Protections like Windows Smart App Control are useful but susceptible to attacks that allow threat actors initial access to an environment without triggering any alerts.

Source: ozrimoz via Shutterstock

Reputation-based security controls may be less effective at protecting organizations against unsafe Web applications and content than many assume.

A new study by researchers at Elastic Security found attackers have developed several effective techniques over the past few years to bypass mechanisms that block or allow applications and content based on their reputation and trustworthiness.

**Multiple Available Techniques**

The techniques include using digitally signed malware tools to make them appear legit, as well as reputation hijacking, reputation tampering, and specially crafted LNK files. "Reputation-based protection systems are a powerful layer for blocking commodity malware," Elastic Security researcher Joe Desimone wrote in a report this week. "However, like any protection technique, they have weaknesses that can be bypassed with some care."

For the study, the researchers used Microsoft Windows Smart App Control (SAC) and SmartScreen technologies as examples of a reputation-based mechanism for which attackers have developed bypasses.

SmartScreen is a feature that Microsoft introduced with Windows 8 to protect users against malicious website applications and file downloads. It verifies whether files that have the Mark of the Web (MoTW) on them — or files that Windows tags as downloaded from the Internet — can be trusted. Smart App Control became available with Windows 11. It uses Microsoft's threat intelligence service to determine if an application is trustworthy enough to run or not. If the threat intelligence is unable to determine an app's trustworthiness, SAC verifies if the app is digitally signed before allowing it to run.

The researchers at Elastic Security discovered that attackers have multiple ways around these protections.

**LNK Stomping Around MoTW**

One common way that attackers have used as a way around Smart App Control is by signing their malware with an extended validation (EV) SSL certificate, Elastic Security said. Though certificate authorities require proof of identity before they issue an EV to a requesting entity, threat actors have found ways to address this requirement by impersonating legitimate businesses. In other instances, they have used specially crafted and invalid code signing signatures to JavaScript and MSI files to bypass MoTW checks. For the past six years at least, attackers have also abused a weakness in how Windows handles shortcut files (LNK) to essentially strip the MoTW from malicious LNK files and sneak them past SmartScreen said Elastic Security, which has dubbed the tactic "LNK Stomping."

Reputation hijacking — where an attacker exploits the good reputation of trusted applications, websites and other entities — is another tactic. Elastic Security found that attackers often target trusted script hosts — or programs that execute scripts — such as Lua, Node.js, and AutoHotkey for this type of attack. The bypass involves placing malicious content where the trusted script host will automatically find and execute it during its normal course. "Script hosts are an ideal target for a reputation hijacking attack. This is especially true if they include a foreign function interface (FFI) capability," Desimone wrote. "With FFI, attackers can easily load and execute arbitrary code and malware in memory."

Elastic Security also found attackers using a technique called reputation seeding to bypass reputation-based filtering mechanisms. For these attacks, threat actors first introduce their own seemingly benign binaries or executable files into a target system and wait for them to build up a positive reputation over time. Another variation is introducing a legit application with a known vulnerability to a target environment for later use. "Smart App Control appears vulnerable to seeding," Desimone said in his report. "After executing a sample on one machine, it received a good label after approximately 2 hours."

The security vendor recommends that organizations bolster their security by using behavior analysis tools to monitor for common attack tactics such as credential access, enumeration, in-memory evasion, persistence, and lateral movement.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Attackers Use Multiple Techniques to Bypass Reputation-Based Security

As digital threats against US water, food, health care, and other vital sectors loom large, a new project called UnDisruptable27 aims to help fix cybersecurity weaknesses where other efforts have failed.

An endless parade of data breaches, brutally disruptive ransomware attacks, and crippling IT outages has somehow become the norm around the world. And in spite of escalating impacts to critical infrastructure and daily life, progress has been intermittent and often fleeting. Something's gotta give—and at the BSides Las Vegas security conference this week, a longtime critical-infrastructure security researcher is launching a project to communicate with utility operators, municipalities, and regular people in creative ways about both urgency and optimism around protecting critical infrastructure now.

Dubbed UnDisruptable27, the project will start as a pilot with a $700,000 grant for the first year through Craig Newmark Philanthropies' Cyber Civil Defense coalition. Led by Josh Corman, who was chief strategist for the US Cybersecurity and Infrastructure Security Agency's Covid Task Force, in collaboration with the Institute for Security and Technology (IST), the project will focus on the critical interdependence of water, food, emergency medical care, and power as the backbone of human safety. Corman says that the key goal is to foster new discourse about these challenges inspired by the disaster management tenets “inform, influence, inspire.” In other words, people need to understand the risks and feel empowered that they can take action.

“We are overdependent on undependable things. No one should feel comfortable with the potential for harm here with our current state of defense,” Corman told WIRED ahead of the announcement. “Our dependence on connected tech has grown faster than our ability to secure it. People have been doing good things, but public policy takes time, and I think this year we need to cross certain thresholds on the sense of urgency.”

One of Corman's main motivations to launch the effort as quickly as possible came from comments made during a January congressional hearing about the cybersecurity threat China poses to the US. In the hearing, then Cyber Command head and NSA director Paul Nakasone, Cybersecurity and Infrastructure Security Agency director Jen Easterly, FBI director Christopher Wray, and head of the Office of the National Cyber Director Harry Coker Jr. testified about pressing threats to US critical infrastructure, including specific campaigns the Chinese hacking group known as Volt Typhoon has been conducting to pre-position itself in US water infrastructure. The goal of this targeting is apparently to create leverage and a credible threat against the US as part of a Chinese plan to invade Taiwan, potentially in 2027.

