Attackers are leveraging well-executed brand impersonation in a Google ads malvertising effort that collects both credit card and bank details from victims.

Threat actors are impersonating the United States Post Office (USPS) in a legitimate-looing malvertising campaign that diverts victims to a phishing site to steal payment-card and banking credentials, researchers have found.

A malicious ad appears on Google searches for both mobile and desktop users looking to track packages via the USPS website, Jérôme Segura, director of threat intelligence at Malwarebytes Labs revealed in a blog post published July 5.

Though it looks "completely trustworthy," it isn't, he said. Instead, it redirects victims to a malicious site that first collects their address and credit card details, and then requires them to log into their bank account for verification, eventually stealing that info as well.

Segura cites Jesse Baumgartner, marketing director at Overt Operator, as the person who first discovered the campaign. Baumgartner shared screenshots of his experience attempting to track a package that led him onto a scam website in a LinkedIn post.

Malwarebytes Labs researchers set out to find the scam themselves and were immediately able to find the authentic-looking ad by performing a simple Google search for "usp tracking."

"Incredibly, the ad snippet contains the official website _and_ logo of the United States Postal Service and yet, the 'advertiser' whose verified legal name is Анастасія Іващенко (Ukraine), has nothing to do with it," Segura wrote.

Malwarebytes Labs has reported the campaign to Google and for its part, Cloudflare has already flagged the domains as phishing sites.

The campaign is yet another reminder that no matter how much awareness there is about malicious ads, links, and websites lurking on the Internet, threat actors still successfully wield oft-used tactics that abuse and impersonate trusted entities to trick and defraud Internet users, he said.

"Malvertising via search results remains an issue that affects both consumers and businesses who place their trust behind well-known brands," Segura wrote in the post.

A recent malvertising campaign in January also leveraged trusted brands by targeting users searching for Bitwarden and 1Password's Web vaults on Google. Threat actors used paid ads with links to cleverly spoofed sites for stealing credentials to the unsuspecting users' password vaults.

**Creating a Convincing Phishing Campaign**

Segura broke down how the actor or actors behind the USPS campaign managed to make it look so convincing to an end user. Essentially, they used tactics that can apply to various types of malvertising, he said.

There are two ad campaigns — one that targets mobile users, and the other targeting desktop users. While the ads appear to use the official USPS URL while redirecting victims to an attacker-controlled domain, the URLs shown in the ad "are pure visual artifacts that have nothing to do with what you actually click on," Segura explained.

"When you click on the ad, the first URL returned is Google's own which contains various metrics related to the ad, followed by the advertiser's own URL," he said. "Users never get to see this, and that is what makes malvertising via brand impersonation so dangerous."

Victims that click on the ad land on a website that asks them to enter their package tracking number, just as any page for this type of request would. However, upon submitting that information they receive an error informing them that their package couldn't be delivered "due to incomplete information in delivery address."

This might arouse suspicion, but likely not, as it's pretty typical for someone tracking a package to receive this type of notification, Segura noted. However, the next step of the attack — in which users are then asked to enter their full address again as well as submit their credit-card data to pay a small fee of 35 cents — should raise a red flag, he said.

It's at this point where victims enter the phishing site and attackers can steal their data, making the small fee "completely irrelevant," since giving up payment-card data — which can be used by the threat actor or resold on criminal markets — can result in much more damage to someone, Segura observed.

The final step of the attack is a request that victims enter credentials for their financial institution through a dynamic page that generates a template based on the credit-card info provided. For instance, if a person submits data for a Visa card associated with JP Morgan Bank, the page will ask the target to login to the JP Morgan page. Other banks and cards will result in different templates specific to the data provided, Segura said, similar to how banking Trojan overlays work.

**Recommendations to Thwart Malvertising**

As mentioned, malvertising is already a well-known method used by cybercriminals to steal user credentials. However, while awareness is key to avoid falling victim to a campaign, "training can only go so far" because of how legitimate modern malicious scams created by attackers look, Segura wrote.

One way to stop these campaigns before they reach end users is for search engines to apply stricter controls to combat the brand impersonation that threat actors have adopted so successfully, he said.

"When it comes to software downloads, one solution that comes to mind is reserving a placeholder for the official download page and never allowing an ad to take this spot, Segura wrote, noting that Microsoft's Bing already has applied policy with success.

Applying real-time browser protection that can disrupt the malvertising kill chain from the initial ad all the way to the payload — whether it be malware, phishing, or another type of scam — also can prevent and mitigate this type of attack.

Google Searches for 'USPS Package Tracking' Lead to Banking Theft

Email fraud is a confidence game that costs the economy billions. An effective defense takes technology and vigilance.

Last year the FBI registered over 21,000 complaints about business email fraud, with adjusted losses of over $2.7 billion. Today this line of attack shows no sign of slowing down. Business email compromise (BEC) techniques are increasingly sophisticated; cybercrime-as-a-service (CasS) has lowered the barrier to entry for threat actors while also making it easier to evade "impossible travel" alerts, among other safeguards. 

BEC is a confidence game. The technology aspects — links that download malware, take users to spoofed sites, or motivate a financial transaction — require social engineering to gain trust and motivate a click. 

What are threat actors looking for? Along with useful data like employee records, payroll information, and proprietary business records, BEC actors want to convince someone to fulfill a request for payment or funds transfer using messages that look legitimate, with logos and designs that are copies of the real thing. 

