BI Launchpad and CMC in SAP Business Objects Business Intelligence Platform, versions 4.1, 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. Exploit is possible only when the bttoken in victim’s session is active.

CVE-2020-6220

New SmallID offering brings cloud-native data privacy and protection to organizations of all sizes.

SAN FRANCISCO, June 6, 2022 /PRNewswire/ -- BigID, the leading data intelligence platform that enables organizations to know their enterprise data and take action for privacy, security, and governance, today announced the availability of SmallID: the first pay-as-you-go cloud data security platform.

Now more than ever, the world runs on data - and it's difficult to have a clear understanding of all data assets across the company.  On top of that, evolving data protection and privacy regulations means that accumulating data without proactively protecting introduces more risk than ever. 

SmallID brings cloud-native data privacy and protection to organizations of all sizes, making it easy to find and mitigate risk across their entire cloud environment. Customers can easily reduce their attack surface, identify high-risk data, and automatically discover dark data across the cloud - without impacting business.  

Customers can now use the first on-demand cloud data security platform to manage their cloud risk posture, by benefitting from years of ML innovation from BigID, packaged up in a lightweight, on-demand platform in SmallID.

With SmallID, customers can:

*   Automatically discover and classify their data by sensitivity, type, regulation, policy, and more
*   Drastically reduce their attack surface
*   Identify shadow data and dark data
*   Improve security posture across the cloud
*   Simplify regulatory compliance with a data-first approach

"Cloud-native organizations leave themselves vulnerable to bad actors and a host of other complex issues when they don't have insight into what kind of data they are collecting," said Tyler Young, Chief Information Security Officer at BigID. "SmallID is a huge step forward for organizations of all sizes to have on-demand cloud protection that reduces the attack surfaces through allowing teams to identify and mitigate risk across their entire cloud environment."

Visit BigID at RSAC 2022 to see SmallID in action, or try it for free today.

**Learn more:**

*   Visit BigID's Data Protection HQ at RSAC2022 - save your spot
*   Visit SmallID-sponsored Cloud Data Security Panels June 7 & 8, with CISO led discussions from Amplitude, Blackstone, Clearsky Cybersecurity, Datadog, Highspot, Optiv, Relativity, Servicenow, ServiceTitan, Wiz, and more
*   Visit Booth #4529 in the North Expo Hall

**About BigID**

BigID's data intelligence platform enables organizations to know their enterprise data and take action for privacy, protection, and perspective. Customers deploy BigID to proactively discover, manage, protect, and get more value from their regulated, sensitive, and personal data across their data landscape. BigID has been recognized for its data intelligence innovation as a 2019 World Economic Forum Technology Pioneer, named to the 2021 Forbes Cloud 100, the 2021 Inc 5000 as the #19th fastest growing company and #1 in Security, a Business Insider 2020 AI Startup to Watch, and an RSA Innovation Sandbox winner. Find out more at https://bigid.com.

BigID Introduces Cloud Data Security On Demand

An authenticated attacker can send a specially crafted route to the “edit_route.cgi” binary and have it execute shell commands. This vulnerability impacts products based on HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502 which contain firmware versions prior to 1.303 for the LP series and 1.297 for the EP series. An attacker with this level of access on the device can monitor all communications sent to and from this device, modify onboard relays, change configuration files, or cause the device to become unstable.

CVE-2022-31486

But valuations have dropped — and investors are paying closer attention to revenues and profitability, industry analysts say.

Cloud security vendor Lacework's recent announcement that it will reduce head count as part of a restructuring plan — just months after it secured $1.3 billion in a record-setting funding round — may have shocked the high-flying cybersecurity sector, but industry analysts say the layoffs do not signal any broad, imminent industry slowdown.

General economic conditions appear to have made investors a bit more cautious, however: Private equity (PE) investments — which accounted for nearly 40% of merger and acquisition activity last year — are down compared with the same period in 2021, as are company valuations overall.

