By Deeba Ahmed
Earlier in March this year, Ronin Network (RON), a blockchain network underpinning the famous crypto game Axie Infinity…
This is a post from HackRead.com Read the original post: Hackers Used Fake LinkedIn Job Offer to Hack Off $625M from Axie Infinity

****Earlier in March this year, Ronin Network (RON), a blockchain network underpinning the famous crypto game Axie Infinity and Axie DAO suffered the largest crypto hack against a decentralized finance network reported to date.****

In May 2022, the United States issued an advisory according to which highly skilled hackers from North Korea were trying to get employed by posing as IT freelancers. Now, it has been revealed that Axie Infinity hacking was socially engineered in which North Korean government-backed hacker group Lazarus used a fake job offer to infiltrate Sky Mavis’ network by sending one of the company’s employees a PDF file containing spyware.

Lazarus’ involvement in such a high-profile hack should not come as a surprise. In January 2022, researchers from different crypto security firms concluded that North Korean hackers have so far stolen $1.3 billion from cryptocurrency exchanges across the globe, while their prime suspect in these hacks was the infamous Lazarus gang.

**Axie Infinity Hack**

The employee, an ex-senior engineer at the company, took the bait and thought that it was a high-paying job offer from another company and opened the PDF. However, in reality, this company didn’t exist. During the recruiting process, the ex-employee gave away critical personal information, which attackers used to steal from the company.

Sky Mavis explained that its employees are constantly threatened by “advanced spear-phishing attacks on various social channels.” In this instance, one employee was fooled, who doesn’t even work at Sky Mavis anymore.

It is worth noting that the play-to-earn game Axie Infinity is a Pokemon-inspired game developed by Sky Mavis and rakes in approximately $15 million in revenue daily.

**How was Ronin Hacked?**

According to The Block, when the hacking took place, Axie Infinity had nine validators from its proof-of-authority, an Ethereum-based sidechain Ronin.

“The attacker managed to leverage that access to penetrate Sky Mavis IT infrastructure and gain access to the validator nodes,” Sky Mavis stated.

The attacker had to capture five out of nine validators to infiltrate the company’s networks. The spyware-laced PDF helped the attacker control 4 validators and access the community-run Axie DAO (Decentralized Autonomous Organization), from where they got control of the 5th validator.

After compromising the network, the attackers stole $25 million worth of USDC stablecoin and 173,600 ether (roughly $597 million) from Axie Infinity’s treasury, collectively stealing crypto worth around $625 million.

Nevertheless, Ronin sidechain increased the number of validators to 11 to enhance security, whereas Sky Mavis is reimbursing Axie Players who lost crypto due to the attack. The company underwent a $150 million funding round back in April 2022.

**Lazarus Hackers**

The US government claims that the notorious North Korean hacker group Lazarus is responsible for the attack. This group specializes in such attacks.

This isn’t the first time that Lazarus has targeted the blockchain industry. However, this is uncommon for Lazarus to use social engineering to invade a company’s networks. In fact, in June 2020, Slovak internet security company ESET warned LinkedIn users of Lazarus’ involvement in a sophisticated LinkedIn recruiter scam targeting military and aerospace firms.

**More Lazarus Gang Hacks**

1.  US-Cert warns of North Korean BLINDINGCAN malware
2.  Lazarus Group’s AppleJeus MacOS malware targeting crypto exchanges
3.  NK Hackers infect authentic 2FA apps to infect Mac devices with malware
4.  LAZARUS APT Using TraderTraitor Malware to Target Blockchain Orgs, Users
5.  Lazarus hackers use Magecart attack to steal card data from EU, and US sites

Hackers Used Fake LinkedIn Job Offer to Hack Off $625M from Axie Infinity

A newly observed phishing campaign is leveraging the recently disclosed Follina security vulnerability to distribute a previously undocumented backdoor on Windows systems.
"Rozena is a backdoor malware that is capable of injecting a remote shell connection back to the attacker's machine," Fortinet FortiGuard Labs researcher Cara Lin said in a report this week.
Tracked as CVE-2022-30190, the

A newly observed phishing campaign is leveraging the recently disclosed Follina security vulnerability to distribute a previously undocumented backdoor on Windows systems.

