Implement zero-trust policies for greater control, use BYOD management tools, and take proactive steps such as keeping apps current and training staff to keep sensitive company data safe and employees' devices secure.

Mobile workers are productive and often essential to a business's success, but it puts an immense amount of pressure on IT to protect the company's corporate apps and data while maintaining worker privacy.

Bring your own device, also known as BYOD, challenges corporate security protocols and IT staff to protect their intellectual property and keep hackers at bay.

**BYOD Security Risks  
**When the pandemic first hit, organizations were forced to shift from mainly supporting corporate-owned, fully managed devices to supporting personal devices used for work purposes. This abrupt move to remote work forced companies to quickly shift their networking and security capabilities, creating a large amount of risk to their organization. Without proper security measures in place, these unmanaged BYOD devices grant employees access to company resources and sensitive data, which poses a potential risk for sensitive data to be leaked, inadvertently or on purpose.

With over 58% of employees saying their use of personal devices for work purposes increased during the COVID-19 pandemic, shortcuts were destined to be taken with the quick shift to remote work and BYOD. We saw IT teams prioritizing and investing in network access capabilities rather than remote security. With 84% of survey respondents saying they didn't invest in data protection, it's doubtful their security measures increased during the duration of the pandemic. As employees start to return to the office and regain access to even more company resources and sensitive data, their use of BYOD at work could expose their company to new risks.

Here's a spring-cleaning checklist to keep your employee's devices secure for their return to office and beyond:

**Step 1: Improve your BYOD security policy.** If you don't have a BYOD security policy, create one now! For the 39% of organizations that have a formal policy in place, ask yourself if your company's BYOD security policy is restrictive or too vague and adjust as needed. Consider employee's privacy and productivity concerns when making improvements to the policy.

**Step 2: Implement zero-trust security.** With 72% of organizations around the world that have either adopted or are in the process of planning or adopting zero trust, it has become the new business standard for reliable security in our "work-from-anywhere" world. Whether you're working in the office, checking your email in the airport, or working from home, zero-trust security expands beyond a company's security perimeter. Zero trust prescribes that every resource — including devices — must be assessed for potential risks or policy violations before gaining access to corporate data, giving greater control over a BYOD environment.

**Step 3: Make use of BYOD management tools.** It's difficult for companies to manage a fleet of devices across multiple departmental disciplines and mobile device management (MDM) software can help make it simple and easy. Various core functions of MDM ensure that devices are remotely available for auditing, update over the air, that software runs effectively, and devices are available for remote diagnosis and troubleshooting. According to Markets and Markets, the MDM market is anticipated to grow to $15.7 billion by 2025.

**Step 4: Keep your apps and their components up to date.** Each day, hundreds of vulnerabilities are discovered in the mobile and web space, and patches are released regularly. Developers should incorporate these patches in their applications and encourage their users to regularly update their app and their operating systems. This ensures that hackers who try to exploit these known vulnerabilities will be unsuccessful.

**Step 5: Empower employees with information.** According to Trustlook, more than 50% of employees haven't received formal instructions for how to safely use BYOD in the workplace. One of the biggest things companies can do to make sure BYOD devices are secure is empowering employees with information to understand how their devices can be risky to the company's data and create vulnerabilities. Without understanding the cause and effect of BYOD devices to the company, employees won't value a BYOD security policy.

**Step 6: Mitigate future mobile application security issues.** Don't let the wrong mobile security strategy result in customer data being stolen or misused by a cyber scam. Encourage your employees to scan all their mobile apps whether they're for personal or business use.

**Choosing Your Path  
**Large organizations with distributed and often multinational operations need to ensure employees use the latest technologies without putting corporate data and intellectual property at risk. Hybrid and remote work are here to stay, and the demand for BYOD will continue to increase. Determine which security tools and strategies are right for your organization and start implementing them before they cost you in the long run.

Spring Cleaning Checklist for Keeping Your Devices Safe at Work

In just one month, the ransomware group's activity rose by 2,100%, a new report finds.

While on the whole the ransomware landscape remained fairly stable between March and April, a new analysis shows a sizable hike in attack activity from the CLOP ransomware group.

The NCC Group April Threat Pulse update says that the CLOP ransomware group leapfrogged from dead last to the fourth most active group for the month, a 2,100% increase over March. 

The industrial sector was most targeted in April, suffering 35% of ransomware attacks, followed by consumer cyclicals (19%) and technology (10%), according to NCC. 

CLOP appears to favor targeting the industrial and technology sector, the researchers warn. 

