North Korean state-sponsored actors, who help economically prop up Kim Jong Un's dictatorship, continue to pummel US infrastructure.

The federal Rewards for Justice program has doubled, to $10 million, the available reward for useful information about North Korean state-sponsored actors' attacks on US healthcare systems and other critical infrastructure.

The State Department has a Tor-based tip line where anyone can submit information they have on North Korean-sponsored threat actors, including Lazarus Group, Kimsuky, BlueNoroff, and Andariel, all linked to the DPRK government apparatus.

Earlier this month, the FBI, US Cybersecurity and Infrastructure Agency (CISA), and the Treasury Department issued a warning that North Korean state-sponsored actors are attacking the US healthcare and public health sectors with a new ransomware tool called Maui.

Also in July, Microsoft warned that a North Korean APT threat it calls DEV-0530 has been using a custom ransomware dubbed H0lyGh0st to successfully compromise small businesses in multiple countries.

The hefty reward signals the success the DPRK has had using cybercrime to fund its activities as a way to work around stringent international sanctions, according to Kevin Bocek, vice president of security strategy and threat intelligence at Venafi.

"This money is being funneled directly into weapons programs, and cybercrime has become an essential cog in the ongoing survival of Kim Jong Un's dictatorship," Bocek said via email, in reaction to the reward hike announcement. "Worryingly, this blueprint is also being mimicked by other rogue states. So, cutting North Korean cybercrime off at the source is essential to the national security of the U.S. and its allies."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

US Offers $10M Double-Reward for North Korea Cyberattacker Info

Call it a "cyber tax": Those costs are usually passed on to consumers, not investors, as compromised businesses raise prices for goods and services.

Sixty percent of breaches have resulted in companies recouping the cost of fines, clean-up, and technological improvements by increasing prices, essentially making consumers pay for breaches and companies' lack of preparedness, according to an annual report published on July 27.

The "Cost of Data Breach Report 2022" report, based on a survey of executives and security professionals at 550 companies, says the average cost of a data breach continued to rise in 2022, reaching an average of $4.4 million globally (up 13% since 2020) and $9.4 million in the United States. On average, companies required 277 days to identify and contain data breaches, down from 287 days in 2021, and 83% of companies had suffered more than one breach.  

"It is clear that cyberattacks are evolving into market stressors that are triggering chain reactions, \[and\] we see that these breaches are contributing to those inflationary pressures," says John Hendley, head of strategy for IBM Security's X-Force research team. "We have to think about cyber events as factors that are capable of straining the economy, similar to COVID, the war in Ukraine, gas prices, all of that."

    

Business email compromise and phishing attacks led to the most costly breaches (in millions of US$). Source: IBM Cost of Data Breach Report 2022

The annual report, based on surveys conducted by the Ponemon Institute, is not the first attempt to gauge the impact of breaches on businesses' balance sheets. Last year, a survey by security-operations firm IronNet found that most companies were affected by the supply chain attack on network management firm SolarWinds, with the average firm seeing an 11% drop in revenue due to dealing with the incident. 

Overall, experts estimated that the incident would cost SolarWinds about $18 million but would cost the 18,000 affected businesses and government agencies as much as $100 billion in clean-up costs.

**A "Cyber Tax" on Consumers**

While cybersecurity experts have increasingly urged companies to count on having their systems compromised, they continue to have problems stopping attackers, and they are passing costs onto consumers, Hendley notes. This suggests that data breaches and cyberattacks are creating a cyber tax, he argues, increasing costs for downstream consumers and clients.

"When you think about the fact that 83% of businesses have been breached at least once in their lifetime, I think it becomes difficult to say that we need to apply punitive damages to help prevent breaches," Hendley says. "There is always going to be a way in, so I think the best investment that we can have is to try to shift the line from protecting the perimeter to thinking like the attacker."

In addition to the labeling of breaches and fines as a cyber tax, the report highlighted various trends among industries dealing with cyberattacks. Companies that could reduce the overall breach detection and response time to less than 200 days saved $1.1 million, or 23% of the cost of the average breach.

**Data Breach Costs Worst in Healthcare **

The cost of a single data breach varied significantly based on the type of industry affected. The heavily regulated healthcare sector continued to pay out the highest amount for compromises of data, reaching an average of $10 million per breach in 2022, compared with financial firms that paid an average of $6 million per breach, the second most expensive breach cost. Pharmaceutical companies and technology firms essentially tied for third place, paying about $5 million for each breach.

Ransomware continued to have a significant impact on business, despite signs that — so far this year — ransomware attacks have declined somewhat. The survey found that companies that pay ransoms spend less on clean-up costs, but high ransom totals negate most savings. In addition, 80% of companies that pay ransoms are attacked again, according to the "Ransomware: The True Cost to Business" report published by security firm CyberReason last year.

**Ransomware Not as Costly as Phishing Attacks**

Other research has highlighted the impact of ransomware on companies that have not adequately prepared for destructive attacks. Two-thirds of global firms hit with ransomware suffered a significant revenue loss, they said, as did 58% of those surveyed at US companies specifically. The attacks overall have led to 31% of global companies shuttering some part of their businesses.

