John Leyden 09 June 2022 at 15:18 UTC

APTs hammering unpatched vulnerabilities

Chinese state-sponsored attackers are placing a heavy reliance on known but commonly unpatched vulnerabilities to “establish a broad network of compromised infrastructure”, a US federal security agency warns.

While previously unknown (zero-day) vulnerabilities and novel exploits usually grab the most headlines, a joint advisory from the US government’s Cybersecurity and Infrastructure Security Agency (CISA) and the FBI warns that attacking “publicly known” flaws has become a mainstay of Chinese cyber-espionage.

**Hit list**

The advisory offers a list of network device CVEs most frequently exploited by PRC state-sponsored cyber actors since 2020.

Flaws in small business-focused routers, SSL VPNs, and Network Attached Storage (NAS) devices from the likes of Cisco, Fortinet, Netgear and QNAP feature heavily on the list.

Some of the main attacks in play can achieve remote code execution (RCE) against unpatched systems while others achieve their aims by achieving authentication bypass or privilege elevation.

Catch up on the latest cyber-attack news and analysis

Chinese state-backed attackers are using publicly available exploit codes against virtual private network (VPN) services or public facing applications to hack into major telecommunications companies and network service providers, creating a platform for follow-up attacks.

Hacked systems “serve as additional access points to route command and control (C2) traffic and act as midpoints to conduct network intrusions on other entities”, according to the CISA’s advisory, which builds on previous US intel agency reporting.

By building a network of compromised systems that act as a platform for follow-up assaults, Chinese APTs are hiding or obfuscating the source of attacks, making detection and response more challenging.

Industry experts said that CISA’s latest advisory is designed to hammer home the importance of prompt patching.

**Slow patching peril**

Andrew Kahl, CEO of BackBox, commented: “Last month CISA released a joint advisory (PDF) that recommended prioritizing the patching of software containing known vulnerabilities.

“These two advisories within a month of each other indicates threat actors are increasingly targeting known vulnerabilities, because they understand many organizations are slow to implement patches.”

Kahl added: “One of the most common vectors for attackers is through known vulnerabilities that otherwise could have been patched. In fact, 87% of organizations have experienced an attempted exploit of an already-known, existing vulnerability.”

**Hiding in plain sight**

Terry Olaes, director of sales engineering at Skybox, said that CISA’s alert pointed towards a need to adapt enterprise vulnerability remediation strategies to provide better coverage for less severe but actively exploited vulnerabilities.

Prompt triage would help organizations to protect themselves against attacks from a wide range of potential adversaries.

“Cybercriminals are increasingly targeting known vulnerabilities hiding in plain sight and turning them into backdoors to deploy complex attacks that are increasing at record rates,” Olaes said.

“If organizations only rely on conventional approaches to vulnerability management, they may only move to patch the highest severity vulnerabilities first based on the Common Vulnerability Scoring System (CVSS).”

Olaes concluded: “Cybercriminals know this is how many companies handle their cybersecurity, so they’ve learned to take advantage of vulnerabilities seen as less critical to carry out their attacks.”

RELATED Behind the Great Firewall: Chinese cyber-espionage adapts to post-Covid world with stealthier attacks

Chinese cyber threat actors are widely abusing well-known attacks to infiltrate networks, CISA warns

At a 2022 RSA Conference keynote, technologist Bruce Schneier asserted that artificial intelligence agents will start to hack human systems — and what that will mean for us.

RSA CONFERENCE 2022 — "Nice to see you all again," Bruce Schneier told the audience at his keynote for the in-person return of RSA Conference, taking off his trademark cap. "It's kinda neat. Kinda a little scary." 

Schneier is a security technologist, researcher, and lecturer at Harvard Kennedy School. He has a long list of publications, including books from as early as 1993 and as recent as 2019's _We Have Root_, with a new one launching in January 2023. But he's best known for his long-running newsletter Crypto-Gram and blog Schneier on Security. And his upcoming book is about hacking.

To Schneier, hacking does not necessarily mean computer systems. "Think about the tax code," he said. "It's not computer code, but it's code. It's a series of algorithms with inputs and outputs."

Because the tax code is a system, it can be hacked, Schneier said. "The tax code has vulnerabilities. We call them tax loopholes. The tax code has exploits. We call them tax avoidance strategies. And there's an entire industry of black-hat hackers — we call them tax accountants and tax attorneys," he added, to audience laughter.

He defined hacking as "a clever, unintended exploitation of a system, which subverts the rules of the system at the expense of some other part of the system." He noted that any system can be hacked, from the tax code to professional hockey, where a player — it's contested just who — started using a curved stick to improve their ability to lift the puck. That player hacked the hockey system.

