The malware, called "BabyLockerKZ," has primarily affected users in Europe and South America.

*   Cisco Talos has discovered a financially motivated threat actor, active since 2022, recently observed delivering a MedusaLocker ransomware variant. 
*   Intelligence collected by Talos on tools regularly employed by the threat actor allows us to see an estimate of the amount and countries of origin of this group’s victims. This actor has been active since at least late 2022 and targets organizations worldwide, although the number of victims was higher than average in EU countries until mid-2023 and, since then, in South American countries.
*   This threat actor was observed distributing a MedusaLocker ransomware variant known as “BabyLockerKZ.” This variant is compiled with a PDB path containing the word “paid\_memes” which is also present in other tools observed during the attacks, presumably by the same author.
*   Talos has new information on the attacker’s tools, including BabyLockerKz and attacker TTPs and IOCs to assist in detecting and preventing further attacks.

Talos has recently observed an attack leading to the deployment of a MedusaLocker ransomware variant known as “BabyLockerKZ.” The distinguishable techniques — including consistently storing the same set of tools in the same location on compromised systems, the use of tools that have the PDB path with the string “paid\_memes,” and the use of a lateral movement tool named “checker” — used in the attack led us to take a deeper look to try to understand more about this threat actor. 

This attacker uses several publicly known attack tools and living-off-the-land binaries (LoLBins), a set of tools built by the same developer (possibly the attacker) to assist in credential theft and lateral movement in compromised organizations. These tools are mostly wrappers around publicly available tools that include additional functionality to streamline the attack process and provide graphical or command-line interfaces. 

The same developer built the MedusaLocker variant used in the initial attack. This variant that uses the same chat and leak site URLs contains several differences to the original MedusaLocker ransomware, such as a different autorun key or an extra public and private key set stored in the registry. Based on the name of the autorun key, the attackers call this variant “BabyLockerKZ.” 

We assess with medium confidence that the actor is financially motivated, likely working as an IAB or an affiliate of a ransomware cartel, and has been carrying out attacks since at least 2022. Our telemetry indicates that the actor opportunistically targeted many victims worldwide. In late 2022 and early 2023, most victims were in European countries, but since the first quarter of 2023, the group’s focus shifted toward South American countries and, as a result, the number of victims per month almost doubled.

**Tracking BabyLockerKZ across the globe**

Intelligence collected by Talos on tools regularly employed by the threat actor allows us to estimate the number of, and the countries of origin of the victims. Although this is unlikely to capture all of the adversary’s activities, it still provides a look at a specific window of activity.

The actor has been active since at least October 2022. At that time, the targets were mostly located in European countries such as France, Germany, Spain or Italy. During the second  quarter of 2023, the attack volume per month almost doubled, and the group shifted its focus toward South American countries such as Brazil, Mexico, Argentina and Colombia, as shown in the chart below. The attacks kept a steady volume of around 200 unique IPs compromised per month until the first quarter of 2024 when the attacks decreased.

The actor has consistently compromised a large number of organizations, often more than 100 per month, since at least 2022. This reveals the professional and highly aggressive nature of the attacks and is coherent with the activity we would expect from an IAB or ransomware affiliate.

During the attack leading to the deployment of the BabyLockerKZt, the adversary used several publicly known attack tools and others that could be unique to this actor. The group frequently used the Music, Pictures or Documents user folders of compromised systems to store attack tools. For example, the following paths were used to store tools during this attack:

*   c:\\users\\<user>\\music\\advanced\_port\_scanner\_2.5.3869.exe
*   c:\\users\\<user>\\music\\hrsword\\hrsword install.bat
*   c:\\users\\<user>\\music\\killav\\build.004\\disabler.exe
*   c:/users/<user>/music/checker/checker(222).exe
*   c:/users/<user>/music/checker/invoke-thehash.ps1
*   c:/users/<user>/music/checker/checker (222).exe
*   c:/users/<user>/music/checker/invoke-smbexec.ps1
*   c:/users/<user>/music/checker/invoke-wmiexec.ps1
*   c:/users/<user>/appdata/roaming/ntsystem/ntlhost.exe.exe
*   c:/users/<user>/appdata/local/temp/advanced port scanner 2/advanced\_port\_scanner.exe
*   c:/users/<user>/appdata/local/temp/is-juad3.tmp/advanced\_port\_scanner\_2.5.3869.tmp

These are similar to a previous attack leading to MedusaLocker ransomware, documented by ASEC in February 2023, which our telemetry suggests was a more active period for this threat actor.

Some of the publicly known tools used by the attacker are:

*   HRSword\_v5.0.1.1.rar: A tool used to disable AV and EDR software.
*   Advanced\_Port\_Scanner\_2.5.3869.exe: A network-scanning tool with several additional features to map internal networks and devices.
*   Netscan.exe: SoftPerfect Network Scanner: A tool similar to Advanced Port Scanner.
*   Processhacker.exe: Process Monitoring and administration software. Allows a TA to enumerate and control processes running on the infected endpoint.
*   PCHunter64.exe: A tool similar to processhacker.
*   Mimikatz: A tool to dump Windows user credentials from memory.

While most of the tools the attacker uses are publicly available, they also use some tools that are not widely distributed that streamline the attack process by automating the interaction between popular attack tools (e.g., Mimikatz, Invoke-the-hash, PSEXEC, RDP) and by adding convenient functionality and interfaces. One of these tools, called “Checker” used in an attack that deployed BabyLockerKZ, consisted of pivotal characteristics of BabyLockerKZ, the “Checker” tool has a PDB path containing the string “**paid\_memes**”. Pivoting off this string, we identified files on VirusTotal, of which most are BabyLockerKZ samples. We also discovered several other tools, which we’ll outline below.

Checker (E:\\**paid\_memes**\\wmi\_smb\_rdp\_checker\\Release\\checker.pdb) is an app that bundles several other freely available apps and provides a GUI for management of credentials as the attackers proceed with lateral movement. In particular it contains a set of tools:

*   Remote Desktop Plus
*   PSEXEC
*   MIMIKATZ

And a set of scripts based on the Invoke-TheHash tool.

The tool also contains a GUI, as shown below, and a database to store the credentials.

