A China-linked government-sponsored threat actor has been observed targeting Russian speakers with an updated version of a remote access trojan called PlugX.
Secureworks attributed the attempted intrusions to a threat actor it tracks as Bronze President, and by the wider cybersecurity community under the monikers Mustang Panda, TA416, HoneyMyte, RedDelta, and PKPLUG.
"The war in Ukraine has

![PlugX Malware](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEj5xuLJaTB-qBvEp10kBoQBs184MuorHdkHDoJK2GNomCTwuAZTUlvNPt23zXOEMyNE0npV6NPejnz2nh4-Q1qMqlHh45vlNet1SwMt4uucTmdBX_fGmYICIdgwpC8qILbPYGPa0fWJ7rmDb5OpNFMyV6yR4UITUXBDc6QJVoL1SNElO54eTYL2Bbv6/s728-e1000/china-russia.gif "PlugX Malware")

A China-linked government-sponsored threat actor has been observed targeting Russian speakers with an updated version of a remote access trojan called PlugX.

Secureworks attributed the attempted intrusions to a threat actor it tracks as Bronze President, and by the wider cybersecurity community under the monikers Mustang Panda, TA416, HoneyMyte, RedDelta, and PKPLUG.

"The war in Ukraine has prompted many countries to deploy their cyber capabilities to gain insight about global events, political machinations, and motivations," the cybersecurity firm said in a report shared with The Hacker News. "This desire for situational awareness often extends to collecting intelligence from allies and 'friends.'"

Bronze President, active since at least July 2018, has a history of conducting espionage operations by leveraging custom and publicly available tools to compromise, maintain long-term access, and collect data from targets of interest.

![CyberSecurity](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAASwAAAD6AQMAAAAho+iwAAAAA1BMVEXm5+i1+56pAAAAH0lEQVQYGe3AAQ0AAADCIPuntscHAwAAAAAAAAAAIOQmFgAB/YLDRAAAAABJRU5ErkJggg==)

Chief among its tools is PlugX, a Windows backdoor that enables threat actors to execute a variety of commands on infected systems and which has been employed by several Chinese state-sponsored actors over the years.

The latest findings from Secureworks suggest an expansion of the same campaign previously detailed by Proofpoint and ESET last month, which has involved the use of a new variant of PlugX codenamed Hodur, so labeled owing to its overlaps with another version called THOR that emerged on the scene in July 2021.

![PlugX Malware](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjPISpeAfa4WL5oqadRdNrgThQ-LU9yqEyGnwIy1EzaerbYW5zrl1tGgazr6QIT40wbxIKSUn7F5z7HcJbqZcj2XCvV181YArCCbgL8TxDKH4lNqC00Cv_fJSN6p4AekErsps_3ZPT5ovcC2YBf5bngyyrpHiTsPtK2_uzORzluzuZiTHubtNFST2zR/s728-e1000/data.jpg "PlugX Malware")

The attack chain commences with a malicious executable named "Blagoveshchensk - Blagoveshchensk Border Detachment.exe" that masquerades as a seemingly legitimate document with a PDF icon, which, when opened, leads to the deployment of an encrypted PlugX payload from a remote server.

"Blagoveshchensk is a Russian city close to the China border and is home to the 56th Blagoveshchenskiy Red Banner Border Guard Detachment," the researchers said. "This connection suggests that the filename was chosen to target officials or military personnel familiar with the region."

The fact that Russian officials may have been the target of the March 2022 campaign indicates that the threat actor is evolving its tactics in response to the political situation in Europe and the war in Ukraine.

![CyberSecurity](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEj6zHdXd3qpCksF0nkMkrjsOzaw-cxZGPHWoTEp9y7VPIeyPBFGsmIyIX8NTkqI1IDqnIXYnsZuIh4rc9f8TNUn7ndAZqtXc-t58X2oueTaL4Ijb4hgH-b183QvQ0ienXIipuOsqeLP5b8I2prKmp0RWvdZQgnKehVRKbqRQpin1JgfwlZeE_IB4EmesQ/s1600/crowdsec-728.jpg)

"Targeting Russian-speaking users and European entities suggests that the threat actors have received updated tasking that reflects the changing intelligence collection requirements of the \[People's Republic of China\]," the researchers said.

The findings come weeks after another China-based nation-state group known as Nomad Panda (aka RedFoxtrot) was linked with medium confidence to attacks against defense and telecom sectors in South Asia by leveraging yet another version of PlugX dubbed Talisman.

"PlugX has been associated with various Chinese actors in recent years," Trellix noted last month. "This fact raises the question if the malware's code base is shared among different Chinese state-backed groups."

"On the other hand, the alleged leak of the PlugX v1 builder, as reported by Airbus in 2015, indicates that not all occurrences of PlugX are necessarily tied to Chinese actors," the cybersecurity company added.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Chinese Hackers Targeting Russian Military Personnel with Updated PlugX Malware 

From “IT Army” DDoS attacks to custom malware, the country has become a target like never before.

