Cybersecurity researchers are drawing attention to an ongoing wave of attacks linked to a threat cluster tracked as Raspberry Robin that's behind a Windows malware with worm-like capabilities. 
Describing it as a "persistent" and "spreading" threat, Cybereason said it observed a number of victims in Europe.
The infections involve a worm that propagates over removable USB devices containing

Cybersecurity researchers are drawing attention to an ongoing wave of attacks linked to a threat cluster tracked as Raspberry Robin that's behind a Windows malware with worm-like capabilities.

Describing it as a "persistent" and "spreading" threat, Cybereason said it observed a number of victims in Europe.

The infections involve a worm that propagates over removable USB devices containing malicious a .LNK file and leverages compromised QNAP network-attached storage (NAS) devices for command-and-control. It was first documented by researchers from Red Canary in May 2022.

Also codenamed QNAP worm by Sekoia, the malware leverages a legitimate Windows installer binary called "msiexec.exe" to download and execute a malicious shared library (DLL) from a compromised QNAP NAS appliance.

"To make it harder to detect, Raspberry Robin leverages process injections in three legitimate Windows system processes," Cybereason researcher Loïc Castel said in a technical write-up, adding it "communicates with the rest of \[the\] infrastructure through TOR exit nodes."

Persistence on the compromised machine is achieved by making Windows Registry modifications to load the malicious payload through the Windows binary "rundll32.exe" at the startup phase.

The campaign, which is believed to date back to September 2021, has remained something of a mystery so far, with no clues as to the threat actor's origin or its end goals.

The disclosure comes as QNAP said it's actively investigating a new wave of Checkmate ransomware infections targeting its devices, making it the latest in a series of attacks after AgeLocker, eCh0raix, and DeadBolt.

"Preliminary investigation indicates that Checkmate attacks via SMB services exposed to the internet, and employs a dictionary attack to break accounts with weak passwords," the company noted in an advisory.

"Once the attacker successfully logs in to a device, they encrypt data in shared folders and leave a ransom note with the file name "!CHECKMATE\_DECRYPTION\_README" in each folder."

As precautions, the Taiwanese company recommends customers to not expose SMB services to the internet, improve password strength, take regular backups, and update the QNAP operating system to the latest version.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Warn of Raspberry Robin's Worm Targeting Windows Users

IBM WebSphere Application Server Liberty 17.0.0.3 through 22.0.0.7 and Open Liberty are vulnerable to identity spoofing by an authenticated user using a specially crafted request. IBM X-Force ID: 225604.

  

**Summary**

IBM WebSphere Application Server Liberty is vulnerable to identity spoofing with the appSecurity-1.0, appSecurity-2.0, appSecurity-3.0 or appSecurity-4.0 feature enabled. This has been addressed.

**Vulnerability Details**

**CVEID:**   CVE-2022-22476  
**DESCRIPTION:**   IBM WebSphere Application Server Liberty and Open Liberty are vulnerable to identity spoofing by an authenticated user using a specially crafted request.  
CVSS Base score: 5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/225604 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L)

**Affected Products and Versions**

Affected Product(s)

Version(s)

IBM WebSphere Application Server Liberty

17.0.0.3 - 22.0.0.7

**Remediation/Fixes**

 IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the APAR PH46073. To determine if a feature is enabled for IBM WebSphere Application Server Liberty, refer to How to determine if Liberty is using a specific feature. 

**For IBM WebSphere Application Server Liberty 17.0.0.3 - 22.0.0.7 using the appSecurity-1.0, appSecurity-2.0, appSecurity-3.0 or appSecurity-4.0 feature(s):**   
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH46073  
\--OR--  
· Apply Liberty Fix Pack 22.0.0.8 or later (targeted availability 3Q2022).

Additional interim fixes may be available and linked off the interim fix download page.

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

The vulnerability was reported to IBM by Tom Tervoort from Secura.

**Change History**

07 July 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Component":"Liberty","Platform":\[{"code":"PF002","label":"AIX"},{"code":"PF012","label":"IBM i"},{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"},{"code":"PF035","label":"z\\/OS"},{"code":"PF017","label":"Mac OS"}\],"Version":"Liberty","Edition":"Liberty","Line of Business":{"code":"LOB45","label":"Automation"}}\]

CVE-2022-22476: Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to Identity Spoofing (CVE-2022-22476)

This year's RSA Conference saw a strange mix of selling the future and the past — for good reason.

