PRESS RELEASE

DENVER — June 25, 2024 — Optiv, the cyber advisory and solutions leader, has published its 2024 Threat and Risk Management Report, which examines how organizations’ cybersecurity investments and governance priorities are keeping up with the evolving threat landscape. 

Based on an independent Ponemon Institute survey, the report reveals a 59% increase in cyber budgets year-over-year. Additionally, 63% of organizations with more than 5,000 employees had an average of $26 million allocated to cybersecurity investments in 2024.

The report shows a significant rise in data breaches and security incidents, with 61% of respondents experiencing a data breach or cybersecurity incident in the past two years, and 55% of respondents experiencing four or more incidents in that timeframe. These numbers highlight the urgent need for organizations to further prioritize cybersecurity investments and strategies.

Download the full report: 2024 Cybersecurity Threat and Risk Management Report

“Cyber incidents are not slowing down, which means organizations must work at a speed above those of the threat actors attacking their environments. As we see security budgets increasing, many organizations are also recognizing the need to make smart investments in process and governance assessments to ensure compliance,” says Jason Lewkowicz, executive vice president and chief services officer at Optiv. “Establishing a more consistent, strategic approach to security technology, process and people management will be essential for organizational risk management and resilience.”

Additional key findings include:

*   Security Tool Overload — While organizations are investing in more technologies, 40% of respondents believe they have too many, hindering overall effectiveness. By contrast, only 29% feel that they have the right number of tools. This underscores the need for a strategic approach to cybersecurity investment, focusing on streamlining existing tools and ensuring a seamless technology stack integration.
    
*   Top Investment Areas — The top three areas of investment for 2024 cybersecurity budgets are internal security assessments (60%), identity and access management (IAM) programs (58%) and the acquisition of additional cybersecurity tools (51%).
    
*   Lack of Formal Budgeting Practices — Despite increasing budgets, only 36% of respondents have a formal approach to determining cybersecurity budgets. This lack of formal budgeting practices can lead to inefficiencies and missed opportunities to address critical security gaps.
    
*   Rising SOAR Adoption — The use of security orchestration automation and response (SOAR) technology is increasing, with 73% of respondents leveraging SOAR to automate incident response activities. This automation can help security teams respond more efficiently to threats. 
    

Artificial intelligence (AI) and machine learning (ML) capabilities are another growing focal area for cybersecurity organizations looking for ways to accelerate their threat detection, prevention and process automation capabilities to keep up with threat actors who are also using these tools.

More companies are leveraging AI in the form of use and prevention:

*   44% of respondents use AI/ML to prevent cyberattacks
    
*   35% purchased use-case specific tools
    

*   34% use automated processes and audits
    

Optiv’s report delves deeper into best practices employed by high-performing organizations, offering valuable insights for those seeking to strengthen their cyber defenses. It also explores additional challenges, such as the inconsistency of cybersecurity incident response plans (CSIRPs), navigating cyber insurance/governance requirements and the need for improved communication of cybersecurity risks to senior management.

“Our independent research for Optiv reveals the positive steps organizations are taking to reduce risk, while also addressing the challenges they face in the evolving cyber threat landscape,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “Part of the complexity organizations continue to face in dealing with threats is due to the number of ineffective technology tools. Recognizing this, IT professionals and senior leadership are becoming more cognizant of the importance in strengthening their security posture, resulting in the increase of cybersecurity budgets and allocating funds based on proven effectiveness in reducing security incidents.”

Findings from Optiv’s report are based on responses from 650 IT and cybersecurity professionals.

For the latest news and updates from Optiv, visit https://www.optiv.com/company/optiv-newsroom.

You May Also Like

Optiv Report Shows Nearly 60% Increase in Security Budgets as Most Organizations Report Cyber Breaches and Incidents

Ubuntu Security Notice 6819-4 - Alon Zahavi discovered that the NVMe-oF/TCP subsystem in the Linux kernel did not properly validate H2C PDU data, leading to a null pointer dereference vulnerability. A remote attacker could use this to cause a denial of service. Chenyuan Yang discovered that the RDS Protocol implementation in the Linux kernel contained an out-of-bounds read vulnerability. An attacker could use this to possibly cause a denial of service.