"It is interesting to see the cost difference between ransomware victims who chose to pay and those who chose not to," Nicole Hoffman, senior cyber-threat intelligence analyst at Digital Shadows, a digital-risk protection firm. "Those who pay are often targeted again within months of the original attack, which would increase financial losses significantly. These factors are important to consider when making the challenging business decision of whether or not to pay."

That said, the initial vector of the attack also had a significant impact on cost. Business email compromise (BEC) and phishing attacks led to the highest average breach costs — about $4.9 million per incident — with third-party vulnerabilities and compromised credentials accounting for damages of approximately $4.5 million per incident.

The IBM-Ponemon report also highlighted technologies that could have the largest impact on data breach costs. Companies that use artificial intelligence and machine learning (AI/ML) technologies, DevSecOps processes, and formed an incident-response team saved about $300,000, $276,000, and $253,000 per incident, respectively. 

In contrast, companies that suffered from security system complexity, were migrating the business to the cloud, and had compliance failures saw the largest increases in cost per incident.

The report is based on more than 3,600 interviews with individuals from 550 companies of various sizes, focusing on breaches that involved anywhere from 2,200 to 102,000 records. Breaches outside that range were not included.

Average Data Breach Costs Soar to $4.4M in 2022

Built-in Telegram and Discord services are fertile ground for storing stolen data, hosting malware and using bots for nefarious purposes.

Built-in Telegram and Discord services are fertile ground for storing stolen data, hosting malware and using bots for nefarious purposes.

Cybercriminals are tapping the built-in services of popular messaging apps like Telegram and Discord as ready-made platforms to help them perform their nefarious activity in persistent campaigns that threaten users, researchers have found.

Threat actors are tapping the multi-feature nature of messaging apps—in particularly their content-creation and program-sharing components—as a foundation for info-stealing, according to new research from Intel 471.

Specifically, they use the apps “to host, distribute, and execute various functions that ultimately allow them to steal credentials or other information from unsuspecting users,” researchers wrote in a blog post published Tuesday.

“While messaging apps like Discord and Telegram are not primarily used for business operations, their popularity coupled with the rise in remote work means a cybercriminal has a bigger attack surface at their disposal than in past years,” researchers wrote. 

Intel 471 identified three key ways in which threat actors are leveraging built-in features of popular messaging apps for their own gain: storing stolen data, hosting malware payloads, and using bots that perform their dirty work, they said.

****Storing Exfiltrated Data****

Having one’s own dedicated and secure network to store data stolen from unsuspecting victims of cybercrime can be costly and time-consuming. Instead, threat actors are using data-storage features of Discord and Telegram as repositories for info-stealers that actually depend upon the apps for this aspect of functionality, researchers have found.

Indeed, novel malware dubbed Ducktail that steals data from Facebook Business users was recently seen storing exfiltrated data in a Telegram channel, and it’s far from the only one.

Researchers from Intel 471 observed a bot known as X-Files that uses bot commands inside Telegram to steal and store data, they said. Once the malware infects a system, threat actors can swipe passwords, session cookies, login credentials and credit-card details from popular browsers– including Google Chrome, Chromium, Opera, Slimjet and Vivaldi–and then deposit that stolen info “into a Telegram channel of their choosing,” researchers said.

Another stealer known as Prynt Stealer functions in a similar fashion, but does not have the built-in Telegram commands, they added.

Other stealers use Discord as their messaging platform of choice for storing stolen data. One stealer observed by Intel 471, known as Blitzed Grabber, uses Discord’s webhooks feature to deposit data lifted by the malware, including autofill data, bookmarks, browser cookies, VPN client credentials, payment card information, cryptocurrency wallets and passwords, researchers said. Webhooks are similar to APIs in that they simplify the transmission of automated messages and data updates from a victim’s machine to a particular messaging channel.

Blitzed Grabber and two other stealers observed using messaging apps for data storage–—Mercurial Grabber and 44Caliber–also target credentials for the Minecraft and Roblox gaming platforms, researchers added.

“Once the malware spits that stolen information back into Discord, actors can then use it to continue their own schemes or move to sell the stolen credentials on the cybercrime underground,” researchers noted.

****Payload Hosting****

Threat actors also are leveraging the cloud infrastructure of messaging apps to host more than legitimate services—they also hide malware in its depths, according to Intel 471.

Discord’s content delivery network (CDN) has been an especially fertile ground for malware hosting since as far back as 2019 because cybercrime operators farce no restrictions when uploading their malicious payloads there for file hosting, researchers noted.

“The links are open to any users without authentication, giving threat actors a highly reputable web domain to host malicious payloads,” researchers wrote.

Malware families observed using Discord CDN to host malicious payloads include: PrivateLoader, Colibri, Warzone RAT, Smokeloader, Agent Tesla stealer and njRAT, among others.

****Using Bots for Fraud****

Cybercriminals also are empowering Telegram bots to do more than offer legitimate features to users, researchers found. In fact, Intel 471 has observed what it calls an “uptick” in services being flogged on the cybercrime underground that provide access to bots that can intercept one-time password (OTP) tokens, which threat actors can weaponize to defraud users.

One bot known as Astro OTP gives threat actors access to both OTPs and short message service (SMS) verification codes, researchers observed. Cybercriminals can control the bots directly through the Telegram interface by executing simple commands, they said.

The current going rate for Astro OTP on hacker forums is US$25 for a one-day subscription or US$300 for a life-time subscription, researchers said.