The show floor during the RSA Conference was a dizzying mix of vendors selling solutions ideal for a precloud world and vendors carving out new concepts. There was a bewildering list of acronyms that we knew and several we didn't. CSPMs, CWPPs, and CIEMs were joined by SSMP, CNAPP, and CDR. (Read this companion piece to learn what they mean.)

The main takeaway seemed to be "Secure the future, but don't neglect the legacy of the past" — which is surprisingly reasonable for the volatile and ephemeral world of cybersecurity. Mix that in with the global skills shortage and confusion in the world of talent and, as the title of this article says, welcome-back-to-the-future shock!

Why do we see this strange mix of selling the future and the past? Well, not every company has the same pressures and drivers, so consequently they can be at a different stage of technology transformation. Cloud natives and the growing ranks of "cloud immigrants" (those not born using the cloud but who fully embrace it) live in the 2020s. At the same time, some organizations are moving to enter the 1990s or perhaps 2000s, at least as far as IT security spending goes. People are buying their first SIEM or upgrading to a next-gen firewall, as well as trying to secure cloud-native and cloud-migrated applications and workloads. Different industry sectors have different dynamics, and this is reflected in their architectures and operations.

Back in 1970, the Boston Consulting Group created the paradigm of the four stages of product growth: question marks, stars, cash cows, and pets. The VPN market is a perfect example of the cash cow — larger than all of the cloud security markets combined but with a clearly visible end-of-life looming on the horizon. In contrast, many cloud security solution categories, such as CSPM, CIEM, and CWPP, are now firmly established as rising stars, with healthy innovation and growth being evident.

**Ubiquitous Buzzwords and Hidden Gems**

RSA Conference has always been about buzzword bingo. Extended detection and response (XDR) was everywhere, but the vendor offerings underneath the banner varied widely. XDR is a relatively new term, and the various analyst firms — and even individual analysts within the big firms — are arguing about what it means. This is even more true of zero trust (a phrase that also describes how many CISOs feel about vendor pitches and marketing). More mature detection and response technologies, such as endpoint detection and response (EDR) and network detection and response (NDR) are joined by cloud detection and response (CDR, which I have seen interpreted also as content disarm and reconstruction) and data detection and response (DDR). Managed detection and response (MDR) is an attempt by managed service providers to shed the reputation of simply being there to tell the customer they've been hacked, and to shift a little bit left of the crisis.  

Zero trust is a term that's become overused and is losing traction — however, it's still an integral part of the security landscape. Of course, it's debatable whether zero trust truly models the way that we interact as humans in our customer and supplier relationships, but it is a useful model for cybersecurity architects and engineers trying to reduce the hazard of unintentional connectivity between systems.

And when we talk about hype in cybersecurity, there is one specter that always lurks in the corner. Machine learning spent a good few years being breathlessly abused by excited salespeople, to the point when it seemed like we should expect it to magically inoculate our applications, straighten out our insider risk problems, manage our supply chain, and serve coffee afterward. The reaction this provoked was frustrated CISOs refusing point-blank to talk to any wide-eyed evangelist of the magic box. Thankfully, machine learning and artificial intelligence now provide solid solutions ready to be put into operation. Marketing efforts are focusing on realizable, evidence-backed assertions based on customer benefits, and this is converting into solid growth.

**What Did I Miss?**

Despite the fact that fraud is on the rise, there weren't that many fraud detection solutions. Perhaps their absence is an indication that CISOs are turning away from the dream of the fusion solution and deciding that despite evidence of attackers using cyberattacks in fraud schemes, it's too complex to overcome the corporate politics. 

Dedicated ransomware solutions were also remarkably absent. While CISOs may recognize the benefits of solutions specifically targeted at this huge problem, they need to be able to explain to the CFO why the malware solutions that have already been paid for aren't doing the job. I think that we are not seeing the full ransomware kill chain, as several threat research organizations are identifying links between ransomware, fraud attacks, and other cyberattacks.

Data security solutions seem to be becoming a component of other solutions, such as CWPP (for cloud), or other specific verticals, such as payment solutions, healthcare, and others that have compliance-driven privacy responsibilities. This is another example of how compliance drives security investment (and therefore, engineering and product development). It may be that, as more applications become fully cloud-centric, we will be expecting this capability to be provided natively within the cloud app itself.