"Rozena is a backdoor malware that is capable of injecting a remote shell connection back to the attacker's machine," Fortinet FortiGuard Labs researcher Cara Lin said in a report this week.

Tracked as CVE-2022-30190, the now-patched Microsoft Windows Support Diagnostic Tool (MSDT) remote code execution vulnerability has come under heavy exploitation in recent weeks ever since it came to light in late May 2022.

The starting point for the latest attack chain observed by Fortinet is a weaponized Office document that, when opened, connects to a Discord CDN URL to retrieve an HTML file ("index.htm") that, in turn, invokes the diagnostic utility using a PowerShell command to download next-stage payloads from the same CDN attachment space.

This includes the Rozena implant ("Word.exe") and a batch file ("cd.bat") that's designed to terminate MSDT processes, establish the backdoor's persistence by means of Windows Registry modification, and download a harmless Word document as a decoy.

The malware's core function is to inject shellcode that launches a reverse shell to the attacker's host ("microsofto.duckdns\[.\]org"), ultimately allowing the attacker to take control of the system required to monitor and capture information, while also maintaining a backdoor to the compromised system.

The exploitation of the Follina flaw to distribute malware through malicious Word documents comes as social engineering attacks relying on Microsoft Excel, Windows shortcut (LNK), and ISO image files as droppers to deploy malware such as Emotet, QBot, IcedID, and Bumblebee to a victim's device.

The droppers are said to be distributed through emails that contain directly the dropper or a password-protected ZIP as an attachment, an HTML file that extracts the dropper when opened, or a link to download the dropper in the body of the email.

While attacks spotted in early April prominently featured Excel files with XLM macros, Microsoft's decision to block macros by default around the same time is said to have forced the threat actors to pivot to alternative methods like HTML smuggling as well as .LNK and .ISO files.

Last month, Cyble disclosed details of a malware tool called Quantum that's being sold on underground forums so as to equip cybercriminal actors with capabilities to build malicious .LNK and .ISO files.

It's worth noting that macros have been a tried-and-tested attack vector for adversaries looking to drop ransomware and other malware on Windows systems, whether it be through phishing emails or other means.

Microsoft has since temporarily paused its plans to disable Office macros in files downloaded from the internet, with the company telling The Hacker News that it's taking the time to make "additional changes to enhance usability."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Exploiting Follina Bug to Deploy Rozena Backdoor

Security experts criticize company for reversing course, albeit temporarily, on a decision it made just this February to block macros in files downloaded from the Internet.

_Updated 5:19 p.m. EDT to include Microsoft's clarification that the change is temporary._ 

Several security experts expressed disappointment this week at Microsoft's quiet reversal Wednesday of a decision it had announced in February to disable Office macros in files from the Internet. Likely in response, Microsoft on Friday clarified that the rollback is only temporary while the company makes some additional changes to enhance usability.

In a brief — and barely noticeable — update Wednesday to the February announcement, the company originally said it was taking the step because customers wanted it to do so. "Based on feedback, we're rolling back this change from Current Channel," Microsoft said. "We appreciate the feedback we've received so far, and we're working to make improvements in this experience."

On Friday, the company revised the wording to make clear the rollback was not permanent. "This is a temporary change, and we are fully committed to making the default change for all users," Microsoft noted. The update noted that organizations that wanted to could block Internet macros through the Group Policy setting.

Macros allow users to automate commonly repeated tasks in Microsoft applications such as Word, PowerPoint, and Excel. But they have also long been a favorite attack vector for threat looking to deploy ransomware and other malware on Windows systems via phishing emails and other means. As a glaring example: in January 2022, just before Microsoft announced its decision to block macros from running by default, some 31% of all threats that Netskope blocked involved weaponized Office files.

"Macros in Microsoft Office have been a mixed blessing since their inception," says Mike Parkin, senior technical engineer at Vulcan Cyber. "While they provide a lot of functionality that users like and have leveraged in myriad ways, they’ve also been a popular attack vector since they were introduced."

Microsoft's February announcement that they were doing something about macros as an attack vector was welcomed by people in cybersecurity. So, its change of heart now is a bit disappointing, Parkin says. "While Microsoft has not yet said why they are rolling back the change, it seems likely it’s because users have come to depend on the functionality and would rather keep it in spite of the risk."

