Group-IB has uncovered Lazarus group’s stealthy new trojan and technique of hiding malicious code in extended attributes on…

Group-IB has uncovered Lazarus group’s stealthy new trojan and technique of hiding malicious code in extended attributes on macOS. Learn how this advanced persistent threat (APT) is evading detection and the steps you can take to protect yourself.   

Cybersecurity researchers at Group-IB report that the North Korean state-backed **APT Lazarus group**, is now deploying a new macOS trojan called “RustyAttr.” This malware, along with a new evasion technique, lets Lazarus carry out its operations while remaining undetected.

Since May 2024, the Lazarus Group has been employing a technique that hides malicious code within the extended attributes (EAs) of files on macOS systems, utilizing the RustyAttr trojan. Extended attributes are hidden data containers attached to files, enabling the storage of additional information beyond standard attributes such as size or creation date.

This method is particularly tricky because these attributes are invisible by default in applications like Finder or Terminal. However, using the .xattr command, attackers can easily access and exploit this hidden data.

In 2020, **Bundlore adware** used a similar technique to hide its payload in resource forks which stored structured data on older macOS systems, researchers noted in the **blog post** shared with Hackread.com.

The possible attack scenario involves a legitimate-looking malicious application, built using the Tauri framework. It displays **fake PDF files** related to job opportunities or cryptocurrency, a theme consistent with Lazarus. 

For your information, the Tauri framework is a web-based tool for creating lightweight desktop applications, enabling developers to use HTML, CSS, JavaScript, and Rust for front and backend, respectively, to execute malicious scripts.

The shell scripts reveal two types of decoys: one fetches a PDF file from a file hosting service, containing questions related to game project development and funding, and the other displays a dialogue stating that the app does not support the specified version, while a web request to the staging server processes in the background. The malicious script is hidden within a custom extended attribute named “test”. 

The application leverages a JavaScript file named “preload.js” to interact with the hidden script. This JavaScript code, using **Tauri’s functionalities**, retrieves the script from the extended attribute and executes it. 

Example of one of the malicious PDF files pushing a fake job advert (Via Group-IB)

“Interestingly, the next behaviour is as follows – if the attribute exists, no user interface will be shown whereas, if the attribute is absent, the fake webpage will be shown,” the researchers revealed.

The malicious components are hidden within the extended attributes, making them invisible to antivirus scanners. The applications were initially signed with a leaked certificate (revoked by Apple now) but remained unnotarized, bypassing another layer of possible detection.

While the researchers haven’t identified any confirmed victims yet, they believe Lazarus might be experimenting with this technique for future attacks. This discovery is important because it’s a completely new tactic, not yet documented in the MITRE ATT&CK framework, a standard reference for attack techniques.

The Lazarus group’s sophistication and continuous expansion of tactics show their efforts to evade detection and compromise systems. To stay safe, verify the source and legitimacy of files before downloading or executing them, and avoid downloading harmless content like PDFs without checking even if it appears legitimate.

Keep **macOS Gatekeeper** on as it prevents the execution of untrusted applications. Lastly, utilize advanced threat intelligence solutions to remain aware of emerging threats and develop effective protection strategies.

1.  **Fake North Korean IT Workers Infiltrate Western Firms**
2.  **North Korean Hackers Team Up with Play Ransomware**
3.  **N Korean hackers stole $1.7 billion from crypto exchanges**
4.  **North Korean Hackers Drop Linux Malware for ATM Cashouts**
5.  **SnatchCrypto attack hits DeFi, Blockchain Firms with backdoor**

Lazarus Group Targets macOS with RustyAttr Trojan in Fake Job PDFs

Less-experienced users of Microsoft's website building platform may not understand all the implications of the access controls in its low- or no-code environment.

Source: IB Photography via Alamy Stock Photo

Untold millions of sensitive records and personal data are exposed on the open Web right now, thanks to missing or misconfigured access controls in websites built with Microsoft Power Pages.

Power Pages, born in 2022 from PowerApps Portals, is Microsoft's low-code website building platform. It is commonly used to design externally facing sites, such as portals for employees and retailers, or event registration or management sites. Back when it was released to the general public, Microsoft bragged that it already served more than 100 million monthly active website users, in industries as diverse as high tech and healthcare, education, finance, manufacturing, and government.

Alongside its suite of easy, drag-and-drop tools and features, Power Pages comes fitted with role-based access controls, which developers can use to define the data any given user can access. But as Aaron Costello, chief of software-as-a-service (SaaS) security research at AppOmni, recently discovered, many sites simply aren't implementing these controls correctly, if at all.

The result: Vast swaths of sensitive information, from sites around the Web, are available right now to anyone who cares to look for it.

**Misconfigured Power Pages**

Power Pages sites use Microsoft's cloud-based relational database, Dataverse, to store structured data. To protect that data, developers can call upon a variety of access controls.

First and most obvious are site-level settings, which define whether and how users need to authenticate and register accounts on a site.

The next tier down is table-level controls. With these, site administrators can define which kinds of users can perform what actions on what data.

The most granular of Power Pages access controls apply at the level of Dataverse columns. One notable tool Power Pages offers at this level is "masking," where site admins can obfuscate certain categories of data, like the first five digits of Social Security numbers listed in a given column.

The problem is that admins aren't always making use of these three rungs of access controls, if any at all. As a result, accessing the data on their sites is "very, very trivial," Costello says. "Once you understand \[what's going on\], it's just a matter of going to these URLs."