As the image illustrates, the tool can be used to scan IPs for valid credentials using several protocols/techniques (PSEXEC, RDP, SMB and WMI) and is prepared to import data from lists of hosts and some of the tools in the attacker toolset, such as Mimikatz, as well as an advanced port scanner. The tool can also decrypt hashes and offers the convenience of a GUI to store a database of the hosts and respective credentials that have been obtained or verified.

**PTH project**

The PTH (D:\\Projects\\**paid\_memes**\\PTH\\Release\\PTH.pdb) name suggests the pass-the-hash technique to use NTLM hashes to authenticate remotely without having to crack the password. Looking at its resources it embeds:

*   Invoke-SMBClient.ps1
*   Invoke-SMBEnum.ps1
*   Invoke-SMBExec.ps1
*   Invoke-TheHash.ps1
*   Invoke-WMIExec.ps1

These were also used in the checker tool and are part of Invoke-TheHash. According to the author: 

_“Invoke-TheHash contains PowerShell functions for performing pass the hash WMI and SMB tasks. WMI and SMB connections are accessed through the .NET TCPClient. Authentication is performed by passing an NTLM hash into the NTLMv2 authentication protocol. Local administrator privilege is not required client-side.”_

MIMIK (D:\\Projects\\**paid\_memes**\\mimik\\Release\\stub\_mimik.pdb) is a wrapper around Mimikatz and rclone that can be used to steal credentials and automatically upload them to an attacker-controlled server. The following image shows the terminal output for the tool.

The following command lines are examples of commands executed via the tool:

*   64.exe privilege::debug sekurlsa::logonPasswords token::elevate lsadump::sam full exit 
*   C:\\Users\\user\\Desktop\\64.exe 64.exe "privilege::debug" "sekurlsa::logonPasswords" "token::elevate" "lsadump::sam full" exit 
*   64.exe "privilege::debug" "sekurlsa::logonPasswords" "token::elevate" "lsadump::sam full" exit
*   C:\\Users\\user\\Desktop\\rclone.exe rclone rcd --rc-no-auth --bwlimit=30M
*   C:\\Users\\user\\Desktop\\rclone.exe rclone rc operations/stat

**BabyLockerKZ**

BabyLockerKZ is a variant of MedusaLocker that has been around at least since late 2023 and has been analyzed by other researchers, although not specifically called out as a MedusaLocker variant with this name. 

A Cynet blog post on the malware used the name “Hazard” for a MedusaLocker variant (named after the extension used for encrypted files) and mentions the existence of the BabyLockerKZ registry key. 

Another post from Whitehat mentions the existence of PAIDMEMES PUBLIC and PRIVATE registry keys on a MedusaLocker sample. 

This variant has not been given much attention outside of that, though, possibly because it’s highly similar to MedusaLocker or because it uses the same chat and leak sites as MedusaLocker. But there are several notable differences between BabyLockerKZ and MedusaLocker, such as:

*   No {8761ABBD-7F85-42EE-B272-A76179687C63} mutex.
*   No MDSLK reg key.
*   The PAIDMEMES Public and private keys.
*   The BabyLockerKZ run key.

The use of the PAIDMEMES public and private keys is unclear. In their post, Whitehat mentioned that they believe the keys aren’t necessary for the encryption process, as the Linux version doesn’t use them. Further research into the use of these keys might be a topic for another blog post.

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

**Open-source Snort Subscriber Rule Set** customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. SIDs for this threat: Snort3 Rules: 1:300998:1:0 Snort2 Rules: 1:63928:1:0, 1:63929:1:0

**ClamAV** detections are also available for this threat:  
Win.Ransomware.MedusaLocker-10035000-1  
Win.Tool.PassTheHash-10034996-0  
Win.Ransomware.MedusaLocker-10035000-0

**Indicators of Compromise**

IOCs for this research can be found at our Github repository here

**BabylockerKZ:**

33a8024395c56fab4564b9baef1645e505e00b0b36bff6fad3aedb666022599a

b8c994e3ed7dcc9080916119ddc315533c129479f508676d7544b82b2e24745f

63eb3d2886d9cb880c9b0d54b94f3e149b3b5b6215a33a0ef63588a09dcd4499

270c3354b3ee2940b499e365eaba143fba9d458f434dc38e663dc0f08e96121e

759b96f44806578cc0836a3a2bf11c8bc553effac72f8d28b94aec78b66be906

**PTH:**

9f066975f1e02b29c7c635280f405c59704ce4f4e06b04e9ac8a7eac22acd3c7

8bc455e5de35290f8a94376357947bd72aaf6f4d452c25a8ef444e037ef76b9f

**Checker:**

d00f7cf6af68ba832b9d364f28411346cfe66fd3b1f5bcac318766add29ff7f0

1f2df15442593b159e45d16a27e4d43d3a9062da212a588ba4c048f214a0b7be

1e9246e6a35731143368eaa0ade4f3cf576d6b22e6090152f6e94f1fa3070651

6ae3a58a78be9c606009c657de4e390538b21ad951e62b6f4d31138e1a75732c

2eddfe711c32ef1668e14a10d00452c83c29e394e17c41f491550a1583c1bcac

**HOHOL1488:**

dc4840a0992b218cbedd5a7ac5c711cb98f1f9e78a8ffdea37c694061dfd34c6

48046fb0e566f5a2d184f84b76d6cadc458762556daed0ae4a3a1200afbefb54

c0c726a23111c220d022fcd01a85f9788249e42baece03f83b6059170453b801

012657c4548d9c98223caa4cc7aa52fc083d6983d42fde16ca3271412e7fe3fe

8edbb1944d94ff91ee917c31590b6d1d5690a52fc153e44355ee9749aa0f4625

364f1b7466d8e4c9f55294ecf1f874c763bcf980c59b0250c613ac366def6aca

5d5d639fdfbf632bb7d9f1bb28731217d09d36078ab5e594baf2a5a41267a5d2

**PDB list:**

d:/projects/paid\_memes/virus/release/stub.pdb

e:/locker/bin/stub\_win\_x64\_encrypter.pdb

i:/locker/bin/stub\_win\_x64\_encrypter.pdb

d:/education/locker/bin/stub\_win\_x64\_encrypter.pdb

d:/education/locker/bin/stub\_win\_x86\_encrypter.pdb

d:/projects/paid\_memes/wmi\_smb\_rdp\_checker/release/checker.pdb

d:/projects/paid\_memes/mimik/release/stub\_mimik.pdb

i:/locker/x64/release/phantom.pdb

d:/projects/paid\_memes/pth/release/pth.pdb

**Registry keys:**

HKEY\_USERS\\%SID%\\SOFTWARE\\PAIDMEMES\\PRIVATE

HKEY\_USERS\\%SID%\\SOFTWARE\\PAIDMEMES\\PUBLIC

HKEY\_CURRENT\_USER\\SOFTWARE\\PAIDMEMES\\PUBLIC

HKEY\_CURRENT\_USER\\SOFTWARE\\PAIDMEMES\\PRIVATE

HKCU\\SOFTWARE\\PAIDMEMES\\PUBLIC

HKCU\\SOFTWARE\\PAIDMEMES\\PRIVATE

HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\BabyLockerKZ

HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\BabyLockerKZ

HKEY\_USERS\\%SID%\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\BabyLockerKZ