"The increase in CL0P's activity seems to suggest they have returned to the threat landscape," Matt Hull, global lead for strategic threat intelligence at NCC Group, said in a statement about the new ransomware group activity findings. "Organizations within CL0P's most targeted sectors — notably industrials and technology — should consider the threat this ransomware group presents, and be prepared for it." 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

CLOP Ransomware Activity Spiked in April

Illicit trade still flourishing despite recent law enforcement takedowns

Illicit trade still flourishing despite recent law enforcement takedowns

Markets that trade in stolen credit card details have been a staple of the underground scene for years but recent cybercrime busts – along with sanctions stemming from the war in Ukraine – are putting the squeeze on cybercriminals.

Carding shops offer a platform to buy and sell stolen card data, which is often sourced directly from breaches or malware-infected point-of-sale (POS) terminals, as well as from skimming devices attached to POS terminals and ATMs.

Recent law enforcement busts had led to a wave of card shop closures. For example, the at the time largest illicit marketplace for stolen payment card data, Joker’s Stash, closed in February 2021.

In early February this year, Russian law enforcement agencies also seized four major card shops – Trump's Dumps, FERum, SkyFraud, and Ultimate Anonymity Services (UAS).

**Follow the money**

An analysis by Blueliv into the state of underground card shops focused on Brian’s Club and Rescator as currently active shops, comparing them with two inactive shops, FERum and All World Cards. Rescator used to be one of the biggest card shops until 2019, when it went offline and encountered a lengthy hiatus before unexpectedly returning in mid-2021.

“Rescator’s case demonstrates how this landscape can be highly volatile and that inactive card shops are not always permanently gone,” a blog post on by Blueliv, the threat intel division of security vendor Outpost24, notes.

Blueliv concludes that the underground carding market remains febrile.

“The card shop ecosystem is deeply impacted by different actors, events, historical moments, the adoption of security policies, and other factors,” Blueliv said. “Law enforcement agencies have a huge impact on the landscape, but personal reasons might lead criminals to withdraw from the carding scene.”

Blueliv’s research was presented at the recent Botconf 2022 conference in Nantes.

**Eastern front**

Geo-political factors as well as the security policy of e-commerce providers can impact the availability of products for illicit shops, which also impacts the overall landscape.

For example, more countries adopt security chips instead of magnetic stripes in their payment systems, meaning that magnetic strip card data dumps have less utility. Data dumps containing card info plus CVV values however have greater utility because they enable online fraud.

Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows, told The Daily Swig that sanctions against Russia following its invasion of Ukraine in February have impeded the ability of cybercriminals to realize the profits from their illegal activity.

“The ongoing conflict between Russia and Ukraine has resulted in some of the most significant economic sanctions in history being directed against Russia,” Morgan explained.

“This has also coincided with numerous providers shutting down their operations in Russia; Russian users looking to cash out through certain gift cards – for example Amazon or Paypal – may find this more difficult as such services are no longer available in their country of origin.”

Read more of the latest news about cybercrime

Recent changes have made it harder for entry-level cybercriminals to start making money, according to Morgan.

“Due to increasing sophistication of controls and user awareness, carding often requires a greater level of skills,” Morgan explained.

“A user will be required to steal the initial credentials – potentially by using skimmer on point of sale (POS) machines – parse logs from the affected machines for carding info, set up accounts on the relevant criminal marketplaces, and potentially also assist buyers with money laundering services.”

Morgan added: “Often, this necessitates several individuals working as a team, rather than one person who is capable of completing the entire carding attack on their own. This makes entry into the carding space more difficult for amateur cybercriminals who do not have those initial connections in the carding space.”

YOU MAY ALSO LIKE Ransomware scourge increases global data breach woes

Volatile market for stolen credit card data shaken up by sanctions against Russia




A year-long international investigation has resulted in the arrest of the suspected head of the SilverTerrier cybercrime group by the Nigeria Police Force.
"The suspect is alleged to have run a transnational cybercrime syndicate that launched mass phishing campaigns and business email compromise schemes targeting companies and individual victims," Interpol said in a statement.

A year-long international investigation has resulted in the arrest of the suspected head of the SilverTerrier cybercrime group by the Nigeria Police Force.

"The suspect is alleged to have run a transnational cybercrime syndicate that launched mass phishing campaigns and business email compromise schemes targeting companies and individual victims," Interpol said in a statement.

Operation Delilah, as the coordinated international effort is called, involved tracking the 37-year-old Nigerian man's physical movements, before he was apprehended at Murtala Mohammed International Airport in Lagos.

Singapore-headquartered cybersecurity company Group-IB said it provided threat intelligence that led to the arrest as part of the police operation that commenced in May 2021.

The development is the third in a series of law enforcement actions aimed at the identification and arrest of the suspected members of the SilverTerrier gang (aka TMT).

