On cybercrime forums, user complaints about being duped may accidentally expose their real identities.

Nobody is immune to being scammed online—not even the people running the scams. Cybercriminals using hacking forums to buy software exploits and stolen login details keep falling for cons and are getting ripped off thousands of dollars at a time, a new analysis has revealed. And what’s more, when the criminals complain that they are being scammed, they’re also leaving a trail of breadcrumbs of their own personal information that could reveal their real-world identities to police and investigators.

Hackers and cybercriminals often gather on specific forums and marketplaces to do business with each other. They can advertise upcoming work they need help with, sell databases of people’s stolen passwords and credit card information, or tout new security vulnerabilities that can be used to break into people’s devices or systems. However, these deals often don’t go to plan.

The new research, published today by cybersecurity firm Sophos, examines these failed transactions and the complaints people have made about them. “Scammers scamming scammers on criminal forums and marketplaces is much bigger than we originally thought it was,” says Matt Wixey, a researcher with Sophos X-Ops who studied the marketplaces.

Wixey examined three of the most prominent cybercrime forums: the Russian-language forums Exploit and XSS, plus the English-language BreachForums, which replaced RaidForums when it was seized by US law enforcement in April. While the sites operate in slightly different ways, they all have “arbitration” rooms where people who think they’ve been scammed or wronged by other criminals can complain. For instance, if someone purchases malware and it doesn’t work, they may moan to the site’s administrators.

The complaints sometimes lead to people getting their money back, but more often act as a warning for other users, Wixey says. In the past 12 months—the period the research covers—criminals on the forums have lost more than $2.5 million to other scammers, the analysis says. Some people complain about losing as little as $2, while the median scams on each of the sites ranges from $200 to $600, according to the research, which is being presented at the BlackHat Europe security conference.

The scams come in multiple forms. Some are simple, others are more sophisticated. Frequently, there are “rip-and-run” scams, Wixey says, where the buyer doesn’t pay for what they’ve received or the seller gets the money but doesn’t send across what they sold. (These are often known as “rippers.”) Other types of scams involve faked data or security exploits that don’t work: One person on BreachForums claimed a seller tried to send them Facebook data that was already public.

In one extreme incident on the Exploit forum, an account posted a lengthy complaint that they had provided someone with a Windows kernel exploit and hadn’t been paid the $130,000 they had agreed for it. The buyer said they would pay once they had tested the software but never stumped up the cash. “At each stage, he gave different excuses for delaying the payment,” a translated version of the complaint says. 

In some scams, multiple accounts or people appeared to work together, the research says. A user with a good reputation can introduce one person to another. This accomplice then directs the victim to a scam website. In one instance, Wixey says, a user wanted to buy a fake copy of the NFT-focused game _Axie Infinity_. “They wanted a fake copy of it with the intent of basically siphoning off legitimate user’s funds,” Wixey says. “They bought this fake copy from someone else, and the fake copy contained a backdoor which then stole the stolen cryptocurrency.” The scammer was essentially being scammed through their own scam.

While it shouldn’t be a surprise that criminals often try to con each other—there’s no honor among cybercriminals, after all—the research shows how prevalent it is. In 2017, security firm Digital Shadows pointed out a database that had been created to name and shame known rippers. Similarly, in 2021, the firm found that some administrators on cybercrime forums are scamming their own customers. In the past decade, there have been thousands of complaints about criminals scamming each other, according to threat intelligence firm Analyst1. Meanwhile, a previous analysis from TrendMicro concluded that while forums and marketplaces have rules, they don’t deter scammers. “The perpetrators are typically those who go for quick profits over reputation,” the firm’s 2019 research says.

Arguably, the most organized scam that Sophos’ Wixey spotted stemmed from an investigation into the Genesis marketplace, which has been online since 2017 and sells hotel login details, cookies, and access to data from compromised systems. When researching Genesis, Sophos discovered a faked version of the website appearing high in Google’s search results. “This is a really bizarre case,” Wixey says. “It was a really basic WordPress template and it asked for money, whereas the real Genesis is invitation only.”

As well as not looking like the official Genesis market, the faked version showed other weird behaviors: It linked out to another cybercrime website, the Bitcoin address people could make payments to changed when someone clicked the copy and paste button on the website, and it was also being advertised on Reddit. These signs, Wixey says, hinted the fake could be a “coordinated” effort. Armed with details from the fake Genesis website—including portions of the text and cryptocurrency addresses—the researchers discovered 20 websites that all appear to be connected and run by the same group or individual. The websites all look the same and were registered between August 2021 and June 2022—eight of them are still live. 

Almost all of these websites, Wixey says, imitate defunct criminal marketplaces and try to get people to pay to access them. The scam appears to work, too. The researcher says the Bitcoin addresses the scam sites pay into have collectively received $132,000, although he is cautious to say the money may all have come from the false websites. Sophos appeared to find one threat user who may be behind the sites—an actor going by the handle “waltcranston.” Among several pieces of information linking the handle to the sites, someone with the username claimed to have created the fake marketplaces on another forum.

Despite not being able to fully confirm that waltcranston is behind the network of fake sites, Wixey says that criminals complaining about being scammed and trying to resolve their disputes through arbitration can be a potential rich source of intelligence for investigators. 

Because those complaining about scams need to post evidence to back up their claims, they often share screenshots containing more personal information than they may have intended. Sophos says it saw a “treasure trove” of data, including cryptocurrency addresses, transaction IDs, email addresses, victims’ names, some malware source code, and other information. All these details may help to uncover more information about the people behind the usernames or provide clues about how they operate.

In one scamming complaint, a user shared a screenshot that showed someone’s Telegram usernames, email addresses, Jabber chat names, plus Skype and Discord usernames. In others, IP addresses and countries where users may be situated are displayed. Screenshots reveal the software people use, as well as the websites they visit and details about their computer setup. In some instances, Wixey saw details of victims that the cybercriminals had targeted.

Criminals, by the nature of what they’re doing, are usually very cautious about sharing anything that may identify them. Real names are not used; they often will use anonymization services such as Tor. “They typically employ pretty good operational security, but with scam reports, that’s not so much the case,” Wixey says. “So much of this stuff is just not available anywhere else on these marketplaces.” Going forward, the data could prove a useful tool for tracking down some of the criminals. “It’s certainly a starting point,” Wixey says.

Scammers Are Scamming Other Scammers Out of Millions of Dollars

A world of increasingly connected devices has created a vast attack surface for sophisticated adversaries.

The explosion in connected devices, ranging from the Internet of Things to networking devices and operational technology (collectively known as the Extended Internet of Things, or xIoT), has created a vast, diverse, and largely unmapped attack surface that sophisticated adversaries are actively exploiting.

This growing risk is reflected in many recent reports from companies like Microsoft, Intel 471, and Zscaler that have found a significant uptick in both targeted and untargeted attacks on these devices, with a high rate of malware infections.