**Extension names observed being used by BabyLockerKZ samples:**

crypto125

crypto1317

crypto165

crypto41

crypto76

encrypted1

hazard11

hazard21

hazard23

hazard24

hazard25

hazard27

hazard31

hazard38

hazard49

hazard55

hazard56

hazard7

infected

lock2

lock3

lock5

locked9

lockfiles

meduza210

rapid1

rapid10

readtext13

readtext47

readtext49

recovery29

recovery70

virus2

virus3

virus57

**Encryption key BabyLockerKZ:**

PUTINHUILO1337

**MUTEX BabyLockerKZ:**

HOHOL1488

Threat actor believed to be spreading new MedusaLocker variant since 2022

The FIN7 group is mounting a sophisticated malware campaign that spans numerous websites, to lure people with a deepfake tool promising to create nudes out of photos.

Source: Mike via Adobe Stock Photo

The notorious FIN7 threat group is combining artificial intelligence (AI) with social engineering in an aggressive, adult-themed threat campaign that dangles lures for access to technology that can "deepfake" nude photos — all to fool people into installing infostealing malware.

The powerful Russian financial cybercrime group has created at least seven websites that advertise for what's called a "DeepNude Generator," which promises to use deepfake technology transform any photo into a nude representation of the person pictured, according to new research from the threat hunters at Silent Push.

People can either download the generator via the site or sign up for a "free trial," demonstrating the sophistication of the scam. But instead of receiving the tool, they end up downloading malicious payloads such as the stealers Lumma and Redline, which can be used to deliver further malware such as ransomware, the researchers said.

Given the provocative lure, organizations are vulnerable to the campaign, as it may entice  unsuspecting employees to download malicious files. "These files may directly compromise credentials via infostealers or be used for follow-on campaigns that deploy ransomware," according to a blog post about the research.

Meanwhile, FIN7 also continues to promote an existing malvertising campaign that targets corporate users with lures to content by popular brands — including  SAP Concur, Microsoft, Thomson Reuters, and FINVIZ stock screening —  to spread the NetSupport RAT and .MSIX malware, according to Silent Push. The researchers identified a number of active IPs and thus "active new websites" hosting the ploy, which asks people to download a fake "required browser extension," which is actually a malicious payload, to view content related to the brands.

Related:Thousands of DrayTek Routers at Risk From 14 Vulnerabilities

**Fin7 Evolves With the Times**

The DeepNude Generator campaign demonstrates particularly sophisticated thought and planning on the part of FIN7, which developed at least seven dedicated websites URLs —such as aiNude\[.\]ai, easynude\[.\]website, and ai-nude\[.\]cloud — to make it appear convincing.

There is also evidence that FIN7 is employing search engine optimization (SEO) to keep users engaged and to rank their honeypots higher in search results by using footer links to "Best Porn Sites" on its sites. Those links direct victims to other malicious sites dangling the same lure.

Moreover, the group invested effort in creating two website versions for promoting the deepfake tool. The first involves a DeepNude Generator "free download," and the second offers site visitors a DeepNude Generator "free trial," each with a different attack flow.  

Related:Python-Based Malware Slithers Into Systems via Legit VS Code

The first uses "a simple user flow" that uses a "free download" link leading users to a new domain featuring a Dropbox link or another source hosting a malicious payload, according to Silent Push.

The second attack flow prompts users via a "free trial" button to upload an image to test the generator. If this is done, the user is next prompted with a “trial is ready for download” message, with a corresponding pop-up requires the user to answer the question: "The link is for personal use only, do you agree?"

"If the user agrees and clicks 'download,' they are served a .zip file with a malicious payload" that leads to the Lumma Stealer, and which uses a DLL side-loading technique for execution, according to Silent Push.

**Mitigation & Defense Against Fin7**

The two campaigns demonstrate that FIN7 — a cybercrime collective also known as Carbanak, Carbon Spider, Cobalt Group, and Navigator Group that's been active since 2012 — remains an imminent threat despite many attempts by law enforcement to shut it down, or at least significantly disrupt it. It also shows a tenacity on the group's part to evolve with modern technology and psychological tactics to create more sophisticated ways to spread malware, the researchers said.

Related:Dragos Expands ICS Platform With New Acquisition

Indeed, FIN7 has long been known for its savvy combination of malware and social engineering, having mounted a slew of successful, financially motivated attacks against global organizations that have hauled in well over $1.2 billion — and counting — for the criminal enterprise.

To help organizations combat threats from FIN7 and other organized cybercriminal groups, developing indicators of attack based on the group's tactics, techniques, and procedures (TTPs) is one method. Also, training employees to be aware of these increasingly elaborate social engineering tactics that threat groups use, and blocking the download of any unknown any files from the Internet onto a machine connected to a corporate network also can help enterprises avoid compromise by sophisticated threat campaigns.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

AI 'Nude Photo Generator' Delivers Infostealers Instead of Images

INTERPOL has announced the arrest of eight individuals in Côte d'Ivoire and Nigeria as part of a crackdown on phishing scams and romance cyber fraud.
Dubbed Operation Contender 2.0, the initiative is designed to tackle cyber-enabled crimes in West Africa, the agency said.
One such threat involved a large-scale phishing scam targeting Swiss citizens that resulted in financial losses to the tune

Cybercrime / Financial Fraud

INTERPOL has announced the arrest of eight individuals in Côte d'Ivoire and Nigeria as part of a crackdown on phishing scams and romance cyber fraud.

