Pumpkin Sandstorm. Spandex Tempest. Charming Kitten. Is this really how we want to name the hackers wreaking havoc worldwide?

Hackers—particularly state-sponsored ones focused on espionage and cyberwar, and organized cybercriminals exploiting networks worldwide for profit—are not pets. They wreck businesses, sow chaos, disrupt critical infrastructure, support some of the world's most harmful militaries and dictatorships, and help those governments spy on and oppress innocent people worldwide.

So why, when I write about these organized hacker groups as a cybersecurity reporter, do I find myself referring to them with cute pet names like Fancy Bear, Refined Kitten, and Sea Turtle?

Why, when I interview different cybersecurity firms about a particular unit of Russian military intelligence hackers, do I have to internally translate that this company refers to Fancy Bear as Pawn Storm, while this one calls them Iron Twilight? Why, when I wrote a news piece earlier this week about a North Korea–linked hacking team that has spied on their South Korean neighbors, stolen millions in cryptocurrency to fund the totalitarian regime of Kim Jong-un, and corrupted the software distributed by multiple companies to spread malicious code worldwide, did I find myself referring to them as "the hacker group known as Kimsuky, Emerald Sleet, or Velvet Chollima"? It is all, frankly, a little embarrassing—and to the average reader, lends reporting about cyber conflict about as much gravity as the play-by-play of a Pokémon card game.

A few days ago, Microsoft's cybersecurity division announced it was changing the entire taxonomy of names it uses for the hundreds of hacker groups that it tracks. Instead of its previous system, which gave those organizations the names of elements—a fairly neutral, scientific-sounding system as these things go—it will now give hacker groups two-word names, including in their description a weather-based term indicating what country the hackers are believed to work on behalf of, as well as whether they're state-sponsored or criminal.

That means Phosphorous, an Iranian group that Microsoft reported this week has been targeting US critical infrastructure like seaports, energy companies, and transit systems, now has the less-than-fearsome name Mint Sandstorm. Iridium, Russia's most aggressive and dangerous cyberwar-focused military hacker unit more commonly known as Sandworm—responsible for multiple blackouts in Ukraine and the most destructive malware in history—now has the whimsical title of Seashell Blizzard. Barium, a team of Chinese hackers that's carried out more software-supply-chain attacks than perhaps any group worldwide, is now Brass Typhoon—a phrase that, I confess, I have a hard time separating from flatulence.

Many of the new names sounded so absurd that I actually double-checked Microsoft hadn't published the new labeling system on April 1. Periwinkle Tempest. Pumpkin Sandstorm. Spandex Tempest. Gingham Typhoon. “These names are just really silly,” says Rob Lee, the founder and CEO of industrial-control-system cybersecurity firm Dragos. “I mean, talk about not being taken seriously as a profession.”

Goofiness aside, the new system is counterproductive for actual cybersecurity analysis, Lee argues. Given that Microsoft's threat intelligence is some of the best in the world, analysts and customers across the industry will have to actually revise their databases—and even some of their products—to match Microsoft's new naming scheme, he says. And the revised system now locks in educated guesses about the national loyalties of hackers with no indication of the analysts' degree of confidence in those assessments, Lee adds.f

What if a hacker group thought to be part of a nation’s intelligence agency turns out to be a hacker-for-hire contractor? Or cybercriminals temporarily conscripted to work on behalf of a government? “Assessments change over time,” Lee says. “Like, ‘We told you it was Dirty Mustard and now it’s Swirling Tempest,’ and you’re like, what the fuck?” (Lee’s own firm, Dragos, admittedly gives hacker groups mineral names that are often confusingly similar to Microsoft’s old system. But at least Dragos has never called anyone Gingham Typhoon.)

When I reached out to Microsoft about its new naming scheme, the head of its Threat Intelligence Center, John Lambert, explained the rationale behind the change: Microsoft's new names are more distinct, memorable, and searchable. In contrast to Lee's point about choosing neutral names, the Microsoft team _wanted_ to give customers more context about hackers in the names, Lambert says, immediately identifying their nationality and motive. (Instances that are not yet fully attributed to a known group are given a temporary classifier, he notes.)