With BEC fast becoming a specialty of cybercriminals, security teams need to stay ahead of these evolving threats. Through a combination of technology, policy, and culture, enterprise security teams can help preempt attacks and mitigate the risks of email fraud. Let’s look at how BEC works, along with six key steps to mitigate the risk.

**As-a-Service Fuels BEC Growth**

Phishing-as-a-service providers make it easy for threat actors to produce effective, authentic-looking BEC campaigns without needing high-level tech skills of their own. Criminal platforms, such as BulletProftLink, go even further, selling templates, automated services, and even a hosting platform. This not only opens up BEC as an avenue to any criminal organization willing to pay, but it also accelerates the ramp-up time, making it fast and easy to launch new campaigns.

**Localizing the Threat**

Most importantly, in a new trend BEC threat actors are also purchasing residential IP addresses from residential IP services, enabling them to mask where their emails originate. Armed with localized address space to support their malicious activities (in addition to usernames and passwords), BEC attackers can obscure movements, circumvent "impossible travel" flags, and open a gateway to conduct further attacks. 

Impossible travel alerts indicate that a user account might be compromised. They flag physical restrictions that indicate a task is being performed in two locations, without the appropriate amount of time to travel from one location to the other. The specialization and consolidation of this sector of the cybercrime economy could escalate the use of residential IP addresses to evade detection.

**Defend Against BEC**

There are six key tips security teams can apply. Some can be implemented immediately, while others will require long-term thinking and reinforcement. 

*   **Inbox protection:** Configure mail systems to flag messages from outside of the enterprise. Enable alerts about unverified senders, and block senders who can’t be independently identified.

*   **Strong authentication:** Enabling multifactor authentication makes it harder for attackers to compromise user email.

*   **Secure email:** Cloud platforms with artificial intelligence and machine learning can provide enhanced protection, continuous updates, and centralized management of security policies.

*   **Identity and access management:** Control access to the organization's apps and data with zero trust and automated identity governance.

*   **Secure payments:** Replace emailed invoices with a system that authenticates payments and providers.

*   **Education and empowerment:** Regularly train and remind employees to think twice before clicking. Establish and enforce policies requiring employees to verify payment requests — not by clicking the link in the email, but with a phone call. Teach employees to take the initiative to stop BEC scams, and be sure to reinforce the consequences that a single mistake can cause.

Policy and governance are crucial to helping stop BEC. Security by default — for example, a domain-based message authentication, reporting, and conformance (DMARC) policy of "reject" — ensures that unauthenticated messages are rejected at the mail server. Updating policies for accounting, internal controls, payroll, and HR can help employees know how to handle inbound requests for access, money, or personal information, such as their Social Security numbers.

Thwarting BEC threat actors takes vigilance and an ongoing commitment. As their techniques get more sophisticated, their tricks become harder to spot. Putting the brakes on this con game takes the entire organization, from the C-suite and IT, compliance, and risk management teams to every business unit. Awareness, backed by policy and technology, is the crucial factor in a consistently strong defense.

6 Steps To Outsmart Business Email Compromise Scammers

Commercial spyware has become so notorious that international governments are taking notice and action against it, as evidenced by the Biden administration’s recent Executive Order on commercial spyware.

Thursday, July 6, 2023 08:07

Attackers have long used commercial products developed by legitimate companies to compromise targeted devices. These products are known as commercial spyware. Commercial spyware operations mainly target mobile platforms with zero- or one-click zero-day exploits to deliver spyware. This threat initially came to light with the leaks of HackingTeam back in 2015, but gained new notoriety with public reporting on the NSO Group, and, in the years that have followed, the landscape has exploded.

There are now numerous companies with similar offerings, like Intellexa, DSIRF, Variston IT, and the newly disclosed Quadream representing just a small subset — there are likely more that are operating covertly today.

Commercial spyware has become so notorious that international governments are taking notice and action against it, as evidenced by the Biden administration’s recent Executive Order on commercial spyware. A recent report from the United Kingdom’s National CyberSecurity Center (NCSC) highlights the accessibility of these tools “lowers the barrier to entry to state and non-state actors in obtaining capability and intelligence.” As recently as June 2023, the European Parliament’s plenary session voted on an ongoing investigation concerning the illicit usage of NSO’s Pegasus and equivalent surveillance spyware by EU member states (PEGA report). In this session, European Parliament members argued that the illicit usage of spyware has put “democracy itself at stake” and called for legislative changes and stricter regulation of the use of commercial spyware. The full press release and report can be found here.

**Commercial spyware companies don't care who is targeted by their products**

Commercial spyware companies advertise their products simply as a means of obtaining access and deny having any knowledge of who their customers’ targets are. This tactic is possibly a means of plausible deniability in the event that illegal targeting of individuals is traced back to their spyware. To avoid legal repercussions, these companies have headquarters in countries that do not have laws governing the export of their products or which classify the entities as IT service providers, effectively removing them from any product liability. These companies can therefore ultimately sell to whomever can pay without regard for who the intended targets are or what the impacts on the victims might be.

Although advertised as “tools” for law enforcement and government agencies strictly intended for legal use, report after report has shown commercial spyware has consistently been used against ethically questionable targets that don't fit the profile of criminals or terrorists. Such targets have repeatedly been journalists, politicians and activists who the host government perceives as competitors or existential threats. While these technologies may exist to fight terrorism and organized crime, their sale and usage must be regulated and subject to scrutiny by judicial authorities at an international level to prevent their misuse and abuse.  