It is surprising that Internet of Things/operational technology (IoT/OT) solutions remain thin on the ground. One colleague of mine suggested that the "s" in "things" stands for security, and it's not hard to see the truth behind that witticism. Security has always been driven by compliance and risk, and IoT/OT is still at the stage where design engineers and managers are seeking operational availability and connectivity. 

There appears to be little driving force in investing in secure cybersecurity solutions, despite the evident threat from unfriendly foreign powers, criminal gangs, and destructive activists. As many industrial control engineers say, it's all fun and games until some noxious glowing goo eats through the floor!

What's clear from the RSA Conference is that the industry is ready to use the lessons of the past to point us toward the future.

Welcome-Back-to-the-Future Shock

**BOULDER, Colo. – July 6, 2022 –** Swimlane, the low-code security automation company, today announced a $70 million growth funding round led by Activate Capital. Existing investors Energy Impact Partners (EIP) and 3Lines Venture Capital also participated in the round. The new investment will accelerate the company’s ongoing growth and operations on a global scale while continuing to advance its platform innovations in security automation ahead of the competition.

Automation has become a must-have technology for security operations, evident from recent Presidential Executive Orders, an unsolvable talent shortage and an ever-increasing amount of threat telemetry. Swimlane recently launched Turbine as the solution — a breakthrough in low-code automation that captures hard-to-reach telemetry and expands actionability beyond closed extended detection and response (XDR) ecosystems.

As part of the funding, the company also announced that Raj Atluru, Managing Partner at Activate Capital, will join the Swimlane Board of Directors.

“We invested in Swimlane because we believe in the company’s ability to unlock the most valuable product developments customers demand for security automation inside and outside the SOC,” said Atluru. “Swimlane has transcended traditional SOAR and risen to meet the growing need for low-code security automation to help organizations quantify business value, overcome process and data fatigue, and combat chronic staffing shortages.”

Sameer Reddy, Managing Partner at Energy Impact Partners said, “Security operations today is at a critical inflection point. Organizations don’t have enough people, money, or resources to address all of their security workflows across the entire organization, while also responding to threats the moment they happen. Automation will have to play a critical role in addressing these challenges and Swimlane is incredibly well-positioned as the leading independent security automation platform.”

According to Niloofar Razi Howe, Swimlane Board Member and long-time cybersecurity veteran, “The accelerating pace of threat telemetry coupled with a rapidly expanding attack surface is outstripping the ability for humans to act. Swimlane is filling in one of the biggest gaps in cybersecurity today by putting humans back in control with a low-code approach to security automation.”

“We are very proud of the global traction and results we have achieved,” said James Brear, CEO of Swimlane. “Besides our hyper revenue growth, we have achieved over 120% of net retention and product expansion. Our cloud product has seen a 5X increase in adoption over 2021 and our growth over the last four years is over 700%. This is a testament to our customer-first mindset and meeting all the use case requirements our customers demand.”

The new investment will also accelerate the growth of Swimlane’s global partner network and create new market opportunities through partners in all major geographies. This will include technical partner support and enablement to help partners unlock the power of automation beyond just threat response.

“Organizations across industries are facing a more sophisticated and targeted threat landscape than ever before,” said John Vanderzon, CTO of Sun Management, which also joined the growth round of investment. “We invested in Swimlane for its intelligent approach to solving a long-term problem. We see Swimlane as a paradigm shift similar to what we saw with Palo Alto Networks when we ran four of their betas in 2007. We look for technology that solves problems intelligently, and Swimlane's low-code security automation goes above and beyond to give companies the power to stop threats at the point of inception in a rapidly expanding attack surface — without the need to hire more people.”

**About Swimlane**

Swimlane is the leader in cloud-scale, low-code security automation. Swimlane unifies security operations in-and-beyond the SOC into a single system of record that helps overcome process and data fatigue, chronic staffing shortages, and quantifying business value. The Swimlane Turbine platform combines human and machine data into actionable intelligence for security leaders. For more information, visit swimlane.com or join the conversation on LinkedIn, Twitter and YouTube.

Swimlane Secures $70M Growth Round to Fuel Global Expansion of Next Generation Low-Code Security Automation Platform

Quantum-proof encryption is here—decades before it can be put to the test.

In 1994, a Bell Labs mathematician named Peter Shor cooked up an algorithm with frightening potential. By vastly reducing the computing resources required to factor large numbers—to break them down into their multiples, like reducing 15 to 5 and 3—Shor’s algorithm threatened to upend many of our most popular methods of encryption.

