A new executive order tries to reassure Europeans that their data is safe on US soil, despite government surveillance.

The United States is not going to stop spying on Europeans’ data, but it is going to make sure that spying is “proportionate.” This was the reassurance that US President Joe Biden offered concerned citizens across the Atlantic today by signing an executive order designed to restart the easy flow of data between Europe and the US.

For years, companies have been shuttling customer information between the two regions. “Transatlantic data flows are critical to enabling the $7.1 trillion EU-US economic relationship,” the White House said today. But two years ago, the EU Court of Justice in Luxembourg ruled that Europeans’ data sent to the US risked being snooped on by intelligence agencies, such as the US National Security Agency. As a result, the agreement that allowed companies to easily transfer data between the US and Europe was ripped up. Businesses instead had to make do with a costly and complex temporary replacement.

Biden’s executive order brings a new EU-US data privacy agreement one step closer and aims to restore trust among Europeans’ concerned by US government surveillance. The order creates a new body within the US Department of Justice that will oversee how US national security agencies access both Europeans’ and Americans’ data. But privacy campaigners say the order simply copies the wording of European law (adding in terms like _proportionate_ and _necessary_) without making any real changes. “We do not see a ban on bulk surveillance and no actual limitations,” says Max Schrems, the Austrian privacy activist whose legal complaint against Facebook eventually dismantled the transatlantic data pact back in 2020.

Before then, around 5,000 businesses had been sending data back and forth across the Atlantic under a system called Privacy Shield. “The pre-Schrems system worked,” says Morgan Reed, president of the App Association, which represents small- and medium-size companies, mostly app developers. But the EU court ruling made the Privacy Shield system suddenly invalid, plunging thousands of companies into legal limbo.

Although the court decision did not stop transfers, it made them more complicated. “What the Schrems decision did was raise costs and concern for a lot of small companies that don't have giant compliance departments’ and fleets’ worth of lawyers to do what are called standard contractual clauses,” says Reed. Standard contractual clauses are time-consuming data transfer agreements that force companies to take steps to assess whether they are safely moving data around the world. 

Companies that have spent the past two years wrestling with these clauses are pleased by the order; they want to get back to business as usual. The executive order is the next step in the US and EU reaching a new privacy agreement. “We appreciate President Biden’s action to keep data flowing between the US and EU, underpinning one of our deepest and most mutually beneficial trading relationships,” says Matt Schruers, president of the Computer and Communications Industry Association (CCIA), a lobbying group that represents tech giants including Google, Amazon, and Apple.

At Workday, a California-based HR software provider with more than 2,000 customers headquartered in Europe, the mood is optimistic. Chandler Morse, vice president of corporate affairs, believes this is evidence that the US and EU can reach an agreement on more than just the privacy shield problem. “There's a number of other tech issues that are pending in the EU-US bilateral, so for many of us this is a positive sign that the EU and the US can work together,” he says, adding that the EU AI Act and Data Act could also be beneficiaries of this new cooperation.

Yet privacy campaigners are not impressed—either by greater collaboration or Biden’s offer of a so-called Data Protection Review Court, which will allow EU citizens to challenge how US security agencies use their data.

“However much the US authorities try to paper over the cracks of the original Privacy Shield, the reality is that the EU and US still have a different approach to data protection which cannot be canceled out by an executive order,” says Ursula Pachl, deputy director general of the European Consumer Organization (BEUC). “The moment EU citizens’ data travels across the Atlantic, it will not be afforded similar protections as in the EU.”

Biden’s executive order will now be sent to Brussels, where EU officials could spend up to six months scrutinizing the details. A new data agreement is expected to be ready around March 2023, although privacy activists are expected to challenge the ruling in court. “The order is never going to be enough for the privacy community in Europe,” says Tyson Barker, head of technology and global affairs at the German Council on Foreign Relations.

The European Commission believes the new agreement could survive a court challenge. But the US has been quietly hedging its bets, says Barker. At a conference in October 2021, Christopher Hoff, deputy assistant secretary for services in the Biden Administration, said he supported the global expansion of a rival privacy agreement—the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules system. “The United States wants to say, actually, we have an alternative and we'd like to set this as the global standard,” Barker adds.

Schrems, however, is not worried about another privacy agreement curbing the EU’s influence. “I don’t personally care what standards other countries prefer,” he says. “I know the law in the EU.”

Biden’s Privacy Order Slaps a Band-Aid on the EU-US Data Crisis

A buffer underflow vulnerability exists in the way Hword of Hancom Office 2020 version 11.0.0.5357 parses XML-based office files. A specially-crafted malformed file can cause memory corruption by using memory before buffer start, which can lead to code execution. A victim would need to access a malicious file to trigger this vulnerability.

**SUMMARY**

A buffer underflow vulnerability exists in the way Hword of Hancom Office 2020 version 11.0.0.5357 parses XML-based office files. A specially-crafted malformed file can cause memory corruption by using memory before buffer start, which can lead to code execution. A victim would need to access a malicious file to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Hancom Office 2020 Hancom Office 2020 11.0.0.5357

**PRODUCT URLS**

Hancom Office 2020 - https://office.hancom.com/

**CVSSv3 SCORE**

7.8 - CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

**CWE**

CWE-124 - Buffer Underwrite (‘Buffer Underflow’)

**DETAILS**

Hancom Office is considered one of the more popular Office suites used within South Korea.

After enabling PageHeap for the application and HwordApp.dll, attempting to open the malicious file results in the following exception in the debugger:

    (150c.1f44): Access violation - code c0000005 (first/second chance not available)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=131d1490 ebx=00ef9fa4 ecx=dcbaaaaa edx=00000001 esi=00ef9f64 edi=00ef9ea0
    eip=6a55d80c esp=00ef9dac ebp=00ef9de4 iopl=0         nv up ei pl zr na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200246
    HwordApp!SetInitFontCallbackFunc+0x4f619c:
    6a55d80c 8b01            mov     eax,dword ptr [ecx]  ds:002b:dcbaaaaa=????????
    

A few assembly instructions prior, we see the following code (we assume the HwordApp.dll is loaded at the base address of 0x6a010000):

    .text:6A55D803 loc_6A55D803:
    .text:6A55D803 mov     eax, [esi+0A30h]
    .text:6A55D809 mov     ecx, [eax-4]                                  (1)
    .text:6A55D80C mov     eax, [ecx]                                    (2)
    .text:6A55D80E call    dword ptr [eax+10h]                           (3)
    

The pointer is decremented by 4 at location (1) and is dereferenced at (2) where the code eventually crashes.