    ==========================================================================Ubuntu Security Notice USN-6819-4June 26, 2024linux-oracle-6.5 vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-oracle-6.5: Linux kernel for Oracle Cloud systemsDetails:Alon Zahavi discovered that the NVMe-oF/TCP subsystem in the Linux kerneldid not properly validate H2C PDU data, leading to a null pointerdereference vulnerability. A remote attacker could use this to cause adenial of service (system crash). (CVE-2023-6356, CVE-2023-6535,CVE-2023-6536)Chenyuan Yang discovered that the RDS Protocol implementation in the Linuxkernel contained an out-of-bounds read vulnerability. An attacker could usethis to possibly cause a denial of service (system crash). (CVE-2024-23849)It was discovered that a race condition existed in the Bluetooth subsystemin the Linux kernel, leading to a null pointer dereference vulnerability. Aprivileged local attacker could use this to possibly cause a denial ofservice (system crash). (CVE-2024-24860)Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:   - ARM64 architecture;   - PowerPC architecture;   - RISC-V architecture;   - S390 architecture;   - Core kernel;   - x86 architecture;   - Block layer subsystem;   - Cryptographic API;   - ACPI drivers;   - Android drivers;   - Drivers core;   - Power management core;   - Bus devices;   - Device frequency scaling framework;   - DMA engine subsystem;   - EDAC drivers;   - ARM SCMI message protocol;   - GPU drivers;   - IIO ADC drivers;   - InfiniBand drivers;   - IOMMU subsystem;   - Media drivers;   - Multifunction device drivers;   - MTD block device drivers;   - Network drivers;   - NVME drivers;   - Device tree and open firmware driver;   - PCI driver for MicroSemi Switchtec;   - Power supply drivers;   - RPMSG subsystem;   - SCSI drivers;   - QCOM SoC drivers;   - SPMI drivers;   - Thermal drivers;   - TTY drivers;   - VFIO drivers;   - BTRFS file system;   - Ceph distributed file system;   - EFI Variable file system;   - EROFS file system;   - Ext4 file system;   - F2FS file system;   - GFS2 file system;   - JFS file system;   - Network file systems library;   - Network file system server daemon;   - File systems infrastructure;   - Pstore file system;   - ReiserFS file system;   - SMB network file system;   - BPF subsystem;   - Memory management;   - TLS protocol;   - Ethernet bridge;   - Networking core;   - IPv4 networking;   - IPv6 networking;   - Logical Link layer;   - MAC80211 subsystem;   - Multipath TCP;   - Netfilter;   - NetLabel subsystem;   - Network traffic control;   - SMC sockets;   - Sun RPC protocol;   - AppArmor security module;   - Intel ASoC drivers;   - MediaTek ASoC drivers;   - USB sound devices;(CVE-2023-52612, CVE-2024-26808, CVE-2023-52691, CVE-2023-52618,CVE-2023-52463, CVE-2023-52447, CVE-2024-26668, CVE-2023-52454,CVE-2024-26670, CVE-2024-26646, CVE-2023-52472, CVE-2024-26586,CVE-2023-52681, CVE-2023-52453, CVE-2023-52611, CVE-2023-52622,CVE-2024-26641, CVE-2023-52616, CVE-2024-26592, CVE-2023-52606,CVE-2024-26620, CVE-2023-52692, CVE-2024-26669, CVE-2023-52623,CVE-2023-52588, CVE-2024-26616, CVE-2024-26610, CVE-2024-35839,CVE-2023-52490, CVE-2023-52672, CVE-2024-26612, CVE-2023-52617,CVE-2023-52697, CVE-2024-26644, CVE-2023-52458, CVE-2023-52598,CVE-2024-35841, CVE-2023-52664, CVE-2023-52635, CVE-2023-52676,CVE-2023-52669, CVE-2024-26632, CVE-2023-52486, CVE-2024-26625,CVE-2023-52608, CVE-2024-26634, CVE-2023-52599, CVE-2024-26618,CVE-2024-26640, CVE-2023-52489, CVE-2023-52675, CVE-2023-52678,CVE-2024-26583, CVE-2023-52693, CVE-2023-52498, CVE-2024-26649,CVE-2023-52670, CVE-2023-52473, CVE-2023-52449, CVE-2023-52667,CVE-2023-52467, CVE-2023-52686, CVE-2024-26633, CVE-2023-52666,CVE-2024-35840, CVE-2024-26629, CVE-2024-26595, CVE-2023-52593,CVE-2023-52687, CVE-2023-52465, CVE-2024-26627, CVE-2023-52493,CVE-2023-52491, CVE-2024-26636, CVE-2024-26584, CVE-2023-52587,CVE-2023-52597, CVE-2023-52462, CVE-2023-52633, CVE-2023-52696,CVE-2024-26585, CVE-2023-52589, CVE-2023-52456, CVE-2023-52470,CVE-2024-35838, CVE-2024-26645, CVE-2023-52591, CVE-2023-52464,CVE-2023-52609, CVE-2024-26608, CVE-2023-52450, CVE-2023-52584,CVE-2023-52469, CVE-2023-52583, CVE-2023-52451, CVE-2023-52495,CVE-2023-52626, CVE-2023-52595, CVE-2023-52680, CVE-2023-52632,CVE-2024-26582, CVE-2024-35837, CVE-2023-52494, CVE-2023-52614,CVE-2023-52443, CVE-2023-52698, CVE-2023-52448, CVE-2024-26615,CVE-2023-52452, CVE-2023-52492, CVE-2024-26647, CVE-2023-52468,CVE-2023-52594, CVE-2023-52621, CVE-2024-26638, CVE-2024-26594,CVE-2024-26673, CVE-2023-52457, CVE-2023-52677, CVE-2023-52607,CVE-2024-26623, CVE-2023-52488, CVE-2023-52497, CVE-2023-52445,CVE-2024-26607, CVE-2023-52610, CVE-2024-35842, CVE-2023-52690,CVE-2023-52683, CVE-2023-52444, CVE-2024-26671, CVE-2023-52455,CVE-2023-52679, CVE-2024-26598, CVE-2023-52674, CVE-2023-52627,CVE-2023-52619, CVE-2023-52487, CVE-2023-52446, CVE-2024-35835,CVE-2023-52682, CVE-2023-52685, CVE-2023-52694, CVE-2024-26631)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS   linux-image-6.5.0-1024-oracle   6.5.0-1024.24~22.04.1   linux-image-6.5.0-1024-oracle-64k  6.5.0-1024.24~22.04.1   linux-image-oracle              6.5.0.1024.24~22.04.1   linux-image-oracle-64k          6.5.0.1024.24~22.04.1After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6819-4   https://ubuntu.com/security/notices/USN-6819-1   CVE-2023-52443, CVE-2023-52444, CVE-2023-52445, CVE-2023-52446,   CVE-2023-52447, CVE-2023-52448, CVE-2023-52449, CVE-2023-52450,   CVE-2023-52451, CVE-2023-52452, CVE-2023-52453, CVE-2023-52454,   CVE-2023-52455, CVE-2023-52456, CVE-2023-52457, CVE-2023-52458,   CVE-2023-52462, CVE-2023-52463, CVE-2023-52464, CVE-2023-52465,   CVE-2023-52467, CVE-2023-52468, CVE-2023-52469, CVE-2023-52470,   CVE-2023-52472, CVE-2023-52473, CVE-2023-52486, CVE-2023-52487,   CVE-2023-52488, CVE-2023-52489, CVE-2023-52490, CVE-2023-52491,   CVE-2023-52492, CVE-2023-52493, CVE-2023-52494, CVE-2023-52495,   CVE-2023-52497, CVE-2023-52498, CVE-2023-52583, CVE-2023-52584,   CVE-2023-52587, CVE-2023-52588, CVE-2023-52589, CVE-2023-52591,   CVE-2023-52593, CVE-2023-52594, CVE-2023-52595, CVE-2023-52597,   CVE-2023-52598, CVE-2023-52599, CVE-2023-52606, CVE-2023-52607,   CVE-2023-52608, CVE-2023-52609, CVE-2023-52610, CVE-2023-52611,   CVE-2023-52612, CVE-2023-52614, CVE-2023-52616, CVE-2023-52617,   CVE-2023-52618, CVE-2023-52619, CVE-2023-52621, CVE-2023-52622,   CVE-2023-52623, CVE-2023-52626, CVE-2023-52627, CVE-2023-52632,   CVE-2023-52633, CVE-2023-52635, CVE-2023-52664, CVE-2023-52666,   CVE-2023-52667, CVE-2023-52669, CVE-2023-52670, CVE-2023-52672,   CVE-2023-52674, CVE-2023-52675, CVE-2023-52676, CVE-2023-52677,   CVE-2023-52678, CVE-2023-52679, CVE-2023-52680, CVE-2023-52681,   CVE-2023-52682, CVE-2023-52683, CVE-2023-52685, CVE-2023-52686,   CVE-2023-52687, CVE-2023-52690, CVE-2023-52691, CVE-2023-52692,   CVE-2023-52693, CVE-2023-52694, CVE-2023-52696, CVE-2023-52697,   CVE-2023-52698, CVE-2023-6356, CVE-2023-6535, CVE-2023-6536,   CVE-2024-23849, CVE-2024-24860, CVE-2024-26582, CVE-2024-26583,   CVE-2024-26584, CVE-2024-26585, CVE-2024-26586, CVE-2024-26592,   CVE-2024-26594, CVE-2024-26595, CVE-2024-26598, CVE-2024-26607,   CVE-2024-26608, CVE-2024-26610, CVE-2024-26612, CVE-2024-26615,   CVE-2024-26616, CVE-2024-26618, CVE-2024-26620, CVE-2024-26623,   CVE-2024-26625, CVE-2024-26627, CVE-2024-26629, CVE-2024-26631,   CVE-2024-26632, CVE-2024-26633, CVE-2024-26634, CVE-2024-26636,   CVE-2024-26638, CVE-2024-26640, CVE-2024-26641, CVE-2024-26644,   CVE-2024-26645, CVE-2024-26646, CVE-2024-26647, CVE-2024-26649,   CVE-2024-26668, CVE-2024-26669, CVE-2024-26670, CVE-2024-26671,   CVE-2024-26673, CVE-2024-26808, CVE-2024-35835, CVE-2024-35837,   CVE-2024-35838, CVE-2024-35839, CVE-2024-35840, CVE-2024-35841,   CVE-2024-35842Package Information:   https://launchpad.net/ubuntu/+source/linux-oracle-6.5/6.5.0-1024.24~22.04.1