Microsoft's team was also just running out of elements—there are, after all, only 118 of them. “We liked weather because it's a pervasive force, it's disruptive, and there's a kindred spirit because the study of weather over time involves improvement in sensors, data, and analysis,” says Lambert. “That's cybersecurity defenders' world, too.” As for the adjectives preceding those meteorological terms—often the real source of the names' inadvertent comedy—they're chosen by analysts from a long list of words. Sometimes they have a semantic or phonetic connection to the hacker group, and sometimes they're random. “There’s some origin story to each one,” Lambert says, “or it could just be a name out of a hat.”

There's a certain, stubborn logic behind the cybersecurity industry's ever-growing sprawl of hacker group handles. When a threat intelligence firm finds evidence of a new team of network intruders, they can't be sure they're seeing the same group that another company has already spotted and labeled, even if they do see familiar malware, victims, and command-and-control infrastructure between the two groups. If your competitor isn't sharing everything they see, it's better to make no assumptions and track the new hackers under your own name. So Sandworm becomes Telebots, and Voodoo Bear, and Hades, and Iron Viking, and Electrum, and—_sigh_—Seashell Blizzard, as every company's analysts get a different glimpse of the group's anatomy.

But, sprawl aside, did these names have to be quite so on-their-face ridiculous? To some degree, it may be wise to give names to hacker gangs that rob them of their malevolent glamour. Members of the Russian ransomware group EvilCorp, for instance, are not likely to be happy with Microsoft's rebranding them as Manatee Tempest. On the other hand, is it really appropriate to label a group of Iranian hackers that seeks to penetrate crucial elements of US civilian infrastructure Mint Sandstorm, as if they're an exotic flavor of air freshener? (The older name given to them by Crowdstrike, Charming Kitten, is certainly not any better.) Did the Israeli hacker-for-hire mercenaries known as Candiru, who have sold their services to governments targeting journalists and human rights activists, really need to be renamed Caramel Tsunami, a brand befitting a Dunkin’ beverage, and one that's already taken by a strain of cannabis?

Kevin Mandia, one of the original hacker hunters and the founder and CEO of the cybersecurity firm Mandiant, captured this problem in a speech at the Cybersecurity Threat Intelligence Summit in 2018. “I’ve always wondered, how do you get into a boardroom and say, ‘Sir, I know you’re breached. You’re in the headlines. And you were hacked by Fluffy Snuggle Duck,’” Mandia said. “It just doesn’t work.”

Mandia concedes today that in the five years since his Fluffy Snuggle Duck comment, he's become more inured to the silly hacker group names. “I don't care what they're called, I just want to make sure we have the catalog right. Do we have the fingerprints for them, do we have defenses for them?” he says.

In our interview, though, he still seemed to be genuinely tripped up by the labeling scheme of his competitor Crowdstrike, which names hackers after different animals based on their nationality. “Bear is Russia … or is it?” Mandia pondered out loud. “Panda is China. But that’s a bear. I’m confused already.”

Mandia and Lee both dream of a day when a government body—say, the US National Institute of Standards and Technology—comes up with a hacker group naming convention that can be adopted across the industry. But they both also say that companies would never stick to it. Marketing aside, the fog of war in cybersecurity research means analysts at different companies will never be sure they're looking at the same entities—unless they all agree to openly share every scrap of their closely guarded intelligence.

Until then, well, just watch out for Periwinkle Tempest. Last year, Periwinkle Tempest launched crippling ransomware attacks across the entire nation of Costa Rica, leading the country's government to declare a national emergency. Periwinkle Tempest are some of the most dangerous hackers in the world. Periwinkle Tempest. Seriously.

Hacker Group Names Are Now Absurdly Out of Control

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 14 and April 21. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for April 14 to April 21

The SolarWinds Platform was susceptible to the Command Injection Vulnerability. This vulnerability allows a remote adversary with a valid SolarWinds Platform admin account to execute arbitrary commands.

**Summary**

The SolarWinds Platform was susceptible to the Command Injection Vulnerability. This vulnerability allows a remote adversary with a valid SolarWinds Platform admin account to execute arbitrary commands.

