote. “This is not a data breach notification, there was none. See it as an organizational learning moment I am sharing with you. If it can happen to us, it can happen to almost anyone. Don't let it happen to you.”

KnowBe4 said it was looking for a software engineer for its internal IT AI team. The firm hired a person who, it turns out, was from North Korea and was "using a valid but stolen US-based identity" and a photo that was "enhanced" by artificial intelligence. There is now an active FBI investigation amid suspicion that the worker is what KnowBe4's blog post called "an Insider Threat/Nation State Actor."

KnowBe4 operates in 11 countries and is headquartered in Florida. It provides security awareness training, including phishing security tests, to corporate customers. If you occasionally receive a fake phishing email from your employer, you might be working for a company that uses the KnowBe4 service to test its employees' ability to spot scams.

**Person Passed Background Check and Video Interviews**

KnowBe4 hired the North Korean hacker through its usual process. "We posted the job, received résumés, conducted interviews, performed background checks, verified references, and hired the person. We sent them their Mac workstation, and the moment it was received, it immediately started to load malware," the company said.

Even though the photo provided to HR was fake, the person who was interviewed for the job apparently looked enough like it to pass. KnowBe4's HR team "conducted four video conference based interviews on separate occasions, confirming the individual matched the photo provided on their application," the post said. "Additionally, a background check and all other standard pre-hiring checks were performed and came back clear due to the stolen identity being used. This was a real person using a valid but stolen US-based identity. The picture was AI 'enhanced.'"

The two images at the top of this story are a stock photo and what KnowBe4 says is the AI fake based on the stock photo. The stock photo is on the left, and the AI fake is on the right.

The employee, referred to as "XXXX" in the blog post, was hired as a principal software engineer. The new hire's suspicious activities were flagged by security software, leading KnowBe4's Security Operations Center (SOC) to investigate:

> On July 15, 2024, a series of suspicious activities were detected on the user beginning at 9:55 pm EST. When these alerts came in KnowBe4's SOC team reached out to the user to inquire about the anomalous activity and possible cause. XXXX responded to SOC that he was following steps on his router guide to troubleshoot a speed issue and that it may have caused a compromise.
> 
> The attacker performed various actions to manipulate session history files, transfer potentially harmful files, and execute unauthorized software. He used a Raspberry Pi to download the malware. SOC attempted to get more details from XXXX including getting him on a call. XXXX stated he was unavailable for a call and later became unresponsive. At around 10:20 pm EST SOC contained XXXX's device.

**“Fake IT Worker From North Korea”**

The SOC analysis indicated that the loading of malware "may have been intentional by the user," and the group "suspected he may be an Insider Threat/Nation State Actor," the blog post said.

"We shared the collected data with our friends at Mandiant, a leading global cybersecurity expert, and the FBI, to corroborate our initial findings. It turns out this was a fake IT worker from North Korea," Sjouwerman wrote.

KnowBe4 said it can't provide much detail because of the active FBI investigation. But the person hired for the job may have logged into the company computer remotely from North Korea, Sjouwerman explained:

> How this works is that the fake worker asks to get their workstation sent to an address that is basically an "IT mule laptop farm." They then VPN in from where they really physically are (North Korea or over the border in China) and work the night shift so that they seem to be working in US daytime. The scam is that they are actually doing the work, getting paid well, and give a large amount to North Korea to fund their illegal programs. I don't have to tell you about the severe risk of this. It's good we have new employees in a highly restricted area when they start, and have no access to production systems. Our controls caught it, but that was sure a learning moment that I am happy to share with everyone.

_This story originally appeared on_ _Ars Technica._

A North Korean Hacker Tricked a US Security Vendor Into Hiring Him—and Immediately Tried to Hack Them

"Peace is the virtue of civilization. War is its crime. Yet it is often in the furnace of war that the sharpest tools of peace are forged." - Victor Hugo.
In 1971, an unsettling message started appearing on several computers that comprised ARPANET, the precursor to what we now know as the Internet. The message, which read "I'm the Creeper: catch me if you can." was the output of a program named

Digital Warfare / Cybersecurity Training

> "Peace is the virtue of civilization. War is its crime. Yet it is often in the furnace of war that the sharpest tools of peace are forged." - Victor Hugo.

In 1971, an unsettling message started appearing on several computers that comprised ARPANET, the precursor to what we now know as the Internet. The message, which read "I'm the Creeper: catch me if you can." was the output of a program named Creeper, which was developed by the famous programmer Bob Thomas while he worked at BBN Technologies. While Thomas's intentions were not malicious, the Creeper program represents the advent of what we now call a computer virus.

The appearance of Creeper on ARPANET set the stage for the emergence of the first Antivirus software. While unconfirmed, it is believed that Ray Thomlinson, famously known for inventing email, developed Reaper, a program designed to remove Creeper from Infected Machines. The development of this tool used to defensively chase down and remove a malicious program from a computer is often referred to as the inception of the cybersecurity field. It highlights an early recognition of a cyberattack's potential power and the need for defensive measures.