A Microsoft spokesman pointed Dark Reading to the company's updated update on the rollback when asked for comment.  

**The Macro Threat**

Microsoft itself has noted the threat that macros pose. In fact, as recently as April, the company urged Windows administrators to ensure Office macros are disabled in the environment to protect against macro malware. The company pointed to several ransomware families that attackers had distributed on Windows systems by abusing macros. Because of this, many security experts reacted with enthusiasm when Microsoft announced that macros from the Internet would be blocked by default in Office starting April 2022.

Starting with Office version 2203, users would no longer be able to enable content macros in files from the Internet by clicking a button, Microsoft had said. Instead, when they attempt to open a download or attachment from the Internet, a message would alert users them about the presence of VBA macros in the file and direct them to learn more about the potential risks associated with the file.

The change prompted a noticeable drop in Office-based attacks. According to Netskope, the percentage of Office malware detected by the company's cloud security platform has declined steadily since February 2022 and hovered at less than 10% for the last five months — compared with 35% a year ago.

Microsoft's reversal this week is going to result in a resurgence of Office malware, says Ray Canzanese, director of Netskope Threat Labs. "We are disappointed with the decision," Canzanese says. "Malicious Office documents are a major infiltration vector for attackers, being used to spread backdoors, info stealers, and ransomware."

Microsoft's decision suggests the company decided to prioritize the usability concerns of a vocal minority of customers over the security benefits inherent in disabling macros by default for all Office users, he says. "Instead of having users who preferred the old behavior opt-out of the enhanced security measure, users and admins will now have to opt-in," Canzanese says. "With this reversal, we expect Office documents to regain their previous popularity among attackers."

Ian McShane, vice president of strategy at Arctic Wolf, says disabling Office macros by default was a huge step forward in securing a tried and tested attack path for adversaries. Re-enabling macros now means Office users are less secure today than they were a week ago. McShane says it would have been better for Microsoft to have continued blocking macros by default than leaving it up to organizations to do it. via group policy settings. The multiple steps and settings that are often involved in doing this can be confusing, he says. 

Instead, the better approach would have been to let those who need macros to enable it via group settings. "Opt-in security benefits no one and is dangerous," he says.

Microsoft Reverses Course on Blocking Office Macros by Default

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between July 1 and July 8. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics,...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

Threat Roundup for July 1 to July 8

Cybersecurity researchers are drawing attention to an ongoing wave of attacks linked to a threat cluster tracked as Raspberry Robin that's behind a Windows malware with worm-like capabilities. 
Describing it as a "persistent" and "spreading" threat, Cybereason said it observed a number of victims in Europe.
The infections involve a worm that propagates over removable USB devices containing

Cybersecurity researchers are drawing attention to an ongoing wave of attacks linked to a threat cluster tracked as Raspberry Robin that's behind a Windows malware with worm-like capabilities.

Describing it as a "persistent" and "spreading" threat, Cybereason said it observed a number of victims in Europe.

The infections involve a worm that propagates over removable USB devices containing malicious a .LNK file and leverages compromised QNAP network-attached storage (NAS) devices for command-and-control. It was first documented by researchers from Red Canary in May 2022.

Also codenamed QNAP worm by Sekoia, the malware leverages a legitimate Windows installer binary called "msiexec.exe" to download and execute a malicious shared library (DLL) from a compromised QNAP NAS appliance.

"To make it harder to detect, Raspberry Robin leverages process injections in three legitimate Windows system processes," Cybereason researcher Loïc Castel said in a technical write-up, adding it "communicates with the rest of \[the\] infrastructure through TOR exit nodes."

Persistence on the compromised machine is achieved by making Windows Registry modifications to load the malicious payload through the Windows binary "rundll32.exe" at the startup phase.

The campaign, which is believed to date back to September 2021, has remained something of a mystery so far, with no clues as to the threat actor's origin or its end goals.

The disclosure comes as QNAP said it's actively investigating a new wave of Checkmate ransomware infections targeting its devices, making it the latest in a series of attacks after AgeLocker, eCh0raix, and DeadBolt.

"Preliminary investigation indicates that Checkmate attacks via SMB services exposed to the internet, and employs a dictionary attack to break accounts with weak passwords," the company noted in an advisory.