_\[**FREE On-demand Event**: **Join Keeper Security’s Zane Bond in a Threatpost roundtable and learn how to securely access your machines from anywhere and share sensitive documents from your home office.** **WATCH HERE**.\]_

Messaging Apps Tapped as Platform for Cybercriminal Activity

New careers in IT open up for former footballers.

Friday 22nd July saw the very first students graduate from the PSM Cyber Stars Programme at an event held at the AXA Training Centre, the training facility for one the world’s most iconic football clubs, Liverpool FC.

For those young players who do not go on to have a career in the professional game, career paths can be difficult. Recognising the issue, Phoenix Sport and Media Group (PSMG) have opened the ‘state of the art’ PSM Digital Academy which is designed to help current and retired players into a career in cyber security. This week saw the first seven students graduate with many of them already lined up with their first roles in the sector.

Founded by a group of Premier League players who are determined to make a positive difference, PSM Digital Academy and the Cyber Star Programme will be providing technical skills training as well as help in transitioning from sport. Located at Silverstone race circuit, the courses will be delivered in a modern training facility on site, or virtually, dependent on the preference of the learner. The courses will be in offensive, defensive and threat intelligence and will help plug a significant skills gap in this specific area of the cyber industry.

This is a new partnership between PSMG, CompTIA, BIT Training and Hack The Box and it’s tasked with delivering the programme under the name Cyber Stars.

The first cohort launched in late April 2022 and was oversubscribed which is an indication of the level of demand for this type of learning. Looking forward, the Academy will be inviting applications from other sports and focus groups including cricket, rugby, and athletics. As part of its commitment to diversity and inclusion, they are also hoping to offer focused cohorts for female players and for Paralympians.

The course has been designed to go beyond traditional training and has been tailored to help sports stars excel. PSM Cyber Stars Programme has also entered into partnerships with cyber employers who are looking to interview successful graduates for roles in this fast-growing sector.

Commenting on the new projects, Carly Barnes CEO of PSMG said: “We’re incredibly proud to have successfully launched this course and even more proud to see the very first students graduate at such a well renowned venue. These new graduates are about to start on brand new career paths in the IT industry and we look forward to seeing how they progress as the months and years move on.”

One former Liverpool FC Academy player that graduated from the course this week is Josh Sumner, who said: “It was devastating to leave Liverpool FC at the age of 19 after being there for seven years because football was all I knew. I’m now 28 years old and I can safely say that the PSM Cyber Stars Programme has set me on a new and exciting career path in IT. It was always something that I was interested in but this have given me the opportunity to take the first real life step in to the sector.”

Commenting on the initiative, Caitlin Hawkins, Academy Education Manager, Liverpool Football Club said: “This is an amazing initiative, and we are fully behind it at LFC. The workshop delivered by PSM, BIT Training, Hack The Box and CompTIA is impressive and we’ve had real interest in this course from our alumni. We’re delighted to see that the graduates from this week include former LFC player Josh Sumner and we look forward to giving our continued support to the course and these former players as they embark on new career paths.”

**Background information:**

**_CompTIA_**

The Computing Technology Industry Association (CompTIA) is a leading voice and advocate for the $5 trillion global information technology ecosystem; and the estimated 75 million industry and tech professionals who design, implement, manage, and safeguard the technology that powers the world’s economy. Through education, training, certifications, advocacy, philanthropy, and market research, CompTIA is the hub for unlocking the potential of the tech industry and its workforce. Visit https://www.comptia.org/

“The number of open job roles in the cyber security sector in the UK is increasing, yet the number of skilled people to fill them still lags behind. Globally, we are facing a huge skills gap and a shortage of millions of skilled professionals in the coming years. Our mission at CompTIA is to close the IT skills gap and improve the talent pipeline for IT employers.

The PSMG Cyber Stars programme does just that. The programme is different and engaging and helps us attract a new demographic of talent to become a part of this booming industry. The students are able to bring something new with the transferrable skills they have picked up in their years of professional training in sport. Skills such as Leadership, Team work, Problem Solving and Commitment are all skills that can be used in Tech.

We are demystifying the idea of needing to be a 'rocket scientist' or 'mathematician' to get into to work in Tech and Cyber roles. We are thrilled to support the academy alumni as they reskill, certify and transition into their new careers in cyber security and help us achieve our mission of supporting a skilled workforce into industry.

**Luke Barton, Senior Manager, CompTIA**

**_Hack The Box_**

Hack The Box is an online cybersecurity training and upskilling platform that allows individuals, businesses, universities, and all kinds of organizations all around the world to level up their offensive and defensive security skills through the most gamified and engaging learning environment. Join a massive hacking playground and infosec community of 1.5 million platform members who learn, hack, level up, and exchange ideas and methodologies.

“At Hack The Box we are committed to creating a safer cyber world by making cybersecurity training accessible to everyone. Everyone can join and start learning and practicing cybersecurity, from theory to action. With that in mind, Hack The Box supported the PSM Cyber Stars Programme, providing cyber security training to a selected group of athletes - willing to explore a new line of work - and as such offer a pathway for these individuals to a new career opportunity.”