One such example of limited repercussions within a host state is the case where a journalist in Greece was targeted with Predator Spyware, eventually leading to the resignation of Greece’s National Intelligence Service’s director in 2022 and the subsequent ban on the use of commercial spyware in Greece. Earlier in 2022, we also saw the departure of the NSO group’s CEO from the company amid widespread public outrage over the use of their spyware by Israeli Police forces.

**The untethered future of commercial spyware**

Mobile platform developers such as Google and Apple have repeatedly introduced and implemented protections and mitigations in their operating systems. However, commercial spyware providers often use zero-day, zero-click exploits to compromise victims’ mobile devices and are so confident in their ability to repeatedly compromise phones _without getting caught_ that, in some cases, they don't even deploy persistence mechanisms — a simple device reboot is enough to remove the implant from the device. However, a device reboot simply results in the commercial spyware outfit reinfecting the device using the zero-day, zero-click combination they had used during the initial compromise indicating the aggressive nature of these campaigns.

We see no indications that these commercial spyware offerings are slowing down. If anything, they are growing along with the constant availability of exploitable, unpatched/unknown vulnerabilities. Until the international community acts to regulate the technology, very little is going to change. When exposed by researchers, some of these companies just cease to exist. But in reality, they do not shut down, they just rebrand under a different name or merge with others sharing the technology they have produced. A typical example of such a case is the commercial spyware firm Cytrox, which was on the verge of disappearing, but was subsequently “rescued” and is now part of the Intellexa conglomerate.

Private and government organizations have taken steps to legally curb the use of commercial spyware, including attempts to hold them responsible for their actions in the past. Meta, formerly Facebook, is one of the first to move against commercial spyware companies by opening a lawsuit against the NSO Group for leveraging Meta-owned WhatsApp in their infection chain. The Biden administration has also taken an important step in fighting these companies with the Executive Order putting limitations on the U.S. government's ability to use commercial spyware to “discourage the improper use of commercial spyware; and encourage the development and implementation of responsible norms regarding the use of commercial spyware that are consistent with respect for the rule of law, human rights, and democratic norms and values.”

However, limited legal and legislative actions are yet to have an _immediate_ positive effect on curbing the use of commercial spyware. Despite these steps toward limiting the operations of these spyware companies, they are likely to keep operating in any region as long as it's financially and legally feasible. Increasing scrutiny with export regulations, criminal liability and fines may be a way forward towards ensuring that their activity does not go beyond the legitimate purposes they advertise.

**Risk profile**

For almost everyone on the planet, your Apple or Android phone’s built-in security features are more than sufficient to keep you protected. However, the commercial spyware industry has proven that it is easy to compromise targets if you have access to these products and the means to use them. We've seen numerous deeply concerning reports of people being compromised and are commonly met with the news that it was a journalist or dissident. The ability of these companies to repeatedly compromise devices, regardless of patch level, makes protection difficult.

For those that believe they are being or could be targeted by commercial spyware, rebooting the device before contacting a source or switching to lockdown mode might be the only options for the foreseeable future.

If you feel that you have been targeted by commercial spyware, there are also more generic habits that should be part of your daily routine:

*   Reboot your device regularly.
*   Use lockdown mode if your device is an iPhone.
*   Don’t click on links from dubious sources.
*   Don’t accept private messages from unknown persons.
*   If you have to keep a public contact, use an empty device to receive such contacts and reset it frequently.
*   Keep your devices up-to-date.

_If readers suspect their system(s) may have been compromised by commercial spyware or hack-for-hire groups, please consider notifying Talos’ research team at talos-mercenary-spyware-help@external.cisco.com to assist in furthering the community’s knowledge of these threats._

The growth of commercial spyware based intelligence providers without legal or ethical supervision

Gcore Radar is a quarterly report prepared by Gcore that provides insights into the current state of the DDoS protection market and cybersecurity trends. This report offers you an understanding of the evolving threat landscape and highlights the measures required to protect against attacks effectively. It serves as an insight for businesses and individuals seeking to stay informed about the

Gcore Radar is a quarterly report prepared by Gcore that provides insights into the current state of the DDoS protection market and cybersecurity trends. This report offers you an understanding of the evolving threat landscape and highlights the measures required to protect against attacks effectively. It serves as an insight for businesses and individuals seeking to stay informed about the latest developments in cybersecurity.

As we entered 2023, the cybersecurity landscape witnessed an increase in sophisticated, high-volume attacks. Here, we present the current state of the DDoS protection market based on Gcore's statistics.

**Key Highlights from Q1–Q2**

*   The maximum attack power rose from 600 to 800 Gbps.
*   UDP flood attacks were most common and amounted to 52% of total attacks, while SYN flood accounted for 24%. In third place was TCP flood.
*   The most-attacked business sectors are gaming, telecom, and financial.
*   The longest attack duration in the year's first half was seven days, 16 hours, and 22 minutes.
*   Most attacks lasted less than four hours.

**High-Volume Attacks: An Escalating Threat**

There has been a significant increase in the power and volume of DDoS attacks over the last two years:

*   In 2021, the capacity of DDoS attacks was up to 300 Gbps.
*   In 2022, the attack capacity was about 650 Gbps.
*   In Q1–Q2 of 2023, we see a capacity of about 800 Gbps.