Ubuntu Security Notice USN-6819-4

Threat actors with suspected ties to China and North Korea have been linked to ransomware and data encryption attacks targeting government and critical infrastructure sectors across the world between 2021 and 2023.
While one cluster of activity has been associated with the ChamelGang (aka CamoFei), the second cluster overlaps with activity previously attributed to Chinese and North Korean

Threat actors with suspected ties to China and North Korea have been linked to ransomware and data encryption attacks targeting government and critical infrastructure sectors across the world between 2021 and 2023.

While one cluster of activity has been associated with the ChamelGang (aka CamoFei), the second cluster overlaps with activity previously attributed to Chinese and North Korean state-sponsored groups, cybersecurity firms SentinelOne and Recorded Future said in a joint report shared with The Hacker News.

This includes ChamelGang's attacks aimed at the All India Institute of Medical Sciences (AIIMS) and the Presidency of Brazil in 2022 using CatB ransomware, as well as targeting a government entity in East Asia and an aviation organization in the Indian subcontinent.

"Threat actors in the cyber espionage ecosystem are engaging in an increasingly disturbing trend of using ransomware as a final stage in their operations for the purposes of financial gain, disruption, distraction, misattribution, or removal of evidence," security researchers Aleksandar Milenkoski and Julian-Ferdinand Vögele said.

Ransomware attacks in this context not only serve as an outlet for sabotage but also allow threat actors to cover up their tracks by destroying artifacts that could otherwise alert defenders to their presence.

ChamelGang, first documented by Positive Technologies in 2021, is assessed to be a China-nexus group that operates with motivations as varied as intelligence gathering, data theft, financial gain, denial-of-service (DoS) attacks, and information operations, according to Taiwanese cybersecurity firm TeamT5.

It's known to possess a wide range of tools in its arsenal, including BeaconLoader, Cobalt Strike, backdoors like AukDoor and DoorMe, and a ransomware strain known as CatB, which has been identified as used in attacks targeting Brazil and India based on commonalities in the ransom note, the format of the contact email address, the cryptocurrency wallet address, and the filename extension of encrypted files.

Attacks observed in 2023 have also leveraged an updated version of BeaconLoader to deliver Cobalt Strike for reconnaissance and post-exploitation activities such as dropping additional tooling and exfiltrating NTDS.dit database file.

Furthermore, it's worth pointing out that custom malware put to use by ChamelGang such as DoorMe and MGDrive (whose macOS variant is called Gimmick) have also been linked to other Chinese threat groups like REF2924 and Storm Cloud, once again alluding to the possibility of a "digital quartermaster supplying distinct operational groups with malware."

The other set of intrusions involves the use of Jetico BestCrypt and Microsoft BitLocker in cyber attacks affecting various industry verticals in North America, South America, and Europe. As many as 37 organizations, predominantly the U.S. manufacturing sector, are estimated to have been targeted.

The tactics observed cluster, per the two cybersecurity companies, are consistent with those attributed to a Chinese hacking crew dubbed APT41 and a North Korean actor known as Andariel, owing to the presence of tools like the China Chopper web shell and a backdoor known as DTrack.