Dubbed Operation Contender 2.0, the initiative is designed to tackle cyber-enabled crimes in West Africa, the agency said.

One such threat involved a large-scale phishing scam targeting Swiss citizens that resulted in financial losses to the tune of more than $1.4 million.

The cybercriminals posed as buyers on small advertising websites and used QR codes to direct victims to fraudulent websites that mimicked a legitimate payment platform.

This allowed victims to inadvertently enter personal information such as their credentials or card numbers. The perpetrators also impersonated the unnamed platform's customer service agents over the phone to further deceive them.

As many as 260 scam reports are said to have been received by Swiss authorities between August 2023 and April 2024, prompting a collaborative investigation that traced the roots of the campaign to Côte d'Ivoire.

The main suspect behind the attacks confessed to the scheme and making illicit financial gains of over $1.9 million. Five other individuals conducting cybercriminal activities at the same location have also been arrested.

In a separate case, authorities said it apprehended a suspect and their accomplice in Nigeria on April 27, 2024, in connection with a romance scam after Finnish authorities alerted the Nigerian Police Force via INTERPOL that a victim was scammed out of a "substantial amount of money."

Such financial grooming crimes entail scammers creating fake online identities on dating apps and social media platforms to develop romantic or close relationships with prospective victims, only to steal money from them.

"Leveraging the increased reliance on technology in every aspect of our daily lives, cybercriminals are employing a range of techniques to steal data and execute fraudulent activities," Neal Jetton, Director of the Cybercrime Directorate, said.

"These recent successful collaborations, under the umbrella of Operation Contender 2.0, demonstrate the importance of continued international cooperation in combating cybercrime and bringing perpetrators to justice."

The development comes as the U.S. Department of Justice (DoJ) said a 45-year-old dual citizen of Nigeria and the United Kingdom, Oludayo Kolawole John Adeagbo, has been sentenced to seven years in prison for his role in a multimillion-dollar business email compromise (BEC) scheme.

Adeagbo "conspired with others to participate in multiple cyber-enabled BEC schemes that defrauded a North Carolina university of more than $1.9 million, and attempted to steal more than $3 million from victim entities in Texas, including local government entities, construction companies, and a Houston-area college," the DoJ said.

It also follows an announcement from Meta that it's teaming up with U.K. banks to combat scams on its platforms as part of an information-sharing partnership program dubbed Fraud Intelligence Reciprocal Exchange (FIRE).

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

INTERPOL Arrests 8 in Major Phishing and Romance Fraud Crackdown in West Africa

A new wave of international law enforcement actions has led to four arrests and the takedown of nine servers linked to the LockBit (aka Bitwise Spider) ransomware operation, marking the latest salvo against what was once a prolific financially motivated group.
This includes the arrest of a suspected LockBit developer in France while on holiday outside of Russia, two individuals in the U.K. who

A new wave of international law enforcement actions has led to four arrests and the takedown of nine servers linked to the LockBit (aka Bitwise Spider) ransomware operation, marking the latest salvo against what was once a prolific financially motivated group.

This includes the arrest of a suspected LockBit developer in France while on holiday outside of Russia, two individuals in the U.K. who allegedly supported an affiliate, and an administrator of a bulletproof hosting service in Spain used by the ransomware group, Europol said in a statement.

In conjunction, authorities outed a Russian national named Aleksandr Ryzhenkov (aka Beverley, Corbyn\_Dallas, G, Guester, and Kotosel) as one of the high-ranking members of the Evil Corp cybercrime group, while simultaneously painting him as a LockBit affiliate. Sanctions have also been announced against seven individuals and two entities linked to the e-crime gang.

"The United States, in close coordination with our allies and partners, including through the Counter Ransomware Initiative, will continue to expose and disrupt the criminal networks that seek personal profit from the pain and suffering of their victims," said Acting Under Secretary of the Treasury for Terrorism and Financial Intelligence, Bradley T. Smith.

The development, part of a collaborative exercise dubbed Operation Cronos, comes nearly eight months after LockBit's online infrastructure was seized. It also follows sanctions levied against Dmitry Yuryevich Khoroshev, who was revealed to be the administrator and individual behind the "LockBitSupp" persona.

A total of 16 individuals who were part of Evil Corp have been sanctioned by the U.K. Also tracked as Gold Drake and Indrik Spider, the infamous hacking crew has been active since 2014, targeting banks and financial institutions with the ultimate goal of stealing users' credentials and financial information in order to facilitate unauthorized fund transfers.

The group, responsible for the development and distribution of the Dridex (aka Bugat) malware, has been previously observed deploying LockBit and other ransomware strains in 2022 in order to get around sanctions imposed against the group in December 2019, including key members Maksim Yakubets and Igor Turashev.

Ryzhenkov has been described by the U.K. National Crime Agency (NCA) as Yakubets' right-hand man, with the U.S. Department of Justice (DoJ) accusing him of deploying BitPaymer ransomware to target victims across the country since at least June 2017.

"Ryzhenkov used the affiliate name Beverley, made over 60 LockBit ransomware builds and sought to extort at least $100 million from victims in ransom demands," officials said. "Ryzhenkov additionally has been linked to the alias mx1r and associated with UNC2165 (an evolution of Evil Corp affiliated actors)."

Additionally, Ryzhenkov's brother Sergey Ryzhenkov, who is believed to use the online alias Epoch, has been linked to BitPaymer, per cybersecurity firm Crowdstrike, which assisted the NCA in the effort.

"Throughout 2024, Indrik Spider gained initial access to multiple entities through the Fake Browser Update (FBU) malware-distribution service," it noted. "The adversary was last seen deploying LockBit during an incident that occurred during Q2 2024."

Notable among the individuals subjected to sanctions are Yakubets' father, Viktor Yakubets, and his father-in-law, Eduard Benderskiy, a former high-ranking FSB official, underscoring the deep connection between Russian cybercrime groups and the Kremlin.

"The group were in a privileged position, with some members having close links to the Russian state," the NCA said. "Benderskiy was a key enabler of their relationship with the Russian Intelligence Services who, prior to 2019, tasked Evil Corp to conduct cyber attacks and espionage operations against NATO allies."