Even so, M&A and venture capital activity in the cybersecurity industry remains robust and shows little sign of a major slowdown. Just in the last few days, for instance, ReliaQuest announced plans to purchase Digital Shadows for $160 million; Netskope acquired WootCloud for an undisclosed sum; and Lookout acquired SaferPass. In late May, Broadcom announced its intent to buy VMware for $61 billion in a deal that, if approved, will bring VMware's Carbon Black security under Broadcom's roof.

**Multiple Drivers**

"There are multiple dynamics at play for M&A" activity in the cybersecurity space, says Fernando Montenegro, an analyst with Omdia. "The established vendor being acquired for their cash flow. The adjacent technology being acquired by a security vendor to enter a market. The technology tuck-in and/or 'acqui-hire' into an existing vendor," he adds. Expect VCs, private equity, and corporate development teams to be a little more cautious, but still active, he notes.

"The industry has had a strong pace of acquisitions and fundings over the years, and we expect that to continue," Montenegro says. "What is changing is that there appears to be much more focus on demonstrating actual capabilities and momentum while being mindful of run rate."

There's also the understanding that too-large funding rounds raise expectations on delivery that may be more difficult to attain in a tightening economic environment, he notes.

Richard Stiennon, chief research analyst at IT-Harvest, says Lacework's decision to downsize and restructure may, in a way, be the result of its own success. The company experienced hypergrowth of some 272% last year and went on a hiring spree. After that, the company might have thought it wise to pause and consolidate while it catches up with expectations on sales growth, Stiennon explains. "There is categorically no broad consolidation in cybersecurity and there will not be until threat actors give up and go home," he says. "We will always need new ways to counter new threats."

That said, the antivirus space for the first time is now truly consolidating, according to Stiennon. Thanks to Microsoft giving away good-enough security with Windows Defender and the availability of stronger endpoint protection capabilities from vendors such as CrowdStrike and SentinelOne, the traditional AV vendors are fading away, he says.

**Fast and Furious Pace**

Data that S&P Global Market Intelligence compiled earlier this year showed there were 42 cybersecurity transactions through March 18, 2022, with a median deal value of some $97 million. Google's $5.4 billion purchase of Mandiant was easily the biggest of those deals and accounted for most of the $6.77 billion in total transaction value of announced deals in the cybersecurity industry through that date. In comparison, there were 36 transactions over the same period in 2021, with a median deal value of $185 million. In all, in the first quarter of 2022 there were 59 deals compared with 49 last year. But total deal value at $9.3 billion was significantly smaller than last year's $17.6 billion, according to S&P Global Market Intelligence.

Rising interest rates, inflation, and concerns over potential economic headwinds appear to have driven down security vendor valuations compared with last year, says Garrett Bekker, an analyst with S&P Global Market Intelligence. Even so, investors appear willing to pay hefty multiples to acquire security firms and the appetite for buying them does not appear to have diminished significantly, he says. That's because most existing drivers remain in place, such as cloud adoption, the move to zero-trust access models, and the proliferation of ransomware and other malware.

One potential red flag is the slowdown in private equity investments so far this year, Bekker says. For the past two decades, there has been a steady increase in PE-funded mergers and acquisitions — from 40 in 2002 to 80 in 2010, and 209 in 2021 — or 37% of all transactions in the space, he says. There has been a near 20% drop-off in PE transactions in 2022 compared with the same period last year, Bekker says. 

"It's a fairly large drop-off," he notes. "We'll be looking to see whether that persists or is an aberration."

**Closer Scrutiny**

Speculation about potential recession and recent turmoil with tech equities is causing venture investors to scrutinize funding more carefully, says Joseph Blankenship, an analyst with Forrester Research. Many investors are also advising the firms they've invested in to slow their burn rate and concentrate on building revenue, with an eye toward profitability. "I do predict that the increased scrutiny, reduced risk appetite, and decreased funding will lead to fewer startups entering the cybersecurity market." It will also push existing firms to find faster exits.

"What we’re seeing now is a continuation of the M&A activity," Blankenship says, At the same time, he adds, buyers are looking to consolidate vendors and the technology portfolios from major cybersecurity vendors are more attractive than they've been previously.