In November 2020, three alleged members of the group were arrested for compromising at least 500,000 government and private sector companies in more than 150 countries since 2017. This was followed by the arrests of 11 more members earlier this year as part of an operation dubbed Falcon.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Interpol Arrest Leader of SilverTerrier Cybercrime Gang Behind BEC Attacks

With manufacturing ranking as the fourth most targeted sector, manufacturers that understand their exposure will be able to build the necessary security maturity.

Digital transformation within the manufacturing industry, often referred to as Industry 4.0, is bringing a new world of connectivity and efficiency to modern-day factories. Smart factories incorporate new technology — such as factory automation, artificial intelligence, and the Internet of Things — at all levels of production and the supply chain. Whether robots on the factory floor, wearable devices that improve safety, or monitoring of equipment data through the IoT, adopting Industry 4.0 is the way forward to ongoing success and innovation in the industry.

Manufacturers are on board with the change: The market for smart factory equipment is expected to expand from $295.65 billion in 2021 to more than $500 billion in 2026. However, cyber threats are increasing in tandem with the rise of Industry 4.0.

According to the Kroll "Q4 2021 Threat Landscape" report, manufacturing is the fourth most targeted sector, behind only professional services, technology/telecommunications, and healthcare. As with most other sectors, phishing is the most common attack vector detected against manufacturing targets.

The threat landscape will only continue to expand. Manufacturers that take steps now to understand their exposure will be able to build the security maturity needed to embrace connected technology.

**Manufacturing's Security Maturity  
**Cyberattackers are pivoting toward manufacturing due to the industry's comparatively low level of security maturity, newfound connectivity in core processes, and the difficulty of securing complex manufacturing environments. Differentiated manufacturing processes have always been considered trade secrets, and the industry is highly sensitive to interruptions in service.

However, in the past, mission-critical systems were air gapped, or not Internet connected. This drove attackers to look for easier targets in financial services or healthcare, both of which have lucrative assets, connected devices, and operate with a high degree of urgency, which can lead to security shortcuts, and connected devices.

Now that manufacturing is adopting connected devices, analyzing more data, and feeding that data into custom software, the need for security maturity in the manufacturing sector is urgent. This is a problem that transcends the IT department. Effective security maturity is a multidisciplinary undertaking that must consider the ways that technologies, processes, and people contribute to keeping critical data and devices secure. Protecting industry 4.0 requires dedicated cybersecurity knowledge and expertise.

**Current Cyber Threats in Manufacturing  
**Threats against the manufacturing sector fall into three main categories.

Traditional cyber threats include ransomware against IT systems, data theft, supply chain attacks, and intellectual property theft. These are serious threats that can cost manufacturing businesses time, money, and credibility. They are also threats that smaller manufacturers, in particular, have not yet built strong defenses against due to limited time, resources, or hiring capabilities.

Manufacturing firms are also uniquely at risk for targeted attacks against industrial control systems (ICS). As operational technology (OT) works more closely with traditional IT assets, including connected industrial IoT (IIoT) devices, it is becoming easier to bridge the gap between those groups of devices, and to compromise OT that was originally designed or configured as an isolated network. This can lead not only to the compromise of sensitive information but also interruptions in service and delays in fulfillment.

Another layer of threat against the manufacturing sector involves bespoke software. To make sense of the data that connected systems create, and to enjoy efficiency advantages this data can offer, that data has to be fed into other software. The software is often custom-made for an individual company's technology and data assets. This software and the infrastructure on which it runs can be an attractive target. If it wasn't designed from the start with security in mind, and if it is not implemented and maintained with security in mind, that bespoke software can become the weak link that lets an attacker in.

**What's Next: Adopting Industry 4.0 Securely  
**As a manufacturer, you cannot afford _not_ to adopt Industry 4.0. For efficiency reasons, including just-in-time manufacturing, as well as workplace monitoring, Industry 4.0 is the path toward factories that are both more cost-effective and safer. These changes are not only exciting, but they are becoming necessary: Customers are demanding the flexibility, agility, and information that only Industry 4.0 provides.

However, this is not just a revolution in what you can do on the factory floor, and in what you can do to delight customers. It is also a revolution in how your company needs to think about security. Consider your products: Putting a safe, high-quality product on the market in the first place is more efficient and cheaper in the long run than having to handle a recall if something goes wrong.

A similar attitude makes sense in security. Considering security from the beginning, both in terms of connected infrastructure and the custom code that holds systems together, leads to smoother operations and avoids the major business disruption, cost, and reputational damage that comes with incident response, and the subsequent remaking of code or infrastructure after an issue is exploited.

Effectively preparing and defending against the security challenges of Industry 4.0 is an endeavor that requires action and initiative from people beyond IT. In short, it requires dedicated cybersecurity expertise, with people who can consistently analyze risks and the threat landscape. The effort needs professionals who know how to design and implement effective security controls that prevent active threats, and can make sense of log data and identify anomalies, as well as respond to attacks. They can also oversee that best practices are followed for secure design and coding in applications that ingest and process factory data.