"After the U.S. sanctions and indictments in December 2019, Benderskiy used his extensive influence with the Russian state to protect the group, both by providing senior members with security and by ensuring they were not pursued by Russian internal authorities."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

LockBit Ransomware and Evil Corp Members Arrested and Sanctioned in Joint Global Effort

Generative AI is being used to make cyberscams more believable. Here's how organizations can counter that using newly emerging tools and reliable methods.

Source: Tero Vesalainen via Alamy Stock Photo

COMMENTARY

As cybercriminals finesse the use of generative artificial intelligence (GenAI), deepfakes, and many other AI-infused techniques, their fraudulent content is becoming disconcertingly realistic — and that poses an immediate security challenge for individuals and businesses alike. Voice and video cloning doesn't happen only to prominent politicians or celebrities; it's defrauding individuals and businesses of significant losses that run into millions of dollars.

AI-based cyberattacks are rising. According to a study by Deep Instinct, 85% of security professionals attribute this rise to generative AI.

**The AI Fraud Problem**

Earlier this year, Hong Kong police revealed that a financial worker was tricked into transferring $25 million to criminals through a multiperson deepfake video call. While this kind of sophisticated deepfake scam is still quite rare, advances in technology mean that it's becoming easier to pull off, and the huge gains make it a potentially lucrative endeavor. Another tactic is to target specific workers by making an urgent request over the phone, masquerading as their boss. Gartner now predicts that 30% of enterprises will consider identity verification and authentication solutions "unreliable" by 2026, primarily due to AI-generated deepfakes.

A common type of attack is the fraudulent use of biometric data, an area of particular concern given the widespread use of biometrics to grant access to devices, apps, and services. In one example, a convicted fraudster in the state of Louisiana managed to use a mobile driver's license and stolen credentials to open multiple bank accounts, deposit fraudulent checks, and buy a pick-up truck. In another, IDs created without facial recognition biometrics on Aadhar, India's flagship biometric ID system, allowed criminals to open fake bank accounts.

Another kind of biometric fraud is also rapidly gaining ground. Rather than mimicking the identities of real people, as in the previous examples, cybercriminals are using biometric data to inject fake evidence into a security system. In these injection-based attacks, the attackers game the system to grant access to fake profiles. Injection-based attacks grew a staggering 200% in 2023, according to Gartner. One common type of prompt injection involves tricking customer service chatbots into revealing sensitive information or allowing attackers to take over the chatbot entirely. In these cases, there is no need for convincing deepfake footage.

CISOs can take several practical steps to minimize AI-based fraud.

**1\. Root Out Caller ID Spoofing**

In keeping with many AI-based threats, deepfakes are effective because they work in combination with other tried-and-tested scamming techniques, such as social engineering and fraudulent calls. Almost all AI-based scams, for example, involve caller ID spoofing, which is when a scammer's number is disguised as a familiar caller. That increases believability, which plays a key part in the success of these scams. Stopping caller ID spoofing effectively pulls the rug out from under the scammers.

One of the most effective methods in use is to change the ways that operators identify and handle spoofed numbers. And regulators are catching up: In Finland, Traficom has led the way with clear technical guidance to prevent caller ID spoofing, a move that is being closely watched by the EU and other regulators globally.

**2\. Use AI Analytics to Fight AI Fraud**

Increasingly, security pros are joining cybercriminals at their own game — deploying the AI tactics scammers use, only to defend against attacks. AI and machine learning (ML) models excel at detecting patterns or anomalies across vast data sets. This makes them ideal for spotting the subtle signs that a cyberattack is taking place. Phishing attempts, malware infections, or unusual network traffic could all indicate a breach.

Predictive analytics is another key AI capability that the AI community can exploit in the fight against cybercrime. Predictive AI models can predict potential vulnerabilities — or even future attack vectors — before they are exploited, enabling preemptive security measures, such as using game theory or honeypots, to divert attention from the valuable targets. Enterprises need to be able to confidently detect subtle behavior changes taking place across every facet of their networks in real time, from users and devices to infrastructure and applications.

**3\. Zone in on Data Quality**

Data quality plays a critical role in pattern recognition, anomaly detection, and other ML-based methods used to fight modern cybercrime. In AI terms, data quality is measured by accuracy, relevancy, timeliness, and comprehensiveness. While many enterprises have relied on (insecure) log files, many are now embracing telemetry data, such as network traffic intelligence from deep packet inspection (DPI) technology, because it provides the "ground truth" upon which to build effective AI defenses. In a zero-trust world, telemetry data, like the kind supplied by DPI, provides the right kind of "never trust, always verify" foundation to fight the rising tide of deepfakes.

**4\. Know Your Normal**

The volume and patterns of data across a given network are a unique signifier particular to that network, much like a fingerprint. For this reason, it is critical that enterprises develop an in-depth understanding of what their network's "normal" looks like so that they can identify and react to anomalies. Knowing their networks better than anyone else gives enterprises a formidable insider advantage. However, to exploit this defensive advantage, they must address the quality of the data feeding their AI models.

In summary, cybercriminals have been quick to exploit AI, and in particular GenAI, for increasingly realistic frauds that can be implemented at a scale previously not possible. As deepfakes and AI-based cyber threats escalate, businesses must leverage advanced data analytics to strengthen their defenses. By adopting a zero-trust model, enhancing data quality, and utilizing AI-driven predictive analytics, organizations can proactively counter these sophisticated attacks and protect their assets — and reputations — in an increasingly perilous digital landscape.

**About the Author**

Senior Industry Analyst, Enea

Laura Wilber is a Senior Industry Analyst at Enea. She supports cross-functional and cross-portfolio teams with technology and market analysis, product marketing, product strategy, and corporate development. She is also an ESG Advisor & Committee Member. Her expertise includes cybersecurity and networking in enterprise, telecom, and industrial markets, and she loves helping customers meet today's challenges while musing about what the next ten years will bring.

4 Ways to Fight AI-Based Fraud

Despite a $10 million bounty on one member, APT45 is not slowing down, pivoting from intelligence gathering to extorting funds for Kim Jong-Un's regime.

Source: Nature Picture Library via Alamy Stock Photo

A well-known North Korean advanced persistent threat (APT) has shifted its focus to targeting private companies in the US for financial gain.

Researchers at Symantec's Threat Hunter Team said this week that the state-sponsored group it tracks as "Stonefly" (aka Andariel, APT45, Silent Chollima, and Onyx Sleet) is flaunting an indictment and a $10 million bounty from the US Department of Justice (DoJ), in order to rack up more funds for the Kim Jong-Un regime.