At location (1), eax holds the pointer to memory allocated in the heap. Since we have enabled PageHeap, we can see metadata related to this heap allocation, like allocation size, the stack trace of the allocating code, etc. In memory, these metadata reside just before the heap allocation returned to the application. We can examine the metadata with the following command:

    0:002> dt _DPH_BLOCK_INFORMATION eax-20
    ntdll!_DPH_BLOCK_INFORMATION
       +0x000 StartStamp       : 0xabcdaaaa
       +0x004 Heap             : 0x84801000 Void
       +0x008 RequestedSize    : 4
       +0x00c ActualSize       : 0x2c
       +0x010 FreeQueue        : _LIST_ENTRY [ 0x48010c0 - 0x12bd4230 ]
       +0x010 FreePushList     : _SINGLE_LIST_ENTRY
       +0x010 TraceIndex       : 0x10c0
       +0x018 StackTrace       : 0x050f2284 Void
       +0x01c EndStamp         : 0xdcbaaaaa
    

The code attempts to dereference a pointer with the erroneous value of 0xdcbaaaaa, which is the EndStamp magic value at the end of PageHeap metadata.

As evident in the RequestedSize field, the application requested an allocation of 4 bytes. However, the code effectively attempts to dereference a pointer that resides 4 bytes prior to that allocation.

After reversing the code, it was found that the application crashes in an attempt to parse XML data, specifically the </w:p> XML tag. The malicious file is in the .docx format, which is a .zip file containing various XML files. Unzipping the malicious file, we see the following in word/document.xml:

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    ...
    <w:body></w:p></w:body>
    

The </w:p> XML tag denotes the end of a paragraph in the .docx format. Providing the open tag <w:p> before the end tag, the application does not crash. From our analysis, it was evident that the application keeps a vector-type data structure containing pointers of objects. When there is an open tag followed by a close tag, the vector holds two pointers with a total size of 8 bytes (2 pointers of 4 bytes each) and the code works correctly. When there is only the close tag, the code assumes there is another element in the vector, decrements the pointer to the vector by 4 and attempts to dereference and call the erroneous pointer.

At location (3) in the code listing above, we see this pointer being used as a target to an indirect call, in a typical behaviour to a virtual function table call in C++. As a result, the code will attempt to make a call to an erroneous pointer that resides in memory.

Using heap spraying techniques, an attacker could force the application to allocate memory that resides immediately before the buffer and make it contain arbitrary data. As a result, the attacker could be able to control the pointer that will eventually be used for the indirect call, resulting in arbitrary code execution.

**TIMELINE**

2022-07-14 - Vendor Disclosure  
2022-09-30 - Vendor Patch Release  
2022-10-04 - Public Release

CVE-2022-33896: TALOS-2022-1574 || Cisco Talos Intelligence Group

Today, the processing of mountain-high stacks of alarms is considered "security." That system is failing customers and the cybersecurity workforce.

In one of my first jobs, I worked as a file clerk. I would arrive early in the morning to be greeted by a mountain-high stack of manila folders to process. I would spend the day knocking down the pile, only to be greeted by a new one the next day. It was clear that I was never going get ahead in that job.

Recently, I read a cybersecurity provider's infographic that depicts the logs from 350,000 machines feeding a security information and event management (SIEM) system, resulting in a data lake consisting of 1.1 billion security events. An artificial intelligence detection layer, employing thousands of algorithms, processes those billions of events into an investigation layer and visualization platform.

My first thought was, it's that clerk job all over again! How can a security operations center (SOC) team possibly get ahead in this environment? At a time when SOCs are more critical than ever, SOC analysts have never been stretched so thin from the relentless, reactive, and "always on" mode their job demands. As a result, the cybersecurity industry is in danger of losing a generation of talented analysts because of low morale, crushing workloads, and new security products that are built upon outdated approaches.

There is already a well-documented shortage of qualified security personnel today. According to the "(ISC)2 Cybersecurity Workforce Study," the shortage is estimated to reach 2.72 million globally. Increased workloads are a major contributor to burnout in our industry. In a survey conducted last fall, 51% of professionals surveyed were kept up at night by the stress of their jobs, and nearly half were working more than full-time hours.

Security teams are drowning in a sea of alert fatigue, incident response workload, and false positives. In today's cybersecurity ecosystem, the processing of mountain-high stacks of alarms is considered "security." That system is simultaneously failing customers and the cybersecurity workforce. Indeed, a recent study shows 45% of all daily security alerts are false positives, and 75% of organizations spend an equal amount — or more — on false positives than on legitimate attacks. In a multicontinent survey of security experts, 74% claimed their volume of false positives was steady or rising and 26% shared they "turn off alerts because they are too noisy." It comes as no surprise, therefore, that in 2022, many IT professionals are leaving their jobs — and the industry entirely.

Cybersecurity professionals are charged with protecting vital business as well as personal and national interests. With the average cost of a data breach now at an all-time high of $4.35 million and 83% of organizations having experienced more than one breach, the impact these professionals bring to the business is clear. A dearth of qualified people will only make the challenges of maintaining our vital interests more difficult, creating a terrible cycle. Providing the best work environment possible to retain and attract highly skilled professionals must become our highest priority as it is essential for long-term business success.

**Better Tools**

The problem cannot be solved by raising a few salaries. Instead, a transformative new approach is needed in which cybersecurity professionals have access to better tools and technologies so they can apply their talents and energies to address their actual priorities instead of chasing seemingly endless false positives and security alerts that lead nowhere and do not result in better organizational security. Not only will such a cybersecurity workforce be more fulfilled, but they will also be able to maintain a realistic work-life balance as well as deliver tangible value to business. Without this twofold approach to industry reform, we will continue to see the best and the brightest reconsider their chosen field and look elsewhere for opportunity, resulting in a massive destabilization of infrastructure.

We must immediately embrace new approaches that focus on prevention at scale and offer technologies that dramatically reduce incident response and false alerts. As singer-songwriter John Mayer describes gravity, "Twice as much ain't twice as good." Reducing the flood of alerts will make room for much-needed focus. Embracing a preventative approach will free up cybersecurity professionals to address their real priorities: protecting their clients, defeating malicious attackers, maintaining secure business continuity, and delivering more business value.

Cybersecurity professionals should be outthinking and outmaneuvering adversaries rather than being mired in alerts. The resulting security and protection will provide even more benefit to their organizations. It is possible to create a future for the cybersecurity industry that allows professionals to lead balanced lives while maintaining fulfilling careers without sacrificing the safety of critical networks.

Even though cyber threats continue to evolve and increase, forward-leaning organizations that embrace new, preventive approaches are benefiting from superior security, better business results, and meaningful, impactful work for their talented cybersecurity professionals. Employ a new preventative approach. Reduce the noise. Create better outcomes. Retain your best talent.

We Can Save Security Teams From Crushing Workloads. Will We?

Understanding the connection between GRC and cybersecurity
When talking about cybersecurity, Governance, Risk, and Compliance (GRC) is often considered the least exciting part of business protection. However, its importance can't be ignored, and this is why. 
While cybersecurity focuses on the technical side of protecting systems, networks, devices, and data, GRC is the tool that will help the

**Understanding the connection between GRC and cybersecurity**

When talking about cybersecurity, Governance, Risk, and Compliance (GRC) is often considered the least exciting part of business protection. However, its importance can't be ignored, and this is why.

While cybersecurity focuses on the technical side of protecting systems, networks, devices, and data, GRC is the tool that will help the entire organization understand and communicate how to do it.

What does it mean?