"Cyber espionage operations disguised as ransomware activities provide an opportunity for adversarial countries to claim plausible deniability by attributing the actions to independent cybercriminal actors rather than state-sponsored entities," the researchers said.

"The use of ransomware by cyberespionage threat groups blurs the lines between cybercrime and cyber espionage, providing adversaries with advantages from both strategic and operational perspectives."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Chinese and N. Korean Hackers Target Global Infrastructure with Ransomware

The China-nexus cyber-threat actor has been operating since at least 2019 and has notched victims in multiple countries.

Source: Herr Loeffler va Shutterstock

A likely China-backed advanced persistent threat (APT) group has been systematically using ransomware to disguise its relatively prolific cyber-espionage operations for the past three years, at least.

The threat actor, who researchers at SentinelOne are tracking as ChamelGang (aka CamoFei), has recently targeted critical infrastructure organizations in East Asia and India.  

**Ransomware as a Distraction**

Some of ChamelGang's victims in that region include an aviation organization in the Indian subcontinent and the All India Institute of Medical Sciences (AIIMS). But the group's previous victims include government and private sector organizations — including those in critical infrastructure sectors — in the US, Russia, Taiwan, and Japan.

According to SentinelOne, what makes ChamelGang's operations noteworthy is its regular use of a ransomware tool called CatB to distract from and conceal its cyber-espionage focus.

"Cyberespionage operations disguised as ransomware activities provide an opportunity for adversarial countries to claim plausible deniability by attributing the actions to independent cybercriminal actors rather than state-sponsored entities," the security vendor said in a report shared with Dark Reading. "Furthermore, misattributing cyberespionage activities as cybercriminal operations can result in strategic repercussions, especially in the context of attacks on government or critical infrastructure organizations."

Significantly, ransomware also gives cyber-espionage actors a way to conveniently cover their tracks by destroying artifacts and evidence that would have pointed to their data theft activities, SentineOne said.

ChamelGang is not the first China-nexus cyberespionage player to use ransomware in this manner. Other examples include APT41 — an umbrella group of multiple smaller subgroups — and Bronze Starlight, whose victims include organizations in the US and multiple other countries.

"Current and historical evidence suggests that cyberespionage clusters use ransomware primarily for disruption or financial gain," says Aleksandar Milenkoski, senior threat researcher at SentinelOne's SentinelLabs.

In ChamelGang's case, the threat actor has typically tended to deploy its ransomware toward the end of its missions where covertness is no longer an operational objective, Milenkoski says. Ransomware can be used as a cover for exfiltrating intelligence-relevant data and deflecting blame, so victims of a ransomware attack should not ignore this aspect when responding to an attack, he says: "Depending on the potential value of the targeted organization to adversaries from an intelligence perspective, these dimensions of ransomware activities should be considered when assessing the situation."

**Data Espionage & Theft**

ChamelGang is a threat actor that others such as Positive Technologies and Team5 have previously identified as focused on data theft and cyber espionage. Positive Technologies reported on the group's activities in September 2021 following a breach investigation at an energy company where the threat actor disguised its malware and infrastructure to look like legitimate Microsoft, Google, IBM, TrendMicro, and McAfee services.

Team5, which tracks the group as Camo Fei, has assessed the threat actor as having been active since at least 2019 and using a variety of malware tools in its campaigns, including Cobalt Strike, DoorMe, IISBeacon, MGDrive, and the CatB ransomware tool. Team5's research showed the threat actor is primarily focused on targets in the government sector and, to a lesser extent, the healthcare, telecommunications, energy, water, and high-tech sectors as well.

SentinelOne itself has assessed ChamelGang's current focus on East Asia and the Indian subcontinent as resulting from geopolitical tensions, regional rivalries and a race for technological and economic superiority. The company's investigations showed the group deployed CatB ransomware in its 2022 attacks on India's AIIMS and against the Brazilian government after using tools such as BeaconLoader and Cobalt Strike during earlier phases of the intrusion.

The interest of threat actors in conducting both cyber espionage and financially motivated activities to actually collect a ransom depends on their objectives when targeting an organization, Milenkoski says. "Historically, a common case where threat actors have shown no interest in collecting ransom is when deploying ransomware for disruptive purposes," he says. "But we note that interest in ransom payment may represent a cover by itself."

'ChamelGang' APT Disguises Espionage Activities With Ransomware

Cybersecurity researchers have discovered an updated version of an Android banking trojan called Medusa that has been used to target users in Canada, France, Italy, Spain, Turkey, the U.K., and the U.S.
The new fraud campaigns, observed in May 2024 and active since July 2023, manifested through five different botnets operated by various affiliates, cybersecurity firm Cleafy said in an analysis

Android Security / Threat Intelligence

Cybersecurity researchers have discovered an updated version of an Android banking trojan called **Medusa** that has been used to target users in Canada, France, Italy, Spain, Turkey, the U.K., and the U.S.

The new fraud campaigns, observed in May 2024 and active since July 2023, manifested through five different botnets operated by various affiliates, cybersecurity firm Cleafy said in an analysis published last week.

The new Medusa samples feature a "lightweight permission set and new features, such as the ability to display a full-screen overlay and remotely uninstall applications," security researchers Simone Mattia and Federico Valentini said.

Medusa, also known as TangleBot, is a sophisticated Android malware first discovered in July 2020 targeting financial entities in Turkey. It comes with capabilities to read SMS messages, log keystrokes, capture screenshots, record calls, share the device screen in real-time, and perform unauthorized fund transfers using overlay attacks to steal banking credentials.

In February 2022, ThreatFabric uncovered Medusa campaigns leveraging similar delivery mechanisms as that of FluBot (aka Cabassous) by masquerading the malware as seemingly harmless package delivery and utility apps. It's suspected that the threat actors behind the Trojan are from Turkey.

Cleafy's latest analysis reveals not only improvements to the malware, but also the use of dropper apps to disseminate Medusa under the guise of fake updates. Furthermore, legitimate services like Telegram and X are used as dead drop resolvers to retrieve the command-and-control (C2) server used for data exfiltration.

