SSSCIP reports a strategic shift in Russian cyber operations in H1 2024. Targeting Ukraine’s defence sectors, attacks doubled,…

SSSCIP reports a strategic shift in Russian cyber operations in H1 2024. Targeting Ukraine’s defence sectors, attacks doubled, focusing on intelligence gathering. Ukrainian experts respond with red teaming to strengthen cyber defences against targeted threats.

Recent reports from Ukraine’s State Service of Special Communications and Information Protection (SSSCIP) reveal a significant shift in Russian cyber operations against Ukraine in the first half of 2024. The new strategy marks a departure from previous broad-spectrum attacks to a more targeted approach focusing on Ukraine’s military and defence sectors.

According to the SSSCIP’s “Russian Cyber Operations (H1 2024)” **report**, cyber attacks targeting Ukraine’s defence industries more than doubled from 111 to 276 from the latter half of 2023 to the former half of   2024. This surge reflects a concerted effort by Russian-aligned threat actors to gather intelligence directly related to the ongoing conflict.

In response to these escalating threats, Ukrainian cybersecurity experts have intensified their **red teaming** efforts, simulating sophisticated attacks to identify and address vulnerabilities in their defence systems. This proactive approach has helped strengthen Ukraine’s cyber resilience against increasingly targeted Russian operations.

****Key Threat Actors and Tactics****

The majority of the activity comes down to five Russian-attributed threat groups: **UAC-0149**, UAC-0020, UAC-0180, UAC-0184, UAC-0200. These groups have been employing remote access Trojans (RATs) to compromise Ukrainian Forces computers that use Windows.

Russian cyber tactics have changed direction over the past couple of years. In 2022, Russian hackers focused on dismantling critical infrastructure IT systems and exfiltrating databases. This focus shifted to broad information collection within many different Ukrainian industries in 2023, before honing in on military targets in 2024.

****Messaging Apps: The New Frontier****

A concerning trend highlighted in the report is the increased use of messaging apps including WhatsApp, Telegram and Signal. The Signal app in particular has been used to target high-value military and government personnel. Hackers, particularly those associated with UAC-0184, gather personal information to impersonate known contacts and build trust with certain targets, akin to a phishing attack.

The screenshot shows malicious messages on Signal, WhatsApp and Telegram sent by Russian hackers (Credit: SSSCIP)

Once trust is established, the attackers send malicious archives disguised as relevant content. This might be combat footage or recruitment information, for example. When opened, these archives secretly infect the target’s system with malware. It is worth noting that UAC-0184 is known for its multi-stage attack and for using **XWorm malware and Remcos RAT** against its targets.

****Rising Cyber Incidents and Malware Infections****

The total number of cyber attacks that were reported in Ukraine **rose by 19%** to 1,739 in Q1 and Q2 of 2024 compared to Q3 and Q4 of 2023. This rise is primarily attributed to more incidents considered to be less severe, and more critical breaches went down.

Malware infections are becoming a central part of these cyberattacks. The number of infections recorded in Q1 and Q2 of 2024 was 196, up from 103 in Q3 and Q4 of 2023. This surge is partly down to a rise in unlicensed software that has been pirated but with backdoors baked into it.

****Importance of Licensed Software****

The SSSCIP continues to hone in on the importance of using licensed software because unlicensed software creates more vulnerabilities. For example, Office, MDM, Windows, EDR, etc. This applies to the Ukrainian military, but also civilian organizations, as they try to mitigate vulnerabilities that stem from infections.

As the conflict enters its third year, cyberspace remains core to the warfare. The SSSCIP warns that cyberattacks targeting military personnel are likely to remain important.

1.  **Ukraine’s Cyberattack Cripples Russia’s Tax System**
2.  **Ukraine Claims Cyber Attack Disrupted Russian ATMs**
3.  **Ukrainian Hackers Trick Russian Military Wives for Personal Info**
4.  **Ukraine Claims Destruction of 280 Russian Servers, 2 Petabytes Lost**
5.  **Ukraine Thwart Russian Industroyer 2 Malware Attack on Energy Provider**

Russian Cyber Offensive Shifts Focus to Ukraine’s Military Infrastructure

The addition of Network Perception will provide Dragos with enhanced network visibility, compliance and segmentation analytics to the Dragos OT cybersecurity platform.

Source: ElenaBs via Alamy Stock Photo

Industrial control systems (ICS) provider Dragos today announced that it has acquired Network Perception for an undisclosed sum, a move aimed at expanding its threat detection and visualization capability for operational technology (OT) environments.

Since its founding in 2016, Dragos has emerged as one of the leading providers of cybersecurity protection for ICS systems. It has amassed $440 million in Series D funding and has over 400 employees. The company that Dragos bought, Network Perception, is lesser known and considerably smaller. It has only 27 employees and has raised $15.73 million, most of which is Series A funding from 2022.

The Dragos threat intelligence platform, designed for OT infrastructure, includes sensors that monitor networks for anomalies and IOCs and visualization tools to track assets and risks and provide response playbooks.

Adding Network Perception promises to fill a gap in the Dragos platform, company officials told Dark Reading. Network Perception's NP-View tool provides network visibility, compliance monitoring, segmentation analytics and reporting for various large electric utilities.