Stonefly, which is part of North Korea's Reconnaissance General Bureau (RGB), mounted assaults on three organizations in the US in August, about a month after the DoJ moved against the group. The victims, the researchers noted, had "no obvious intelligence value," and were likely being prepped for a ransomware whammy — though the intrusions were detected before the endgame could play out.

The focus on snapping up funds is a relatively new flex for the group, Symantec researchers stressed, even though other North Korean APTs are dedicated to grifting foreign currency for the regime. Stonefly in the past targeted hospitals and other healthcare providers during the pandemic (which drew the DoJ scrutiny), and is known for going after high-value espionage targets like US Air Force bases, NASA Office of Inspector General, and government organizations in China, South Korea, and Taiwan.

"Since at least 2019, Symantec has seen its focus shift mainly to espionage operations against select, high-value targets," according to the analysis. "It appears to specialize in targeting organizations that hold classified or highly sensitive information or intellectual property … \[Stonefly had\] appeared not to be involved in financially motivated attacks."

**Look for Stonefly's IoCs to Swat Ransomware Attacks**

With Stonefly's less-targeted focus on siphoning funds from unsuspecting private companies, it pays for everyday businesses that might not normally think of themselves as APT targets to get familiar with the group's indicators of compromise (IoCs).

And there are many. While the ransomware never deployed in the August attacks, and the initial compromise path isn't clear, Stonefly still managed to smuggle in plenty of tools from its kit before being ultimately thwarted.

"In several of the attacks, Stonefly's custom malware Backdoor.Preft (aka Dtrack, Valefor) was deployed," according to Symantec's blog post. "In addition … attackers used a fake Tableau certificate documented by Microsoft in addition to two other certificates that appear to be unique to this campaign."

The toolbox also included Nukebot, which is a backdoor capable of executing commands, downloading and uploading files, and taking screenshots; Mimikatz; two different keyloggers; the Sliver open source cross-platform penetration testing framework; the PuTTY SSH client; Plink; Megatools; a utility that takes snapshots of folder structures on a hard drive and saves them as HTML files; and FastReverseProxy, which can expose local servers to the public Internet.

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

North Korea's 'Stonefly' APT Swarms US Private Co's. for Profit

The prolific Chinese APT Mustang Panda is the likely culprit behind a sophisticated cyber-espionage attack that sets up persistent remote access to victim machines.

Source: Gerry Pearce via Alamy Stock Photo

A known Chinese advanced persistent threat (APT) group known as Mustang Panda is the likely culprit behind a sophisticated, ongoing cyber-espionage campaign. It starts with a malicious email, and ultimately uses Visual Studio Code (VS Code) to distribute Python-based malware that gives attackers unauthorized and persistent remote access to infected machines.

Researchers from Cyble Research and Intelligence Lab (CRIL) discovered the campaign, which spreads an .lnk file disguised as a legitimate setup file to download a Python distribution package. In reality, it's used to run a malicious Python script. The attack relies upon the use of VS Code, which, if not present on the machine, will be deployed via the installation of the VS Code command line interface (CLI) by the attacker, the researchers noted in analysis published Oct. 2.

"The \[threat actor (TA)\] leverages a \[VS Code\] tool to initiate a remote tunnel and retrieve an activation code, which the TA can use to gain unauthorized remote access to the victim’s machine," according to the blog post about the attack. "This enables the TA to interact with the system, access files, and perform additional malicious activities," which include exfiltrating data and delivering further malware.

Related:Dragos Expands ICS Platform With New Acquisition

Though attribution for the attack is not entirely clear, the researchers found Chinese-language elements and identified tactics, techniques, and procedures (TTPs) in the attack flow that point to the Chinese APT group perhaps best known as Mustang Panda. Cyble tracks it as Stately Taurus, and it also goes by the names Bronze President, Camaro Dragon, Earth Preta, Luminous Moth, and Red Delta.

The attack starts with the execution of the .lnk file, which displays a fake “successful installation” message in Chinese while it silently downloads additional components in the background. Among those is a Python distribution package, which eventually downloads a malicious script. This is the aforementioned Python script, which once executed checks whether VS Code is already installed on the system by checking for the existence of a particular directory. If it is not found, the script then proceeds to download the VS Code command line interface (CLI) from a Microsoft source.

Eventually, this script sets up a task to ensure the persistence of its malicious activities, which include establishing a remote tunnel to give attackers access to the infected machine. When establishing the tunnel, the attackers use VS Code Remote-Tunnels, an extension typically used to connect to a remote machine, such as a desktop PC or virtual machine (VM), via a secure tunnel, according to Cyble. "This enables users to \[remotely\] access the machine from any \[VS Code\] client without the need for SSH," according to the post.

Related:Millions of Kia Vehicles Open to Remote Hacks via License Plate

The attackers also leverage another legitimate entity, the developer repository GitHub, in a strategic way to access files on the infected machine. When setting up the remote tunnel, the script automatically associates it with a GitHub account for authentication, and extracts an activation code to enable further malicious activity later in the attack.

The malware also extracts a list of processes currently running on the victim’s machine and sends them directly to the command-and-control (C2) server, and goes on to gather further sensitive data, such as the system’s language settings, geographical location, computer name, user name, user domain, and details about user privileges. It also collects the names of folders from several directories.

After the attackers receive the exfiltrated data, they can log in for remote access to the device using a GitHub account. "Here, the TA can enter the exfiltrated alphanumeric activation code to gain unauthorized access to the victim’s machine," according to Cyble.

Related:Pwn2Own Auto Offers $500K for Tesla Hacks

"This degree of access not only enables them to browse through the victims’ files but also enables them to execute commands through the terminal," according to the post. "With this control, the TA can perform a variety of actions, such as installing malware, extracting sensitive information, or altering system settings, potentially leading to further exploitation of the victim’s system and data."

**APT Defense Requires Cyber Vigilance**

At the time Cyble published the research, the malicious Python script deployed by the attack had no detections on VirusTotal, which makes it difficult for defenders to detect it through standard security tools, the researchers noted.