"Even the best-thought-out sets of rules will be incomplete or inconsistent," Schneier said. "It'll have ambiguity. It'll have things the designers haven't thought of. And as long as there are people who want to subvert the goals of the system, there will be hacks. 

"What I want to talk about here is what happens when AIs start hacking."

**Rise of the Machines**

When AIs start hacking human systems, Schneier said, the impact will be something completely new. 

"It won't just be a difference in degree but a difference in kind, and it'll culminate in AI systems hacking other AI systems and us humans being collateral damage," he said, then paused. "So that's a bit of hyperbole, probably my back-cover copy, but none of that requires any far-future science- fiction technology. I'm not postulating a singularity. I'm not assuming intelligent androids. I'm actually not even assuming evil intent on the part of anyone.

"The hacks I think about don't even require major breakthroughs in AI. They'll improve as AI gets more sophisticated, but we can see shadows of them in operation today. And the hacking will come naturally as AIs become more advanced in learning, understanding, and problem-solving."

He traced the evolution of AI hackers using examples of competitions. Technically it's the human developers who compete in events like DARPA's 2016 Cyber Grand Challenge or China's Robot Hacking Games, but the AIs operate autonomously once set into motion.

"We know how this goes, right?" he asked. "The AIs will improve in capability every year, and we humans stay about the same, and eventually the AIs surpass the humans."

While he acknowledged that bad actors might set up AI systems to hack financial systems for profit or mayhem, Schneier also posited that an AI might hack human systems independently and without intent. 

"\[That\] is more dangerous because we might never know it happened. And this is because of the explainability problem," he said, "which I will now explain."

**Explaining the Explainability Problem**

Schneier set up the discussion of explainability with a literary reference. In Douglas Adams' _Hitchhiker's Guide to the Galaxy_, a race of superintelligent beings called the Magratheans "build the universe's most powerful computer — Deep Thought — to answer the ultimate question to life, the universe, and everything. And the answer is?" he queried. An audience member obliged by answering "42."

The Magratheans were naturally not happy with this opaque answer, and they asked the computer to explain what it meant. "Deep Thought was unable to explain its answer or even tell you what the question was," Schneier said. "That's the explainability problem."

He added: "Modern AIs are essentially black boxes. Data goes in one end, an answer comes out the other. And it can be impossible to understand how the system reached its conclusion even if you're a programmer and look at the code."  

Schneier then discussed Deep Patient, a medical AI meant to analyze patient data and predict diseases. While the system performed well, he said, it doesn't give the doctors any explanation to help them see why it predicted a disease.

Reward hacking refers to an AI achieving a goal in a way its designer didn't intend. The audience enjoyed Schneier's description of an evolution simulator that "instead of building bigger muscles or longer legs, it actually grew taller so it could fall over a finish line faster than anybody could run."

He also used the examples of King Midas and genies to underscore the human problem of poor specification, where the granting of wishes too literally leads to misery. 

"But here's the thing," he said. "There's no way to outsmart the genie. Whatever you wish for, he will always be able to grant it in a way that you wish he hadn't. The genie will always be able to hack your wish."

And because of how the human mind works, "any goal we specify will necessarily be incomplete," he said. "We can't completely specify goals to an AI, and AIs won't be able to completely understand context."

Schneier then used the 2015 Volkswagen emissions scandal to set up an example of an AI hack that we wouldn't be able to detect because of the explainability problem. He said he imagines having an AI system design engine software to be both efficient and able to pass an emissions test. In such a system, the AI might hit on the same solution the Volkswagen engineers did — that is, fudge the emissions data by turning on emission controls only during testing — while not telling humans how it accomplished its goals. Thus the company might celebrate their great new design without even realizing that it's a hack and a fraud.

He expanded that to the real-world example of recommendation algorithms that push extremist content "because that's what people respond to." And that's an example that has real-world effects, radicalizing vulnerable people and causing them to entrench in false beliefs and sometimes even take drastic actions.

Schneier talked about research into how to avoid such negative unintended effects. One solution, value alignment, attempts to teach systems to respect human moral code. "Good luck" specifying human values or allowing an AI to learn them by self-training, he said.

In defending against AI hacking, he said, "what matters is the amount of ambiguity in the system." AIs are not able to work well with ambiguity. But that seems to be a limited solution that AIs could evolve to surmount.

**AI Hacks and the Real World**

Partly because of their lucrative nature and partly because of the structured code, Schneier expects financial systems to be one of the first real-world systems affected by AI hacks. Talking about the tax code, for example, he asked, "How many loopholes will it find that we don't know about?"