However, these threats — particularly when they target IoT devices — are often misunderstood or dismissed, as companies tend to view them as less significant than a traditional network attack. Part of the reason for this is the mistaken belief that IoT threats are mostly limited to botnet malware used for cryptomining and distributed denial-of-service (DDoS) attacks. In reality, IoT attacks are becoming much more sophisticated and now pose serious threats to corporate network integrity, data security, and even physical security systems.

Here are three xIoT attacks every company should be aware of:

**Pivoting From the xIoT Device**

Since many xIoT devices lack even basic native cybersecurity protections, disallow the installation of traditional endpoint security software, and are often unmonitored, they are an effective initial access point for attackers looking to gain a beachhead on a company and then move laterally across its network.

Once the xIoT device has been compromised, the adversary can use this foothold to upload tools, sniff network traffic, search for other exploitable devices, and exfiltrate sensitive data. For example, an attacker can transition from an IoT device into the main IT network, as well as the operational technology (OT) network.

This type of "pivot attack" has already been observed in the wild by multiple companies. My company has seen a growing number of corporate cyberattacks, in which the company was first compromised through a security camera, door controller, or other device, then targeted with ransomware, espionage, or data theft through its IT network.

In 2019, Microsoft Threat Intelligence Center detected an adversary that exploited three different IoT devices (a VoIP phone, a printer, and a video decoder), from which the actor established a presence on the network while looking for further access. Researchers also unveiled a proof-of-concept ransomware that can spread from an xIoT device to an IT network.

**Atypical Data Theft**

xIoT devices can also be direct targets of espionage and data theft.

Certain office devices like connected printers and document scanners are storehouses of sensitive corporate information that is largely unprotected. In the healthcare industry, CT scanners and MRI machines also contain valuable personal and medical information. Industrial devices can pose data breach risks too. Certain OT devices, like programmable logic controllers (PLCs), can contain privileged manufacturing and processing details, such as temperature and pressure ranges, chemical mixing.

This type of sensitive data storage in xIoT devices is often overlooked by traditional information security audits, and the devices themselves offer little, if any, data protection. For remote attackers, gaining access to these devices is usually a trivial matter.

My company has found that 50% of xIoT devices use default passwords, 68% of devices have high-risk or critical CVEs in their firmware, and 26% of these devices are end-of-life and no longer supported. This means in literally half of these cases, all an attacker needs to do is enter in a default password to gain access to privileged data.

**xIoT as a Persistence Strategy**

Threat actors who have already breached a corporate IT network through traditional means like phishing may also carry out a second-stage attack on xIoT devices to achieve long-term persistence inside the organization.

One example is the threat actor UNC3524, which Mandiant recently discovered had been installing a backdoor called QuietExit in opaque network appliances and IoT devices like security cameras, remaining undetected on victims' networks for at least 18 months.

xIoT devices are an ideal hiding place for sophisticated adversaries. These devices are poorly monitored, lack anti-malware and intrusion detection coverage, and are not easy to analyze during incident response. My company has found that over 80% of security teams can't even identify the majority of xIoT devices they have in their networks. They also fall into an administrative gray area in terms of who is responsible for managing them (is it the IT team, the security team, the operations team, or the vendor?), which leads to confusion and inaction.

An adversary can easily install a backdoor in any one of these overlooked xIoT devices that will be exceedingly difficult for the security team to detect. The average enterprise has anywhere from tens of thousands to millions of xIoT devices, and typically relies on manual processes for monitoring and maintaining them. Detecting such a backdoor will be like trying to find a needle in an enormous haystack (or haystacks).

**Preventing the Full Range of xIoT Attacks**

In spite of their many risks, xIoT devices can be sufficiently protected without imposing high costs on a company.

Basic measures such as strong password management and keeping firmware up to date will drastically reduce the risk. Accurate inventorying and regular monitoring are also key.

Where companies will be challenged is in terms of the volume of devices they must protect. This is why automation is important, as manually changing passwords and updating firmware on such a vast array of devices isn't feasible for most companies.

3 xIoT Attacks Companies Aren't Prepared For

The China-linked nation-state hacking group referred to as Mustang Panda is using lures related to the ongoing Russo-Ukrainian War to attack entities in Europe and the Asia Pacific.
That's according to the BlackBerry Research and Intelligence Team, which analyzed a RAR archive file titled "Political Guidance for the new EU approach towards Russia.rar." Some of the targeted countries include

Spear Phishing / Cyber Espionage

The China-linked nation-state hacking group referred to as **Mustang Panda** is using lures related to the ongoing Russo-Ukrainian War to attack entities in Europe and the Asia Pacific.

That's according to the BlackBerry Research and Intelligence Team, which analyzed a RAR archive file titled "Political Guidance for the new EU approach towards Russia.rar." Some of the targeted countries include Vietnam, India, Pakistan, Kenya, Turkey, Italy, and Brazil.

Mustang Panda is a prolific cyber-espionage group from China that's also tracked under the names Bronze President, Earth Preta, HoneyMyte, RedDelta, and Red Lich.

It's believed to be active since at least July 2018, per Secureworks' threat profile, although indications are that the threat actor has been targeting entities worldwide as early as 2012.

Mustang Panda is known to heavily rely on sending weaponized attachments via phishing emails to achieve initial infection, with the intrusions eventually leading to the deployment of the PlugX remote access trojan.

However, recent spear-phishing attacks undertaken by the group targeting government, education, and research sectors in the Asia Pacific region have involved custom malware like PUBLOAD, TONEINS, and TONESHELL, suggesting an expansion to its malware arsenal.

The latest findings from BlackBerry show that the core infection process has remained more or less the same, even as Mustang Panda continues to utilize geopolitical events to their advantage, echoing prior reports from Google and Proofpoint.

Contained within the decoy archive is a shortcut to a Microsoft Word file, which leverages DLL side-loading – a technique that was also employed in attacks aimed at Myanmar earlier this year – to kick off the execution of PlugX in memory, before displaying the document's contents.

"Their attack chain remains consistent with the continued use of archive files, shortcut files, malicious loaders, and the use of the PlugX malware, although their delivery setup is usually customized per region/country to lure victims into executing their payloads in the hope of establishing persistence with the intent of espionage," BlackBerry's Dmitry Bestuzhev told The Hacker News.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Chinese Hackers Using Russo-Ukrainian War Decoys to Target APAC and European Entities

A state-sponsored hacking group with links to Russia has been linked to attack infrastructure that spoofs the Microsoft login page of Global Ordnance, a legitimate U.S.-based military weapons and hardware supplier.
Recorded Future attributed the new infrastructure to a threat activity group it tracks under the name TAG-53, and is broadly known by the cybersecurity community as Callisto,

A state-sponsored hacking group with links to Russia has been linked to attack infrastructure that spoofs the Microsoft login page of Global Ordnance, a legitimate U.S.-based military weapons and hardware supplier.

