One attack used 400 mule accounts to steal money by making fraudulent withdrawals, researchers say.

At least 16 African banks, financial services, and telecommunication companies have been identified as victims of the French-speaking threat group OPERA1ER, which has stolen at least $11 million since 2018. 

A new report from Group-IB explains it has been tracking OPERA1ER's activities since 2019; however, they waited to publish its findings until the group resurfaced after a 2021 break. Now the gang is back in action, the analysts explain, allowing Group-IB to document their OPERA1ER TTPs from 2019 through 2021, as well as the latest iteration in 2022. 

The researchers reported OPERA1ER has successfully breached the targets' systems at least 30 times since 2018. As an example of the group's sophistication and coordination, the report added, one of the of the group's attacks used more than 400 mule accounts to make fraudulent money withdrawals.

The group doesn't use exotic malware, in fact, the researchers said in the report that OPERA1ER's hallmark is easily accessible open source malware and everyday red-team frameworks like Metasploit and Cobalt Strike. OPERA1ER delivers remote access Trojans (RATs) through French-language email phishing lures and takes its time gathering intelligence about its victims before "cashing out," the report added. 

"Detailed analysis of the gang’s recent attacks revealed an interesting pattern in their modus operandi: OPERA1ER conducts attacks mainly during the weekends or public holidays," Rustam Mirkasymov, head of cyber-threat research at Group-IB Europe, said in a statement. "It correlates with the fact that they spend from three to 12 months from the initial access to money theft." 

Mirkasymov added the gang could be based out of Africa and the total number of OPERA1ER group members is unknown. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Cybercrime Group OPERA1ER Stole $11M From 16 African Businesses

SMBs concerned about tightening security budgets despite increased risks.

**WATERLOO, ON, Nov. 7, 2022 /PRNewswire/** — OpenText™ _(_NASDAQ: OTEX), (TSX: OTEX), today released results of the OpenText Security Solutions 2022 Global Small-Medium Business (SMB) Ransomware Survey. Findings show growing concern about ransomware attacks, the impact of geopolitical tensions, and rising inflation rates. Eighty-eight percent of respondents noted they are concerned or extremely concerned about an attack impacting their business.

"SMBs are a sweet spot for hackers to exploit because they often lack cybersecurity resources, both technology and security expertise," said Prentiss Donohue, Executive Vice President, OpenText Security Solutions. "Today's complex threat landscape presents a huge risk to SMBs that don't have sufficient cyber resiliency preparation to stop the spread and recover quickly from an attack. With adversaries becoming increasingly sophisticated and relentless, a multi-layered protection strategy is no longer a nice to have, it is a necessity."

**Spotlight findings:**

**SMBs fear tightening security budgets amid growing concern of increased ransomware risks due to heightened geopolitical** **tensions.**

*   More than half (57%) of SMBs are worried about their cybersecurity budget shrinking amid rising inflation rates.
*   Fifty-two percent of respondents feel more at risk of suffering a ransomware attack because of heightened geopolitical tensions.
*   Eighty-four percent are concerned about a ransomware attack impacting their business.

**There's a concerning lack of awareness among SMBs when it comes to knowing if they've suffered a ransomware attack. Meanwhile, budgets to protect against these risks are low.**

*   Nearly half (46%) of SMBs have experienced a ransomware attack, yet 67% still don't think or aren't sure they are a ransomware target.
*   The majority (60%) of respondents are not confident or only somewhat confident that they can fend off a ransomware attack.
*   Despite many having experienced an attack before, security budgets are minimal to protect against ransomware and other threats:

*   60% spend less than $50,000 per year.
*   50% spend less than $20,000 per year.
*   Only 10% spend more than $50,000 per year.

**Managed service providers (MSPs) are an appealing security option for SMBs to offset resource constraints.**

*   More SMBs outsource their security to an IT provider or MSP than not, with 58% using external security management support.
*   Concurrently, 65% of SMBs that don't currently use a MSP would consider doing so in the future.

**Survey Resources Now Available:**

To learn more about the findings of the OpenText Security Solutions 2022 Global SMB Ransomware Survey, view the infographic (PDF) or read the blog.

**Survey Methodology**

OpenText Security Solutions polled 1,332 security and IT professionals from small and medium-sized businesses (SMBs), up to 1,000 employees, in the United States, the United Kingdom, and Australia from September 24 to October 10, 2022. Respondents represented a range of roles from security and technical employees to the C-Suite, and across multiple industries including technology, retail, education, manufacturing, healthcare and more.

**About OpenText Security Solutions**

As attack surfaces expand, OpenText Security Solutions help organizations of every size achieve cyber resilience with Webroot Security, Carbonite Data Management, BrightCloud® Threat Intelligence, and EnCase Digital Forensics and Threat Response. With a united front of best practices paired with layered solutions, we prevent, detect, and restore small, mid-sized and enterprise business operations in the event of a cybersecurity attack.

**About OpenText**  
OpenText, The Information Company™, enables organizations to gain insight through market leading information management solutions, powered by OpenText Cloud Editions. For more information about OpenText (NASDAQ: OTEX, TSX: OTEX) visit opentext.com.