Even worse might be the AI message bots that could be infesting your Twitter time line already, pushing messages and interacting realistically. "It will influence what we think is normal, and what we think others think," Schneier warned. "That's a scale change."

But perhaps the most fraught element is the role AI is already playing in people's lives. 

"AIs are making parole decisions \[about\] who receives bank loans, helps screen job candidates \[and\] applicants for college, people who apply for government services," he noted. Because we can't tell why an AI made the decision, it will not seem fair to those denied — and indeed, it might well be unfair and based on unwarranted or underanalyzed parameters like a ZIP code.

And as with so much, he pointed out, it will be the powerful who benefit and the masses who suffer. "It's not that we \[gestures around the room\] are going to discover hacks in the tax codes," Schneier said. "It's going to be the investment bankers."  

He closed on a note of hope, though. While AI can certainly be used to find and exploit software vulnerabilities, he pointed out that they can also be used to find and _fix_ those vulnerabilities. 

"It identifies all the vulnerabilities and then it patches them" before the software gets released, he suggested. "You could imagine \[this AI\] being built into the software development tools. It's part of the compiler.

"We can imagine a world in which software vulnerabilities are a thing of the past," he added. "Kinda weird, but that's what would happen."

Schneier cautioned that during the transition period in which old vulnerable codes — computer or human — were still open and the new ones were still being vetted, black-hat AIs would still have a rich opening. However, he said, "While AI hackers can be employed by the offense and the defense, in the end it favors the defense. We need to be able to quickly and efficiently respond to hacks," though.

Human systems need to have the same agility as software, he said.

"The overarching solution is people," he said. "We're much better off as a society if we decide as people what technology's role in our future should be."

Why AIs Will Become Hackers

ReliaQuest CTO Joe Partlow joins Dark Reading's Terry Sweeney at Dark Reading News Desk during RSA Conference to discuss extended detection response — and acquisition news.

Customers consistently struggle to get from reactivity to a proactive security strategy, but combining extended detection response (XDR) with threat intelligence is a big step in that direction, says ReliaQuest CTO Joe Partlow. And in that same vein, Partlow describes points to the company’s planned acquisition of threat intel vendor Digital Shadows as a central move to reducing risk and improving resilience for customers. The combined entity will create a force multiplier for aiding the detection, investigation, and response to potential breaches, Partlow adds.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

ReliaQuest Bolsters Extended Detection With Threat Intelligence

Organizations can no longer rely on traditional responses to ransomware.

Imagine the scene: A devastating ransomware attack has immobilized a large manufacturing company. It's not possible to ship or sell any products, or to contact the company's customers. The whole supply chain has been compromised. To make matters worse, two backup locations are also inaccessible. Unfortunately, this is not a what-if scenario. It happened, despite the best efforts of the company's security and business operations teams. Even though the organization had a Plan A _and_ a Plan B, it wasn't enough to deal with modern-day ransomware.

Too often, a traditional response to a ransomware attack is focused solely on a technical investigation. However, the ripple effects of ransomware go far beyond a system reboot and security housekeeping. As our manufacturing company's predicament highlights, there's often a gap between what needs to be done and shared across the enterprise and current incident response plans. Organizations' leaders must recognize that ransomware is a business risk, not simply a cybersecurity problem, and they should take the right steps in the right order to handle any crisis.

**Ransomware Motivations Evolve**

Although ransomware has been around a long time, threat actor tactics and motivations have recently changed. Following Russia's invasion of Ukraine, threat actors on Dark Web Russian language forums — particularly ones associated with ransomware — are sometimes choosing targets based on political motives rather than just financial gains. The ideological divide has led many underground actors to call for the return of ransomware groups to the mainstream underground and to reinstate the targeting of Western entities, especially in the resources, government, banking, and critical infrastructure sectors.

**New Tactics Open the Door**

We’re also seeing new threat actors introducing fresh ideas and evolving tactics. For example, some attacks are more destructive than disruptive, involving deleting or damaging backups. This destroys Plan B and makes it harder for a compromised target to get back up and running. It can also damage a business's brand and reputation.

Making life easier for threat actors is access to "plug-and-play" tools, such as ransomware-as-a-service products that can be easily purchased on the Dark Web and just as easily deployed. And there is also the growing interest in network access sales — when cybercriminals offer sophisticated and accomplished threat actors a shortcut to a compromised network for a price. For example, in February the Accenture threat intelligence team found that an underground site user, "GodLevel," was advertising access to a subdomain belonging to an identified Ukrainian agricultural exchange. An attacker could potentially use compromised system access to elevate user privileges and make use of associated domains to obtain personally identifiable information (PII) and payment card data, resell exfiltrated data, and deploy malicious software such as ransomware.