The revelation of the need for cybersecurity shouldn't come as much of a surprise, as the cyber realm is nothing more than an abstraction of the natural world. In the same way that we grew from fighting with sticks and stones to swords and spears to now bombs and aircraft, so too has the war over the cyber realm progressed. In the beginning, it all started with a rudimentary Creeper virus that was a cheeky representation of what could be a harbinger of digital doom. The discovery of weaponized electronic systems necessitated the invention of antivirus solutions such as Reaper, and as the attacks grew more complex, so too did the defensive solutions. Fast forward to the era of network-based attacks, and digital battlefields began to take shape. Firewalls emerged to replace vast city walls, load balancers act as generals directing resources to ensure one singular point isn't overwhelmed, and Intrusion Detection and Prevention systems replace sentries in watch towers. This isn't to say that all systems are perfect; there is always the existential dread that a globally favored benevolent rootkit that we call an EDR solution could contain a null pointer dereference that will act as a trojan horse capable of bricking tens of millions of Windows devices.

Putting aside catastrophic, and all be it accidental, situations still leaves the question of what's next. Enter Offensive AI, the most dangerous cyber weapon to date. In 2023, Foster Nethercott published a whitepaper at SANS Technology Institute detailing how threat actors could abuse ChatGPT with minimal technical capability to create novel malware capable of evading traditional security controls. Numerous other articles have also examined the use of generative AI to create advanced worms such as Morris II and polymorphic malware such as Black Mamba.

The seemingly paradoxical solution to these growing threats is further development and research into more sophisticated offensive AI. Plato's adage, "Necessity is the mother of invention," is an apt characterization of cybersecurity today, where new AI-driven threats drive the innovation of more advanced security controls. While developing more sophisticated offensive AI tools and techniques is far from morally commendable, it continues to emerge as an inescapable necessity. To effectively defend against these threats, we must understand them, which necessitates their further development and study.

The rationale for this approach is rooted in one simple truth. You cannot defend against a threat you do not understand, and without the development and research into these new threats, we cannot hope to understand them. The unfortunate reality is that bad actors are already leveraging offensive AI to innovate and deploy new threats. To try and refute this would be misguided and naive. Because of this, the future of cybersecurity lies in the further development of offensive AI.

If you want to learn more about Offensive AI and gain hands-on experience in implementing it into penetration testing, I invite you to attend my upcoming workshop at SANS Network Security 2024: Offensive AI for Social Engineering and Deep Fake Development on September 7th in Las Vegas. This workshop will be a great introduction to my new course, SEC535: Offensive AI - Attack Tools and Techniques, to be released at the beginning of 2025. The event as a whole will also be an excellent opportunity to meet several leading experts in AI and learn how it is shaping the future of cybersecurity. You can get event details and the complete list of bonus activities here.

**Note:** _This article is expertly written by Foster Nethercott, a United States Marine Corps and Afghanistan veteran with nearly a decade of experience in cybersecurity. Foster owns the security consulting firm Fortisec and is an author for SANS Technology Institute, currently developing the new course SEC 535 Offensive Artificial Intelligence._

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Offensive AI: The Sine Qua Non of Cybersecurity

The European Commission is allocating €7.3 billion for defense research over the next seven years. From drones and tanks of the future to battleships and space intelligence, here's what it funds.

From €142 million to €1 billion ($1.1 billion) a year. The European Commission is pressing the accelerator on investment in weapons and defense technologies. From a total €590 million invested between 2017 and 2020, Brussels has moved to a €7.3 billion ($7.9 billion) package for the 2021 to 2027 period. This year alone, the European Defense Fund (EDF) has put €1.1 billion on the plate, divided into 34 calls for as many military-related research topics. From developing new drone models to sensors to increase radar capabilities. From systems to counter hypersonic missile attacks to enhancements in the analysis of images collected by satellites. From “smart weapons” to advanced communication technologies. The bidding process opened in late June, and there is time until November 5 to share a slice of the pie—and then a year to deliver the project.

The project for a common defense has distant origins and was formalized in 2015, but it was Russia's invasion of Ukraine that accelerated the European Commission's march to spend on arms, ammunition, and military technology. One only has to scroll through the list of projects vying for 2024 funding to get an idea of what Brussels is looking for. On the plate is €100 million to develop a new long-range, medium-altitude drone equipped with advanced intelligence, surveillance, target acquisition, and recognition systems (or Istar) and piloted remotely. On a similar project, the European Union has already invested, allocating €98 million of the total €290 million needed to develop a similar aircraft, dubbed Eurodrone, to a consortium consisting of France's Airbus and Dassault Aviation plus Italy's Leonardo. Another €11 million from the EDF goes to the prototype of a small, autonomously guided aerial drone.

**Telecommunications and AI**

Much of the resources go to strengthening communication and data exchange channels—in order to prevent, for example, someone from taking over the controls of the remotely piloted drone. The EDF allocates €25 million to a 5G network intended for the military sphere, the same amount to prototypes for satellite communications, and €24 million to develop dedicated systems for undersea drones. Information needed to feed algorithms and automatic analysis tools will have to be transferred through these secure channels. One grant awards €45 million for an AI software prototype that would make automated means and operations centers operated by live personnel talk to each other.

According to an article by Anthony King, professor at the University of Exeter, published in the Journal of Global Security Studies, so far in the military, “AI has not been used primarily to produce robotic or autonomous weapon systems. Over the past two decades, the military has sought to leverage big data to generate a richer and deeper understanding of the battlefield by tracking the footprints left in cyberspace by their adversaries. Because there is such a vast amount of digital data in cyberspace, the armed forces have begun to leverage the potential of AI, algorithms, and machine learning to identify patterns and signatures, thereby improving their awareness and so that crucial pieces of information are not missed.”