Fortunately for the thousands of email providers, websites, and other secure services using factor-based encryption methods such as RSA or elliptic curve cryptography, the computer needed to run Shor’s algorithm didn’t exist yet. 

Shor wrote it to run on quantum computers which, back in the mid-1990s, were largely theoretical devices that scientists hoped might one day outperform classical computers on a subset of complex problems.

In the decades since, huge strides have been made toward building practical quantum computers, and government and private researchers have been racing to develop new quantum-proof algorithms that will be resistant to the power of these new machines. For the last six years, the National Institute of Standards and Technology (NIST)—a division of the US Department of Commerce—has been running a competition to find the algorithms that it hopes will secure our data against quantum computers. This week, it published the results.

NIST has whittled hundreds of entries from all over the world to an initial list of just four: CRYSTALS-Kyber for general encryption, and CRYSTALS-Dilithium, FALCON, and SPHINCS+ for use in digital signatures during identity verification or when signing digital documents. “People have to understand the threat that quantum computers can pose to cryptography,” says Dustin Moody, who leads the post-quantum cryptography project at NIST. “We need to have new algorithms to replace the ones that are vulnerable, and the first step is to standardize them.”

Just as RSA encryption relies on the difficulty of factoring extremely large numbers, three of the four algorithms unveiled this week use a complicated mathematical problem that’s expected to be difficult for even quantum computers to wrestle with. Structured lattices are abstract multi-dimensional grids that are extremely challenging to navigate unless you know the shortcuts. In structured lattice cryptography, as with RSA, the sender of a message will encrypt the contents using the recipient’s public key, but only the receiver will have the keys to decrypt it. With RSA the keys are factors—two large prime numbers that are easy to multiply together but difficult to ascertain if you have to work backwards. In these post-quantum cryptography algorithms the keys are vectors, directions through the maze of a structured lattice.

Although it will be a few years before these standards are published in their final form, it’s a pretty big moment. “For the first time, we have something to use against a quantum threat,” says Ali El Kaafarani, the CEO of PQShield, which worked on the FALCON algorithm.

Those quantum threats might still be decades away, but security experts warn of “harvest now, decrypt later” attacks—bad actors hovering up caches of encrypted data with the expectation that they’ll eventually have a quantum computer that can access them. The longer it takes to implement quantum-proof cryptography, the more data will be vulnerable. (Although, Lancaster University quantum researcher Rob Young points out that a lot of sensitive data that could be harvested now is also time sensitive: Your credit card number today will be irrelevant in 15 years.)

“The first thing organizations need to do is understand where they are using crypto, how, and why,” says El Kaafarani. “Start assessing which parts of your system need to switch, and build a transition to post-quantum cryptography from the most vulnerable pieces.”

There is still a great degree of uncertainty around quantum computers. No one knows what they’ll be capable of or if it’ll even be possible to build them at scale. Quantum computers being built by the likes of Google and IBM are starting to outperform classical devices at specially designed tasks, but scaling them up is a difficult technological challenge and it will be many years before a quantum computer exists that can run Shor’s algorithm in any meaningful way. “The biggest problem is that we have to make an educated guess about the future capabilities of both classical and quantum computers,” says Young. “There's no guarantee of security here.”

The complexity of these new algorithms makes it difficult to assess how well they’ll actually work in practice. “Assessing security is usually a cat-and-mouse game,” says Artur Ekert, a quantum physics professor at the University of Oxford and one of the pioneers of quantum computing. “Lattice based cryptography is very elegant from a mathematical perspective, but assessing its security is really hard.”

The researchers who developed these NIST-backed algorithms say they can effectively simulate how long it will take a quantum computer to solve a problem. “You don't need a quantum computer to write a quantum program and know what its running time will be,” argues Vadim Lyubashevsky, an IBM researcher who contributed to the the CRYSTALS-Dilithium algorithm. But no one knows what new quantum algorithms might be cooked up by researchers in the future.

Indeed, one of the shortlisted NIST finalists—a structured lattice algorithm called Rainbow—was knocked out of the running when IBM researcher Ward Beullens published a paper entitled “Breaking Rainbow Takes a Weekend on a Laptop.” NIST’s announcements will focus the attention of code breakers on structured lattices, which could undermine the whole project, Young argues. 