Figure 1. Attack intrensity 2021–2023, Gbps

Alt Text: Illustration of attack raising from 300 Gbps in 2021 and 650 Gbps in 2021 to 800 Gbps in 2023

The alarming 50–100% annual increase in DDoS attack volume highlights the growing sophistication of cyber attackers and their utilization of increasingly powerful tools. This means that businesses need to invest in DDoS mitigation strategies and solutions to protect their networks, systems, and customer data. Failure to address these evolving threats can result in costly disruptions, reputational damage, loss of customer trust, and security breaches.

**DDoS Attack Techniques**

According to Gcore's statistics, in Q1–Q2 of 2023:

*   UDP flood became more popular among attackers and is the most common method
*   SYN flood is in second place
*   In third place is TCP flood
*   All other techniques combined accounted for just 5% of attack types

Figure 2. Attack type spread, Q1–Q2 2023

Alt Text: Attack types illustrated: 52% - UDP, 24% - SYN flood, 19% - TCP flood, 5% - other traffic

According to Andrey Slastenov, Head of **Web Security at Gcore**, there has been an increase in the frequency of complex, multi-vector attacks by attackers. Attackers are now employing adaptive strategies, such as combining high-volume UDP attacks with a massive number of TCP packets, and shifting from targeting the application layer with a large amount of traffic to using a high volume of small packets. These changes in tactics indicate a deliberate effort to intensify the DDoS assault by overwhelming the network infrastructure and potentially bypassing mitigation measures. The ultimate goal is to maximize the impact of the attack and disrupt services.

**DDoS Attacks by Business Sector**

DDoS attacks across different business sectors have revealed specific trends and impacts. According to Gcore's report, gaming, telecom, and financial industries were the most attacked sectors in Q1–Q2 of 2023.

Figure 3. Most attacked industries based on Gcore's statistics.

Alt Text: Attack types illustrated: 30.1% - Gaming, 24.7% - Telecom, 16.8% - Financial, 28.4% - Other

The **gaming industry** was the most targeted sector, accounting for a considerable proportion of the DDoS attacks. Gaming platforms, operating in real-time and catering to millions of active users, experience detrimental consequences from even short periods of downtime. Attackers aim to disrupt services, undermine player experiences, and potentially gain a competitive advantage. The financial implications are substantial, with gaming companies often incurring a cost of $25,000 to $40,000 per hour of downtime.

The **telecommunication sector** faces a significant volume of DDoS attacks, affecting internet service providers (ISPs) and other telecom services. These attacks can result in widespread internet outages, impacting not only the telecom companies themselves but also businesses and consumers relying on their services. The disruptive nature of such attacks on critical infrastructure can have far-reaching consequences, disrupting communications and various aspects of daily life and business operations for customers.

The **financial sector**, encompassing banks and financial technology (FinTech) companies, remains constantly threatened by DDoS attacks. The rise in digital banking and online financial services adoption has increased the potential for disruptive attacks that can bring financial operations to a complete halt.

**DDoS Protection from Gcore**

Gcore can protect you from DDoS attacks with protection against threats at L3, L4, and L7 wielding over 1 Tbps of filtering capacity. Its real-time traffic filtering selectively blocks malicious sessions, allowing normal business processes to continue during attacks. All Gcore DDoS Protection servers are equipped with high-performance 3rd generation Intel® Xeon® Scalable processors, enabling fast processing so we can respond to attacks as quickly as possible. Learn **how Gcore repelled** a 650 Gbps attack in January 2023.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Surviving the 800 Gbps Storm: Gain Insights from Gcore's 2023 DDoS Attack Statistics

The startup, one of four finalists in Black Hat USA's 2023 startup competition, uses deterministic AI to optimize cloud security.

Cloud misconfigurations are a leading cause of breaches that lead to data loss for the enterprise, especially with the continued shift to cloud and multicloud environments. But surveying and monitoring all possible endpoints and connections with cloud services is too big a job for humans to accomplish alone — which is how such breaches proliferate. Gomboc.ai aims to solve the problem with a proprietary type of deterministic artificial intelligence (AI) that the company says sidesteps the issues with the more well-known generative AI model.

That hook — deterministic AI — earned Gomboc a spot in the finals of the second annual Startup Spotlight, presented by Black Hat USA. "We are solving the cloud security misconfiguration problem," says CEO and co-founder Ian Amit. That would be a huge accomplishment, since such problems cause most cloud breaches.

"Security misconfiguration backlogs are one of the highest priority issues CISOs deal with since they pose an immediate threat to the organization's cloud security posture, and existing solutions that focus on prioritization and ticketing do not provide a scalable way to address those," Amit adds.

**What Is Deterministic AI?**

Generative AI, which includes high-profile models like OpenAI's ChatGPT and Google's Bard, analyzes large collections of data to learn the structures well enough to assemble plausible new content from it — that is, it _generates_ outputs. Deterministic AI, on the other hand, defines data characteristics so that a specific problem will have one specific, correct solution that does not change — that is, the data values _determine_ the outputs.

Amit sees this as one of his company's great differentiators.

"\[W\]hen given the same input, Gomboc will always provide the same output — a crucial factor when writing secure code," he says. "Gomboc does not generate nor hallucinate any sort of IaC."

