The financially motivated threat group, also known as OPERA1ER, demonstrated an evolution in tactics in its compromise of three Francophone financial institutions in Africa, likely adding to its $11 million to-date haul.

A criminal group, which has already stolen nearly $11 million by specializing in targeted attacks against the financial sector, has French-speaking African banks in its crosshairs in a recent campaign that demonstrates an evolution in tactics, researchers have found.

Bluebottle, aka OPERA1ER, compromised three different financial institutions in three separate African nations between mid-July and September, affecting multiple machines in all three organizations, researchers from Symantec revealed in a blog post published on Jan. 5.

Though it's unclear if the group was able to capitalize financially on the activity, it's significant because the different payloads and other tactics that Bluebottle used in the campaign vary from previous offensives by the group, Sylvester Segura, Symantec threat intelligence analyst, tells Dark Reading. 

In particular, Bluebottle used commodity malware GuLoader and malicious ISO files in the initial stages of the attack — which it hasn't done before — as well as abused kernel drivers with a signed driver that has been linked to other attacks such as ransomware, Segura says.

These "all indicate the Bluebottle group is keeping up to date with the tools and techniques that other threat actors are currently using," he says. "They may not be the most advanced, but this latest activity proves they are following attacker trends in tooling and techniques."

Indeed, the use of signed drivers in particular shows that Bluebottle — a financially motivated group first observed in 2019 — is aiming to up its game in this latest spate of activity, forcing enterprises to do the same in terms of defensive maneuvers, Segura says.

"More and more 'less advanced' attackers are aware of the impact they can have by disabling detection solutions through various means such as using signed drivers," he notes. "To prevent the trust we put in software like signed drivers from becoming a single point of failure, enterprises need to employ as many layers of detection and protection as they reasonably can."

**Keeping Up With Bluebottle****

Group-IB first began tracking Bluebottle, which it calls OPERA1ER, in activity that spanned from mid-2019 to 2021. During this period, the group stole at least $11 million in the course of 30 targeted attacks, researchers said in a report published in November. The group typically infiltrates a financial organization and moves laterally, scooping up credentials that it can use for fraudulent transfers and other funds-stealing activity.

The activity that Symantec observed started in mid-July, when researchers spotted job-themed malware on one of the infected systems, which they believe could have been the result of a spear-phishing campaign — though they said they are not certain of the group's initial point of entry.

"These likely acted as lures," researchers wrote in the post. "In some cases, the malware was named to trick the user into thinking it was a PDF file."

Symantec researchers linked the group to the previous OPERA1ER activity reported by Group-1B because it shared the same domain, used similar tools, included no custom malware, and also targeted Francophone nations in Africa, they said.

****Living Off the Land****

After noticing the job-themed malware, researchers then observed the deployment of a downloader before detecting the commercial Sharphound hacktool as well as a tool called fakelogonscreen, researchers said. Then, about three weeks after this initial compromise, researchers saw attackers using a command prompt and PsExec for lateral movement.

"It appears the attackers were 'hands on keyboard' at this point of the attack," researchers wrote in the post, using various dual-use and living-off-the-land (LotL) tools for a number of purposes during their occupation of the network.

These tools included Quser for user discovery, Ping for checking Internet connectivity, Ngrok for network tunneling, Net localgroup/add for adding users, the Fortinet VPN client most likely for a secondary access channel, Xcopy to copy RDP wrapper files, and Netsh to open port 3389 in the firewall, among several others.

As previously mentioned, Bluebottle also used commodity tools GuLoader as well as Mimikatz, Revealer Keylogger, Backdoor.Cobalt, Netwire RAT, and the malicious DLL and driver for killing processes during their activity, along with "multiple other unknown files," the researchers wrote.

Some of the tools — such as GuLoader — were deployed across all three victims; other activity linking the three victims included the use of the same .NET downloader, malicious driver, and at least one overlapping transfer\[.\]sh URL, they said.

Researchers observed the last activity on the compromised network in September; however, the Ngrok tunneling tool remained on the network until November, they said.

****How Enterprises Can Respond****

Since Bluebottle uses mainly commodity RATs and other malware in its activity, enterprises can mitigate attacks from this threat group by ensuring they have good endpoint protection against such threats, Segura says.

"Furthermore, an extended detection and response solution should also help detect their abuse of living off the land tools like PsExec during attempted lateral movement," he says.

Since Bluebottle typically goes after credentials immediately in its attacks for financial gain, multifactor authentication can also go a long way in helping enterprises protect accounts and monitor for suspicious account activity, Segura says.

Other steps enterprises can take to counter activity from Bluebottle specifically include allowing applications that "will help prevent the malicious use of dual-use tools like Ngrok, which they use for hiding their presence," he says.

"Finally, training employees to look out for phishing and other malicious emails is going to be crucial to prevent a group like this from intruding in the first place," Segura adds.

**

Bluebottle Continues Bank Heist Assault With Signed Malware

Security teams may be missing targeted attacks and advanced exploits if attackers are using evasive techniques to avoid detection. Defenders need to up their game.

Attackers today combine state-of-the-art obfuscation and adaptive environment-specific features to avoid detection by traditional malware analysis systems. If your security team is relying on legacy approaches, like traditional sandboxing, to scan files entering your network, they may miss these dangerous exploits targeting your organization. If your security teams are spending their time with easy-to-detect, common vulnerabilities and not on the targeted attacks, they are exposing your organization to unnecessary risk from cybercriminals.

Nothing about this pattern is new: Researchers develop new anti-malware technology to detect malware attacks. Cybercriminals adapt their malware variants to avoid detection. And the cycle continues.

Attackers are adopting techniques, such as machine fingerprinting and geofencing, where they use information about the victim's application stack and system environments to compromise systems.