**Connect with us:**  
OpenText CEO Mark Barrenechea's blog  
Twitter | LinkedIn

Certain statements in this press release may contain words considered forward-looking statements or information under applicable securities laws. These statements are based on OpenText's current expectations, estimates, forecasts and projections about the operating environment, economies and markets in which the company operates. These statements are subject to important assumptions, risks and uncertainties that are difficult to predict, and the actual outcome may be materially different. OpenText's assumptions, although considered reasonable by the company at the date of this press release, may prove to be inaccurate and consequently its actual results could differ materially from the expectations set out herein. For additional information with respect to risks and other factors which could occur, see OpenText's Annual Report on Form 10-K, Quarterly Reports on Form 10-Q and other securities filings with the SEC and other securities regulators. Unless otherwise required by applicable securities laws, OpenText disclaims any intention or obligations to update or revise any forward-looking statements, whether as a result of new information, future events or otherwise.

Copyright © 2022 OpenText. All Rights Reserved. Trademarks owned by OpenText. One or more patents may cover this product(s). For more information, please visit https://www.opentext.com/patents.

**SOURCE:** Open Text Corporation

OpenText Security Solutions Global SMB Ransomware Survey Reveals Heightened Worry About Increased Cyberattacks Due to Geopolitical Tensions

Plus: Liz Truss’ phone-hacking trouble, Cash App’s sex-trafficking problem, and the rising cost of ransomware.

Open internet proponents were relieved last month when an American candidate beat a Russian challenger in an election to run the International Telecommunications Union, an important international standards body tasked with cross-boundary communications. Meanwhile, though, we took a look at the fragility of the world’s internet infrastructure and the vulnerability of crucial undersea cables.

Researchers see evidence that the US’s new legal climate for abortion access is promoting a culture of community surveillance, a hallmark of authoritarian states in which neighbors and friends are encouraged to report possible wrongdoing. And surveillance is on the rise in soccer stadiums around the world as well. The eight stadiums in use during the 2022 World Cup in Qatar, for example, will be packed with more than 15,000 cameras to monitor spectators and to conduct biometric scanning.

The more secure, “memory safe” programming language Rust is making inroads across the tech industry, offering hope that a massive swath of common vulnerabilities could eventually be preempted and eliminated. In the meantime, we’ve got a roundup of the most important vulnerabilities that you can—and should!—patch right now.

And there’s more. Each week, we highlight the news we didn’t cover in-depth ourselves. Click on the headlines below to read the full stories. And stay safe out there.

There’s no longer a question about whether TikTok staff in China can access Europeans’ data. The company this week announced that it plans to update its privacy policy to explicitly list China as one of the countries where workers can access data from users in the European Union, such as location data that users opt to share. TikTok’s policy update comes amid a yearlong investigation by Ireland’s Data Protection Commission, which is looking into its data-transfer policies under the EU’s General Data Protection Regulation. The inquiry is part of Western governments’ increased scrutiny of the video-sharing platform, which some US officials have characterized as a national security threat due to frequently close relationships between Chinese companies and the government in Beijing. TikTok, which is owned by China-based ByteDance, says in its announcement that its privacy policy update is meant to “include greater transparency into how we share user information outside of Europe and how we collect user location information.” The new policy goes into effect on December 2.

Liz Truss is having a rough time. Soon after her historically brief stint as the UK prime minister, the _Mail on Sunday_ reported that agents working on behalf of Russia had hacked her personal cell phone when she was foreign minister. The breach allegedly allowed these Russian operatives to intercept messages between Truss and officials in other countries, including messages about Ukraine. The _Mail_ report further claims that former prime minister Boris Johnson and cabinet secretary Simon Case suppressed the breach. While the breach remains unconfirmed, Labor Party officials are calling for an “urgent investigation” into their Conservative opponents. "There are immensely important national security issues raised by an attack like this by a hostile state which will have been taken extremely seriously by our intelligence and security agencies," Labor Party shadow home secretary Yvette Cooper said last weekend. "There are also serious security questions around why and how this information has been leaked or released right now, which must also be urgently investigated."

Another of Jack Dorsey’s corporate creations is facing new heat this week. According to a _Forbes_ investigation, the Cash App is helping fuel sex trafficking in the US and elsewhere. Based on police records, “hundreds of court filings,” and claims by former Cash App employees, the investigation found rampant use of the Cash App in sex trafficking and other crimes. The company, which is owned by Dorsey-led Block Inc., maintains that it “does not tolerate illegal activity on Cash App” and has staff dedicated to working with law enforcement. Meanwhile, the National Center for Missing and Exploited Children says that although rival payment platforms like PayPal provide the the center with tips about potential child abuse facilitated by their services, _Forbes_ writes, “Block hasn’t provided any tips, ever.”

The US Treasury Department this week said US financial institutions facilitated ransomware payments totaling nearly $1.2 billion in 2021—a 200 percent increase since 2020. The report landed amid an international White House summit aiming to combat the rise of ransomware, a type of malware that allows attackers to encrypt a target’s files and hold them for ransom until the victim pays. Himamauli Das, acting director of the Treasury Department’s Financial Crimes Enforcement Network, said in a statement that “ransomware—including attacks perpetrated by Russian-linked actors—remain a serious threat to our national and economic security. While $1.2 billion in payments is already painful enough, the number does not take into account the costs and other financial consequences that come with a ransomware attack outside of the payment itself.