"Typically what happens is that instead of granting someone the ability to view their own data, they've actually granted them the ability to view all data. As a result, excessive amounts of information — often sensitive — is exposed to each user," he explains.

Some sites grant even anonymous users "global access" to read data from tables, for example, and not one website Costello probed in his research implemented any sort of column-level security. Other sites restrict certain data to authenticated users, but undermine that protection by allowing anyone from the Web to register and authenticate themselves.

Costello only probed websites hosted by organizations with cybersecurity disclosure policies — those which might be more amenable to hearing about their lacking security postures. Even with that limitation, he ultimately discovered 5 million to 7 million exposed records from a wide array of Power Pages websites.

One large business service provider, for example, leaked personal information belonging to 1.1 million employees of the UK's National Health Service (NHS). The data included employees' telephone numbers, email addresses, home addresses, and more.

**An Industrywide Issue**

As Costello is quick to point out, "In previous research, I discussed the exact same kind of issue in other popular SaaS platforms, such as Salesforce, ServiceNow, and NetSuite. And those are all platforms that have different use cases. I wouldn't say that this is by any means a unique problem to Power Pages. What this comes down to isn't the product itself, but more so a misunderstanding of its access controls."

When it comes to warning users about landmines, Power Pages does quite well. "When you do misconfigure data to be accessible by anyone, you get warning banners popping up on your page in a variety of different places, Costello adds. "So Microsoft really does their best to make organizations aware of what they're doing is dangerous. However, organizations are choosing to ignore the warning signs."

Besides negligence, the frequency of Power Pages misconfigurations might theoretically be explained by the demographics of its audience. By their nature, low- and no-code platforms are more attractive to less technical users, who may be less well-versed in matters of cybersecurity.

"If you're someone who is not technical, and you're just dragging and dropping buttons and forms to design a page, you may not be the type of person who has an understanding of what access controls are even necessary," Costello posits. Or, perhaps, the ease of designing a low- or no-code site might ease the more careful, analytical parts of one's brain. "Low-code platforms do typically lend a false sense of security," he says.

Dark Reading has reached out to Microsoft for comment on this story.

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 a.m. ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Microsoft Power Pages Leak Millions of Private Records

Experts expect Donald Trump’s next administration to relax cybersecurity rules on businesses, abandon concerns around human rights, and take an aggressive stance against the cyber armies of US adversaries.

For American companies grousing about new cybersecurity rules, spyware firms eager to expand their global business, and hackers trying to break AI systems, Donald Trump’s second term as president will be a breath of fresh air.

For nearly four years, president Joe Biden’s administration has tried to make powerful US tech firms and infrastructure operators more responsible for the nation’s cybersecurity posture, as well as restrict the spread of spyware, apply guardrails to AI, and combat online misinformation. But when Trump takes office in January, he will almost certainly eliminate or significantly curtail those programs in favor of cyber strategies that benefit business interests, downplay human-rights concerns, and emphasize aggressive offense against the cyber armies of Russia, China, Iran, and North Korea.

“There will be a national security focus, with a strong emphasis on protecting critical infrastructure, government networks, and key industries from cyber threats,” says Brian Harrell, who served as the Cybersecurity and Infrastructure Security Agency’s assistant director for infrastructure security during Trump’s first term.

From projects whose days are numbered to areas where Trump will go further than Biden, here is what a second Trump administration will likely mean for US cybersecurity policy.

**Full Reversal**

The incoming Trump administration is likely to scrap Biden’s ambitious effort to impose cyber regulations on sectors of US infrastructure that currently lack meaningful digital-security safeguards. That effort has borne fruit with railroads, pipelines, and aviation but has hit hurdles in sectors like water and health care.

Despite mounting cyberattacks targeting vital systems—and despite this year’s Republican Party platform promising to “raise the security standards for our critical systems and networks”—conservatives are unlikely to support new regulatory mandates on infrastructure operators.

There will be “no more regulation without explicit congressional authorization,” says James Lewis, senior vice president and director of the Strategic Technologies Program at the Center for Strategic and International Studies.

Harrell says “more regulation will be dismantled than introduced.” Biden’s presidency was “riddled with new cyber regulation” that sometimes confused and overburdened industry, he adds. “The new White House will be looking to reduce regulatory burdens while streamlining smart compliance.”

This approach may not last, according to a US cyber official who requested anonymity to discuss politically sensitive issues. “I think they’ll eventually recognize that the efforts focused on regulation in cyber are needed to ensure the security of our critical infrastructure.”

“Regulation is the only tool that works,” Lewis says.

Some Biden cyber rules might be overturned in court, now that the Supreme Court has eliminated the deference that judges previously gave to agencies in disputes over their regulations. John Miller, senior vice president of policy at the Information Technology Industry Council, a major tech trade group, says it’s also possible that Trump officials “might not wait for the courts” to void those rules.

Mark Montgomery, senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies, predicts that the Trump administration will emphasize cooperation and incentives in its efforts to protect vulnerable industries. He points to a House GOP plan for water cybersecurity standards as an example.

Trump’s election also likely spells doom for CISA’s work to counter mis- and disinformation, especially around elections. After Trump lost the 2020 election, he fired CISA’s first director for debunking right-wing election conspiracy theories, and the conservative backlash to anti-misinformation work has only grown since then.