**Early Ties with Government and Industry Regulators**

Network Perception was incubated roughly a decade ago at the University of Illinois at Urbana-Champaign (UIUC) cybersecurity research lab. At the time, co-founder and CEO Robin Berthier says he and his team were working on the U.S. Department of Energy's 10-year cybersecurity roadmap, which developed a prototype for what is now NP-View.

"We grew pretty fast to become the de facto solution in the electric industry as the OT network visibility and segmentation analysis solution, which is extremely important in the case of compliance for the regulation in this industry," Berthier says.

He credits Network Perception's initial success to the decision by the industry's key regulators, North American Electric Reliability Corp. (NERC) and the Federal Energy Regulatory Commission (FERC), to use NP-View to conduct audits nationwide in 2017. According to Berthier, Network Perception has since tallied about 100 customers.

Berthier claims that NP-View is unique because it ingests only configuration files from firewalls, routers and switches deployed in OT networks, not log data or telemetry from sensors.

"From those configuration files, we build a model of the environment, and we can then show a topology map of those complex networks and check all the potential pathways inside those environments, which is very complementary to what Dragos is doing," Berthier explains.

Further, he notes that while Dragos' sensors monitor network traffic, security operators still must decide what steps to take to address suspicious activity and anomalies. "It's really important to have the context around the network's access policy, like the zone-to-zone accessibility," Berthier says.

**Modeling Network Traffic for Threats**

NP-View models an adversary's potential targets, including which ports and services are vulnerable and what's permitted by the firewalls, according to Berthier. "It is that part of the modeling of networks that gives you that information that is extremely complex and sophisticated," he says.

"It's a level of sophistication today that no human, even expert analysts, can comprehend because of the different layers of logic that the firewalls are using, from VPNs to VLANs to access rules to network address translation," Berthier adds. "We model and present that in a very simple, comprehensive way for both technical as well as non-technical users.”

When integrated, the Dragos platform will be able to consume the data ingested into NP-View to add context around the different levels of suspicious activity that is needed, he notes.

The addition of Network Perception will likely boost Dragos' visualization and risk-based capabilities while enhancing customers’ cyber resilience and compliance efforts, predicts Omdia principal analyst for IoT cybersecurity, Hollie Hennessy.

"Many OT organizations are struggling with challenges such as skills shortage and resource issues, meaning compliance can be a struggle--thus being able to automate functions such as reporting instantly, can alleviate some of those issues," she says. "Network perception also has micro segmentation capabilities which again can help to mitigate risk - something that will enrich Dragos' preventative capabilities and can also help with compliance."

Dragos field technology officer Phil Tonkin says that half of Network Perception's customer base, which is all in the electric sector, uses the Dragos platform. While Dragos's earliest customers were electric utilities, the company has expanded its base to include oil and gas providers, manufacturers, water utilities, transportation and mining.

In the coming quarters, Tonkin says Dragos will integrate NP-View into its platform and offer it as an option to its customers in adjacent OT sectors. "Although the driver to get capabilities like this into the electric sector in the US has often been driven by compliance, we're seeing more and more people understanding the need to carry out those same actions just to manage their risks," he says.

The deal marks only the second acquisition for Dragos. The company bought assessment tool provider NexDefense in 2019. Though isn’t ruling out other potential acquisitions, Dragos is not currently shopping for other companies. “Right now, our focus is to just build on the strengths that we've just gained by bringing Network Perception into the team,” Tonkin says.

**About the Author**

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Dragos Expands ICS Platform with New Acquisition

The bug gives attackers a way to run arbitrary code on affected servers and take control of them.

Source: Color4260 via Shutterstock

Attackers are actively targeting a severe remote code execution vulnerability that Zimbra recently disclosed in its SMTP server, heightening the urgency for affected organizations to patch vulnerable instances right away.

The bug, identified as CVE-2024-45519, is present in the Zimbra postjournal service component for email journaling and archiving. It allows an unauthenticated remote attacker to execute arbitrary commands on a vulnerable system and take control of it. Zimbra issued updates for affected versions last week but has not released any details of the flaw so far.

**Attacks Began Sept. 28**

Researchers at Proofpoint this week reported observing attacks targeting the flaw beginning on Sept. 28 and have continued unabated. In a series of posts on X, the security vendor described the attackers as sending spoofed emails that look like they are from Gmail to vulnerable Zimbra servers. The emails contain base64-encoded malicious code in the CC field instead of normal email addresses. This code is crafted to trick Zimbra into running it as shell commands, rather than processing it as a regular email address. This technique could potentially allow attackers to execute unauthorized commands on affected Zimbra servers, Proofpoint said.

"Some emails from the same sender used a series of CC'd addresses attempting to build a Web shell on a vulnerable Zimbra server," Proofpoint said. "The full CC list is wrapped as a string, and if the base64 blobs are concatenated, they decode to a command to write a Web shell."

The Web shell allows the attacker to remotely access the server via specially crafted HTTP requests and to modify files, access sensitive data, and execute other arbitrary commands. The attackers can use it to download and run malicious code on a vulnerable system, Proofpoint said. "Once installed, the webshell listens for inbound connection with a pre-determined JSESSIONID Cookie field," the vendor noted. "If present, the webshell will then parse the JACTION cookie for base64 commands. The webshell has support for command execution via exec or download and execute a file over a socket connection."