When it comes to ransomware tactics, one of the new flavors is extortion, where threat actors initiate a public business disinformation campaign aimed at eroding confidence and public trust in a business.

We're even seen threat actors directly contacting individuals whose data has been stolen from a company when the company refuses to pay a ransom. So, while companies are trying to deal with cyber complexities and get their business back up and running, they may also have to defend themselves against an extended ecosystem of stakeholders.

Disruptive times have resulted in a surge in attacks, and it is possible that Russia's invasion of Ukraine could continue this trend. Recent analysis from the Accenture cyber-incident forensic response team, based on engagements conducted between January and December 2021, shows a year-on-year increase of 107% in ransomware and extortion attacks and 33% in intrusion volume from ransomware and extortion. These growing threats put pressure on a traditional crisis response and accentuate the vital role of coordinated planning and communications.

**Closing the Communications Gap**

When all areas of the enterprise work together — driven from the top — the whole business benefits. Here are some steps to consider to help close the gaps that open the door to ransomware and extortion:

*   **Lead with leaders:** Cybersecurity professionals often run tabletop exercises, but they should evolve such exercises to include executive-level simulations. This enables organizations to test their defenses against a typical ransomware attack directly with business leaders — while simulating the risk and adrenalin of a "real-life" attack scenario.
*   **Avoid the domino effect:** Taking an uncoordinated first step can lead an organization down a path that can hinder its recovery. By creating a playbook and having a clear plan for the whole business, overseen by the C-suite, organizations can avoid the domino effect of "wrong place, wrong time" actions.
*   **Report with rigor:** The devil is in the details. To protect against ransomware, maintain standard cybersecurity patching hygiene practices and incorporate an intelligence-driven approach to vulnerability and attack surface management programs. To be resilient, organizations should better understand internal reporting obligations and act with full transparency, in a thoughtful and factual way.

**Conclusion**

By understanding — and preparing for — the full implications of a ransomware attack on an organization, recovery can be faster and easier. However, business leaders are often ill-prepared, especially when it comes to the essential communications needed to inform and instruct all stakeholders affected by an attack. It's time for business leaders to look with fresh eyes at how they handle ransomware and extortion. And the emphasis should be on prioritizing effective crisis management across the enterprise.

How Poor Communication Opens the Door to Ransomware and Extortion

BlackBasta, a newish ransomware group that is somehow linked to Conti, has a new Linux variant of its malware that targets VMware ESXi virtual machines.
The post BlackBasta is the latest ransomware to target ESXi virtual machines on Linux appeared first on Malwarebytes Labs.

BlackBasta, an alleged subdivision of the ransomware group Conti, just began supporting the encryption of VMware’s ESXi virtual machines (VM) installed on enterprise Linux servers. Because more and more organizations have begun using VMs for cost-effectiveness and easier management of devices, this change in tactic makes sense.

An ESXi VM is a bare-metal hypervisor software. Software can be characterized as “bare metal” if installed directly onto the physical machine, between the hardware and the operating system.

Siddharth Sharma and Nischay Hegde, threat researchers from Uptycs, were the first to spot and reveal BlackBasta’s tactical change in a report.

**On Linux: BlackBasta 101**

BlackBasta first appeared in April 2022 after the group ramped up their attacks against dozens of organizations. Although the brand seems relatively new, the way the group quickly accumulates victims, as well as their negotiation tactics, betray a level of experience not seen in fledgling and inexperienced online criminal gangs. This is probably why many cybersecurity communities associate them with known ransomware actors, particularly Conti.

Like other ransomware variants targeting Linux systems, BlackBasta encrypts the /vmfs/volumes folder. This is where virtual machines on ESXi servers are stored. Encrypting the files here will render VMs unusable.

If it cannot find this folder, however, the ransomware exits.

BlackBasta ransomware uses ChaCha20, a cryptographic algorithm known for its speed, to encrypt files. This is run in parallel with multithreading to make encryption faster, further avoid detection, and increase ransomware throughput.

Once files are encrypted, the extension .basta is appended at the end of all affected files. BlackBasta also drops the ransom note, readme.txt, which contains a unique ID and a URL to a chat support channel accessible only using Tor.

Contents of the readme.txt ransom note dropped in every subfolder in volumes. (Source: Uptycs)

A section of the ransom note reads:

    Your data are stolen and encrypted
    The data will be published on TOR website if you do not pay the ransom
    You can contact us and decrypt one file for free on this TOR site
    (you should download and install TOR browser first https://torproject.org)
    {URL redacted}

**Protect your Linux ESXi VM against ransomware attacks**

Vincent Bariteau, Threat Intelligence Support Analyst at Malwarebytes, recommends organizations follow these best practices to protect their Linux servers against ransomware attacks if they’re using ESXi VM:

*   Harden the SSH (Secure Shell) access to allow only a specific user to use it.
*   Disable SSH if it’s not needed, or only make it available from a specific network/IP address via a firewall configuration.
*   Ensure that you are following VMWare’s general security recommendations for ESXi.