In 2022, Trump outlined a “free speech policy initiative” to “break up the entire toxic censorship industry that has arisen under the false guise of tackling so-called ‘mis-’ and ‘dis-information.’” Elon Musk, the billionaire owner of Tesla, SpaceX, and X whom Trump has tapped to colead a “government efficiency” initiative, enthusiastically shared the plan last week.

CISA has already dramatically scaled back its efforts to combat online falsehoods following a right-wing pressure campaign, but Trump appointees are almost certain to smother what remains of that mission. “Disinformation efforts will be eliminated,” Montgomery predicts.

Harrell agrees that Trump would “refocus” CISA on core cyber initiatives, saying the agency’s “priorities have mistakenly bordered on social issues lately.”

Also likely on the chopping block: elements of Biden’s artificial intelligence safety agenda that focus on AI’s social harms, like bias and discrimination, as well as Biden’s requirement for large AI developers to report to the government about their model training.

“I expect the repeal of Biden’s executive order on AI, specifically because of its references to AI regulation,” says Nick Reese, a director of emerging technology policy at the Department of Homeland Security under Trump and Biden. “We should expect a change in direction toward less regulation, which would mean less compulsory AI safety measures.”

Trump is also unlikely to continue the Biden administration’s campaign to limit the proliferation of commercial spyware technologies, which authoritarian governments have used to harass journalists, civil-rights protesters, and opposition politicians. Trump and his allies maintain close political and financial ties with two of the most prolific users of commercial spyware tools, Saudi Arabia and the United Arab Emirates, and he showed little concern about those governments’ human-rights abuses in his first term.

“There’s a high probability that we see big rollbacks on spyware policy,” says Steven Feldstein, a senior fellow in the Carnegie Endowment for International Peace’s Democracy, Conflict, and Governance Program. Trump officials are likely to care more about spyware makers’ counterterrorism arguments than about digital-rights advocates’ criticisms of those tools.

Spyware companies “will undoubtedly receive a more favorable audience under Trump,” Feldstein says—especially market leader NSO Group, which is closely affiliated with the Trump-aligned Israeli government.

**Dubious Prospects**

Other Biden cyber initiatives are also in jeopardy, even if their fates are not as clear.

Biden’s National Cybersecurity Strategy emphasized the need for greater corporate responsibility, arguing that well-resourced tech firms must do more to prevent hackers from abusing their products in devastating cyberattacks. Over the past few years, CISA launched a messaging campaign to encourage companies to make their products “secure by design,” the Justice Department created a Civil Cyber-Fraud Initiative to prosecute contractors that mislead the government about their security practices, and White House officials began considering proposals to make software vendors liable for damaging vulnerabilities.

That corporate-accountability push is unlikely to receive strong support from the incoming Trump administration, which is almost certain to be stocked with former business leaders hostile to government pressure.

Henry Young, senior director of policy at the software trade group BSA, predicts that the secure-by-design campaign will “evolve to more realistically balance the responsibilities of governments, businesses, and customers, and hopefully eschew finger pointing in favor of collaborative efforts to continue to improve security and resilience.”

A Democratic administration might have used the secure-by-design push as a springboard to new corporate regulations. Under Trump, secure-by-design will remain at most a rhetorical slogan. “Turning it into something more tangible will be the challenge,” the US cyber official says.

**Chipping Away at the Edges**

One landmark cyber program can’t easily be scrapped under a second Trump administration but could still be dramatically transformed.

In 2022, Congress passed a law requiring CISA to create cyber incident reporting regulations for critical infrastructure operators. CISA released the text of the proposed regulations in April, sparking an immediate backlash from industry groups that said it went too far. Corporate America warned that CISA was asking too many companies for too much information about too many incidents.

Trump’s election could throw a wrench in CISA’s ambitious incident-reporting plans. New appointees at the White House, DHS, and CISA itself could force agency staff to rewrite the rules to be more industry-friendly, exempting entire swaths of critical infrastructure or eliminating requirements for companies to report certain data. Trump’s team has months to revise the final rule before its required publication in late 2025.

BSA’s Young expects Trump’s team to scale back the regulations, which he says “take a very broad view of the authority CISA believes Congress granted it.”

The current rule is “particularly vulnerable to a court challenge” because it exceeds Congress’s intent, ITI’s Miller warns, and Trump’s team “may direct CISA to scale it back” if the agency doesn’t “proceed cautiously” on its own.

**New Urgency**

One area where Trump might pick up the baton from the Biden administration is the government’s use of military hacking operations and its response to foreign adversaries’ cyberattacks.

Under Biden, the military’s US Cyber Command has scaled up its overseas hacker-hunting engagements with allies. But Republicans have pressed Biden to respond more muscularly to Chinese, Russian, and Iranian hacks, and Trump is likely to embrace that approach—particularly after picking representative Mike Waltz, an advocate for cyberattacks on Russia, North Korea, and Mexican cartels, as his national security adviser.

“A much more aggressive stance will be taken against China, which is sorely needed,” Harrell says, predicting that Chinese hackers penetrating US critical infrastructure “will be held to account.”

Montgomery agrees that Trump may “adopt a more aggressive approach” to national cyber defense, including giving the National Guard “a more significant role” in protecting domestic infrastructure.