**Harris Pylarinos, Hack The Box, Founder & CEO**

**_BIT Training_**

Since 2004, BIT Training has provided award-winning commercial IT and Cyber Security training to support organisations and IT professionals across the world. Their dedicated team of in-house expert instructors, online platforms and learning partners provide cost-effective, flexible training solutions. They provide customers with the opportunity to learn ‘whenever’ and ‘wherever’ they need to achieve their learning goals.

“The PSM Cyber Stars Programme is unique and we’re proud to be involved. We’ve broken down the learning pathway so that academic and social backgrounds are unimportant; it’s all about talent and aptitude. We’re very excited to partner with PSMG, CompTIA and Hack The Box to grow the partnership as market demand for our courses grows.”

First Cohort Graduates from PSM Cyber Stars Program at Liverpool FC

Facebook business and advertising accounts are at the receiving end of an ongoing campaign dubbed Ducktail designed to seize control as part of a financially driven cybercriminal operation. 
"The threat actor targets individuals and employees that may have access to a Facebook Business account with an information-stealer malware," Finnish cybersecurity company WithSecure (formerly F-Secure

Facebook business and advertising accounts are at the receiving end of an ongoing campaign dubbed **Ducktail** designed to seize control as part of a financially driven cybercriminal operation.

"The threat actor targets individuals and employees that may have access to a Facebook Business account with an information-stealer malware," Finnish cybersecurity company WithSecure (formerly F-Secure Business) said in a new report.

"The malware is designed to steal browser cookies and take advantage of authenticated Facebook sessions to steal information from the victim's Facebook account and ultimately hijack any Facebook Business account that the victim has sufficient access to."

The attacks, attributed to a Vietnamese threat actor, are said to have begun in the latter half of 2021, with primary targets being individuals with managerial, digital marketing, digital media, and human resources roles in companies.

The idea is to target employees with high-level access to Facebook Business accounts associated with their organizations, tricking them into downloading supposed Facebook advertising information hosted on Dropbox, Apple iCloud, and MediaFire.

In some cases, the archive file containing the malicious payload is also delivered to victims through LinkedIn, ultimately allowing the attacker to take over any Facebook Business account.

An information-stealing malware written in .NET Core, the binary is engineered to use Telegram for command-and-control and data exfiltration. WithSecure said it identified eight Telegram channels that were used for this purpose.

It works by scanning for installed browsers such as Google Chrome, Microsoft Edge, Brave Browser, and Mozilla Firefox to extract all the stored cookies and access tokens, alongside stealing information from the victim's personal Facebook account such as name, email address, date of birth, and user ID.

Also plundered are data from businesses and ad accounts connected to the victim's personal account, allowing the adversary to hijack the accounts by adding an actor-controlled email address retrieved from the Telegram channel and grant themselves Admin and Finance editor access.

While users with Admin roles have full control over the Facebook Business account, users with Finance editor permissions can edit business credit card information and financial details like transactions, invoices, account spend, and payment methods.

Telemetry data gathered by WithSecure shows a global targeting pattern spanning a number of countries, including the Philippines, India, Saudi Arabia, Italy, Germany, Sweden, and Finland.

That said, the company noted it was "unable to determine the success, or lack thereof" of the Ducktail campaign, adding it couldn't determine how many users have potentially been affected.

Facebook Business administrators are advised to review their access permissions and remove any unknown users to secure the accounts.

The findings are yet another indicator of how bad actors are increasingly banking on legitimate messaging apps like Discord and Telegram, abusing their automation features to propagate malware or meet their operational goals.

"Primarily used in conjunction with information stealers, cybercriminals have found ways to use these platforms to host, distribute, and execute various functions that ultimately allow them to steal credentials or other information from unsuspecting users," Intel 471 said Tuesday.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

New Ducktail Infostealer Malware Targeting Facebook Business and Ad Accounts

It's been seven years since the online cheating site AshleyMadison.com was hacked and highly sensitive data about its users posted online. The leak led to the public shaming and extortion of many AshleyMadison users, and to at least two suicides. To date, little is publicly known about the perpetrators or the true motivation for the attack. But a recent review of AshleyMadison mentions across Russian cybercrime forums and far-right underground websites in the months leading up to the hack revealed some previously unreported details that may deserve further scrutiny.

It’s been seven years since the online cheating site **AshleyMadison.com** was hacked and highly sensitive data about its users posted online. The leak led to the public shaming and extortion of many Ashley Madison users, and to at least two suicides. To date, little is publicly known about the perpetrators or the true motivation for the attack. But a recent review of Ashley Madison mentions across Russian cybercrime forums and far-right websites in the months leading up to the hack revealed some previously unreported details that may deserve further scrutiny.

As first reported by KrebsOnSecurity on July 19, 2015, a group calling itself the “**Impact Team**” released data sampled from millions of users, as well as maps of internal company servers, employee network account information, company bank details and salary information.

The Impact Team said it decided to publish the information because ALM “profits on the pain of others,” and in response to alleged lies that Ashley Madison parent firm **Avid Life Media** allegedly told its customers about a service that allows members to completely erase their profile information for a $19 fee.

According to the hackers, although the “full delete” feature that Ashley Madison advertises promised “removal of site usage history and personally identifiable information from the site,” users’ purchase details — including real name and address — aren’t actually scrubbed.

“Full Delete netted ALM $1.7mm in revenue in 2014. It’s also a complete lie,” the hacking group wrote. “Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.”

A snippet of the message left behind by the Impact Team.