Organizations also have the option of using a free, open-sourced tool called Lynis, which is an auditing tool.

BlackBasta is the latest ransomware to target ESXi virtual machines on Linux

Cybersecurity researchers have taken the wraps off what they call a "nearly-impossible-to-detect" Linux malware that could be weaponized to backdoor infected systems.
Dubbed Symbiote by threat intelligence firms BlackBerry and Intezer, the stealthy malware is so named for its ability to conceal itself within running processes and network traffic and drain a victim's resources like a parasite.

Cybersecurity researchers have taken the wraps off what they call a "nearly-impossible-to-detect" Linux malware that could be weaponized to backdoor infected systems.

Dubbed **Symbiote** by threat intelligence firms BlackBerry and Intezer, the stealthy malware is so named for its ability to conceal itself within running processes and network traffic and drain a victim's resources like a parasite.

The operators behind Symbiote are believed to have commenced development on the malware in November 2021, with the threat actor predominantly using it to target the financial sector in Latin America, including banks like Banco do Brasil and Caixa.

"Symbiote's main objective is to capture credentials and to facilitate backdoor access to a victim's machine," researchers Joakim Kennedy and Ismael Valenzuela said in a report shared with The Hacker News. "What makes Symbiote different from other Linux malware is that it infects running processes rather than using a standalone executable file to inflict damage."

It achieves this by leveraging a native Linux feature called LD\_PRELOAD — a method previously employed by malware such as Pro-Ocean and Facefish — so as to be loaded by the dynamic linker into all running processes and infect the host.

Besides hiding its presence on the file system, Symbiote is also capable of cloaking its network traffic by making use of the extended Berkeley Packet Filter (eBPF) feature. This is carried out by injecting itself into an inspection software's process and using BPF to filter out results that would uncover its activity.

Upon hijacking all running processes, Symbiote enables rootkit functionality to further hide evidence of its presence and provides a backdoor for the threat actor to log in to the machine and execute privileged commands. It has also been observed storing captured credentials encrypted in files masquerading as C header files.

This is not the first time a malware with similar capabilities has been spotted in the wild. In February 2014, ESET revealed a Linux backdoor called Ebury that's built to steal OpenSSH credentials and maintain access to a compromised server.

"Since the malware operates as a user-land level rootkit, detecting an infection may be difficult," the researchers concluded. "Network telemetry can be used to detect anomalous DNS requests and security tools such as AVs and EDRs should be statically linked to ensure they are not 'infected' by userland rootkits."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Symbiote: A Stealthy Linux Malware Targeting Latin American Financial Sector

ownCloud owncloud/core before 10.10.0 Improperly Removes Sensitive Information Before Storage or Transfer.

*   Product
*   Community
*   Partners
*   News
    **news***   Insights & Updates
        *   ownCloud News
    *   Forum
        *   ownCloud Central
    *   Events
        *   Upcoming Events
        *   Past Events / Recordings
    *   Social Media
        *   Facebook
        *   Twitter
        *   LinkedIn
    
    **Latest Posts**
    
    Whether it's files containing personal data (GDPR), intellectual property or sensitive corporate data from HR, finance or …
    
    Read more
    
    We recently released the beta for Infinite Scale. And, there's more: The alpha releases of the desktop …
    
    Read more
    
*   Pricing

*   Risk: medium
*   CVSS v3 Base Score: 5.7
*   CVSS v3 Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
*   CWE ID: CWE-212
*   CWE Name: Improper Removal of Sensitive Information Before Storage or Transfer
*   CVE: CVE-2022-31649

**Description**

The settings page and some API responses of a few ownCloud apps contained plaintext credentials.

**Affected**

*   ownCloud server < 10.10.0

**Action taken**

Remove the sensitive values from the HTML and API responses.

CVE-2022-31649: Information disclosure in settings UI and API responses - ownCloud

Concentric AI's Karthik Krishnan joins Dark Reading's Terry Sweeney at Dark Reading News Desk during RSA Conference to discuss how artificial intelligence has transformed the security landscape.

Concentric AI's Karthik Krishnan joins Dark Reading's Terry Sweeney at Dark Reading News Desk during RSA Conference to discuss how artificial intelligence has transformed the security landscape.