Montgomery also says he expects more frequent and more muscular offensive operations by Cyber Command, which Trump elevated to a full combatant command during his first term. He predicts the Trump administration will “look more favorably” on creating a separate military cyber service, which the Biden administration opposed, and “take a more skeptical view” of the joint leadership of Cyber Command and the National Security Agency, which the Biden administration supported.

Trump could also harness other tools to constrain China, including authorities he created during his first term to block the use of risky technology in the US. “The Trump administration will look at the full set of policy levers when deciding how to push back on China in cyberspace,” says Kevin Allison, a consultant on geopolitics and technology.

More Spyware, Fewer Rules: What Trump’s Return Means for US Cybersecurity

APT Wirte is doing double duty, adding all manner of supplemental malware to gain access, eavesdrop, and wipe data, depending on the target.

Source: Christophe Coat via Alamy Stock Photo

A longstanding threat actor affiliated with Hamas has been conducting espionage against governments across the Middle East and destructive wiper attacks in Israel.

"Wirte" is a 6 1/2-year-old advanced persistent threat (APT) working to support Hamas' political agenda. Check Point Research identifies it as a subgroup of the Gaza Cybergang (aka Molerats), which is also thought to overlap with TA402.

In recent weeks and months, Wirte has leveraged the Gaza war to spread phishing attacks against government entities spread across the region. It has also been carrying out wiper attacks in Israel. "It shows that Hamas still has cyber capabilities, even with the ongoing war," says Sergey Shykevich, threat intelligence group manager at Check Point.

**Wirte's Spying and Wiping Attacks**

Wirte attacks are not particularly unique or sophisticated. A PDF in an email might contain a link directing targets to a file for download, named in some way to lend it legitimacy (e.g., "Beirut — Developments of the War in Lebanon 2"). The file will contain a lure document, one or more legitimate executables, and the malware.

To upgrade this infection chain, Wirte has sometimes made use of the IronWind loader, starting in October 2023. IronWind uses a complex, multistage infection chain to drop malware, with the goal of frustrating analysis. It employs geofencing, and reflective loaders that run code directly in memory, rather than on the disk, where it might otherwise be spotted by antivirus software.

In an espionage-focused attack, the end of this chain might bring the open source penetration testing framework "Havoc." Havoc enables persistent access to a compromised machine, useful for establishing remote control, performing lateral movement, stealing data, and more.

In February and October 2024, by contrast, Wirte campaigns climaxed with the deployment of a wiper called "SameCoin."

Last month, Wirte puppetted the email address of a legitimate Israeli reseller of ESET software. Its lure message — sent to hospitals, municipal governments, and others — warned recipients that "Government-based attackers may be trying to compromise your device!" and included a download link. The link first tried to connect to the website for Israel's Home Front Command, a wing of the Israel Defense Forces (IDF) responsible for protecting civilians. Its site is accessible only to those within Israel, so if the redirection succeeded, the attack would proceed.

Next, a downloaded zip file dropped and decrypted a pro-Hamas wallpaper JPG, a propaganda video, a tool designed to enable lateral movement within targeted networks, and the SameCoin wiper.

Still image from a political video spread in the SameCoin campaign; Source: @NicoleFishi19 on X

**What Wirte Wants**

Wirte spying has crossed into Egypt and Saudi Arabia, but its favored targets appear to be from Jordan and the Palestinian Authority (PA), the government entity that oversees parts of the West Bank and is controlled by Fatah, Hamas's primary political rival within Palestine. For the most part, this has remained consistent in its half-dozen-year history.

Wirte has evolved somewhat is in its approach to Israel. And in this way, it has also mirrored other Palestinian threat actors.

"Before the war, it was focused mostly on espionage, and stealthy persistence in networks," Shykevich explains. This is in stark contrast to its latest wave of loud wiper attacks, for example, which were timed to begin on Oct. 7, the one-year anniversary of Hamas's Operation Al-Aqsa Flood, the terror attack that killed more than 1,000 Israelis and led to the capture of nearly 250 more.

"Now, it has become more and more about making \[breaches\] public, showing the data, the destruction. The focus is more and more on hack-and-leak operations, and how they can use cyber capabilities to try to shape a narrative."

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 a.m. ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Hamas Hackers Spy on Mideast Gov'ts, Disrupt Israel

PRESS RELEASE

WATERLOO, ON, Oct. 31, 2024 /PRNewswire/ -- OpenText (NASDAQ: OTEX), (TSX: OTEX), has revealed its highly anticipated "Nastiest Malware of 2024" list, spotlighting the year's most notorious cyber threats. Now in its seventh year, OpenText's cybersecurity experts have identified the most relentless and adaptive malware trends impacting industries worldwide. This year, ransomware aimed at critical infrastructure takes center stage, highlighting an urgent call for reinforced security to protect vital services. In response, organizations are projected to increase their cybersecurity investments by 14.3% in 2024, reaching more than $215 billion.

Once again, ransomware group LockBit secures the #1 spot as the nastiest malware of the year. Known for its resilience and relentless pursuit of critical targets, LockBit has successfully dodged multiple law enforcement crackdowns. According to the FBI's 2023 2023 Internet Crime report, LockBit was reported in 175 attacks on critical infrastructure, underscoring its staying power and adaptability. The ongoing standoff between the FBI and LockBit shows the gritty persistence of today's ransomware market and its growing sophistication. For several months now, the battle for dominance between the FBI and LockBit has highlighted the persistence of the ransomware market and how as technology evolves these threats continually lurk in the shadows.    