Industry 4.0 Points Up Need for Improved Security for Manufacturers

A DDoS campaign observed by Akamai from actors claiming to be REvil would represent a major pivot in tactics for the gang.

Concern has been raised that a coordinated distributed denial-of-service (DDoS) attack from a malicious actor could be associated with the notorious ransomware-as-a-service (RaaS) group REvil.  

According to a report from Akamai’s Security Intelligence Response Team (SIRT), the attack was aimed at one of Akamai’s hospitality customers. It consisted of a simple HTTP GET request, with a message demanding payment to a Bitcoin (BTC) wallet in exchange for stopping the attack. It also included an additional request for the company to stop operating in a specific country.

Given the request to stop operating in the geospecific location appeared to stem from a recent Supreme Court decision in that country, the attack took on a political flavor that Akamai analysts say would be a break with REvil’s earlier strategies.

“We haven’t seen them linked to hacktivism or political goals in any of the previously reported attacks,” according to Akamai.

On the technical front, the use of proxying capabilities and “fairly well” distributed IPs participating in the attack indicated that some level of coordination was required between the attacker and the proxying system, the Wednesday report notes.

And, due to the extensive use of MikroTik devices identified in the attacking sources, the report suggests the attack could be supported by the MikroTik-based Meris botnet, which also has links to REvil. That said, the low volume of requests per second (Rps) and relatively unsophisticated nature of the campaign are atypical of Meris attacks, the report notes.

**REvil Redux?**

Since being reportedly dismantled by the Russian government earlier this year, there have been hints that REvil – or at least some previous members of the gang – is putting itself back together.

In April, anti-malware firm Avast revealed that the company's software had blocked a ransomware sample that appeared to be generated using information that only previous members of the REvil group could have accessed. The discovery of the file came more than a week after cybersecurity firm Emsisoft revealed that the Web address of REvil's leak site now points to a new host, using both the REvil name and claiming to have compromised a US university and an oil company in India.

Then in March, security firm Imperva reported mitigating a ransom DDoS attack tied to the Meris botnet measuring 2.5 million requests per second (Mrps). It included a series of ransom notes received by the customer that also claimed it came from REvil.

While DDoS has been used in the past by some groups as an extra layer of pressure on ransomware victims to pay up, in both the March incident and this latest case, the attack is pure-play DDoS.

"We haven't seen ransomware linked to these campaigns. The only tie to ransomware is the naming of REvil in the extortion demands," says SIRT engineer Chad Seaman.  

But as to whether this latest incident means that REvil is truly back and testing out new techniques, Seaman is skeptical.

"I don't feel there are strong indicators here that this is indeed a resurgence of REvil,” he says. “Even in the prior reported campaigns, I don't believe there are strong indicators that positively attribute those attacks to REvil in reality."

For instance, the alert also pointed out that the BTC wallet does not have any previous connection to REvil. And the gang has maintained in the past that it is purely profit driven, after all.

Seaman says the threat is more likely to stem from a copycat group looking to leverage REvil’s notoriety.

**DDoS Extortion: A New Avenue for Fear**

He added that be it REvil or someone leveraging the name or reputation, the attack is clearly a play on fear in the hopes of easy money, so the most concerning takeaway from Akamai’s investigation is the fear and panic associated with the threat.

“This is the goal of these types of attacks: to scare the victim into paying, lending credibility to the threat using a scary name,” he explained. “When these campaigns spin up and start to get press, it's typically followed by a surge of copycats.”

From Seaman’s perspective, the publishing of reports like these requires a delicate balance of notifying the public of the threat without the threat turning into a wildfire of copycats.

“We're hoping to help raise awareness while ramping down the associated fear because if we don't get out in front of these types of campaigns and fear-based reporting outpaces sane analysis, it only serves to fuel the fire, not fight it,” he said.

DDoS Extortion Attack Flagged as Possible REvil Resurgence

A walkthrough of one of the stealthy communication techniques employed in a recent attack using APT34's Saitama backdoor. 
The post How the Saitama backdoor uses DNS tunnelling appeared first on Malwarebytes Labs.

_Thanks to the Malwarebytes Threat Intelligence Team for the information they provided for this article._

Understandably, a lot of cybersecurity research and commentary focuses on the act of breaking into computers undetected. But threat actors are often just as concerned with the act of breaking _out_ of computers undetected too.

Malware with the intent of surveillance or espionage needs to operate undetected, but the chances are it also needs to exfiltrate data or exchange messages with its command and control infrastructure, both of which could reveal its presence to threat hunters.