There is also, Ekert says, a careful balance between security and efficiency: In basic terms, if you make your encryption key longer, it will be more difficult to break, but it will also require more computing power. If post-quantum cryptography is rolled out as widely as RSA, that could mean a significant environmental impact.

Young accuses NIST of slightly “naive” thinking, while Ekert believes “a more detailed security analysis is needed”. There are only a handful of people in the world with the combined quantum and cryptography expertise required to conduct that analysis.

Over the next two years, NIST will publish draft standards, invite comments, and finalize the new forms of quantum-proof encryption, which it hopes will be adopted across the world. After that, based on previous implementations, Moody thinks it could be 10 to 15 years before companies implement them widely, but their data may be vulnerable now. “We have to start now,” says El Kaafarani. “That’s the only option we have if we want to protect our medical records, our intellectual property, or our personal information.”

Will These Algorithms Save You From Quantum Threats?

The novel threat steals data and can affect all processes running on the OS, stealing information from different commands and utilities and then storing it on the affected machine.

The novel threat steals data and can affect all processes running on the OS, stealing information from different commands and utilities and then storing it on the affected machine.

A sneaky malware for Linux is backdooring devices to steal data and can affect all the processes running on a particular machine, researchers have found.

The malware, dubbed Orbit, is unlike other Linux threats in that it steals information from different commands and utilities and then stores them in specific files on the machine, researchers from security automation firm Intezer discovered. In fact, the malware’s name comes from one of the filenames it to temporarily store the output of executed commands, they said.

Orbit can either achieve persistence on a machine or be installed as volatile implant, Intezer’s Nicole Fishbein explained in a blog post on Orbit published this week.

The malware sets itself apart from similar threats is its “almost hermetic hooking” of libraries on the targeted machines, which allows it to gain persistence and evade detection while stealing information and setting SSH backdoor, she said.

“The malware implements advanced evasion techniques and gains persistence on the machine by hooking key functions, provides the threat actors with remote access capabilities over SSH, harvests credentials, and logs TTY commands,” Fishbein wrote in the post.

Moreover, once Orbit is installed, it infects all of the running processes on the machine, including new ones, she said.

****Setting Itself Apart****

Typically, existing Linux threats such as Symbiote and HiddenWasp hijack shared Linux libraries by modifying the environment variable LD\_PRELOAD. Orbit works differently, however, using two different ways to load the malicious library, Fishbein wrote.

“The first way is by adding the shared object to the configuration file that is used by the loader,” she explained in the post. “The second way is by patching the binary of the loader itself so it will load the malicious shared object.”

Specifically, Orbit uses XOR encrypted strings and steals passwords, tactics that are similar to other Linux backdoors already reported by researchers at  ESET, Fishbein wrote.

But that’s where the similarity with how those backdoors hijack libraries ends, she said. Orbit goes a step further by not only stealing info from different commands and utilities, but implementing “an extensive usage of files” for storing the stolen data, something researchers have not seen before, Fishbein wrote.

****Installation and Execution****

Orbit loads onto a Linux machine or device via a dropper that not only installs the payload but also prepares the environment for the malware execution.

To install the payload and add it to the shared libraries that are being loaded by the dynamic linker, the dropper calls a function called patch\_ld and then the symbolic link of the dynamic linker /lib64/ld-linux-x86-64.so.2. The latter is done to check if the malicious payload is already loaded by searching for the path used by the malware, researchers said.

If the payload is found, the function can swap it with the other location, they noted. Otherwise, the dropper looks for /etc/ld.so.preload and replaces it with a symbolic link to the location of malicious library: /lib/libntpVnQE6mk/.l or /dev/shm/ldx/.l, depending on the argument passed to the dropper.

Lastly, the dropper will append /etc/ld.so.preload to the end of the temp file to make sure that the malicious library will be loaded first, researchers said.

The payload itself is a shared object (.SO file) that can be placed either in persistent storage or in shim-memory. “If it’s placed in the first path the malware will be persistent, otherwise it is volatile,” Fishbein wrote.

The shared object hooks functions from three libraries–libc, libcap and Pluggable Authentication Module (PAM). Once this is done, the existing processes that use these functions will essentially use the modified functions, and new processes will be hooked with the malicious library as well, researchers found.

This hooking allows the malware to infect the whole machine and harvest credentials, evade detection, gain persistence, and provide remote access to the attackers, Fishbein wrote.