The orders are issued like clockwork. Every day, often at around 5 am local time, the Telegram channel housing Ukraine’s unprecedented “IT Army” of hackers buzzes with a new list of targets. The volunteer group has been knocking Russian websites offline using wave after wave of distributed denial-of-service (DDoS) attacks, which flood websites with traffic requests and make them inaccessible, since the war started.

Russian online payment services, government departments, aviation companies, and food delivery firms have all been targeted by the IT Army as it aims to disrupt everyday life in Russia. “Russians have noticed regular hitches in the work of TV streaming services today,” the government-backed operators of the Telegram channel posted following one claimed operation in mid-April.

The IT Army’s actions were just the start. Since Russia invaded Ukraine at the end of February, the country has faced an unprecedented barrage of hacking activity. Hacktivists, Ukrainian forces, and outsiders from all around the world who are taking part in the IT Army have targeted Russia and its business. DDoS attacks make up the bulk of the action, but researchers have spotted ransomware that’s designed to target Russia and have been hunting for bugs in Russian systems, which could lead to more sophisticated attacks.

The attacks against Russia stand in sharp contrast to recent history. Many cybercriminals and ransomware groups have links to Russia and don’t target the nation. Now, it’s being opened up. “Russia is typically considered one of those countries where cyberattacks come from and not go to,” says Stefano De Blasi, a cyber-threat intelligence analyst at security firm Digital Shadows.

At the start of the war, DDoS was unrelenting. Record levels of DDoS attacks were recorded during the first three months of 2022, according to analysis from Russian cybersecurity company Kaspersky. Both Russia and Ukraine used DDoS to try to disrupt each other, but the efforts against Russia have been more innovative and prolonged.

Ukrainian tech companies transformed the puzzle game _2048_ into a simple way to launch DDoS attacks and have developed tools to allow anyone to join the action, irrespective of their technical knowledge. “The more we use attack automation tools, the stronger our attacks,” reads a message sent to the IT Army Telegram channel on March 24. The channel's operators urge people to use VPNs to disguise their location and help avoid their targets’ DDoS protections. Toward the end of April, the IT Army launched its own website that lists whether its targets are online or have been taken down and includes technical guides. (The IT Army did not respond to a request for comment.)

“We have made good strong hits, and a lot of websites don't work,” says Dmytro Budorin, the CEO of Ukrainian cybersecurity startup Hacken. When the war started, Budorin and colleagues altered one of the firm’s anti-DDoS tools, called disBalancer, so it could be used to launch DDoS attacks.

While Kaspersky’s analysis says the number of DDoS around the world has returned to normal levels as the war has progressed, the attacks are lasting for longer—hours rather than minutes. The longest lasted for more than 177 hours, over a week, its researchers found. “Attacks continue regardless of their effectiveness,” Kaspersky’s analysis says. (On March 25, the US government added Kaspersky to its list of national security threats; the company said it was “disappointed” with the decision. Germany’s cybersecurity agency also warned against using Kaspersky’s software on March 15, although it didn't go as far as banning it. The company said it believed the decision was not made on a technical basis.)

Budorin says DDoS has been useful for helping Ukrainians contribute to the war effort in other ways than fighting and says that both sides have improved their attacks and defense. He admits DDoS may not have a huge impact on the war, though. “It doesn't have a lot of effects with respect to the end goal, and the end goal is to stop the war,” Budorin says.

Since Russia began its full-scale invasion, the country’s hackers have been caught trying to disrupt power systems in Ukraine, deploying wiper malware, and launching predictable disruption attacks against the Ukrainian government. However, Ukrainian officials now say they have seen a drop in activity. “The quality decreased recently as the enemy cannot prepare as much as they were able to prepare,” Yurii Shchyhol, the head of Ukraine’s cybersecurity agency, the State Service for Special Communication and Information Protection, said in a statement on April 20. “The enemy now mostly spends time on protecting themselves, because it turns out their systems are also vulnerable,” Shchyhol said.

Russia Is Being Hacked at an Unprecedented Scale

Emotet is back with a new spam campaign. And it's now spreading itself as a shortcut link file pretending to be Word document.
The post Emotet fixes bug in code, resumes spam campaign appeared first on Malwarebytes Labs.

![Emotet fixes bug in code, resumes spam campaign](https://blog.malwarebytes.com/wp-content/uploads/2022/04/GettyImages-1277291140-900x506.jpg)

Posted: April 27, 2022 by

Emotet threat actors resumed their email spam campaign on Monday after stopping it late last week to fix a bug.

The bug—a flaw in how Emotet is installed onto a system after a victim opens a malicious email attachment—forced the actors to prematurely halt their campaign.

![](https://blog.malwarebytes.com/wp-content/uploads/2022/04/FQ-puUmWUAERnF2-600x392.jpeg)

_Sample email of an Emotet spam containing a defective attachment.  
(Source: @malware\_traffic)_

Emotet is spammed around in emails claiming to contain invoices, forms, or payment details. The attachment is a password-protected ZIP file with a shortcut link file (has the .LNK extension) inside pretending to be a Word document file.