Cybersecurity M&A Activity Shows No Signs of Slowdown

As governments crack down on ransomware, cybercriminals may soon shift to business email compromise—already the world's most profitable type of scam.

Ransomware attacks, including those of the massively disruptive and dangerous variety, have proved difficult to combat comprehensively. Hospitals, government agencies, schools, and even critical infrastructure companies continue to face debilitating attacks and large ransom demands from hackers. But as governments around the world and law enforcement in the United States have grown serious about cracking down on ransomware and have started to make some progress, researchers are trying to stay a step ahead of attackers and anticipate where ransomware gangs may turn next if their main hustle becomes impractical.

At the RSA security conference in San Francisco on Monday, longtime digital scams researcher Crane Hassold will present findings that warn it would be logical for ransomware actors to eventually convert their operations to business email compromise (BEC) attacks as ransomware becomes less profitable or carries a higher risk for attackers. In the US, the Federal Bureau of Investigation has repeatedly found that total money stolen in BEC scams far exceeds that pilfered in ransomware attacks—though ransomware attacks can be more visible and cause more disruption and associated losses. 

In business email compromise, attackers infiltrate a legitimate corporate email account and use the access to send phony invoices or initiate contract payments that trick businesses into wiring money to criminals when they think they’re just paying their bills.

“So much attention is being paid to ransomware, and governments all over the world are taking action to disrupt it, so eventually the return on investment is going to be impacted,” says Hassold, who is director of threat intelligence at Abnormal Security and a former digital behavior analyst for the FBI. “And ransomware actors are not going to say, ‘Oh, hey, you got me’ and go away. So it’s possible that you would have this new threat where you have the more sophisticated actors behind ransomware campaigns moving over to the BEC space where all the money is being made.”

BEC attacks, many of which originate in West Africa and specifically Nigeria, are historically less technical and rely more on social engineering, the art of creating a compelling narrative that tricks victims into taking actions against their own interests. But Hassold points out that a lot of the malware used in ransomware attacks is built to be flexible, with a modular quality so different types of scammers can assemble the combination of software tools they need for their specific hustle. And the technical ability to establish “initial access,” or a digital foothold, to then deploy other malware would be extremely useful for BEC, where gaining access to strategic email accounts is the first step in most campaigns. Ransomware actors would bring a much higher level of technical sophistication to this aspect of the scams.

Hassold also points out that while the most notorious and aggressive ransomware gangs are typically small teams, BEC actors are usually organized into much looser and more decentralized collectives, making it more difficult for law enforcement to target a central organization or kingpin. Similar to Russia’s unwillingness to cooperate on ransomware investigations, it has taken time for global law enforcement to develop working relationships with the Nigerian government to counter BEC. But even as Nigeria has put more emphasis on BEC enforcement, countering the sheer scale of the scam operations is still a challenge.

“You can’t just cut off the head of the snake,” Hassold says. “If you arrest a dozen or even a few hundred of these actors, you’re still not making much of a dent.”

For ransomware actors, the most difficult aspect of transitioning to BEC scams would likely be the dramatic difference in collecting stolen money. Ransomware gangs almost exclusively collect victim payments in cryptocurrency, while BEC actors primarily use local networks of money mules in the markets where they launch their scams to launder fiat currency. Ransomware actors would need to plug into existing networks or invest in establishing their own in order to monetize BEC scams and have somewhere for the errant payments to go. Hassold points out, though, that as law enforcement becomes increasingly adept at tracing and freezing cryptocurrency payments—and as the value of cryptocurrencies continues to fluctuate wildly—ransomware actors may be motivated to learn new techniques and switch gears.

Crucially, Hassold notes that while he and his colleagues have not seen evidence of active collaboration between Eastern European ransomware gangs and West African BEC actors, he does see evidence on criminal forums and in active engagement with attackers that ransomware actors are interested in BEC and have been learning about it. Whether this exploration is simply for, ahem, professional enrichment, remains to be seen.