It's a pattern also pursued by European investments. Already last year, the EDF supported with €4 million a communication model to command swarms of autonomous vehicles, and as much went to strengthening undersea cables, the backbone of the internet and a military target. To make sure the data collected from space “speaks,” and provides a real-time and accurate representation of potential risks, there is a €157 million project, run by Leonardo, Airbus, and ArianeGroup (an aerospace company), to integrate information on a single platform, following in the footsteps of two previous projects. But if we add up all the intelligence programs through sensors, satellites, and other digital sources, the 2023 plan alone has deployed another €70 million on the subject. With another €6 million, the EU also tries to guard against communications blackouts, supporting an Estonian-driven plan for drone navigation technology that works even without satellite signals, relying on real-time analysis of what the machine sees.

**New Weapons**

The European Defense Fund, however, is also hunting for prototypes of new weapons. There is €25 million for the next generation of armored vehicles, €30 million for the creation of smart and increasingly accurate weapons, and €20 million earmarked for identifying at least four potential solutions for navigating a drone in “non-permissive” environments, which, translated from diplomatic jargon, means areas of war or those characterized by great instability.

Another €50 million concerns the creation of a new ground drone, equipped with “lethal functions.” What kind? This is best explained in an annex to the Commission's green light for EDF 2024. It says the program is to study a “fully autonomous process of targeting against different targets and solutions for mobility and engagement,” but also to produce an analysis of the “ethical and legal aspects of integrating autonomous combat drones into European armed forces.” With a clarification: “If necessary, research should be included to support recommendations and decisions” on these aspects. As in: Give us material to plead the case.

In the case of smart weapons, on the other hand, the EU calls for greater accuracy of missiles and rockets, but also refers to “loitering munitions,” i.e., suicide drones, which circle a defined area until they locate the target and hit it, bringing it down—a controversial military technology. The EU is also interested in copying the Iron Dome model, Israel's missile shield.

**Tanks and Corvettes of the Future**

Shortly before opening the new calls for proposals, the Commission also announced the 54 winning projects for the 2023 program. These include Marte, or the Main ARmored Tank of Europe, a program to develop new technologies to be integrated on a tank. Sharing the €20 million in funding is a string of some 40 companies, including the two defense champions from Italy and Germany, Leonardo and Rheinmetall, respectively. Just as much has been received by a similar project, again to upgrade the tank's architecture, which France's Thales is leading instead. From Brussels, €154 million will help fund the approximately €288 million needed to develop the new EU patrol corvette (Epc2), with Italy's Fincantieri among the project leaders. Another €25 million is earmarked for the construction of a prototype self-driving boat, 12 meters long, that rides on hydrofoils (i.e., with the hull out of the water).

Leonardo is spearheading a project to develop counter-aircraft systems for military drones, exploiting sensors, disturbances in telecommunications networks, and other technologies. France's Cilas, on the other hand, is spearheading a program to develop Europe's first laser weapon, backed by €25 million. A prototype electro-magnetic-propelled missile launcher has grossed €4 million, €26 million for an artificial intelligence agent called to autonomously manage protection and counterattack in response to cyber aggression, €80 million for a study on defense from hypersonic weapons. Another €27 million will support the creation of a new missile system with a range of 150 kilometers, €40 million is going to a military cargo ship, and €44 million is allocated for offensive technologies on undersea drones.

**Funds and Alliances**

But the channels for fueling Europe's military industry are varied. Alongside the EDF is Eudis, a scheme worth €2 billion for the seven-year period that supports the acceleration of startups and small and medium-size enterprises (target: 400 per year). There's also the European Investment Fund (EIF), managed by the European Investment Bank (EIB), which helps fund the defense sphere, particularly when it comes to dual (civilian and military) technologies. Its aim is to act as a key investor, consequently attracting other players willing to share the risk, but until 2027 it has €175 million to spend. The European Security Industry Bank can mobilize another €8 billion, also over the next three years.

Seven deals have already been signed. These include €10 million to Germany's Quantum Systems for vertical-takeoff drones, €30 million to Spain's Skydweller for its solar-powered self-driving aircraft, and €600 million on two space communications programs. Italy's Leonardo also benefited from EIB loans, which provided €260 million for research and development activities in various technological fields.

Europe Is Pumping Billions Into New Military Tech

The U.S. Department of Justice (DoJ) on Thursday unsealed an indictment against a North Korean military intelligence operative for allegedly carrying out ransomware attacks against healthcare facilities in the country and funneling the payments to orchestrate additional intrusions into defense, technology, and government entities across the world.
"Rim Jong Hyok and his co-conspirators deployed

The U.S. Department of Justice (DoJ) on Thursday unsealed an indictment against a North Korean military intelligence operative for allegedly carrying out ransomware attacks against healthcare facilities in the country and funneling the payments to orchestrate additional intrusions into defense, technology, and government entities across the world.

"Rim Jong Hyok and his co-conspirators deployed ransomware to extort U.S. hospitals and health care companies, then laundered the proceeds to help fund North Korea's illicit activities," said Paul Abbate, deputy director of the Federal Bureau of Investigation (FBI). "These unacceptable and unlawful actions placed innocent lives at risk."