Dark Reading's Terry Sweeney in conversation with Karthik Krishnan, CEO and founder of Concentric AI

Informa Tech

Artificial intelligence has transformed the security landscape and given security professionals powerful tools to do their jobs more efficiently, says Karthik Krishnan, CEO and founder of Concentric AI. Krishnan also discusses where AI is best implemented and how the technology is helping to reduce data volumes that inundate most active security operations centers (SOCs).

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Concentric: How To Maximize Your AI Returns, In and Out of the SOC

It only takes one successful attack to spell disaster for a company. Learn how to protect your company with this email security best practice guide.

The number of emails sent _each day_ is expected to top 330 billion this year.

Cybercriminals know this, with phishing and other email-targeting tactics the top attack vectors ― because they work so well. And as we discussed in the first article of this two-part series, "For MSPs, Next-Gen Email Security Is a Must," advances in automation have made it easy to run these attacks at scale, with no organization too small to target anymore.

It only takes one successful attack to spell disaster. What can you do to protect your company? Although proper email security is never a walk in the park, we have prepared a checklist of email security best practices for small and midsize businesses (SMBs), divided into three categories: organizational culture, security posture management, and technology stack.

**Organizational Culture**

A security-first organizational culture bolsters email safety by prioritizing the following:

1.  **Clear policies:** Get IT and business leaders to co-formulate clear security policies, including email-specific ones.
2.  **Continuous reinforcement:** Make email security practices part of employee onboarding, ongoing training, and performance reviews.
3.  **Peer buy-in:** Buy-in for the company's security strategy from _non-security_ peers is crucial for good security outcomes for SMBs.
4.  **Learning from incidents:** Leverage email security incidents to address vulnerabilities and finetune policies.

**Security Posture Management**

Here are four best practices for email security posture management that SMBs can adopt:

1.  **Timely incident response:** A _companywide_ incident response plan (that includes notifications, responsibilities, response and mitigation workflows, reporting, etc.) must be regularly tested and updated.
2.  **Data loss prevention (DLP) program:** A DLP program incurs costs, but the ROI is clear when a company can achieve near-zero RPO/RTO outcomes in response to ransomware or other data theft exploits.
3.  **Systematic management of email passwords:** UK survey: 82% of security breaches over the previous year started with weak email passwords. IT should enforce strong, unique passwords that are updated regularly.
4.  **Clear reporting:** Be able to _demonstrate_ diligent tracking of email security metrics and effectively _address_ incidents and vulnerabilities.

**Staying on Top of Technology**

Cyber threats are constantly evolving, increasing the pressure on businesses to optimize and modernize their protection. Ensure that your current email security stack is best of breed and up to date:

1.  **Proactive refreshing of email security stack:** SMBs with a process in place to proactively refresh their security technology stack achieve superior security outcomes.
2.  **SaaS:** A SaaS email security solution ensures continuous improvement while eliminating infrastructure overhead.
3.  **Two-factor authentication (2FA):** An additional authentication step considerably hardens email security. There are plenty of freeware and commercial 2FA solutions out there.
4.  **Multiple, overlapping layers of defense:** Sophisticated exploits require a multilayer defense based on email security gateways; anti-phishing or anti-malware tools; and threat intelligence solutions.

**Using an MSP**

MSPs have the resources and experience to deploy a well-integrated, end-to-end solution that protects their customers' email flows. The benefits of using an MSP include:

*   24/7/365 threat detection and response

*   Scalability

*   Easy integration with existing email infrastructure

*   Flexibility and configurability

It's a win-win solution: The MSP works against the weaponization of email while the SMB can focus its resources on core business activities.

**Acronis and Email Security**

Whether a business manages email security itself or turns to an MSP, having an integrated data protection and cybersecurity solution that secures an organization's online assets — including email — is critical. Learn how Acronis can help with its cyber protection solutions, featuring ML-based anti-malware, antivirus, and anti-ransomware protection, fail-proof patching, continuous backups, safe and rapid recovery, global threat monitoring, smart alerts, and more.

**About the Author**

    

Candid Wüest is the VP of Cyber Protection Research at Acronis, where he researches new threat trends and comprehensive protection methods. Previously, he worked for more than 16 years as the tech lead for Symantec's global security response team. Wüest is a frequent speaker at security-related conferences, including RSAC and AREA41, and is an adviser for the Swiss federal government on cyber-risks. He holds a master's in computer science from ETH Zurich and various certifications and patents.

Cracking the Email Security Code: 12 Best Practices for Small and Midsize Businesses

We catch up with some old acquaintances that just aren't ready to hang up the towel just yet.
The post MakeMoney malvertising campaign adds fake update template appeared first on Malwarebytes Labs.