TikTok Admits Staff in China Can Access Europeans’ Data

Microsoft is warning of an uptick in the nation-state and criminal actors increasingly leveraging publicly-disclosed zero-day vulnerabilities for breaching target environments.
The tech giant, in its 114-page Digital Defense Report, said it has "observed a reduction in the time between the announcement of a vulnerability and the commoditization of that vulnerability," making it imperative that

Microsoft is warning of an uptick in the nation-state and criminal actors increasingly leveraging publicly-disclosed zero-day vulnerabilities for breaching target environments.

The tech giant, in its 114-page Digital Defense Report, said it has "observed a reduction in the time between the announcement of a vulnerability and the commoditization of that vulnerability," making it imperative that organizations patch such exploits in a timely manner.

This also corroborates an April 2022 advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which found that bad actors are "aggressively" targeting newly disclosed software bugs against broad targets globally.

Microsoft noted that it only takes 14 days on average for an exploit to be available in the wild after public disclosure of a flaw, stating that while zero-day attacks are initially limited in scope, they tend to be swiftly adopted by other threat actors, leading to indiscriminate probing events before the patches are installed.

It further accused Chinese state-sponsored groups of being "particularly proficient" at discovering and developing zero-day exploits.

This has been compounded by the fact that the Cyberspace Administration of China (CAC) enacted a new vulnerability reporting regulation in September 2021 that requires security flaws to be reported to the government prior to them being shared with the product developers.

Redmond further said the law could enable government-backed elements to stockpile and weaponize the reported bugs, leading to the increased use of zero-days for espionage activities designed to advance its economic and military interests.

Some of the vulnerabilities that were first exploited by Chinese actors before being picked up other adversarial groups include -

*   **CVE-2021-35211** (CVSS score: 10.0) - A remote code execution flaw in SolarWinds Serv-U Managed File Transfer Server and Serv-U Secure FTP software that was exploited by DEV-0322.
*   **CVE-2021-40539** (CVSS score: 9.8) - An authentication bypass flaw in Zoho ManageEngine ADSelfService Plus that was exploited by DEV-0322 (TiltedTemple).
*   **CVE-2021-44077** (CVSS score: 9.8) - An unauthenticated remote code execution flaw in Zoho ManageEngine ServiceDesk Plus that was exploited by DEV-0322 (TiltedTemple).
*   **CVE-2021-42321** (CVSS score: 8.8) - A remote code execution flaw in Microsoft Exchange Server that was exploited three days after it was revealed during the Tianfu Cup hacking contest on October 16-17, 2021.
*   **CVE-2022-26134** (CVSS score: 9.8) - An Object-Graph Navigation Language (OGNL) injection flaw in Atlassian Confluence that's likely to have been leveraged against an unnamed U.S. entity days before the flaw's disclosure on June 2.

The findings also come almost a month after CISA released a list of top vulnerabilities weaponized by China-based actors since 2020 to steal intellectual property and develop access into sensitive networks.

"Zero-day vulnerabilities are a particularly effective means for initial exploitation and, once publicly exposed, vulnerabilities can be rapidly reused by other nation state and criminal actors," the company said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Warns of Uptick in Hackers Leveraging Publicly-Disclosed 0-Day Vulnerabilities

Dark Reading's analysis suggests that Human Security's acquisition of clean.io will significantly expand the company's fraud prevention and anti-malvertising portfolio.

When dealing with a medium as flexible as the Web, it’s impossible for the site owner to fully control what a user sees. The user doesn't need the site's consent to change the user interface or experience through add-ons, custom browser properties, proxies, and firewall settings.

However, certain things are still within the site owner’s control, such as advertiser selection, security, pricing, and content policy. That's the idea behind _site integrity_, that the user or third parties can't try to force a change on the server or the site's backend operations without consent. If someone, or something, can violate site integrity, that is a threat with real business impact.

An example is malvertising, when cybercriminals abuse the programmatic advertising ecosystem to deliver malware to end users via online advertisements. Exposing users to malware is bad enough, but malvertising creates a significant brand reputation problem for the brands and platforms delivering the ads.

How does Human Security's acquisition of clean.io — announced on Thursday for an undisclosed amount — change the market for anti-malvertising technology? Dark Reading's analysis of the two companies suggests that by joining forces, Human Security and clean.io will be able to offer publishers, platforms, and brands a full range of anti-fraud and anti-abuse tools for the advertising ecosystem.

**What's So Great About Clean Humans?**

Safeguarding the advertising ecosystem means ensuring the industry's $500 billion annual ad spend reaches real humans rather than funding criminal schemes. Toward that goal, clean.io employs real-time behavioral protections on the page, as opposed to relying on static creative reviews and pre-scanning techniques offline, according to Human Security. Integrating clean.io's client-side JavaScript behavioral analysis and mitigation to Human Security's Human Defense Platform will make malvertising incredibly costly for bad actors, the company says.

"Human and clean.io have long been strategic partners to help combat two of the most important problems we face in programmatic advertising: malvertising and fraud," Ron Lissack, senior vice president and chief architect at Xandr, said in the release announcing the acquisition. "This type of consolidation in the ecosystem is welcome news and brings with it a true and holistic, 360-degree approach to fighting cybercrime."

**A Solution to the Cart Problem**

Many merchants and retailers rely on coupons to help boost sales (more than 90% of online consumers say they search for and use coupon codes while shopping online), but when those coupons are abused, they have to deal with lost revenue and damaged brand reputation. Between taking the hit on the coupons themselves, having to pay affiliate fees to the coupon app folks, and getting false impressions about the success of certain ad campaigns, coupon fraud is no joke.