"Ransomware attacks on critical infrastructure are on the rise, and cybercriminals are increasingly using artificial intelligence to develop highly personalized threats, which significantly endangers national security and public safety," said Muhi Majzoub, EVP and Chief Product Officer, OpenText. "However, the increased attention on ransomware and cybersecurity is encouraging, as more organizations are proactively prioritizing cybersecurity investments. This commitment highlights their dedication to safeguarding essential services from evolving threats." The 2024 list showcases how adaptive and innovative each ransomware is, but also how well these threats push boundaries. With their malicious capabilities and evasiveness, these cybercriminals continue to find new ways to surpass our darkest expectations.

2024's Nastiest Malware Hall of Infamy: 

1.  LockBit: This ransomware-as-a-service (RaaS) heavyweight leads the pack again, unfazed by FBI efforts to take it down. LockBit's aim? Target one million businesses before calling it quits, solidifying its spot as a top ransomware menace in 2024.
    
2.  Akira: A fresh and ferocious entry, Akira brings a splash of '80s aesthetics to the dark web, quickly climbing the ranks with ruthless encryption tactics and swift deployment. It's especially active in healthcare, manufacturing, and finance, cementing itself as a go-to Ransomware-as-a-Service (RaaS) model for affiliates.
    
3.  RansomHub: Rumored to be a descendant of the Black Cat (ALPHV) group, RansomHub burst onto the scene targeting high-profile organizations. After attacking Planned Parenthood, this group made headlines by stealing and ransoming sensitive patient data, threatening public exposure.
    
4.  Dark Angels: Known for its laser-focused, high-impact attacks on top-tier targets, Dark Angels doesn't hold back. Using advanced infiltration methods, they've secured ransom payments as high as $75 million, leaving their mark on one of the year's biggest Fortune 50 attacks.
    
5.  Redline: Not ransomware but still formidable, Redline Stealer specializes in stealing credentials and sensitive information with skillful evasion tactics, making it a persistent headache across various sectors.
    
6.  Play Ransomware: Making waves with high-profile attacks, Play Ransomware is as versatile as it is relentless. From targeting public and private sectors to exploiting FortiOS vulnerabilities and RDP servers, this group keeps victims on their toes with ever-evolving techniques.
    

Want the full rundown? Visit the OpenText Cybersecurity Community, view the infographic, and join us for our "Nastiest Malware Webinar" to dive deeper into this year's findings and stay ahead of emerging threats!

About OpenText Cybersecurity  
OpenText Cybersecurity provides comprehensive security solutions for companies and partners of all sizes. From prevention, detection and response to recovery, investigation and compliance, our unified/end-to-end platform helps customers build cyber resilience via a holistic security portfolio. Powered by actionable insights from our real-time and contextual threat intelligence, OpenText Cybersecurity customers benefit from high-efficacy products, compliant experience and simplified security to help manage business risk.

About OpenText   
OpenText™ is the leading Information Management software and services company in the world.  We help organizations solve complex global problems with a comprehensive suite of Business Clouds, Business AI, and Business Technology.  For more information about OpenText (NASDAQ/TSX: OTEX), please visit us at www.opentext.com.

Connect with us:

OpenText CEO Mark Barrenechea's blog  
Twitter | LinkedIn 

Certain statements in this press release may contain words considered forward-looking statements or information under applicable securities laws. These statements are based on OpenText's current expectations, estimates, forecasts and projections about the operating environment, economies, and markets in which the company operates. These statements are subject to important assumptions, risks and uncertainties that are difficult to predict, and the actual outcome may be materially different. OpenText's assumptions, although considered reasonable by the company at the date of this press release, may prove to be inaccurate and consequently its actual results could differ materially from the expectations set out herein. For additional information with respect to risks and other factors which could occur, see OpenText's Annual Report on Form 10-K, Quarterly Reports on Form 10-Q and other securities filings with the SEC and other securities regulators. Readers are cautioned not to place undue reliance upon any such forward-looking statements, which speak only as of the date made. Unless otherwise required by applicable securities laws, OpenText disclaims any intention or obligations to update or revise any forward-looking statements, whether as a result of new information, future events or otherwise. Further, readers should note that we may announce information using our website, press releases, securities law filings, public conference calls, webcasts and the social media channels identified on the Investors section of our website (https://investors.opentext.com). Such social media channels may include the Company's or our CEO's blog, Twitter account or LinkedIn account. The information posted through such channels may be material. Accordingly, readers should monitor such channels in addition to our other forms of communication.

OpenText Cybersecurity Unveils 2024's Nastiest Malware

The China-affiliated group is using the highly modular DeepData framework to target organizations in South Asia.

Source: u3d via Shutterstock

China's APT41 threat group is using a sophisticated Windows-based surveillance toolkit in a cyber-espionage campaign targeting organizations in South Asia.

The malware adds to the already broad portfolio of malicious tools that the threat actor has deployed in recent years and makes APT41 an even more pernicious threat to targeted enterprises.

**Optimized Plug-ins**

Researchers at BlackBerry, among the many who are tracking the threat actor, spotted the new malware toolkit earlier this year and have dubbed it "DeepData Framework." Their analysis showed it to be a highly modular toolkit that supports as many as 12 separate plug-ins, each one optimized for a specific malicious function.