Concurrent with the indictment, the U.S. Department of State announced a reward of up to $10 million for information that could lead to his whereabouts, or the identification of other individuals in connection with the malicious activity.

Hyok, part of a hacking crew dubbed Andariel (aka APT45, Nickel Hyatt, Onyx Sleet, Silent Chollima, Stonefly, and TDrop2), is said to be behind extortion-related cyber attacks involving a ransomware strain called Maui, which was first disclosed in 2022 as targeting organizations in Japan and the U.S.

The ransom payments were laundered through Hong Kong-based facilitators, converting the illicit proceeds into Chinese yuan, following which they were withdrawn from an ATM and used to procure virtual private servers (VPSes) that, in turn, were employed to exfiltrate sensitive defense and technology information.

Targets of the campaign include two U.S. Air Force bases, NASA-OIG, as well as South Korean and Taiwanese defense contractors and a Chinese energy company.

In one instance highlighted by the State Department, a cyber attack that began in November 2022 led to the threat actors exfiltrating more than 30 gigabytes of data from an unnamed U.S.-based defense contractor. This comprised unclassified technical information regarding material used in military aircraft and satellites.

The agencies have also announced the "interdiction of approximately $114,000 in virtual currency proceeds of ransomware attacks and related money laundering transactions, as well as the seizure of online accounts used by co-conspirators to carry out their malicious cyber activity."

Andariel, affiliated with the Reconnaissance General Bureau (RGB) 3rd Bureau, has a track record of striking foreign businesses, governments, aerospace, nuclear, and defense industries with the goal of obtaining sensitive and classified technical information and intellectual property to further the regime's military and nuclear aspirations.

Other recent targets of interest encompass South Korean educational institutions, construction companies, and manufacturing organizations.

"This group poses an ongoing threat to various industry sectors worldwide, including, but not limited to, entities in the United States, South Korea, Japan, and India," the National Security Agency (NSA) said. "The group funds their espionage activity through ransomware operations against U.S. healthcare entities."

Initial access to target networks is accomplished by means of exploiting known N-day security flaws in internet-facing applications, enabling the hacking group to conduct follow-on reconnaissance, filesystem enumeration, persistence, privilege escalation, lateral movement, and data exfiltration steps using a combination of custom backdoors, remote access trojans, off-the-shelf tools, and open-source utilities at their disposal.

Other documented malware distribution vectors entail the use of phishing emails containing malicious attachments, such as Microsoft Windows Shortcut (LNK) files or HTML Application (HTA) script files inside ZIP archives.

"The actors are well-versed in using native tools and processes on systems, known as living-off-the-land (LotL)," the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said. "They use Windows command line, PowerShell, Windows Management Instrumentation command line (WMIC), and Linux bash, for system, network, and account enumeration."

Microsoft, in its own advisory on Andariel, described it as constantly evolving its toolset to add new functionality and implement novel ways to bypass detection, while exhibiting a "fairly uniform attack pattern."

"Onyx Sleet's ability to develop a spectrum of tools to launch its tried-and-true attack chain makes it a persistent threat, particularly to targets of interest to North Korean intelligence, like organizations in the defense, engineering, and energy sectors," the Windows maker noted.

Some of the noteworthy tools highlighted by Microsoft are listed below -

*   TigerRAT - A malware that can steal confidential information and carry out commands, like keylogging and screen recording, from a command-and-control (C2) server
*   SmallTiger - A C++ backdoor
*   LightHand - A lightweight backdoor for remote access to infected devices
*   ValidAlpha (aka Black RAT) - A Go-based backdoor that can run an arbitrary file, list contents of a directory, download a file, take screenshots, and launch a shell to execute arbitrary commands
*   Dora RAT - A "simple malware strain" with support for reverse shell and file download/upload capabilities

"They have evolved from targeting South Korean financial institutions with disruptive attacks to targeting U.S. healthcare with ransomware, known as Maui, although not at the same scale as other Russian speaking cybercrime groups," Alex Rose, director of threat research and government partnerships at Secureworks Counter Threat Unit, said.

"This is in addition to their primary mission of gathering intelligence on foreign military operations and strategic technology acquisition."

Andariel is just one of the myriad state-sponsored hacking crews operating under the direction of the North Korean government and military, alongside other clusters tracked as the Lazarus Group, BlueNoroff, Kimsuky, and ScarCruft.

"For decades, North Korea has been involved in illicit revenue generation through criminal enterprises, to compensate for the lack of domestic industry and their global diplomatic and economic isolation," Rose added.

"Cyber was rapidly adopted as a strategic capability that could be used for both intelligence gathering and money making. Where historically these objectives would have been covered by different groups, in the last few years there has been a blurring of the lines and many of the cyber threat groups operating on behalf of North Korea have also dabbled in money making activities."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

U.S. DoJ Indicts North Korean Hacker for Ransomware Attacks on Hospitals

Mimecast's acquisition of Code42 helps the company move into insider risk management, joining key rival Proofpoint and others in the space.

Source: Panther Media GmbH via Alamy Stock Photo

Email security providers are increasingly adding human risk management (HRM) tools to their portfolios to broaden their data loss prevention (DLP) capabilities. The latest to sharpen its focus on HRM is Mimecast, which acquired insider risk tool provider Code42 for undisclosed terms this week.