"Once the attacker successfully logs in to a device, they encrypt data in shared folders and leave a ransom note with the file name "!CHECKMATE\_DECRYPTION\_README" in each folder."

As precautions, the Taiwanese company recommends customers to not expose SMB services to the internet, improve password strength, take regular backups, and update the QNAP operating system to the latest version.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Warn of Raspberry Robin's Worm Targeting Windows Users

IBM WebSphere Application Server Liberty 17.0.0.3 through 22.0.0.7 and Open Liberty are vulnerable to identity spoofing by an authenticated user using a specially crafted request. IBM X-Force ID: 225604.

  

**Summary**

IBM WebSphere Application Server Liberty is vulnerable to identity spoofing with the appSecurity-1.0, appSecurity-2.0, appSecurity-3.0 or appSecurity-4.0 feature enabled. This has been addressed.

**Vulnerability Details**

**CVEID:**   CVE-2022-22476  
**DESCRIPTION:**   IBM WebSphere Application Server Liberty and Open Liberty are vulnerable to identity spoofing by an authenticated user using a specially crafted request.  
CVSS Base score: 5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/225604 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L)

**Affected Products and Versions**

Affected Product(s)

Version(s)

IBM WebSphere Application Server Liberty

17.0.0.3 - 22.0.0.7

**Remediation/Fixes**

 IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the APAR PH46073. To determine if a feature is enabled for IBM WebSphere Application Server Liberty, refer to How to determine if Liberty is using a specific feature. 

**For IBM WebSphere Application Server Liberty 17.0.0.3 - 22.0.0.7 using the appSecurity-1.0, appSecurity-2.0, appSecurity-3.0 or appSecurity-4.0 feature(s):**   
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH46073  
\--OR--  
· Apply Liberty Fix Pack 22.0.0.8 or later (targeted availability 3Q2022).

Additional interim fixes may be available and linked off the interim fix download page.

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

The vulnerability was reported to IBM by Tom Tervoort from Secura.

**Change History**

07 July 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Component":"Liberty","Platform":\[{"code":"PF002","label":"AIX"},{"code":"PF012","label":"IBM i"},{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"},{"code":"PF035","label":"z\\/OS"},{"code":"PF017","label":"Mac OS"}\],"Version":"Liberty","Edition":"Liberty","Line of Business":{"code":"LOB45","label":"Automation"}}\]

CVE-2022-22476: Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to Identity Spoofing (CVE-2022-22476)

This year's RSA Conference saw a strange mix of selling the future and the past — for good reason.

The show floor during the RSA Conference was a dizzying mix of vendors selling solutions ideal for a precloud world and vendors carving out new concepts. There was a bewildering list of acronyms that we knew and several we didn't. CSPMs, CWPPs, and CIEMs were joined by SSMP, CNAPP, and CDR. (Read this companion piece to learn what they mean.)

The main takeaway seemed to be "Secure the future, but don't neglect the legacy of the past" — which is surprisingly reasonable for the volatile and ephemeral world of cybersecurity. Mix that in with the global skills shortage and confusion in the world of talent and, as the title of this article says, welcome-back-to-the-future shock!

Why do we see this strange mix of selling the future and the past? Well, not every company has the same pressures and drivers, so consequently they can be at a different stage of technology transformation. Cloud natives and the growing ranks of "cloud immigrants" (those not born using the cloud but who fully embrace it) live in the 2020s. At the same time, some organizations are moving to enter the 1990s or perhaps 2000s, at least as far as IT security spending goes. People are buying their first SIEM or upgrading to a next-gen firewall, as well as trying to secure cloud-native and cloud-migrated applications and workloads. Different industry sectors have different dynamics, and this is reflected in their architectures and operations.

Back in 1970, the Boston Consulting Group created the paradigm of the four stages of product growth: question marks, stars, cash cows, and pets. The VPN market is a perfect example of the cash cow — larger than all of the cloud security markets combined but with a clearly visible end-of-life looming on the horizon. In contrast, many cloud security solution categories, such as CSPM, CIEM, and CWPP, are now firmly established as rising stars, with healthy innovation and growth being evident.