Generative, or stochastic, AI systems generate code based on statistical analysis, which Amit says can result in code that's inaccurate, imprecise, or bereft of context.

Instead, Gomboc built a proprietary ingestion engine that processes cloud service provider updates as they're released. It then applies the new data to clients' existing network policies, pushing any fixes live itself rather than issuing a ticket for a human to address. The tool works within existing DevSecOps environments, Amit says, keeping approval simple and easy to track.

    

Of course, deterministic AI, aka reactive AI or expert systems, is not an approach exclusive to Gomboc. Other security companies that employ deterministic AI include identity verification service Vouched and life-science compliance firm LighthouseAI. But by focusing on the highly complex and fraught multicloud environment, Gomboc is putting the technology to good use.

**What's Ahead for Gomboc**

The four finalists in the Black Hat Startup Spotlight — Gomboc, Binarly, Endor Labs, and Mobb — will present their business models to a panel of judges at the Mandalay Bay in Las Vegas on Wednesday, Aug. 9. Eligible candidates included companies that are 2 years old or less and have fewer than 50 employees. Dark Reading's editor-in-chief, Kelly Jackson Higgins, will host the event, which begins at 4:30 p.m. PT.

Amit says that his company's future plans include expanding to more environments, especially multicloud and hybrid installations. At the Black Hat USA booth, he promises a product demo and merch, as well as a chance to talk to the team who built the product.

The story of the company name is an interesting one: A gomboc is a geometric solid with exactly two points of equilibrium, one stable and one unstable. That means it will always return to its stable equilibrium point, no matter how it's pushed or rolled.

"Our platform turns everyone's cloud infrastructure into a self-righting environment \[in a security sense\] no matter how a company grows or scales. A Gomboc is a shape that does exactly that: It always rights itself no matter how much you push it," Amit says. "We're big math nerds here at Gomboc, so the shape and analogy have a special place in our hearts."

**Speed Round**

**Website:** https://www.gomboc.ai/  
**Founded:** Late 2022 (Funded in November)  
**Funding stage:** Seed  
**Total funding raised so far:** $5.3M  
**Number of employees:** 10  
**If the company were a band, what would its band name be, and what kind of band would it be:** Ship or Be Shipped (Hard Rock/Metal)  
**Pineapple on pizza, yea or nay?:** "As New Yorkers, it's absolutely nay."

Startup Spotlight: Gomboc.ai Balances Cloud Infrastructure Security

Exposed and unpatched solar power monitoring systems have been exploited by both amateurs and professionals, including Mirai botnet hackers.

Hundreds of solar power monitoring systems are vulnerable to a trio of critical remote code execution (RCE) vulnerabilities. The hackers behind the Mirai botnet and even amateurs have already started taking advantage, and others will follow, experts are predicting.

Palo Alto Networks' Unit 42 researchers previously discovered that the Mirai botnet is spreading through CVE-2022-29303, a command injection flaw in SolarView Series software developed by the manufacturer Contec. According to Contec's website, SolarView has been used in more than 30,000 solar power stations.

On Wednesday, vulnerability intelligence firm VulnCheck pointed out in a blog post that CVE-2022-29303 is one of _three_ critical vulnerabilities in SolarView, and it's more than just the Mirai hackers targeting them.

"The most likely worst-case scenario is losing visibility into the equipment that's being monitored and having something break down," explains Mike Parkin, senior technical engineer at Vulcan Cyber. It's also theoretically possible, though, that "the attacker is able to leverage control of the compromised monitoring system to do greater damage or get deeper into the environment."

**Three Ozone-Sized Holes in SolarView**

CVE-2022-29303 is borne from a particular endpoint in the SolarView Web server, confi\_mail.php, which fails to sufficiently sanitize user input data, enabling the remote malfeasance. In the month it was released, the bug received some attention from security bloggers, researchers, and one YouTuber who showed off the exploit in a still publicly accessible video demonstration. But it was hardly the only problem inside SolarView.

For one thing, there's CVE-2023-23333, an entirely similar command injection vulnerability. This one affects a different endpoint, downloader.php, and was first revealed in February. And there's CVE-2022-44354, published near the end of last year. CVE-2022-44354 is an unrestricted file upload vulnerability affecting yet a third endpoint, enabling attackers to upload PHP Web shells to targeted systems.

VulnCheck noted that these two endpoints, like confi\_mail.php, "appear to generate hits from malicious hosts on GreyNoise meaning that they too are likely under some level of active exploitation."

All three vulnerabilities were assigned "critical" 9.8 (out of 10) CVSS scores.

**How Big of a Cyber Problem Are the SolarView Bugs?**

Only Internet-exposed instances of SolarView are at risk of remote compromise. A quick Shodan search by VulnCheck revealed 615 cases connected to the open Web as of this month.

This, says Parkin, is where the unnecessary headache starts. "Most of these things are designed to be operated _within_ an environment and shouldn't need access from the open Internet under most use cases," he says. Even where remote connectivity is absolutely necessary, there are workarounds that can protect IoT systems from the scary parts of the wider Internet, he adds. "You can put them all on their own virtual local area networks (VLANs) in their own IP address spaces, and restrict access to them to a few specific gateways or applications, etc."

Operators might risk remaining online if, at least, their systems are patched. Remarkably, however, 425 of those Internet-facing SolarView systems — more than two thirds of the total — were running versions of the software lacking the necessary patch.