GRC tools like StandardFusion help companies define and implement the best practices, procedures, and governance to ensure everyone understands the risks associated with their actions and how they can affect business security, compliance, and success.

In simple words, GRC is the medium for creating awareness around cybersecurity's best practices to reduce risks and achieve business goals.

**Why is cybersecurity more relevant than ever before**

Cybersecurity aims to protect sensitive business data, intellectual property, personal and health information, and other company systems from cyber-attacks and threats. However, this task has become increasingly harder over the past few years.

Why is that?

Well, because of the ever-increasing global connectivity, new hybrid work models, the popularization of cloud services, and the evolution of technology, among others. Although all of these are great from a business perspective, they introduce new risks and challenges.

Here's the truth:

Cybersecurity has always been a critical part of organizations; however, in today's technological and interconnected landscape, they can't exist without it, at least in the long term.

**Understanding the principles of GRC**

Governance, Risk, and Compliance (GRC) is a business strategy for managing a company's overall governance, enterprise risk management, and regulatory compliance.

From a cybersecurity standpoint, GRC is a structured approach to aligning IT (people and operations) with business objectives while effectively managing risks and meeting regulatory needs.

In this context, to achieve business objectives and maximize the company's bottom line, organizations need to follow the best practices and procedures. This is why GRC exists... to mitigate any threat to productivity and the company's value by creating standards, policies, regulations, and processes.

More importantly, GRC helps build trust in the organization. This trust comes from improved efficiencies, better communication, employees' confidence to share information, and enhanced business outcomes.

That's not all.

GRC empowers companies to create a culture of value, giving everyone the education and agency to understand how they can protect the business's value, reputation and make better decisions.

**The crucial role of GRC in cybersecurity**

Organizations must align people, systems, and technologies with business objectives to achieve solid and effective cybersecurity. This means everyone should know and take the proper actions when executing their tasks — it's all about awareness and knowledge.

Governance, Risk, and Compliance is the best tool to create an integrated system that focuses on achieving objectives while addressing risks and acting with integrity.

GRC is crucial because it supports cybersecurity with vital business activities, such as:

*   Standardizing the best practices for everyone to act with integrity and security.
*   Assigns roles and responsibilities to business units and users, enhancing communication.
*   Helping with the implementation of data manipulation procedures.
*   Unifies vocabulary across departments and teams.
*   Supporting internal audits and encourages continuous control monitoring.
*   Assisting with risk mitigation internally and externally
*   Supporting meeting industry and government regulations.

GRC also provides a framework to integrate security and privacy with the organization's overall goals. Why is this important? Because it allows businesses to make informed decisions regarding data security risks quickly while mitigating the risk of compromising privacy.

**The role of GRC in cybersecurity – technical benefits**

The following are some of the vital benefits GRC offers cybersecurity:

**Third-party vendor selection:** Many organizations will use a third-party scorecard to gather basic information about potential vendors. This information includes: Corporate reputation, financials, network security, history of cyber breaches, geographic location, and more. A robust GRC model would support IT and security teams select and vet potential third-party vendors. More importantly, GRC will support the creation of vendor assessments and mitigation strategies.

**Risk mitigation:** IT can use GRC to understand the scope of cybersecurity and document the strengths and limitations of the current security program. GRC allows organizations to outline and act on different types of threats, potential damages, mitigation plans, and risk treatments.

**Regulatory compliance:** GRC is vital in keeping compliance in the loop as new regulations evolve worldwide. Moreover, it brings these evolving changes to the security team's attention ahead of time, providing time to plan and respond. Overall, GRC will help develop and manage the policies, regulations, and standards to meet the often-updated business and industry regulations.

**Audit support:** Modern organizations extend their procedures and protocols to provide proof and audit material to their auditors. Ensuring processes and best practices are well documented will show that the house is kept in order. Critical audit material may include: Incident response, cybersecurity awareness training, internal control test results, cybersecurity compliance reviews, and more. GRC helps craft and maintain a single source of truth for compliance that allows everyone to be on the right page.

**Data privacy:** GRC helps organizations stay on top of the ever-changing landscape of privacy regulations. How? by allowing the IT team to ensure that the appropriate protection, logging, geographic storage, etc. are in place to defend customers' and employees' data.

**Visibility:** GRC's integrated approach allows companies to get visibility into every aspect of their security compliance programs. This is vital as it enables different units, managers, and personnel to see the big picture and make data-drive and informed decisions.

In summary:

A well-planned GRC program enables organizations to:

*   Collect and maintain high-quality information
*   Improve decision making
*   Promote collaboration
*   Increase accountability
*   Build a strong culture
*   Increase efficiency and agility
*   Provide visibility
*   Reduces costs by supporting suitable investments
*   Increase integration
*   Protect the company's value and reputation

**GRC and Cybersecurity: Why do companies need an integrated approach?**

Integrating GRC and cybersecurity is imperative for organizations that want to build a long-term, successful security strategy. Aside from faster communication, congruent metrics, collaboration, and decision-making, the integration of GRC and cybersecurity offers other distinct advantages.

An integrated approach minimizes manual input and the potential for human error, reducing costs and giving organizations more time to create more value for the business.

More importantly, a strong integration helps the board to clearly and comprehensively visualize the organization's security posture. By understanding the cross-functional posture, business directors can tell better security stories to convey trust to customers and empower employees.

To sum up:

GRC and cybersecurity work hand in hand toward a lower-risk future and value creation, — they can't exist without each other. While cybersecurity aims to protect systems, networks, and data (from a technical perspective), GRC communicates the best method and practices to achieve so.

With an integrated approach, organizations will:

*   Increase efficiencies
*   Enhance security posture
*   Tell better security stories
*   Improve visibility across the board
*   Increase support from leadership
*   Avoid compliance/regulatory fines
*   IT and security teams set the tone for the entire company
*   Hand in hand toward a lower-risk future

**Empowering cybersecurity through GRC – methodology**

The OCEG has developed this Capability Model (Red Book) as an open-source methodology that merges the sub-disciplines of governance, risk, audit, compliance, ethics/culture, and IT into a unified approach.

Organizations can evolve this standard to address specific situations, from small projects to organization-wide rollouts. Some examples are:

*   Anti-corruption projects
*   Business continuity
*   Third-party management

The model is key to framing conversations about GRC capabilities with the board, senior executives, and managers. Also, organizations might use this GRC Capability Model with more specific functional frameworks, such as: ISO, COSO, ISACA, IIA, NIST, and others.

The GRC Capability Model encourages organizations to document best practices to:

*   Unify vocabulary across disciplines
*   Define common components and elements
*   Define common information requirements
*   Standardize practices for things like policies and training
*   Identify communication for everyone involved.

Now, let's see how it works.

The Capability Model has four parts:

1\. Learn

The main idea here is to identify the business culture, stakeholders, and organization's business practices to successfully guide their goals, strategy, and objectives.

As a process, it would look like this:

*   Learning business plans and goals
*   Understanding strategic objectives
*   Being aware of the current and future compliance activities
*   Connecting with the key stakeholders

2\. Align

This step focuses on unifying strategy with objectives and actions with strategies. The goal here is to have an integrated approach where senior leadership is engaged and supports the process of decision-making.