**Ubiquitous Buzzwords and Hidden Gems**

RSA Conference has always been about buzzword bingo. Extended detection and response (XDR) was everywhere, but the vendor offerings underneath the banner varied widely. XDR is a relatively new term, and the various analyst firms — and even individual analysts within the big firms — are arguing about what it means. This is even more true of zero trust (a phrase that also describes how many CISOs feel about vendor pitches and marketing). More mature detection and response technologies, such as endpoint detection and response (EDR) and network detection and response (NDR) are joined by cloud detection and response (CDR, which I have seen interpreted also as content disarm and reconstruction) and data detection and response (DDR). Managed detection and response (MDR) is an attempt by managed service providers to shed the reputation of simply being there to tell the customer they've been hacked, and to shift a little bit left of the crisis.  

Zero trust is a term that's become overused and is losing traction — however, it's still an integral part of the security landscape. Of course, it's debatable whether zero trust truly models the way that we interact as humans in our customer and supplier relationships, but it is a useful model for cybersecurity architects and engineers trying to reduce the hazard of unintentional connectivity between systems.

And when we talk about hype in cybersecurity, there is one specter that always lurks in the corner. Machine learning spent a good few years being breathlessly abused by excited salespeople, to the point when it seemed like we should expect it to magically inoculate our applications, straighten out our insider risk problems, manage our supply chain, and serve coffee afterward. The reaction this provoked was frustrated CISOs refusing point-blank to talk to any wide-eyed evangelist of the magic box. Thankfully, machine learning and artificial intelligence now provide solid solutions ready to be put into operation. Marketing efforts are focusing on realizable, evidence-backed assertions based on customer benefits, and this is converting into solid growth.

**What Did I Miss?**

Despite the fact that fraud is on the rise, there weren't that many fraud detection solutions. Perhaps their absence is an indication that CISOs are turning away from the dream of the fusion solution and deciding that despite evidence of attackers using cyberattacks in fraud schemes, it's too complex to overcome the corporate politics. 

Dedicated ransomware solutions were also remarkably absent. While CISOs may recognize the benefits of solutions specifically targeted at this huge problem, they need to be able to explain to the CFO why the malware solutions that have already been paid for aren't doing the job. I think that we are not seeing the full ransomware kill chain, as several threat research organizations are identifying links between ransomware, fraud attacks, and other cyberattacks.

Data security solutions seem to be becoming a component of other solutions, such as CWPP (for cloud), or other specific verticals, such as payment solutions, healthcare, and others that have compliance-driven privacy responsibilities. This is another example of how compliance drives security investment (and therefore, engineering and product development). It may be that, as more applications become fully cloud-centric, we will be expecting this capability to be provided natively within the cloud app itself.

It is surprising that Internet of Things/operational technology (IoT/OT) solutions remain thin on the ground. One colleague of mine suggested that the "s" in "things" stands for security, and it's not hard to see the truth behind that witticism. Security has always been driven by compliance and risk, and IoT/OT is still at the stage where design engineers and managers are seeking operational availability and connectivity. 

There appears to be little driving force in investing in secure cybersecurity solutions, despite the evident threat from unfriendly foreign powers, criminal gangs, and destructive activists. As many industrial control engineers say, it's all fun and games until some noxious glowing goo eats through the floor!

What's clear from the RSA Conference is that the industry is ready to use the lessons of the past to point us toward the future.

Welcome-Back-to-the-Future Shock

**BOULDER, Colo. – July 6, 2022 –** Swimlane, the low-code security automation company, today announced a $70 million growth funding round led by Activate Capital. Existing investors Energy Impact Partners (EIP) and 3Lines Venture Capital also participated in the round. The new investment will accelerate the company’s ongoing growth and operations on a global scale while continuing to advance its platform innovations in security automation ahead of the competition.

Automation has become a must-have technology for security operations, evident from recent Presidential Executive Orders, an unsolvable talent shortage and an ever-increasing amount of threat telemetry. Swimlane recently launched Turbine as the solution — a breakthrough in low-code automation that captures hard-to-reach telemetry and expands actionability beyond closed extended detection and response (XDR) ecosystems.

As part of the funding, the company also announced that Raj Atluru, Managing Partner at Activate Capital, will join the Swimlane Board of Directors.