**Gotta Catch 'Em All: Geofencing**

There are many ways for malware to get on a victim's machine. Once there, some malware variants remain dormant if the victim's machine or network is not in a specific country. That comes courtesy of geofencing.

The malware looks up the external IP address geographic region via an external database or service and checks whether the device is located in the target region. If the device's geographic location is in a region of interest, the malware detonates. It may install a second-stage malware; steal useful information, such as administrator credentials; exfiltrate data to a system controlled by criminals; and remove all traces of its activity on the machine.

Attackers add geofencing features to malware for many reasons. It may be easier to evade detection by locations with strong security postures. Sometimes they don't want to infect networks in their home countries, where they could face prosecution. Savvy criminals target wealthy countries inhabited by trusting folks who are more likely to open documents and pay ransom. Or they may know that business leaders in a specific region rely on weak defensive postures or are less likely to use two-factor authentication.

One example of a region–specific attack: The South Korean government widely uses the Hangul Word Processor (HWP). North Korean attackers write malware in Hangul to penetrate critical government systems. Trying to use this malware to compromise US government employees, however, would be a waste of resources.

**Finding the Golden Image: Fingerprinting**

Malware authors rely on diverse fingerprinting techniques to determine whether machines are susceptible to their attack chains. Fingerprinting helps malware avoid detection by appearing harmless to antivirus technologies.

The malware remains dormant on the victim's machine unless the environment meets predefined conditions — such as having a specific application installed or certain configuration settings enabled. Attackers also use fingerprinting techniques to figure out whether the compromised system is actually a virtual machine using a preconfigured, out-of-the-box or initial install image. If that is the case, the malware does not detonate.

**What Adaptive and Dynamic Analysis Looks Like**

Traditional sandboxes may not detect advanced malware or targeted zero-day attacks if the attacker is using techniques such as geofencing or fingerprinting. For example, malware that uses geofencing must look up IP addresses to determine its geographic location. In contrast, adaptive dynamic analysis technology can help detect very specific, targeted attacks because it can detect and automatically bypass environment and anti-analysis checks. 

Adaptive analysis performs execution only of instructions related to the malware, as opposed to traditional sandboxes, which are fully virtualized operating systems executing instructions of every service and application on the system. As a result, the total resource utilization for adaptive analysis is significantly lower. Being able to extract intelligence in the form of indicators of compromise (IOCs) enables threat hunting, proactive self-defense improvements, and threat actor attribution.

Threat Actors Evade Detection Through Geofencing & Fingerprinting

Amid escalating cyber activity, two separate cybersecurity frameworks are targeting the satellite arena, highlighting the ease in attacking the infrastructure and the difficulty in defending it.

With cyberattacks becoming a reality against the space sector's infrastructure in 2022, two groups are aiming to get ahead of future attacks by creating framework initiatives.

The goal of the frameworks is to better understand not only potential threats — in terms of the traditional tactics, techniques, and procedures (TTPs) applied to the space sector — but also to help companies and government agencies create countermeasures against attacks targeting satellites and spacecraft.

On Jan. 3, the US National Institute of Standards and Technology (NIST) and the MITRE Corp., which is also a government contractor, released a version of the NIST Cybersecurity Framework tailored to the ground-based portion of the space sector. The NIST publication complements another effort by nonprofit government contractor The Aerospace Corp., which created in October the Space Attack Research and Tactics Analysis (Sparta) matrix, a version of the MITRE ATT&CK framework applied to threats against space-based infrastructure.

**Cyberattacks Are Now Targeting Satellites**

Early in 2022, the FBI and CISA warned that attacks against satellite ground-based and space-based infrastructure could become a reality — and it soon did. The year saw nation-state operations targeting Viasat and SpaceX's Starlink satellites, and forcing governments and aerospace companies to create defenses against the attacks.

In the early days of Russia's invasion of Ukraine, for example, Russia-aligned hackers targeted the ground-based segment of Viasat's satellite communications network, taking Internet modems offline throughout Europe. Soon after, Russia also targeted the distributed satellite Internet service Starlink, according to government officials and SpaceX CEO Elon Musk, which has been critical for providing the Ukraine war effort with Internet connectivity.

"Starlink has resisted Russian cyberwar jamming & hacking attempts so far, but \[attackers are\] ramping up their efforts," Musk stated on Twitter last May.

In November, Starlink was in the crosshairs again, with Russia-linked Killnet APT targeting it with a DDoS campaign that made the service inaccessible for several hours.

As a corollary, satellites have also become proposed targets of non-cyberattacks as well. In the most recent example, Chinese researchers proposed a 10 megaton nuclear blast 50 miles from the Earth's surface as a way to disable Starlink satellites that pass through the radioactive cloud.

**Computers, Not Lost in Space**

Cyberattackers in this arena are far more likely to be advanced persistent threats (APTs) sponsored by nation-states — often looking to disable satellites and spacecraft. But much of today's ground-based satellite infrastructure uses common computer and communications technologies, which could open the door to other players.

The similarities allow attackers to more easily exploit the systems underpinning satellite systems, while the complex supply chain makes the infrastructure easier to attack, Neil Sherwin-Peddie, head of space security for defense and government contractor BAE Systems Digital Intelligence, stated in a recent column for Dark Reading_._

"Satellites are effectively just platforms with embedded systems and interfaces, including radio communications, telemetry tracking control systems, and ground segment connections," he wrote. "These are all essentially enterprise networks, but that also makes them avenues of opportunity for cybercriminals."

The attack on Viasat consisted of two components and underscores that known attack methods can be tailored to ground-based and space-based satellite systems.

First, the attackers exploited "a misconfiguration in a VPN appliance to gain remote access" to the ground-based network, according to a Viasat advisory. The attackers then discovered and compromised the management network for the satellite network and issued commands to the ground-based modems.