One of the stealthy communication techniques employed by malware trying to avoid detection is DNS Tunnelling, which hides messages inside ordinary-looking DNS requests.

The Malwarebytes Threat Intelligence team recently published research about an attack on the Jordanian government by the Iranian Advanced Persistent Threat (APT) group APT34 that used its own innovative version of this method.

The payload in the attack was a backdoor called Saitama, a finite state machine that used DNS to communicate. Our original article provides an educational deep dive into the operation of Saitama and is well worth a read.

Here we will expand on the tricks that Saitama used to keep its DNS tunelling hidden.

**Saitama’s DNS tunnelling**

DNS is the Internet’s “address book” that allows computers to lookup human-readable domain names, like malwarebytes.com, and find their IP addresses, like 54.192.137.126.

DNS information isn’t held in a single database. Instead it’s distributed, and each domain has name servers that are responsible for answering questions about them. Threat actors can use DNS to communicate by having their malware make DNS lookups that are answered by name servers they control.

DNS is so important it’s almost never blocked by corporate firewalls, and the enormous volume of DNS traffic on corporate networks provides plenty of cover for malicious communication.

Saitama’s messages are shaped by two important concerns: DNS traffic is still largely unencrypted, so messages have to be obscured so their purpose isn’t obvious; and DNS records are often cached heavily, so identical messages have to look different to reach the APT-controlled name servers.

**Saitama’s messages**

In the attack on the Jordanian foreign ministry, Saitama’s domain lookups used the following syntax:

domain = **message**, **counter** '.' **root domain**

The root domain is always one of uber-asia.com, asiaworldremit.com or joexpediagroup.com, which are used interchangeably.

The sub-domain portion of each lookup consists of a message followed by a counter. The counter is used to encode the message, and is sent to the command and control (C2) server with each lookup so the C2 can decode the message.

Four types of message can be sent:

**1\. Make contact**

The first time it is executed, Saitama starts its counter by choosing a random number between 0 and 46655. In this example our randomly-generated counter is 7805.

The DNS lookup derived from that counter is:

**nbn4vxanrj.joexpediagroup.com**

The counter itself is encoded using a hard-coded base36 alphabet that is shared by the name server. In base36 each digit is represented by one of the 36 characters 0-9 and A-Z. In the standard base36, alphabet 7805 is written 60t (6 x 1296 + 0 x 36 + 30 x 1). However, in Saitama’s custom alphabet 7805 is **nrj**.

The counter is also used to generate a custom alphabet that will be used to encode the message using a simple substitution. The first message sent home is the command 0, base36-encoded to a, which tells the server it has a new victim, prepended to the string haruto, making aharuto.

A simple substitution using the alphabet generated by the counter yields the message **nbn4vxa**.

**a** b c d e f g **h** i j k l m n **o** p q **r** s **t u** v w x y z 0 1 2 3 4 5 6 7 8 9
↓             ↓             ↓     ↓   ↓ ↓             
**n** j 1 6 9 k p **b** h d 0 7 y i **a** 2 g **4** u **x** **v** 3 e s w f 5 8 r o c q t l z m

The C2 name server decodes the counter using the shared, hard-coded alphabet, and then uses the counter to derive the alphabet used to encode aharuto.

It responds to the contact request with an IP address that contains an ID for Saitama to use in future communications. The first three octets can be anything, and Saitama ignores them. The final octet contains the ID. In our example we will use the ID 203:

75.99.87.**203**

**2\. Ask for a command**

Now that it has an ID from the C2 server, Saitama increments its counter to 7806 and signals its readiness to receive a command as follows: The counter is used to generate a new custom alaphabet, which encodes the ID, 203, as **ao**. The counter itself is encoded using the malware’s hard-coded base36 alphabet, to **nrc**, and one of Saitama’s three root domains is chosen at random, resulting in:

**aonrc.uber-asia.com**

The C2 server responds to the request with the size of the payload Saitama should expect. Saitama will use this to determine how many requests it will need to make to retrieve the full payload.

The first octet of the IP address the C2 responds with is any number between 129 and 255, while the second, third and fourth octets signify the first, second, and third bytes of the size of the payload. In this case the payload will be four bytes.

129.**0**.**0**.**4**

**3\. Get a command**

Now that it knows the size of the payload it will receive, Saitama makes one or more RECEIVE requests to the server to get its instructions. It increments its counter by one each time, starting at 7807. Multiple requests may be necessary in this step because some command names require more than the four bytes of information an IP address can carry. In this case it has been told to retrieve four bytes of information so it will only need to make one request.

The message from Saitama consists of three parts: The digit 2, indicating the RECEIVE command; the ID 203; and an offset indicating which part of the payload is required. These are individually base36-encoded and concatenated together. The resulting string is encoded using a custom base36 alphabet derived from the counter 7807, giving us the message **k7myyy**.