“We invested in Swimlane because we believe in the company’s ability to unlock the most valuable product developments customers demand for security automation inside and outside the SOC,” said Atluru. “Swimlane has transcended traditional SOAR and risen to meet the growing need for low-code security automation to help organizations quantify business value, overcome process and data fatigue, and combat chronic staffing shortages.”

Sameer Reddy, Managing Partner at Energy Impact Partners said, “Security operations today is at a critical inflection point. Organizations don’t have enough people, money, or resources to address all of their security workflows across the entire organization, while also responding to threats the moment they happen. Automation will have to play a critical role in addressing these challenges and Swimlane is incredibly well-positioned as the leading independent security automation platform.”

According to Niloofar Razi Howe, Swimlane Board Member and long-time cybersecurity veteran, “The accelerating pace of threat telemetry coupled with a rapidly expanding attack surface is outstripping the ability for humans to act. Swimlane is filling in one of the biggest gaps in cybersecurity today by putting humans back in control with a low-code approach to security automation.”

“We are very proud of the global traction and results we have achieved,” said James Brear, CEO of Swimlane. “Besides our hyper revenue growth, we have achieved over 120% of net retention and product expansion. Our cloud product has seen a 5X increase in adoption over 2021 and our growth over the last four years is over 700%. This is a testament to our customer-first mindset and meeting all the use case requirements our customers demand.”

The new investment will also accelerate the growth of Swimlane’s global partner network and create new market opportunities through partners in all major geographies. This will include technical partner support and enablement to help partners unlock the power of automation beyond just threat response.

“Organizations across industries are facing a more sophisticated and targeted threat landscape than ever before,” said John Vanderzon, CTO of Sun Management, which also joined the growth round of investment. “We invested in Swimlane for its intelligent approach to solving a long-term problem. We see Swimlane as a paradigm shift similar to what we saw with Palo Alto Networks when we ran four of their betas in 2007. We look for technology that solves problems intelligently, and Swimlane's low-code security automation goes above and beyond to give companies the power to stop threats at the point of inception in a rapidly expanding attack surface — without the need to hire more people.”

**About Swimlane**

Swimlane is the leader in cloud-scale, low-code security automation. Swimlane unifies security operations in-and-beyond the SOC into a single system of record that helps overcome process and data fatigue, chronic staffing shortages, and quantifying business value. The Swimlane Turbine platform combines human and machine data into actionable intelligence for security leaders. For more information, visit swimlane.com or join the conversation on LinkedIn, Twitter and YouTube.

Swimlane Secures $70M Growth Round to Fuel Global Expansion of Next Generation Low-Code Security Automation Platform

Quantum-proof encryption is here—decades before it can be put to the test.

In 1994, a Bell Labs mathematician named Peter Shor cooked up an algorithm with frightening potential. By vastly reducing the computing resources required to factor large numbers—to break them down into their multiples, like reducing 15 to 5 and 3—Shor’s algorithm threatened to upend many of our most popular methods of encryption.

Fortunately for the thousands of email providers, websites, and other secure services using factor-based encryption methods such as RSA or elliptic curve cryptography, the computer needed to run Shor’s algorithm didn’t exist yet. 

Shor wrote it to run on quantum computers which, back in the mid-1990s, were largely theoretical devices that scientists hoped might one day outperform classical computers on a subset of complex problems.

In the decades since, huge strides have been made toward building practical quantum computers, and government and private researchers have been racing to develop new quantum-proof algorithms that will be resistant to the power of these new machines. For the last six years, the National Institute of Standards and Technology (NIST)—a division of the US Department of Commerce—has been running a competition to find the algorithms that it hopes will secure our data against quantum computers. This week, it published the results.

NIST has whittled hundreds of entries from all over the world to an initial list of just four: CRYSTALS-Kyber for general encryption, and CRYSTALS-Dilithium, FALCON, and SPHINCS+ for use in digital signatures during identity verification or when signing digital documents. “People have to understand the threat that quantum computers can pose to cryptography,” says Dustin Moody, who leads the post-quantum cryptography project at NIST. “We need to have new algorithms to replace the ones that are vulnerable, and the first step is to standardize them.”