“All of these types of attacks are very serious and the stakes are very high, so it got me thinking about what things will look like in the future when ransomware eventually gets disrupted,” Hassold says. “It’s possible that these two threats on opposite sides of the cybercrime spectrum will converge in the future—and we need to be ready for that.”

The Hacker Gold Rush That's Poised to Eclipse Ransomware

Ransomware attacks, including those of the massively disruptive and dangerous variety, have proved difficult to combat comprehensively. Hospitals, government agencies, schools, and even critical infrastructure companies continue to face debilitating attacks and large ransom demands from hackers. But as governments around the world and law enforcement in the United States have grown serious about cracking down on ransomware and have started to make some progress, researchers are trying to stay a step ahead of attackers and anticipate where ransomware gangs may turn next if their main hustle becomes impractical.

At the RSA security conference in San Francisco on Monday, longtime digital scams researcher Crane Hassold will present findings that warn it would be logical for ransomware actors to eventually convert their operations to business email compromise (BEC) attacks as ransomware becomes less profitable or carries a higher risk for attackers. In the US, the Federal Bureau of Investigation has repeatedly found that total money stolen in BEC scams far exceeds that pilfered in ransomware attacks—though ransomware attacks can be more visible and cause more disruption and associated losses. 

In business email compromise, attackers infiltrate a legitimate corporate email account and use the access to send phony invoices or initiate contract payments that trick businesses into wiring money to criminals when they think they’re just paying their bills.

“So much attention is being paid to ransomware, and governments all over the world are taking action to disrupt it, so eventually the return on investment is going to be impacted,” says Hassold, who is director of threat intelligence at Abnormal Security and a former digital behavior analyst for the FBI. “And ransomware actors are not going to say, ‘Oh, hey, you got me’ and go away. So it’s possible that you would have this new threat where you have the more sophisticated actors behind ransomware campaigns moving over to the BEC space where all the money is being made.”

BEC attacks, many of which originate in West Africa and specifically Nigeria, are historically less technical and rely more on social engineering, the art of creating a compelling narrative that tricks victims into taking actions against their own interests. But Hassold points out that a lot of the malware used in ransomware attacks is built to be flexible, with a modular quality so different types of scammers can assemble the combination of software tools they need for their specific hustle. And the technical ability to establish “initial access,” or a digital foothold, to then deploy other malware would be extremely useful for BEC, where gaining access to strategic email accounts is the first step in most campaigns. Ransomware actors would bring a much higher level of technical sophistication to this aspect of the scams.

Hassold also points out that while the most notorious and aggressive ransomware gangs are typically small teams, BEC actors are usually organized into much looser and more decentralized groups, making it more difficult for law enforcement to target a central organization or kingpin. Similar to Russia’s unwillingness to cooperate on ransomware investigations, it has taken time for global law enforcement to develop working relationships with the Nigerian government to counter BEC. But even as Nigeria has put more emphasis on BEC enforcement, countering the sheer scale of the scam operations is still a challenge.

“You can’t just cut off the head of the snake,” Hassold says. “If you arrest a dozen or even a few hundred of these actors, you’re still not making much of a dent.”

For ransomware actors, the most difficult aspect of transitioning to BEC scams would likely be the dramatic difference in collecting stolen money. Ransomware gangs almost exclusively collect victim payments in cryptocurrency, while BEC actors primarily use local networks of money mules in the markets where they launch their scams to launder fiat currency. Ransomware actors would need to plug into existing networks or invest in establishing their own in order to monetize BEC scams and have somewhere for the errant payments to go. Hassold points out, though, that as law enforcement becomes increasingly adept at tracing and freezing cryptocurrency payments—and as the value of cryptocurrencies continues to fluctuate wildly—ransomware actors may be motivated to learn new techniques and switch gears.

Crucially, Hassold notes that while he and his colleagues have not seen evidence of active collaboration between Eastern European ransomware gangs and West African BEC actors, he does see evidence on criminal forums and in active engagement with attackers that ransomware actors are interested in BEC and have been learning about it. Whether this exploration is simply for, ahem, professional enrichment, remains to be seen.