"Specifically, these destructive commands overwrote key data in flash memory on the modems, rendering the modems unable to access the network, but not permanently unusable," the company stated.

These commands performed functions similar to a wiper attack, overwriting critical data to disrupt operations, a common approach in cyber-physical attacks, according to a subsequent analysis performed by independent cybersecurity researcher Ruben Santamarta.

New attack vectors are looming for the future, as well. 

"We will see more automation on the spacecraft, and therefore we will need more on-board autonomous cyber protection," says Brandon Bailey, a senior project leader for the Cyber Assessments and Research Department at The Aerospace Corp. "This means integrating items like segmentation, authentication, encryption, and intrusion detection \[and\] prevention on-board the spacecraft will be a must in the future."

**Frameworks Cover Both Ground & Space**

The NIST Cybersecurity Framework for the Satellite Ground Segment (NIST-IR-8401) builds on a common approach to cyber-defense that includes five major functions: the identification of assets and their cyber-risks, the development of technologies and procedures to protect those assets, the capability to detect attacks, the infrastructure needed to respond to any incident, and the ability to recover from attacks.

"The ground segment is becoming more interconnected and cloud-based ground infrastructures, however legacy space operations and the space vehicles themselves use custom software and hardware that was not generally created to be part of a modern highly interconnected cyber-ecosystem," NIST-IR-8401 states. "This can be especially problematic with legacy components that may have been created prior to the development of security best practices or that use obsolete security measures."

The Sparta framework aims to cover cyberattacks on the space-based components, such as satellites, spacecraft and other systems. The framework will grow and change as the field evolves and the TTPs used by attackers change, says Bailey of The Aerospace Corp.

"Cyber on the spacecraft side is relatively new field; therefore, as vulnerabilities — like PCSpoof — are disclosed, we will add TTPs and countermeasures," he says. "We also intend on working with the Space ISAC, and as it matures ... we will incorporate threat information and TTPs that are identified."

Space Race: Defenses Emerge as Satellite-Focused Cyberattacks Ramp Up

**SANTA CLARA, Calif.****,** **Jan. 5, 2023** **/PRNewswire/ --** Netskope, a leader in Secure Access Service Edge (SASE), on the heels of its recognition as Cloud Security Services Vendor of the Year, its sixth straight ranking on the Forbes Cloud 100 list of top cloud companies, and its recognition as a Leader in the 2022 Gartner® Magic Quadrant™ for Security Service Edge (SSE), today announced an oversubscribed investment round of $401M.

The partners for this oversubscribed convertible note investment were four of the world's premier investors. The financing was led by investment funds managed by Morgan Stanley Tactical Value, with participation from Goldman Sachs Asset Management, Ontario Teachers' Pension Plan, and CPP Investments. Netskope plans to extend its technology and platform advantages and market reach through continued innovative worldwide platform development and expansion of strategic go-to-market activities, underscoring its leadership and momentum in what leading analysts estimate to be the $36 billion market opportunity for SASE by 2025.

This financing marks the latest among many recent business and financial milestones for Netskope and serves as another strong validation and indicator of the continued momentum and adoption of the company's vision, team, products, culture, and market opportunity. 

**Securing Modern Cloud Networks** 

As hybrid and remote work has become the new reality, and the use of the cloud accelerates, enterprises of all sizes need to transform their network and data security strategy and architecture. As a result, they are rapidly adopting SASE as a foundational part of their zero trust strategy, to safeguard data, support digital transformation efforts, and realize better efficiency by addressing security and networking challenges through a unified architecture. In addition, enterprises are increasingly seeking SASE capabilities from fewer sources to reduce vendor and tool sprawl. Gartner notes1 that, "by 2025, 65% of enterprises will have consolidated individual SASE components into one or two explicitly partnered SASE vendors, up from 15% in 2021."

The Netskope converged SASE platform includes Netskope's industry-leading Intelligent Security Service Edge (SSE) and Borderless SD-WAN technologies, all of which are crucial to providing the optimized access and zero trust-based security required in a modern networking and security technology stack. Netskope today is one of only a few providers of single-vendor SASE. It is also the only SASE provider recognized as a representative vendor in the 2022 Gartner Market Guide to Single Vendor SASE that also appears as a Leader in the 2022 Gartner Magic Quadrant for Security Service Edge. 

"Our vision from day one was that traditional network and security perimeters would transform, with users, data, and devices moving outside the confines of corporate network perimeters and requiring a new approach to security," said Sanjay Beri, Netskope CEO and co-founder. "With a cloud-first, data-first, and customer-centric philosophy, we built a market-leading SASE platform and one of the world's fastest and most-connected security cloud networks. We have enabled enterprises everywhere to allow their users to be mobile, efficient, and flexible while securing them and the data and applications they access, whether they are in the cloud, on the web, or are private applications on-prem and beyond. We are very proud of the team members, customers, industry luminaries, and existing and new partners announced today who are helping to enable Netskope's journey and secure the journey of all enterprises worldwide."