At least when it comes to critical systems, this may be understandable. "IoT and operational technology devices are often a lot more challenging to update compared to your typical PC or mobile device. It sometimes has management making the choice to accept the risk, rather than take their systems off-line long enough to install security patches," Parkin says.

All three CVEs were patched in SolarView version 8.00.

3 Critical RCE Bugs Threaten Industrial Solar Panels, Endangering Grid Systems

Dark Reading's latest special report looks at a missing, but necessary, ingredient to effective third-party risk management.

When it comes to enterprise risk, third-party cybersecurity risks have increased substantially in recent years. By implementing an effective third-party risk management program, organizations can mitigate much of their risk and better protect themselves from attacks that emanate from third parties. The key word here is "effective."

Dark Reading's latest special report, "How to Use Threat Intelligence to Mitigate Third-Party Risk," digs into how threat intelligence can be implemented to attain a continuous risk assessment on partners, suppliers, vendors, contractors, and other third parties.

Third-party threat intelligence helps security teams move beyond capturing a point-in-time view of security and regulatory compliance maturity and more accurately assess the risk over time. The convergence of threat intelligence and third-party risk management (TPRM) programs can ensure that third parties don't drastically increase the risk of data breaches or other cybersecurity events and, should such an incident occur, can help to minimize its impact.

**How TPRM Is Changing**

Historically, if TPRM was done at all, effective programs included identifying, categorizing, and assessing the risk of third parties, along with due-diligence questionnaires designed to gauge the maturing of their security and regulatory compliance program. Additionally, an enterprise would conduct a thorough independent investigation of vendors before signing any contract. Finally, the organization would include new partners and suppliers in their incident response planning so as to minimize any incident's impact.

"Organizations can send questionnaires, and they're going to provide some indication of the policies they have in place and their certifications," says senior research analyst at Forrester Alla Valente, who covers governance, risk, and compliance (GRC), third-party risk, and supply chain risk. "But that doesn't tell you everything happening inside their networks or systems. It also doesn't provide answers about broader risks, such as geography or if nation-states are targeting that vertical. These are all things you want to identify."

While there is scant data on how enterprises use TPRM threat intelligence to improve their third-party risk management, TPRM programs are gaining steam. In Prevalent's "2022 Third-Party Risk Management Industry Study," two-thirds of respondents reported that their TPRM programs have more visibility among executives and the board than the year before.

Read Dark Reading's "How to Use Threat Intelligence to Mitigate Third-Party Risk" for ideas on reducing third-party risks for your organization by leveraging threat intelligence.

Mitigating Risk With Threat Intelligence

By Deeba Ahmed
The researchers believe that the SmugX attack is an extension of a previously discovered campaign linked to Mustang Panda.
This is a post from HackRead.com Read the original post: SmugX: Chinese Hackers Targeting Embassies in Europe

**The attack method of the SmugX campaign includes attackers using HTML smuggling to target victims.**

Check Point Research’s (CPR) cyber threat intelligence researchers have discovered a disturbing attack trend. According to CPR’s report published on July 3, 2023, Chinese threat actors have become increasingly interested in targeting European governments, embassies, and foreign local policy-making entities. Eastern Europe is among their preferred targets, with prime targets being Slovakia, the Czech Republic, and Hungary.

This newly discovered campaign is dubbed SmugX. Researchers claim that this campaign has been active since December 2022, but they believe that it is an extension of a previously discovered campaign linked to Mustang Panda and RedDelta. Interestingly, both groups are Chinese.

As far as the attack method is concerned, research revealed that in SmugX, attackers are using HTML smuggling to target European embassies. In this method, the modular PlugX malware implant is smuggled (hidden) inside HTML documents.

Hackers use this technique to trick web security systems and evade antivirus mechanisms or security defences. HTML smuggling exploits HTML features to conceal malicious data documents from automated content filters, including them as JavaScript blobs that reassemble on the targeted device.

It is worth noting that PluxX is a commonly used tool for HTML smuggling. Multiple Chinese threat actors have used this malware previously, such as the group that targeted the Vatican in 2020 or the one that targeted the Indonesian Intelligence Service in 2021. The malware was also used to target users in Mongolia, Ghana, Papua New Guinea, Nigeria, and Zimbabwe in a USB drive-based campaign.

CPR researchers agree that SmugX’s primary objective is to obtain sensitive data on the foreign policies of the targeted countries. This analysis is based on the lure samples posted to the malware repository on VirusTotal. The filenames of these samples were self-explanatory.

Researchers wrote that the names strongly suggested that the attackers wanted to target diplomats and government entities, whereas the content contained mainly diplomatic-related content related to China. The attack utilizes several .docx and .pdf files containing diplomatic content.

CPR researchers obtained a letter from the Serbian embassy in Budapest, a document revealing the Swedish Presidency of the Council of the European Union’s priorities, and an invitation from the Hungarian foreign ministry for a diplomatic conference.

The researchers also discovered an article about the two Chinese human rights lawyers who had received a ten-year sentence. Here are the titles of these documents:

*   202305 Indicative Planning RELEX
*   Draft Prague Process Action Plan\_SOM\_EN
*   2262\_3\_PrepCom\_Proposal\_next\_meeting\_26\_April
*   Comments FRANCE – EU-CELAC Summit – 4th May
*   China jails two human rights lawyers for Subversion

One of the phishing documents (left) – Targeted countries (right)

“While none of the techniques observed in this campaign is new or unique, the combination of the different tactics, and the variety of infection chains resulting in low detection rates, enabled the threat actors to stay under the radar for quite a while,” CPR researchers noted.