The deal marks Mimecast's second acquisition of an HRM company this year. In January, it made its foray into human risk management with the acquisition of Elevate Security, which resulted in last week's release of Mimecast's Engage risk management platform.

Omdia senior principal analyst Fernando Montenegro says Mimecast's competitors, such as Proofpoint, Sophos, ESET, OpenText (Webroot), and Barracuda Networks, have made similar moves into HRM.

"We have seen similar packaging of messaging security with user training and human factors in many vendors," Montenegro says. "This makes sense as we think there is a long-standing evolutionary pattern to cybersecurity to be better aligned to business outcomes and concerns, and this fits well into this narrative."

Mimecast is playing catch-up to Proofpoint, its most formidable competitor, which released its Proofpoint Nexus People Risk Explorer in 2021. Earlier, Proofpoint made its foray into insider threat management by acquiring ObserveIT, known for its insider threat management platform.

**Insider Risk Tied to Data Breaches**

According to Verizon's "2024 Data Breach Investigations Report" (DBIR), insiders were involved in 68% of all breaches in 2023. Forrester Research forecasts that figure could rise to 90% in 2024, according to its "Predictions 2024" report.

"HRM solutions and programs have surfaced to help CISOs evaluate their firm's human risk, determine whether they are getting a return on their training investment, whether their training is really changing anyone's behavior and improving the firm's cybersecurity posture, and determine what to manage human risk in addition to training people," the report's authors noted.

Weeks after closing the Elevate acquisition in January, Marc van Zadelhoff was tapped as Mimecast's new CEO, replacing co-founder Peter Bauer. Tasked with expanding Mimecast's emerging HRM portfolio, Zadelhoff inked a partnership with Code42 to integrate Code42 Incydr with the Mimecast platform.

By integrating Code42 Incydr's Watchlists for employees with a history of engaging in risky behavior (such as those who frequently fall for phishing attempts) with Mimecast's Profile Groups, organizations can automate the formation, management and policy enforcement among user groups. Likewise, Incydr can be used to manage Mimecast Profile Groups. The integration also lets Mimecast administrators detect and manage exfiltration activity.

Mimecast CEO Marc van Zadelhoff tells Dark Reading that the plan was to leverage that capability to emphasize Mimecast's human risk detection and management capabilities.

"We had been talking to Code42 for a while, and we did the partnership," van Zadelhoff says. "One thing led to another in terms of strengthening it."

Van Zadelhoff says the two acquisitions mark the company's entry into HRM.

"The partnership exposed to us that we had a lot of joint customer interest," he says. "In fact, during that time, we saw an increasing number of our customers adopt Code42 in a fairly short amount of time. As we started leveraging the human risk dashboard and the human risk platform, we started to see that when you add Code42 into the score, it really adds a lot of value on identifying the riskiest segment of the population out there.

**Product Portfolios to Remain Intact With Common Dashboard**

According to van Zadelhoff, there is no overlap between the products Mimecast now offers and Code42's portfolio.

"We tested the product around scalability and how it would work with our technology stack," he says. "It is incredibly compatible. There's zero overlap."

Further, van Zadelhoff insists no products from either company will be deprecated in the wake of the acquisition; the Code42 products will be rebranded Mimecast. Also, in the coming months, Mimecast will create a common human risk dashboard tied to its distinct offerings.

At next month's Black Hat USA Conference in Las Vegas, the company will demonstrate and roll out new artificial intelligence (AI) tools to detect exfiltration risk when employees upload files into generative AI platforms, such as Chat GPT.

"What we're really focused on is understanding when someone takes data from their corporate organizations or from a key repository and exfiltrates that to a public generative AI location," says Rob Juncker, Code42's CTO. "AI is something that we all have to deal with now. So it will be in our base product for all customers effective immediately."

**About the Author(s)**

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Mimecast Joins Human Risk Management Fray With Code42 Deal

The Andariel group is targeting critical defense, aerospace, nuclear, and engineering companies for data theft, the FBI, NSA, and others said.

Source: DD Images via Shutterstock

A long-known cyber-espionage group working on behalf of North Korea's foreign intelligence service is systematically stealing technical information and intellectual property from organizations in the US and other countries to advance its own nuclear and military programs.

The group — which security vendors track variously as Andariel, Silent Chollima, Onyx Sleet, and Stonefly — is using ransomware attacks on US health care entities to fund the campaign, the US government warned this week.

**A Clear and Present Danger**

In a joint advisory, the FBI, the US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and others identified the threat actor as primarily targeting defense, aerospace, nuclear, and engineering organizations in the US, Japan, South Korea, and India. "The authoring agencies believe the group and the cyber techniques remain an ongoing threat to various industry sectors worldwide," the advisory noted.

Meanwhile, the US government offered a $10 million reward under the State Department's Rewards for Justice program for information leading to the arrest of Rim Jong Hyok, whom it believes is a key player in the malicious cyber activity. In tandem, the US Justice Department indicted Jong Hyok on charges related to his involvement in Andariel attacks on multiple US entities, including NASA and two US Air Force bases.