A notable change is the reduction in the number of permissions sought in an apparent effort to lower the chances of detection. That said, it still requires Android's accessibility services API, which allows it to stealthily enable other permissions as required and avoid raising user suspicion.

Another modification is the ability to set a black screen overlay on the victim's device to give the impression that the device is locked or powered off and use it as a cover to carry out malicious activities.

Medusa botnet clusters typically rely on tried-and-tested approaches such as phishing to spread the malware. However, newer waves have been observed propagating it via dropper apps downloaded from untrusted sources, underscoring continued efforts on the part of threat actors to evolve their tactics.

"Minimizing the required permissions evades detection and appears more benign, enhancing its ability to operate undetected for extended periods," the researchers said. "Geographically, the malware is expanding into new regions, such as Italy and France, indicating a deliberate effort to diversify its victim pool and broaden its attack surface."

The development comes as Symantec revealed that fictitious Chrome browser updates for Android are being used as a lure to drop the Cerberus banking trojan. Similar campaigns distributing bogus Telegram apps via phony websites ("telegroms\[.\]icu") have also been observed distributing another Android malware dubbed SpyMax.

Once installed, the app prompts the user to enable the accessibility services, allowing it to gather keystrokes, precise locations, and even the speed at which the device is moving. The collected information is then compressed and exported to an encoded C2 server.

"SpyMax is a remote administration tool (RAT) that has the capability to gather personal/private information from the infected device without consent from the user and sends the same to a remote threat actor," K7 Security Labs said. "This enables the threat actors to control victims' devices that impacts the confidentiality and integrity of the victim's privacy and data."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Medusa Android Trojan Targets Banking Users Across 7 Countries

Injected malicious JavaScript code gives attackers administrator rights on websites, and fills sites with SEO spam.

Source: Primakov via Shutterstock

A threat actor or actors has compromised multiple plug-ins on the WordPress.org site with code aimed at giving attackers administrative privileges as well as conducting further malicious activity.

WordPress.org's Plug-in Review team warned users on Monday that a plug-in called Social Warfare was infected by malicious code, according to a forum post. After noticing the post, Wordfence researchers did some follow-up and discovered that there were several more WordPress.org plug-ins injected with the same code, according to a blog post published by Wordfence on June 24.

In addition to Social Warfare, versions 4.4.6.4 and 4.4.7.1, the affected plug-ins include: Blaze Widget v2.2.5 to 2.5.2; Wrapper Link Element v1.0.2 to 1.0.3; Contact Form 7 Multi-Step Addon v1.0.4 to 1.0.5; and Simply Show Hooks v1.2.1.

Of the plug-ins, Social Warfare (a social-media-themed offering) has the most installations, with more than 30,000; the rest reached no more than hundreds at the most. Still, the presence of the same malicious code across all of them should raise alarm bells, as it suggests attempts at a larger supply chain attack, according to Wordfence.

Social Warfare has been patched in version 4.4.7.3; however, it and all of the affected plug-ins have been delisted and are unavailable for download, at least temporarily, though WordPress.org did not respond when Wordfence reached out about its discovery.

None of the other plug-ins currently have a patched version; however, someone has removed the malicious code from Wrapper Link Element in a current version that's been tagged as 1.0.0, which is lower than the infected versions and thus may make it difficult for users to update, according to Wordfence.

**Malicious Behavior**

The malicious code injected in the plug-ins "attempts to create a new administrative user account and then sends those details back to the attacker-controlled server" located at 94.156.79.8, Wordfence threat intelligence lead Chloe Chamberland wrote in the post. The campaign also uses the plug-ins to inject malicious JavaScript into the footer of websites and to add SEO spam throughout it, she said.

"The injected malicious code is not very sophisticated or heavily obfuscated and contains comments throughout making it easy to follow," Chamberland added.

The origin of the attack was likely June 21, and attackers were still updating plug-ins about five hours before WordFence published its post on the attack on June 24. The researchers still don't know exactly how the infection began, and is performing a deeper analysis with updates to follow, she said.

**Mitigating Attacks Via WordPress Plug-Ins**

Due to its widespread use as a foundation for websites, the WordPress platform and its plug-ins especially are a notoriously popular target for threat actors, giving them easy access to a broad attack surface. Typically, attackers target singular plug-ins with large install bases; however, the new attack suggests that attackers now may be eyeing more ambitious supply chain attacks across multiple plug-ins to broaden the impact of malicious campaigns, according to Wordfence.

As such an attack demands greater vigilance, Wordfence — which focuses on the security of the WordPress platform — is actively working on a set of malware signatures to provide detection for these compromised plug-ins. In the meantime, anyone using any of the plug-ins should remove them from any websites immediately and "go into incident-response mode," Chamberland said.

"We recommend checking your WordPress administrative user accounts and deleting any that are unauthorized, along with running a complete malware scan" to remove any malicious code, she said.

Wordfence also included in the post various indicators of compromise (IoCs) — including known usernames associated with attacker-controlled admin accounts — that WordPress administrators can use to identify evidence of the campaign. Also included is a link to a guide that provides advice on how to clean WordPress-based websites of malicious code.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

WordPress Supply Chain Attack Spreads Across Multiple Plug-ins

Knowledge institutions with legacy infrastructure, limited resources, and digitized intellectual property must protect themselves from sophisticated and destructive cyberattacks.

Source: Ianni Dimitrov Pictures via Alamy Stock Photo

COMMENTARY

In October 2023, the British Library underwent a crippling cyberattack that took down its website, a majority of its online services, including card transitions, reader registrations, and ticket sales, along with access to its digital library catalog. The attack cost the library £7 million (US$8.9 million) in recovery costs, or about 40% of its reserve budget. Although the online catalogue was restored in January, full recovery is not expected before the end of the year. 

Analyzing the British Library's initial response reveals that it effectively executed a carefully planned response strategy. With its vast store of 170 million items, the national library of Great Britain acknowledged a critical oversight in not having a security team on retainer and readily available, resulting in overreliance on an external team unfamiliar with the environment and scrambling in the eleventh hour. 