In simple words, this process needs:

*   Align business objectives with the strategy
*   Align executives with stakeholders' expectations
*   Align resource allocation planning with objectives

3\. Perform

After aligning business goals and objectives, it's time to perform. This step defines implementing appropriate controls and policies, preventing and remediating undesired risks, and monitoring to detect issues as soon as possible.

4\. Review

As a final step, it's imperative to review the design and operational performance of the current strategy and actions. More importantly, this step encourages organizations to analyze objectives to constantly enhance the integrated GRC activities.

What is the purpose of this model?

To develop a steady and integral improvement process to reach optimal performance and create value for the organization.

Get your free consultation with StandardFusion and learn how you can design an integrated GRC program to strengthen your cybersecurity and protect your organization's value.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

The essentials of GRC and cybersecurity — How they empower each other

Blockchain investigators have uncovered at least $4 million—and counting—in cryptocurrency fundraising has reached Russia's violent militia groups.

As Russian troops have flooded into Ukraine’s borders for the past eight months—and with an ongoing mobilization of hundreds of thousands more underway—the Western world has taken drastic measures to cut the economic ties that fuel Russia’s invasion and occupation. But even as those global sanctions have carefully excised Russia from global commerce, millions of dollars have continued to flow directly to Russian military and paramilitary groups in a form that’s proven harder to control: cryptocurrency.

Since Russia launched its full-blown invasion of Ukraine in February, at least $4 million worth of cryptocurrency has been collected by groups supporting Russia’s military in Ukraine, researchers have found. According to analyses by cryptocurrency-tracing firms Chainalysis, Elliptic, and TRM Labs, as well as investigators at Binance, the world’s largest cryptocurrency exchange, recipients include paramilitary groups offering ammunition and equipment, military contractors, and weapons manufacturers. That flow of funds, often to officially sanctioned groups, shows no sign of abating and may even be accelerating: Chainalysis traced roughly $1.8 million in funding to the Russian military groups in just the past two months, nearly matching the $2.2 million it found the groups received in the five months prior. And despite the ability to trace those funds, freezing or blocking them has proven difficult, due largely to unregulated or sanctioned cryptocurrency exchanges—most of them based in Russia—cashing out millions in donations earmarked for invaders.

“Our aim is to identify all the crypto wallets being used by Russian military groups and the people helping them; to find, seize and block all this activity that is helping to buy the bullets, the ammunition of this occupation,” says Serhii Kropyva, who until recently served as deputy of Ukraine’s Cyber Police and advisor to the country’s prosecutor general. “With the close cooperation of companies like Chainalysis and Binance, we can see all the wallets involved in this criminal activity, these money flows of millions of dollars. But we can, unfortunately, see that the transfer is continuing all the time.”

In separate reports, the cryptocurrency-tracing firms and Binance’s investigations team each tracked donations to the Russian war effort that very often began with public posts on the messaging app Telegram soliciting crowdfunded donations. Chainalysis, for instance, found Telegram posts from organizations including the pro-Russian media sites Rybar and Southfront, as well as the paramilitary group Rusich—which has ties to the notorious Wagner mercenary group—all posting cryptocurrency donation addresses to Telegram. These posts told followers that the money raised there would be used for everything from weaponized drones to radios, rifle accessories, and body armor. In another instance, Chainalysis points to a fundraiser by a group called Project Terricon that attempted to auction NFTs to support pro-Russian militia groups in Eastern Ukraine, though the NFTs were removed from the marketplace they were hosted on before any bids were placed.

Binance’s investigations team, in its own report, found that a total of $4.2 million in crypto had been funneled to Russian military groups since February. The groups named in its research didn’t entirely overlap with those named in Chainalysis’ report, suggesting that the overall funding could be far greater than either Binance’s or Chainalysis’ total. Binance, for instance, points to a pro-Russian “cultural heritage” group known as MOO Veche that has carried out fundraisers for military equipment similar to the kinds funded by the groups Chainalysis flagged. While Binance, TRM Labs, and Elliptic all name MOO Veche as a major fundraiser, Elliptic traced $1.7 million in crypto donations to the group, far more than the other researchers.

A screenshot of a Russian-language Telegram post from the pro-Russian military MOO Veche group, describing equipment paid for with its fundraising, including “thermal imagers, binoculars with rangefinders, spotting scopes, car radios, collimators and first aid kits.“

Telegram via Andy Greenberg

Other organizations that Binance spotted raising money through cryptocurrency crowdfunding on Telegram include the pro-Russian nationalist groups Save Donbas and REAR, as well as the Russian arms manufacturer Lobaev, which it saw directly soliciting donations on the platform. Yet another group, known as Romanov Light, whose fundraising was spotted by TRM Labs and Elliptic, claimed to be collecting crypto for Russian special forces. Romanov Light raised as much as $330,000 worth of donations, according to Elliptic, which it told donors it spent on military equipment like weapon accessories, flashlights, and armor plates.

Despite the relative clarity of all that financial tracing, preventing cryptocurrency from continuing to bolster Russia’s unprovoked incursion into Ukraine hasn’t been simple. Exchanges can block or freeze funds at the points where they’re exchanged for traditional currency. But according to Chainalysis, the majority of the crypto funds the groups have raised have been cashed out through Russian exchanges, including Chatex, Suex, and Garantex—all of which have already been targeted with Western sanctions for their extensive use by criminals. Chatex and Garantex did not respond to WIRED’s request for comment. Suex no longer appears to have a public website, and no contact information for the exchange could be found.

Not every exchange that has served as an ATM for Russian military crypto crowdfunding is hosted in Russia, however. Blockchain analysts who spoke to WIRED pointed to seven other exchange services, some hosted in India and China, that have received funds from the pro-Russian groups they tracked, though they declined to name them on the record, in part because the amounts of those funds in most cases were in the single-digit thousands or less.

In one telling example of how hard it is to prevent these cash-outs, however, analysts saw MOO Veche send more than $150,000 worth of bitcoin to an exchange hosted on the infrastructure of the Chinese cryptocurrency exchange Huobi—a “nested” exchange that essentially uses Huobi as its trading platform. But any responsibility that Huobi might have for blocking or freezing those funds was complicated by another unknown intermediary service that analysts saw the money travel through before entering the Huobi-hosted service. When WIRED reached out to Huobi for comment, it wrote in a statement that it has a “know-your-customer” process “which ensures to the best of our ability that our clients’ source of funds are above board.”

Binance, for its part, says its exchange accounts were also used by four of the groups it tracked and received more than $208,000 worth of cryptocurrencies. It tells WIRED that it froze all four accounts it discovered. “We’re making sure that no harm comes to civilians as a result of the fundraising that happens in these extremist spaces,” says Jennifer Hicks, who manages Binance’s intelligence and investigations team. “When cryptocurrency exchanges know that something illicit is happening that will end in real-world, kinetic effects like this, it’s the exchange’s responsibility to put a stop to it as fast as possible.”