Over the past 12 months, Netskope has broadened its market reach in the following ways:

*   **Increased Customer Base** – to more than 2,400 total customers worldwide, including over 25 of the Fortune 100, and across all verticals including financial services, healthcare, retail, telecommunications, manufacturing, government, high tech, and beyond.
*   **Expanded SASE Platform** – through organic development of new endpoint data loss prevention, advanced cloud firewall, and zero trust network access products, as well as strategic acquisitions of WootCloud and Infiot to serve as core technology components of Netskope's innovative IoT Security and Borderless SD-WAN modules, respectively.
*   **Growing Patent Portfolio** – more than 100 global patents awarded to Netskope inventors, in data loss prevention, AI/ML, threat prevention, high speed cloud networking, and other strategic technology categories.
*   **Continued Expansion of NewEdge security private cloud** – now powered by full-compute data centers in more than 60 regions worldwide. Every Netskope NewEdge data center is accessible to every customer, with all Netskope SASE services available, providing low latency and high-performing infrastructure, and backed by industry-leading Service Level Agreements.
*   **New and Enhanced Go-to-Market Partnerships** – with some of the world's best-known cloud platform, service provider and systems integrator brands, including Orange, Deloitte, Telefonica, KPN, AWS, Google Cloud, CrowdStrike, Mimecast, Okta, and others which expand Netskope's global reach and ability to capture market share.
*   **Increased Corporate Footprint** – to more than 2,500 team members, active in over 40 countries, with open roles across teams and regions. In 2022, Netskope also enhanced its seasoned executive team with leaders from Salesforce, AWS, Cisco, Palo Alto Networks and others joining Netskope.
*   **Industry Recognition:** Recent Netskope highlights also include product, customer, and industry recognition, including:

*   Won 2022 CRN Cloud Services Vendor of the Year award
*   Won Best SASE Solution and Most Promising Unicorn awards from SC Media
*   Ranked among the highest two solutions for every single use case in the 2022 Gartner Critical Capabilities for Security Service Edge report
*   Named a Leader in the IDC Marketscape for Cloud Security Gateways
*   Awarded one of the first U.S. Federal Civilian Government SASE Contracts, led by the United States Patent and Trademark Office
*   Named for a sixth time to the Forbes Cloud 100, as one of only four security vendors to rank in the Top 50
*   Achieved best-in-class employer brand and employee experience ratings from Glassdoor
*   Achieved a Silver Medal from EcoVadis, highlighting commitment to ESG and business sustainability

"Cloud migration—and securing this modern network—represents one of the most significant and transformative technology shifts in decades," said Pedro Teixeira, managing director of Morgan Stanley and Co-Head of Morgan Stanley's Tactical Value Investing Team. "We seek to invest in high-quality companies that are driving their markets today and into the future.  Netskope epitomizes this, with its innovative SASE vision and solid execution, a robust platform with significant monetization ahead of it, a large global customer base, and defensible market leadership. We look forward to partnering with the team as they strive to realize the significant opportunity that lies ahead."

**Legal Notices**

Morgan Stanley & Co. LLC served as the sole placement agent for the note offering. Pillsbury Winthrop Shaw Pittman LLP served as Netskope's legal counsel and Latham & Watkins LLP served as Morgan Stanley Tactical Value's counsel. J Wood Capital Advisors LLC acted as financial advisor to Netskope.

This press release does not constitute an offer to sell, or a solicitation of an offer to buy, any securities of Netskope.  The securities referenced herein have not been registered under the Securities Act of 1933, as amended, and may not be offered or sold in the United States absent registration or an applicable exemption from such registration requirements.

**Gartner Disclaimer**

Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

**About Netskope**

Netskope, a global SASE leader, is redefining cloud, data, and network security to help organizations apply zero trust principles to protect data. Fast and easy to use, the Netskope platform provides optimized access and real-time security for people, devices, and data anywhere they go. Netskope helps customers reduce risk, accelerate performance, and get unrivaled visibility into any cloud, web, and private application activity. Thousands of customers, including more than 25 of the Fortune 100, trust Netskope and its powerful NewEdge network to address evolving threats, new risks, technology shifts, organizational and network changes, and new regulatory requirements. Learn how Netskope helps customers be ready for anything on their SASE journey, visit netskope.com.

Netskope Receives $401M In New Funding

**DALLAS****,** **Jan. 5, 2023** **/PRNewswire/ --** Trend Micro Incorporated (TYO: 4704; TSE: 4704), a global cybersecurity leader, has established CTOne, a new Trend Micro subsidiary focused on advancing 5G network security and beyond. The group's intellectual capital and leadership come from Trend Micro's culture of innovation and is the latest incubation project to launch as a standalone business.

_To learn more about CTOne's private 5G network solutions, please visit:_ https://www.ctone.com

Eva Chen**, CEO of Trend Micro:** "Trend Micro has been at the forefront of network transformations for over three decades. The 5G network technology has enabled new capabilities and applications requiring new cybersecurity infrastructure. With our foresight and over six years of dedicated research into network technology, we are confident that CTOne will safeguard organizations in all 5G network environments."

Organizations need to integrate resources to combat emerging threats in the private 5G networks more effectively. By pre-deploying a security net, CTOne strengthens the digital resilience of vertical application fields and provides security for landing applications in private 5G network environments and achieving comprehensive protection from network to endpoint.

Low latency, large bandwidth, and high-density capabilities have accelerated many organizations to adopt private 5G networks. According to a Grand View Research report\*, the global private 5G network market size was valued at USD 1.38 billion in 2021 and is expected to expand at a compound annual growth rate of 49% in the next year. Private 5G networks are usually considered the most secure wireless communications standard. However, with the widely used Open Radio Access (O-RAN) structure, the proliferation of cloud networks, open-source software, and the variety of IoT devices, the 5G environment faces more cyber threats than ever.

Jason Huang**, CEO of CTOne:** "Safety today doesn't guarantee Safety tomorrow. While the communications technology market is booming, business operations are facing exposure to more complex risks. CTOne enables enterprises to secure private 5G networks against potential cyberattacks and build a high-quality industrial application ecosystem. In the future, we will collaborate with partners to maximize the advantages of private 5G with comprehensive security solutions."

In addition to private 5G network end-to-end security solutions, CTOne is also developing O-RAN and edge computing security solutions to assist enterprises in mitigating cyber risk when deploying related technologies.