Recorded Future attributed the new infrastructure to a threat activity group it tracks under the name **TAG-53**, and is broadly known by the cybersecurity community as Callisto, COLDRIVER, SEABORGIUM, and TA446.

"Based on historical public reporting on overlapping TAG-53 campaigns, it is likely that this credential harvesting activity is enabled in part through phishing," Recorded Future's Insikt Group said in a report published this week.

The cybersecurity firm said it discovered 38 domains, nine of which contained references to companies like UMO Poland, Sangrail LTD, DTGruelle, Blue Sky Network, the Commission for International Justice and Accountability (CIJA), and the Russian Ministry of Internal Affairs.

It's suspected that the themed domains are likely an attempt on part of the adversary to masquerade as authentic parties in social engineering campaigns.

"Notably, a consistent trend has emerged regarding the use of specifically tailored infrastructure by TAG-53 highlighting the long-term use of similar techniques for their strategic campaigns," the researchers said.

The development comes nearly four months after Microsoft disclosed that it took steps to disrupt phishing and credential theft attacks mounted by the group with the goal of breaching defense and intelligence consulting companies as well as NGOs, think tanks, and higher education entities in the U.K. and the U.S.

Enterprise security company Proofpoint has further called out the group for its sophisticated impersonation tactics to deliver rogue phishing links.

Terms used in TAG-53 linked domains

Additionally, the threat actor has been attributed with low confidence to a spear-phishing operation targeting Ukraine's Ministry of Defence coinciding with the onset of Russia's military invasion of the country earlier this March.

SEKOIA.IO, in a separate write-up, corroborated the findings, uncovering a total of 87 domains, with two of them alluding to private sector companies Emcompass and BotGuard. Also targeted were four NGOs involved in Ukraine crisis relief.

One of those attacks involved email communications between the NGO and the attacker using a spoofed email address mimicking a trusted source, followed by sending a malicious PDF containing a phishing link in an attempt to evade detection from email gateways.

"The email exchange shows that the attacker did not include the malicious payload in the ﬁrst email, but waited to get an answer to build a relationship and avoid suspicion before sending the payload to the victim," the cybersecurity company explained.

The use of typosquatted Russian ministry domains further adds weight to Microsoft's assessment that SEABORGIUM targets former intelligence officials, experts in Russian affairs, and Russian citizens abroad.

SEKOIA.IO also characterized the targeting of CIJA as an intelligence gathering mission designed to amass "war crime-related evidence and/or international justice procedures, likely to anticipate and build counter narrative on future accusations."

The disclosures arrive as threat intelligence firm Lupovis revealed that Russian threat actors have compromised the networks belonging to several companies in the U.K., the U.S., France, Brazil, South Africa, and are "rerouting through their networks" to launch attacks against Ukraine.

Microsoft, in the meanwhile, has warned of "potential Russian attack in the digital domain over the course of this winter," pointing out Moscow's "multi-pronged hybrid technology approach" of conducting cyber strikes against civilian infrastructure and influence operations seeking to fuel discord in Europe.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Russian Hackers Spotted Targeting U.S. Military Weapons and Hardware Supplier

Cryptocurrency investment companies are the target of a developing threat cluster that uses Telegram groups to seek out potential victims.
Microsoft's Security Threat Intelligence Center (MSTIC) is tracking the activity under the name DEV-0139, and builds upon a recent report from Volexity that attributed the same set of attacks to North Korea's Lazarus Group.
"DEV-0139 joined Telegram groups

Cryptocurrency / Threat Intelligence

Cryptocurrency investment companies are the target of a developing threat cluster that uses Telegram groups to seek out potential victims.

Microsoft's Security Threat Intelligence Center (MSTIC) is tracking the activity under the name **DEV-0139**, and builds upon a recent report from Volexity that attributed the same set of attacks to North Korea's Lazarus Group.

"DEV-0139 joined Telegram groups used to facilitate communication between VIP clients and cryptocurrency exchange platforms and identified their target from among the members," the tech giant said.

The adversary subsequently impersonated another cryptocurrency investment company and invited the victim to join a different Telegram chat group under the pretext of asking for feedback on the trading fee structure used by exchange platforms across VIP tiers.

It's worth pointing out that the VIP program is designed to reward high-volume traders with exclusive trading fee incentives and discounts based on the 30-day trading volume.

This attack chain notably dovetails with Volexity's analysis of an October 2022 campaign, wherein the threat actor pivoted from using MSI installer files to a weaponized Microsoft Excel document displaying the supposed cryptocurrency coin rates.

Microsoft described the document as containing likely accurate data to increase the likelihood of success of the campaign, suggesting that DEV-0139 is well versed in the inner workings of the crypto industry.

The malware-laced Excel file, for its part, is tasked with executing a malicious macro that's used to stealthily drop and execute a second Excel worksheet, which, in turn, includes a macro that downloads a PNG image file hosted on OpenDrive.

This image file contains three executables, each of which is used to launch the next-stage payload, ultimately paving the way for a backdoor that lets the threat actor remotely access the infected system.

Furthermore, the fee structure spreadsheet is password-protected in a bid to convince the target into enabling macros, thereby initiating malicious actions. A metadata analysis of the file shows that it was created on October 14, 2022 by a user named Wolf.

DEV-0139 has also been linked to an alternative attack sequence in which an MSI package for a fake application named "CryptoDashboardV2" is delivered in place of a malicious Excel document to deploy the same implant.

The backdoor mainly enables remote access to the host by gathering information from the targeted system and connecting to a command-and-control (C2) server to receive additional commands.

"The cryptocurrency market remains a field of interest for threat actors," Microsoft said. "Targeted users are identified through trusted channels to increase the chance of success."

In recent years, Telegram has not only witnessed widespread adoption in the cryptocurrency industry, but also been co-opted by threat actors looking to discuss zero-day vulnerabilities, offer stolen data, and market their services through the popular messaging platform.

"With users losing confidence in the anonymity offered by forums, illicit marketplaces are increasingly turning to Telegram," Positive Technologies disclosed in a new study of 323 public Telegram channels and groups with over one million subscribers in total.

"The number of unique cyberattacks is constantly growing, and the market for cybercriminal services is expanding and moving into ordinary social media and messaging apps, thereby significantly lowering the entry threshold for cybercriminals."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Alerts Cryptocurrency Industry of Targeted Cyber Attacks

If compiling a software bill of materials seems daunting, attack surface management tools can provide many of the benefits.

A software bill of materials (SBOM) is an important tool enterprise defenders can use to track the impact of software security bugs, manage sane patch management, and protect the integrity of the software supply chain as a whole. Scores of industry leaders say so. The Office of the President of the United States says so.

So why are they not widely used yet? What are software vendors worried about? Do they know something that we don't?