“The budgets that emerge from discussions underway now will dictate what kind of resources we have ready in 2027, a year that, as this committee knows all too well, the CCP has circled on its calendar,” Wray told the US House of Representatives committee in January. “And that year will be on us before you know it. As I've described, the PRC is already today putting their pieces in place. I do not want those watching today to think we can't protect ourselves, but I do want the American people to know that we cannot afford to sleep on this danger.”

Having worked on embedded device security and critical infrastructure defense for years, including through the decade-old grassroots computer security and human safety initiative he founded known as I Am the Cavalry, Corman says that it felt significant that some of the nation's top intelligence officials were warning Congress of such specific threats to US infrastructure in an unclassified setting.

“It’s not just that the water goes out, it’s that when the sole wastewater facility in your community is down really bad things start to happen. For example, no water means no hospital,” he says. “I really encountered a lot of this during my leadership of the Covid Task Force. There is such interdependence across the basic functions of society.”

UnDisruptable27 will focus on interacting with communities who aren't reached by Washington, DC-based policy discussions or Information Sharing and Analysis Centers (ISACs), which are meant to represent each infrastructure sector of the US. The project aims to communicate directly with people who actually work on the ground in US critical infrastructure, and grapple together with the reality that cybersecurity-related disasters could impact their daily work.

“There’s a data breach, you get whatever services like identity protection for some period of time, and life carries on, and people think that there’s no long-term impact," says Megan Stifel, IST's chief strategy officer. “There’s this expectation that it’s fine, things will just continue. So we’re very interested in getting after this issue and thinking about how do we tackle critical infrastructure security with perhaps a new approach.”

Corman notes that even though cybersecurity incidents have become a well-known fact of life, business owners and infrastructure operators are often shaken and caught off guard when a cybersecurity incident actually affects them. Meanwhile, when government entities try to impose cybersecurity standards or become a partner on defense initiatives, communities often balk at the intrusion and perceived overreach. Last year, for example, the US Environmental Protection Agency was forced to rescind new cybersecurity guidelines for water systems after water companies and Republicans in Congress filed a lawsuit over the initiative.

“Time and time again, trade associations or lobbyists or owners and operators have an allergic reaction to oversight and say, ‘We prefer voluntary, we’re doing fine on our own,’” Corman says. “And they really are trying to do the right thing. But then also time and time again, people are just shocked that disruption could happen and feel very blindsided. So you can only conclude that the people who feel the pain of our failures are not included in the conversation. They deserve to understand the risks inherent in this level of connectivity. We’ve tried a lot of things, but we have not tried just leveling with people.”

UnDisruptable27 is launching this week for visibility among attendees at BSides as well as the other conferences, Black Hat and Defcon, that will run through Sunday in Las Vegas. Corman says that the goal is to combine the hacker mentality and, essentially, a call for volunteers with plans to work with creative collaborators on producing engaging content to fuel discourse and understanding. Information campaigns using memes and social media posts or moonshots like narrative podcasts and even reality TV are all on the table.

“We must prioritize the security, safety, and resilience of critical infrastructure—including water, health care facilities, and utilities," Craig Newmark, the Craigslist founder whose philanthropy is funding UnDisruptable27, told WIRED. "The urgency of this issue requires affecting human behavior through storytelling.”

A New Plan to Break the Cycle of Destructive Critical Infrastructure Hacks

At least two Russian nationals serving prison sentences for cybercrime offenses, Vladislav Klyushin and Roman Seleznev, were released as part of the landmark prisoner swap.

Source: Blackboard via Shutterstock

A convicted dealer of credit card accounts and identity documents and a hacker who helped steal sensitive data from companies to inform stock trades were among the eight Russian nationals traded last week to that country's government in exchange for 16 imprisoned Americans and Europeans.

In the most extensive prisoner exchange since the Cold War, the United States and its allies traded eight convicted Russian nationals — including cybercriminals Vladislav Klyushin and Roman Valeryevich Seleznev — for the release of four Americans, five Germans, and seven Russian political prisoners. Since 2017, Seleznev has been serving a 14-year sentence for participating in a massive cyber-fraud ring that stole more than $9 million from banks and $50 million in consumer losses. Klyushin was sentenced in September 2023 to nine years in prison for taking part in a hack-and-trade scheme.

The fact that the two cybercriminals were included in the exchange shows the importance that the Russian government puts on cyber operations, says Waithera Junghae, associate on the incident response team at S-RM, a global corporate intelligence and cyber security consultancy.

"Cyber activity aligns closely with real-world events such as conflict in Russia-Ukraine, and therefore it's perhaps not unsurprising that we see individuals engaged in this activity feature in negotiations and resulting releases," she says.

The massive exchange involved US diplomacy as well as the cooperation of at least five allies: Germany, Norway, Poland, Slovenia, and Turkey. The United States and its allies gained the release of three American citizens, an American green card holder, five German citizens, and seven Russian political prisoners, according to the White House. In addition to the two cybercriminals, Russia freed Vadim Krasikov, previously held by Germany after being convicted of assassinating a Chechen separatist in Berlin, news reports stated.