\* Private 5G Network Market Size, Share & Trends Analysis Report By Component (Hardware, Software, Services), By Frequency (Sub-6 GHz, mmWave), By Spectrum, By Vertical, By Region, And Segment Forecasts, 2022 – 2030, Grand View Research

**About Trend Micro**

Trend Micro, a global cybersecurity leader, helps make the world safe for exchanging digital information. Fueled by decades of security expertise, global threat research, and continuous innovation, Trend Micro's cybersecurity platform protects hundreds of thousands of organizations and millions of individuals across clouds, networks, devices, and endpoints. As a leader in cloud and enterprise cybersecurity, the platform delivers a powerful range of advanced threat defense techniques optimized for environments like AWS, Microsoft, and Google, and central visibility for better, faster detection and response. With 7,000 employees across 65 countries, Trend Micro enables organizations to simplify and secure their connected world. www.trendmicro.com.

**About CTOne**

CTOne, a global cybersecurity leader in communication technology, offers enterprise cybersecurity solutions for next-generation wireless networks. A subsidiary of Trend Micro, CTOne enables digital transformation and strengthens the resilience of communication technology. https://www.ctone.com

SOURCE Trend Micro Incorporated

Trend Micro Announces New Subsidiary for 5G Cybersecurity

When police infiltrated the EncroChat phone system in 2020, they hit an intelligence gold mine. But subsequent legal challenges have spread across Europe.

For a week in October 2020, Christian Lödden’s potential clients wanted to talk about only one thing. Every person whom the German criminal defense lawyer spoke to had been using the encrypted phone network EncroChat and was worried their devices had been hacked, potentially exposing crimes they may have committed. “I had 20 meetings like this,” Lödden says. “Then I realized—oh my gosh—the flood is coming.”

Months earlier, police across Europe, led by French and Dutch forces, revealed they had compromised the EncroChat network. Malware the police secretly planted into the encrypted system siphoned off more than 100 million messages, laying bare the inner workings of the criminal underground. People openly talked about drug deals, organized kidnappings, planned murders, and worse.

The hack, one of the largest ever conducted by police, was an intelligence gold mine—with hundreds arrested, homes raided, and thousands of kilograms of drugs seized. But it was just the beginning. Fast-forward two years, and thousands of EncroChat users across Europe—including in the UK, Germany, France, and the Netherlands—are in jail. 

However, a growing number of legal challenges are questioning the hacking operation. Lawyers claim investigations are flawed and that the hacked messages should not be used as evidence in court, saying rules around data-sharing were broken and the secrecy of the hacking means suspects haven’t had fair trials. Toward the end of 2022, a case in Germany was sent to Europe’s highest court. If successful, the challenge could potentially undermine the convictions of criminals around Europe. And experts say the fallout has implications for end-to-end encryption around the world.

“Even bad people have rights in our jurisdictions because we are so proud of our rule of law,” Lödden says. “We’re not defending criminals or defending crimes. We are defending the rights of accused people.”

Hacking EncroChat

Around 60,000 people were signed up to the EncroChat phone network, which was founded in 2016, when it was busted by cops. Subscribers paid thousands of dollars to use a customized Android phone that could, according to EncroChat’s company website, “guarantee anonymity.” The phone’s security features included encrypted chats, notes, and phone calls, using a version of the Signal protocol, as well as the ability to “panic wipe” everything on the phone, and live customer support. Its camera, microphone, and GPS chip could all be removed.

Police who hacked the phone network didn’t appear to break its encryption but instead compromised the EncroChat servers in Roubaix, France, and ultimately pushed malware to devices. While little is known about how the hacking took place or the type of malware used, 32,477 of EncroChat’s 66,134 users were impacted in 122 countries, according to court documents. Documents obtained by Motherboard showed all data on the phones could potentially be hoovered up by the investigators. This data was shared between law enforcement agencies involved in the investigation. (EncroChat has claimed it was a legitimate company and shut itself down after the hack.)

Across Europe, legal challenges are building up. In many countries, courts have ruled that messages from EncroChat can be used as evidence. However, these decisions are now being disputed. The cases, many of which have been reported in detail by Computer Weekly, are complex: Each country has its own legal system with separate rules around the types of evidence that can be used and the processes prosecutors need to follow. For instance, the UK largely doesn’t allow “intercepted” evidence to be used in court; meanwhile, Germany has a high bar for allowing malware to be installed on a phone.

Cops Hacked Thousands of Phones. Was It Legal?

**ATLANTA****,** **Jan. 4, 2023** **/PRNewswire/ --** CORL Technologies, the leading provider of risk management solutions for healthcare, today introduced Third-Party Incident Response (TPIR). This managed incident response solution allows healthcare providers to address third-party security incidents proactively. CORL's TPIR service tames the chaos of incident response by enabling healthcare companies to share information and provide total clarity about how each party will respond to industry-wide vulnerabilities and episodic data breaches.

According to SC Magazine, nine out of the ten most significant healthcare data breaches were caused by third-party vendors. The Verizon annual Data Breach Investigations Report indicates ransomware saw a 13% increase in 2022, making up almost 70% of malware breaches. Ransomware incidents can cause computer systems to be down for weeks, creating a ripple effect that can impact hundreds of providers and patients.

CORL's TPIR eliminates the chaos of third-party incident response for faster resolution. TPIR clarifies every stage in an incident lifecycle, including proactive preparedness profiles and scoring, impact mapping, managing outreach and response, automating communications, and identifying key metrics using standardized data. CORL offers healthcare companies numerous benefits, including:

*   **Improved preparedness** – Create a strong data foundation with readiness profiles, managed key contact rolodexes, and scores by vendor, vendor tier, and in aggregate.
*   **Extended visibility** – Understand incident implications using impact mapping, live response tracking, reports, and other tools.
*   **Reduced internal burden** – CORL serves as an expert partner providing scalable outreach, response management, and reporting.
*   **Well-defined course of action** – TPIR provides a clear communication plan for each vendor with correct contacts and escalations.