**Affected Products**

*   SolarWinds Platform 2023.1 and earlier

**Fixed Software Release**

*   SolarWinds Platform 2023.2

**Acknowledgments**

*   Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative

**Workarounds**

SolarWinds recommends customers upgrade to SolarWinds Platform version 2023.2 as soon as it becomes available. The expected release is by the end of April 2023. SolarWinds also recommends customers to follow the guidance provided in the SolarWinds Secure Configuration Guide. Ensure only authorized users can access the SolarWinds Platform. Special attention should be given to the following points from the documentation:

*   Be careful not to expose your SolarWinds Platform website on the public internet. If you must enable outbound internet access from SolarWinds servers, create a strict allow list and block all other traffic. See SolarWinds Platform Product Features Affected by Internet Access.
*   Disable unnecessary ports, protocols, and services on your host operating system and on applications like SQL Server. For more details, see the SolarWinds Port Requirements guide and Best practices for configuring Windows Defender Firewall (© 2023 Microsoft, available at https://docs.microsoft.com, obtained on March 28, 2023.)
*   Apply proper segmentation controls on the network where you have deployed the SolarWinds Platform and SQL Server instances.
*   Starting with the Orion Platform 2020.2.1 Hotfix 2, you can configure your SolarWinds Platform alert actions to be run in the context of a limited user account. See the article on Securing external programs and script actions.

CVE-2022-36963: SolarWinds Trust Center Security Advisories | CVE-2022-36963

The SolarWinds Platform was susceptible to the Local Privilege Escalation Vulnerability. This vulnerability allows a local adversary with a valid system user account to escalate local privileges.

**Summary**

The SolarWinds Platform was susceptible to the Local Privilege Escalation Vulnerability. This vulnerability allows a local adversary with a valid system user account to escalate local privileges.

**Affected Products**

*   SolarWinds Platform 2023.1 and earlier

**Fixed Software Release**

*   SolarWinds Platform 2023.2

**Acknowledgments**

*   Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative

**Workarounds**

SolarWinds recommends customers upgrade to SolarWinds Platform version 2023.2 as soon as it becomes available. The expected release is by the end of April 2023. SolarWinds also recommends customers to follow the guidance provided in the SolarWinds Secure Configuration Guide. Ensure only authorized users can access the SolarWinds Platform. Special attention should be given to the following points from the documentation:

*   Be careful not to expose your SolarWinds Platform website on the public internet. If you must enable outbound internet access from SolarWinds servers, create a strict allow list and block all other traffic. See SolarWinds Platform Product Features Affected by Internet Access.
*   Disable unnecessary ports, protocols, and services on your host operating system and on applications like SQL Server. For more details, see the SolarWinds Port Requirements guide and Best practices for configuring Windows Defender Firewall (© 2023 Microsoft, available at https://docs.microsoft.com, obtained on March 28, 2023.)
*   Apply proper segmentation controls on the network where you have deployed the SolarWinds Platform and SQL Server instances.

CVE-2022-47505: SolarWinds Trust Center Security Advisories | CVE-2022-47505

The SolarWinds Platform was susceptible to the Incorrect Input Neutralization Vulnerability. This vulnerability allows a remote adversary with a valid SolarWinds Platform account to append URL parameters to inject HTML.

**Summary**

The SolarWinds Platform was susceptible to the Incorrect Input Neutralization Vulnerability. This vulnerability allows a remote adversary with a valid SolarWinds Platform account to append URL parameters to inject HTML.

**Affected Products**

*   SolarWinds Platform 2023.1 and earlier

**Fixed Software Release**

*   SolarWinds Platform 2023.2

**Acknowledgments**

*   Juampa Rodriguez (@UnD3sc0n0c1d0)

**Workarounds**

SolarWinds recommends customers upgrade to SolarWinds Platform version 2023.2 as soon as it becomes available. The expected release is by the end of April 2023. SolarWinds also recommends customers to follow the guidance provided in the SolarWinds Secure Configuration Guide. Ensure only authorized users can access the SolarWinds Platform. Special attention should be given to the following points from the documentation:

*   Be careful not to expose your SolarWinds Platform website on the public internet. If you must enable outbound internet access from SolarWinds servers, create a strict allow list and block all other traffic. See SolarWinds Platform Product Features Affected by Internet Access.
*   Disable unnecessary ports, protocols, and services on your host operating system and on applications like SQL Server. For more details, see the SolarWinds Port Requirements guide and Best practices for configuring Windows Defender Firewall (© 2023 Microsoft, available at https://docs.microsoft.com, obtained on March 28, 2023.)
*   Apply proper segmentation controls on the network where you have deployed the SolarWinds Platform and SQL Server instances.

CVE-2022-47509: SolarWinds Trust Center Security Advisories | CVE-2022-47509

Kim Jong Un's Swiss Army knife APT continues to spread its tendrils around the world, showing it's not intimidated by the researchers closing in.