The information that Andariel is pursuing in its current campaign is broad and varied. From defense organizations, the adversary has been stealing information pertaining to heavy and light tanks, self-propelled howitzers, combat ships, autonomous underwater vehicles, and other equipment. Aerospace companies are being targeted for information on everything from fighter aircraft, missiles, and missile defense systems to radars and nano-satellite technology. The goal with attacks on organizations in the nuclear sector is to gather data in areas like uranium processing and enrichment, material waste, and storage. And with engineering firms, the threat actor's focus is on shipbuilding, robotics, additive manufacturing, 3D printing, and other technologies.

"The authoring agencies encourage critical infrastructure organizations to apply patches for vulnerabilities in a timely manner, protect web servers from web shells, monitor endpoints for malicious activities, and strengthen authentication and remote access protections," the advisory said.

**Well-Known Threat Actor**

Andariel has been active for several years. Researchers at Google's Mandiant who track the group as APT45 believe it has been operational since at least 2009. Microsoft, which tracks the threat actor as OnyxSleet, says it first spotted the group in 2014. Over the years, researchers have tied the group to numerous information stealing campaigns and destructive attacks on organizations in more than a dozen critical sectors, including defense, aerospace, energy, financial services, transportation, and health care. Many of its attacks have targeted South Korean entitities.

In a report that coincided with the US government warning this week, Mandiant said it had observed APT45 gradually launching more financially motivated attacks — like ransomware attacks — in recent years, even as it has continued with its cyber espionage mission. "APT45 is one of North Korea’s longest running cyber operators, and the group's activity mirrors the regime's geopolitical priorities even as operations have shifted from classic cyber espionage against government and defense entities to include healthcare and crop science," Mandiant said.

Microsoft also released an update on the North Korean actor this week and has observed Onyx Sleet actors recently switch from spear-phishing as a way to gain initial access to using vulnerability exploits. But otherwise, its tradecraft has remained largely unchanged, Microsoft said. "Onyx Sleet has used the same tactics, techniques, and procedures (TTPs) over extended periods, suggesting the threat actor views its tradecraft as effective."

**Vulnerability Exploits and Custom Tools**

The US government advisory described Andariel as looking for and exploiting multiple well-known vulnerabilities to gain initial access to target networks in its recent attacks. Vulnerabilities that the group has been exploiting in its attacks include the Log4Shell flaw (CVE-2021-44228) in Apache's Log4j software; CVE-2023-46604, a maximum severity bug in Apache ActiveMQ server technology; CVE-2023-34362, a widely exploited remote code execution flaw in Progress Software's MOVEIt file transfer technology; and a similar flaw in Fortra's GoAnywhere software (CVE-2023-0669).

In all, the joint advisory listed 41 CVEs that Andariel actors have exploited to break into target networks as part of its cyberespionage campaign. Of that, 16 were vulnerabilities that various vendors disclosed last year. The oldest flaw in the list is from 2017 — CVE-2017-4946 — a privilege escalation bug in VMWare's V4H and V4PA desktop agents.

Once they gain access to a network, Andariel actors typically use a variety of custom tools and malware to establish remote access, enable lateral movement, and steal data, the advisory said, listing nearly two dozen of them. The tools "include functionality for executing arbitrary commands, keylogging, screenshots, listing files and directories, browser history retrieval, process snooping, creating and writing to files, capturing network connections, and uploading content to command and control," the advisory said. "The tools allow the actors to maintain access to the victim system, with each implant having a designated C2 node."

The advisory describes in detail other tactics, techniques, and procedures that Andariel actors have employed in recent attacks so organizations in the group's crosshairs can take protective measures. It also provides indicators of compromise that organizations can use to check for signs of the threat actor's presence on their network and systems.

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Feds Warn of North Korean Cyberattacks on US Critical Infrastructure

How your organization can leverage the disruptive CrowdStrike update to become more resilient.

Chip Stewart, Director–Security, Privacy, and Risk Consulting, RSM US

July 25, 2024

5 Min Read

Source: Illia Uriadnikov via Alamy Stock Photo

COMMENTARY

In the wake of global IT issues caused by a defect in a content update for CrowdStrike's Falcon sensor, many organizations engaged in executing business continuity plans (BCPs), recovering systems, and restoring from backups. In the throes of these activities, it's easy to overlook the similarity with the playbook for ransomware recovery and miss how organizations of all sizes can leverage this event to identify gaps in their capabilities to respond to and recover from ransomware or other disruptive cyberattacks.

It's important to acknowledge the scale of this disruption, with 8.5 million incapacitated PCs across all sectors and organizational sizes. Small businesses, global conglomerates, government agencies, hospitals, and critical infrastructure were all met with the dreaded blue screen of death.

Even those who were not CrowdStrike customers felt the impact, with flights delayed and canceled, gas stations and grocery stores unable to complete transactions, and critical services like police and fire dispatch delayed.

However, there are lessons that every organization can take away from this event to help improve their ability to respond to a cyberattack.

**Detection**

The mean time to detect, or MTTD, is a metric in cyber operations describing how long it takes between when an incident begins and when the organization identifies that something has happened. This metric has been trending down for the past several years, partially because incidents resulting in ransomware deployment are glaringly and quickly apparent. This speedy detection contrasts with incidents where a sophisticated threat actor is siphoning private data from a network, which typically takes longer to discover.

This behavior parallels the obviousness of the CrowdStrike event. Computers across the network became unavailable, displaying a cryptic message about a failed driver. With this event, we have clarity on the start time, with organizations experiencing blue screens around 04:09 UTC.