"We developed Third-Party Incident Response to prepare healthcare providers and vendors before an incident occurs," said Cliff Baker, Chief Executive Officer of CORL Technologies. "Vendor data breaches happen every day, and very few know who to contact or how to escalate when they don't get what they need. With TPIR we eliminate the chaos, provide clarity around points of contact, escalation, incident impact, remediation, etc., and do all the outreach, so there is no impact on the internal team."

TPIR provides preparedness at scale, starting with an accurate data foundation. CORL prepares a Third-Party Incident Preparedness (TPIP) profile and score for each vendor to identify gaps and improve preparedness across all vendors. CORL's managed Third-Party Incident Impact (TPI3) workflow provides rapid insight into how an incident impacts the business. The result is a coordinated plan of action that outlines responsibilities and eliminates duplicate efforts.

"CORL is committed to going beyond risk management tools that stop short of solving the problem," continued Baker. "Our managed assessment methodology, the way we utilize data, and decision-support tools address the healthcare industry's real-world security and privacy challenges. We are committed to integrating the best of technology and human intelligence to make third-party risk management a business enabler."

**About CORL Technologies**

CORL is a leading provider of vendor risk management solutions for the healthcare industry. CORL gets results by scaling organizational and vendor risk programs through our healthcare vendor risk clearinghouse solution, dashboard reporting that business owners can understand, and proven workflows that drive measurable risk reduction. CORL accelerates the speed of vendor risk assessments and holds vendors accountable for remediating risk exposures. Together with sister company Meditology healthcare's preeminent cybersecurity consulting firm and certification body, the company has offices in Atlanta, Philadelphia, Denver, San Diego, and St. Louis. 

For more information, visit http://corltech.com.

CORL Technologies Introduces Proactive Third-Party Incident Response Solution for Healthcare

Improve overall IT administration and establish a framework to identify misconfigurations and automate the process of checking IaC before it makes it into the production environment.

Infrastructure as code (IaC) has gained rapid popularity for its ability to automate the management and provisioning of IT infrastructure by replacing manual processes with machine-readable configuration (definitions) files that contain specifications that are simple to edit, maintain, and distribute.

This approach is especially appealing and efficient when standing up and modifying infrastructure-as-a-service (IaaS) instances in cloud application environments.

But, like any technology, these gains aren't without some pain. One of the most formidable tasks is dealing with IaC management and security. While it's now incredibly fast and convenient to propagate changes across multiple production environments, errors and vulnerabilities can also spread like wildfire. This includes misconfigurations and incorrect default settings, all of which can potentially expose sensitive data, intellectual property (IP), and trade secrets.

As a result, it's wise to establish a framework — including the right strategy and technology tools — that can identify misconfigurations, fix incorrect values, and automate the sometimes-daunting process of checking IaC.

**Cracking the Code on IaC**

One of the things that makes infrastructure-as-code so appealing is the ability to automate infrastructure deployment processes as part of the development life cycle. This practice is usually referred to as creating a CI/CD pipeline — continuous development and continuous deployment. Manually provisioning, configuring, and managing systems is a time-consuming and error-prone task. IaC is an essential component for automating these processes. With the click of a button, it's possible to set up, delete, or make widespread changes to an existing environment across multiple cloud platforms using APIs

It's also possible to gain visibility into all these changes. So, if it is necessary to roll back a system to a particular date or configuration, the task is reasonably easy to manage. Because IaC typically has built-in support for things like declarative and imperative language, filters, and rules and settings, it's possible to create a standard deployable configuration file that tells a cloud provider exactly what resource to provision.

Eliminating manual processes doesn't prevent problems. IaC environments remain vulnerable to configuration errors. In many cases, IaC definition files mitigate the risk of introducing security misconfigurations due to human errors such as applying the wrong user access policy or important security settings. However, when human-made mistakes happen, they will affect all resources that are using the same definition files and may impact thousands of resources.

In fact, it's remarkably easy to miss configuration issues in IaC, especially when a large and complex cloud infrastructure is provisioned. And once the problem exists in the production environment it's usually a lot more difficult and time-consuming to fix. As a result, organizations should implement a shift-left approach to IaC security that's designed to fix issues directly when code is written or modified.

**Finding the Fix**

Addressing the problem involves scanning new IaC files for errors and fixing them before they are released to production, as well as discovering misconfigurations already deployed in cloud environments and modifying the IaC files. This requires following a clearly defined three-step process:

*   **Identify the misconfigurations.** This "hygiene" starts with state and resource aware scanning of configuration files to identify errors or policy violations that need to be fixed. These processes should scan the cloud runtime environment and take into account the plan and state outcomes. Once problems have been identified, it's critical to fix code for all files that touch the cloud environment. In some cases, thousands of configuration files might exist.
*   **Create a staging environment for testing.** One of the big advantages of IaC is that you can quickly create many instances of your entire infrastructure, it's simple to create a staging environment and a production environment. Once the review process is complete in the staging environment, transferring it to a live setting is a process that takes place at the push of a button.
*   **Inspect an IaC environment before provisioning to production so that it aligns with security policies.** The inspection process should include a review that ensures that a policy is correctly translated into a control, and the control is correctly embedded in the configuration file. For example, an organization might check to see that any sensitive data isn't stored in clear text or secrets are not exposed. It's critical to conduct a thorough review so that a new setting or configuration doesn't introduce a new issue.
*   **Add the correct values.** The next step is to fix the actual problem. This may be something as straightforward as encrypting a database that was previously unencrypted or something as complicated as changing a specific setting in all the virtual machines or storage devices in a particular region or country. Once this analysis is complete, it's possible to update configuration files or create new ones.
*   **Deploy the new or updated code.** After you have made the necessary changes, it's time to push out the new or updated configuration files. While IaC makes this task much easier, it's important to ensure that the update is going to the right place and that it will be deployed as intended, as part of a managed CI/CD process.