In remarks on Aug. 1, President Joe Biden stressed that the five countries who helped make the deal possible — either by releasing prisoners or in helping with logistics — showed the importance of the United States' alliance partners.

"They all stepped up, and they stood with us," Biden said. "They stood with us, and they made bold and brave decisions, released prisoners being held in their countries who were justifiably being held, and provided logistical support to get the Americans home. So, for anyone who questions whether allies matter, they do. They matter."

**Cybercriminals Pursued Unique Approaches**

The two cybercriminals released by US authorities included Klyushin, 42, who monetized hacks in an uncommon — if not unique — way. The Russian businessman, who owned the Moscow-based IT-security firm M-13, worked with four other co-conspirators to steal information on corporate earnings from publicly traded businesses, making trades around more than 2,000 "earnings events," according to a statement by the US Attorney's Office for the District of Massachusetts. The scheme netted the group around $93 million.

The "hack-to-trade" scheme is not unique, but it is a rare way for financially motivated cybercriminals to make money, Junghae says.

"Financially motivated cybercriminals typically opt for the quickest and easiest routes to make money, including encrypting and exfiltrating data or engaging in payment diversion schemes," she says. "However, in this particular case, Klyushin's strategy involved hacking companies to obtain confidential information for trading purposes."

Meanwhile, Seleznev — as part of the credit-card theft ring, Carder.su — created an automated portal for selling credit card data, allowing members to log in, search for specific types of account holders and card information, and then purchase the data by checking out. Seleznev, who used the handles Track2, Bulba, and Ncux, was sentenced to 14 years in prison in 2017, following a guilty plea. Law enforcement charged more than 55 individuals related to Carder.su as part of a concerted investigation dubbed Operation Open Market.

The scale and ease of the cybercriminal operation made Selznev, a pioneer at the time, Junghae says.

"High-profile cases like Seleznev's can embolden other cybercriminals, encouraging them to pursue similar activities under the belief that they too can evade detection and prosecution," she says. "The techniques and methods Seleznev employed can be adapted and refined by other criminals, thereby enhancing their capabilities."

**Not a Major Factor for Law Enforcement**

Some international policy experts have argued that the successful negotiated release of legitimately convicted Russian criminals poses a risk: Rogue governments could be incentivized to trump up charges and arrest other nations' citizens. Since 2021, the Biden administration has negotiated the release of prisoners from Russia, Iran, and Venezuela, according to Reuters.

"While it is or would be great to have these individuals released, it underscores how hostage-taking has become a prominent and frequent — if not growing — element of Russian strategy toward the U.S. and the West," Ian Brzezinski, a former US defense official, told Reuters.

Yet, the prisoner exchange will not change how law enforcement agencies pursue and prosecute cybercriminals, S-RM's Junghae says.

"This was an historic move, years in the making, that likely won't be repeated for some time," she says. "So, it would be remiss for countries and their government administrations to base future activity around further negotiated releases."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Russia's Priorities in Prisoner Swap Suggest Cyber Focus

The RaaS group that distributes Hive ransomware delivers new malware impersonating as validly signed network-administration software to gain initial access and persistence on targeted networks

Source: David Chapman via Alamy Stock Photo

An emerging threat group that's made a meteoric rise to the top of the ransomware food chain has a new tool in its arsenal with a novel remote access Trojan (RAT). The group is using the tool in attacks that appear to be targeting IT professionals.

Researchers from Quorum Cyber revealed in a recent blog post that Hunters International, active since last October, is deploying Hive ransomware. The group uses the new malware, dubbed SharpRhino, first to gain access to targeted infrastructure and then to establish persistence and allow attackers to maintain remote access to the device.

SharpRhino compromises systems disguised as the open source network-administration tool Angry IP Scanner through typosquatting domains. Because Angry IP Scanner is open source, attackers can abuse and misuse valid code-signing certificates to make it look like a network admin is downloading software that has a valid certificate but instead is installing the malware, according to the post.

Upon execution, SharpRhino establishes persistence and provides the attackers with remote access to the device, which they then use to launch a typical ransomware attack using Hive ransomware. Hunters International acquired the malware from its original owners, a group that disbanded after it was taken out by international law enforcement soon after its inception.

"Using previously unseen techniques, the malware is able to obtain a high level of permission on the device in order to ensure the attacker is able to further their targeting with minimal disruption," Quorum Cyber threat intelligence analyst Michael Forret wrote in the post.

**Evolution of a Ransomware Group**

SharpRhino demonstrates the progression of Hunters International, a group linked to Russia. In the first seven months of 2024, the group claimed responsibility for 134 attacks. It has quickly risen to ascendance as the 10th most active ransomware group in 2024 thanks to its possession of Hive.

Leveraging the ransomware, the group has positioned itself as a ransomware-as-a-service (RaaS) provider that works with less sophisticated actors to do much of its dirty work, allowing it to spread Hive more quickly. "Being a RaaS provider is highly likely a main cause for their fast rise to notoriety," Forret wrote.

Like many other ransomware operators, Hunters International exfiltrates data from victim organizations prior to encrypting files, then changes file extensions to .locked and leaves a README message guiding recipients to a chat portal on the Tor network for payment instructions.