Just as RSA encryption relies on the difficulty of factoring extremely large numbers, three of the four algorithms unveiled this week use a complicated mathematical problem that’s expected to be difficult for even quantum computers to wrestle with. Structured lattices are abstract multi-dimensional grids that are extremely challenging to navigate unless you know the shortcuts. In structured lattice cryptography, as with RSA, the sender of a message will encrypt the contents using the recipient’s public key, but only the receiver will have the keys to decrypt it. With RSA the keys are factors—two large prime numbers that are easy to multiply together but difficult to ascertain if you have to work backwards. In these post-quantum cryptography algorithms the keys are vectors, directions through the maze of a structured lattice.

Although it will be a few years before these standards are published in their final form, it’s a pretty big moment. “For the first time, we have something to use against a quantum threat,” says Ali El Kaafarani, the CEO of PQShield, which worked on the FALCON algorithm.

Those quantum threats might still be decades away, but security experts warn of “harvest now, decrypt later” attacks—bad actors hovering up caches of encrypted data with the expectation that they’ll eventually have a quantum computer that can access them. The longer it takes to implement quantum-proof cryptography, the more data will be vulnerable. (Although, Lancaster University quantum researcher Rob Young points out that a lot of sensitive data that could be harvested now is also time sensitive: Your credit card number today will be irrelevant in 15 years.)

“The first thing organizations need to do is understand where they are using crypto, how, and why,” says El Kaafarani. “Start assessing which parts of your system need to switch, and build a transition to post-quantum cryptography from the most vulnerable pieces.”

There is still a great degree of uncertainty around quantum computers. No one knows what they’ll be capable of or if it’ll even be possible to build them at scale. Quantum computers being built by the likes of Google and IBM are starting to outperform classical devices at specially designed tasks, but scaling them up is a difficult technological challenge and it will be many years before a quantum computer exists that can run Shor’s algorithm in any meaningful way. “The biggest problem is that we have to make an educated guess about the future capabilities of both classical and quantum computers,” says Young. “There's no guarantee of security here.”

The complexity of these new algorithms makes it difficult to assess how well they’ll actually work in practice. “Assessing security is usually a cat-and-mouse game,” says Artur Ekert, a quantum physics professor at the University of Oxford and one of the pioneers of quantum computing. “Lattice based cryptography is very elegant from a mathematical perspective, but assessing its security is really hard.”

The researchers who developed these NIST-backed algorithms say they can effectively simulate how long it will take a quantum computer to solve a problem. “You don't need a quantum computer to write a quantum program and know what its running time will be,” argues Vadim Lyubashevsky, an IBM researcher who contributed to the the CRYSTALS-Dilithium algorithm. But no one knows what new quantum algorithms might be cooked up by researchers in the future.

Indeed, one of the shortlisted NIST finalists—a structured lattice algorithm called Rainbow—was knocked out of the running when IBM researcher Ward Beullens published a paper entitled “Breaking Rainbow Takes a Weekend on a Laptop.” NIST’s announcements will focus the attention of code breakers on structured lattices, which could undermine the whole project, Young argues. 

There is also, Ekert says, a careful balance between security and efficiency: In basic terms, if you make your encryption key longer, it will be more difficult to break, but it will also require more computing power. If post-quantum cryptography is rolled out as widely as RSA, that could mean a significant environmental impact.

Young accuses NIST of slightly “naive” thinking, while Ekert believes “a more detailed security analysis is needed”. There are only a handful of people in the world with the combined quantum and cryptography expertise required to conduct that analysis.

Over the next two years, NIST will publish draft standards, invite comments, and finalize the new forms of quantum-proof encryption, which it hopes will be adopted across the world. After that, based on previous implementations, Moody thinks it could be 10 to 15 years before companies implement them widely, but their data may be vulnerable now. “We have to start now,” says El Kaafarani. “That’s the only option we have if we want to protect our medical records, our intellectual property, or our personal information.”

Will These Algorithms Save You From Quantum Threats?

The novel threat steals data and can affect all processes running on the OS, stealing information from different commands and utilities and then storing it on the affected machine.

The novel threat steals data and can affect all processes running on the OS, stealing information from different commands and utilities and then storing it on the affected machine.

A sneaky malware for Linux is backdooring devices to steal data and can affect all the processes running on a particular machine, researchers have found.