CPR is still investigating and monitoring SmugX activities and will share new details soon. Please continue to visit this platform for the latest updates on SmugX.

**RELATED ARTICLES**

1.  Killnet Hits European Parliament Website with DDoS Attack
2.  Research sector hit in new phishing attack using Google Drive
3.  Fake WHO Emails on COVID-19 Drop Nerbian RAT Across Europe
4.  European Spyware Vendor Offering Android & iOS Device Exploits
5.  Zimbra email platform flaw exploited to steal European govt emails

SmugX: Chinese Hackers Targeting Embassies in Europe

The National Defense Authorization Act may include new language forbidding government entities from buying Americans' search histories, location data, and more.

A “must-pass” defense bill wending its way through the United States House of Representatives may be amended to abolish the government practice of buying information on Americans that the country’s highest court has said police need a warrant to seize. Though it’s far too early to assess the odds of the legislation surviving the coming months of debate, it’s currently one of the relatively few amendments to garner support from both Republican and Democratic members. 

Introduction of the amendment follows a report declassified by the Office of the Director of National Intelligence—the nation’s top spy—which last month revealed that intelligence and law enforcement agencies have been buying up data on Americans that the government’s own experts described as “the same type” of information the US Supreme Court in 2018 sought to shield against warrantless searches and seizures. 

A handful of House lawmakers, Republicans and Democrats alike, have declared support for the amendment submitted late last week by representatives Warren Davidson, a Republican from Ohio, and Sara Jacobs, a California Democrat. The bipartisan duo is seeking stronger warrant requirements for the surveillant data constantly accumulated by people’s cellphones. They argue that it shouldn’t matter whether a company is willing to accept payment from the government in lieu of a judge’s permission.

“Warrantless mass surveillance infringes the Constitutionally protected right to privacy,” says Davidson. The amendment, he says, is aimed chiefly at preventing the government from “circumventing the Fourth Amendment” by purchasing “your location data, browsing history, or what you look at online.”

A copy of the Davidson-Jacobs amendment reviewed by WIRED shows that the warrant requirements it aims to bolster focus specifically on people’s web browsing and internet search history, along with GPS coordinates and other location information derived primarily from cellphones. It further encapsulates “Fourth Amendment protected information” and would bar law enforcement agencies of all levels of jurisdiction from exchanging “anything of value” for information about people that would typically require a “warrant, court order, or subpoena under law.”

The amendment contains an exception for anonymous information that it describes as “reasonably” immune to being de-anonymized; a legal term of art that would defer to a court’s analysis of a case’s more fluid technicalities. A judge might, for instance, find it unreasonable to assume a data set is well obscured based simply on the word of a data broker. The Federal Trade Commission’s Privacy and Identity Protection Division noted last year that claims that data is anonymized “are often deceptive,” adding that “significant research” reflects how trivial it often is to reidentify “anonymized data.”

The amendment was introduced Friday to defense legislation that will ultimately authorize a range of policies and programs consuming much of the Pentagon’s nearly $890 billion budget next year. The National Defense Authorization Act (NDAA), which Congress is required to pass annually, is typically pieced together from hundreds, if not thousands, of amendments. 

This year negotiations are particularly contentious, given the split chamber and a mess of interparty strife, and only one in six NDAA amendments introduced so far have apparent bipartisan support. 

Republican members Nancy Mace of South Carolina, Kelly Armstrong of North Dakota, and Ben Cline of Virginia have backed the Davidson-Jacobs amendment, according to the House Rules Committee website. They’re joined by Democrats Pramila Jayapal of Washington, Zoe Lofgren of California, and Veronica Escobar of Texas.

Jacobs previously coauthored a related amendment with Davidson that attempted to compel the US military to disclose annually how often its various spy agencies purchase Americans’ smartphone and web-browsing data. The amendment was stripped from the final version of last year’s NDAA.

The data broker report declassified last month by the US director of national intelligence, Avril Haines, stressed that neither presently, nor at any point in the past, would the government be permitted to force “billions of people to carry location-tracking devices on their persons at all times.” That is, nevertheless, what is happening today, independent of the government’s actions. The unceasing explosions of new technologies are clashing more and more frequently with the nation’s antiquated privacy laws, giving the Department of Homeland Security, Defense Intelligence Agency, and others like them an unmistakable loophole through which virtually anyone can be surveilled without a reason. 

Demand Progress senior policy counsel Sean Vitka, whose group has spent years lobbying for privacy reform in the face of the government’s growing and often secret reliance on data brokers, says the relatively untracked purchases—up to and including “turnkey lists of everyone who has gone to an abortion clinic, a place of worship, a rehab facility, or a protest”—represent an “existential threat” to the right to privacy. The Davidson-Jacobs amendment marks a “critical opportunity to get \[federal lawmakers\] on the record,” adds Vitka.

The American Civil Liberties Union intends to score how lawmakers vote on the amendment, WIRED has learned. The lawmakers’ effort is also being supported by the Electronic Frontier Foundation, National Association of Criminal Defense Lawyers, FreedomWorks, and the Brennan Center for Justice at NYU School of Law, among dozens of similar civil society organizations.  