Even when exchanges do monitor for crypto sent from sanctioned groups like these pro-Russian fundraisers, that dirty money won’t always be straightforward to detect, warns Thibaud Madelin, who leads research at Elliptic. He says he’s increasingly seeing Russian sources of illicit funds use “bridges” or “coin swaps”—services that allow easy trading of one cryptocurrency for another, often without offering any identifying information—as money-laundering techniques. He’s watched those tools grow in popularity among dark-web black markets and cybercriminal users and expects the same will happen with those seeking to launder illicit arms funding. “It’s a bit early to say definitively. But what we’re seeing is that it’s likely to become a bigger problem,” says Madelin. “They’re likely to mirror the methodologies seen across dark net services users, enabling large-scale money laundering and potentially sanctions evasion.”

An image in Chainalysis’s report pulled from a pro-Russian social media fundraiser that shows items funded through cryptocurrency donations, including targeting equipment, drone components, and satellite radios.

Courtesy of Chainanalysis

Millions of dollars in cryptocurrency funding to Russian troops may be the least of Ukraine’s problems in a war where Russia has thrown billions into its invasion force. Ukraine, it’s worth noting, has also vastly out-raised Russia in cryptocurrency: By Elliptic’s count, the Ukrainian government has collected more than $77 million in crypto donations since the war began. But that is to be expected, given the West’s broad support of Ukraine following Russia’s unprovoked aggression and the global sanctions placed on Russia. And even the smaller amount of cryptocurrency Russian forces have raised demonstrates cryptocurrency’s ongoing potential to circumvent those sanctions and offer another financial lifeline to Russia’s war machine.

“It’s not like Russia is buying new tanks with this money. They’re paying for thermal imaging scopes and UAVs,” says Andrew Fierman, a sanctions-focused Chainalysis researcher. “But for grassroots facilitation of these militia efforts, any amount of money that they receive to bolster their gear is going to have an impact.” And despite all the light that cryptocurrency tracers can shine on that funding—and the West’s best efforts to stop it—the crypto flow into Russia’s war chest continues.

The Fight to Cut Off the Crypto Fueling Russia's Ukraine Invasion

Confidential Containers (CoCo) is a new sandbox project of the Cloud Native Computing Foundation (CNCF) that enables cloud-native confidential computing by taking advantage of a variety of hardware platforms and technologies.

Confidential Containers (CoCo) is a new sandbox project of the Cloud Native Computing Foundation (CNCF) that enables cloud-native confidential computing by taking advantage of a variety of hardware platforms and technologies. The project brings together software and hardware companies including Alibaba-cloud, AMD, ARM, IBM, Intel, Microsoft, Red Hat, Rivos and others.  

The CoCo project builds on existing and emerging hardware security technologies such as Intel SGX, Intel TDX, AMD SEV and IBM Z Secure Execution, in combination with new software frameworks **to help better secure user data in use**. This will establish a new level of confidentiality, which does not rely on trust in the cloud providers and their employees, but on hardware-level cryptography. CoCo will support multiple environments including public clouds, on-premise and edge computing.

The goal of the CoCo project is to **standardize** confidential computing at the container level and **simplify** its consumption in Kubernetes. This is in order to enable Kubernetes users to deploy confidential container workloads using familiar workflows and tools without extensive knowledge of underlying confidential computing technologies.

The CoCo project aims to integrate Trusted Execution Environments (TEE) infrastructure with the cloud-native world. A TEE is at the heart of a confidential computing solution. TEEs are isolated environments with enhanced security, provided by confidential computing (CC) capable hardware that prevents unauthorized access or modification of applications and data while in use. You’ll also hear the terms "enclaves", "trusted enclaves" or "secure enclaves." In the context of confidential containers, these terms are used interchangeably.

**What does this actually mean?** 

Using CoCo, you will be able to deploy your workload on infrastructure owned by someone else, significantly reducing the risk of any unauthorized entity accessing your workload data and extracting your secrets. The infrastructure can be owned by a cloud provider, a different division in your organization such as the IT department or even an untrusted third party. This new level of confidentiality is achieved by, among other things, encrypting the computer’s memory and protecting other low level resources your workload requires at the hardware level. This includes the state of the CPU, physical memory, interrupts and more. Cryptography-based proofs help validate that no one has tampered with your workload, loaded software you did not want, read or modified the memory used by your workload, injected a malicious CPU state to attempt to derail your software or succeeded in doing anything out of order. In short, CoCo helps confirm that if either your software runs without being tampered with or it fails to run you will know about it.

For additional details see the CoCo project overview. 

In this blog we will focus on the first community release targeted for September 2022. The next sections provide more insight into what are the goals of this release and the supported use cases. We will also give a short overview of the architecture components supported in this release. 

Detailed release notes are available on the confidential containers GitHub repository.

**Goals of the first release**

This release focuses on the following:

*   **Simplicity** - Using a dedicated Kubernetes operator, the CoCo operator, for deployment and configuration. Our goal is to make this technology as accessible as possible hiding away most of the hardware-dependent parts 
    
*   **Stability** \- Supporting continuous integration (CI) for the key workflows of the release. We want to ensure that as the community grows and more contributors join, existing use cases remain stable.
    
*   **Documentation** - Detailed and clear instruction of how to deploy and use this release. Confidential computing is a vast and evolving field with many acronyms, building blocks and technology layers. We’d like to provide the users with enough information to understand and try out the use cases we describe.
    

Non-goals for the release include:

*   Full support and CI testing for all commonly used hardware architectures.
    
*   Performance and resource optimizations
    
*   Full integration with third-party services for attestation or key brokering
    
*   Full functionality and security features for all standard Kubernetes tools: some commands, notably those that access sensitive data in the workload, may either fail to function (being blocked for security reasons), or still route data through insecure channels.
    
*   Support for upstream versions of containerd and CRIO (this release relies on a customized version of containerd, which the operator installs for you)
    

We expect these limitations to be addressed in subsequent releases.

**Use cases supported in this release**

This release supports the following use cases:

*   Creating a sample CoCo workload
    
*   Creating a CoCo workload using a pre-existing encrypted image
    
*   Creating a CoCo workload using a pre-existing encrypted image on hardware with support for Confidential Computing (CC HW)
    
*   Building a new encrypted container image and deploying it as a CoCo workload
    

**Some insight into the CoCo architecture **

The following diagram provides a high level view of the main components the CoCo solution consists of and interact with: 

The CoCo solution embeds a Kubernetes pod inside a virtual machine (VM) together with an engine called the _**enclave software stack**_. There is a one-to-one mapping between a Kubernetes pod and a VM-based TEE (or enclave). The container images are kept inside the enclave and can be either signed or encrypted.

The **enclave software stack** is _**measured**_, which means that a  trusted cryptographic algorithm is used to authenticate its content. It contains the _**enclave agent**_ which is responsible for initiating attestation and fetching of the secrets from the key management service.

Supporting components for the solution are the _**container image registry**_ and the _**relying party**_, which combines the _**attestation service**_ and _**key management service**_.

The **container image registry** is responsible for storing and delivering encrypted container images. A container image typically contains multiple layers, and each layer is encrypted separately. At least one layer needs to be encrypted for the workload to be efficiently protected.