The malware, dubbed Orbit, is unlike other Linux threats in that it steals information from different commands and utilities and then stores them in specific files on the machine, researchers from security automation firm Intezer discovered. In fact, the malware’s name comes from one of the filenames it to temporarily store the output of executed commands, they said.

Orbit can either achieve persistence on a machine or be installed as volatile implant, Intezer’s Nicole Fishbein explained in a blog post on Orbit published this week.

The malware sets itself apart from similar threats is its “almost hermetic hooking” of libraries on the targeted machines, which allows it to gain persistence and evade detection while stealing information and setting SSH backdoor, she said.

“The malware implements advanced evasion techniques and gains persistence on the machine by hooking key functions, provides the threat actors with remote access capabilities over SSH, harvests credentials, and logs TTY commands,” Fishbein wrote in the post.

Moreover, once Orbit is installed, it infects all of the running processes on the machine, including new ones, she said.

****Setting Itself Apart****

Typically, existing Linux threats such as Symbiote and HiddenWasp hijack shared Linux libraries by modifying the environment variable LD\_PRELOAD. Orbit works differently, however, using two different ways to load the malicious library, Fishbein wrote.

“The first way is by adding the shared object to the configuration file that is used by the loader,” she explained in the post. “The second way is by patching the binary of the loader itself so it will load the malicious shared object.”

Specifically, Orbit uses XOR encrypted strings and steals passwords, tactics that are similar to other Linux backdoors already reported by researchers at  ESET, Fishbein wrote.

But that’s where the similarity with how those backdoors hijack libraries ends, she said. Orbit goes a step further by not only stealing info from different commands and utilities, but implementing “an extensive usage of files” for storing the stolen data, something researchers have not seen before, Fishbein wrote.

****Installation and Execution****

Orbit loads onto a Linux machine or device via a dropper that not only installs the payload but also prepares the environment for the malware execution.

To install the payload and add it to the shared libraries that are being loaded by the dynamic linker, the dropper calls a function called patch\_ld and then the symbolic link of the dynamic linker /lib64/ld-linux-x86-64.so.2. The latter is done to check if the malicious payload is already loaded by searching for the path used by the malware, researchers said.

If the payload is found, the function can swap it with the other location, they noted. Otherwise, the dropper looks for /etc/ld.so.preload and replaces it with a symbolic link to the location of malicious library: /lib/libntpVnQE6mk/.l or /dev/shm/ldx/.l, depending on the argument passed to the dropper.

Lastly, the dropper will append /etc/ld.so.preload to the end of the temp file to make sure that the malicious library will be loaded first, researchers said.

The payload itself is a shared object (.SO file) that can be placed either in persistent storage or in shim-memory. “If it’s placed in the first path the malware will be persistent, otherwise it is volatile,” Fishbein wrote.

The shared object hooks functions from three libraries–libc, libcap and Pluggable Authentication Module (PAM). Once this is done, the existing processes that use these functions will essentially use the modified functions, and new processes will be hooked with the malicious library as well, researchers found.

This hooking allows the malware to infect the whole machine and harvest credentials, evade detection, gain persistence, and provide remote access to the attackers, Fishbein wrote.

****Evasion Tactics****

Orbit also hooks multiple functions as its strategy to evade detection, thus preventing them from releasing information that might reveal the existence of the malicious shared library either in the running processes or the files in use by Orbit, researchers noted.

“The malware uses a hardcoded GID value (the one set by the dropper) to identify the files and processes that are related to the malware and based on that it will manipulate the behavior of the hooked functions,” Fishbein wrote. In Linux, a GID is a numeric value used to represent a specific group.

As an example of this functionality, Orbit hooks readdir—a Linux function that returns a pointer to a dirent structure describing the next directory entry in the directory stream associated with dirp–to check the GID of the calling process, she explained.

“If it doesn’t match the hardcoded value, all of the directories with the predefined GID value will be omitted from the function’s output,” Fishbein wrote.

**Register Now for this LIVE EVENT on MONDAY JULY 11:** Join Threatpost and Intel Security’s Tom Garrison in a live conversation about innovation enabling stakeholders to stay ahead of a dynamic threat landscape and what Intel Security learned from their latest study in partnership with Ponemon Institue. Event attendees are encouraged to preview the report and ask questions during the live discussion. **Learn more and register here**.

Tag

#mac