Malware authors and distributors are following the ebbs and flow of the threat landscape. One campaign we have tracked for a numbers of years recently introduced a new scheme to possibly completely move away from drive-by downloads via exploit kit.

In this quick blog post, we will look at this new attack chain and link it with previous activity from what we believe are the same threat actors.

**FakeUpdates (SocGholish) lookalike**

Our researcher Fillip Mouliatis identified a malvertising campaign leading to a fake Firefox update. The template is strongly inspired from similar schemes and in particular the one distributed by the FakeUpdates (SocGholish) threat actors.

However distribution and implementation are very different. Unlike FakeUpdates which uses compromised websites to push their template, this one is driven via malvertising. Please note the IP addresses involved in the redirection infrastructure as we will come back to them in a moment.

The template itself is much more simplified and appears to be in development with a fake Firefox update that contains a couple of scripts that pull down an encrypted payload. The initial executable consists of a loader which retrieves a piece of Adware detected as BrowserAssistant. This payload was seen before and interestingly through a similar malvertising campaign involving the RIG exploit kit.

**MakeMoney connection**

The malvertising infrastructure is essentially the same one that was used in numerous drive-by campaigns with exploit kits since late 2019. For some reason the threat actors are reusing the same servers in Russia and naming their malvertising gates after different ad networks.

Security researcher @na0\_sec saw the “MakeMoney gate”, named after the domain makemoneywithus\[.\]work (**188.225.75.54**), redirect the Fallout exploit kit in October 2020, although it mostly used RIG EK for several years. Probably the earliest instance of this threat group was seen in December 2019 via the gate gettime\[.\]xyz (**185.220.35.26)**.

Looking at this infrastructure shows that the group reused a few servers quite predictably during these years between AS59504 vpsville and AS9123 TimeWeb. For example, gettime\[.\]xyz was hosted on the same server (185.220.35.26) as makemoneyeazzywith\[.\]me. Staying with the MakeMoney theme, we see makemoneywith\[.\]us on 188.225.75\[.\]54. That server was likely hosting a Keitaro TDS given such hostnames as keitarotrafficdelivery\[.\]xyz.

There is also activity on **185.220.33.3**, **185.230.140.210** and **188.225.75.54** hosting a number of impersonation hostnames such as magicpropeller\[.\]xyz (PropellerAds), magicpopcash\[.\]xyz (PopCash).

We find it interesting that the same threat actors remained faithful to RIG EK for so long during a period where exploit kits were going out of business. They also seemed to poke fun at the same ad networks they were abusing, unless the choice for names associated with their gates was motivated by sorting out their upstream traffic.

We don’t believe we have seen the last of this threat group. Having said that, their latest social engineering scheme could use some improvements to remove some blatant typos while their server-side infrastructure could be tidied up.

**Indicators of Compromise**

**IP addresses (malvertising domains, gates)**

185.220.35.26  
188.225.75.54  
185.220.33.3  
185.230.140.210

**IP addresses (fake template)**

188.227.107.121  
188.227.107.92

**Domains (malvertising domains, gates)**

adcashtds2\[.\]xyz  
adcashtdssystem\[.\]site  
adsinside\[.\]xyz  
adsterramagic\[.\]me  
adstexx\[.\]xyz  
allmagnew\[.\]xyz  
alltomag\[.\]xyz  
an-era\[.\]shop  
ankgomag\[.\]xyz  
anklexit\[.\]online  
ankltrafficexit\[.\]xyz  
ankmagicgo\[.\]xyz  
blackexit\[.\]xyz  
ccgmaining\[.\]life  
ccgmaining\[.\]live  
ccgmaining\[.\]work  
clickadusweep\[.\]vip  
clickadusweeps\[.\]vip  
clickadutds\[.\]xyz  
clicksdeliveryserver\[.\]space  
clicktds2\[.\]xyz  
cryptomoneyinside\[.\]xyz  
cryptomoneyinsider\[.\]biz  
cryptomoneyinsider\[.\]link  
cryptomoneyinsider\[.\]site  
cryptomoneyinsider\[.\]work  
cryptomoneyinsiders\[.\]com  
cryptomoneyinsiders\[.\]site  
cryptomoneyinsiders\[.\]work  
cryptomoneytds\[.\]xyz  
cryptopaycard\[.\]shop  
cryptosuite\[.\]pro  
cryptosuitetds\[.\]com  
cryptotraffic\[.\]vip  
cryptotraffictds\[.\]online  
cryptotraffictdss\[.\]xyz  
cryptozerotds\[.\]xyz  
daiichisankyo-hc\[.\]live  
earncryptomoney\[.\]info  
exitmagall\[.\]xyz  
extradeliverytraffic\[.\]com  
extramoneymaker\[.\]vip  
familylabs\[.\]xyz  
fujimi\[.\]fun