The **attestation service** is responsible for checking the measurement of the enclave software stack against a list of approved workloads, and authorize or deny the delivery of keys.

The **key management service** is responsible for storing secrets that the workload needs in order to run, such as disk decryption keys, and for delivering these secrets to the enclave agent.

After the VM has been launched, we can then summarize the flow CoCo follows in the following 4 steps (colored in red in the diagram above):

1.  The enclave agent sends a request to the attestation service. The attestation service responds with a cryptographic challenge for the agent to prove the workload’s identity using the measurement of the enclave. If the enclave agent responds to this challenge successfully, the attestation service notifies the key management service that secrets can be delivered.
    
2.  If the workload is authorized to run, the key management service finds the secrets corresponding to the workload, and sends them to the agent. Among the necessary secrets are the decryption keys for the disks being used.
    
3.  The image management service inside the enclave downloads container images from the container images registry, verifies them, and decrypts them locally to encrypted storage. At that point, the container images become usable by the enclave.
    
4.  The enclave software stack creates a pod and containers inside the virtual machine, and starts running the containers (all containers within the pod are secured).
    

**Why is Red Hat investing in this project? **

As part of the move to open hybrid cloud and in an effort to consolidate its relevant security aspects, advancement in technology allows our customers to further protect the data in use by providing an additional layer of encryption. There are certain industries that are highly sensitive and need additional protection for their workloads. As regulatory environments change, Red Hat intends to provide the necessary tools.

Red Hat believes that confidential computing can be a game changer for software manufacturers and cloud providers. It combines the advantages of cloud and on-premise while keeping the processes simple.

CoCo makes these new technologies easier to consume. Being able to transparently integrate confidential containers in Red Hat OpenShift, which is built on Kubernetes, is expected to become an important addition to the Red Hat product portfolio.

What is the Confidential Containers project? 

The infosec conference named after the UK's calling code returned this year with a focus on building a healthy community.

44CON -- London — After a two-year break, information security conference 44CON returned to London, where passionate security evangelists were joined by architects and managers from leading technology companies to enjoy a two-day festival of cybersecurity research from global headliners. From Sept. 15 to 16, people came to meet, do business, talk, and learn, with the 44CON crew providing fun, great food, and cybersecurity-themed entertainment.

It was a bit like the Babylon 5 of the UK infosec community.

I asked Adrian Mahieu, the founder of 44CON and the driving force behind the conference's resurrection, what motivated him to start up again post-COVID. 

"I wanted to make a conference that I'd like to go to, with some serious, in-depth technical talks \[and\] a few interesting sponsors that are not the usual suspects you'll see at other technical security conferences," he said. "But most interesting for me is getting people talking and learning from each other."  

This focus was apparent even in simple aspects, such as the way conference organizers devoted a large communal area to tabled seating, allowing attendees to share coffee, enjoy some excellent food, or just have impromptu birds-of-a-feather sessions. People at all stages of their cybersecurity careers were present, from eager recent graduates making connections to industry leaders talent-spotting and team-building, as well as a good number of people who justify the descriptor "expert."

Multiple industry sectors were represented, including broadcast entertainment and cloud service providers. "I tell vendors that all they need to bring is a backdrop for their exhibitors table," Mahieu explained. "I don't want those big palatial booths taking up the communal space. I want everyone to feel free to talk together!"

The evening's entertainment included a security communications wargame designed and hosted by innovative game developers Stone Paper Scissors. Threat Condition simulated the problems and issues that ensue after a reputationally damaging cyberattack and highlighted the consequential organizational and communication challenges. SPS designed what I think may be the best tabletop disaster-recovery scenario wargame I have ever seen.

One thing that differentiates 44CON from other conferences is its COVID-19 precautions. 44CON installed high-powered air purifiers throughout the venue to provide clean, breathable air for attendees.

**Chatham House Chats**

Discussions were held under the Chatham House rule, allowing people to speak and share their research freely. In that capacity, I was able to have an in-depth conversation with one of the world's cloud security experts. We discussed the type of events he sees and which ones are the "fire-alarm" events.

"Identity is always first," he said. "Our CIRT responds in minutes to a credential leak on a public source-code repository." 

When considering identity-first security, the joiners, movers, and leavers problem gets writ large, as all the cloud service provider sees is a token. 

"We're faced with a choice when tuning the token lifetime — too short, and the user experience becomes sucky with overly frequent login challenges; too long, and the token becomes vulnerable in such cases as endpoint theft," he said. 

Risk-assessing every transaction from the endpoint is possible. But given the breadth of activity for any cloud service user, this quickly crashes into security's scalability barrier.

Always curious about how the insider problem is evolving, I took the opportunity to ask how leading cloud service providers are addressing traditionally tricky problems, such as data loss prevention, and how that migrates in a cloud environment. Many security practitioners still have trouble converting their legacy mindsets into a cloud-native one. 

My security expert was eager to illustrate: "We see a common problem where a business application user will exfiltrate information to personal AWS buckets. This means that the cloud log is in their personal bucket, and the business has no visibility of it. However, there is a simple answer — we advise business customers to create a service-aware policy that limits bucket access to corporation-owned buckets."

What this means is that many security practitioners are still limited to legacy thinking and architectural models, a key indicator of which is when practitioners try to filter based on IP address, basically trying to re-create their traditional data center in a cloud service environment. Cloud instances are ephemeral by nature, allowing savvy architects and devs to create and destroy instances on demand. IP addresses just don't matter in this context.

**Participating and Presenting**

Capture-the-flag (CTF) events are a staple for many cybersecurity conferences, but 44CON had its own spin. This year's CTF was organized by Trace Labs, a Canadian not-for-profit organization that partners with law enforcement agencies to leverage the power of crowdsourced OSINT collection to assist in ongoing missing persons investigations. Instead of hurling their exploit kits at a target, contestants were invited to "use their powers for good" and take real missing persons cases and hunt for missing pieces of open source intelligence, or flags. The more flags a team finds, the more points they get, all the while helping to make the missing-persons database more complete.

And saving the best for last — the talks! Headlined by James Forshaw of Google Project Zero, superb presentations allowed all of us to learn about the latest in vulnerabilities and exploitation, whether you are a red or blue teamer. Erlend Andreas Gjære, co-founder and CEO of security training adviser Secure Practice, talked about the need for a human touch in cybersecurity, and the mysterious stranger identified only as "cybergibbons" explained how he took control of cruise ships, oil rigs, and other merchant navy vessels in a talk called "I'm the captain now!"

Last but not least was an inspiring talk by Thinkst founder and CEO Haroon Meer, who closed the conference by exhorting attendees to unleash their innovation and create security products that the world needs. Meer observed how many of the products currently on the market are snake oil, peddled by people who you wouldn't leave alone in your home with your grandmother. He also pointed out that the path to a profitable software-as-a-security business is simply to find something that 1,000 people will want to use — possibly the best advice to budding entrepreneurs since Ron Gula's five-slide pitch deck.