**Patch Yesterday**

Ivan Kwiatkowski, a threat researcher at HarfangLab, said the malcious emails are coming from 79.124.49\[.\]86, which appears to be based in Bulgaria. "If you're using @Zimbra, mass-exploitation of CVE-2024-45519 has begun. Patch yesterday."

Notably, the threat actor is using the same server for sending the exploit emails and hosting the second-stage payload, which suggests a relatively immature operation, says Greg Lesnewich, threat researcher at Proofpoint. "It speaks to the fact that the actor does not have a distributed set of infrastructure to send exploit emails and handle infections after successful exploitation," Lesnewich says. "We would expect the email server and payload servers to be different entities in a more mature operation."

Lesnewich says the volume of attacks has remained roughly the same since they began last week and appear to be more opportunistic in nature than targeted.

**Input Sanitization Error**

Researchers at the open source Project Discovery released a proof-of-concept for the vulnerability on Sept. 27. They identified the issue as stemming from a failure to properly sanitize user input, thereby enabling attackers to inject arbitrary commands. Zimbra's patched versions of the software have addressed the issue and neutralized the ability for direct command injection, the researchers wrote. Even so, "it's crucial for administrators to apply the latest patches promptly," they noted. "Additionally, understanding and correctly configuring the mynetworks parameter is essential, as misconfigurations could expose the service to external exploitation."

Thousands of companies and millions of users use Zimbra Collaboration Suite for email, calendaring, chat, and video services. Its popularity has made the technology a big target for attackers. Last year, for instance, researchers found as many as four Chinese advanced persistent threat actors leveraging a Zimbra zero-day (CVE-2023-37580) to target government agencies worldwide. Zimbra patched the flaw in July 2023 a month after the attacks began. Last February, researchers at W Labs spotted North Korea's prolific Lazarus Group attempting to steal intelligence from organizations in the healthcare and energy sectors by targeted unpatched Zimbra servers.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Zimbra RCE Vuln Under Attack Needs Immediate Patching

PRESS RELEASE

VIENNA, Va., Oct. 1, 2024 /PRNewswire/ -- The Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) today announced that Pam Lindemoen will join the organization as Chief Security Officer & VP of Strategy. In this role, she will oversee the organization's security operations, including cybersecurity and information security, while also leading strategic planning and partner engagement. With nearly 30 years of experience, Lindemoen brings a wealth of knowledge in information security, application development, and infrastructure to the organization.

"We're thrilled to welcome Pam Lindemoen to the RH-ISAC team," said Suzie Squier, president of RH-ISAC. "Her extensive experience in navigating complex regulatory environments and fostering robust security postures will be invaluable to our members. Pam's strategic vision and proven track record in developing comprehensive cybersecurity programs align perfectly with our mission to enhance the security of consumer-facing industries through collaboration."

Lindemoen's expertise spans various industries, including healthcare, technology, financial services, and manufacturing. Most recently, she served as CISO Advisor at Cisco. In this role, among other duties, she was instrumental in facilitating the CISO Leadership Development Program that RH-ISAC provided to develop talent in the industry. Lindemoen also serves on the advisory board for Cyber Florida: The Florida Center for Cybersecurity.

Lindemoen's appointment comes at a critical time for the retail and hospitality industries, which face increasing cybersecurity threats and complex regulatory requirements. Her multifaceted expertise in information security, application development, and infrastructure positions her uniquely to address the diverse challenges faced by RH-ISAC members. As CSO, Lindemoen will play a key role in shaping the organization's strategic initiatives and supporting members in their cybersecurity efforts.

Learn more about RH-ISAC and memberships at rhisac.org.

ABOUT RH-ISAC  
The Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) is a trusted community for sharing sector-specific cybersecurity information and intelligence. RH-ISAC connects information security teams at the strategic, operational, and tactical levels to work together on issues and challenges, to share practices and insights, and to benchmark among each other – all with the goal of building better security for consumer-facing industries through collaboration. RH-ISAC serves businesses including retailers, restaurants, hotels, gaming casinos, food retailers, consumer products, and other consumer-facing companies. For more information, visit www.rhisac.org.

You May Also Like

Retail &amp; Hospitality ISAC Announces Pam Lindemoen As New CSO and VP

PRESS RELEASE

NEW YORK and SANTA CLARA, Calif., Oct. 1, 2024 /PRNewswire/ -\- Palo Alto Networks (NASDAQ: PANW) and Deloitte today announced an expansion of their strategic alliance into EMEA and JAPAC regions, making Palo Alto Networks® AI-powered cybersecurity solutions and joint offerings available to Deloitte clients globally. The new agreement builds on the long-standing collaboration between the two organizations, accelerating the adoption of leading cybersecurity capabilities and helping clients realize the benefits of platformization.

Many organizations struggle to manage an increasing number of cybersecurity products to secure their business. This can create a heterogeneous environment that may increase operational complexity and difficulty to achieve essential security outcomes. Platformization, the shift to an integrated platform as opposed to incompatible point solutions, helps reduce the boundaries of these disparate solutions to help organizations enhance security posture while driving operational efficiencies. Embracing this, Deloitte has consolidated multiple point solutions by adopting Palo Alto Networks Cloud and Network Security platforms.

"True transformations require a solution that unites AI-powered platforms with deep industry insights and managed services - what Palo Alto Networks and Deloitte provide clients through our alliance," said Kristy Friedrichs, chief partnerships officer, Palo Alto Networks. "By significantly expanding the availability for our joint offerings and helping mutual customers move to unified platforms, we're addressing their evolving needs and helping them achieve better security outcomes."