In a recent CISO Forum in Whitehall, London, many CISOs felt that the challenges and speed of change in application security, particularly in a cloud-enabled environment, had left them a little nonplussed and challenged to change their architectural models and thinking to become fully cloud native. In particular, there was a reluctance to let go of legacy control methods such as IP-based access lists and endpoint-based security controls.

**Hesitant to Set Off the SBOM**

There are several interesting possibilities that may be driving the tendency to delay providing SBOMs.

The first is **ignorance of their own supply chain**. It's possible that the vendors don't actually know the origin of some of their software. It is common practice in large development teams and long, complex projects to effectively "black box" entire sections of code.

If that is the case, the fact that the organization may not fully know the origins of its software raises a myriad of concerns. It could indicate anything from bad version tracking to the existence of potentially indispensable employees that hold the fate of the entire company in their coding hands. It's completely understandable that such a company would hesitate to release SBOMs for its products.

Another scenario that might make a company leery of SBOMs is **if the product is almost entirely an assembly of other products**. It's the reality of modern software development that programs are the result of custom code cobbled together with third-party libraries and components. If the company has written a very low percentage of its own code, then the SBOM could essentially become a recipe card for someone else to clone the product.

But the likely scenario is that software firms may **see no upside, only potential downside** to releasing SBOMs. Currently there's very little market pressure on releasing SBOMs for their product lines. They may have created one for internal use, but there is no real push to make them public. The main concern voiced by CISOs is that while an SBOM may improve visibility, it provides little impetus towards remediation and no liability for fixing software flaws — leaving the problem squarely in the lap of the end user, the CISO.

**Getting Past the SBOM**

It's unlikely that the industry or the purchasing public will be able to generate the market pressure required to force every major player to release an SBOM for all their products. In May 2021, the US government issued an executive order to improve the nation's cybersecurity that explicitly called for SBOMs as a control measure for the software supply chain. The EU government, for its part, has planned a Cyber Resilience proposal to echo and support the requirements of the US order.

If the main purpose of an SBOM is patch management and vulnerability attribution, there is a secondary layer of monitoring and protection that cybersecurity personnel should be looking at: attack surface management (ASM).

While it would be slightly easier for enterprise security teams to know that the software they use contain packages X, Y, and Z, that isn't the only way to manage application security. By tracking the security advisory history of these software suites, we can estimate the most likely attack vectors that they can fall victim to.

The combination of these vulnerabilities compiled from every piece of software that a company uses makes up an organization's attack surface. What ASM tries to do is intelligently categorize these weaknesses and automate the discovery, remediation, and continuous monitoring of new threats.

It's like tying together a vulnerability advisory service with an enterprise software management solution. The way that the ASM does this varies from product to product, but generally some amount of machine learning is involved. That way predictive models can be built so that when certain zero-day exploits are discovered, you will know how likely they are to apply to your attack surface even if you don't have a detailed SBOM from every vendor.

A good ASM has the additional benefit of treating ducks like ducks. You know: If it looks like a duck and quacks like a duck, it doesn't really matter if someone else labeled it as a swan instead. The ASM only cares about results. If a company insists that it's using the Open Dynamics Engine, but for some mysterious reason it falls victim to all the same vulnerabilities as the PhysX engine, ASM will completely ignore labels and suggest the fixes that actually fit the situation and not the ones that correspond to the names.

Even if the movement toward mainstream adoption of SBOM continues to be slow, security professionals have a strong alternative with ASM. It's also worth noting that ASM will complement any SBOM-based software governance with a dynamic risk mitigation system.

Instead of adopting and deploying something locally to cover your vulnerability discovery and monitoring needs, another alternative is to embrace an agentless security model that can monitor extended asset attack surfaces. The device intelligence firm Armis, for example, does this with a fully cloud-native approach. Think of it as an ASM solution that covers IoT devices, cloud instances, and edge networking setups, as well as traditional on-premises.

Such a model presents a different, more global way of looking at asset intelligence that might be more attractive to large enterprise operations. Smaller operations, however, would likely want to save their money for a good ASM and rely on extra vigilance for their extended network devices.

ASM Can Fill Gaps While Working to Implement SBOM

There's no quick fix after decades of underinvestment, but the process has started. Cybersecurity grants, mandatory reporting protocols, and beefed-up authentication requirements are being put in place.

Securing critical infrastructure is complicated because of the vast network of facilities and management systems. Threats targeting this sector can have dire consequences, and when attacks do happen, they're often accompanied by a media storm. This generates interest among concerned citizens, which prompts a reaction from politicians, who are spurred into action to ensure the necessary cyber protections are implemented to calm the concerned citizens — the electorate.

The 2021 ransomware attack on Colonial Pipeline, which caused long lines at gas stations, followed this very timeline and served as a much-needed wake-up call to protect critical infrastructure services against cyberattacks. The attack prompted action at the highest levels of US government, causing the president to expedite an executive order aimed at strengthening US cybersecurity defenses. The executive order, in brief, requires disclosure of incidents, creates a federal playbook for incidents, mandates cybersecurity upgrades, creates a review board, and, importantly, encourages an ethos of cyber-intelligence sharing between government agencies and the private sector.

**Wake-Up Call**

The emphasis on cybersecurity due to the increased threats to critical infrastructure — including cybercriminals attempting to monetize their efforts, terrorism, and the conflict in Ukraine — is unprecedented. In the current budget proposal, the Cybersecurity and Infrastructure Security Agency (CISA) will receive $2.93 billion, $417.1 million more than it requested. There are numerous grants available to critical infrastructure organizations to assist funding the much-needed improvements to cybersecurity; in April 2022, CISA and FEMA began rolling out the first $1 billion from the Rescue Act to help state and local entities improve cybersecurity. Testifying before the House Homeland Security Subcommittee, Jen Easterly, director of the CISA, used the cyberattack on the Oldsmar, Fla., water utility plant as an example of an attack on critical infrastructure to justify the original request.

Enormous would be an underestimate of the task of upgrading the cybersecurity of water supply and wastewater systems in the US. According to American Water, there are 53,000 water supply and sanitation providers in the US. The Environmental Protection Agency (EPA) calculates this differently, and lists 148,000 public water systems (not companies).

If, like me, you live in a rural community, the company supplying your water is likely a small local business providing a critical infrastructure service. On Feb. 5, 2021, the water treatment system servicing Oldsmar City suffered a cyber incident: A poorly secured remote-access solution based on TeamViewer was accessed by a perpetrator, who adjusted the amount of sodium hydroxide in the water from 100 parts per million to 11,000 parts per million. Fortunately, a city water plant operator noticed the increase and reversed it, stopping the attack and the potential poisoning of thousands of people. It was later disclosed that the system accessed wasn't protected by two-factor authentication and was protected by a weak, shared password. There really is no excuse.