****Evasion Tactics****

Orbit also hooks multiple functions as its strategy to evade detection, thus preventing them from releasing information that might reveal the existence of the malicious shared library either in the running processes or the files in use by Orbit, researchers noted.

“The malware uses a hardcoded GID value (the one set by the dropper) to identify the files and processes that are related to the malware and based on that it will manipulate the behavior of the hooked functions,” Fishbein wrote. In Linux, a GID is a numeric value used to represent a specific group.

As an example of this functionality, Orbit hooks readdir—a Linux function that returns a pointer to a dirent structure describing the next directory entry in the directory stream associated with dirp–to check the GID of the calling process, she explained.

“If it doesn’t match the hardcoded value, all of the directories with the predefined GID value will be omitted from the function’s output,” Fishbein wrote.

**Register Now for this LIVE EVENT on MONDAY JULY 11:** Join Threatpost and Intel Security’s Tom Garrison in a live conversation about innovation enabling stakeholders to stay ahead of a dynamic threat landscape and what Intel Security learned from their latest study in partnership with Ponemon Institue. Event attendees are encouraged to preview the report and ask questions during the live discussion. **Learn more and register here**.

Sneaky Orbit Malware Backdoors Linux Devices

Latest campaigns are a break from its usual financially motivated attacks and appear aligned with Russian interests, security researchers say.

In a break from precedent, Russia's hitherto purely financially motivated Trickbot threat group has systematically been attacking targets in Ukraine over the past three months, apparently in support of Russian government interests in the region.

Researchers from IBM's X-Force threat intelligence group this week said they had uncovered two campaigns — and analyzed four others that Ukraine’s Computer Emergency Response Team (CERT-UA) disclosed — where Trickbot went after targets in Ukraine. The campaigns began after Russia’s invasion of Ukraine in February and have targeted Ukrainian state authorities, government organizations, specific individuals, and the general population. Several of the attacks have involved phishing emails with various themes designed to grab the attention of Ukrainian users — included some that are war-related.

The attacks highlight an unprecedented shift for Trickbot, and it's notable because threat groups in former Soviet Union states have typically avoided attacking targets in each other’s countries, IBM said.

Prior to the Russian invasion, ITG23, which is the name by which IBM tracks Trickbot, had not been known to target Ukraine. "Much of the group's malware was even configured to not execute on systems if the Ukrainian language was detected," IBM said in a report summarizing its findings this week. "ITG23's campaigns against Ukraine are notable due to the extent to which this activity differs from historical precedent and the fact that these campaigns appeared specifically aimed at Ukraine with some payloads that suggest a higher degree of target selection."

**Multiple Malware Tools**

IBM said it has observed Trickbot distributing several known malware tools such as IcedID, Cobalt Strike, AnchorMail, and Meterpreter in its attacks on Ukrainian targets. Some of the attacks involved the use of new tools such as a malicious Excel downloader, a self-extracting archive for dropping various malware payloads and a new malware encryption and obfuscation tool.

One of the two Trickbot campaigns that IBM uncovered was in early May. In those attacks, IBM observed the threat actor using a weaponized Excel file to download its AnchorMail backdoor on compromised systems. AnchorMail is a revamped version of Trickbot’s AnchorDNS, a backdoor that members of the closely affiliated Conti group have been using to deploy Conti ransomware. IBM X-Force researchers have previously described the malware as notable for communicating with its command-and-control (C2) server using the DNS protocol.

The second recent Trickbot campaign that IBM X-Force researchers spotted occurred likely in late May or early June. In that campaign, Trickbot actors used an ISO image file — or archive file containing the contents of an optical disk — as part of an attack chain to drop the Cobalt Strike post-exploit attack kit on target system. In June, Trickbot users were observed exploiting the so-called “Follina” zero-day bug in the Windows Microsoft Support Diagnostic Tool (MSDT) to deploy Cobalt Strike.

The campaigns that CERT-UA disclosed, and which IBM X-Force researchers analyzed, involved Trickbot attempts to deploy IcedID, a banking Trojan turned malware distributor; Metasploit attack payload, Meterpreter; and Cobalt Strike. In five of the six observed campaigns, Trickbot actors directly downloaded Cobalt Strike, AnchorMail, or Meterpreter on target systems — another break from their usual habit of deploying these tools as secondary payloads. IBM said the switch suggests "these attacks are part of targeted campaigns during which ITG23 is willing to immediately deploy higher-value backdoors."