"We are focused on helping our clients solve their most complex cybersecurity challenges, which requires ongoing innovation and distinct approaches to technology integration leading to cyber transformation," said Emily Mossburg, Deloitte Global Cyber Leader and a principal, Deloitte & Touche LLP. "Expanding our alliance with Palo Alto Networks enhances our global ability to deliver integrated and platformed security solutions to help global clients improve their security posture through harnessing efficiency and integrating the power of AI to combat the evolving threat landscape."

Deloitte will offer Palo Alto Networks security solutions across its network, cloud, and security operations platforms in order to help clients drive toward consolidation and realize the benefits of AI-powered solutions that ingest integrated data, creating better outcomes and actionable AI insights, including the following:

*   Cyber Detection & Response: Helps enable clients to transform their security operations through the Precision AI-powered Cortex XSIAM® platform that combines the capabilities of  SIEM, SOAR and XDR to simplify operations and accelerate response to cyber threats. Deloitte's intellectual property (IP) can accelerate SOC modernization through consolidation of a heterogeneous tech stack, adoption of complex incident response playbooks, integration with leading IT Service Management (ITSM) platforms and event log aggregation and orchestration, to assist clients in reducing technical complexity while enhancing operational efficiency.
    
*   Cloud Security: Helps to create a more proactive security posture for clients to safeguard their environments, from code to cloud. Deloitte and Palo Alto Networks joint cloud security offerings, launched a year ago, can help enhance the security of ever-changing, cloud-native applications and infrastructure. Deloitte's IP and industry-specific knowledge helps clients mitigate risk and promotes "shift left" security where Deloitte's harmonized cloud security framework, operational workflows and AI-powered automation and orchestration capabilities are deployed to enhance the native capabilities of Palo Alto Networks Prisma® Cloud.
    
*   Zero Trust Adoption: Helps organizations strategize, design, implement, operate and accelerate Zero Trust adoption with the combination of Palo Alto Networks integrated, innovative Network Security platform and Deloitte's IP, workflow integrations and managed services.
    

Learn more about the Palo Alto Networks and Deloitte alliance here.   
Follow Palo Alto Networks on X (formerly Twitter), LinkedIn, Facebook and Instagram.

About Palo Alto Networks   
Palo Alto Networks is the global cybersecurity leader, committed to making each day safer than the one before with industry-leading, AI-powered solutions in network security, cloud security and security operations. Powered by Precision AI, our technologies deliver precise threat detection and swift response, minimizing false positives and enhancing security effectiveness. Our platformization approach integrates diverse security solutions into a unified, scalable platform, streamlining management and providing operational efficiencies with comprehensive protection. From defending network perimeters to safeguarding cloud environments and ensuring rapid incident response, Palo Alto Networks empowers businesses to achieve Zero Trust security and confidently embrace digital transformation in an ever-evolving threat landscape. This unwavering commitment to security and innovation makes us the cybersecurity partner of choice.

At Palo Alto Networks, we're committed to bringing together the very best people in service of our mission, so we're also proud to be the cybersecurity workplace of choice, recognized among Newsweek's Most Loved Workplaces (2021-2024), with a score of 100 on the Disability Equality Index (2024, 2023, 2022), and HRC Best Places for LGBTQ+ Equality (2022). For more information, visit www.paloaltonetworks.com.

Palo Alto Networks, Cortex, Cortex XSIAM, Prisma Cloud and the Palo Alto Networks logo are registered trademarks of Palo Alto Networks, Inc. in the United States and in jurisdictions throughout the world. All other trademarks, trade names, or service marks used or mentioned herein belong to their respective owners. Any unreleased services or features (and any services or features not generally available to customers) referenced in this or other press releases or public statements are not currently available (or are not yet generally available to customers) and may not be delivered when expected or at all. Customers who purchase Palo Alto Networks applications should make their purchase decisions based on services and features currently generally available.

About Deloitte   
Deloitte provides industry-leading audit, consulting, tax and advisory services to many of the world's most admired brands, including nearly 90% of the Fortune 500® and more than 8,500 U.S.-based private companies. At Deloitte, we strive to live our purpose of making an impact that matters by creating trust and confidence in a more equitable society. We leverage our unique blend of business acumen, command of technology, and strategic technology alliances to advise our clients across industries as they build their future. Deloitte is proud to be part of the largest global professional services network serving our clients in the markets that are most important to them. Bringing more than 175 years of service, our network of member firms spans more than 150 countries and territories. Learn how Deloitte's approximately 460,000 people worldwide connect for impact at www.deloitte.com.

Palo Alto Networks and Deloitte Expand Strategic Alliance Globally

US Immigration and Customs Enforcement’s one-year contract with Paragon’s US subsidiary comes amid the Biden administration’s years-long crackdown on commercial spyware vendors.

US Immigration and Customs Enforcement has signed a $2 million contract with Israeli commercial spyware vendor Paragon Solutions, according to documents reviewed by WIRED.

The one-year contract between the company’s US subsidiary in Chantilly, Virginia, and ICE’s Homeland Security Investigations Division 3 was signed on September 27 and covers a “fully configured proprietary solution including license, hardware, warranty, maintenance and training.”

Paragon has received the award under the FAR 6.302-1 rule reserved for unique and innovative services not otherwise available to the government and not via the typical competitive process.