The Wall Street Journal's CIO Journal suggests that technology spending as a percentage of revenue in banking and securities is around 7%, and in construction and manufacturing just 2%. Given that water supply is a critical infrastructure service and has been specifically called out as needing cybersecurity investment, it is reasonable to expect spending on IT, including cybersecurity, to be at the higher of these two levels. A report by Deloitte breaks this number out for cybersecurity spending, which they estimate to be 10.9%.

**The $2.5 Billion Scope of the Problem**

What does this mean in a rural water system company, without shaming any particular company? I will use a real-life example without naming the company. Company X has a total revenue budget of $12.4 million per year, with an operating cost for computer services of $211,000 for the same period. There are some costs for IT-related items that may be outside of the operating budget and are attributed to capital spending. For the fiscal year 2021–22, the only item that could have cybersecurity element is a $50,000 cost for SCADA/telemetry/electrical control replacement.

This equates to IT spending (listed as computer services) of 1.7%, and even allowing that 50% of the capital expenditure item is cybersecurity, which is unlikely, this becomes 1.9%. Using the earlier mentioned cybersecurity estimate of 10.9%, the spending on cybersecurity is just under $22,000 per year, for an organization with $12.4 million in revenue. In a sector under continual threat, it's not unreasonable to expect spending to replicate that of financial organizations, which, in this instance, would equate to an IT spending of $868,000, with cybersecurity accounting for just under $94,000 per year.

The water sector does benefit from federal assistance, and the EPA has requested $25 million in fiscal year 2023 for a new grant program to advance cybersecurity infrastructure capacity and protections within the water sector. If you do raw math on this and distribute it among the 54,000 organizations, it equates to less than $500 each. There may be other funding and grants available, but the point isn't the numbers, it’s the magnitude of the problem. To fund each water supply organization $50,000 for cybersecurity, a more realistic number, a budget of $2.5 billion would need to be set aside.

Years of underinvestment in critical infrastructure security isn't something fixable in the short term. The complexity of dealing with 53,000 organizations (around 50,000 of them rural) and attempting to bring them all to a basic level of compliance is a mammoth task. All of this comes at a time when inflation is rampant, and the cost of energy is high.

**One Possible Solution**

There is always a solution. One idea is that the IT services of water supply companies would be better serviced if they were grouped together, centralizing internal services.

If, for example, 10 companies joined together for IT and cybersecurity, there would be numerous benefits: financial, resources, communication, compliance, policy, etc. This would be similar to the way individual schools are part of a school district, with one, single governing body. This is just one solution, and I'm sure there are many options that could be pursued that could help alleviate the financial and resources burden facing the critical infrastructure sector.

What Will It Take to Secure Critical Infrastructure?

Red Hat Security Advisory 2022-8809-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include an out of bounds write vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: kernel security and bug fix update  
Advisory ID:       RHSA-2022:8809-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8809  
Issue date:        2022-12-06  
CVE Names:         CVE-2022-1158 CVE-2022-2639   
=====================================================================

1. Summary:

An update for kernel is now available for Red Hat Enterprise Linux 8.6  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder EUS (v.8.6) - aarch64, ppc64le, x86_64  
Red Hat Enterprise Linux BaseOS EUS (v.8.6) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux  
operating system.

Security Fix(es):

* kernel: KVM: cmpxchg_gpte can write to pfns outside the userspace region  
(CVE-2022-1158)

* kernel: openvswitch: integer underflow leads to out-of-bounds write in  
reserve_sfa_size() (CVE-2022-2639)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* x86/intel: processors require energy_perf_bias setting (BZ#2102103)

* System crashes due to list_add double add at  
iwl_mvm_mac_wake_tx_queue+0x71 (BZ#2112264)

* Fix SCHED_WARN_ON deadlock (BZ#2125422)

* Starting VMs on a KVM-host with EL8.6-kernel sometimes produces timejumps  
into the future for other already running guest-VMs [rhel.8] (BZ#2125671)

* RHEL8.4 - zfcp: fix missing auto port scan and thus missing target ports  
(BZ#2127850)

* vfio zero page mappings fail after 2M instances (BZ#2128516)

* The kernel needs to offer a way to reseed the Crypto DRBG and atomically  
extract random numbers from it (BZ#2129728)

* ice: Driver Update up to 5.19 (BZ#2130993)

* virtio-net: support XDP when not more queues (BZ#2131740)

* VMs hang after migration (BZ#2131756)

* Update NVME subsystem with bug fixes and minor changes (BZ#2132555)

* [HPE BUG] Premature swapping with swappiness=0 while there’s still plenty  
of pagecache to be reclaimed. (BZ#2133831)

* nf_conntrack causing nfs to stall (BZ#2134089)

* Fix issue that enables STABLE_WRITES by default and causes performance  
regressions (BZ#2135814)

* [ice] Intel E810 PTP clock glitching (BZ#2136037)

* ice: arp replies not making it to switch (BZ#2136043)

* [ice]configure link-down-on-close on and change interface mtu to 9000,the  
interface can't up (BZ#2136217)

* ice: dump additional CSRs for Tx hang debugging (BZ#2136514)

* crypto/testmgr.c should not list dh, ecdh as .fips_allowed = 1  
(BZ#2136525)

* FIPS module identification via name and version (BZ#2136540)

* FIPS self-tests for RSA pkcs7 signature verification (BZ#2137316)

* After upgrading to ocp4.11.1, our dpdk application using vlan strip  
offload is not working (BZ#2138158)

* WARNING: CPU: 0 PID: 9637 at kernel/time/hrtimer.c:1309  
hrtimer_start_range_ns+0x35d/0x400 (BZ#2138954)

* [DELL EMC 8.6-RT BUG] System is not booting into RT Kernel with perc12.  
(BZ#2139217)

* Cannot trigger kernel dump using NMI on SNO node running PAO and RT  
kernel (BZ#2139581)

* Laser bias information can't be shown by ethtool on rhel8.6 (BZ#2139638)

* Nested KVM is not working on RHEL 8.6 with hardware error 0x7  
(BZ#2140144)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2069793 - CVE-2022-1158 kernel: KVM: cmpxchg_gpte can write to pfns outside the userspace region  
2084479 - CVE-2022-2639 kernel: openvswitch: integer underflow leads to out-of-bounds write in reserve_sfa_size()

6. Package List:

Red Hat Enterprise Linux BaseOS EUS (v.8.6):