Congressional staffers and others privy to ongoing conferencing over privacy matters on Capitol Hill say that regardless of whether the amendment succeeds, the focus on data brokers is just a prelude to a bigger fight coming this fall over the potential sunsetting of one of the spy community’s powerful tools, Section 702 of the Foreign Intelligence Surveillance Act, the survivability of which is anything but assured.

US Spies Are Buying Americans' Private Data. Congress Has a Chance to Stop It

Now is the time to build safeguards into nascent AI technology.

Are we in a golden age of artificial intelligence? It's tough to make predictions — and probably ill-advised. Who wants to predict the future of such a new technology?

We can, however, say some things for certain. A great deal is being made of AI's application to creative works, from voice acting to first drafts of screenplays. But AI is likely to be most useful when dealing with drudgery. This is good news for developers, if the promise matches early experiments — first drafts of code can be easily created and ready for developers to tweak and iterate upon.

However, it's important to remember that not every coder is working for a legitimate business. Just as cybersecurity threat actors have emulated their targets in becoming more businesslike, they're also adopting new technologies and techniques. We can expect AI to help in the development of malware and other threats in the coming years, whether we're entering a golden age of AI or not.

**Drafting Code and Scams**

One trend we've seen in recent years is a rise of "as-a-service" offerings. Early hackers were tinkerers and mischief-makers, tricking phone systems or causing chaos mostly as an exercise in fun. This has fundamentally changed. Threat actors are professional and often sell their products for others to use.

AI will fit very nicely into this way of working. Able to create code to tackle specific problems, AI can amend code to target vulnerabilities or take existing code and change it, so it's not so easily detected by security measures looking for specific patterns.

But the possibilities for AI's misuse doesn't stop there. Many phishing emails are detected by effective filtering tools and end up in junk folders. Those that do make it to the inbox are often very obviously scams, written so badly they're borderline incomprehensible. But AI could break this pattern, creating thousands of plausible emails that can evade detection and be well-written enough to fool both filters and end users.

Spear-phishing, the more targeted form of this attack, could also be revolutionized by this tech. Sure, it's easy to ignore an email from your boss asking you to wire cash or urgently buy gift cards — cybersecurity training helps employees avoid this sort of scam. But what about a deep-fake phone call or video chat? AI has the potential to take broadcast appearances and podcasts and turn them into a convincing simulacrum, something far harder to ignore.

**Fighting Back Against AI Cyberattacks**

There are two main ways to fight back against the benefits that AI will confer on the enemy — better AI and better training — And both will be necessary.

The advent of this new generation of AI has started a new arms race. As cybercriminals use it to evolve their attacks so will security teams need to use it to evolve their defenses.

Without AI, defenses rely on overworked people and monitoring for certain preprogramed patterns to prevent attacks. AI defensive tools will be able to predict attack vectors and pinpoint sensitive areas of the network and systems. They'll also be able to analyze malicious code, allowing a better understanding of how new attacks work and how they can be prevented.

AI could also work, in a pinch, as an emergency stop — disabling the network upon detecting a breach and locking down the entire system. While not ideal from a business continuity perspective, this could be far less damaging than a data breach.

But fighting AI with AI is not the only answer. We also need human intelligence. No matter how smart and targeted, the best defense against a phishing attack is an employee or customer who knows what to look for and is suspicious enough not to take the bait. Implementing robust security policies and best-practice cyber hygiene will remain key to defending against attacks.

This means that training will need to be updated to include the signs of an AI attack … whatever those might be. Training will need to evolve with AI — a single training course every few years isn't going to cut it anymore when that training is quickly out of date.

While the possible signs of an AI-driven cyberattack are changing rapidly, in general, attacks are:

*   **Fast and scalable**, exploiting multiple vulnerabilities in a short time span.
*   **Adaptive and evasive**, changing tactics and techniques to avoid detection and response.
*   **Targeted and personalized**, using AI to craft convincing phishing emails or social engineering campaigns.
*   **Deceptive and manipulative**, using AI to create fake or altered content such as deepfakes, voice cloning, or text generation.
*   **Stealthy and persistent**, hiding in the network infrastructure for a long time without being noticed.

These signs aren't exhaustive, and some AI-driven attacks may not exhibit all of them. However, they indicate the level of threat that AI poses to cybersecurity.

To effectively fight AI-driven cyberattacks, businesses must think beyond individual bad actors and prepare for coordinated attacks by state-sponsored actors or criminal organizations that may use AI to launch sophisticated campaigns using a risk-based approach. They should also have a proactive strategy that includes regular security audits, backups, encryption, and incident response plans. This is most easily accomplished by obtaining a well-known security certification such as PCI-DSS.

Finally, it's imperative that organizations improve the cybersecurity of their own AI systems by ensuring their integrity, confidentiality, and availability, and by mitigating the risks of adversarial attacks, data poisoning, and model stealing.

These strategies will help protect businesses, but they shouldn't standalone — security should be collaborative. By collaborating with other organizations, researchers, and authorities to share information, best practices, and failures that can be learned from, businesses will be better prepared for the new wave of AI security threats.

AI is both a new threat and a continuation of older threats. Businesses will have to evolve how they tackle cyber threats as these threats become more sophisticated and more numerous, but a lot of the fundamentals remain the same. Getting these right remains critical. Security teams don't need to pivot away from old ideas but build on them to keep their businesses safe.

Tag

#intel