“All of these types of attacks are very serious and the stakes are very high, so it got me thinking about what things will look like in the future when ransomware eventually gets disrupted,” Hassold says. “It’s possible that these two threats on opposite sides of the cybercrime spectrum will converge in the future—and we need to be ready for that.”

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 27 and June 3. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics,...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

Threat Roundup for May 27 to June 3

DataLenz delivers real-time, machine learning-based breach detection with user behavior modeling for IBM zSystems.

NORMAN, Okla., June 3, 2022 /PRNewswire-PRWeb/ -- Iconium Software, the leading provider of geospatial security monitoring for IBM mainframe data, has announced the release of DataLenz 1.3 providing immediate access to indicators of compromise (IOCs) potentially saving IBM zSystems customers millions of dollars per year caused by security breaches. By presenting multiple complex data access points through a simple to use graphical interface, DataLenz quickly brings clarity to potential data threats permitting security personnel to act swiftly. Gone are the days of having to laboriously wade through reports trying to determine if a security breach occurred or not, let alone quickly take action.

Organization's mission-critical IBM mainframe data is constantly at risk from bad actors, often masquerading as insiders from remote geographies. DataLenz provides the CISO, DPO and SOC security professional with real-time awareness of and automatic response to anomalous and out-of-bounds threats against critical mainframe data assets.

"Many large enterprises are under attack from bad actors often from remote locations, as evidenced by increased frequency and severity of breaches," said Rick Jones co-founder and CEO, of Iconium Software. "Our customers are forward-thinking organizations that are looking to provide the most robust security for their IBM mainframe data. Our DataLenz solution, addresses these challenges by giving IBM mainframe professionals, security teams, and compliance-focused professionals the best set of tools available to deal with these new threats."

"As the geopolitical and overall security landscape becomes more fractured, enterprises are reevaluating their security posture. The DataLenz solution is perfectly placed to address the emerging threat vectors facing those enterprises looking to secure vital mainframe-based data. The latest enhancements in V1.3 further strengthen the DataLenz solution and more closely aligns with the most stringent requirements of highly regulated mainframe customers" – Steven Dickens, Senior Analyst, Futurum Research

With DataLenz 1.3, new innovation provides the following:

\-- Real-time alerts, intelligent analytics with customizable thresholds, and management for anomalous threats and out-of-bounds data and resource access, alteration, replication, and movement to, from, and on the IBM Z mainframe platform.

\-- An intuitive advanced dashboard with real-time and historical views, allows users to filter specific types and sources (including graphical paradigms such as geopolitical and satellite maps), and then expand into every relevant form of drill-down and analytical detail needed to recognize, understand, and respond to threats arising from inappropriate data and resource access anywhere in the world.

\-- Advanced methods of notification of any potential breach of access with a wide range of user responses including issuing administrative commands such as terminating and blocking apparent threat actors and issuing RACF® administrative commands (as authorized).

\-- Detailed historical tracking, analysis, and response to anomalous and threatening events, plus exporting and forwarding of custom-specifiable data for processing by the full range of tools from spreadsheets to real-time event management systems (SIEMs).

\-- Advanced and intuitive filters, heat maps, geographical zoom-in, score cards, and highly configurable widgets create a fully immersive environment for maximum awareness and control.

\-- Datalenz strengthens your data protection and in conjunction with RACF,  
ACF2, Top Secret. Today's CISOs and DPOs demand truly comprehensive, reliable, real-time and compelling awareness of and resolution of all potential threats to their mission-critical mainframe data and legal and regulatory compliance.

More than just ensuring compliance with ever-more-exacting audits, immediate responsiveness to potential breaches of critical data must be dealt with using automation and advanced analytical tools for the briefest possible Mean Time to Repair (MTTR). Remote accesses must be properly managed to prevent, alert, terminate and block out-of-bounds interaction with sensitive data and related resources, employing real-time and historical graphical searching, filtering, reporting, drill-down and response to anomalous events.