The counter is encoded using the hard-coded alphabet to **nr6**, and one of Saitama’s three root domains is chosen at random, giving us:

**k7myyynr6.asiaworldremit.com**

The C2 indicates which function it wants to run using two-digit integers. It can ask Saitama to run any of five different functions:

C2

Saitama

43

Static

70

Cmd

71

CompressedCmd

95

File

96

CompressedFile

Saitama functions

In this case the C2 wants to run the command ver using Saitama’s Cmd function. (In the previous request the C2 indicated that it would be sending Saitama a four byte payload: One byte for 70, and three bytes for ver.)

In its response, the C2 uses the first octet of the IP address to indicate the function it wants to run, 70, and then the remaining three octets to spell out the command name ver using the ASCII codepoints for the lowercase characters “v”, “e”, and “r”:

**70**.**118**.**101**.**114**

**4\. Run the command**

Saitama runs the command it has been given and sends the resulting output to the C2 server in one or more DNS requests. The counter is incremented by one each time, starting at 7808 in our example. Multiple requests may be necessary in this step because some command names require more than the four bytes an IP address can carry.

**p6yqqqqp0b67gcj5c2r3gn3l9epztnrb.asiaworldremit.com**

The counter is encoded using the hard-coded alphabet to **nrb**, and one of Saitama’s three root domains is chosen at random.

In this case the message consists of five parts: The digit 2, indicating the RECEIVE command; the ID 203; and an offset indicating which part of the response is being sent; the size of the buffer; and a twelve-byte chunk of the output. These are individually base36-encoded and concatenated together. The resulting string is encoded using a custom base36 alphabet derived from the counter 7808, giving us the message **p6yqqqqp0b67gcj5c2r3gn3l9epzt**.

**Detection**

Malwarebytes customers are protected from this attack via our Anti-Exploit layer. To learn more about the recent attack involving Saitama, read APT34 targets Jordan Government using new Saitama backdoor.

**IOCs******Maldoc****

Confirmation Receive Document.xls  
26884f872f4fae13da21fa2a24c24e963ee1eb66da47e270246d6d9dc7204c2b

**Saitama backdoor**

update.exe  
e0872958b8d3824089e5e1cfab03d9d98d22b9bcb294463818d721380075a52d

**C2s**

uber-asia.com  
asiaworldremit.com  
joexpediagroup.com

How the Saitama backdoor uses DNS tunnelling

Company to debut its AD capabilities at the 2022 RSA Conference.

HERZLIYA, Israel, May 24, 2022 /PRNewswire/ -- XM Cyber, the multi-award-winning attack path management company, announced today a new security capability for Microsoft's Active Directory (AD). XM Cyber is the first in the industry to link the use of AD into the entire attack path, bringing multiple attack techniques together and offering a complete and accurate view of an organization's cybersecurity risk, across on-prem and cloud environments. With this new capability, enterprises gain end-to-end attack path visualization for easy understanding and prioritized remediation of all weaknesses before an attack can take place.

A chain of attack vectors (vulnerabilities, misconfigurations, user privileges, human errors, etc.) that enables lateral movement through an organization's network is called an attack path. Once an attacker is inside the network, they can move laterally, escalating their privileges and targeting systems to gain access to sensitive data and business-critical resources, and even gain access to the cloud environment by moving from a compromised enterprise AD user to the associated Azure AD user.

AD is widely used by enterprises around the world (including approximately 90% of Global Fortune 1000 companies) to connect and manage endpoints inside corporate networks. This makes it an attractive target for hackers seeking to obtain domain admin-level access. An attacker that has compromised an AD user can elevate privileges, conceal malicious activity in the network, execute malicious code, and gain access to the cloud environment to compromise assets. The XM Cyber Research team recently reported that 73% of the top attack techniques used to compromise critical assets in 2021 involved mismanaged or stolen credentials; and according to EMA research, at least 50% of organizational attacks are due to AD compromise.

"It is critical to make concentrated efforts to comprehensively secure and monitor AD, proactively look for threats and misconfigurations, and remediate to prevent dangerous actions from taking place," according to Gartner®. \[1\]

The XM Cyber Attack Path Management platform demonstrates how AD abuse comes into play across the entire attack path, bringing together multiple attack techniques to pinpoint the riskiest credentials and permissions across users, endpoints and services managed in AD. This enables organizations to direct resources to remediate the most impactful risks first using step-by-step guidance. The platform's comprehensive security posture analysis surfaces AD weaknesses in real time, correlating the likelihood of attacks that can compromise critical assets.