"The encryptor itself exhibits a sophisticated design, coded in Rust, a programming language increasingly favoured by cybercriminals for its security features, efficiency, and resistance to reverse engineering," Forret wrote. "This tactic is in line with the evolution observed in the ransomware development, with notable examples including both Hive and BlackCat."

**Disguised as Legitimate Software**

The researchers analyzed a sample of SharpRhino that used a valid certificate signed by the J-Golden Strive Trading Co. Ltd. The file that delivered the malware was a Nullsoft Scriptable Installer System (NSIS)-packed executable, a common file that most compression tools like 7-Zip can understand and read, Forret observed.

The installer system establishes persistence by modifying the Run\\UpdateWindowsKey registry with the shortcut for Microsoft.AnyKey, and establishes two directories on the C:\\ProgramData\\Microsoft — called WindowsUpdater24 and another called LogUpdateWindows — to facilitate multiple channels to Hunters International's command and control (C2) as "a fallback mechanism," Forret noted.

"If the folder WindowsUpdater24 and its contents are discovered by a security engine or professional, there exists the possibility that the persistence mechanism will remain, and the device will remain infected,” he wrote.

Ultimately, SharpRhino's purpose in an attack is to give Hunters International persistence and control over a targeted system to "launch a sophisticated ransomware attack" for financial gain, which the group does without prioritizing any sector or region but instead by targeting "via opportunistic means," Forret wrote.

Qurom Cyber included a list of indicators of compromise for SharpRhino so organizations can identify if network administrators accidentally downloaded the RAT instead of the legitimate tool they believed to be deploying. It also provided Mitre ATT&CK Mapping for the RAT's defense and evasion, discovery, privilege escalation, execution, persistence, and C2 processes.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Hunters International Disguises SharpRhino RAT as Legitimate Network Admin Tool

INTERPOL said it devised a "global stop-payment mechanism" that helped facilitate the largest-ever recovery of funds defrauded in a business email compromise (BEC) scam. 
The development comes after an unnamed commodity firm based in Singapore fell victim to a BEC scam in mid-July 2024. It refers to a type of cybercrime where a malicious actor poses as a trusted figure and uses email to

INTERPOL said it devised a "global stop-payment mechanism" that helped facilitate the largest-ever recovery of funds defrauded in a business email compromise (BEC) scam.

The development comes after an unnamed commodity firm based in Singapore fell victim to a BEC scam in mid-July 2024. It refers to a type of cybercrime where a malicious actor poses as a trusted figure and uses email to trick targets into sending money or divulging confidential company information.

Such attacks can take place in myriad ways, including gaining unauthorized access to a finance employee or a law firm's email account to send fake invoices or impersonating a third-party vendor to email a phony bill.

"On 15 July, the firm had received an email from a supplier requesting that a pending payment be sent to a new bank account based in Timor-Leste," INTERPOL said in a press statement. "The email, however, came from a fraudulent account spelled slightly different to the supplier's official email address."

The Singaporean company is said to have transferred $42.3 million to the non-existent supplier on July 19, only for it to realize the blunder on July 23 after the actual supplier said it had not been compensated.

However, by taking advantage of INTERPOL's Global Rapid Intervention of Payments (I-GRIP) mechanism, authorities in Singapore managed to detect $39 million and froze the counterfeit bank account a day later.

Separately, seven suspects have been arrested in the Southeast Asian nation in connection with the scam, leading to the further recovery of $2 million.

Back in June, I-GRIP was used to trace and intercept the illicit proceeds stemming from fiat and cryptocurrency crime, successfully recovering millions and intercepting hundreds of thousands of BEC accounts as part of a global police operation named First Light.

"Since its launch in 2022, INTERPOL's I-GRIP mechanism has helped law enforcement intercept hundreds of millions of dollars in illicit funds," the agency said.

"INTERPOL is encouraging businesses and individuals to take preventative steps to avoid falling victim to business email compromise and other social engineering scams."

The disclosure follows the law enforcement seizure of an online digital wallet and cryptocurrency exchange known as Cryptonator for allegedly receiving criminal proceeds of computer intrusions and hacking incidents, ransomware scams, various fraud markets, and identity theft schemes.

Cryptonator, launched in December 2013 by Roman Boss, has also been accused of failing to institute appropriate anti-money laundering controls in place. The U.S. Justice Department indicted Boss for founding and operating the service.

Blockchain intelligence firm TRM Labs said the platform facilitated more than 4 million transactions worth a total of $1.4 billion, with Boss taking a small cut from each transaction. This comprised money exchanged with darknet markets, scam wallet addresses, high-risk exchanges, ransomware groups, crypto theft operations, mixers, and sanctioned addresses.

Specifically, cryptocurrency addresses controlled by Cryptonator transacted with darknet markets, virtual exchanges, and criminal marketplaces like Bitzlato, Blender, Finiko, Garantex, Hydra, Nobitex, and an unnamed terrorist entity.

"Hackers, darknet market operators, ransomware groups, sanctions evaders and others threat actors gravitated to the platform to exchange cryptocurrencies as well as cash out crypto into fiat currency," TRM Labs noted.

The popularity of cryptocurrency has created plenty of opportunities for fraud, with threat actors constantly devising new ways to drain victims' wallets over the years.