Sharing Knowledge at 44CON

Categories: News
Tags: Microsoft SQL

Tags:  brute force

Tags:  Maggie

Tags:  Extended Stored Procedure

Researchers have found a backdoor that specifically targets Microsoft SQL servers. 



(Read more...)




The post Hundreds of Microsoft SQL servers found to be backdoored appeared first on Malwarebytes Labs.

Researchers at DCSO CyTec recently found a backdoor that specifically targets Microsoft SQL servers. The malware acts as an Extended Stored Procedure, which is a special type of extension used by Microsoft SQL servers.

After scanning approximately 600,000 servers worldwide, they found 285 servers infected with this backdoor, in 42 countries. The distribution shows a clear focus on the Asia-Pacific region.

**Extended Stored Procedure**

To understand how the malware works it is necessary to understand the role of an Extended Stored Procedure on a SQL server. Extended stored procedures are dynamic link library (DLL) files which are referenced by the SQL Server by having the extended stored procedure created, which then references functions or procedures within the DLL. The DLLs that are behind the extended stored procedures are typically created in a lower level language like C or C++.

Basically, the functions stored in the DLL can be triggered from the client application to Microsoft SQL Server and the extended stored procedure passes result sets and return parameters back to the server through the Extended Stored Procedure Application Programming Interface (API).

**Maggie**

Based on artifacts found in the malware, DCSO CyTec has dubbed this threat Maggie. According to its export directory, the file calls itself sqlmaggieAntiVirus_64.dll and only offers a single export called maggie.

Maggie uses the Extended Stored Procedure API to implement a fully functional backdoor controlled only using SQL queries. But to establish the connection an attacker has to drop the backdoor in a directory accessible by the Microsoft SQL server, and has to have valid credentials to load the Maggie Extended Stored Procedure into the server. Otherwise the server will never query the DLL for any functions. For now, it is unknown how the initial infection takes place. But there are some known vulnerabilities for Microsoft SQL server that may not have been patched by every organization.

**Capabilities**

Once installed, Maggie offers a variety of commands that allow the attacker to query for system information, interact with files and folders, execute programs, and to perform various network-related functions, including setting up port forwarding to make Maggie act as a bridge head into the server’s network environment.

Once enabled, Maggie separates the attacker's connections from the others, so legitimate users are able to use the server without any interference by Maggie. This reduces the chance of the users noticing something is wrong. The separation is done based on an IP mask that redirects any incoming connection to a set IP and port, if the source IP address matches the user-specified IP mask.

**Brute force**

Maggie’s command set also includes two commands that seem designed to allow it to brute force logins to other MSSQL servers. To start a brute force scan, the threat actor has to specify a target host, user and password list file previously uploaded to the infected server.

The backdoor logs successful logins and then checks whether they have administrator permissions. It is logical to assume that this is intended to increase the number of victims. What the underlying purpose of Maggie is, remains to be seen.

**Targets**

Since the backdoor depends on the setup of a Microsoft SQL server, the researchers conducted a scan on publicly reachable Microsoft SQL servers in order to determine how prevalent the identified backdoor is. The scan revealed 285 infected servers on a total of around 600,000 scanned servers.

The scan also showed that most of the infected servers were located in South Korea, India and Vietnam, followed by China and Taiwan in the fourth and fifth place. Infections in other countries appear to be incidental.

**Malwarebytes**

Malwarebytes users are protected from this threat, since our Artificial Intelligence module detected this backdoor as Malware.AI.4207982868 right off the bat.

Hundreds of Microsoft SQL servers found to be backdoored

By Waqas
RatMilad can perform a wide range of malicious actions including file manipulation, audio recording, and application permission modification.
This is a post from HackRead.com Read the original post: Iranian Hackers Spreading RatMilad Android Spyware Disguised as VPN App

An Iranian hacking group is using new Android spyware in an extensive campaign primarily targeting enterprise users, mobile security firm Zimperium has revealed.

The group involved in this campaign goes by the name of “AppMilad” while the spyware being used is dubbed “RatMilad.” It can perform a wide range of malicious actions after it is installed on a victim’s device including functionalities like file manipulation, audio recording, and application permission modification.

**Spyware Detailed Analysis**

According to Zimperium’s research, threat actors at AppMilad have devised the campaign to get the malicious app sideloaded onto unsuspecting users’ devices. Zimperium examined a spyware sample **using the VPN** and phone number spoofing app, which was identified as Text Me.

Another live RatMilad sample was distributed through a Text Me variant called NumRent. Moreover, scammers have developed a product website to distribute the app and socially engineer targets to believe that it is a legit app.

**RatMilad Capabilities**

Since it can cleverly obtain a broad range of permissions, the spyware is capable of accessing crucial device data, such as location and MAC address, and user data, including phone calls, contact numbers, media files, and SMS messages.

Additionally, attackers can access the camera and microphone of the device, which lets them record audio/video and capture photos. Other features include **collecting clipboard data**, SIM information, and performing read/write operations.

**Potential Targets and Modus Operandi**

The malware’s target is a **Middle Eastern** enterprise mobile device that is disguised as a VPN and phone number spoofing application. After the app is installed and the required permissions are granted, the spyware is quickly sideloaded on the devices and soon starts collecting information.

RatMilad functions as advanced mobile spyware capable of receiving/executing commands for the exfiltration of a versatile array of data from the compromised mobile endpoint. The app is distributed via social media links and communication platforms such as **Telegram**.

The malicious app being advertised on Telegram (I) – The website run by threat actors to push RatMilad download (II)

Zimperium **explained** that the Telegram channel was used to distribute the malware, with the post linking to the Android app boasting more than 4,700 views. It was shared over 200 times, but this isn’t a conclusive number. It tricks users into sideloading the app and allowing it wide-ranged permissions.

> “The RatMilad spyware and the Iranian-based hacker group AppMilad represent a changing environment impacting mobile device security.”
> 
> Richard Melick, Zimperium director of mobile threat intelligence

**More Iranian Threat Actor News**

1.  **Iranian hackers leak trove of Israeli LGBTQ dating app data**
2.  **Iranian hackers hit Israel with disk wiper in disguise of ransomware**
3.  **Iranian hackers use RDP to hit businesses with Dharma ransomware**
4.  **Exposed: 6 year old Iranian espionage attack using Android backdoor**
5.  **Microsoft seizes 99 sites used by Iranian hackers for phishing attacks**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Iranian Hackers Spreading RatMilad Android Spyware Disguised as VPN App

A recent proliferation of phony executive profiles on LinkedIn is creating something of an identity crisis for the business networking site, and for companies that rely on it to hire and screen prospective employees. The fabricated LinkedIn identities — which pair AI-generated profile photos with text lifted from legitimate accounts — are creating major headaches for corporate HR departments and for those managing invite-only LinkedIn groups.

A recent proliferation of phony executive profiles on **LinkedIn** is creating something of an identity crisis for the business networking site, and for companies that rely on it to hire and screen prospective employees. The fabricated LinkedIn identities — which pair AI-generated profile photos with text lifted from legitimate accounts — are creating major headaches for corporate HR departments and for those managing invite-only LinkedIn groups.