The advanced monitoring, historical intelligence, proactive alerting and actions and versatile dashboard functionality of DataLenz 1.3 make it the definitive solution for extending the security of your critical mainframe data against threats anywhere in the world. See DataLenz v1.3 in action and discover how quickly DataLenz can bring your mainframe data access into sharp focus. See DataLenz v1.3 in action and discover how quickly DataLenz can bring your mainframe data access into sharp focus.

To learn more about Iconium and today's news, visit the website: https://www.iconiumsoftware.com

**About Iconium Software**

Iconium Software was formed in 2017 to serve customers and offer high-performance quality software products that are customer-driven by design. The Founders, Executive Team, and employees at Iconium Software are committed to providing the highest quality software to achieve the greatest advantage for each of our customers. For more information \[email protected\].

Iconium Software Releases DataLenz v1.3 for IBM zSystems

May 2022 saw the continued dominance of LockBit, and a possible disbursement of the Conti gang into other ransomware groups.
The post Ransomware: May 2022 review appeared first on Malwarebytes Labs.

The Malwarebytes Threat Intelligence team monitors the threat landscape continuously and produces monthly ransomware reports based on a mixture of proprietary and open-source intelligence.

**Conti sleight of hand?**

Although LockBit remained the most widely-deployed ransomware in May 2022, it was, typically, Conti that sucked all of the air out of the room.

Conti ransomware and the group that distributes it has been a dangerous, noisy presence in the ransomware ecosystem since 2020. It has been involved in hundreds of attacks, including the horrific disabling of Ireland’s Health Service Executive, and according to the FBI, it is “the costliest strain of ransomware ever documented”, having raked in over $150 million in ransom payments.

Recently, the group has had its troubles. On February 27, an individual with access to the group’s inner-workings started leaking a treasure trove of data that included source code, files, and tens of thousands of internal chat messages. Not long after, a hacking group began using the leaked source code to attack targets inside Russia, violating one of ransomware’s unspoken rules. And at the start of this month, the FBI put a $10 million bounty on the group’s head.

On May 8 the newly-inaugurated president of Costa Rica declared a national emergency across the country’s public sector, in response to the continuing effects of a devastating Conti ransomware attack carried out in April. On the same day, an inflammatory message appeared on the group’s leak site, alongside a leak of 672 GB of stolen data.

The message itself is the usual grandiose puffery: It took a swing at US President Joe Biden—”this old fool will soon die”, claimed the attack had been carried out by just two people, and threatened that Costa Rica was just a “Demo version” of what was to come.

You would be forgiven for thinking that despite recent travails, Conti is going strong.

But according to an in-depth analysis by Advintel though, that’s what it wants you to think. It says that far from being in rude health, the Conti brand is in the process of disbanding and that the attacks on Costa Rica were a deliberately showy act from an operation being run by a skeleton crew.

It seems that the decision to offer its “full support of Russian government” in February, following the invasion of Ukraine, may have been a fatal error. By aligning itself to the Russian state it had made ransom payments a potential sanctions violation, killing the group’s income.

Advintel asserts that as a result the Conti group has been “silently creating subdivisions that began operations before the start of the shutdown process.” These subdivisions—said to include KaraKurt, BlackByte, BlackBasta—are supposed to establish themselves before Conti disappears to avoid the kind of shallow and transparent rebrand some other groups have pursued.

Malwarebytes Threat Intel has been able to confirm that there was an internal announcement about the shutdown for affiliates, and that the group’s internal chat servers are down, although the leak site is still operational, and updated almost daily with additional data.

**Ransomware attacks in May 2022**

Malwarebytes Threat Intelligence builds a monthly picture of ransomware activity by monitoring the information published by ransomware gangs on their Dark Web leak sites. This information represents victims who were successfully attacked but opted not to pay a ransom.