The Impact Team said ALM had one month to take Ashley Madison offline, along with a sister property called Established Men. The hackers promised that if a month passed and the company did not capitulate, it would release “all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails.”

Exactly 30 days later, on Aug. 18, 2015, the Impact Team posted a “Time’s up!” message online, along with links to 60 gigabytes of Ashley Madison user data.

**AN URGE TO DESTROY ALM**

One aspect of the Ashley Madison breach that’s always bothered me is how the perpetrators largely cast themselves as fighting a crooked company that broke their privacy promises, and how this narrative was sustained at least until the Impact Team decided to leak all of the stolen user account data in August 2015.

Granted, ALM had a lot to answer for. For starters, after the breach it became clear that a great many of the female Ashley Madison profiles were either bots or created once and never used again. Experts combing through the leaked user data determined that fewer than one percent of the female profiles on Ashley Madison had been used on a regular basis, and the rest were used just once — on the day they were created. On top of that, researchers found 84 percent of the profiles were male.

But the Impact Team had to know that ALM would never comply with their demands to dismantle Ashley Madison and Established Men. In 2014, ALM reported revenues of $115 million. There was little chance the company was going to shut down some of its biggest money machines.

Hence, it appears the Impact Team’s goal all along was to create prodigious amounts of drama and tension by announcing the hack of a major cheating website, and then letting that drama play out over the next few months as millions of exposed Ashley Madison users freaked out and became the targets of extortion attacks and public shaming.

**Robert Graham**, CEO of Errata Security, penned a blog post in 2015 concluding that the moral outrage professed by the Impact Team was pure posturing.

“They appear to be motivated by the immorality of adultery, but in all probability, their motivation is that #1 it’s fun and #2 because they can,” Graham wrote.

**Per Thorsheim**, a security researcher in Norway, told _Wired_ at the time that he believed the Impact Team was motivated by an urge to destroy ALM with as much aggression as they could muster.

“It’s not just for the fun and ‘because we can,’ nor is it just what I would call ‘moralistic fundamentalism,'” Thorsheim told Wired. “Given that the company had been moving toward an IPO right before the hack went public, the timing of the data leaks was likely no coincidence.”

**NEO-NAZIS TARGET ASHLEY MADISON CEO**

As the seventh anniversary of the Ashley Madison hack rolled around, KrebsOnSecurity went back and looked for any mentions of Ashley Madison or ALM on cybercrime forums in the months leading up to the Impact Team’s initial announcement of the breach on July 19, 2015. There wasn’t much, except a Russian guy offering to sell payment and contact information on 32 million AshleyMadison users, and a bunch of Nazis upset about a successful Jewish CEO promoting adultery.

Cyber intelligence firm Intel 471 recorded a series of posts by a user with the handle “**Brutium**” on the Russian-language cybercrime forum **Antichat** between 2014 and 2016. Brutium routinely advertised the sale of large, hacked databases, and on Jan. 24, 2015, this user posted a thread offering to sell data on 32 million Ashley Madison users:

“Data from July 2015  
Total ~32 Million contacts:  
full name; email; phone numbers; payment, etc.”

It’s unclear whether the postdated “July 2015” statement was a typo, or if Brutium updated that sales thread at some point. There is also no indication whether anyone purchased the information. Brutium’s profile has since been removed from the Antichat forum.

Flashpoint is a threat intelligence company in New York City that keeps tabs on hundreds of cybercrime forums, as well as extremist and hate websites. A search in Flashpoint for mentions of Ashley Madison or ALM prior to July 19, 2015 shows that in the six months leading up to the hack, Ashley Madison and its then-CEO **Noel Biderman** became a frequent subject of derision across multiple neo-Nazi websites.

On Jan. 14, 2015, a member of the neo-Nazi forum Stormfront posted a lively thread about Ashley Madison in the general discussion area titled, “Jewish owned dating website promoting adultery.”

On July 3, 2015, Andrew Anglin, the editor of the alt-right publication Daily Stormer, posted excerpts about Biderman from a story titled, “Jewish Hyper-Sexualization of Western Culture,” which referred to Biderman as the “Jewish King of Infidelity.”

On July 10, a mocking montage of Biderman photos with racist captions was posted to the extremist website Vanguard News Network, as part of a thread called “Jews normalize sexual perversion.”

“Biderman himself says he’s a happily married father of two and does not cheat,” reads the story posted by Anglin on the Daily Stormer. “In an interview with the ‘Current Affair’ program in Australia, he admitted that if he found out his own wife was accessing his cheater’s site, ‘I would be devastated.'”

The leaked AshleyMadison data included more than three years’ worth of emails stolen from Biderman. The hackers told _Motherboard_ in 2015 they had 300 GB worth of employee emails, but that they saw no need to dump the inboxes of other company employees.

Several media outlets pounced on salacious exchanges in Biderman’s emails as proof he had carried on multiple affairs. Biderman resigned as CEO on Aug. 28, 2015. The last message in the archive of Biderman’s stolen emails was dated July 7, 2015 — almost two weeks before the Impact Team would announce their hack.

Biderman told KrebsOnSecurity on July 19, 2015 that the company believed the hacker was some type of insider.