Normally, once users double-click the file, Emotet is loaded into memory, steals email addresses to use in future campaigns, and drops a payload, usually another malware like ransomware or Cobalt Strike. However, the bug happened immediately after the attachment was clicked.

You see, double-clicking the file sets off a chain. A command looks for a string hidden in the .LNK file containing code written in Visual Basic. This code is then appended to a new VBS file before executing that file. But, the shortcut file a command statically calls to does not match the actual name of the attached shortcut file. For example, the command code calls for “Password2.doc.lnk”, but the attached file itself is named “INVOICE 2022-04-22\_1033, USA.doc”. This error breaks the infection chain.

Cryptolaemus (@Cryptolaemus1) has provided a more technical explanation in this Twitter thread:

> #emotet Update – As of the last few hours Ivan is running some tests on E4 to try to bypass detection by appending a VBS at the end of an LNK file in a zip. The LNK when launched will find a string in itself and then copy the remainder from that string after to a VBS file. 1/x https://t.co/pEcOWdbfOa
> 
> — Cryptolaemus (@Cryptolaemus1) April 22, 2022

Emotet’s current use of .LNK files as attachments is a tried-and-tested tactic that can bypass antivirus detection and Mark-of-the-Web (MOTW) “marking.” Mark of the Web is a Windows feature that determines the origin of a file downloaded from the Internet.

Our Threat Intelligence Team has seen APT threat actors use .LNK files in their attack campaigns (the Higaisa APT comes to mind). It’s no surprise that other cybercriminal groups have adopted this. Proponents of Emotet and IcedID were just some of them.

Emotet has been revolutionizing its way of reaching victims during its years of activity. Historically, it was spread via malicious Windows App Installer packages and malformed Word documents. Emotet is a sophisticated and versatile Trojan, which has been used by other criminal groups to drop their own malware, causing multiple system infections. Some of the files it drops are QBot, QakBot, TrickBot, and Mimikatz (a legitimate tool used to steal credentials).

BleepingComputer shared a list of attachment names the new Emotet email spam campaign is using, courtesy of Cofense, a security company specializing in email security:

*   ACH form.zip
*   ACH payment info.zip
*   BANK TRANSFER COPY.zip
*   Electronic form.zip
*   form.zip
*   Form.zip
*   Form – Apr 25, 2022.zip
*   Payment Status.zip
*   PO 04252022.zip
*   Transaction.zip

If you have received any emails bearing attachments with the above names, it would be wise to delete them immediately to prevent the risk of accidentally opening the attachment.

Stay safe out there!

**RELATED ARTICLES**

Emotet fixes bug in code, resumes spam campaign

The U.S. government on Tuesday announced up to $10 million in rewards for information on six hackers associated with the Russian military intelligence service.
"These individuals participated in malicious cyber activities on behalf of the Russian government against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act," the State Department's Rewards for Justice Program

![Russian Military Hackers](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjcRGGpPVaSDP71Dqct6SGyWKwT1f5xd_i_T8j1cghxa5v7NLZnn4E8A6uL7dqwiyK8K2r0O8n9u48uPJNi7-2EIgm2VMth6ufE_i7U9RSUD_kcxSJsyBaPItNzBbsAFYp_VdpevfgJuLoexMH9m2B42teEO9wZf4QSZISaPt-QHNJndbS7_GJLqzsc/s728-e1000/hackers.jpg "Russian Military Hackers")

The U.S. government on Tuesday announced up to $10 million in rewards for information on six hackers associated with the Russian military intelligence service.

"These individuals participated in malicious cyber activities on behalf of the Russian government against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act," the State Department's Rewards for Justice Program said.

All the six Russian officers are members of an advanced persistent threat group called Sandworm (aka Voodoo Bear or Iron Viking), which is known to be operating since at least 2008 with a specific focus on targeting entities in Ukraine with the goal of establishing an illicit, long-term presence in order to mine highly sensitive data.

![CyberSecurity](https://thehackernews.com/images/-SmHk9U6ikBk/YVHUUpxrNfI/AAAAAAAA4ac/xluSCU7878ErhlmIN9mj9pKf9fr3LTBwACLcBGAsYHQ/s300-e100/rewind-3-300.png)

The hacker, who are officers of the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), are as follows -

*   Artem Valeryevich Ochichenko, who has been linked to technical reconnaissance and spear-phishing campaigns to gain unauthorized access to IT networks of critical infrastructure facilities worldwide

*   Petr Nikolayevich Pliskin, Sergey Vladimirovich Detistov, Pavel Valeryevich Frolov, and Yuriy Sergeyevich Andrienko, who are said to have developed components of the NotPetya and Olympic Destroyer malware used by the Russian government on June 27, 2017 to infect computer systems, and

*   Anatoliy Sergeyevich Kovalev, who is accused of developing spear-phishing techniques and messages used by the Russian government to breach computer systems of critical infrastructure facilities

![CyberSecurity](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEj6zHdXd3qpCksF0nkMkrjsOzaw-cxZGPHWoTEp9y7VPIeyPBFGsmIyIX8NTkqI1IDqnIXYnsZuIh4rc9f8TNUn7ndAZqtXc-t58X2oueTaL4Ijb4hgH-b183QvQ0ienXIipuOsqeLP5b8I2prKmp0RWvdZQgnKehVRKbqRQpin1JgfwlZeE_IB4EmesQ/s1600/crowdsec-728.jpg)

On October 15, 2020, the U.S. Justice Department indicted the aforementioned officers for carrying out destructive malware attacks with an aim to disrupt and destabilize other nations and cause monetary losses, charging them with conspiracy to commit wire fraud and aggravated identity theft.