Organizations should evaluate how long their teams took to detect the outage and how quickly they could reasonably speculate on the root cause. These metrics matter when threat actors deploy ransomware on a network.

**Response**

As IT teams confirmed the cause of the system issues, organizations scrambled to begin restoring systems. Many organizations struggled with incomplete asset inventories, partially managed devices, and no way to prioritize recovery activities reliably. Some found themselves locked out of the password vaults needed to restore critical systems. Others struggled to scale quickly to reimage laptops of remote users scattered across the country. 

These challenges mirror those expected during a ransomware incident and highlight the importance of maintaining an accurate accounting of IT assets that informs prioritization during recovery. Also, recovery plans must consider the operating environment and support reconstituting services in time frames that align with business objectives.

Organizations should evaluate the effectiveness of their response plans during this event, including their ability to prioritize systems that support critical functions and develop or test the granular recovery plans necessary to expedite the reconstitution of these services. They should also determine where there were gaps in asset management and the underlying causes of those discrepancies.

**Business Continuity**

As IT teams worked around the clock to restore systems and get users back online, this event forced many organizations to execute their business continuity plans and restore mission-critical functions. Organizations frequently confuse BCPs with disaster recovery plans (DRPs), resulting in an inability to execute mission-critical functions during this event.

Organizations frequently experience challenges in this area during a ransomware event, with no plan to reconstitute the capabilities that support mission-critical functions. With several high-profile ransomware attacks affecting health departments across the United States (including one during my tenure as the chief information security officer for the State of Maryland), seemingly simple administrative tasks, such as issuing death certificates, become impossible.

To prepare for ransomware events or other cyber disruptions, organizations should conduct a business impact analysis (BIA) and integrate the outputs into comprehensive BCPs, reducing the risk of protracted business disruption from a ransomware incident.

**Supply Chain and Vendor Risk**

The scale of this event has highlighted the risks of cyber events affecting supply chains more than any event in recent history, with financial transactions stalled, logistics companies unable to deliver goods, and hospitals unable to replenish lifesaving supplies. 

In 2021, Kronos, a human capital and workforce management SaaS provider, experienced substantial downtime due to a ransomware event, preventing employees from being paid and stopping work activities at thousands of organizations around the globe. With many organizations relying on their partners to recover quickly from a cyber incident, few were prepared to sustain operations in the event of an incident affecting their supply chain.

Organizations should consider and plan for cyber incidents that have negative consequences on their supply chains as part of their business continuity plans and ensure their partners do the same. 

**Improving Resilience From This Event**

For organizations affected by the CrowdStrike disruption, there is a unique opportunity to reflect on what went well and what your organization should focus on improving through the lens of a ransomware incident. While the disruption certainly should not be minimized, the reality of a ransomware incident includes exorbitant costs, weeks to months of downtime, regulatory challenges, potential lawsuits, and numerous other adverse effects that represent long-term organizational damage.

For organizations that experienced indirect impact through partners in their supply chain, there is an opportunity to ensure adequate supply chain diversification and contingency planning is happening.

For organizations lucky enough to have not experienced any adverse impact from this event, it's crucial to recognize that this could have happened to your organization just as easily, and it's better to be prepared than to be lucky.

For everyone, this is an opportunity to reflect on what you should be doing to improve your organization's resilience.

**About the Author(s)**

Director–Security, Privacy, and Risk Consulting, RSM US

Chip Stewart is a director in RSM's Security, Privacy, and Risk Consulting practice and the former CISO for the state of Maryland, where his charge was to build a statewide security program from the ground up. In this role, he championed the creation of the MD-ISAC, an advanced cyber-threat intelligence center focused on helping all levels of government in Maryland proactively protect their networks from cyber threats by providing them with real-time information.

Unexpected Lessons Learned From the CrowdStrike Event

Seeing a “blue screen of death,” often with code that looks indecipherable, has been ingrained into our heads that it’s a “hack."

Thursday, July 25, 2024 14:00

You’re not going to believe this, but there was a lot of misinformation on social media over the weekend after the massive CrowdStrike/Microsoft outage.  

As airlines cancelled flights, hospitals had to reschedule patients and some companies just flat-out couldn’t work on Friday, people were quick to assume that the outage, which was actually caused by a faulty CrowdStrike Falcon update, was a cyber attack. 

Media headlines posed the question: “Cyber attack, or outage?” Social posters quickly assumed this was some sort of “hack.”  

On the one hand, I get it. Seeing a “blue screen of death,” often with code that looks indecipherable, has been ingrained into our heads that it’s a “hack,” because that’s how they’ve always been displayed in works of fiction or as the generic image of a “hack” anytime there is actually a real cyber attack.  

That’s not to say there aren’t many lessons to be learned from this outage, and at some point, we’ll be ready to dig into those. But also calling this a cyber attack can spread unnecessary FUD, especially when threat actors are trying to capitalize on the outage to spread malware in _actual_ cyber attacks.  

**The one big thing **

Business email compromise (BEC) and ransomware were the top threats observed by Cisco Talos Incident Response (Talos IR) in the second quarter of 2024, accounting for 60 percent of engagements. Although there was a decrease in BEC engagements from last quarter, it was still a major threat for the second quarter in a row. There was a slight increase in ransomware where Talos IR responded to Mallox and Underground Team ransomware for the first time this quarter, as well as the previously seen Black Basta and BlackSuit ransomware operations.   