“We’re on the doorstep of \[confirming\] who we believe is the culprit, and unfortunately that may have triggered this mass publication,” Biderman said. “I’ve got their profile right in front of me, all their work credentials. It was definitely a person here that was not an employee but certainly had touched our technical services.”

Certain language in the Impact Team’s manifesto seemed to support this theory, such as the line: “For a company whose main promise is secrecy, it’s like you didn’t even try, like you thought you had never pissed anyone off.”

But despite ALM offering a belated $500,000 reward for information leading to the arrest and conviction of those responsible, to this day no one has been charged in connection with the hack.

A Retrospective on the 2015 Ashley Madison Breach

Just ahead of its headline-grabbing attack on the Italian tax agency, the infamous ransomware group debuted an improved version of the malware featuring parts from Egregor and BlackMatter.

Reverse-engineering the latest ransomware executables from the group behind LockBit shows that the developers have added capabilities from other popular attack tools and are actively working to improve LockBit's anti-analysis capabilities, according to researchers.

This significant evolution, seen in the recently debuted LockBit 3.0 (aka LockBit Black), is likely meant to offset better defenses, a greater scrutiny by researchers and investigators, and competition from other gangs, according to analyses by multiple researchers.

"There is no question that, whether it is law enforcement pressure or the defenders getting better, that we are seeing that these groups are forced to evolve — they have to get better at what they are doing," says Jon Clay, vice president of threat intelligence for Trend Micro.

They also have to keep up with the Dark-Web Joneses. To that end, the latest version now requires a key to obfuscate its main routines and hinders reverse engineering and analysis, for example — a technique used by other ransomware families, such as Egregor, cybersecurity firm Trend Micro stated in an advisory published on Tuesday. The new version of the ransomware program also enumerates available application programming interfaces (APIs), a feature identical to the BlackMatter ransomware program, the company stated.

**Ransomware Attack on Italy's Tax Agency**

Earlier this month, the Italian Revenue Agency became the latest purported victim of LockBit, with the group boasting that it encrypted and exfiltrated 78 gigabytes of files from the tax agency. If true, the organization will have to find a way to recover, but the attack also threatens Italian citizens, Gil Dabah, co-founder and CEO of data-protection firm Piiano, said via email.

"The second type of victim is the individual whose data was compromised," he said. "In this case, there is a high chance that the data of an individual taxpayer was compromised."

Following Russia's invasion of Ukraine, these ransomware groups have committed to supporting Russia and are increasingly facing requests to conduct operations against nation-state targets, says Paul Martini, CEO of iBoss, a provider of cloud-security solutions.

"The shadow cyber-war between nations that has been carried out through espionage, disinformation campaigns, and strategic attacks on critical targets is just starting to come out of the shadows," he said. "We can expect this to boil over and the West is going to need stronger defenses in place to protect government and civilian targets."

The group behind LockBit has had a good run so far in 2022. Despite an 18% drop in overall attacks, likely due to the disruption of the infrastructure behind the Conti cybercrime group or possibly fallout from Russia's invasion of Ukraine, LockBit has become the most commonly encountered ransomware family, accounting for 40% of all attacks detected by security firm NCC Group in May.

But evolution is necessary to stay on top.

**Major Improvements for LockBit 3.0**

The changes to the latest version of the LockBit ransomware includes functions that collect system APIs as a way to use legitimate functions as part of its attack and extensive — albeit fairly simple — encryption of configuration data and code, according to Trend Micro's advisory.

Perhaps most notably, a major addition to LockBit 3.0 is a set of features to slow down or prevent reverse engineering. The program includes, for example, a password required to decrypt the main body of executable code and a feature that attempts to crash debuggers.

"They pride themselves on their ability to regularly update their ransomware and ransomware-as-a-service offerings," says Trend Micro's Clay. "There are a lot more obfuscation capabilities in 3.0, and they put in a lot of features that try to minimize how much analysts and researchers can discover about their code."

Meanwhile, the adoption of BlackMatter tactics is unsurprising, given that both LockBit and BlackMatter are Russia-linked groups and cybercriminals are increasingly moving between groups.

**The Basics of Ransomware Defense Still Work**

For the most part, the new features found in LockBit 3.0 do not undermine current defenses, says Trend Micro's Clay. Multi-factor authentication can block the most common approach to gaining access — through stolen credentials — while modern endpoint detection and response (EDR) can detect and stop and attack before attackers start encrypting data. Finally, having a good backup process for critical data will make recovery easier.

"They \[ransomware groups\] claim that backups will not help, but if you have a proper procedure then you can recover your data," he says. "The good news is that the defenders have implemented a lot of these best practices, and they seem to be working."

LockBit 3.0: Significantly Improved Ransomware Helps the Gang Stay on Top

Insiders could become more vulnerable to cybercrime recruitment efforts, new report says.

Declining economic conditions could make insiders more susceptible to recruitment offers from threat actors looking for allies to assist them in carrying out various attacks.

Enterprise security teams need to be aware of the heightened risk and strengthen measures for protecting against, detecting, and responding to insider threats, researchers from Palo Alto Network's Unit 42 threat intelligence team recommended in a report this week.

The security vendor's report highlighted several other important takeaways for security operations teams, including the fact that ransomware and business email compromise attacks continue to dominate incident response cases and vulnerability exploits — accounting for nearly one-third of all breaches.