While IaC provides huge advances for deploying and managing today's highly complex cloud and IT environments, it does not address security issues and configuration errors that will inevitably occur. However, with the right processes, procedures, and tools it's possible to automate the detection and remediation of security risk in even the largest IaC deployments.

Understanding Infrastructure-as-Code Risks in the Cloud

**DUBLIN****,** **Jan. 4, 2023** **/PRNewswire/ --** The "Global Mobile Biometrics Market Size, Share & Industry Trends Analysis Report By Industry, By Technology, By Authentication Mode (Single Factor and Multi Factor), By Component (Hardware, Software and Service), By Regional Outlook and Forecast, 2022 - 2028" report has been added to  ResearchAndMarkets.com's offering.

The Global Mobile Biometrics Market size is expected to reach $91.9 billion by 2028, rising at a market growth of 21.8% CAGR during the forecast period.  
Mobile biometric authentication uses biometrics to recognize and confirm a person's identity when they attempt to access any mobile application. Authentication can be carried out using these mobile biometric devices in a number of different ways, including face recognition, fingerprint readers, voice recognition, and others. Mobile biometrics solutions straddle the line between identity and connectivity.  
They make use of smartphones, tablets, other forms of handheld devices, wearable technologies, and Internet of Things devices for their flexible deployment capabilities. Controlling access to information, locations, and systems have become more and more necessary over time. Many businesses currently use cards, PINs, or passwords to verify users' identities before granting access. However, there are significant problems with this conventional method.  
In recent years, biometric technology has gained popularity on mobile devices. The technology improved in terms of user-friendliness and consumer affordability. This biometric solution is a method used to authenticate a person who is in possession of a mobile device and uses it as a distinctive biometric identifier. Single-factor authentication (SFA) and multi-factor authentication (MFA) are the two different authentication mechanisms used by mobile biometric systems.  
These systems operate using a variety of techniques, including Deep Neural Networks and Keystroke Dynamics. Together, these procedures form a mobile biometrics system that provides coordinated security for mobile devices. The demand for this effective security solution typically increases significantly. In order to determine similarity, biometric authentication compares data for a person's features to that person's biometric "template".  
**COVID-19 Impact Analysis**  
The pandemic had a positive impact on the mobile biometrics market. This was due to a significant shift toward the rise of digital stores and e-commerce platforms, which has led to an increase in the use of online payments. The potential for an increase in cyberattacks in the form of fraud and identity theft also guided the market. Secure authentication services for different banking and financial applications, like client KYC and money transfer, are required in such a situation, and the usage of top-notch security tools is crucial.  
**Market Growth Factors**

**Increase In Platforms Using Biometric Authentication**  
The demand for biometric solutions has increased over the past few years as digital media and internet content delivery have grown. Traditional methods of authentication, like signatures and text-based credentials, have been shown to be more difficult for users to use because they are so vulnerable to contemporary cyberattacks. Furthermore, customers really need to develop faster methods of authentication due to the growing quantity of digital services.  
**Assurance Of Higher Security With Biometrics Usage**  
One of the key factors propelling the growth of mobile biometrics is the increasing demand for intelligence security devices in mobile devices to secure the data saved in the devices, such as bank account information, photos, recordings, contacts, and other personalized data. By confirming a physical, real-world characteristic that is (typically) specific to that person, such as fingerprints, facial features, voice articulation, and others, biometric solutions can give providers a higher level of assurance that the person is real.  
**Market Restraining Factors**

**Wrong And Inaccurate Results Through Biometrics**  
False positives and inaccuracy are two of the most significant challenges. Biometric authentication procedures rely on insufficient data to confirm a user's identity. For instance, during the enrollment step, a mobile biometric device will scan a whole fingerprint and turn it into data. Future fingerprint biometric authentication, however, will only require a portion of the print to confirm identity, making the process speedier overall.

**Scope of the Study**

**Market Segments Covered in the Report:**

**By Industry**

*   Public Sector
*   BFSI
*   Healthcare
*   IT & Telecommunication
*   Others

**By Technology**

*   Fingerprint Recognition
*   Face Recognition
*   Voice Recognition
*   Others

**By Authentication Mode**

*   Single Factor
*   Multi Factor

**By Component**

*   Hardware
*   Software
*   Service

**By Geography**

*   North America
*   US
*   Canada
*   Mexico
*   Rest of North America
*   Europe
*   Germany
*   UK
*   France
*   Russia
*   Spain
*   Italy
*   Rest of Europe
*   Asia Pacific
*   China
*   Japan
*   India
*   South Korea
*   Singapore
*   Malaysia
*   Rest of Asia Pacific
*   LAMEA
*   Brazil
*   Argentina
*   UAE
*   Saudi Arabia
*   South Africa
*   Nigeria
*   Rest of LAMEA

**Key Market Players**

**List of Companies Profiled in the Report:**

*   3M Company
*   Apple Inc.
*   NEC Corporation
*   BIO-key International, Inc.
*   Fujitsu Limited
*   HID Global Corporation
*   Precise Biometrics AB
*   M2SYS Technology, Inc.
*   Aware, Inc.

For more information about this report visit https://www.researchandmarkets.com/r/vwb2z6

Insights On the Mobile Biometrics Global Market To 2028 - Increase In Platforms Using Biometric Authentication Drives Growth

Ransomware: contemporary threats, how to prevent them and how the FBI can help
In April 2021, Dutch supermarkets faced a food shortage. The cause wasn't a drought or a sudden surge in the demand for avocados. Rather, the reason was a ransomware attack. In the past years, companies, universities, schools, medical facilities and other organizations have been targeted by ransomware threat actors,

**_Ransomware: contemporary threats, how to prevent them and how the FBI can help_**

In April 2021, Dutch supermarkets faced a food shortage. The cause wasn't a drought or a sudden surge in the demand for avocados. Rather, the reason was a ransomware attack. In the past years, companies, universities, schools, medical facilities and other organizations have been targeted by ransomware threat actors, turning ransomware into the internet's most severe security crisis.