To mitigate these kinds of attacks by sophisticated APTs like Mustang Panda, Cyble recommends that organizations use advanced endpoint protection solutions that include behavioral analysis and machine-learning capabilities to detect and block suspicious activities, even those involving legitimate applications like VS Code. Defenders also should review scheduled tasks on all systems regularly to identify unauthorized or unusual entries, which can help detect persistence mechanisms established by threat actors.

Other mitigation activities include setting up training sessions to educate users about the risks of opening suspicious files or links, particularly those related to .lnk files and unknown sources. Organizations also as a general rule should limit user permissions to install software, particularly for tools that can be exploited, like VS Code, as well as use application whitelisting to control which applications can be installed and run on systems.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Python-Based Malware Slithers Into Systems via Legit VS Code

Pig Butchering scam targets crypto users with fake trading apps on Apple and Google Play Stores. Disguised as…

Pig Butchering scam targets crypto users with fake trading apps on Apple and Google Play Stores. Disguised as legitimate platforms, these apps defraud investors, bypassing store checks and exploiting unsuspecting users globally.

A fraud campaign targeting **Apple iOS and Android users** has been discovered by GroupIB, involving fake trading apps. These apps, found on Apple’s App Store and Google Play, and on phishing sites, are part of a Pig Butchering scam targeting cryptocurrency investors in Asia-Pacific, Middle East & Africa, and European regions.

Group-IB’s Threat Intelligence, and Fraud Protection analysts first discovered these fake mobile applications in May 2024 and have been investigating the campaign ever since.

According to their **report** shared with Hackread.com ahead of publishing on Wednesday, these applications were developed for Android using a single cross-platform framework. One was distributed through the Google Play store, while another targeted iOS devices.

What’s worse, unlike traditional mobile trojans, these applications had no typical malicious features and cybercriminals have created a facade of a legitimate trading platform to defraud victims.

The fraudulent apps check the current date and time to bypass Apple’s App Store checks, launching a fake activity with mathematical formulas and graphics if it is earlier than 22 July 2024, 00:00:00. Android samples were designed to display a fraudulent trading application hosted on the api.fxbrokerscc domain, part of a larger fraudulent infrastructure.

According to researchers, these fake trading apps and downloader apps mimic legitimate platforms and may include features like account settings, transaction history, and stock information. Downloader apps, found in the Apple App Store or distributed through phishing websites, prompt victims to install the fraudulent app.

Fake app on Apple Store (left) – Fake app on Google Play Store (Screenshot: Ground-IB)

The malware family used in the pig butchering scam is **UniShadowTrade**, classified under the UniApp Framework. This name is given by Group-IB analysts to categorize the fraudulent applications involved in the scam. For your information, the UniApp framework enables developers to create cross-platform applications with a single codebase, making it easier for scammers to develop and distribute malware.

****What Exactly is Pig Butchering?****

For your information, **Pig butchering** is a notorious digital scam that involves a meticulous process of grooming victims, building trust, and ultimately defrauding them of their money.

This particular campaign follows a specific pattern: target identification through social media, grooming and trust-building through social engineering techniques, offering a seemingly lucrative investment opportunity in cryptocurrency or other investments, encouraging a small initial investment, and building confidence through small profits.

Scammers pressure victims into making large investments, transfer funds they cannot withdraw, and disappear. This process continues until the victim is unable to withdraw the funds, causing significant financial loss and affecting their financial stability.

Nevertheless, scams Pig butchering can have devastating consequences for victims. Understanding scammers’ tactics and taking proactive measures can reduce the risk of falling victim to such fraud.

****Alert for Android and iOS users****

It is a fact that Google, which owns Android, and Apple, which owns the iOS App Store, try their best to keep the marketplace safe from malware and other cybersecurity threats. Despite constant monitoring, cybercriminals often slip into these stores with malicious apps, draining the bank accounts and crypto wallets of unsuspecting users.

Just last week, **Google approved** a crypto drainer app on the Play Store that stole over $70,000 from Android users. On the other hand, **in February 2024**, Apple approved a fake LastPass Password Manager app on its iOS App Store. The same month, Apple approved a **fake Rabby Wallet app** that stole millions from unsuspecting users.

Therefore, be extra careful when downloading an app from any of these stores. Check their reviews, search for the official app on Google, find their social media platforms, and confirm whether the app advertised on app stores is legitimate or not.

1.  **Phishing Scam Hits European Bank Users on iOS and Android**
2.  **Scylla Ad Fraud on iOS, Android Users Halted by Apple, Google**
3.  **Pink Drainer Posed as Journalists, Stole $3M from Twitter Users**
4.  **Hackers Posed as Google Support to Steal $243 Million in Crypto**
5.  **Apple mistakenly approved malware masked as Adobe Flash Player**

Pig Butchering: Fake Trading Apps Target Crypto on Apple, Google Play Stores

Organizations looking to maximize their security posture will find AI a valuable complement to existing people, systems, and processes.

Source: marcos alvarado via Alamy Stock Photo

COMMENTARY

The global rise of increasingly sophisticated cybercrimes creates daily challenges for the cybersecurity industry, as security professionals grapple with new and evolving attacks, complex IT architecture, and the integration of artificial intelligence (AI) into nefarious actors' tactics, techniques, and procedures (TTPs). As a result, cybersecurity practitioners feel a sense of urgency to stay at the forefront of technological advances to defend against a growing arsenal of exploits.

In this environment, a methodical approach to the intentional use of AI for cybersecurity protocols will help avoid falling prey to the hype and myths of groupthink, such as these five myths of AI and cybersecurity: 

**1\. You'll fall behind if AI isn't your primary solution for cybersecurity.**

While AI can enhance cybersecurity tasks by analyzing large volumes of data to recognize nefarious identifying patterns, it can also be susceptible to false positives and negatives, be trained on bad data, or act in unexpected ways. Many common cyber threats can still be effectively mitigated through basic security practices like strong passwords, regular patching, and employee awareness about social engineering. Incorporating AI into security solutions is not a license to abandon proven tools and replace established best practices. Sophisticated attackers will find ways to evade AI-based detection, so adopting AI cannot be the only solution for security and defense. Time-tested security practices like organizational culture, leadership commitment, and employee training are still critical fundamentals of a robust organizational risk management practice. 