**Vulnerable Insiders**

Unit 42 researchers analyzed data from a sampling of over 600 incident response engagements between April 2021 and May 2022 and determined that difficult economic times could lure more actors to cybercrime. This could include both people with technical skills looking to make a fast buck, as well as financially stressed insiders with legitimate access to valuable enterprise data and IT assets. The prevalence of remote and hybrid work models has created an environment where it's easier for workers to steal intellectual property or carry out other malicious activity, the researchers found.

Palo Alto Networks' report points to how some threat actors — such as the highly destructive LAPSUS$ group — have attempted to recruit insiders by offering money for access credentials or for helping them carry out their attack in other ways. "When some people are struggling to make ends meet, \[such\] offers could be more tempting to some," the report said.

This trend has been flagged before: A report from Flashpoint in May noted the growing popularity of insider recruitment efforts among threat actors. Flashpoint counted as many as 3,988 unique insider-related chat discussions — primarily on Telegram — between Jan. 1 and Nov. 30, 2021, with a particularly sharp spike happening after August. Many of those attempting to recruit were ransomware operators or other extortion groups. Commonly employed tactics included using a known insider or running public recruitment advertisements and direct solicitation.

Another survey that Pulse and Hitachi ID conducted of 100 IT and security professionals showed 65% saying that threat actors had approached them or their employees for assistance with a ransomware attack over the past year.

**Phishing, Software Vulns Remain Major Initial Access Vectors**

Unit 42's research also confirmed what security teams fighting on the front lines to keep their organizations safe already know: Ransomware and BEC attacks continue to dominate the need for incident response. A startling 70% of intrusions were tied to one of these two causes. In BEC attacks, the data showed that threat actors typically spent between 7 and 48 days in the breached environment before the victim contained the threat, with a median dwell time of 38 days. The median dwell time for ransomware attacks was slightly lower, at 28 days, likely because of how noisy these attacks are.

Phishing continues to be the top vector for initial access so far in 2022, and was the suspected cause in 37% of the incident response cases that Unit 42 completed between April 2021 and May 2022.

"Unfortunately, most organizations learn about one of these attacks the hard way — upon receiving an extortion demand or after wire fraud is committed," says Dan O’Day, consulting director, Unit 42 at Palo Alto Networks. "Increasingly, threat actors quickly gain access, identify and exfiltrate sensitive data, and deploy extortion tactics — sometimes in a matter of hours or in just a few days."

Notably, 31% — or nearly one-in-three intrusions — resulted from attackers gaining an initial foothold via a software vulnerability. Some 87% of the vulnerabilities that Unit 42 researchers were able to positively identity fell into one of six categories: ProxyLogon and ProxyShell flaws in Exchange Server; the Apache Log4j flaw; and vulnerabilities in technologies from Zoho, SonicWall and Fortinet. In 55% of incidents where Unit 42 was able to positively identify the vulnerability that an attacker used to gain initial access, the vulnerability was ProxyShell, and in 14% of the cases it was Log4j.

"Because one-third of attacks target software vulnerabilities, security teams should continue to patch vulnerabilities early and often," says O'Day. While some threat actors continue to rely on older, unpatched vulnerabilities, others are looking to exploit new vulnerabilities increasingly quickly. "In fact, it can practically coincide with the reveal if the vulnerabilities themselves and the access that can be achieved by exploiting them are significant enough," he says.

As one example, he points to a threat prevention signature that Palo Alto Networks released for an authentication bypass vulnerability in F5 Big IP technology (CVE-2022-1388). "Within just 10 hours, the signature triggered 2,552 times due to vulnerability scanning and active exploitation attempts," he says. "More and more, we're seeing attackers scanning as soon as details of a critical vulnerability are published."

Poor patch management practices exacerbated the issue for many organizations — it contributed to 28% of the breaches that Unit 42 responded to. One example of poor patch management is simply waiting too long to implement a patch for a known vulnerability, O'Day notes. "Further, around 30% of organizations were running end-of-life software versions that were affected by CVEs that had known active exploits in the wild and were featured in cybersecurity advisories from the US government."

Economic Downturn Raises Risk of Insiders Going Rogue

Artificial intelligence tools can help companies strike the right balance between preventing financial crime and maintaining customer service and satisfaction.

We've entered a perfect storm for financial crime where fraud is flourishing. This maelstrom has been created by the combined effects of geopolitical events and the ongoing global pandemic, which has led to the digitalization of society ramping up, by necessity, even faster than it was before.

While all sectors are suffering, financial technology (fintech) has been hit particularly hard, which makes striking the right balance between preventing financial crime and maintaining high levels of customer service and satisfaction all the more difficult — and business-critical. As the situation continues to evolve and worsen, it has become a high priority for fintechs to learn how to effectively fight and defeat fraudsters, while continuing to grow their top lines.

As companies address this challenge, they must consider:

*   What key areas should fintechs focus on? Where is fraud rife?
*   How can fintech minimize the negative impact of fraud on operations and finances?
*   Can technology defend against the fraudsters?

**'Fraud-as-a-Service' Takes Center Stage**

It sounds like just a clever play on words based on the software-as-a-service (SaaS) model, but fraud-as-a-service (FaaS) is a real phenomenon. Mirroring the cloud model through which fintechs deploy many of their capabilities via services, bad actors with worse intentions are leveraging similar technology to commit service-based crime on an unprecedented scale. FaaS occurs when an individual or group of fraudsters facilitate fraudulent online activity by providing tools and services to others.