"Existing solutions provide security teams with limited visibility into which users can expose critical assets," said Boaz Gorodissky, CTO, XM Cyber. "Our unique ability to chain together AD attack techniques gives organizations the edge against attackers, enabling them to reduce their risk before the attack ever happens. We are committed to providing proactive security so CISOs can focus on maximizing resources to protect their most business-critical applications and data."

XM Cyber will debut its AD capabilities at the 2022 RSA Conference, taking place June 6-9 in San Francisco. Interested parties can book a personal demo here or visit us at booth #4328 at the Moscone North Expo. Learn more about XM Cyber Active Directory security here.

\[1\] Gartner, "Emerging Technologies and Trends Impact Radar: Security", Ruggero Contu, Mark Driver, et al, 12 October 2021. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

**About XM Cyber  
**XM Cyber is a leading hybrid cloud security company that is changing the way innovative organizations approach cyber risk. Its attack path management platform continuously uncovers hidden attack paths to businesses' critical assets across cloud and on-prem environments, enabling security teams to cut them off at key junctures and eradicate risk with a fraction of the effort. Many of the world's largest, most complex organizations choose XM Cyber to help eradicate risk. Founded by top executives from the Israeli cyber intelligence community, XM Cyber has offices in North America, Europe, and Israel.

XM Cyber Adds New Security Capability for Microsoft Active Directory

New features include context-aware, zero-trust data protection on local peripherals and devices.

SANTA CLARA, Calif. – May 24, 2022 – Netskope, the leader in Security Service Edge (SSE) and zero trust, today announced a key expansion of data protection capabilities to endpoint devices and private apps. The introduction of a patented endpoint data loss prevention (DLP) solution will enable Netskope Intelligent SSE customers to protect data everywhere it moves across the hybrid enterprise.

Zero trust principles are critical to SSE, which describes the security stack needed to enable a modern Secure Access Service Edge (SASE) architecture. Data protection is of utmost importance throughout a SASE architecture—specifically, the need for security to move with data wherever it is accessed, and apply zero trust to determine the right level of access. Additionally, legacy and endpoint DLP offerings have failed enterprises by being siloed, complicated, and intrusive, hindering user productivity.

Netskope has been consistently recognized by top industry analysts for its advanced data protection capabilities. With today’s continued expansion of the Netskope Intelligent SSE platform, Netskope customers will be able to protect data across SaaS, IaaS, private applications, web, e-mail, and endpoint devices from a single converged data protection solution, leveraging machine learning, user and entity behavior analytics (UEBA), and insider threat mitigation capabilities to improve security efficacy, efficiency, and agility.

  
Notable features of Endpoint DLP include:

· Context-aware, zero trust data protection on local peripherals and devices, such as USB drives and printers

· Unified data classification, policy enforcement, and incident management for DLP across SaaS, IaaS, private apps, web, e-mail, and endpoint devices

· A patented lightweight endpoint agent with cloud-based inspection and contextual data protection policies that enhance the user experience

· Machine learning and Advanced Analytics to help simplify data classification and policy definition, lowering operational overhead

· UEBA, which makes it possible to identify and stop complex data loss scenarios such as insider risk, where users are unintentionally or even maliciously abusing their access to data

“No SASE or zero trust journey will be successful without data protection capabilities that can address all critical use cases in a way that is easy to deploy and doesn’t slow down users,” said John Martin, Chief Product Officer, Netskope. “The introduction of Endpoint DLP extends Netskope’s award-winning data protection capabilities that much further, to critical use cases with endpoint devices. While some competitors may offer unified policy and management or provide data protection for certain vectors, Netskope is the only vendor that can provide truly converged data protection across the full IT environment. We are very excited to deliver Endpoint DLP to customers as another Netskope game-changer.”

“With Netskope’s new eDLP, we can now offer single-pass data protection —across all vectors, from the cloud to the endpoint —with unified policies, within a single management console,” said Mick Coady, Global Vice President CyberSecurity Solutions, World Wide Technology. “As a Platinum Partner in Netskope’s Evolve partner program, we’re seeing the huge growth opportunity that Netskope’s Intelligent SSE approach represents. This new addition will accelerate that growth.”

A work-from-anywhere, or “hybrid,” environment makes it increasingly difficult to maintain security models based on implicit trust in any entity that wants to connect. Zero trust principles enable organizations to govern access to data based on behavior by users, devices, networks, and applications— increasing confidence in policy enforcement everywhere. By evaluating several contextual elements—user identity, device identity and security posture, time of day, geolocation, business role, sensitivity level of the data, and more—the resource itself can determine an appropriate level of confidence, or trust, only for that specific interaction and only for that specific resource. Using Netskope Intelligent SSE with zero trust principles applied throughout the environment, businesses become more agile, reduce risk, and streamline solution deployment and maintenance.