![Russian Military Hackers](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjwJTJ3kg8QUmfZtLWxkNxXZvalCjAEm7T_GZUk5bojaT0q3EO896JySTwXDYsAgG0lRMiuS33bDhE-nqnEdSQPn5MUsW5Ekh5BtwTRfvwP4DOuXyc0vD84IxvI_pPQEk8_CDr_pPYBnL1mm1LOL7ckP9C8FGR3XbRxo_nIzZEyvaVaYWFy-b4VaElN/s728-e1000/million.jpg "Russian Military Hackers")

As part of the initiative, the Rewards of Justice has set up a Tor website at "he5dybnt7sr6cm32xt77pazmtm65flqy6irivtflruqfc5ep7eiodiad\[.\]onion" that can be used to submit tips about these threat actors anonymously, or alternatively share the information via Signal, Telegram, or WhatsApp.

The Sandworm collective was most recently attributed to a now-neutralized sophisticated botnet malware dubbed Cyclops Blink that ensnared internet-connected firewall devices and routers from WatchGuard and ASUS.

Other recent hacking activities associated with the group include the deployment of an upgraded version of the Industroyer malware against high-voltage electrical substations in Ukraine amidst the ongoing invasion.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

U.S. Offers $10 Million Bounty for Information on 6 Russian Military Hackers

Supply chain disruptions, intellectual property theft and the rising cost of data breaches are among the top reasons for a drastic increase in global focus on cybersecurity compliance.

Supply chain disruptions, intellectual property theft and the rising cost of data breaches are among the top reasons for a drastic increase in global focus on cybersecurity compliance. 

Regulated industries face more stringent requirements, and some organizations now require third-party assessments instead of using internal teams to verify compliance with cybersecurity frameworks. Non-regulated industries can also leverage the same standards in order to reduce their security risk. Compliance automation is increasingly important to manage the growing burden that security teams face.

**Why automate compliance in the first place?**

Data breaches are expensive. Various reports indicate average costs for a data breach is in the millions, and security teams are already overwhelmed and understaffed. This is a strong call for using automation to help with compliance initiatives.

Due to understaffing and tight labor markets, the most sensible means to advance your compliance initiatives is through the use of automation. Automating compliance is a key component of managing the work and reducing risk. The open source project Compliance as Code offers tools to help with this. Security automation content is available in SCAP, Bash, Ansible and other formats to help with verifying required system configurations and remediating when necessary.

**About Compliance as Code**

The Compliance as Code organization on GitHub is a Red Hat originated project that spawned from the collaboration of government agencies and commercial vendors to make Security Content Automation Protocol (SCAP) content more accessible to users. Since its inception in 2011, the project has evolved to include commercial security profiles — such as The Payment Card Data Security Standard (PCI-DSS) and Center for Internet Security (CIS), and to accommodate modern automation tooling.

Today, the Compliance as Code project provides general-purpose security content and building tools that commercial vendors can quickly develop and collaborate on. We have used these capabilities to deliver customer value through automated compliance solutions. However, compliance reporting can pose a challenge due to the nature of the reports and process. Ensuring accurate results in a spreadsheet takes time and effort and often duplicates work. Automated report generation can improve the efficiency of this job and get reproducible results into the hands of customers and contributors with less delay.

**New approach to compliance reporting**

Organizations, especially those in regulated industries, must often attain an Authority to Operate (ATO) to install and use software in their environments. Part of this process is to evaluate the software against a Security Requirements Guide (SRG), which is a set of technical controls such as those found in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53.

This evaluation is done to determine whether or not the software meets, does not meet, or can be configured to meet each control, or whether or not the control applies to the particular software. Depending on the determined status, other text-based information may be required. 

The evaluators may need to provide manual instructions or code to explain how to verify status. To configure the software to meet a particular control, they may also need to provide the code necessary to reach that configuration. The product of this exercise is a Security Technical Implementation Guide (STIG): a configuration standard consisting of cybersecurity requirements for a specific product.

The development of STIGs, a laborious process, is made more challenging when spreadsheets are involved. The US Defense Information Systems Agency (DISA) provides organizations with spreadsheets containing the security requirements for particular software and all the fields that may or may not need to be completed based on the status of each control, and there can be 100+ controls. Specific challenges an organization could face while working toward completion of that spreadsheet include:

*   Keeping track of who is doing/has done what
    
*   What fields need to be completed based on the determined status of each control
    
*   Ensuring correct formatting of content
    
*   Quality assurance
    

Red Hat is improving and streamlining Security Requirements Guide (SRG) processing to get Security Technical Implementation Guides (STIGs) to customers faster and more efficiently by automating the STIG generation and verification process. 