This devious method enables fraudsters to purchase and exploit data and tools leveraging stolen or synthetic identities, which they then use for fraudulent purposes. FaaS also enables scaled attacks on fintechs in which fraudsters overwhelm financial systems with bad traffic and complete illegal transactions at a high volume. Using this approach, fraudsters are mimicking the fintechs' use of quick, easy, and cost-effective online processes, as well as the best analytics and data, only to defraud instead of enrich. The result: Software fights software at an unmanageable scale.

**Trouble Spots**

One area where fraud is particularly pernicious in the industry is onboarding, where it's vital for fintechs to balance keeping crime at bay while still ensuring a high level of customer service. Identity fraud and fraudulent documentation issues often arise during the onboarding of new customers, which can hurt a company's growth objectives and hinder its customer service goals.

Identity theft and document fraud are on the rise and already cost the global economy billions of dollars a year, with no end in sight. Beyond onboarding, institutions are asking for more documents to verify customer identities, requiring proof of residence and age and evidence of income, in addition to standard IDs. Whether it's the alteration of bank or government documents or the creation of false ones, the fact is that it just takes one valid forgery for a bad actor to wreak havoc.

If that same fraudster has access to multiple stolen identities, then the fintech is going to face scaled attacks via serial fraud attempts. Often a case of successful fraud is the precursor to other crimes, such as money laundering, human trafficking, and even terrorism.

**Using AI to Scrutinize Identity**

It can feel hopeless when learning of scaled-up attacks executed at high speed, but resisting and rooting out fraud is possible with artificial intelligence (AI). Typically, new fraud patterns are hard to detect until they have been observed for a period of time, at which point fintechs can react and deploy defenses against the attack. Usually, the time lag is too great and the damage has been done. But AI can subject every customer interaction, from documentation to behaviors, to a level of forensic analysis that would be impossible for humans to achieve at the same speed. The technique can filter out everything from fake documents and stolen data to bot-executed serial fraud efforts.

Incorporating AI ensures that fintechs will allow fewer high-risk identities and document transactions in their processes, helping them outsmart the fraudsters and beat them at their own game.

However, it's not enough to simply invest in AI technologies; human capabilities are just as important to achieve financial crime prevention at scale within an AI-centric model. Fintechs should not only understand the data they're working with and have AI expertise at the ready, but they should also ensure alignment with business objectives and establish an appropriate operational workflow. By blending these critical elements, fintechs _can_ successfully fight financial crime.

AI Can Help Fintechs Fight Fraud-as-a-Service

Attackers are easily turning popular messaging apps and their associated services — like bots, cloud infrastructure, and CDNs — against users, researchers warn.

Threat actors have figured out how to use the existing functionality and infrastructure of popular messaging apps such as Telegram and Discord to host, launch, and execute a variety of malware, as shown by ongoing, dangerous campaigns. 

From bots that enable games and content sharing, to robust content delivery networks (CDNs) ideal for hosting malicious files, these platforms are helping fuel a surge of new attacks, according to the security research team at Intel 471. 

Most often, the malware is used along with easily acquired infostealers to prey on unsuspecting users and steal their credentials, auto-filled data, payment card information, and more.   

"Using messaging platforms, such as Telegram and Discord, allows threat actors to hide in plain view," John Bambenek, principal threat hunter at Netenrich, explains to Dark Reading. "Many people already use these applications so you can't just block them (though you may be able to block API access to those services in an enterprise environment). And there is no a large team administering those platforms so they are not staffed to monitor channels and servers for criminal misuse." 

**CDNs Abused to Host Malware **

Some attackers have found success using CDNs like Discord's to host their malware, which the analysts point out has no restrictions for file hosting. 

"The links are open to any users without authentication, giving threat actors a highly reputable web domain to host malicious payloads," according to the report on messaging app threats. PrivateLoader, Discoloader, Agent Tesla stealer, and Smokeloader are just a few of the malware families the researchers found lurking in Discord's CDN.  

**Telegram Bots Swipe OTP Tokens **

Although the tactic isn't new, 471 analysts point out an emerging threat group, Astro OTP. It's actively using Telegram bots to steal one-time-password (OTP) tokens and SMS message verification codes used for two-factor authentication.  

"The operator allegedly could control the bot directly through the Telegram interface by executing simple commands," the report explains. "Access to the bot is extremely cheap, a one-day subscription can be bought for $25, with a lifetime subscription available for $300."

The threat from this tactic lasts far beyond the initial compromise The Intel 471 team warn that gathering compromised credentials and other information can be a critical precursor to a devastating enterprise attack. 

It's up to users to be aware of the security of messaging platforms they use, the 471 researchers say, adding that enterprise security teams should take the time to protect against these types of messaging application man-in-the-middle attacks.   

"Whether these actors are stealing credentials for further sales or bypassing verification codes to gain unauthorized access into a victim's bank account, the ease by which threat actors can obtain this information should serve as a warning," Michael DeBolt, chief intelligence officer at Intel 471, tells Dark Reading about his research team's findings. "Security teams should institute token-based multi-factor authentication wherever possible, and educate their user base on what possible scams stemming from these automated schemes can look like."

Tag

#intel