Welcoming transparency, the institution issued its report outlining details of the attack and sharing valuable lessons of benefit to other organizations in their cyber preparedness and mitigation efforts. 

**How Did Attackers Breach the British Library?**

While the exact method of entry is unknown due to the extensive damage caused by the attackers, investigators were able to trace unauthorized access at the Terminal Services server, which was installed in 2020 — COVID era — to facilitate remote access for external partners and internal IT administrators. 

Many of these outside parties had privileged access to specific servers and software. It is believed that the root cause behind the attack could have been the compromise of privileged account credentials, possibly via phishing, spear-phishing, or brute-forcing credentials. The library admitted to having an unusually diverse and complex technology estate comprising a stack of legacy tools and infrastructure that led to the severity of the incident. Although the Terminal Services server was protected by a firewall and antivirus software, it lacked standard multifactor authentication (MFA) protection — a gross oversight.

**What Did Hackers Steal?**

Like most ransomware attacks, these adversaries stole sensitive data that could be either monetized on underground marketplaces or used to demand a ransom payment. Threat actors are said to have copied 600GB of files. Attackers used three methods to identify sensitive data: 

*   Network drives were copied from finance, technology, and HR departments. 
    
*   Keyword attacks were launched to scan the network for sensitive words such as "passport" and "confidential." Files were also copied from the personal drives of staff members. 
    
*   Native utilities used to administer networks were hijacked, then used to create backup copies of 22 databases, including contact details of external users and customers.
    

**What Else Is Known About the Attackers?**

The infamous ransomware-as-a-service provider Rhysida claimed responsibility for the attack. This criminal group is also known for its attacks on the Chilean army, as well as attacks on schools, power plants, universities, and government institutions across Europe. Rhysida and its affiliates have an attack methodology that typically involves defense evasion, exfiltration of data for ransom, and destruction of servers to inhibit system recovery. It uses a host of anti-forensics tactics, covering its tracks by deleting log files, making it difficult to trace its activities. Rhysida demanded some 20 bitcoins from the British Library. UK government policy forbids the payment of ransom, so when the library refused to cooperate with the extortionists, the gang released images of employee passports and leaked most of the material to the Dark Web. 

**Takeaway Lessons Learned From the Library Attack**

*   Assess your technical debt: When a decision is made to use hardware and software beyond their supportable or useful life, it can leave gaping holes in the security posture. It is important that organizations know and evaluate this technical debt from a cyber perspective. Remember that recovery times and costs are far greater than building something new from scratch.
    
*   Maintain a holistic view of cyber-risk: Ensure that essential business stakeholders tasked with deciding on whether to accept, mitigate, or transfer cyber-risks have a thorough understanding of these risks. Such comprehension is crucial for effectively allocating resources, prioritizing necessary actions, and determining the order in which they should be conducted.
    
*   Practice good information governance: Contemporary threat actors often target specific assets for seizure. Lacking a solid grasp of your information governance can result in uncertainty regarding the location and significance of your most critical assets, leading to a protracted, arduous, and costly recovery process. That's why it's advisable to run simulation exercises frequently, just to understand where weaknesses reside. By urgently mobilizing needed resources within the first hour, organizations can significantly limit the blast radius.
    
*   Adopt a defense-in-depth approach: A defense-in-depth security approach is a type of layered security that can help curtail the blast radius and limit the damage even when an adversary infiltrates your environment. For example, had the British Library activated MFA on its servers, or had it segregated its network into multiple segments, it would have been in a superior position to detect the attacker’s presence early, limiting their progression to make lateral movements, and preventing data exfiltration.
    

The British Library attack is a wake-up call for all knowledge institutions, libraries, and government-funded organizations that have similar risks in terms of legacy infrastructure, limited resources, and a significant portion of their intellectual property and research existing in a digital format. Such organizations should follow the above best practices to help protect themselves from sophisticated and destructive cyberattacks.

**About the Author(s)**

CEO, Information Security Forum

Steve Durbin is CEO of the Information Security Forum, an independent, not-for-profit organization dedicated to investigating, clarifying, and resolving key issues in information security and risk management by developing best-practice methodologies, processes, and solutions that meet the business needs of its members. He is a frequent speaker on the board's role in cybersecurity and technology.

Key Takeaways From the British Library Cyberattack

WikiLeaks founder Julian Assange has agreed to plead guilty to one count of espionage in US court on Wednesday, ending a years-long legal battle between the US government and a controversial publisher.

United States prosecutors have secured a deal with WikiLeaks founder Julian Assange requiring the long-embattled publisher to plead guilty to one count of espionage for his role in making public classified documents concerning the US wars in Iraq and Afghanistan.

The agreement, which follows more than a decade of efforts by Assange, 52, to avoid extradition from the United Kingdom, would draw to a close one of the longest-running national security investigations in US history. The deal was first disclosed in court documents made public in the UK.

Assange and his legal team, which have denied the accusations levied by the US, could not be immediately reached for comment.

“Julian Assange is free,” WikiLeaks wrote in a statement posted to X. “He left Belmarsh maximum security prison on the morning of 24 June, after having spent 1901 days there.”

A letter US prosecutors filed in the US District Court for the Northern Mariana Islands on Monday indicates that Assange will enter his guilty plea at a Wednesday hearing in Sapian, the island territory’s capital, having refused to travel to the continental US. He is then expected to return to his home country of Australia, having already served the expected 62-month sentence in London prison.

The case against Assange centers around the publishing of more than 750,000 stolen US documents by WikiLeaks between 2009 and 2011. It has drawn enormous attention for its clear implications on press freedoms internationally. Organizations such as the Committee to Protect Journalists in the US have for years warned the case could severely imperil the ability of journalists to obtain and publish classified information—even though the nation’s highest court has long recognized the right of journalists to do so.

Ahead of the 2016 US presidential election between Hillary Clinton and Donald Trump, WikiLeaks published a trove of emails stolen from the Democratic National Committee. The leak, which embarrassed the DNC and won Assange praise from right-wing figures, was later revealed to be the work of notorious Russian hacking groups known as Cozy Bear and Fancy Bear, both affiliated with Moscow’s GRU military intelligence agency.