The Compliance as Code codebase has been enhanced to produce STIG content based on previously vetted checks. The STIG content delivered now inherits the test process that is already done on Compliance as Code content and reduces any errors with automated comma-separated values (CSV) file generation.

The process has started by streamlining SRG processing, but Red Hat does not intend to stop there. Many of the same problems are faced in different groups. To implement holistic solutions, we intend to incorporate frameworks that apply to customers around the globe and that spread across industries. Compliance as Code is a home for collaboration and iteration upon existing solutions to better serve customers and the community.

**Learn more**

We have introduced you to Compliance as Code and how Red Hat is helping to make automated compliance reporting accessible to everyone. If you would like to learn more, visit the Compliance as Code content repository and learn more about compliance management here.

Compliance as Code: Extending compliance automation for process improvement

With Web application programming interface (API) traffic growing quickly, the average cloud-focused company sees three times more attacks.

Driven by the popularity of agile development, the usage of Web application programming interfaces (APIs) has increased dramatically, leaving software-focused companies with larger, and more vulnerable, attack surfaces that can be exploited by threat actors.

Overall, API usage has soared in the past year, tripling to about 15,600 APIs per company, with traffic quadrupling to 820 million requests per year for the average firm, according to two recent reports. And where the application developers go, attackers follow: Over the past year, malicious API traffic has surged by almost a factor of seven, according to the "State of API Security" report published in March by Salt Security, an API security firm.

Between the changes in development and growing vulnerabilities exposed by third-party software components that could be exploited through APIs, attackers will continue to increasingly target the easy-to-use interfaces, says Elad Koren, chief product officer for Salt Security.

"Attacks are growing, because the attack surface is growing," he says. "But it's not just that. It's also issues like Spring4Shell and Log4j — all those new vulnerabilities are part of this new attack surface — and they \[threat actors\] are targeting all of these vulnerable surfaces."

The trends are the latest challenge for application security. Development teams continue to move quickly, usually not fully documenting the APIs created to link different application components in the cloud or over the network. The result is that companies do not know the extent of the their API inventory and whether those application interfaces are secure, says Sandy Carielli, a principal analyst with Forrester Research.

    

Source: Salt Security

No wonder, then, that API security has become a top-five briefing topic for the business analyst firm, she says.

"The growing \[malicious traffic\] certainly doesn't surprise me," she says. "As more organizations move to using APIs, a higher percentage of application traffic is through APIs, so naturally you are going to see more malicious traffic going through that channel."

**Taming the API Attack Surface  
**Much of the impetus behind growing API inventory and traffic is the shift to cloud-native and agile development methodologies. A typical sprint for application development sprints is two to three weeks, so a development team has dozens of opportunities to introduce API misconfigurations and vulnerabilities into a service or application, says Oz Golan, CEO and co-founder at Noname Security, an API security firm.

"As organizations drive their digital transformation processes faster and harder, more API vulnerabilities will surface and become exploited," he says. "Unless they slow down their business operations and do extensive testing, they are going to release and expose their operations to risks."

The average company has nearly 15,600 APIs and has seen a 41% rate of API security incidents over the past 12 months, according to "The 2022 API Security Trends Report," published by S&P Global Market Intelligence and sponsored by Noname Security. However, those findings are complicated by the different yardsticks that API security vendors use to collect their data, including survey results, which are notoriously malleable. Salt Security, for example, found that the average customer had 135 APIs and a 95% rate of API security incidents, according to its "State of API Security" report, published in March.

While the numbers differ — sometimes significantly — both reported significant growth in relative API usage among their customers and relative growth of malicious API traffic.

**Hacking the API Security Challenge  
**For that reason, companies need to fully account for their own APIs and their employees' API usage, including API source, destination, type, data sensitivity, owner, and whether the API access requires authorization. So far, companies have not done a great job of keeping track of their API inventories, Forrester Research's Carielli says.

"In an ideal world, you would have your development team creating specification files for every API and keeping them up to date," she says. "We don't live in an ideal world. A lot of the discovery tools have to analyze traffic and do pre-release testing on APIs to make sure that you have the right controls and that they are being managed well."

The steps for securing APIs track closely with application security overall. Focusing on secure design and threat modeling means heading off vulnerabilities before they grow into significant — and expensive-to-fix — issues. Testing and monitoring API usage following deployment is just as important to gather data on attackers and to protect against issues not discovered during development, says Salt Security's Koren.

Fixing as many of the security issues as possible by considering API security during the design phase is important, but runtime security is just as necessary, because it gives application owners peace of mind and visibility into attackers' tactics, he says.