It is unknown whether the contract is for the deployment of Paragon’s flagship product, Graphite—a spyware that reportedly extracts data primarily from cloud backups—or another of the company’s products or services. ICE and Paragon did not immediately respond to WIRED’s requests for comment.

This is not Paragon’s first government agency contract. The New York Times reported in December 2022 that the US Drug Enforcement Administration had used Graphite. Similarly, an intelligence publication reported in March 2023 that Paragon had landed a major contract in Singapore worth “tens of millions of dollars.”

Paragon’s contract comes amid a comprehensive effort by the US government to reshape the commercial spyware market over the past three years. Measures have included placing spyware vendors like NSO Group and Intellexa on the so-called Entity List to prevent any US companies from doing business with them; enacting a visa restriction policy against multiple individuals “who have been involved in the development and sale of commercial spyware or who are immediate family members of those involved,” and imposing consecutive rounds of sanctions against spyware vendors.

Many of these efforts followed President Joe Biden signing an executive order in March 2023 that effectively restricted the US government’s use of commercial spyware technology while promoting its “responsible use” that aligns with the protection of human rights.

On a global level, the US is leading an initiative stipulated in the “Joint Statement on Efforts to Counter the Proliferation and Misuse of Commercial Spyware,” which now counts 21 signatories, including Germany, France, UK, Japan, and South Korea, while it recently announced that it would fund governments and civil society groups around the world to develop spyware-related research and regulation.

Paragon, which characterizes itself as a scrupulous kind of spyware maker, is likely responding to the US government’s global push for responsible surveillance. On the website of its US subsidiary, the company boasts that it provides its customers with “ethically based tools,” while one of its investors maintains that the company’s software provides “cutting-edge capabilities that make the world safer.”

Elsewhere, Paragon states that it limits its extraction of information from targeted devices “to conversations on chat apps” and that it “works solely with police forces and intelligence agencies that meet the standards of an enlightened democracy, which includes only 39 countries.”

Paragon was founded in 2019 by veterans from the Israel Defense Forces’ powerful intelligence Unit 8200 with the active involvement of former Israeli prime minister Ehud Barak as an investor who is estimated to own a sizable slice of the company.

The company has received investment from the Boston-headquartered Battery Ventures, “considered to be one of the world’s top venture capital firms,” and two of its founders formerly worked for Blumberg Capital, another large US venture capital firm.

Israeli media reported in June that a US private equity fund with a portfolio of security companies has been in talks to acquire control of Paragon, estimating its valuation at $1 billion.

To secure its unique US-approved, “ethical” positioning, Paragon has made “deliberate efforts” since its establishment to break into the US market, notes the Atlantic Council.

In 2019, as Paragon was developing Graphite, the company enlisted WestExec Advisors, a prominent Washington, DC, consulting firm cofounded by former Obama administration officials, including current US secretary of state Antony Blinken, to advise on its “strategic approach to the US and European markets,” a company executive told the Financial Times. Avril Haines, a former WestExec staffer, is now the US director of national intelligence.

To remain in the US government’s “good graces,” Paragon in February 2023 hired another DC-based lobbying firm, Holland & Knight, “with a good track record in avoiding sanctions,” as some reports point out. Lobbying expenditure disclosure reveals a spend of a minimum $280,000 in 2023 and 2024 for this campaign.

The fact that the spyware vendor has neither been placed on an entity list nor have any of its executives been sanctioned by the Biden administration suggests that Paragon’s lobbying efforts have been successful.

In addition, Biden’s executive order leaves enough margin for the deployment of tools like Graphite. When a senior US administration official was asked specifically about potential abuses of Paragon’s flagship product, they said that the executive order “requires the heads of agencies to review any activity that might be relevant,” without excluding the possibility of lawful use.

Meanwhile, the company continues to grow and is advertising several roles in Israel. In the US, Paragon boosted its presence in the wake of the signing of the executive order and started hiring intelligence veterans, including former CIA and FBI officers at its subsidiary, “hoping it would pick up new business.” Fresh reports from February 2024 confirmed the steady growth.

Paragon’s $2 million contract with ICE is tangible proof that the company’s approach is paying off. It remains to be seen whether Graphite's deployment will align with the protection of human rights, privacy, and democracy.

ICE Signs $2 Million Contract With Spyware Maker Paragon Solutions

UK law enforcement and international partners have released new details about the cybercriminal gang Evil Corp, including its use of the Lockbit ransomware platform and ties to Russian intelligence.

International law enforcement has worked for years to disrupt the cybercriminal gang Evil Corp and its egregious global crime spree. But in a crowded field of prolific Russian cybercriminals, Evil Corp is most notable for its singular relationship with Russian intelligence.

On Tuesday, the United Kingdom's National Crime Agency released new details about the real-world identities of alleged Evil Corp members, the group's connection to the LockBit platform, and the gang's ties to the Russian state. Researchers have increasingly established that there are loose, quid pro quo connections between Russian cybercriminals and the country's government. But NCA officials emphasize that Evil Corp is an unusual example of a gang that has direct relationships with multiple Russian intelligence agencies—including Russia's Federal Security Service, or FSB; Foreign Intelligence Service, or SVR; and military intelligence agency known as the GRU. And the NCA reports that before 2019, Evil Corp was specifically “tasked” by Russia's intelligence services with conducting espionage operations and cyberattacks against unidentified “NATO allies.”