**2\. Threat actors are using AI, which will lead to an exponential increase in cyberattacks.**

AI is undoubtedly a powerful tool that can be used for both good and bad — it's not a guaranteed game-changer for threat actors. The cybersecurity landscape is a dynamic battleground, and the interplay between AI-powered attacks and defenses is complex. AI may increase the speed and sophistication of certain attacks, such as better phishing attempts; however, it has not fundamentally changed the attack vectors or the attack surface within organizations. A mature security posture using foundational defensive practices continues to be a sound approach to reducing risk and thwarting attacks. 

**3\. AI-powered tools are better, and every tool needs an AI feature.**

AI-aided tools can provide powerful additions to a defensive infrastructure with quicker, more comprehensive data discovery. Left unchecked, AI is capable of producing sometimes comical but altogether bad results, such as the Google Overview suggestion of adding glue to homemade pizza sauce, or the McDonald's AI drive-through putting bacon on ice cream. In cybersecurity, erroneous results have serious consequences, including loss of trust, excessive costs, and endangering human safety. The potential benefit of any AI-powered resource must be balanced against the potential cost of error. The safest use of AI is within a layered defense model, which allows for verification and redundancy in protective solutions. 

**4\. You can only combat AI with AI.**

AI is a valuable tool in the cybersecurity quiver, but it's not impenetrable. Like any other defensive technique, attackers can exploit vulnerabilities in AI models or develop exploits to bypass AI defenses. Combating AI threats requires a multilayered approach that combines AI with human expertise, traditional security measures, and a strong focus on prevention, detection, and response. Using AI to combat AI may also raise ethical and legal concerns, particularly around issues like autonomous decision-making, accountability, and potential for misuse. These concerns must be carefully considered before implementation, to ensure responsible, ethical use of AI in cybersecurity. By leveraging the strengths of both humans and AI, organizations can build a more resilient and effective cybersecurity posture. 

**5\. AI is going to replace your job.**

Companies who are hiring fewer entry-level people for cybersecurity roles are not doing so because AI has eliminated those jobs; rather, they are limited by shrinking budgets and a need to hire people who can make an immediate impact when they come onboard. AI excels at automating repetitive tasks, analyzing vast amounts of data and identifying patterns, but human intuition and judgment is still needed to interpret those insights, make critical decisions, and adapt strategies to combat evolving threats. At its best, AI allows humans to focus on creative and strategic thinking to deliver complex problem-solving. The prominence of AI has created new jobs like AI engineers and AI ethicists to manage AI systems. AI-related roles, along with roles in cybersecurity, will continue to emerge and evolve. AI won't replace people, but people who know how to work with AI may replace people who don't. 

Effective cybersecurity requires a multilayered approach that combines technology, processes, and people. Solely relying on AI for cybersecurity can create a false sense of security, and AI-based cybersecurity solutions can be costly and complex. While AI is transforming the workforce, it's unlikely to lead to widespread job displacement. Instead, it likely will change the nature of work and require adaptation and development of new skills.

Progressive companies will see the value of investing in training programs and implementing policies that support workforce transition. Organizations looking to maximize their security posture with enhanced value, productivity, creativity, and innovation will find AI a valuable complement to existing people, systems, and processes.  

**About the Authors**

Senior Vice President & Executive Dean, Western Governors University

Paul Bingham is the senior vice president and executive dean at Western Governors University’s School of Technology, which currently serves 60,000 students nationwide and is the top conferrer of cybersecurity degrees in the country. Prior to WGU, Paul spent 24 years as an FBI agent, leading and managing domestic and international cybersecurity investigations and FBI SWAT teams on over 100 high-risk tactical missions. 

SIEM & Data Analytics Engineer, H2L Solutions Inc.

Micah VanFossen is a cybersecurity engineer currently working as a SIEM & Data Analytics Engineer at H2L Solutions Inc., where he focuses on data ETL (enrich, transform, load) processes, detections, and data analysis. He is a lifelong learner, spending time researching, studying, and educating others through his blog, The Purple Van. Micah is also a member of the SIII Tiger Team for the US Cyber Games Program and holds an MS in cybersecurity and information assurance from WGU.

Top 5 Myths of AI &amp; Cybersecurity

Improvements in cybersecurity and basics like patching aren't keeping pace with the manufacturing sector's rapid growth.

Source: Robert Evans via Alamy Stock Photo

In the past year, the manufacturing industry has been the top target for ransomware groups, due to the sector's lack of technological advancement, even as its digital footprint continues to grow.

According to a study released by Black Kite, the manufacturing sector accounts for 21% of ransomware attacks and places manufacturing entities at a significantly high risk, making them more than three times as likely to suffer a ransomware attack.

Not just this, but out of the 5,000 companies that were examined, 80% of manufacturing companies have "critical" CVSS-rated vulnerabilities, 67% of which are already listed in the Known Exploited Vulnerabilities (KEV) catalog maintained by the Cybersecurity and Infrastructure Agency (CISA). 

"The manufacturing industry stands at a critical juncture, where the stakes of third-party risk have never been higher," the Black Kite researchers wrote. "The rapid pace of digital transformation has opened new avenues for efficiency and innovation but has also introduced significant vulnerabilities."

The threat actors are aware of the weak links that have opened up due to the industry's rapid growth and are aware that "these companies play critical roles within global supply chains."

When one operation or company in the chain gets attacked, it can lead to a domino effect and "cascading operational disruption and financial and reputational damage." In short — when threat actors target both manufacturing and supply chains, they get more bang for their buck if they succeed.

**Manufacturing a New Defense**

So, what can enterprises that are more likely to fall victim to an attack do to prevent the worst from happening?

First, organizations must recognize that though many systems will be affected when updated, that doesn't justify allowing systems to become exposed on the Internet. 

"Patch management is the first line of defense, yet it's widely neglected in this industry," Ferhat Dikbiyik, chief research and intelligence officer at Black Kite, tells Dark Reading. With a majority of these organizations having Internet-facing assets that are likely rife with vulnerabilities, Dikbiyik says this is low-hanging fruit for threat actors and must be addressed as quickly as possible.

In addition, organizations must address exposed credentials and better secure their Web applications to prevent becoming the next ransomware statistic, he adds.

"Cybersecurity doesn't have to be a barrier to innovation — it can be a growth enabler," Dikbiyik says. "With the right cyber defenses in place, manufacturers can protect their expanding digital operations while continuing to grow without sacrificing safety."

Tag

#intel