"Today, it is very important to have that pipeline security for the left side — the development side — but it is not interchangeable with runtime security," Koren says. "You will never ever, no matter how good your tools are, catch all the issues you have during the development phase. You have to have the runtime, because they are not interchangeable."

API Attacks Soar Amid the Growing Application Surface Area

By Deeba Ahmed
Hackread.com earlier reported a website designed by software engineer Philip Wang that can create realistic faces of people…
This is a post from HackRead.com Read the original post: New Scam Utilizing AI-Generated Images to Represent Fake Law Firm

**Hackread.com earlier reported a website designed by software engineer Philip Wang that can create realistic faces of people who don’t even exist simply by clicking the Refresh button.**

**Non-Existent People Posed as Boston Law Firm**

It may seem like a story straight out of a Hollywood script, but it is indeed true that scammers are using AI-generated images to scam people. According to Ben Dickson of TechTalks, he received an email from a law firm’s attorney, which turned out to be fake, and surprisingly, the sender didn’t even exist.

**Details of the Scam**

In his blog post published in TechTalks, Dickson wrote that on April 13, Nicole Palmer sent an email citing “DMCA Copyright Infringement Notice.” The email introduced Nicole as a Trademark Attorney of Arthur Davidson Legal Services and claimed that the recipient had used an image in TechTalks that belonged to one of her clients.

“Our client is happy for their image to be used and shared across the internet. However, proper image credit is due for past or ongoing usage,” the email supposedly sent by Nicole read.

The email contained references to Section 512(c) of DMCA with a professional signature that made it appear legit. If it wasn’t done, Nicole threatened legal action against Dickson.

![](https://www.hackread.com/wp-content/uploads/2022/04/Nicole-Palmer-fake-email-side-1024x332.jpg)

DMCA Notice (Image: TechTalks)

**How was the Scam Discovered?**

Dickson spent around 7 days adding credit to that image and a homepage to Nicole’s client’s website. But, when he couldn’t be successful, he re-read the email and identified something off. It was a link to an image-sharing website called Imgur. On this site, anyone can upload images without creating a profile.

“So it was perfectly possible that they had downloaded the image from my website, uploaded it on Imgur, and then claimed that their image was there before mine,” Dickson wrote.

Dickson had taken that image from Pexels, a license-free stock photo library. He emailed Nicole with proof that no attribution was needed and waited for a reply. When he didn’t receive a response, he checked out her legal firm Arthur Davidson Legal website, which seemed authentic with profiles of 18 lawyers who graduated from prestigious institutions, 420 cases, and a 90% success rate with 380 wins.

A quick Google search didn’t yield any results of such a well-known law firm either. Red flags were raised when Dickson noted the website domain was set up in February 2022 while the firm was established in 2009.

Later, it turned out that Nicole Palmer didn’t even exist because when Dickson checked her photograph on the website, he learned that a generative adversarial network created the image.

![New Scam Utilizing AI-Generated Images to Represent a Fake Law Firm](https://www.hackread.com/wp-content/uploads/2022/04/fake-nicole-palmer.jpg)

Fake AI-Generated Image of Nicole Palmer (Image: TechTalks)

It is worth noting that in 2019, Hackread.com reported a website (thispersondoesnotexist.com) designed by software engineer Philip Wang that can create realistic faces of people who don’t even exist simply by clicking the Refresh button.

It is quite possible that Palmer’s image was also created using the same website. Nevertheless, watch out for fake emails claiming to represent law firms or threatening people with phony DMCA notices or subpoenas.

1.  AI firm exposes 2.5 million sensitive medical records online
2.  ‘Optical Adversarial Attack’ uses a low-cost projector to trick AI
3.  New Underactor tool reveals pixelated text to expose sensitive data
4.  Ukrainian News Channel Hacked to Run Deepfake video of President Zelensky
5.  These people don’t exist – They were created by tech using Artificial Intelligence

New Scam Utilizing AI-Generated Images to Represent Fake Law Firm

SecurityScorecard's Cyber Risk Quantification portfolio helps customers understand the financial impact of a cyber-attack.

NEW YORK, April 26, 2022 /PRNewswire/ -- SecurityScorecard, the global leader in cybersecurity ratings, today introduced its Cyber Risk Quantification (CRQ) capabilities that will enable customers to understand cyber risk in financial terms, enabling organizations to bring cyber risk into holistic business risk analysis, and assisting organizations in a cost-benefit analysis of cyber investment options. SecurityScorecard's CRQ capabilities help customers understand the financial impact of a cyber-attack, gain insight into the probability of incidents over time and quantify the reduction in expected losses if issues are resolved. The SecurityScorecard CRQ capabilities will be included in the company's risk intelligence platform, the industry's first holistic offering that proactively protects organizations from every angle.

"Executives and boards of directors lack the ability to connect cybersecurity budgets to business outcomes, hindering the CISO's ability to justify their cybersecurity budgets. By grounding risk quantification in SecurityScorecard's expansive data, we are bringing cyber security to the forefront of daily decision making," said Prashant Pai, Senior Vice President and General Manager Strategic Initiatives, SecurityScorecard. "Our goal is to help our customers make informed decisions on how to raise the bar on their cybersecurity defenses with optimized investments, and we will continue to partner with leading CRQ thought leaders to provide the options they are looking for."