In May, LockBit remained by far the most widely-used ransomware. Conti remained active, but its activity was significantly reduced compared to recent months. Notably, three of the four groups that have overtaken it—Black Basta, Hive, and ALPHV—are linked to the alleged Conti disbandment. Intriguingly, Hive was named as the ransomware used in an attack on Costa Rica’s national health service on May 31.

The USA remained far and away the country most badly affected by ransomware attacks in May, and services the industry sector more likely to be attacked.

Known ransomware attacks by group, May 2022

Known ransomware attacks by country, May 2022

Known ransomware attacks by industry, May 2022

****Ransomware mitigations****

Source: IC3.gov

*   Implement regular backups of all data to be stored as air-gapped, password-protected copies offline. Ensure these copies are not accessible for modification or deletion from any system where the original data resides.
*   Implement network segmentation, such that all machines on your network are not accessible from every other machine.
*   Install and regularly update antivirus software on all hosts, and enable real-time detection.
*   Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.
*   Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.
*   Audit user accounts with administrative privileges and configures access controls with the least privilege in mind. Do not give all users administrative privileges.
*   Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs for any unusual activity.
*   Consider adding an email banner to emails received from outside your organization.
*   Disable hyperlinks in received emails.
*   Use double authentication when logging into accounts or services.
*   Ensure routine auditing is conducted for all accounts.
*   Ensure all the identified IOCs are input into the network SIEM for continuous monitoring and alerts.

****How Malwarebytes protects against ransomware****

Malwarebytes can protect systems against all ransomware variants in several ways.

The Malwarebytes Anti-Malware technology detects malicious files, browser modifications, and system modifications on Windows PCs using a combination of signature-based and signatureless technologies. This layer of protection detects the Ransomware binary itself. Detections can happen in real-time as the binary is run or the infection can be rooted out from an already-compromised machine by conducting a full system scan.

Anti-Ransomware is a signatureless technology in charge of monitoring system activity of processes against a certain subset of data in specific locations on the endpoint. Using patented technology, Anti-Ransomware assesses changes in those data files. If an internal scoring threshold is crossed by a monitored process, it triggers a detection from the Anti-Ransomware component.

For those already infected, Ransomware Rollback can help recover encrypted files within 72 hours of the attack. Rollback creates a local cache on the endpoint to store changes to files on the system. It can use this cache to help revert changes caused by a threat. The rollback feature is dependent on activity monitoring available in Malwarebytes Endpoint Detection and Response.

Ransomware: May 2022 review

The attack on Israeli organizations is the latest in a long line of attempts to compromise supply chains, as the APT looks to leverage that access to target a multitude of potential victims.

After detecting a Lebanese hacking group it calls Polonium abusing its OneDrive personal storage service, Microsoft says it was able to disable the group, which could have links to the Iranian government.

In its latest effort, the advanced persistent threat (APT) targeted more than 20 Israeli organizations and one intergovernmental organization. The Microsoft Threat Intelligence Center (MSTIC) says it suspended more than 20 malicious OneDrive applications created by Polonium actors in the campaign.

Among the targeted organizations were those involved in critical manufacturing, transportation systems, financial services, IT, and Israel’s defense industry, the software giant says – all of which offer an avenue to carry out downstream supply chain attacks.

"In at least one case, Polonium’s compromise of an IT company was used to target a downstream aviation company and law firm in a supply-chain attack that relied on service provider credentials to gain access to the targeted networks," according to MSTIC. "Multiple manufacturing companies they targeted also serve Israel’s defense industry, indicating a Polonium tactic that follows an increasing trend by many actors, including among several Iranian groups, of targeting service provider access to gain downstream access."

**Polonium's Infection Routine**

In 80% of the observed cases, the group exploited a flaw in Fortinet VPN appliances (likely via CVE-2018-13379 vulnerability) to gain initial access. Then they installed a custom PowerShell implant called CreepySnail on the target networks, according to Microsoft. From there, the actors deployed a set of tools named CreepyDrive and CreepyBox to abuse legitimate cloud services for command-and-control (C2) across most of their victims. 