Indeed, a recent report from Check Point found that fraudsters are abusing legitimate blockchain protocols like Uniswap and Safe.global to conceal their malicious activities and siphon funds from cryptocurrency wallets.

"Attackers leverage the Uniswap Multicall contract to orchestrate fund transfers from victims' wallets to their own," researchers said. "Attackers have been known to use the Gnosis Safe contracts and framework, coaxing unsuspecting victims into signing off on fraudulent transactions."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

INTERPOL Recovers $41 Million in Largest Ever BEC Scam in Singapore

The AI boom and increasing popularity of quantum computing necessitates quantum-resilient security.

David O'Berry, vCISO Cyber Resiliency and Enterprise Converged OT/IT/IIoT Cyber, North America Cybersecurity Practice, Capgemini

August 6, 2024

4 Min Read

Source: Science Photo Library via Alamy Stock Photo

COMMENTARY

Quantum computing has been projected to enable market-defining and life-changing capabilities since its inception more than three decades ago. From financial portfolio optimization and improved electric vehicle (EV) battery production to enhanced drug discovery and advanced semiconductor manufacturing, quantum computers can perform complex calculations at faster speeds than both traditional and super computers. 

Thanks to the recent artificial intelligence (AI) boom, quantum computing is predicted to become even more significant in the coming years. Quantum computers will facilitate advancements in AI algorithms — better known as quantum AI or QAI. These quantum-enabled AI models will be faster as well as more accurate and efficient, due to quantum computers' parallel processing abilities that can simultaneously solve complex problems and prepare large datasets. This also means that quantum computing can deliver more energy-efficient AI algorithms, as well as hybrid architecture, neural network-enabled data modeling, and improved AI and data security.

Despite the positivity surrounding quantum computing, there is also a dark side to this burgeoning technology. Cybersecurity criminals are increasingly using quantum computing techniques to attack enterprises and break encryptions. It is believed that in the next five to 10 years, quantum computers will be able to break the majority of today's cryptographic algorithms.

This reality leaves corporate leaders and cybersecurity experts with one choice — prepare for the future of post-quantum cryptography (PQC) before it's too late.

**Current State of Post-Quantum Cryptography**

Encryption has been a highly divisive cybersecurity tool in the United States for several decades. In fact, if it was not for the work of experts like Phil Zimmerman catalyzing public-private discussion during the Crypto Wars, we could be living in a more vulnerable world, where encryption was still widely outlawed. 

Fortunately, after years of debate and a growing onslaught of concerning cyberattacks, cryptography is now a broadly accepted security technique, backed by the US government. Encryption is used to protect everything from emails to cryptocurrencies to private wireless networks. However, of all the cryptographic applications, post-quantum cryptography in particular is now the gold standard.

In 2022, Congress passed the Quantum Computing Cybersecurity Preparedness Act to ensure all federal entities will have quantum-resilient plans and technology in the coming years. The National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and National Institute of Standards and Technology (NIST) also collectively developed the "Quantum Readiness: Migration to Post-Quantum Cryptography" information sheet last year, to advise US defense agencies and private enterprises alike on the new reality of cybersecurity in our post-quantum world. 

This surge in PQC legislation is largely due to the fact that most of our existing encryption is weak and cannot withstand a quantum-enabled attack. And while there is some work being done to advance quantum-proof algorithms, it is not nearly enough. Organizations across industries will be subjected to quantum-led attacks, including government agencies, financial and insurance enterprises, government suppliers — such as aerospace and defense companies — and corporations managing critical infrastructure like telcos and utilities. In other words, PQC is a matter of national security and personal privacy. 

**Bolstering Unbreakable Security**

Cyber leaders have always been tasked with preparing for the unpredictable, but now perhaps for the first time, they must prepare for the unknown. Cyber teams have limited knowledge of both quantum-enabled attacks and quantum-resistant encryption. So how can leaders across sectors bolster their defenses in the unfolding era of PQC?

To start, preparations should begin with risk assessments and inventories to help organizations understand where they have cryptographic gaps. Cyber teams should ask themselves where and how they are using encryption. Moreover, they should identify the various kinds of encryption algorithms and their current use cases across the enterprise. This will, in turn, help companies achieve crypto agility across systems. 

Leaders must also enable a cultural and technological reset. Most cybersecurity professionals will need to be trained to identify, mitigate, respond to, and even predict and prevent quantum-driven threats. These upskilling and reskilling initiatives will typically require third-party support from cyber vendors with deep expertise in quantum technologies.

In order to ultimately protect data and secure AI models using post-quantum cryptographic protocols, algorithms, and systems, organizations will also have to revamp their key management strategy, public key infrastructure deployments, and certificate life cycle management practices. 

The AI boom and increasing popularity of quantum computing necessitates quantum-resilient security. The US government has seen the writing on the wall — and now, enterprises must meet the unknown head-on as well. 

**About the Author**

vCISO Cyber Resiliency and Enterprise Converged OT/IT/IIoT Cyber, North America Cybersecurity Practice, Capgemini

David currently leads the vCISO Practice for the Converged OT/IT, Enterprise, and Cyber Resilience Towers for the North America Cybersecurity Practice at Capgemini. In this role, David also works on the creation of Capgemini’s Cybersecurity Delivery Center of Excellence in North America. Most recently, David served as the chief architect for a large North American utility, helping to lead a $100 million-plus cybersecurity transformation initiative. David has more than 30 years of experience in IT, OT, converged IT/OT, network security, and consulting services.