Four of the plug-ins steal communications from WhatsApp, Signal, Telegram, and WeChat. Another three are rigged to steal and exfiltrate system information, Wi-Fi network data, and information on all installed applications on the compromised system — including names and installation paths. Three DeepData plug-ins steal information related to browsing history and cookies; they also grab passwords from Web browsers, Baidu storage services, FoxMail, and other cloud services, and other information like user emails and contact lists in Microsoft Outlook. The remaining two plug-ins enable theft of audio files from compromised systems.

Blackberry researchers chanced upon DeepData when conducting an investigation of "LightSpy," an iOS implant that they have tracked APT41 using in an ongoing and wide-ranging mobile espionage campaign against targets in India and South Asia. Their analysis showed DeepData to have a similar design to LightSpy in that both have a core module and support for multiple data theft plug-ins.

Significantly, DeepData appears to be a malware toolkit that the attackers are manually interacting with after compromising a target and gaining access. "The \[command and control\] address is also specified as a command line argument, as are the requested plugins to be run or data to extract," Blackberry's research and intelligence team said in a blog post this week. "The implication of this execution method is that it must be done manually, sans a script or some other bundling distribution."

**Surveillance Powers Continue to Grow**

DeepData adds to APT41's already formidable surveillance and cyber espionage capabilities. The malicious framework is an example of the constantly emerging threats that organizations have to deal with when trying to mitigate threats from advanced persistent threat groups and nation-state bad actors. "Our latest findings indicate that the threat actor behind DeepData has a clear focus on long-term intelligence gathering," BlackBerry said. Since first deploying LightSpy in 2022, the threat actor has methodically and strategically bulked up its capabilities to intercept communications and steal data in total stealth, BlackBerry said.

APT41 is a known threat actor that security vendors and researchers have been variously tracking as Winnti, WickedPanda, Barium, Wicked Spider, and other names. Some vendors consider APT41 to be a collection of smaller subgroups collectively working at the behest of, or on behalf of the Chinese government. The group's mandate appears to be very broad, based on its targets and the kind of campaigns it has conducted in recent years.

Most recently, researchers tied APT41 to attacks targeting global logistics and utilities companies, and to a campaign that targeted research entities in Taiwan. Over the years, the group has stolen data from a wide range of organizations, including intellectual property and trade secrets from healthcare organizations, media and entertainment companies, government agencies, automative firms, retailers, energy companies, pharmaceutical companies, and others. Its activities prompted a US government investigation and subsequent indictment of five alleged members of APT41 back in 2020. Its victims have spanned Europe, Asia, and North America.

The group's latest South Asian campaign appears aimed at politicians, journalists, and political activists in the region, according to BlackBerry. "Organizations of all sizes, particularly those in targeted regions, should treat this threat as a high priority and implement comprehensive defensive measures."

The company's recommended mitigation measures include blocking the group's known C2 infrastructure, monitoring networks and devices for unexpected audio recording activities, using secure communications for transmitting data, and deploying the detection rules that BlackBerry has released for DeepData components.  

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 a.m. ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Toolkit Vastly Expands APT41's Surveillance Powers

PRESS RELEASE

(Paris, France) – October 31, 2024 – As counterfeiting represents a global issue for brands and societies alike, Cypheme, a pioneering French company focused on AI-powered anti-counterfeiting solutions, today announced that Vrai AI, its AI anti-counterfeit technology that can detect fake products based on just a picture of a specific detail of a product or label, purely with visual analysis, is now available to brands worldwide. This ground-breaking artificial intelligence, which is perfect for companies across multiple verticals (i.e.: jewelry, pharmaceuticals, electronics, fashion, etc.), is easy to implement and only requires the use of a smartphone to keep a brands’ reputation and customers safe.

Lacoste, a world-renowned fashion brand, is the first company to pioneer the use of this technology, marking a major milestone in the worlds of AI development, the fashion industry and the global fight against counterfeiting. Already, Cypheme’s ground-breaking solution has achieved a near perfect level of accuracy of 99.7% for Lacoste, helping them easily identify fake products and remove them from the market.

By incorporating Cypheme’s powerful technology, which examines microscopic visual details of a specific feature of the product, the AI can differentiate a real from a fake, much in a way similar to a human expert. No modification of the product, no special label, or hidden marker is needed. For Lacoste, Cypheme uses the famous and iconic crocodile logo to identify fakes among a wide variety of Lacoste products. This represents an unprecedented technological leap in the fight against counterfeiting that could play a major part in solving or mitigating crisis linked to the criminal activity across multiple regions and sectors.

For certain types of products, however, the use of Cypheme’s “Noise Print Label,” a proprietary fingerprint anti-counterfeit label that protects every product it is affixed on, is also available. Noise Print is an anti-copy label that utilizes an advanced set of algorithms powered by an artificial neural network that verifies a product’s authenticity. However, it doesn’t stop there. Noise Print can also help trace back the origin points where fake products are known to be made.

“Today, according the European Union Agency for Law Enforcement Cooperation, counterfeiting represents 2.5% of the world’s trade, or $461 billion, and puts low-quality goods on the market, generating risks for health, well-being, security and safety,” explains Hugo Garcia-Cotte, CEO, Cypheme. “Implementing anti-counterfeiting technologies helps brands combat piracy, secure operations, enhance revenue and improve customer engagement, however they do not stop at just that, they have a much larger impact, helping shape safer societies overall.”