Fraud prevention is Human's bread and butter, and Dark Reading's analysis suggests that cart protection is one of the areas that will benefit from the clean.io acquisition. Human Security can expand its concept of site integrity to include fighting checkout fraud and automated coupon and affiliate code replication. By integrating clean.io's cleanCart technology into its BotGuard product, Human Security can expand coverage beyond the detection and elimination of fake leads from the first-party marketing pool.

This combination will eliminate fake affiliates from the pool in some cases, and in others drastically reign in affiliate payouts for out-of-scope automated coupon redemptions.

It's a potent combination; cleanCart was already boasting a 3% conversion rate boost, while claiming to pay for itself entirely within 90 days of purchase. Add BotGuard's improvement to lead quality and conversion rates, and the percentage of fraudulently sourced clients making it through the checkout process should be low.

**Final Analysis**

Human Security is creating a significant pattern of scalable growth through innovation and acquisition. While the recent merger with PerimeterX took them deep into the enterprise e-commerce checkout process, the clean.io acquisition will help stop fraud at its source through its anti-malvertising leadership and bridge the gap, making potential tech partnerships with e-commerce solutions as a whole (Shopify, WooCommerce, et al.) and cart-specific solutions (X-Cart, OpenCart, etc.) even more attractive.

The acquisition of clean.io by Human Security should give a significant boost to the company's real-time fraud detection capabilities and increase its ability to catch novel threats in the wild. The sheer amount of threat intelligence the combined company will have visibility into is another significant product advantage.

"With the clean.io acquisition, the Satori team will gain invaluable talent and threat intelligence. This will help us defend our customers from future attacks and support disruption efforts like 3ve, Methbot, PARETO, and most recently, Scylla," Gavin Reid, vice president of threat intelligence and research at Human Security, said in a statement. "We're looking forward to expanding our investigative power and strengthening our takedown mechanisms to continue safeguarding all of our clients and the industry as a whole."

Human Security Tackles Malvertising With Clean.io Buy

An analysis of the RomCom APT shows the group is expanding its efforts beyond the Ukrainian military into the UK and other English-speaking countries.

The RomCom threat group is actively using trojanized versions of popular software products, including SolarWinds Network Performance Monitor, KeePass Open-Source Password Manager, and PDF Reader Pro, to target various English-speaking countries — especially the UK — with a remote access Trojan (RAT). It's a departure in tactics, techniques, and procedures for the advanced persistent threat (APT).

During an analysis of a previous RomCom RAT campaign against the Ukraine military that used fake Advanced IP Scanner software to deliver malware, the threat research and intelligence team at BlackBerry discovered additional, more widespread campaigns being waged in other geolocations. The researchers determined the UK and other English-speaking countries were new RomCom targets based on the analysis of the terms of service and the SSL certificates of a new command-and-control server, which was registered in the UK.

Dmitry Bestuzhev, distinguished threat researcher with BlackBerry, tells Dark Reading that the UK is now actually one of the biggest RomCom targets, based on Blackberry's analysis.

"It's predictable, since the US and UK have been the most active supporters of Ukraine in the war with Russia," Bestuzhev says.

Once dropped, the RomCom RAT is designed to exfiltrate any sensitive data or passwords.

"Information is valuable, and when it's strategic, it helps the attacker build better offensive strategies and take advantage in any domain," Bestuzhev adds. "Geopolitics will set new targets. Since RomCom has been widely exposed, it's reasonable to believe the group behind it might change their TTPs."

This isn't the first shift in strategy for the group. "When RomCom was discovered, it was publicly associated with ransomware," Bestuzhev says. "The most recent campaigns prove that the motivation of this threat actor is not money. There is a geopolitical agenda that defines the new targets."

**RomCom RAT's Wrap**

The trojanizing scheme isn't terribly complicated, the BlackBerry team explained in its report.

RomCom scrapes the code from the software vendor the APT wants to use, registers a malicious domain that's likely to trick the user with typosquatting or similar tactics, trojanizes the real application, and then uploads the malware to the spoofed site. It then sends a phishing lure to the intended target through various channels, and boom — target compromised.

The wrapping approach isn't new, Andrew Barratt, vice president with Coalfire, tells Dark Reading; other APTs and groups like FIN7 have used similar tactics.

"This attack looks like it's a direct copycat of some attacks we investigated during the pandemic, where we saw a number of vendor products support tools being mimicked or 'wrapped' with malware," Barratt says. "The 'wrapping' process means that the underlying legitimate tool is still deployed, but as part of that deployment, some malware is dropped into the target environment."

**RomCom Targeting Humans**

To defend against RomCom attacks, Mike Parkin, senior technical engineer with Vulcan Cyber, recommends forgetting about the state espionage aspect of the campaign and instead focusing on social engineering and the true targets — individuals.

"With the current geopolitical situation, it's quite likely there is a state-level involvement behind the scenes. At its core, though, this is an attack against human targets," Parkin explains to Dark Reading. "They are primarily relying on victims being social engineered through email to go to a malicious site disguised as a legitimate one. That makes the users the first line of defense, as well as the primary attack surface."