Preparing for the Future of Post-Quantum Cryptography

Everyone loves the double-agent plot twist in a spy movie, but it’s a different story when it comes to securing company data. Whether intentional or unintentional, insider threats are a legitimate concern. According to CSA research, 26% of companies who reported a SaaS security incident were struck by an insider. 
The challenge for many is detecting those threats before they lead to full

SaaS Security / Threat Detection

Everyone loves the double-agent plot twist in a spy movie, but it's a different story when it comes to securing company data. Whether intentional or unintentional, insider threats are a legitimate concern. According to CSA research, 26% of companies who reported a SaaS security incident were struck by an insider.

The challenge for many is detecting those threats before they lead to full breaches. Many security professionals assume there is nothing they can do to protect themselves from a legitimate managed user who logs in with valid credentials using a company MFA method. Insiders can log in during regular business hours, and can easily justify their access within the application.

Cue the plot twist: With the right tools in place, businesses _can_ protect themselves from the enemy from within (and without).

Learn how to secure your entire SaaS stack from both internal and external threats

**Subduing Identity-Centric Threats with ITDR**

In SaaS security, an Identity Threat Detection & Response (ITDR) platform looks for behavioral clues that indicate an app has been compromised. Every event in a SaaS application is captured by the application's event logs. Those logs are monitored, and when something suspicious takes place, it raises a red flag, called an Indicator of Compromise (IOC).

With outside threats, many of these IOCs relate to login methods and devices, as well as user behavior once they've gained access. With insider threats, IOCs are primarily behavioral anomalies. When IOCs reach a predetermined threshold, the system recognizes that the application is under threat.

Most ITDR solutions primarily address endpoint and on-prem Active Directory protection. However, they are not designed to address SaaS threats, which require deep expertise in the application and can only be achieved by cross-referencing and analyzing suspicious events from multiple sources.

**Examples of Insider Threats in the World of SaaS**

*   **Data Theft or Data Exfiltration:** Excessive downloading or sharing of data or links, particularly when sent to personal email addresses or third parties. This may occur after an employee has been laid off and believes the information could be useful in their next role, or if the employee is very unhappy and has malicious intentions. The stolen data may include intellectual property, customer information, or proprietary business processes.
*   **Data Manipulation**: The deletion or modification of critical data within the SaaS application, potentially causing financial loss, reputational damage, or operational disruption.
*   **Credential Misuse**: Sharing of login credentials with unauthorized users, either intentionally or unintentionally, allowing access to sensitive areas of the SaaS application.
*   **Privilege Abuse:** A privileged user takes advantage of their access rights to modify configurations, bypass security measures, or access restricted data for personal gain or malicious intent.
*   **Third-Party Vendor Risks:** Contractors or third-party vendors with legitimate access to the SaaS application misuse their access.
*   **Shadow Apps:** Insiders install unauthorized software or plugins within the SaaS environment, potentially introducing vulnerabilities or malware. This is unintentional but is still introduced by an insider.

Each of these IOCs on their own doesn't necessarily indicate an insider threat. There may be legitimate operational reasons that can justify each action. However, as IOCs accumulate and reach a predefined threshold, security teams should investigate the user to understand why they are taking these actions.

Take a deeper look at how ITDR works together with SSPM

**How ITDR and SSPM Work Together to Prevent and Detect Insider Threats**

The Principle of Least Privilege (PoLP) is one of the most important approaches in the fight against insider threats, as most employees typically have more access than required.

SaaS Security Posture Management (SSPM) and ITDR are two parts of a comprehensive SaaS security program. SSPM focuses on prevention, while ITDR focuses on detection and response. SSPM is used to enforce a strong Identity-First Security strategy, prevent data loss by monitoring share settings on documents, detect shadow apps used by users and monitor compliance with standards designed to detect insider threats. Effective ITDRs enable security teams to monitor users engaging in suspicious activity, enabling them to stop insider threats before they can cause significant harm.

Get a 15 minute demo and learn more about ITDR and it's different use cases

Note:

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Suspicious Minds: Insider Threats in The SaaS World

Home users are being targeted by a ransomware called Magniber which locks up files and demands money for the key.

If you’ve been following any news about ransomware, you may be under the impression that ransomware groups are only after organizations rather than individual people, and for the most part that’s true.

However, Magniber is one ransomware that does target home users. And it’s back, with full force, demanding four figure ransoms to unencrypt data.

BleepingComputer, which has a dedicated forum for ransomware victims, reports:

> “A massive Magniber ransomware campaign is underway, encrypting home users’ devices worldwide and demanding thousand-dollar ransoms to receive a decryptor.”

This surge was confirmed by ID-Ransomware, which helps users to identify the ransomware family that has infected their systems. ID-Ransomware has received well over 700 requests from visitors who had their files encrypted by Magniber since July 20, 2024. Malwarebytes’ telemetry also shows an uptick in Magniber detections in July.

Magniber first emerged in 2017 when it 2024 targeted South Korean systems. In 2018, it started infecting computers with a much more developed version which also targeted other Asian countries like Malaysia, Taiwan, and Hong Kong.