Source:  
kernel-4.18.0-372.36.1.el8_6.src.rpm

aarch64:  
bpftool-4.18.0-372.36.1.el8_6.aarch64.rpm  
bpftool-debuginfo-4.18.0-372.36.1.el8_6.aarch64.rpm  
kernel-4.18.0-372.36.1.el8_6.aarch64.rpm  
kernel-core-4.18.0-372.36.1.el8_6.aarch64.rpm  
kernel-cross-headers-4.18.0-372.36.1.el8_6.aarch64.rpm  
kernel-debug-4.18.0-372.36.1.el8_6.aarch64.rpm  
kernel-debug-core-4.18.0-372.36.1.el8_6.aarch64.rpm  
kernel-debug-debuginfo-4.18.0-372.36.1.el8_6.aarch64.rpm  
kernel-debug-devel-4.18.0-372.36.1.el8_6.aarch64.rpm  
kernel-debug-modules-4.18.0-372.36.1.el8_6.aarch64.rpm  
kernel-debug-modules-extra-4.18.0-372.36.1.el8_6.aarch64.rpm  
kernel-debuginfo-4.18.0-372.36.1.el8_6.aarch64.rpm  
kernel-debuginfo-common-aarch64-4.18.0-372.36.1.el8_6.aarch64.rpm  
kernel-devel-4.18.0-372.36.1.el8_6.aarch64.rpm  
kernel-headers-4.18.0-372.36.1.el8_6.aarch64.rpm  
kernel-modules-4.18.0-372.36.1.el8_6.aarch64.rpm  
kernel-modules-extra-4.18.0-372.36.1.el8_6.aarch64.rpm  
kernel-tools-4.18.0-372.36.1.el8_6.aarch64.rpm  
kernel-tools-debuginfo-4.18.0-372.36.1.el8_6.aarch64.rpm  
kernel-tools-libs-4.18.0-372.36.1.el8_6.aarch64.rpm  
perf-4.18.0-372.36.1.el8_6.aarch64.rpm  
perf-debuginfo-4.18.0-372.36.1.el8_6.aarch64.rpm  
python3-perf-4.18.0-372.36.1.el8_6.aarch64.rpm  
python3-perf-debuginfo-4.18.0-372.36.1.el8_6.aarch64.rpm

noarch:  
kernel-abi-stablelists-4.18.0-372.36.1.el8_6.noarch.rpm  
kernel-doc-4.18.0-372.36.1.el8_6.noarch.rpm

ppc64le:  
bpftool-4.18.0-372.36.1.el8_6.ppc64le.rpm  
bpftool-debuginfo-4.18.0-372.36.1.el8_6.ppc64le.rpm  
kernel-4.18.0-372.36.1.el8_6.ppc64le.rpm  
kernel-core-4.18.0-372.36.1.el8_6.ppc64le.rpm  
kernel-cross-headers-4.18.0-372.36.1.el8_6.ppc64le.rpm  
kernel-debug-4.18.0-372.36.1.el8_6.ppc64le.rpm  
kernel-debug-core-4.18.0-372.36.1.el8_6.ppc64le.rpm  
kernel-debug-debuginfo-4.18.0-372.36.1.el8_6.ppc64le.rpm  
kernel-debug-devel-4.18.0-372.36.1.el8_6.ppc64le.rpm  
kernel-debug-modules-4.18.0-372.36.1.el8_6.ppc64le.rpm  
kernel-debug-modules-extra-4.18.0-372.36.1.el8_6.ppc64le.rpm  
kernel-debuginfo-4.18.0-372.36.1.el8_6.ppc64le.rpm  
kernel-debuginfo-common-ppc64le-4.18.0-372.36.1.el8_6.ppc64le.rpm  
kernel-devel-4.18.0-372.36.1.el8_6.ppc64le.rpm  
kernel-headers-4.18.0-372.36.1.el8_6.ppc64le.rpm  
kernel-modules-4.18.0-372.36.1.el8_6.ppc64le.rpm  
kernel-modules-extra-4.18.0-372.36.1.el8_6.ppc64le.rpm  
kernel-tools-4.18.0-372.36.1.el8_6.ppc64le.rpm  
kernel-tools-debuginfo-4.18.0-372.36.1.el8_6.ppc64le.rpm  
kernel-tools-libs-4.18.0-372.36.1.el8_6.ppc64le.rpm  
perf-4.18.0-372.36.1.el8_6.ppc64le.rpm  
perf-debuginfo-4.18.0-372.36.1.el8_6.ppc64le.rpm  
python3-perf-4.18.0-372.36.1.el8_6.ppc64le.rpm  
python3-perf-debuginfo-4.18.0-372.36.1.el8_6.ppc64le.rpm

s390x:  
bpftool-4.18.0-372.36.1.el8_6.s390x.rpm  
bpftool-debuginfo-4.18.0-372.36.1.el8_6.s390x.rpm  
kernel-4.18.0-372.36.1.el8_6.s390x.rpm  
kernel-core-4.18.0-372.36.1.el8_6.s390x.rpm  
kernel-cross-headers-4.18.0-372.36.1.el8_6.s390x.rpm  
kernel-debug-4.18.0-372.36.1.el8_6.s390x.rpm  
kernel-debug-core-4.18.0-372.36.1.el8_6.s390x.rpm  
kernel-debug-debuginfo-4.18.0-372.36.1.el8_6.s390x.rpm  
kernel-debug-devel-4.18.0-372.36.1.el8_6.s390x.rpm  
kernel-debug-modules-4.18.0-372.36.1.el8_6.s390x.rpm  
kernel-debug-modules-extra-4.18.0-372.36.1.el8_6.s390x.rpm  
kernel-debuginfo-4.18.0-372.36.1.el8_6.s390x.rpm  
kernel-debuginfo-common-s390x-4.18.0-372.36.1.el8_6.s390x.rpm  
kernel-devel-4.18.0-372.36.1.el8_6.s390x.rpm  
kernel-headers-4.18.0-372.36.1.el8_6.s390x.rpm  
kernel-modules-4.18.0-372.36.1.el8_6.s390x.rpm  
kernel-modules-extra-4.18.0-372.36.1.el8_6.s390x.rpm  
kernel-tools-4.18.0-372.36.1.el8_6.s390x.rpm  
kernel-tools-debuginfo-4.18.0-372.36.1.el8_6.s390x.rpm  
kernel-zfcpdump-4.18.0-372.36.1.el8_6.s390x.rpm  
kernel-zfcpdump-core-4.18.0-372.36.1.el8_6.s390x.rpm  
kernel-zfcpdump-debuginfo-4.18.0-372.36.1.el8_6.s390x.rpm  
kernel-zfcpdump-devel-4.18.0-372.36.1.el8_6.s390x.rpm  
kernel-zfcpdump-modules-4.18.0-372.36.1.el8_6.s390x.rpm  
kernel-zfcpdump-modules-extra-4.18.0-372.36.1.el8_6.s390x.rpm  
perf-4.18.0-372.36.1.el8_6.s390x.rpm  
perf-debuginfo-4.18.0-372.36.1.el8_6.s390x.rpm  
python3-perf-4.18.0-372.36.1.el8_6.s390x.rpm  
python3-perf-debuginfo-4.18.0-372.36.1.el8_6.s390x.rpm