About Cypheme  
Cypheme is a pioneering French company focused on AI-powered anti-counterfeiting solutions. With their AI technology, Vrai AI, they aim to make counterfeit trade an unattractive activity for all people of the world. Cypheme’s technology is used in many different industries and countries to safeguard people from the negative impact of fake goods. For more information, visit https://www.cypheme.com/.

Lacoste First to Use AI-Powered Anti-counterfeiting Solution

The consolidation folds Cybereason's endpoint detection and response (EDR) platform into Trustwave's managed security services offerings, such as managed detection and response (MDR).

Source: nespix via Adobe Stock Photo

Managed services provider Trustwave and endpoint detection and response (EDR) company Cybereason announced a definitive merger agreement on Tuesday. The merger reflects the market appetite for integrated cybersecurity solutions, as seen in Check Point's acquisition of Cyberint earlier this year.

Trustwave and Cybereason will "function independently but collaborate strategically on value-added services and capabilities," the companies said in a statement. Cybereason has a significant presence in Japan and Europe, and Trustwave is strong in the Americas and Australia.

The combined company portfolio will span managed detection and response, EDR, offensive security, security research, digital forensics and incident response, and threat intelligence services. Trustwave and Cybereason have complementary product offerings in EDR, email security, and database security.

For example, Cybereason can offer "combined EDR and MDR solutions," said Eric Gan, chairman and CEO of Cybereason said, a statement.

Together, Trustwave and Cybereason will focus on strengthening client consulting services and managed detection and response (MDR) capabilities to develop an all-in-one solution with Cybereason's EDR for midmarket organizations, as well as help customers integrate and optimize Microsoft Security. A primary areas for strategic investment is a purpose-built AI that can detect known and unknown threats with greater speed and accuracy.

Singtel acquired Trustwave in 2015 for $770 million; it sold the company to MC² Security Fund, a private equity fund sponsored by The Chertoff Group, in January of this year for $205 million. Cybereason has raised over $850 million to date from a variety of investors.

SoftBank, Cybereason's largest shareholder, will remain as the majority investor. Trustwave's current owner and MC² Security Fund will remain as a channel partner and strategic adviser.

Financial details of the merger were not disclosed. The transaction is expected to close in early 2025, pending customary closing conditions and regulatory approvals.

Trustwave-Cybereason Merger Boosts MDR Portfolio

PRESS RELEASE

NEW YORK, Oct. 30, 2024 /PRNewswire/ -- Industrial manufacturers ranked network security as their top cybersecurity investment to guard against adverse cyber events, according to a recent State of Technology in Manufacturing survey by global technology intelligence firm ABI Research. With increasingly connected and digitized industrial assets providing ever more information about processes and workforce, manufacturers are focusing their security on network security technologies such as authentication and access control. Coupled with a growing body of industrial-focused security regulation and an expanding cybercrime element (for whom data in discrete manufacturing processes are extremely high value), this puts pressure on manufacturers to safeguard their operations better.

Network breaches can have significant repercussions on industrial manufacturers. Unplanned downtime impacts production, which could lead to revenue loss or potential regulatory liability for data breaches. In Europe alone, three regulatory instruments impose financial penalties for non-compliance: the General Data Protection Regulations, the NIS2 Directive, and the Cyber Resilience Act.

"Industrial manufacturers are one of the top targeted sectors by threat actors. Not only is counterfeiting in contract manufacturing rife, but ransomware is a prevalent threat," says Michela Menting, Senior Research Director. "Supply chain vulnerabilities and social engineering constitute important vectors for threat actors, and manufacturers are understandably concerned about security as they increasingly connect their industrial assets to operational networks."

Demand for cybersecurity solutions focused on operational technologies is growing quickly as a result, with ABI Research forecasting a US$2 billion market globally in 2024. Much of it is driven by demand for network security and segmentation technologies. This correlates with the survey findings, with manufacturers citing network security solutions such as access control, authentication, and threat detection as their top security investments.

These findings are from ABI Research's Industrial and Manufacturing Survey 1H 2024: Cybersecurity Impacts and Investments report. This report is part of the company's OT Cybersecurity research service, which includes research, data, and ABI Insights.

About ABI Research

ABI Research is a global technology intelligence firm delivering actionable research and strategic guidance to technology leaders, innovators, and decision makers around the world. Our research focuses on the transformative technologies that are dramatically reshaping industries, economies, and workforces today.

ABI Research是一家国际科技情报公司，为全球科技领袖、创新人士和决策者提供实用的市场研究和战略性指导。我们密切关注一切为各行各业、全球经济和劳动市场带来颠覆性变革的创新与技术。

For more information about ABI Research's services, contact us at +1.516.624.2500 in the Americas, +44.203.326.0140 in Europe, +65.6592.0290 in Asia-Pacific, or visit www.abiresearch.com.

You May Also Like

20% of Industrial Manufacturers Are Using Network Security as a First Line of Defense

The shift to cloud means securing your organization's digital assets requires a proactive, multilayered approach.

Source: Zoonar GmbH via Alamy Stock Photo

COMMENTARY

The network structure of organizations has drastically changed post-pandemic with the adoption of cloud, and security teams are struggling to keep up with the pace. Cloud security is different — dynamic, unpredictable, and complex — when compared to on-premises security. The perimeterless architecture of the cloud, use of multicloud infrastructure and applications, and shared responsibility model between cloud security providers and enterprises that use them make cloud security an entirely different ballgame.