RomCom Malware Woos Victims With 'Wrapped' SolarWinds, KeePass Software

For whatever reason, the majority of the phony LinkedIn profiles reviewed by this author have involved young women with profile photos that appear to be generated by artificial intelligence (AI) tools.

We’re seeing rapid advances in AI-based synthetic image generation technology and we’ve created a deep learning model to better catch profiles made with this technology. AI-based image generators can create an unlimited number of unique, high-quality profile photos that do not correspond to real people. Fake accounts sometimes use these convincing, AI-generated profile photos to make their fake LinkedIn profile appear more authentic.

Responding to a recent surge in AI-generated bot accounts, **LinkedIn** is rolling out new features that it hopes will help users make more informed decisions about with whom they choose to connect. Many LinkedIn profiles now display a creation date, and the company is expanding its domain validation offering, which allows users to publicly confirm that they can reply to emails at the domain of their stated current employer.

LinkedIn’s new “About This Profile” section — which is visible by clicking the “More” button at the top of a profile — includes the year the account was created, the last time the profile information was updated, and an indication of how and whether an account has been verified.

LinkedIn also said it is adding a warning to some LinkedIn messages that include high-risk content, or that try to entice the user into taking the conversation to another platform (like WeChat).

“We may warn you about messages that ask you to take the conversation to another platform because that can be a sign of a scam,” the company said in a blog post. “These warnings will also give you the choice to report the content without letting the sender know.”

In late September 2022, KrebsOnSecurity warned about the proliferation of fake LinkedIn profiles for Chief Information Security Officer (CISO) roles at some of the world’s largest corporations. A follow-up story on Oct. 5 showed how the phony profile problem has affected virtually all executive roles at corporations, and how these fake profiles are creating an identity crisis for the businesses networking site and the companies that rely on it to hire and screen prospective employees.

Reporting here last month also tracked a massive drop in profiles claiming to work at several major technology companies, as LinkedIn apparently took action against hundreds of thousands of inauthentic accounts that falsely claimed roles at these companies.

For example, on October 10, 2022, there were 576,562 **LinkedIn** accounts that listed their current employer as **Apple Inc.** The next day, half of those profiles no longer existed. At around the same time, the number of LinkedIn profiles claiming current roles at **Amazon** fell from roughly 1.25 million to 838,601 in just one day, a 33 percent drop.

For whatever reason, the majority of the phony LinkedIn profiles reviewed by this author were young women with profile photos that appear to have been generated by artificial intelligence (AI) tools.

“We’re seeing rapid advances in AI-based synthetic image generation technology and we’ve created a deep learning model to better catch profiles made with this technology,” LinkedIn’s **Oscar Rodriguez** wrote. “AI-based image generators can create an unlimited number of unique, high-quality profile photos that do not correspond to real people.”

It remains unclear who or what is behind the recent proliferation of fake executive profiles on LinkedIn, but likely they are from a combination of scams. Cybersecurity firm **Mandiant** (recently acquired by **Google**) told Bloomberg that hackers working for the North Korean government have been copying resumes and profiles from leading job listing platforms LinkedIn and **Indeed**, as part of an elaborate scheme to land jobs at cryptocurrency firms.

Identity thieves have been known to masquerade on LinkedIn as job recruiters, collecting personal and financial information from people who fall for employment scams.

Also, fake profiles also may be tied to so-called “pig butchering” scams, wherein people are lured by flirtatious strangers online into investing in cryptocurrency trading platforms that eventually seize any funds when victims try to cash out.

LinkedIn Adds Verified Emails, Profile Creation Dates

Authentication idea advanced but not yet fulfilled

Authentication idea advanced but not yet fulfilled

ANALYSIS Advances in technology over the last decade have enabled academics to make progress in creating so-called one-time programs.

One-time programs (OTPs) – originally presented at the Crypto ‘08 conference – describe a type of cryptographically obfuscated computer program that can be run only once, a special property that makes them useful for several applications and use cases.

OTPs were first proposed by researchers Goldwasser, Kalai, and Rothblum.

The general idea is that ‘Alice’ can send ‘Bob’ a computer program that is encrypted in such a way that:

1.  Bob can run the program on any computer with any valid inputs and obtain a correct result. Bob cannot rerun the program with different inputs.
2.  Bob can learn nothing about the secret program by running it.

The run-only-once requirement runs into trouble because it would be trivial to install a run-once-only program on multiple virtual machines, trying each one with different inputs. This would violate the whole premise of the technology.

The original idea for thwarting this (fairly obvious) hack was to only allow the secret program to run if accompanied by a physical token that somehow enforced the one-time rule for running the copy of the secret program that Alice had sent to Bob.

No such tokens were ever made, so the whole idea has lain dormant for more than a decade.

**OTP revived**

But now a team of computer scientists from Johns Hopkins University and NTT Research have laid the groundwork for how it might be possible to build one-time programs using a combination of the functionality found in the chips found in mobile phones and cloud-based services.

More specifically they have hacked ‘counter lockbox’ technology and applied its use to an unintended purpose. Counter lockboxes protect an encryption key under a user-specified password, enforcing a limited number of incorrect password guesses (typically 10) before the protected information is erased.

The hardware security module in iPhones or Android smartphones provides the needed base functionality, but it needs to be wrapped around technology that prevents Bob from attempting to cheat the system – the focus of the research.