gettime\[.\]xyz  
hilldeliveryexit\[.\]xyz  
hillex\[.\]xyz  
hilllandings\[.\]xyz  
hillmag\[.\]xyz  
hillmagnew\[.\]xyz  
hilltopmagic\[.\]xyz  
hilltoptds\[.\]xyz  
hilltoptdsserver\[.\]xyz  
hilltoptdsservers\[.\]fun  
hilltoptrafficdelivery\[.\]com  
hilltoptrafficdelivery\[.\]xyz  
jillstuart-floranotisjillstu\[.\]art  
k-to-kd\[.\]me  
keitarotrafficdelivery\[.\]com  
keitarotrafficdelivery\[.\]xyz  
lahsahal\[.\]site  
magcheckall\[.\]me  
magicadss\[.\]xyz  
magicadsterra\[.\]xyz  
magicclickadu\[.\]xyz  
magickhill\[.\]xyz  
magickpeoplenew\[.\]xyz  
magicpopcash\[.\]xyz  
magicpropeller\[.\]xyz  
magicself\[.\]xyz  
magiczero\[.\]xyz  
makemoneyeazzywith\[.\]me  
makemoneynowwith\[.\]me  
makemoneywith\[.\]us  
makemoneywithus\[.\]work  
mizuno\[.\]casa  
money365\[.\]xyz  
myallexit\[.\]xyz  
myjobsy\[.\]com  
nawa-store\[.\]com  
newallfrommag\[.\]xyz  
newzamenaadc\[.\]xyz  
newzamenaclick\[.\]xyz  
newzamenaself\[.\]xyz  
newzamenazero\[.\]xyz  
nippon-mask\[.\]site  
northfarmstock\[.\]xyz  
offers\[.\]myjobsy\[.\]com

offersstudioex\[.\]live  
openphoto\[.\]xyz  
partners\[.\]usemoney\[.\]xyz  
prelandingpages\[.\]xyz  
promodigital\[.\]me  
propellermagic\[.\]xyz  
sberbank\[.\]hourscareer\[.\]com  
sberjob\[.\]hourscareer\[.\]com  
selfadtracker1\[.\]online  
selfadtrackerexit\[.\]xyz  
selftraffictds\[.\]xyz  
selfyourads\[.\]xyz  
shop\[.\]mizuno\[.\]casa  
supersports\[.\]fun  
surprise\[.\]yousweeps\[.\]vip  
tracker\[.\]usemoney\[.\]xyz  
traffic\[.\]selfadtracker1\[.\]online  
traffic\[.\]usemoney\[.\]xyz  
trafficdeliveryclick\[.\]xyz  
trafficdeliveryoffers\[.\]com  
trafficdeliverysystem\[.\]world  
traffictrackerself\[.\]xyz  
tryphoto\[.\]xyz  
trytime\[.\]xyz  
usehouse\[.\]xyz  
usemoney\[.\]life  
usemoney\[.\]xyz  
ymalljp\[.\]com  
yousweeps\[.\]vip  
zamenaad\[.\]xyz  
zamenaclick\[.\]xyz  
zamenahil\[.\]xyz  
zamenazer\[.\]xyz  
zapasnoiadc\[.\]xyz  
zapasnoiclick\[.\]xyz  
zapasnoiself\[.\]xyz  
zapasnoizero\[.\]xyz  
zermag\[.\]xyz  
zernewmagcheck\[.\]xyz  
zerocryptocard\[.\]shop  
zeroexit\[.\]xyz  
zerok2exit\[.\]xyz  
zeroparktraffic\[.\]xyz  
zeroparktrakeroutside\[.\]shop  
zerotdspark\[.\]space  
zerotracker\[.\]shop

**References**

https://twitter.com/MBThreatIntel/status/1483235125827571715  
https://twitter.com/MBThreatIntel/status/1361824286499950601  
https://twitter.com/malware\_traffic/status/1412128664721014785  
https://twitter.com/malware\_traffic/status/1357513424566124548  
https://twitter.com/FaLconIntel/status/1351739449932083200  
https://twitter.com/tkanalyst/status/1226125887256416256  
https://twitter.com/david\_jursa/status/1346562997305696262  
https://twitter.com/nao\_sec/status/1334289601125445633  
https://twitter.com/FaLconIntel/status/1298661757943087105  
https://twitter.com/nao\_sec/status/1294871134001799168  
https://twitter.com/david\_jursa/status/1232996830520193024  
https://twitter.com/david\_jursa/status/1229354505583628288  
https://twitter.com/nao\_sec/status/1211975197219151876

Tag

#intel