Some of the fake profiles flagged by the co-administrator of a popular sustainability group on LinkedIn.

Last week, KrebsOnSecurity examined a flood of inauthentic LinkedIn profiles all claiming Chief Information Security Officer (CISO) roles at various Fortune 500 companies, including **Biogen**, **Chevron**, **ExxonMobil**, and **Hewlett Packard**.

Since then, the response from LinkedIn users and readers has made clear that these phony profiles are showing up en masse for virtually all executive roles — but particularly for jobs and industries that are adjacent to recent global events and news trends.

Hamish Taylor runs the **Sustainability Professionals** group on LinkedIn, which has more than 300,000 members. Together with the group’s co-owner, Taylor said they’ve blocked _more than 12,700 suspected fake profiles so far this year_, including dozens of recent accounts that Taylor describes as “cynical attempts to exploit Humanitarian Relief and Crisis Relief experts.”

“We receive over 500 fake profile requests to join on a weekly basis,” Taylor said. “It’s hit like hell since about January of this year. Prior to that we did not get the swarms of fakes that we now experience.”

The opening slide for a plea by Taylor’s group to LinkedIn.

Taylor recently posted an entry on LinkedIn titled, “**The Fake ID Crisis on LinkedIn**,” which lampooned the “60 Least Wanted ‘Crisis Relief Experts’ — fake profiles that claimed to be experts in disaster recovery efforts in the wake of recent hurricanes. The images above and below show just one such swarm of profiles the group flagged as inauthentic. Virtually all of these profiles were removed from LinkedIn after KrebsOnSecurity tweeted about them last week.

Another “swarm” of LinkedIn bot accounts flagged by Taylor’s group.

Mark Miller is the owner of the DevOps group on LinkedIn, and says he deals with fake profiles on a daily basis — often hundreds per day. What Taylor called “swarms” of fake accounts Miller described instead as “waves” of incoming requests from phony accounts.

“When a bot tries to infiltrate the group, it does so in waves,” Miller said. “We’ll see 20-30 requests come in with the same type of information in the profiles.”

After screenshotting the waves of suspected fake profile requests, Miller started sending the images to LinkedIn’s abuse teams, which told him they would review his request but that he may never be notified of any action taken.

Some of the bot profiles identified by Mark Miller that were seeking access to his DevOps LinkedIn group. Miller said these profiles are all listed in the order they appeared.

Miller said that after months of complaining and sharing fake profile information with LinkedIn, the social media network appeared to do something which caused the volume of group membership requests from phony accounts to drop precipitously.

“I wrote our LinkedIn rep and said we were considering closing the group down the bots were so bad,” Miller said. “I said, ‘You guys should be doing something on the backend to block this.”

Jason Lathrop is vice president of technology and operations at **ISOutsource**, a Seattle-based consulting firm with roughly 100 employees. Like Miller, Lathrop’s experience in fighting bot profiles on LinkedIn suggests the social networking giant will eventually respond to complaints about inauthentic accounts. That is, if affected users complain loudly enough (posting about it publicly on LinkedIn seems to help).

Lathrop said that about two months ago his employer noticed waves of new followers, and identified more than 3,000 followers that all shared various elements, such as profile photos or text descriptions.

“Then I noticed that they all claim to work for us at some random title within the organization,” Lathrop said in an interview with KrebsOnSecurity. “When we complained to LinkedIn, they’d tell us these profiles didn’t violate their community guidelines. But like heck they don’t! These people don’t exist, and they’re claiming they work for us!”

Lathrop said that after his company’s third complaint, a LinkedIn representative responded by asking ISOutsource to send a spreadsheet listing every legitimate employee in the company, and their corresponding profile links.

Not long after that, the phony profiles that were not on the company’s list were deleted from LinkedIn. Lathrop said he’s still not sure how they’re going to handle getting new employees allowed into their company on LinkedIn going forward.

It remains unclear why LinkedIn has been flooded with so many fake profiles lately, or how the phony profile photos are sourced. Random testing of the profile photos shows they resemble but do not match other photos posted online. Several readers pointed out one likely source — the website thispersondoesnotexist.com, which makes using artificial intelligence to create unique headshots a point-and-click exercise.

Cybersecurity firm **Mandiant** (recently acquired by **Google**) told Bloomberg that hackers working for the North Korean government have been copying resumes and profiles from leading job listing platforms LinkedIn and Indeed, as part of an elaborate scheme to land jobs at cryptocurrency firms.

Fake profiles also may be tied to so-called “pig butchering” scams, wherein people are lured by flirtatious strangers online into investing in cryptocurrency trading platforms that eventually seize any funds when victims try to cash out.

In addition, identity thieves have been known to masquerade on LinkedIn as job recruiters, collecting personal and financial information from people who fall for employment scams.

But the Sustainability Group administrator Taylor said the bots he’s tracked strangely don’t respond to messages, nor do they appear to try to post content.

“Clearly they are not monitored,” Taylor assessed. “Or they’re just created and then left to fester.”

This experience was shared by the DevOp group admin Miller, who said he’s also tried baiting the phony profiles with messages referencing their fakeness. Miller says he’s worried someone is creating a massive social network of bots for some future attack in which the automated accounts may be used to amplify false information online, or at least muddle the truth.

“It’s almost like someone is setting up a huge bot network so that when there’s a big message that needs to go out they can just mass post with all these fake profiles,” Miller said.

In last week’s story on this topic, I suggested LinkedIn could take one simple step that would make it far easier for people to make informed decisions about whether to trust a given profile: Add a “created on” date for every profile. Twitter does this, and it’s enormously helpful for filtering out a great deal of noise and unwanted communications.

Many of our readers on Twitter said LinkedIn needs to give employers more tools — perhaps some kind of application programming interface (API) — that would allow them to quickly remove profiles that falsely claim to be employed at their organizations.

Another reader suggested LinkedIn also could experiment with offering something akin to Twitter’s verified mark to users who chose to validate that they can respond to email at the domain associated with their stated current employer.

In response to questions from KrebsOnSecurity, LinkedIn said it was considering the domain verification idea.

“This is an ongoing challenge and we’re constantly improving our systems to stop fakes before they come online,” LinkedIn said in a written statement. “We do stop the vast majority of fraudulent activity we detect in our community – around 96% of fake accounts and around 99.1% of spam and scams. We’re also exploring new ways to protect our members such as expanding email domain verification. Our community is all about authentic people having meaningful conversations and to always increase the legitimacy and quality of our community.”

In a story published Wednesday, Bloomberg noted that LinkedIn has largely so far avoided the scandals about bots that have plagued networks like Facebook and Twitter. But that shine is starting to come off, as more users are forced to waste more of their time fighting off inauthentic accounts.

“What’s clear is that LinkedIn’s cachet as being the social network for serious professionals makes it the perfect platform for lulling members into a false sense of security,” Bloomberg’s **Tim Cuplan** wrote. “Exacerbating the security risk is the vast amount of data that LinkedIn collates and publishes, and which underpins its whole business model but which lacks any robust verification mechanisms.”

Tag

#intel