**Garbled circuits**

The researchers’ work shows how multiple counter lockboxes might be chained together to form so-called ‘garbled circuits’, a construction that might be used to build one-time programs.

A paper describing this research, entitled ‘One-Time Programs from Commodity Hardware’ is due to be presented at the upcoming Theory of Cryptography conference (TCC 2022).

The clearest application for OTPs is preventing brute-force attacks, says one researcher

  
**Hardware-route discounted**

One alternative means of constructing one-time programs, considered by the paper, is using tamper-proof hardware. But tamper-proof hardware would require a “token with a very powerful and expensive (not to mention complex) general-purpose CPU”, as explained in a blog post by cryptographer Matthew Green, a professor at Johns Hopkins University and one of the co-authors of the paper.

“This would be costly and worse, \[and\] would embed a large attack software and hardware attack surface – something we have learned a lot about recently thanks to Intel’s SGX, which keeps getting broken by researchers,” Green explains.

RELATED Post-quantum cryptography hits standardization milestone

Rather than relying on hardware or the potential use of blockchain plus cryptographic tool-based technology, the Johns Hopkins’ researchers have built a form of memory device or token that spits out and erases secret keys when asked. It takes hundreds of lockboxes to make this construction – at least 256 for a 128-bit secret, a major drawback that the researchers are yet to overcome.

In practical terms, someone could realize this technology by creating multiple iCloud or Google accounts and then using Apple’s iCloud Key Vault \[pdf\] or Google’s Titan Backup service to store a ‘backup key’ for each of them. This is anything but elegant and the computer scientists at John Hopkins are inviting other researchers to progressing their research by coming up with neater schemes.

**A bastion against brute-force attacks**

Harry Eldridge from Johns Hopkins University, who is lead author of the paper, told The Daily Swig that one-time programs could have multiple uses.

“The clearest application of a one-time program (OTP) is preventing brute-force attacks against passwords,” Eldridge explained. “For example, rather than send someone an encrypted file, you could send them an OTP that outputs the file if given the correct password. Then, the person on the other end can input their password to the OTP and retrieve the file.

“However, because of the one-time property of the OTP, a malicious actor only gets one chance to guess the password before being locked out forever, meaning that much weaker passwords \[such as a four-digit PIN\] can actually be pretty secure,” Eldridge added.

More generally this could be applied to other forms of authentication – for example if you wanted to protect a file using some sort of biometric match like a fingerprint or face scan.

**‘Autonomous’ ransomware risk**

One danger posed by the approach is that bad guys might use the technique to develop ‘autonomous’ ransomware.

“Typically, ransomware needs to ‘phone home’ somehow in order to fetch the decryption keys after the bounty has been paid, which adds an element of danger to the group perpetrating the attack,” according to Eldridge. “If they were able to use one-time programs however, they could include with the ransomware an OTP that outputs the decryption keys when given proof that an amount of bitcoin has been paid to a certain address, completely removing the need to phone home at all.”

Read more of the latest encryption security news

The feedback on the work so far has been “generally positive”, according to Eldridge.

“\[Most agree\] with the motivation that OTPs are an interesting but mostly unrealized cryptographic idea, with the most common criticism being that the number of lockboxes required by our construction is still rather high,” Eldridge told The Daily Swig. “There is possibly a way to more cleverly use lockboxes that would allow for fewer of them to be used.”

Professor Alan Woodward, a computer scientist at the University of Surrey, welcomed the research.

“It’s a nice paper and it doesn’t claim to be the ultimate answer: it gives a solution in the hope that others may find better ways of doing the same thing,” Prof. Woodward told The Daily Swig.

“If achievable it means one-time programs become viable, and that opens up an interesting array of applications where you want someone to be able to run your program but not to be able to undertake differential analysis to learn about how the program functions.”

RECOMMENDED Matrix address flaws that break message encryption assurances

Boffins rekindle one-time program cryptographic concept

The settlement muddies the waters even further for the viability of war exclusion clauses when it comes to cyber insurance.

Mondelez International, maker of Oreos and Ritz Crackers, has settled a lawsuit against its cyber insurer after the provider refused to cover a multimillion-dollar clean-up bill stemming from the sprawling NotPetya ransomware attack in 2017.

The snack giant originally brought the suit against Zurich American Insurance back in 2018, after NotPetya had completed its global cyber-ransacking of major multinational corporations, and the case has since been tied up in court. Terms of the deal have not been disclosed, but a "settlement" would indicate a compromise resolution — illustrating just how thorny an issue cyber-insurance exclusion clauses can be.

**NotPetya: Act of War?**

The lawsuit hinged on the contract terms in the cyber insurance policy — specifically, an exclusion carve-out for damages caused by acts of war.

NotPetya, which the US government in 2018 dubbed the "most destructive and costliest cyberattack in history," started out as compromising Ukrainian targets before spreading globally, ultimately impacting companies in 65 countries and costing billions in damage. It spread rapidly thanks to the use of the EternalBlue worming exploit in the attack chain, which is a leaked NSA weapon that allows malware to self-propagate from system to system using Microsoft SMB file shares. Notable victims of the attack included FedEx, shipping behemoth Maersk, and pharmaceutical giant Merck, among many others.

In the case of Mondelez, the malware locked up 1,700 of its servers and a staggering 24,000 laptops, leaving the corporation incapacitated and reeling from more than $100 million in damages, downtime, lost profits, and remediation costs.