With over 72% of organizations using multicloud applications, malicious actors are fishing in troubled waters. As more enterprises move to the cloud to run their businesses more efficiently, attackers are sharpening their tactics and techniques regarding cloud exploits. They have started adopting cutting-edge technologies, like artificial intelligence (AI), machine learning, and deepfakes, to expand their attack surface, especially to exploit cloud networks.

Lack of visibility contributes to the most common cloud security threats, which stem from misconfigurations, unauthorized access, and more. The lift-and-shift approach, which businesses have increasingly adopted in recent times, continues to accelerate cloud threats by enabling these misconfigurations and identity-based threats to be exploited.

While organizations might have security systems in place, ensuring cloud security can be challenging due to the complexity of architecture and the shared responsibility mechanism. A proactive approach to cybersecurity is critical in protecting an organization from potential cloud security threats. Here are five key points to consider when implementing a proactive approach.

**Reduce the Cloud Attack Surface**

As attackers increasingly target the organization's cloud environment with cloud-specific exploits and malware, organizations must consider reducing the attack surface. If defenders have a limited view of the environment, attackers can lurk in the cloud for a longer time and potentially cause more destruction.

Reducing the attack surface does not necessarily mean reducing the number of cloud applications a business uses. To limit adversaries' access to cloud resources, CISOs should adopt layered security and regularly conduct cloud security risks assessments and audits. Ensuring a healthy cloud security posture and adopting AI-based behavior profiling should be part of the cloud security strategy. These help security operations centers (SOCs) proactively function and reduce the cloud surfaces exposed to adversaries.

**Pair Investigation and Response With Protection and Detection**

Organizations have been focusing on spotting threats using various threat detection mechanisms and even proactively hunting vulnerabilities that will lead to potential security threats. However, they must understand that no security system guarantees the prevention of all threats. It's imperative for CISOs to invest in technologies and analytical platforms that facilitate quick investigation of threats and automate responses to remediate threat conditions. When a threat or attack occurs in the cloud, assessing the potential impact across the distributed and multitenant surface is challenging. Therefore, it is essential to use a centralized platform for investigating threats across the multicloud environment and have a response center that can automate workflows by orchestrating with different cloud apps to reduce the mean time to resolve (MTTR) a threat or incident.

**Correlate Events Across the Network**

The correlation between network events and cloud activities is largely similar, but there are specific considerations for detecting cloud security data. Correlation rules for cloud security must be meticulously designed, tested, and implemented with precision. In comparison, detecting data exfiltration in an on-premises environment is relatively simpler since it involves correlating suspicious access to sensitive data with abnormal communication channel activities. The effectiveness of data exfiltration detection depends on the extent to which defense systems capture and analyze unusual traffic behaviors, such as atypical protocol usage or unauthorized access to cloud storage or accounts, Web services, or any other unconventional means.

In the cloud, data exfiltration, particularly from cloud applications, is often identified by correlating access and security logs from the respective applications. For example, when investigating potential customer data exfiltration from a cloud-based CRM tool, SOC professionals should correlate the application's logs with those of other cloud applications, such as email or collaborative platforms. Correlating an individual's suspicious activities within the CRM application with their corresponding account logs in a collaborative platform can uncover two potential threats: compromises of the user's account in the collaborative platform and exfiltration of customer data through the CRM. This correlation rule facilitates a comprehensive assessment of the incident's impact by correlating compromised user account activities across all synchronized applications by employing single sign-on across multiple cloud apps.

**Tackle Shadow IT**

One of the biggest challenges the cloud brings is shadow IT. Even though organizations sanction secure applications for employees to use, at times employees use certain applications that don't fall under the purview of the security teams. These applications can lead to security loopholes and vulnerabilities, causing a massive threat to the organization.

**Take an Identity-Based Approach to the Cloud**

As enterprises move to the cloud, identity security will overtake endpoint security. Security teams are increasingly interested in finding out "who" more than "how" and "why." Taking an identity-based approach to cloud security can help map cloud activities to the respective users in the network. Contextual data can be derived by analyzing who accessed cloud resources and data rather than from where. Identity mapping and AI-behavioral analytics will be the cornerstone for most cloud security threat detection.

In conclusion, a proactive approach to cybersecurity is essential for protecting an organization's assets and maintaining trust with stakeholders. In addition to the above points, organizations can better defend against potential cyberthreats by conducting regular risk assessments, providing employee education and training, regularly updating software and security tools, implementing multifactor authentication, and having a well-defined incident response plan.

It is important to remember that cybersecurity is an ongoing process that requires constant attention and adaptation to stay ahead of evolving threats. By implementing these practices and continuously evaluating and improving them, organizations can effectively mitigate risks and ensure the safety of their digital assets.

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 a.m. ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

**About the Author**

vice president, ManageEngine

Manikandan Thangaraj is Vice President at ManageEngine, the enterprise IT management division of Zoho Corporation, and has been with the company for over 20 years. During Zoho’s journey from being a bootstrapped startup to becoming an enterprise software company, Manikandan has been instrumental in building solutions for some of the industry's most complex challenges like cybersecurity, identity and access management, cloud, and the Microsoft ecosystem. Currently, he spearheads a dynamic team of passionate engineers, marketing experts, solutions consultants, and product managers—all IT enthusiasts at heart, committed to changing the status quo of major business challenges with an intuitive and solution-centric approach.

Tag

#intel