The new campaign does not limit itself to specific regions and uses tried and trusted methods to reach home users’ systems. The ransomware is often disguised in downloads for cracks or key generators of popular software, as well as fake updates for Windows or browsers. In some cases, the group takes advantage of unpatched Windows vulnerabilities.

When infected, victims are presented with this ransom notice:

> Your important files have been encrypted due to the suspicion of the illegal content download!
> 
> Your files are not damaged! Your files are modified only. This modification is reversible.
> 
> Any attempts to restore your files with the third party software will be fatal to your files!
> 
> To receive the private key and decryption program follow the instructions below:

The instructions will tell you to visit a website which can only be reached by using the Tor browser.

Once the ransomware has encrypted the targeted files, it will typically request a ransom in the region of $1,000 which is raised to around $5,000 if the victim does not pay within three days. Unfortunately, old decryptors that were available for free don’t work for this version.

**How home users can prevent ransomware**

There are some rules that can help you avoid falling victim to this type of ransomware:

*   Make sure your system and software are on the latest version. Criminals will exploit known holes that have been patched by the vendors but not updated everywhere.
*   Run a trusted anti-malware solution.
*   Never download illegal software, cracks, and key generators.
*   Use a malicious content blocker to stop your browser from visiting bad sites.
*   Don’t open unexpected email attachments.
*   Don’t click on links before checking where they will take you.

If you do accidentally get caught by ransomware, we recommend you don’t pay. There’s no guarantee you’ll get your files back, and you’ll be helping to line the pockets of criminals.

Malwarebytes Artificial Intelligence module blocks the latest Magniber versions as Malware.AI.{ID-nr}. Older versions will be detected as Ransom.Magniber or Ransom.Magniber.Generic.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Magniber ransomware targets home users 

Researchers say "LianSpy" malware has been in use in a covert data gathering operation that's gone undetected for at least three years.

Source: Tero Vesalainen via Shutterstock

An unknown — and likely state-sponsored — threat actor has been using a previously unseen mobile spyware tool to spy on an unknown number of Android smartphone users. This activity has been ongoing for at least three years, according to researchers.

Until now, the campaign has focused mainly on targeted individuals in Russia, according to researchers at Kaspersky, who are tracking the threat as LianSpy. But the tactics that the spyware operators used in deploying the malware could be easily applied in other regions as well, Kaspersky says.

**Post-Exploit Malware**

"LianSpy is a post-exploitation Trojan, meaning that the attackers either exploited vulnerabilities to root Android devices, or modified the firmware by gaining physical access to victims' devices," Kaspersky researcher Dmitry Kalinin wrote in a blog post this week. "It remains unclear which vulnerability the attackers might have exploited in the former scenario."

LianSpy is the latest in a fast-growing list of spyware tools. The list includes widely deployed products such as the NSO Group's Pegasus Software and the Intellexa alliance's Predator. Researchers have discovered these malware instances targeting iPhone and Android smartphone users in recent years. The main purchasers — and users — of these tools are typically governments and intelligence agencies that want to spy on dissidents, political opponents and other persons of interest to them.

In many instances — as was the case with last year's Operation Triangulation iOS spyware campaign — the purveyors of mobile spyware tools have exploited zero-day flaws in Android and iOS to deliver and/or run their malware on target devices. In other instances, including one involving an Android spyware tool dubbed BadBazaar last year and another espionage tool dubbed SandStrike in 2022, threat actors have distributed spyware via fake versions of popular applications on official mobile app stores.

**A Three Year Campaign**

Kaspersky researchers first stumbled on LianSpy in March 2024 and quickly determined that the entity behind it has been using the spyware tool since July 2021. Their analysis reveals that the attackers are likely distributing the malware disguised as systems applications and financial applications.

Unlike some so-called zero-click spyware tools, LianSpy's ability to function depends, to a certain extent, on user interaction.  When launched, the malware first checks to see if it has the required permissions to execute its mission on the victim's device. If it does not have the required permissions, the malware prompts the user to provide them. When LianSpy obtains permission, it registers what is known as an Android Broadcast Receiver to receive and respond to system events such as booting, low battery, and network changes. Kaspersky researchers found LianSpy is using super user binary with a modified name ("mu" instead of "su") to try and gain root access on a victim device. Kaspersky officials say this as an indication that the threat actor delivered the malware after first gaining access to the device another way.

"Upon launch, the malware hides its icon on the home screen and operates in the background using root privileges," Kalinin wrote. "This allows it to bypass Android status bar notifications, which would typically alert the victim that the smartphone is actively using the camera or microphone."

**Data Harvesting and Exfiltration**

LianSpy's primary function is to quietly monitor user activity by intercepting call logs, recording the device screen especially when the user is sending or receiving messages and enumerating all installed apps on the victim device. The threat actor behind the malware has not used private infrastructure for communicating with the malware or storing harvested data. Instead, the attacker has been using public cloud platforms and pastebin services for these functions.

"The threat actor leverages Yandex Disk for both exfiltrating stolen data and storing configuration commands. Victim data is uploaded into a separate Yandex Disk folder," Kaspersky said in a technical writeup on the malware.