For more than a decade, Evil Corp has used its Dridex malware and other hacking tools to compromise thousands of bank accounts around the world and steal funds. In 2017, the group expanded into ransomware, using strains like Hades and PhoenixLocker, and then using the LockBit platform as an affiliate beginning in 2022. The group has extorted at least $300 million from victims on tops of its other spoils, and the United States Department of State is offering a $5 million reward for information leading to the arrest of the gang's alleged leader, Maksim Yakubets.

“Evil Corp’s story is a prime example of the evolving threat posed by cybercriminals and ransomware operators,” the NCA wrote on Tuesday in a joint report with the FBI and Australian Federal Police. “In their case, the activities of the Russian state played a particularly significant role, sometimes even co-opting this cybercrime group for its own malicious cyber activity.”

Unlike many Russian cybercrime groups that have evolved a distributed leadership structure online, NCA officials say that Evil Corp is organized like a more traditional crime syndicate around Yakubets' family and friends. His father, Viktor Yakubets, allegedly has a background in money laundering, and Maksim's brother Artem, along with cousins Kirill and Dmitry Slobodskoy, are all allegedly involved with the group. Officials also allege that the group has operated out of physical locations, including Chianti Café and Scenario Café in Moscow.

Officials say that Maksim Yakubets has always been the primary liaison between Evil Corp and Russian intelligence. But other members, including his father-in-law, Eduard Benderskiy, also allegedly contribute to the relationships. Benderskiy is reportedly a former FSB official who worked in the mysterious ‘Vympel’ unit and, according to Bellingcat, may have been involved in a series of overseas assassinations. NCA officials say that after the US's 2019 sanctions and indictments against Evil Corp members, Benderskiy worked to protect the gang's senior members within Russia.

In spite of its longtime dominance, Evil Corp has had to continue evolving to keep making money. While it denies a relationship, the group seemed to have used the notorious ransomware-as-a-service platform LockBit to conduct attacks since 2022. And Yakubets’ alleged second in command, whom NCA officials named on Tuesday as Aleksandr Ryzhenkov, was apparently overseeing this work. After international law enforcement launched a major disruption of LockBit in February, the gang has been operating in a diminished capacity, according to the NCA.

“Born out of a coalescing of elite cybercriminals, Evil Corp’s sophisticated business model made them one of the most pervasive and persistent cybercrime adversaries to date,” the NCA wrote. “After being hampered by the December 2019 sanctions and indictments, the group have been forced to diversify their tactics as they attempt to continue causing harm whilst adapting to the changing cybercrime ecosystem.”

Notorious Evil Corp Hackers Targeted NATO Allies for Russian Intelligence

The threat actors behind the Rhadamanthys information stealer have added new advanced features to the malware, including using artificial intelligence (AI) for optical character recognition (OCR) as part of what's called "Seed Phrase Image Recognition."
"This allows Rhadamanthys to extract cryptocurrency wallet seed phrases from images, making it a highly potent threat for anyone dealing in

The threat actors behind the Rhadamanthys information stealer have added new advanced features to the malware, including using artificial intelligence (AI) for optical character recognition (OCR) as part of what's called "Seed Phrase Image Recognition."

"This allows Rhadamanthys to extract cryptocurrency wallet seed phrases from images, making it a highly potent threat for anyone dealing in cryptocurrencies," Recorded Future's Insikt Group said in an analysis of version 0.7.0 of the malware.

"The malware can recognize seed phrase images on the client side and send them back to the command-and-control (C2) server for further exploitation."

First discovered in the wild in September 2022, Rhadamanthys has emerged as one of the most potent information stealers that are advertised under the malware-as-a-service (MaaS) model, alongside Lumma and others.

The malware continues to have an active presence despite suffering bans from underground forums like Exploit and XSS for targeting entities within Russia and the former Soviet Union, with its developer, who goes by the name "kingcrete" (aka "kingcrete2022"), finding ways to market the new versions on Telegram, Jabber, and TOX.

The cybersecurity company, which is set to be acquired by Mastercard for $2.65 billion, said the stealer is sold on a subscription basis for $250 per month (or $550 for 90 days), allowing its customers to harvest a wide range of sensitive information from compromised hosts.

This includes system information, credentials, cryptocurrency wallets, browser passwords, cookies, and data stored in various applications, while simultaneously taking steps to complicate analysis efforts within sandboxed environments.

Version 0.7.0, the most recent version of Rhadamanthys released in June 2024, significantly improves upon its predecessor 0.6.0, which came out in February 2024.

It comprises a "complete rewrite of both client-side and server-side frameworks, improving the program's execution stability," Recorded Future noted. "Additionally, 30 wallet-cracking algorithms, AI-powered graphics, and PDF recognition for phrase extraction were added. The text extraction capability was enhanced to identify multiple saved phrases."

Also included is a feature to allow threat actors to run and install Microsoft Software Installer(MSI) files in an apparent effort to evade detection by security solutions installed on the host. It further contains a setting to prevent re-execution within a configurable time frame.

Rhadamanthys's high-level infection chain

A noteworthy aspect of Rhadamanthys is its plugin system that can augment its capabilities with keylogger, cryptocurrency clipper, and reverse proxy functionality.

"Rhadamanthys is a popular choice for cybercriminals," Recorded Future said. "Coupled with its rapid development and innovative new features, it is a formidable threat all organizations should be aware of."