As if that weren't tough enough to swallow, the food kahuna soon found itself choking on the response from Zurich American when it filed a cyber insurance claim: The underwriter had no intention of covering the costs, citing the aforementioned exclusion clause that included the language "hostile or warlike action in time of peace or war" by a "government or sovereign power."

Thanks to world governments' attribution of NotPetya to the Russian state, and the original mission of the attack to strike a known kinetic adversary of Moscow, Zurich American had a case — despite the fact that the Mondelez attack was certainly unintended collateral damage.

However, Mondelez argued that Zurich American's contract left some disputed crumbs on the table, as it were, given the lack of clarity in what could and could not be covered in an attack. Specifically, the insurance policy clearly stated that it would cover "all risks of physical loss or damage" — emphasis on "all" — "to electronic data, programs, or software, including loss or damage caused by the malicious introduction of a machine code or instruction." It's a situation that NotPetya perfectly embodies.

Caroline Thompson, head of underwriting at Cowbell Cyber, a cyber insurance provider for small and midsize businesses (SMBs), notes that the lack of clear cyber insurance policy-wording left the door open for Mondelez' appeal — and should act as a cautionary message to others negotiating coverage.

"The scope of coverage, and the application of war exclusions, remains one of the most challenging areas for insurers as cyber threats continue to evolve, businesses increase their dependencies on digital operations, and geopolitical tensions continue to have widespread impact," she tells Dark Reading. "It is paramount for insurers to be familiar with the terms of their policy and seek clarification where needed, but also opt for modern cyber-policies that can evolve and adapt at the pace their risk and exposures do."

**War Exclusions**

There's one glaring issue in making war exclusions stick for cyber insurance: he difficulty in proving that attacks are indeed "acts of war" — a burden that generally requires determining on whose behalf they're carried out.

In the best of cases, attribution is more of an art than a science, with a shifting set of criteria underpinning any confident finger-pointing. Rationales for advanced persistent threat (APT) attribution often rely on far more than quantifiable technology artifacts, or overlaps in infrastructure and tooling with known threats.

Squishier criteria can include aspects such as victimology (i.e., are the targets consistent with state interests and policy goals?; the subject matter of social-engineering lures; coding language; level of sophistication (does the attacker need to be well-resourced? Did they use an expensive zero day?); and motive (is the attack bent on espionage, destruction, or financial gain?). There's also the issue of false-flag operations, where one adversary manipulates these levers to frame a rival or adversary.

"What is shocking to me is the idea of verifying that these attacks can be reasonably attributed to a state — how?" says Philippe Humeau, CEO and co-founder of CrowdSec. "It is well known that you can hardly track a decently skilled cybercriminal's base of operations, since air-gapping their operations is the first line of their playbook. Two, governments are not willing to actually admit they do provide cover for the cybercriminals in their countries. Three, cybercriminals in many parts of the world are usually some mix of corsairs and mercenaries, faithful to whatever entity/nation-state may be funding them, but totally expandable and deniable if there are ever questions about their affiliation."

That's why, absent a government taking responsibility for an attack a la terrorism groups, most threat-intelligence firms will caveat state-sponsored attribution with phrases like, "we determine with low/moderate/high confidence that XYZ is behind the attack," and, to boot, different firms may determine different sources for any given attack. If it's that difficult for professional cyber-threat-hunters to pin down the culprits, imagine how difficult it is for cyber-insurance adjusters operating with a fraction of the skills.

If the standard for proof of an act of war is wide governmental consensus, this also poses issues, Humeau says.

"Accurately attributing attacks to nation-states would require cross-country legal cooperation, which has historically proven to be both difficult and slow," says Humeau. "So the idea of attributing these attacks to nation-states who will never 'fess up to it leaves too much room for doubt, legally speaking."

**An Existential Threat to Cyber Insurance?**

To Thompson's point, one of the realities in today's environment is the sheer volume of state-sponsored cyber activity in circulation. Bryan Cunningham, attorney and advisory council member at data security company Theon Technology, notes that if more and more insurers simply deny all claims stemming from such activity, there could be very few payouts indeed. And, ultimately, companies may not see cyber-insurance premiums as worth it anymore.

"If a significant number of judges actually begin allowing carriers to exclude coverage for cyberattacks just upon a claim that a nation-state was involved, this will be as devastating to the cyber insurance ecosystem as 9/11 was (temporarily) to commercial real estate," he says. "As a result, I do not think many judges will buy this, and proof, in any event, will almost always be difficult."

In a different vein, Ilia Kolochenko, chief architect and CEO of ImmuniWeb, notes that the cybercriminals will find a way to use the exclusions to their advantage — undercutting the value of having a policy even further.

"The problem stems from a possible impersonation of well-known cyber-threat actors," he says. "For instance, if cybercriminals — unrelated to any state — wish to amplify the damage caused to their victims by excluding the eventual insurance coverage, they may simply try to impersonate a famous state-backed hacking group during their intrusion. This will undermine trust in the cyber-insurance market, as any insurance may become futile in the most serious cases that actually require the coverage and justify the premiums paid."

**The Question of Exclusions Remains Unsettled**

Even though the Mondelez-Zurich American settlement would seem to indicate that the insurer succeeded in at least partially making its point (or perhaps neither side had the stomach for incurring further legal costs), there is conflicting legal precedent.