One interesting aspect about LianSpy, according to Kaspersky, is how the malware uses its root privileges on a compromised device. Instead of using its superuser status to take complete control of a device, LianSpy uses just enough of the functionality available to carry out its mission in a quiet fashion. "Interestingly, root privileges are used so as to prevent their detection by security solutions," the security vendor says. Kaspersky researchers also found LianSpy to be using both symmetric and asymmetric keys for encrypting the data it exfiltrates, which makes victim identification impossible.

"Beyond standard espionage tactics like harvesting call logs and app lists, it leverages root privileges for covert screen recording and evasion," Kalinin said. "Unlike financially motivated spyware, LianSpy's focus on capturing instant message content indicates a targeted data-gathering operation."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Sophisticated Android Spyware Targets Users in Russia

A ransomware group called Dark Angels made headlines this past week when it was revealed the crime group recently received a record $75 million data ransom payment from a Fortune 50 company. Security experts say the Dark Angels have been around since 2021, but the group doesn't get much press because they work alone and maintain a low profile, picking one target at a time and favoring mass data theft over disrupting the victim's operations.

A ransomware group called **Dark Angels** made headlines this past week when it was revealed the crime group recently received a record $75 million data ransom payment from a Fortune 50 company. Security experts say the Dark Angels have been around since 2021, but the group doesn’t get much press because they work alone and maintain a low profile, picking one target at a time and favoring mass data theft over disrupting the victim’s operations.

Image: Shutterstock.

Security firm **Zscaler** **ThreatLabz** this month ranked Dark Angels as the top ransomware threat for 2024, noting that in early 2024 a victim paid the ransomware group $75 million — higher than any previously recorded ransom payment. ThreatLabz found Dark Angels has conducted some of the largest ransomware attacks to date, and yet little is known about the group.

**Brett Stone-Gross**, senior director of threat intelligence at ThreatLabz, said Dark Angels operate using an entirely different playbook than most other ransomware groups. For starters, he said, Dark Angels does not employ the typical ransomware affiliate model, which relies on hackers-for-hire to install malicious software that locks up infected systems.

“They really don’t want to be in the headlines or cause business disruptions,” Stone-Gross said. “They’re about making money and attracting as little attention as possible.”

Most ransomware groups maintain flashy victim leak sites which threaten to publish the target’s stolen data unless a ransom demand is paid. But the Dark Angels didn’t even have a victim shaming site until April 2023. And the leak site isn’t particularly well branded; it’s called **Dunghill Leak**.

The Dark Angels victim shaming site, Dunghill Leak.

“Nothing about them is flashy,” Stone-Gross said. “For the longest time, they didn’t even want to cause a big headline, but they probably felt compelled to create that leaks site because they wanted to show they were serious and that they were going to post victim data and make it accessible.”

Dark Angels is thought to be a Russia-based cybercrime syndicate whose distinguishing characteristic is stealing truly staggering amounts of data from major companies across multiple sectors, including healthcare, finance, government and education. For large businesses, the group has exfiltrated between 10-100 terabytes of data, which can take days or weeks to transfer, ThreatLabz found.

Like most ransom gangs, Dark Angels will publish data stolen from victims who do not pay. Some of the more notable victims listed on Dunghill Leak include the global food distribution firm **Sysco**, which disclosed a ransomware attack in May 2023; and the travel booking giant **Sabre**, which was hit by the Dark Angels in September 2023.

Stone-Gross said Dark Angels is often reluctant to deploy ransomware malware because such attacks work by locking up the target’s IT infrastructure, which typically causes the victim’s business to grind to a halt for days, weeks or even months on end. And those types of breaches tend to make headlines quickly.

“They selectively choose whether they want to deploy ransomware or not,” he said. “If they deem they can encrypt some files that won’t cause major disruptions — but will give them a ton of data — that’s what they’ll do. But really, what separates them from the rest is the volume of data they’re stealing. It’s a whole order of magnitude greater with Dark Angels. Companies losing vast amounts of data will pay these high ransoms.”

So who paid the record $75 million ransom? **Bleeping Computer** posited on July 30 that the victim was the pharmaceutical giant **Cencora** (formerly **AmeriSourceBergen Corporation**), which reported a data security incident to the **U.S. Securities and Exchange Commission** (SEC) on February 21, 2024.

The SEC requires publicly-traded companies to disclose a potentially material cybersecurity event within four days of the incident. Cencora is currently #10 on the Fortune 500 list, generating more than $262 billion in revenue last year.

Cencora did not respond to questions about whether it had made a ransom payment in connection with the February cybersecurity incident, and referred KrebsOnSecurity to expenses listed under “Other” in the restructuring section of their latest quarterly financial report (PDF). That report states that the majority of the $30 million cost in “Other” was associated with the breach.

Cencora’s quarterly statement said the incident affected a standalone legacy information technology platform in one country and the foreign business unit’s ability to operate in that country for approximately two weeks.

Cencora’s 2024 1st quarter report documents a $30 million cost associated with a data exfiltration event in mid-February 2024.

In its most recent State of Ransomware report (PDF), security firm **Sophos** found the average ransomware payment had increased fivefold in the past year, from $400,000 in 2023 to $2 million. Sophos says that _in more than four-fifths (82%) of cases funding for the ransom came from multiple sources_. Overall, 40% of total ransom funding came from the organizations themselves and 23% from insurance providers.

Further reading: ThreatLabz ransomware report (PDF).

Tag

#intel