The development comes as Google-owned Mandiant detailed Lumma Stealer's use of customized control flow indirection to manipulate the execution of the malware.

"This technique thwarts all binary analysis tools including IDA Pro and Ghidra, significantly hindering not only the reverse engineering process, but also automation tooling designed to capture execution artifacts and generate detections," researchers Nino Isakovic and Chuong Dong said.

Rhadamanthys and Lumma, alongside other stealer malware families like Meduza, StealC, Vidar, and WhiteSnake, have also been found releasing updates in recent weeks to collect cookies from the Chrome web browser, effectively bypassing newly introduced security mechanisms like app-bound encryption.

On top of that, the developers behind the WhiteSnake Stealer have added the ability to extract CVC codes from credit cards stored in Chrome, highlighting the ever-evolving nature of the malware landscape.

That's not all. Researchers have identified an Amadey malware campaign that deploys an AutoIt script, which then launches the victim's browser in kiosk mode to force them to enter their Google account credentials. The login information is stored in the browser's credential store on disk for subsequent harvesting by stealers such as StealC.

These ongoing updates also follow the discovery of new drive-by download campaigns that deliver information stealers by tricking users into manually copying and executing PowerShell code to prove they are human by means of a deceptive CAPTCHA verification page.

As part of the campaign, users searching for video streaming services on Google are redirected to malicious URL that urges them to press the Windows button + R to launch the Run menu, paste an encoded PowerShell command, and execute it, according to CloudSEK, eSentire, Palo Alto Networks Unit 42, and Secureworks.

The attack, which ultimately delivers stealers such as Lumma, StealC, and Vidar, is a variant of the ClickFix campaign documented in recent months by ReliaQuest, Proofpoint, McAfee Labs, and Trellix.

"This novel attack vector poses significant risk, as it circumvents browser security controls by opening a command prompt," Secureworks said. "The victim is then directed to execute unauthorized code directly on their host."

Phishing and malvertising campaigns have also been observed distributing Atomic macOS Stealer (AMOS), Rilide, as well as a new variant of a stealer malware called Snake Keylogger (aka 404 Keylogger or KrakenKeylogger).

Furthermore, information stealers like Atomic, Rhadamanthys, and StealC have been at the heart of over 30 scam campaigns orchestrated by a cybercrime gang known as Marko Polo to conduct cryptocurrency theft across platforms by impersonating legitimate brands in online gaming, virtual meetings and productivity software, and cryptocurrency.

"Marko Polo primarily targets gamers, cryptocurrency influencers, and software developers via spear-phishing on social media — highlighting its focus on tech-savvy victims," Recorded Future said, adding "likely tens of thousands of devices have been compromised globally."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

AI-Powered Rhadamanthys Stealer Targets Crypto Wallets with Image Recognition

Red Hat Insights makes it much easier to maintain and manage the security exposure of your Red Hat Enterprise Linux (RHEL) infrastructure. Included is the Insights malware detection service, a monitoring and assessment tool that scans RHEL systems for the presence of malware, utilizing signatures of known Linux malware provided in partnership with the IBM X-Force Threat Intelligence team. This gives your threat assessment and IT incident-response team important information that they can use to formulate a response tailored to your organization’s requirements. The malware detection service ha

Red Hat Insights makes it much easier to maintain and manage the security exposure of your Red Hat Enterprise Linux (RHEL) infrastructure. Included is the Insights malware detection service, a monitoring and assessment tool that scans RHEL systems for the presence of malware, utilizing signatures of known Linux malware provided in partnership with the IBM X-Force Threat Intelligence team. This gives your threat assessment and IT incident-response team important information that they can use to formulate a response tailored to your organization’s requirements. The malware detection service has been evolving, and new functionality has been added to make the management of malware detections even more robust.

You can now review and set the status for malware signature matches at both the system and signature levels. This allows you to remove irrelevant messages and information from your environment and more efficiently review the status of malware results, so you can remove excess noise and better focus on what needs your attention. You can change the status of each signature match while you continue your investigation and management of malware matches. This helps your stakeholders to stay informed of the progress of evaluating malware matches and cleaning. You can also decide which matches are irrelevant or whether they pose low or no threat to your systems.

A new **Total matches** column has also been added. You can use this to see how many times a signature has matched on a system and review the historical status of those matches. Insights retains matches indefinitely so this creates a de facto historical record. Note that if you have Malware Administrator permissions, you will also have the ability to delete individual matches.

The **New matches** column shows the number of new matches for a signature which includes any **Not reviewed** status matches that are less than 30 days old. This helps a reviewer more easily prioritize anything newly detected in their environment.

Any feedback about the malware detection service and features can be sent to us using the feedback button inside of Insights. Check out the new malware detection features today.

Enter keywords here to search blogs

UI\_Icon-Red\_Hat-Close-A-Black-RGB

**Browse by channel**

**Automation**

The latest on IT automation for tech, teams, and environments

**Security**

The latest on how we reduce risks across environments and technologies

**Edge computing**

Updates on the platforms that simplify operations at the edge

**Infrastructure**

The latest on the world’s leading enterprise Linux platform

**Applications**

Inside our solutions to the toughest application challenges

**Original shows**

Entertaining stories from the makers and leaders in enterprise tech

A smarter way to manage malware with Red Hat Insights

Critics viewed the bill as seeking protections against nonrealistic "doomsday" fears, but most stakeholders agree that oversight is needed in the GenAI space.