US prosecutors initially charged Assange with a single count under the Computer Fraud and Abuse Act for allegedly conspiring with Chelsea Manning, who provided WikiLeaks with the trove of classified material related to the wars in Iraq and Afghanistan, to gain unauthorized access to government computers. Prosecutors later added an additional 17 charges under the Espionage Act—a move widely condemned as an attack on the free press.

Assange, forcibly removed from the Ecuadorian embassy in London in 2019 after seven years asylum, has been held in Belmarsh prison in London pending the outcome of his extradition hearings, which were delayed repeatedly over the course of the Covid-19 pandemic. His attorneys argued that due to his deteriorating mental health, extradition to the US would increase the likelihood of suicide.

US prosecutors secured, on appeal, permission to extradite the award-winning journalist, who married his longtime partner, Stella Moris, while in jail in 2022, by offering UK courts a slate of written assurances. Among other concessions, the US promised not to subject Assange to “special administration measures,” a term referring to the practice of wiretapping certain defendants’ phone calls citing national security concerns.

“This period of our lives, I’m confident now, has come to an end,” said Moris—now Assange—in a video prerecorded last week. “I think by this time next week, Julian will be free.”

Kristinn Hrafnsson, WikiLeaks editor in chief, said in the same video captured outside Belmarsh that he hoped to see Assange for the last time inside its walls. “If you’re seeing this, it means he is out.”

The Julian Assange Saga Is Finally Over

The most notorious deepfake sexual abuse website is hosting altered videos originally published as part of the GirlsDoPorn operation. Experts say this new low is only the beginning.

_This article contains descriptions of sex trafficking and abuse. Discretion is advised._

For years, nonconsensual deepfake pornography has been used to harass, silence, shame, and abuse women. Celebrities and influencers have their faces implanted into existing adult videos; men have used the technology to place “friends” into explicit videos; and boys have allegedly created “nude” images of their female classmates. However, among the ever growing harassment and abuse, deepfake creators have now, arguably, hit a new low: using videos of sex trafficking victims as the basis of the nonconsensual videos.

Over the past two months, an account on the largest deepfake sexual abuse website has posted 12 celebrity videos that are based on footage from GirlsDoPorn, a now-defunct sex trafficking operation that the US Department of Justice says its operators used to conspire and commit sex trafficking through “force, fraud, and coercion,” tricking five women—and allegedly hundreds more— into making sex videos that were subsequently posted online.

The dozen videos—which ran up to 21 minutes long and racked up tens of thousands of views before they were taken down following WIRED’s inquiry—used footage originally posted to the GirlsDoPorn website and had celebrity faces added using artificial intelligence. It appears that a startup’s face-swapping tool may have been abused to transform the videos into deepfakes, according to watermarks on the footage.

As deepfake technology has become increasingly capable of creating realistic imagery and easier to use, hundreds of websites and apps designed to create or host deepfake sexual abuse have appeared. Laws to limit the use of these tools and protect those targeted are lagging, even as the malicious use of AI has evolved to not just create new victims but to revictimize survivors.

From 2012 to 2019, the DOJ says, the creators of GirlsDoPorn worked by recruiting young women, using ads posted on Craigslist, for what they claimed were clothed modeling photo shoots. When the women responded, they were told the ads were for pornographic videos, and they were pressured into taking part, according to various lawsuits and survivor testimonies.

The individuals behind the scheme, according to the DOJ, told the women the videos would only be sold on DVDs outside of the United States and the footage would not be posted to the internet. Instead, they then posted short videoclips to online platforms, such as Pornhub, and full-length versions to their GirlsDoPorn website. The videos have circulated online since.

Multiple legal proceedings against the creators of GirlsDoPorn, people affiliated with the website, and Pornhub's parent company are ongoing or have been completed—with criminal charges being issued against several GirlsDoPorn organizers in October 2019.

Since then, 22 survivors have been awarded nearly $13 million in damages, and 402 victims were given copyright ownership of videos featuring them, making it easier to scrub them from the web. At the end of 2023, Pornhub’s parent company, Aylo Holdings, agreed to pay damages to women impacted by the sharing of the GirlsDoPorn videos.

Among those charged, Ruben Andre Garcia, a GirlsDoPorn producer and recruiter, was sentenced to 20 years in prison; Matthew Isaac Wolfe, who admitted to having a “wide range of responsibilities” at GirlsDoPorn, according to the DOJ, was sentenced to 14 years; cameraman Theodore Wilfred Gyi was sentenced to four years; and GirlsDoPorn bookkeeper Valorie Moser pleaded guilty to one charge of conspiracy to commit sex trafficking and is awaiting sentencing. Finally, in March this year, the alleged GirlsDoPorn mastermind, Michael Pratt, was extradited from Spain to the US to face charges linked to the operation. He has pleaded not guilty. In total, those involved in GirlsDoPorn have been ordered to pay more than $35 million in restitution.

Brian Holm, a managing attorney at the Holm Law Group and a longtime civil attorney for GirlsDoPorn survivors, confirmed that the videos posted to the deepfake sexual abuse website were originally from GirlsDoPorn. These include, Holm says, survivors who have been involved in the legal cases against GirlsDoPorn or against Pornhub.

“It’s a real double whammy for trafficking victims to see their videos used like this,” says Holm, adding that the videos are the tip of the iceberg. “From what I’ve seen on that site, I think there's 10 times the amount you sent me that I’ve seen on there.”

The 12 videos posted by the account seen by WIRED have received up to 15,000 views each, and several have a ‘girlsdoporn.com’ watermark on the footage. The account that posted the videos has a version of “GirlsDoPorn” as its username and included the sex trafficking site in the title of the videos.

WIRED is not naming the deepfake abuse website due to its role in spreading abusive content or the celebrities featured in the videos. The website is the largest website of its kind—hosting tens of thousands of videos and receiving millions of visitors. In April, the website blocked visitors from the UK after lawmakers in the country announced plans to make it a criminal offense to create nonconsensual explicit deepfakes.