**The Ransomware Landscape**

Ransomware has existed for more than 30 years, but it became a lucrative source of income for cyber actors and gangs in the past decade. Since 2015, ransomware gangs have been targeting organizations instead of individuals. Consequently, ransom sums have increased significantly, reaching millions of dollars.

Ransomware is effective because it pressures victims in two, complementary ways. First, by threatening victims to destroy their data. Second, by threatening to publicize the attack. The second threat has an indirect impact, yet it is just as serious (if not more). Publication could trigger regulatory and compliance issues, as well as negative long-term brand effects.

Here are some examples of real ransomware notes:

Ransomware as a Service (RaaS) has become the most widespread type of ransomware. In RaaS attacks, the ransomware infrastructure is developed by cyber criminals and then licensed out to other attackers for their use. The customer attackers can pay for the use of software or they can split the loot with the creators. Etay maor, Senior Director Security Strategy at **Cato Networks** commented, "There are other forms of RaaS. After receiving the ransomware payment some Ransomware groups sell all the data about the victim's network to other gangs. This means the next attack is much simpler and can be fully automated as it does not require weeks of discovery and network analysis by the attackers."

Some of the major RaaS players, who are notorious for turning the RaaS landscape into what it is today, are CryptoLocker, who infected over a quarter million systems in the 2000s and profited more than $3 million in less than four months, CryptoWall, who made over $18 million and prompted an FBI advisory, and finally Petya, NotPetya and WannaCry who used various types of exploits, ransomware included.

**How the FBI Helps Combat Ransomware**

An organization under attack is bound to experience frustration and confusion. One of the first recommended courses of action is to contact an Incident Response team. The IR team can assist with investigation, recuperation and negotiations. Then, the FBI can also help.

Part of the FBI's mission is to raise awareness about ransomware. Thanks to a wide local and global network, they have access to valuable intelligence. This information can help victims with negotiations and with operationalization. For example, the FBI might be able to provide profiler information about a threat actor based on its Bitcoin wallet.

To help ransomware victims and to prevent ransomware, the FBI has set up 56 Cyber Task Forces across its field offices. These Task Forces work closely with the IRS, the Department of Education, the Office of Inspector General, the Federal Protective Service and the State Police. They're also in close contact with the Secret Service and have access to regional forensics labs. For National Security cyber crimes, the FBI has a designated Squad.

Alongside the Cyber Task Force, the FBI operates a 24/7 CyWatch, which is a Watch Center for coordinating the field offices, the private sector and other federal and intelligence agencies. There is also an Internet Crime Complaint Center, ic3.gov, for registering complaints and identifying trends.

**Preventing Ransomware Attacks On Time**

Many ransomware attacks don't have to reach the point where the FBI is needed. Rather, they can be avoided beforehand. Ransomware is not a single-shot attack. Instead, a series of tactics and techniques all contribute to its execution. By identifying the network and security vulnerabilities in advance that enables the attack, organizations can block or limit threat actors' ability to perform ransomware. Etay Maor added "We need to rethink the concept that "the attackers need to be right just once, the defenders need to be right all the time". A cyber attack is a combination of multiple tactics and techniques. As such, it can only be countered with a holistic approach, with multiple converged security systems that all share context in real time. This is exactly what a **SASE architecture**, and no other, offers the defenders".

For example, here are all the steps in a REvil attack on a well-known manufacturer, mapped out to the MITRE ATT&CK framework. As you can see, there are numerous phases that took place before the actual ransom and were essential to its "success". By mitigating those risks, the attack might have been prevented.

Here is a similar mapping of a Sodinokobi attack:

Maze attack mapping to the MITRE framework:

Another way to map ransomware attacks is through heat maps, which show how often different tactics and techniques are used. Here is a heat map of Maze attacks:

One way to use these mappings is for network analysis and systems testing. By testing a system's resilience to these tactics and techniques and implementing controls that can mitigate any risks, organizations reduce the risk of a ransomware attack by a certain actor on their critical resources.

**How to Avoid Attacks - From the Horse's Mouth**

But don't take our word for it. Some ransomware attackers are "kind" enough to provide organizations with best practices for securing themselves from future ransomware attacks. Recommendations include:

*   Turning off local passwords
*   Using secure passwords
*   Forcing the end of admin sessions
*   Configuring group policies
*   Checking privileged users' access
*   Ensuring only necessary applications are running
*   Limiting the reliance of Anti-Virus
*   Installing EDRs
*   24 hour system admins
*   Securing vulnerable ports
*   Watching for misconfigured firewalls
*   And more

Etay Maor of Cato Networks highlights "Nothing in what several Ransomware groups say organizations need to do is new. These best practices have been discussed for years. The reason they still work is that we try to apply them using disjoint, point solutions. That didn't work and will not work. A SASE, cloud native, architecture, where all security solutions share context and have the capability to see every networks flow and get a holistic view of the attack lifecycle can level the playing field against cyber attacks".

**Ransomware Prevention: An Ongoing Activity**

Just like brushing your teeth or exercising, security hygiene is an ongoing, methodical practice. Ransomware attackers have been known to revisit the crime scene and demand a second ransom, if issues haven't been resolved. By employing security controls that can effectively mitigate security threats and having a proper incident response plan in place, the risks can be minimized, as well as the attackers' pay day. The FBI is here to help and provide information that can assist, let's hope that assistance won't be needed.

To learn more about ransomware attacks and how to prevent them, **Cato Networks' Cyber Security Masterclass series is available for your viewing.**

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#intel