IBM described the new malicious Excel downloader that Trickbot is using in the Ukrainian attacks as designed to download malware from a hard-coded URL. The downloader is stored as a macro within the Excel file and runs automatically if the file is opened — provided the user has macros enabled. The new dropper for AnchorMail that IBM observed is in the form of a WinRAR Self Extracting Archive. The dropper is rigged to extract and execute a script for building and configuring AnchorMail on infected systems.

Trickbot is a highly successful threat group that has been around since at least 2016. The group initially used its eponymously named malware to steal credentials to banking accounts. Over the years, the group evolved into a sort of initial access broker and a distributor for several ransomware and malware tools, most notably Conti and Ryuk and Emotet. Trickbot is used variously for stealing data, enabling cryptomining, enumerating systems, and other malicious activities.

Court documents in connection with the arrest of a key member of the group last year showed that nearly 20 cybercriminals — including several malware experts — collaborated in building the malware. A massive 2020 international law enforcement operation to take the threat actor down temporarily disrupted its activities but failed to stop them.

In Switch, Trickbot Group Now Attacking Ukrainian Targets

We take a look at a report which indicates Brazil has a long way to go with regard to encrypting and backing up data.
The post Report: Brazil must do more to encrypt, back up data appeared first on Malwarebytes Labs.

Federal government organisations in Brazil may need to reassess their approach to cyberthreats, according to a new report by the country’s Federal Audit Court. It outlines multiple key areas of concern across 29 key areas of risk. One of the biggest problems in the cybercrime section of the report relates to backups. Specifically: The _lack_ of backups when dealing with hacking incidents.

**Backups in Brazil: An uphill struggle**

Backups are an essential backstop that can help against several forms of attack, as well as mistakes and mishaps. The most obvious one of those would be ransomware. When networks are compromised and systems are locked up, victims with effective backups can try to restore their systems to a point in time before the attack.

Not having backups leaves victims with very limited options. Assuming the attackers don’t just vanish into the night, the business may decide to pay the ransom and recover the encrypted files. At best, that is a slow, manual process. If things go badly, the decryption tools may be broken and fail to recover data. In some cases, they may not even exist. At this point, an organisation is out of pocket _and_ files.

This is enough to cause showstopping issues for any organisation. And if the affected business performs critical tasks, attacks can have alarming consequences for the community at large. Healthcare and law enforcement are good examples of this.

As a result, getting up to speed on backing up data has become more prominent in recent years. In fact, not _just_ backing up. It’s important that organisations create sensible, organised backups which can be deployed in a crisis. You can’t roll back properly if the files are disorganised and nobody can make sense of which folder goes where.

With this in mind, the statistics don’t make for great reading.

**The numbers game**

According to the report:

*   **74.6% of organizations** (306 out of 410) do not have a formally approved backup policy—basic document, negotiated between the business areas (“owners” of the data/systems) and the organization’s IT, with a view to disciplining issues and procedures related to the execution of backups.
*   **71.2% of organizations** that host their systems on their own servers/machines (265 out of 372) do not have a specific backup plan for their main system.
*   **66.6% of organizations** that claim to perform backups (254 out of 385), despite implementing physical access control mechanisms to the storage location of these files, do not store them encrypted, which carries a risk of data leakage from the organization, which can cause enormous losses, especially if it involves sensitive and/or confidential information.
*   **60.2% of organizations** (247 out of 410) do not keep their copies in at least one non-remotely accessible destination, which carries a risk that, in a cyberattack, the backup files themselves end up being corrupted, deleted and/or encrypted by the attacker or malware, rendering the organization’s backup/restore process equally ineffective.

**Backing up: Not a guaranteed fix**

The report notes that various initiatives already exist to get people talking about the need for both encryption and backing up. While any rise in backup numbers is a good thing, it’s not necessarily going to come close to solving problems.

One of the worst offshoots of standard ransomware attacks in the past few year is the rise of “double extortion”, where ransomware authors steal data before it’s encrypted, and then threaten to release it if the ransom isn’t paid. One of the reasons double extortion attacks came about is precisely because backups don’t work against data leaks.

For organizations that do keep backups, the challenge is how to set them up and maintain them so they do what’s expected, when they are needed most. This is surprisingly difficult.

David Ruiz, host of Malwarebytes’ Lock and Code podcast recently spoke to backup expert Matt Crape, a technical account manager at VMWare, to find out why backups often fail when it really matters, and how to ensure they don’t.