Source: CoreDESIGN via Shutterstock

California Gov. Gavin Newsom (D) has vetoed SB-1047, a bill that would have imposed what some perceived as overly broad — and unrealistic — restrictions on developers of advanced artificial intelligence (AI) models.

In doing so, Newsom likely disappointed many others — including leading AI researchers, the Center for AI Security (CAIS), and the Screen Actors Guild — who perceived the bill as establishing much-needed safety and privacy guardrails around AI model development and use.

**Well-Intentioned but Flawed?**

"While well-intentioned, SB-1047 does not take into account whether an AI system is deployed in high-risk environments, or involves critical decision-making or the use of sensitive data," Newsom wrote. "Instead, the bill applies stringent standards to even the most basic functions — so long as a large system deploys it. I do not believe this is the best approach to protecting the public from real threats posed by the technology."

Newsom's veto announcement contained references to 17 other AI-related bills that he signed over the past month governing the use and deployment of generative AI (GenAI) tools in the state, which is a category that includes chatbots such as ChatGPT, Microsoft Copilot, Google Gemini, and others.

"We have a responsibility to protect Californians from the potentially catastrophic risks of GenAI deployment," he acknowledged. But he made clear that SB-1047 was not the vehicle for those protections. "We will thoughtfully — and swiftly — work toward a solution that is adaptable to this fast-moving technology and harnesses its potential to advance the public good."

Related:News Desk 2024: Hacking Microsoft Copilot Is Scary Easy

There are numerous other proposals at the state level, seeking similar control over AI development amid concerns about other countries overtaking the US on the AI front.

**The Need for Safe & Secure AI Development**

California State senators Scott Wiener, Richard Roth, Susan Rubio, and Henry Stern proposed SB-1047 as a measure that would impose some oversight over companies like OpenAI, Meta, and Google, which are all pouring hundreds of millions of dollars into developing AI technologies.

At the core of the Safe and Secure Innovation for Frontier Artificial Intelligence Models Act are stipulations that would have required companies that develop large language models (LLMs) — which can cost more than $100 million to develop — to ensure their technologies enable no critical harm. The bill defined "critical harm" as incidents involving the use of AI technologies to create or use chemical, biological, nuclear, and other weapons of mass destruction, or those causing mass casualties, mass damage, death, bodily injury and other harm.

Related:Reachability Analysis Pares Down Static Security-Testing Overload

To enable that, SB-1047 would have required covered entities to comply with specific administrative, technical, and physical controls to prevent unauthorized access to their models, misuse of their models, or unsafe modifications to their models by others. The bill included a particularly controversial clause that would have required the OpenAIs, Googles, and Metas of the world to implement nuclear-like failsafe capabilities to "enact a full shutdown" of their LLMs in certain circumstances.

The bill won broad bipartisan support and easily passed California's state Assembly and Senate earlier this year. It headed to Newsom's desk for signing in August. At the time, Weiner cited the support of leading AI researchers such as Geoffrey Hinton (a former AI researcher at Google), professor Yoshua Bengio, and entities such as CAIS.

Even Elon Musk, whose own xAI company would have been subjected to SB-1047, came out in support of the bill in a post on X saying Newsom should probably pass the bill given the potential existential risks of runaway AI, which he and others have been flagging for many months.

Related:Sloppy Entra ID Credentials Attract Hybrid Cloud Ransomware

**Fear Based on Theoretical, Doomsday Scenarios?**

Others, however, perceived the bill as based on unproven doomsday scenarios about the potential for AI to wreak havoc on society. In an open letter, a coalition that included several entities including the Bay Area Council, Chamber of Progress, TechFreedom, and Silicon Valley Leadership Group called the bill fundamentally flawed.

The group claimed that the harms that SB-1047 sought to protect against were completely theoretical, with no basis in fact. "Moreover, the latest independent academic research concludes, large language models like ChatGPT cannot learn independently or acquire new skills, meaning they pose no existential threat to humanity." The coalition also took issue with the fact that the bill would hold developers of large AI models responsible for what others do with their products.

Arlo Gilbert, CEO of data-privacy firm Osano, is among those who views Newsom's decision to veto the bill as a sound one. "I support the governor's decision," Gilbert says. "While I'm a great proponent for AI regulation, the proposed SB-1047 is not the right vehicle to get us there."

As Newsom has identified, there are gaps between policy and technology, and the balance between doing the right thing and supporting innovation is one that merits a cautious approach, he says. From a privacy and security perspective, small startups or smaller companies that would have been exempt from this rule can actually present a greater risk of harm due to their relative access to resources to protect, monitor, and disgorge data from their systems, Gilbert notes.

In an emailed statement, Melissa Ruzzi, director of artificial intelligence at AppOmni, identified SB-1047 as raising issues that need attention now: "We all know AI is very new and there are challenges in writing laws around it. We cannot expect the first laws to be flawless and perfect — this will most likely be an iterative process, but we have to start somewhere."

She acknowledged that some of the biggest players in the AI space, such as Anthropic and Google, have put a big focus on ensuring their technologies do no harm. "But to make sure all players will follow the rules, laws are needed," she said. "This removes the uncertainty and fear from end users about AI being used in an application."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Tag

#intel