To deliver the combined insights of SecurityScorecard's cybersecurity ratings data and leading risk models, SecurityScorecard is partnering with a number of leading CRQ thought leaders and developers including ThreatConnect, and RiskLens, which created Factor Analysis of Information Risk (FAIR™). With multiple views of risk available through the lens of different CRQ frameworks, risk managers can determine which framework is the best fit for their business.

With cyber risks becoming increasingly prevalent, boards of directors and executives need to evaluate those risks and become more involved with cybersecurity. Effectively reporting to the board is a key component of every security leader's job.

According to Gartner® The 2022 Board of Directors Survey, 88% of respondents viewed cybersecurity as a business risk, while 72% stated they are focused on aligning risk, strategy and performance to drive business resilience.1

"The CRQ integration between RiskLens and SecurityScorecard will finally give organizations of all sizes what they need to effectively understand and manage cyber risk: an automated, 'dollars and cents' view of cyber risk," said Nick Sanna, CEO, RiskLens. "Based on the FAIR cyber risk quantification standard, on industry benchmark data and on their SecurityScorecard security rating, organizations can now make risk-informed business decisions."

"ThreatConnect is excited to partner with SecurityScorecard as the combination of their external cybersecurity risk posture and the power of ThreatConnect Risk Quantifier (RQ) connects the outside and inside views for an organization, giving them a 360 degree perspective of the risk to their organizations," said Jerry Caponera, Vice President of Cyber Risk Strategy for ThreatConnect. "Applying ThreatConnect's statistical and machine learning algorithms to the SecurityScorecard data enables customers to easily visualize their risk and, more importantly, prioritize which factors should be improved based on financial risk reductions."

SecurityScorecard's CRQ portfolio enables executives, CISOs and risk managers to obtain a comprehensive view of their cyber risk that enables them to define cyber risk in a universally understood metric and embed those insights into decisions across the organization.

SecurityScorecard's CRQ capabilities also offer:

*   **Scalable risk quantification methodology -** With continuous monitoring of over 12 million companies, SecurityScorecard grounds its analysis in a consistent cybersecurity data-driven approach to deliver a real-time view of risk.
*   **Contextualized view of cyber risk -** SecurityScorecard directly ties financial impact to the security issues that drive losses.
*   **Multiple risk quantification frameworks–** Multiple risk frameworks are integrated into the CRQ capabilities to ease the evaluation and implementation of CRQ.

SecurityScorecard enterprise customers can learn more and gain early access to SecurityScorecard's CRQ capabilities by clicking here.

**About SecurityScorecard  
**Funded by world-class investors including Evolution Equity Partners, Silver Lake Waterman, Sequoia Capital, GV, Riverwood Capital, and others, SecurityScorecard is the global leader in cybersecurity ratings with more than 12 million companies continuously rated. Founded in 2013 by security and risk experts Dr. Aleksandr Yampolskiy and Sam Kassoumeh, SecurityScorecard's patented rating technology is used by over 30,000 organizations for enterprise risk management, third-party risk management, board reporting, due diligence, cyber insurance underwriting, and regulatory oversight. SecurityScorecard is the first cybersecurity ratings company to offer digital forensics and incident response services, providing a 360-degree approach to security prevention and response for its worldwide customer and partner base. SecurityScorecard continues to make the world a safer place by transforming the way companies understand, improve and communicate cybersecurity risk to their boards, employees and vendors. Every organization has the universal right to their trusted and transparent Instant SecurityScorecard rating. For more information, visit securityscorecard.com or connect with us on LinkedIn.

1 _Gartner, "Roadmap to Renewal: The 2022 Board of Directors Survey", Partha Iyengar, published October 28, 2021, ID G00728156._

_GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved._

SOURCE Security Scorecard

SecurityScorecard Launches Cyber Risk Quantification Portfolio

Spear-phishing campaign loaded with new "Goldbackdoor" malware targeted journalists with NK News, analysts found.

New analysis has attributed a spear-phishing campaign targeting journalists covering North Korea to APT37/Ricochet Chollimia, a state-backed group linked to the Democratic People's Republic of Korea (DPRK). Notably, researchers said the group is deploying a novel malware strain called Goldbackdoor, a variation of Bluelight malware previously attributed to APT37.

According to a report from researchers at Stairwell, multiple phishing emails were sent to NK News on Mar. 18 that appeared to be from the personal email address of the previously compromised former head of of the South Korean National Intelligence Service, and contained Goldbackdoor malware. NK News handed over the information to Stairwell for further investigation, the cybersecurity firm said.