This video cannot be displayed because your _Functional Cookies_ are currently disabled.

To enable them, please visit our _privacy policy_ and search for the Cookies section. Select _“Click Here”_ to open the Privacy Preference Center and select _“Functional Cookies”_ in the menu. You can switch the tab back to _“Active”_ or disable by moving the tab to _“Inactive.”_ Click _“Save Settings.”_

Report: Brazil must do more to encrypt, back up data

Five months after announcing plans to disable Visual Basic for Applications (VBA) macros by default in the Office productivity suite, Microsoft appears to have rolled back its plans.
"Based on feedback received, a rollback has started," Microsoft employee Angela Robertson said in a July 6 comment. "An update about the rollback is in progress. I apologize for any inconvenience of the rollback

Five months after announcing plans to disable Visual Basic for Applications (VBA) macros by default in the Office productivity suite, Microsoft appears to have rolled back its plans.

"Based on feedback received, a rollback has started," Microsoft employee Angela Robertson said in a July 6 comment. "An update about the rollback is in progress. I apologize for any inconvenience of the rollback starting before the update about the change was made available."

In February 2022, the tech giant said it was disabling macros by default across its products, including Word, Excel, PowerPoint, Access, and Visio, for documents downloaded from the web in an attempt to mitigate potential attacks that abuse the functionality for deploying malware.

"Bad actors send macros in Office files to end users who unknowingly enable them, malicious payloads are delivered, and the impact can be severe including malware, compromised identity, data loss, and remote access," Microsoft noted at the time.

It's not immediately clear what the "feedback" was or what prompted Redmond to reverse course without any official notice. We have reached out to Microsoft for further comment, and we will update the story if we hear back.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Quietly Rolls Back Plan to Block Office VBA Macros by Default

A malicious browser extension with 350 variants is masquerading as a Google Translate add-on as part of an adware campaign targeting Russian users of Google Chrome, Opera, and Mozilla Firefox browsers.
Mobile security firm Zimperium dubbed the malware family ABCsoup, stating the "extensions are installed onto a victim's machine via a Windows-based executable, bypassing most endpoint security

A malicious browser extension with 350 variants is masquerading as a Google Translate add-on as part of an adware campaign targeting Russian users of Google Chrome, Opera, and Mozilla Firefox browsers.

Mobile security firm Zimperium dubbed the malware family **ABCsoup**, stating the "extensions are installed onto a victim's machine via a Windows-based executable, bypassing most endpoint security solutions, along with the security controls found in the official extension stores."

The rogue browser add-ons come with the same extension ID as that of Google Translate — "aapbdbdomjkkjkaonfhkkikfgjllcleb" — in an attempt to trick users into believing that they have installed a legitimate extension.

The extensions are not available on the official browser web stores themselves. Rather they are delivered through different Windows executables that install the add-on on the victim's web browser.

In the event the targeted user already has the Google Translate extension installed, it replaces the original version with the malicious variant owing to their higher version numbers (30.2.5 vs. 2.0.10).

"Furthermore, when this extension is installed, Chrome Web Store assumes that it is Google Translate and not the malicious extension since the Web Store only checks for extension IDs," Zimperium researcher Nipun Gupta said.

All the observed variants of the extension are geared towards serving pop-ups, harvesting personal information to deliver target-specific ads, fingerprinting searches, and injecting malicious JavaScript that can further act as a spyware to capture keystrokes and monitor web browser activity.

The main function of ABCsoup entails checking for Russian social networking services like Odnoklassniki and VK among the current websites opened in the browser, and if so, gather the users' first and last names, dates of birth, and gender, and transmit the data to a remote server.

Not only does the malware use this information to serve personalized ads, the extension also comes with capabilities to inject custom JavaScript code based on the websites opened. This includes YouTube, Facebook, ASKfm, Mail.ru, Yandex, Rambler, Avito, Brainly's Znanija, Kismia, and rollApp, suggesting a heavy Russia focus.

Zimperium attributed the campaign to a "well-organized group" of Eastern European and Russian origin, with the extensions designed to target Russian users given the wide variety of local domains targeted.

"This malware is purposefully designed to target all kinds of users and serves its purpose of retrieving user information," Gupta said. "The injected scripts can be easily used to serve more malicious behavior into the browser session, such as keystroke mapping and data exfiltration."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#mac