“These creators of sexually explicit deepfakes have no regard whatsoever for the women and girls who are victims of sex trafficking and now being further abused through this deepfake sexual abuse,” says Clare McGlynn, a professor of law at Durham University, who works to counter image-based abuse.

“This website is actively choosing to share recordings of actual sexual assaults,” McGlynn says. “These are heinous acts, deliberately and knowingly causing life-shattering and life-threatening harms. The drive for profit, for fueling the trade in nonconsensual porn, knows no bounds. This shows a contempt for the rights of women and girls.”

Neither the account posting the deepfake GirlsDoPorn videos nor the site’s anonymous administrator’s replied to questions from WIRED.

At the end of March, another user on the website asked whether the GirlsDoPorn footage was allowed, saying it made them “feel sick.” They suggested some people may not know the history of GirlsDoPorn but pointed out: “This … one user clearly does tho, with branding themselves with a rape website.” A moderator replied saying they were not going to remove the videos but said if there was a “list” of videos confirmed to include sex trafficking victims they would notify the website’s administrators to take them down.

As well as the GirlsDoPorn watermark, the 12 videos hosted on the deepfake website also have a watermark of US company Akool, which offers generative AI services, including a “face-swapping” tool, to marketing professionals.

Jiajun Lu, the founder and CEO of Akool, says the company’s terms of service prohibit copyright violations, sexual and violent content, and it frequently bans accounts. “They are strictly forbidden on our platform, and we have multiple approaches to prevent it from happening, and more solutions are coming up soon,” he says. “We changed our watermarks a few months ago, and these videos might not come from our website.”

The CEO says that the company is working on new safety tools as it increases the security of its website: For instance, it is considering verifying the identity of people trying to use its face-swapping tool using face recognition, and initially the team is building more prominent warning notices about prohibited use cases.

Since 2016, Charles DeBarber, director of operations at technology firm Phoenix AI, has been undertaking the arduous task of discovering and trying to remove content from GirlsDoPorn that has been posted online. As part of Phoenix AI, this work—including building tools to automate online searches and using face recognition—has helped to remove around 60 GirlsDoPorn survivors’ footage from the web, DeBarber says.

“Not only does it open wounds of survivors already, but it's making new survivors and making new victims,” DeBarber, who has worked with GirlsDoPorn survivors for years, says of the deepfakes. The deepfake abuse website, DeBarber says, doesn’t take anything down when requests are made to it, and it is hosted by a company registered in the Seychelles.

Since deepfake sexual abuse videos appeared more than half a decade ago, those targeted by them have struggled to get them removed from the web, and US lawmakers have been slow to regulate or criminalize the abusive behavior. In many instances, including in wider cases of image-based abuse, people trying to remove abusive content from the web have had to resort to complaints made under the Digital Millennium Copyright Act. According to DeBarber, it’s not enough.

“Our laws are written in a way that protects intellectual property but not survivors, and it’s very demeaning for a lot of our survivors,” he says. “These are people that were treated like a commodity, and now we have to use intellectual property law to get it down.”

Deepfake Creators Are Revictimizing GirlsDoPorn Sex Trafficking Survivors

WikiLeaks founder Julian Assange has been freed in the U.K. and has departed the country after serving more than five years in a maximum security prison at Belmarsh for what was described by the U.S. government as the "largest compromises of classified information in the history" of the country.
Capping off a 14-year legal saga, Assange, 52, pleaded guilty to one criminal count of conspiring to

National Security / Wikileak

WikiLeaks founder Julian Assange has been freed in the U.K. and has departed the country after serving more than five years in a maximum security prison at Belmarsh for what was described by the U.S. government as the "largest compromises of classified information in the history" of the country.

Capping off a 14-year legal saga, Assange, 52, pleaded guilty to one criminal count of conspiring to obtain and disclose classified U.S. national defense documents. He is due to be sentenced to 62 months of time already served in the Pacific island of Saipan later this week.

According to the Associated Press, the hearing is taking place there because of Assange's "opposition to traveling to the continental U.S. and the court's proximity to Australia."

"This is the result of a global campaign that spanned grass-roots organizers, press freedom campaigners, legislators and leaders from across the political spectrum, all the way to the United Nations," WikiLeaks said in a statement.

"This created the space for a long period of negotiations with the U.S. Department of Justice, leading to a deal that has not yet been formally finalized."

Assange, who was granted bail by the High Court in London on Monday, and has since boarded a flight to Australia. He also faced separate charges of rape and sexual assault in Sweden, claims he has denied.

The U.S. Department of Justice (DoJ) in 2019 said Assange's actions "risked serious harm to United States national security to the benefit of our adversaries and put the unredacted named human sources at a grave and imminent risk of serious physical harm and/or arbitrary detention."

It's believed that the DoJ accepted the plea agreement with no additional prison time because of the fact that Assange had already served longer than most people charged with a similar offense.

Founded in 2006, WikiLeaks is estimated to have published more than 10 million documents related to war, spying and corruption, including military field logs from the wars in Afghanistan and Iraq. as well as diplomatic cables from the United States (dubbed Cablegate) and information about detainees at the Guantanamo Bay detention camp.

Notably, it also released a tranche of cyber warfare and surveillance tools allegedly created by the U.S. Central Intelligence Agency (CIA), a collection cumulatively known as Vault 7 and Vault 8, and documents detailing the National Security Agency's spying of France, Germany, Brazil, and Japan.

Joshua Schulte, a former CIA engineer who was accused of passing on the confidential trove of cyber weapons, has since been sentenced to 40 years in prison.

Another of Assange's collaborators, Chelsea Elizabeth Manning (born Bradley Edward Manning), was sentenced to 35 years in prison for disclosing to WikiLeaks hundreds of thousands of documents that came to be known as the Iraq War Logs and Afghan War Diary before then-president Barack Obama commuted her sentence in January 2017.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#intel