"Due to the sensitive nature of journalists' work, they are often targets of surveillance and malware, intent on stealing information, ferreting out sources or even destroying evidence and scaring the reporters into not publishing stories," Erich Kron, security awareness advocate at KnowBe4, said in response to the news. "In regimes like North Korea, where news is tightly controlled by the state, articles or information that paints the leadership or government in a negative light is treated as a serious threat to national security."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

North Korean State Actors Deploying Novel Malware to Spy on Journalists

A researcher reported a Directory Transversal Vulnerability in Serv-U 15.3. This may allow access to files relating to the Serv-U installation and server files. This issue has been resolved in Serv-U 15.3 Hotfix 1.



*   Observability
    *   Explore the Platform
    *   SolarWinds Observability
    *   Hybrid Cloud Observability
    *   or View All Observability Products
*   Network Management
    *   Hybrid Cloud Observability
    *   Network Configuration Manager
    *   Kiwi Syslog Server
    *   Network Performance Monitor
    *   Netflow Traffic Analyzer
    *   Network Topology Manager
    *   or View All Network Management Products
*   Systems Management
    *   Hybrid Cloud Observability
    *   Virtualization Manager
    *   Web Performance Monitor
    *   Server & Application Monitor
    *   Storage Resource Monitor
    *   Server Configuration Monitor
    *   or View All Systems Management Products
*   Database Management
    *   Database Performance Analyzer
    *   SQL Sentry
    *   Database Insights for SQL Server
    *   Database Performance Monitor
    *   Task Factory
    *   or View All Database Management Products
*   IT Service Management
    *   Service Desk
    *   Web Help Desk
    *   Explore Dameware
    *   Dameware Remote Everywhere
    *   Dameware Remote Support
    *   or View All IT Service Management Products
*   Application Management
    *   SolarWinds Observability
    *   AppOptics
    *   Server & Application Monitor
    *   Pingdom
    *   Loggly
    *   Web Performance Monitor
    *   or View All Application Management Products
*   IT Security
    *   Access Rights Manager
    *   Patch Manager
    *   Serv-U Secured FTP
    *   Server Event Manager
    *   Identity Monitor
    *   Serv-U Managed File Transfer
    *   or View All IT Security Products
*   or View All Products & Free Trials

The SolarWinds Platform is the industry’s only unified monitoring, observability, and service management platform. It’s the foundation for a new generation of SolarWinds observability solutions and provides the architecture on how we solve observability challenges for our customers.

Top Products

*   Explore the Platform
*   SolarWinds Observability

*   Hybrid Cloud Observability

View All Observability Products

Network management tools, from configuration and traffic intelligence to performance monitoring and topology mapping, to readily see, understand, and resolve issues. An integrated, multi-vendor approach that’s easy to use, extend, and scale to keep distributed networks optimized.

Top Products

*   Hybrid Cloud Observability
*   Network Configuration Manager
*   Kiwi Syslog Server

*   Network Performance Monitor
*   Netflow Traffic Analyzer
*   Network Topology Manager

View All Network Management Products

Comprehensive server and application management that’s simple, interoperable, and customizable from systems, IPs, and VMs to containers and services. Optimize resource usage and reduce MTTR with powerful monitoring, discovery, dependency mapping, alerting, reporting, and capacity planning.

Top Products

*   Hybrid Cloud Observability
*   Virtualization Manager
*   Web Performance Monitor

*   Server & Application Monitor
*   Storage Resource Monitor
*   Server Configuration Monitor

View All Systems Management Products

Monitor, analyze, diagnose, and optimize database performance and data ops that drive your business-critical applications. Unify on-premises and cloud database visibility, control, and management with streamlined monitoring, mapping, data lineage, data integration, and tuning across multiple vendors.

Top Products

*   Database Performance Analyzer
*   SQL Sentry
*   Database Insights for SQL Server

*   Database Performance Monitor
*   Task Factory

View All Database Management Products

Modernize your service desk with intelligent and automated ticketing, asset, configuration, and service-level agreement (SLA) management; a knowledge base; and a self-service portal with secure remote assistance. SolarWinds offers an easy-to-use IT service management (ITSM) platform designed to meet your service management needs to maximize productivity while adhering to ITIL best practices.

Top Products

*   Service Desk
*   Web Help Desk
*   Explore Dameware

*   Dameware Remote Everywhere
*   Dameware Remote Support

View All IT Service Management Products

Ensure user experience with unified performance monitoring, tracing, and metrics across applications, clouds, and SaaS. Robust solutions offering rich visualization, synthetic and real user monitoring (RUM), and extensive log management, alerting, and analytics to expedite troubleshooting and reporting.

Top Products

*   SolarWinds Observability
*   AppOptics
*   Server & Application Monitor

*   Pingdom
*   Loggly
*   Web Performance Monitor

View All Application Management Products

Reduce attack surface, manage access, and improve compliance with IT security solutions designed for accelerated time-to-value ranging from security event management, access rights management, identity monitoring, server configuration monitoring and patching, and secure gateway and file transfer.

Top Products

*   Access Rights Manager
*   Patch Manager
*   Serv-U Secured FTP

*   Security Event Manager
*   Identity Monitor
*   Serv-U Managed File Transfer

View All IT Security Products

Tag

#intel