x86_64:  
bpftool-4.18.0-372.36.1.el8_6.x86_64.rpm  
bpftool-debuginfo-4.18.0-372.36.1.el8_6.x86_64.rpm  
kernel-4.18.0-372.36.1.el8_6.x86_64.rpm  
kernel-core-4.18.0-372.36.1.el8_6.x86_64.rpm  
kernel-cross-headers-4.18.0-372.36.1.el8_6.x86_64.rpm  
kernel-debug-4.18.0-372.36.1.el8_6.x86_64.rpm  
kernel-debug-core-4.18.0-372.36.1.el8_6.x86_64.rpm  
kernel-debug-debuginfo-4.18.0-372.36.1.el8_6.x86_64.rpm  
kernel-debug-devel-4.18.0-372.36.1.el8_6.x86_64.rpm  
kernel-debug-modules-4.18.0-372.36.1.el8_6.x86_64.rpm  
kernel-debug-modules-extra-4.18.0-372.36.1.el8_6.x86_64.rpm  
kernel-debuginfo-4.18.0-372.36.1.el8_6.x86_64.rpm  
kernel-debuginfo-common-x86_64-4.18.0-372.36.1.el8_6.x86_64.rpm  
kernel-devel-4.18.0-372.36.1.el8_6.x86_64.rpm  
kernel-headers-4.18.0-372.36.1.el8_6.x86_64.rpm  
kernel-modules-4.18.0-372.36.1.el8_6.x86_64.rpm  
kernel-modules-extra-4.18.0-372.36.1.el8_6.x86_64.rpm  
kernel-tools-4.18.0-372.36.1.el8_6.x86_64.rpm  
kernel-tools-debuginfo-4.18.0-372.36.1.el8_6.x86_64.rpm  
kernel-tools-libs-4.18.0-372.36.1.el8_6.x86_64.rpm  
perf-4.18.0-372.36.1.el8_6.x86_64.rpm  
perf-debuginfo-4.18.0-372.36.1.el8_6.x86_64.rpm  
python3-perf-4.18.0-372.36.1.el8_6.x86_64.rpm  
python3-perf-debuginfo-4.18.0-372.36.1.el8_6.x86_64.rpm

Red Hat CodeReady Linux Builder EUS (v.8.6):

aarch64:  
bpftool-debuginfo-4.18.0-372.36.1.el8_6.aarch64.rpm  
kernel-debug-debuginfo-4.18.0-372.36.1.el8_6.aarch64.rpm  
kernel-debuginfo-4.18.0-372.36.1.el8_6.aarch64.rpm  
kernel-debuginfo-common-aarch64-4.18.0-372.36.1.el8_6.aarch64.rpm  
kernel-tools-debuginfo-4.18.0-372.36.1.el8_6.aarch64.rpm  
kernel-tools-libs-devel-4.18.0-372.36.1.el8_6.aarch64.rpm  
perf-debuginfo-4.18.0-372.36.1.el8_6.aarch64.rpm  
python3-perf-debuginfo-4.18.0-372.36.1.el8_6.aarch64.rpm

ppc64le:  
bpftool-debuginfo-4.18.0-372.36.1.el8_6.ppc64le.rpm  
kernel-debug-debuginfo-4.18.0-372.36.1.el8_6.ppc64le.rpm  
kernel-debuginfo-4.18.0-372.36.1.el8_6.ppc64le.rpm  
kernel-debuginfo-common-ppc64le-4.18.0-372.36.1.el8_6.ppc64le.rpm  
kernel-tools-debuginfo-4.18.0-372.36.1.el8_6.ppc64le.rpm  
kernel-tools-libs-devel-4.18.0-372.36.1.el8_6.ppc64le.rpm  
perf-debuginfo-4.18.0-372.36.1.el8_6.ppc64le.rpm  
python3-perf-debuginfo-4.18.0-372.36.1.el8_6.ppc64le.rpm

x86_64:  
bpftool-debuginfo-4.18.0-372.36.1.el8_6.x86_64.rpm  
kernel-debug-debuginfo-4.18.0-372.36.1.el8_6.x86_64.rpm  
kernel-debuginfo-4.18.0-372.36.1.el8_6.x86_64.rpm  
kernel-debuginfo-common-x86_64-4.18.0-372.36.1.el8_6.x86_64.rpm  
kernel-tools-debuginfo-4.18.0-372.36.1.el8_6.x86_64.rpm  
kernel-tools-libs-devel-4.18.0-372.36.1.el8_6.x86_64.rpm  
perf-debuginfo-4.18.0-372.36.1.el8_6.x86_64.rpm  
python3-perf-debuginfo-4.18.0-372.36.1.el8_6.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-1158  
https://access.redhat.com/security/cve/CVE-2022-2639  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY487zdzjgjWX9erEAQjEAQ/9EQTsnAHyVlEVQ08iCd0RdZ1vLUr0P+oE  
N6krR4vXBkgdKc3A+I96Ak6M4HywsWhN837xIoa6l2OdaVhhjB28KawcgxeRNaD1  
RuVL8MxMSt6ySf6nDNVirdvRMdQNGRLkAsWcDOlKOj1hTm+KKKJhueARR0L/pbY1  
lk0Pi8HpL6YDbzw7+rmLONxA8o1nLeExAbm1oyi7gYXa/1j0W1fZWL8rABs4AiTV  
hF058uUfVSJ4pyDBqmIH8NojXPirkH5GkgrJ9B1yhgzMbB/sNq8XWnbWTHqBUmA0  
wG9e/2lhcQbWtUBidpgeK+mKZPrMdkLYKV8Kxedvi7+dPeFhULuxcQlzYGh2p0bs  
CqaDMnjzy0kLbneShZKYV0EmS8AyQBxVBBjgx1zSXEFExRnIOBl4uixXnMqlFtSn  
Oxh4TYezIf0dNW+mLI+px+Ej/LESDKwjWJtBmS47RCdeAFo5R7ntkRzUmrHsvxZT  
tZt962uZKlrke2DqDdHMYc0AmFvG+v+Lvf9GRe9Lg/OPPsdMnbxt2CxTBrhct7LL  
6wVNrw3TMve7W3k9ARzmR/xGHxozQ8HOTbfMSOBZbz4ppqzVQI92IkSzGfQVMM0e  
ERmVVMR/fymyPKk+HI/BzSAwXjbymD7qMD4HGqVLAZ+9VEfFWLGDIOJyyxjhvy0K  
6SkDuUnTzgM=  
=ZN/9  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-8809-01

Global security technology provider with 20+ years of experience embraces the next evolution of its business with refreshed brand and invigorated leadership.

**MELVILLE, NY, Dec. 6, 2022 —** Intellicene, a provider of intelligent software platforms that empower organizations to better understand and respond to mission-critical events, today announced the close of its acquisition by Volaris Group and the launch of its new brand. Previously known as Cognyte Situational Intelligence Solutions (SIS), the new Intellicene embodies a strategic new direction and an ambition to being a global security intelligence leader of choice.Led by veteran security executive Alan Stoddard, Intellicene incorporates former SIS employees and assets, including the Symphia suite of technologies. The new name and strategic direction also introduces “The Age of Intelligence” which showcases Intellicene’s mission to transform security management from a reactive endeavor to a proactive process that is highly effective, data-driven, and measurable.