"DLP has been extremely complicated and cumbersome, and that's before you factor in cloud, web, email, private apps, and endpoints,” said Frank Dickson, IDC Group Vice President, Security & Trust. “Netskope looks to address complexity with integration, providing a unified cloud delivered solution. Compared to old school network and endpoint-based DLP solutions, having DLP in this integrated solution makes it dramatically easier to protect data wherever it may be and in a manner that is frictionless for end users. It is a win-win.”

Visit Netskope and take a demo of Intelligent SSE at Booth #S449 at RSA Conference, June 6-9, 2022, in San Francisco. For more on today’s announcement, read the Netskope blog.

**About Netskope**  
Netskope, a global cybersecurity leader, is redefining cloud, data, and network security to help organizations apply zero trust principles to protect data. The Netskope Intelligent Security Service Edge (SSE) platform is fast, easy to use, and secures people, devices, and data anywhere they go. Netskope helps customers reduce risk, accelerate performance, and get unrivaled visibility into any cloud, web, and private application activity. Thousands of customers, including more than 25 of the Fortune 100, trust Netskope to address evolving threats, new risks, technology shifts, organizational and network changes, and new regulatory requirements. Learn how Netskope helps customers be ready for anything on their SASE journey, visit netskope.com.

Netskope Expands Data Protection Capabilities to Endpoint Devices and Private Apps

New funding led by global cyber investor Paladin Capital Group, alongside existing investors Columbia Capital and Skylab Capital.

**ALEXANDRIA, Va., May 24, 2022**\--(BUSINESS WIRE)--Nisos, The Managed Intelligence CompanyTM, today announced $15 million in Series B funding led by global cyber investor Paladin Capital Group alongside existing investors Columbia Capital and Skylab Capital. The new funding will be leveraged to accelerate company growth with investments in the company’s Managed Intelligence services, the Nisos Intelligence PlatformTM, and additional staff to meet client’s increasing intelligence needs.

"Nisos provides a level of intelligence that is timely, relevant, and actionable. Their monitoring, analysis, and investigation services have been a critical component of our diligence process, enabling us to quickly quantify risk and accelerate acquisitions," said Jason Button, Lead for Security, Integration, and Mergers, Cisco Systems, Inc.

To date, the company has secured over $33 million in funding and experienced tremendous momentum, with a 140 percent increase in Q1 bookings year-over-year. In the last year, the company expanded internationally with the opening of its first European office, increased its headcount by 60 percent, and issued prominent, high visibility research that reveals cybersecurity issues and disinformation campaigns throughout the globe.

"While threat intelligence holds the promise of making protection efforts more precise, in many cases it does the exact opposite, overwhelming teams with terabytes of unorganized information. Managed Intelligence is addressing these shortcomings and empowering security teams with the right information at the right time so that they can effectively combat today's sophisticated adversaries," said Christopher Steed, Chief Investment Officer and Managing Director at Paladin Capital Group. "In this emerging space, Nisos is pioneering an innovative new approach with its unique ability to connect cyber and physical risk for more effective threat intelligence, enabling the company to triple its valuation in two years while also positioning itself for continued rapid growth."

As part of the company’s client enablement strategy, the new funding will be used to expedite product management and development, drive market awareness and elevate customer services and success. This includes plans to refine the Nisos Intelligence Platform to improve analyst and client experiences and build a foundation for additional growth ahead.

"Over the last year, Nisos has grown tremendously as we’ve expanded our platform and continued to add talented experts to address the needs of our growing client base, positioning us at the forefront of the Managed Intelligence market," said David Etue, CEO at Nisos. "This funding helps us expand our offerings and the company to meet accelerating demand from clients who increasingly understand the value of intelligence, and discover that the more they learn, the more resources and expertise they require."

**About Nisos**

Nisos is The Managed Intelligence CompanyTM. Our services enable security, intelligence, and trust & safety teams to leverage a world-class intelligence capability tailored to their needs. We fuse robust data collection with a deep understanding of the adversarial mindset delivering smarter defense and more effective response against advanced cyberattacks, disinformation and abuse of digital platforms. For more information visit: www.nisos.com

**About Paladin Capital Group**

Paladin Capital Group was founded in 2001 and has offices in Washington DC, New York, London, Luxembourg, and Silicon Valley. As a multi-stage investor, Paladin Capital Group’s core strength is identifying and supporting innovative companies that develop promising, early-stage technologies to address the critical cyber and advanced technological needs of both commercial and government customers.

Combining proven investment experience with deep expertise in global security, cyber technology, and cutting-edge research, Paladin has invested in more than 60 companies and has been a trusted partner to investors, entrepreneurs, and governments for over two decades. Follow the firm on Twitter @Paladincap and visit www.paladincapgroup.com.

Tag

#intel