Another NotPetya case between Merck and ACE American Insurance over the same issue was put to bed in January, when the Superior Court of New Jersey ruled that act of war exclusions only extend to real-world physical warfare, resulting in the underwriter paying up a heaping $1.4 billion serving of claims settlement.

Despite the unsettled nature of the area, some cyber-insurers are going forward with war exclusions, most notably Lloyd's of London. In August the market stalwart told its syndicates that they will be required to exclude coverage for state-backed cyberattacks beginning in April 2023. The idea, the memo noted, is to protect insurance companies and their underwriters from catastrophic loss.

Even so, success for such policies remains to be seen.

"Lloyd's, and other carriers, are working on making such exclusions stronger and absolute, but I think this, too, ultimately will fail because the cyber-insurance industry likely could not survive such changes for long," Theon's Cunningham says.

Oreo Giant Mondelez Settles NotPetya 'Act of War' Insurance Suit

Several artifacts from recent attacks strongly suggest a connection between the two operations, researchers say.

FIN7, a financially motivated cybercrime organization that is estimated to have stolen well over $1.2 billion since surfacing in 2012, is behind Black Basta, one of this year's most prolific ransomware families.

That's the conclusion of researchers at SentinelOne based on what they say are various similarities in the tactics, techniques, and procedures between the Black Basta campaign and previous FIN7 campaigns. Among them are similarities in a tool for evading endpoint detection and response (EDR) products; similarities in packers for packing Cobalt Strike beacon and a backdoor called Birddog; source code overlaps; and overlapping IP addresses and hosting infrastructure.

**A Collection of Custom Tools**

SentinelOne's investigation into Black Basta's activities also unearthed new information about the threat actor's attack methods and tools. For example, the researchers found that in many Black Basta attacks, the threat actors use a uniquely obfuscated version of the free command-line tool ADFind for gathering information about a victim's Active Directory environment.

They found Black Basta operators are exploiting last year's PrintNightmare vulnerability in Windows Print Spooler service (CVE-2021-34527) and the ZeroLogon flaw from 2020 in Windows Netlogon Remote Protocol (CVE-2020-1472) in many campaigns. Both vulnerabilities give attackers a way to gain administrative access on domain controllers. SentinelOne said it also observed Black Basta attacks leveraging "NoPac," an exploit that combines two critical Active Directory design flaws from last year (CVE-2021-42278 and CVE-2021-42287). Attackers can use the exploit to escalate privileges from that of a regular domain user all the way to domain administrator.

SentinelOne, which began tracking Black Basta in June, observed the infection chain beginning with the Qakbot Trojan-turned-malware dropper. Researchers found the threat actor using the backdoor to conduct reconnaissance on the victim network using a variety of tools including AdFind, two custom .Net assemblies, SoftPerfect's network scanner, and WMI. It's after that stage that the threat actor attempts to exploit the various Windows vulnerabilities to move laterally, escalate privileges, and eventually drop the ransomware. Trend Micro earlier this year identified the Qakbot group as selling access to compromised networks to Black Basta and other ransomware operators. 

"We assess it is highly likely the Black Basta ransomware operation has ties with FIN7," SentinelOne's SentinelLabs said in a blog post on Nov. 3. "Furthermore, we assess it is likely that the developer(s) behind their tools to impair victim defenses is, or was, a developer for FIN7."

**Sophisticated Ransomware Threat**

The Black Basta ransomware operation surfaced in April 2022 and has claimed at least 90 victims through the end of September. Trend Micro has described the ransomware as having a sophisticated encryption routine that likely uses unique binaries for each of its victims. Many of its attacks have involved a double-extortion technique where the threat actors first exfiltrate sensitive data from a victim environment before encrypting it. 

In the third quarter of 2022, Black Basta ransomware infections accounted for 9% of all ransomware victims, putting it in second place behind LockBit, which continued by far to be the most prevalent ransomware threat — with a 35% share of all victims, according to data from Digital Shadows.

"Digital Shadows has observed the Black Basta ransomware operation targeting the industrial goods and services industry, including manufacturing, more than any other sector," says Nicole Hoffman, senior cyber-threat intelligence analyst, at Digital Shadows, a ReliaQuest company. "The construction and materials sector follows close behind as the second most targeted industry to date by the ransomware operation."

FIN7 has been a thorn in the side of the security industry for a decade. The group's initial attacks focused on credit and debit card data theft. But over the years, FIN7, which has also been tracked as the Carbanak Group and Cobalt Group, has diversified into other cybercrime operations as well, including most recently into the ransomware realm. Several vendors — including Digital Shadows — have suspected FIN7 of having links to multiple ransomware groups, including REvil, Ryuk, DarkSide, BlackMatter, and ALPHV. 

"So, it would not be surprising to see yet another potential association," this time with FIN7, Hoffman says. "However, it is important to note that linking two threat groups together does not always mean that one group is running the show. It is realistically possible the groups are working together."

According to SentinelLabs, some of the tools that the Black Basta operation uses in its attacks suggest that FIN7 is attempting to disassociate its new ransomware activity from the old. One such tool is a custom defense-evasion and impairment tool that appears to have been written by a FIN7 developer and has not been observed in any other ransomware operation, SentinelOne said.

Tag

#intel