MSTIC says with “moderate confidence” that the attacks were likely carried out with help from Iran’s Ministry of Intelligence and Security (MOIS).

"The observed activity was coordinated with other actors affiliated with Iran's \[MOIS\], based primarily on victim overlap and commonality of tools and techniques," the MSTIC assessment states. “The tactic of leveraging IT products and service providers to gain access to downstream customers remains a favorite of Iranian actors and their proxies.”

**Cyber Operations in Support of State Objectives**

Sherrod DeGrippo, Proofpoint’s vice president of threat research and detection, explains that Iran, specifically MOIS, uses a variety of organizations and affiliates to conduct cyber operations in support of Iranian government interests.

“This activity, which spans the spectrum of state responsibility, mirrors Iran’s material support to various organizations,” she says.

From DeGrippo’s perspective, this report demonstrates another example of how Iran and Israel are engaged in cyber conflict and comes amid rising gray zone tensions between Iran and its adversaries.

In March 2021, for example, Proofpoint reported on how the Iran-aligned threat actor TA453 had targeted Israeli and American medical researchers in late 2020. TA453 has historically aligned with Islamic Revolutionary Guard Corps (IRGC) priorities, targeting dissidents, academics, diplomats, and journalists.

“While this campaign may have been a one-off requirement, TA453 targeting Israeli organizations and individuals is consistent with these ever-increasing geopolitical tensions between the two countries,” she noted.

**Defense Should Focus on Authentication Activity**

Mike Parkin, senior technical engineer at Vulcan Cyber, a provider of SaaS for enterprise cyber-risk remediation, says that while knowing Polonium’s exact motivation is impossible, given the known animosity between the states involved, it’s a “reasonably safe bet” they are trying to do as much damage to their targets as possible as part of a larger agenda.

“State and state-sponsored threat actors compound the problems presented by common cybercriminal groups,” he explains to Dark Reading. “Where criminals are typically after information for sale, data to hold for ransom, or resources to use for further attacks, state-level actors often have additional, much deeper motivations,” such as cyber-espionage or destructive attacks.

Because of the overlap in techniques and tools, it can be difficult to tell the two apart, which can complicate the matter for targeted organizations, he adds.

**Fending Off State-Sponsored Cyberattacks**

To thwart attacks like these, Microsoft advises that organizations should review all authentication activity throughout their remote access infrastructure and VPNs. A particular focus should be fixed on accounts configured with single-factor authentication, to confirm authenticity and investigate any anomalous activity.

Parkin points out that access and authentication logs can easily reveal suspicious activity and keep an attempted breach from turning into a newsworthy incident.

“There is an old saying from system administration about the uselessness of keeping logs that are never reviewed,” he says. “With access logs, regular reviews for suspicious activity should be happening regularly. If not, why keep them?”

In addition to patching known vulnerabilities, Proofpoint’s DeGrippo also notes that a basic best practice for defense is ensuring that all remote-access accounts are required to enable multifactor authentication (MFA).

“Those accounts that require only single-factor authentication do not have the protection MFA provides, allowing an attacker to successfully phish or social engineer a user’s password without encountering a secondary authentication,” she adds.

**VPNs: Taking a Page From Fancy Bear**

Phil Neray, vice president of cyber-defense strategy at CardinalOps, a threat coverage optimization company, tells Dark Reading that Russian threat actor Fancy Bear (aka APT28 and Strontium) also targeted VPNs on a large scale in 2018 with the VPNFilter campaign, which similarly targeted critical infrastructure.

MITRE ATT&CK categorizes this approach as T1133 External Remote Services, with recommended mitigations including creating security information and event management (SIEM) detection queries that examine authentication logs for unusual access patterns, windows of activity, and access outside of normal business hours.

“Exploiting vulnerable VPNs as the initial access point, as in this campaign, is also attractive since VPNs are Internet-exposed on one side and provide direct access to the victim network on the other,” Neray says. “We recommend ensuring your SIEM has specific detections for it, such as monitoring for suspicious logins.”

Tag

#intel