**Why do I care? **

Within BEC attacks, adversaries will compromise legitimate business email accounts and use them to send phishing emails to obtain sensitive information, such as account credentials. Adversaries can also use compromised accounts to send emails with fraudulent financial requests, such as changing bank account information related to payroll or vendor invoices. Targeting employees’ personal mobile devices can be an effective method for initial access because they may not have the same security controls as their corporate devices. Organizations should ensure SMS phishing scams are included in security awareness training for employees.    

**So now what? **

The lack of MFA remains one of the biggest impediments for enterprise security. All organizations should implement some form of MFA, such as Cisco Duo. The implementation of MFA and a single sign-on system can ensure only trusted parties are accessing corporate email accounts to prevent the spread of BEC. 

**Top security headlines of the week **

**A false narrative spread over the weekend that Southwest Airlines was using a very old version of Windows, which allowed it to escape the CrowdStrike-related outage.** Many news outlets reported that Southwest’s system relies on Windows 3.1, released more than 20 years ago. However, this does not actually appear to be the case, though Southwest’s systems may still be outdated compared to its competitors. Instead, Southwest may have been largely unaffected by the outage simply because it doesn’t use CrowdStrike. Delta, American, Spirit, Frontier, United and Allegiant airlines all reported that they were affected by the outage, forcing the cancellation of thousands of flights across the globe. The source of the story that Southwest uses Windows 3.1 appears to come from posts on social media, the original one of which provided no sources, links or background information to back this statement up. Another popular piece of fake news that made the rounds during the widespread outage was that the Las Vegas Sphere was a victim of the outage, with a fake image spreading online appearing to show the “blue screen of death” on the outside of the concert and event venue. (Kotaku, OSNews) 

**U.K. police arrested a teenager suspected of being a member of the Scattered Spider hacking group and a perpetrator of the massive MGM ransomware attack last year.** The arrest is part of a larger investigation conducted by the National Crime Agency in the U.K. and the U.S.’s FBI into a hacking group that is known to breach networks, steal data and deploy ransomware. While not named explicitly in the arrest announcement, this group is largely known as Scattered Spider. The group breached MGM’s network last year, taking hotel and casino services offline for several days, even just forcing some casino operations to stop altogether. MGM eventually paid a multi-million dollar ransomware to the attackers. Scattered Spider is a group of English-speaking threat actors, some of whom are as young as 16, and commonly communicate via Telegram channels and Discord servers. An English detective involved in the operation stated that the 17-year-old in question was part of a group that “targeted well-known organizations with ransomware, and they have successfully targeted multiple victims around the world, taking from them significant amounts of money.” (Bleeping Computer, Dark Reading) 

**Russian state-sponsored actors or hacktivist groups are likely to try and disrupt the upcoming Olympic games in France via cyber attacks, misinformation campaigns and deepfake photos and videos.** Russia has been excluded from the Summer Olympics because of its involvement in an alleged doping scheme with its athletes and has been increasingly hostile toward the West for its support of Ukraine. Russian threat actors have already been spreading disinformation, with Microsoft warning that some actors have been deploying influencers deploying artificial intelligence to “denigrate the reputation of the \[International Olympic Committee\]” and “creating the expectation of violence” at the Olympics. French authorities have also already arrested a Russian national who the government alleges was planning various events to “destabilize” the games. Researchers from FortiGuard Labs have also reported that there has been a spike of dark web activity among known Russian adversaries, including Cyber Army Russia Reborn and LulzSec, specifically saying they plan to target the Olympics. Russia may also seek to use its influence on hacktivist groups to do its bidding so that the Russian government has plausible deniability in any activities. (Forbes, Financial Times) 

**Can't get enough Talos?**

**Upcoming events where you can find Talos **

**_BlackHat USA_** **_(Aug. 3 – 8)_** 

_Las Vegas, Nevada_ 

**_Defcon_** **_(Aug. 8 – 11)_** 

_Las Vegas, Nevada_ 

**_BSides Krakow_** **_(Sept. 14)_**  

_Krakow, Poland_ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f f  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0  
**MD5:** 8c69830a50fb85d8a794fa46643493b2  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Dropper.Generic::1201

**SHA 256:** 161937ed1502c491748d055287898dd37af96405aeff48c2500b834f6739e72d  
**MD5:** fd743b55d530e0468805de0e83758fe9  
**Typical Filename:** KMSAuto Net.exe  
**Claimed Product:** KMSAuto Net  
**Detection Name:** W32.File.MalParent

**SHA 256:** 24283c2eda68c559f85db7bf7ccfe3f81e2c7dfc98a304b2056f1a7c053594fe  
**MD5:** 49ae44d48c8ff0ee1b23a310cb2ecf5a  
**Typical Filename:** nYzVlQyRnQmDcXk  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Scar::tpd

**SHA 256:** bea312ccbc8a912d4322b45ea64d69bb3add4d818fd1eb7723260b11d76a138a  
**MD5:** 200206279107f4a2bb1832e3fcd7d64c  
**Typical Filename:** lsgkozfm.bat  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Scar::tpd

Tag

#intel