The launch of Intellicene follows an incredibly successful year, which saw the company strengthen its presence with new customer wins. Volaris’ buy-and hold philosophy provides stability, shared best practices and a global footprint that can create new opportunities for Intellicene.Sitting at the nexus of awareness, insight, and action, Intellicene delivers integrated, intelligent software platforms that help leaders better understand and respond to critical situations across their organizations. The company has provided intelligent security management platforms to a wide variety of mission-critical, global businesses for more than 20 years since its formation under Verint Systems in 2002.

“We are excited for Intellicene to enter this next chapter and together with Volaris see compelling opportunities to accelerate our growth trajectory and enhance customer focus,” said CEO Alan Stoddard. “With the strong support of our new owners, we are well positioned to capitalize on the many opportunities before us, and we see tremendous potential to expand our reach into new markets and drive new innovations and capabilities.”

Intellicene is focused on ensuring stakeholders have the right tools to help protect operations, assets, and people. With extensive expertise in the security and IT realms, the company and its team has helped ensure the safety of well-regarded brands by developing solutions that help leaders better understand and respond to critical situations. Its Symphia software platform connects to and correlates data from virtually any device, system, or software, providing the real-time awareness and actionable insights needed to identify potential threats and respond effectively.

“We’re pleased to complete this acquisition and support Alan and the management team in building their vision for Intellicene,” said Carl Bruce, Volaris Group. “We see this market as holding tremendous opportunity, and under our ownership, Intellicene is well positioned for future growth.”

Stoddard brings significant experience in leading global organizations and has more than 12 years of experience in the security industry. In addition to Stoddard, the senior leadership team includes Uri Shaffer, Vice President of Sales for EMEA and APAC; Craig Levin, Chief Financial Officer; Yosi Rahamim, Vice President of Research and Development; Mike Howanitz, Vice President of Sales and Business Operations; Joey Caluori, Vice President of Operations; Eran Wachman, Vice President of Product Management; Tracy Markum, Vice President of Sales for the Americas; and Jeffrey Lewis, Chief Marketing Officer.

**About Intellicene**

Intellicene sits at the nexus of awareness, insight, and action. Our mission is to help organizations worldwide harmonize security, business continuity, and risk management to protect what matters most. By delivering integrated, intelligent software platforms that help you better understand and respond to mission-critical events, Intellicene empowers you to manage the most complex security and business operations efficiently. From mobile applications and AI-driven analytics to infinitely scalable software and intelligent devices, we’re building advanced technology that raises the bar and makes the world safer. For more information, visit intellicene.com.

**About Volaris Group**

Volaris acquires, strengthens, and grows vertical market technology companies. As an Operating Group of Constellation Software Inc., Volaris is all about strengthening businesses within the markets they compete and enabling them to grow – whether that growth comes through organic measures such as new initiatives and product development, day-to-day business, or through complementary acquisitions. Learn more at volarisgroup.com.

Intellicene Brand Launches After Completion of Acquisition by Volaris Group

Hackers with ties to the Iranian government have been linked to an ongoing social engineering and credential phishing campaign directed against human rights activists, journalists, researchers, academics, diplomats, and politicians working in the Middle East.
At least 20 individuals are believed to have been targeted, Human Rights Watch (HRW) said in a report published Monday, attributing the

Privacy / Threat Intelligence

Hackers with ties to the Iranian government have been linked to an ongoing social engineering and credential phishing campaign directed against human rights activists, journalists, researchers, academics, diplomats, and politicians working in the Middle East.

At least 20 individuals are believed to have been targeted, Human Rights Watch (HRW) said in a report published Monday, attributing the malicious activity to an adversarial collective tracked as APT42, which is known to share overlaps with Charming Kitten (aka APT35 or Phosphorus).

The campaign resulted in the compromise of email and other sensitive data belonging to three of the targets. This included a correspondent for a major U.S. newspaper, a women's rights defender based in the Gulf region, and Nicholas Noe, a Lebanon-based advocacy consultant for Refugees International.

The digital break-in entailed gaining access to their emails, cloud storage, calendars, and contacts, as well as exfiltrating the entire data associated with their Google accounts in the form of archive files through Google Takeout.

"Iran's state-backed hackers are aggressively using sophisticated social engineering and credential harvesting tactics to access sensitive information and contacts held by Middle East-focused researchers and civil society groups," Abir Ghattas, information security director at Human Rights Watch, said.

The infection chain commences with the targets receiving suspicious messages on WhatsApp under the pretext of inviting them to a conference and luring the victims into clicking a rogue URL that captured their Microsoft, Google, and Yahoo! login credentials.

These phishing pages are also capable of orchestrating adversary-in-the-middle (AiTM) attacks, thereby making it possible to breach accounts that are secured by two-factor authentication (2FA) other than a hardware security key.

15 of the targeted high-profile individuals are confirmed to have received the same WhatsApp messages between September 15 and November 25, 2022, the international non-governmental organization said.

HRW further pointed out inadequacies in Google's security protections, as the victims of the phishing attack "did not realize their Gmail accounts had been compromised or a Google Takeout had been initiated, in part because the security warnings under Google's account activity do not push or display any permanent notification in a user's inbox or send a push message to the Gmail app on their phone."

The option to request data from Google Takeout lines up with a .NET-based program called HYPERSCRAPE that was first documented by Google's Threat Analysis Group (TAG) earlier this August, although HRW said it could not confirm if the tool was indeed employed in this specific incident.

The attribution to APT42 is based on overlaps in the source code of the phishing page with that of another spoofed registration page that, in turn, was associated to a credential theft attack mounted by an Iran-nexus actor (aka TAG-56) against an unnamed U.S. think tank.

"The threat activity is highly likely indicative of a broader campaign that makes use of URL shorteners to direct victims to malicious pages where credentials are stolen," Recorded Future disclosed late last month. "This tradecraft is common among Iran-nexus advanced persistent threat (APT) groups like APT42 and Phosphorus."

What's more, the same code has been connected to another domain utilized as part of a social engineering attack attributed to the Charming Kitten group and disrupted by Google TAG in October 2021.

It's worth pointing out that despite APT35 and APT42's links to Iran's Islamic Revolutionary Guard Corps (IRGC), the latter is geared more towards individuals and entities for "domestic politics, foreign policy, and regime stability purposes," per Mandiant.

"In a Middle East region rife with surveillance threats for activists, it's essential for digital security researchers to not only publish and promote findings, but also prioritize the protection of the region's embattled activists, journalists, and civil society leaders," Ghattas said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#intel