Globally, interest has surged around North Korea's Kimsuky advanced persistent threat group (a.k.a. APT43) and its hallmarks. Still, the group is showing no signs of slowing down despite the scrutiny.

Kimsuky is a government-aligned threat actor whose main aim is espionage, often (but not exclusively) in the fields of policy and nuclear weapons research. Its targets have spanned the government, energy, pharmaceutical, and financial sectors, and more beyond that, mostly in countries that the DPRK considers arch-enemies: South Korea, Japan, and the United States.

Kimsuky is by no means a new outfit — CISA has traced the group's activity all the way back to 2012. Interest peaked last month thanks to a report from cybersecurity firm Mandiant, and a Chrome extension-based campaign that led to a joint warning from German and Korean authorities. In a blog published April 20, VirusTotal highlighted a spike in malware lookups associated with Kimsuky, as demonstrated in the graph below.

    

Volume of lookups for Kimsuky malware samples. Source: Virus Total

Many an APT has crumbled under increased scrutiny from researchers and law enforcement. But signs show Kimsuky is unfazed.

"Usually when we publish insights they'll go 'Oh, wow, we're exposed. Time to go underground,'" says Michael Barnhart, principal analyst at Mandiant, of typical APTs.

In Kimsuky's case, however, "no one cares at all. We've seen zero slowdown with this thing."

**What's Going on With Kimsuky?**

Kimsuky has gone through many iterations and evolutions, including an outright split into two subgroups. Its members are most practiced at spear phishing, impersonating members of targeted organizations in phishing emails — often for weeks at a time — in order to get closer to the sensitive information they're after.

The malware they've deployed over the years, however, is far less predictable. They've demonstrated equal capability with malicious browser extensions, remote access Trojans, modular spyware, and more, some of it commercial and some not.

In the blog post, VirusTotal highlighted the APT's propensity for delivering malware via .docx macros. In a few cases, though, the group utilized CVE-2017-0199, a 7.8 high severity-rated arbitrary code execution vulnerability in Windows and Microsoft Office.

With the recent uptick in interest around Kimsuky, VirusTotal has revealed that most uploaded samples are coming from South Korea and the United States. This tracks with the group's history and motives. However, it also has its tendrils in countries one might not immediately associate with North Korean politics, like Italy and Israel.

For example, when it comes to lookups — individuals taking an interest in the samples — the second most volume comes from Turkey. "This may suggest that Turkey is either a victim or a conduit of North Korean cyber attacks," according to the blog post.

    

Kimsuky malware sample lookups by country. Source: VirusTotal

**How to Defend Against Kimsuky**

Because Kimsuky targets organizations across countries and sectors, the range of organizations who need to worry about them is greater than most nation-state APTs.

"So what we've been preaching everywhere," Barnhart says, "is strength in numbers. With all these organizations around the world, it's important that we all talk to each other. It's important that we collaborate. No one should be operating in a silo."

And, he emphasizes, because Kimsuky uses individuals as conduits for greater attacks, everybody has to be on the lookout. "It's important that we all have this baseline of: don't click on links, and use your multi-factor authentication."

With simple safeguards against spear phishing, even North Korean hackers can be thwarted. "From what we're seeing, it does work if you actually take the time to follow your cyber hygiene," Barnhart notes.

North Korea's Kimsuky APT Keeps Growing, Despite Public Outing

An uptick in EvilExtractor activity aims to compromise endpoints to steal browser from targets across Europe and the US, researchers say.

A phishing campaign that launched in March and is actively targeting Microsoft operating system users in Europe and the US is making the rounds, using the EvilExtractor tool as its weapon of choice.

Research this week from FortiGuard Labs details the EvilExtractor attack chain, explaining that it usually starts with a legitimate-seeming Adobe PDF or Dropbox link, which instead deploy a malicious PowerShell when opened or clicked, before eventually leading to the modular EvilExtractor malware.

"Its primary purpose seems to be to steal browser data and information from compromised endpoints, and then upload it to the attacker’s FTP server," FortiGuard Labs researchers wrote.

The report points out that EvilExtractor was first developed by Kodex, which claimed that, despite its obvious name, it's used as an "educational tool,' according to the EvilExtractor report. "However, research conducted by FortiGuard Labs shows cybercriminals are actively using it as an info-stealer."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

'EvilExtractor' All-in-One Stealer Campaign Targets Windows User Data

While Intel is building more hardware protections directly into the chips, enterprises still need a strategy for applying security updates on these components.

Intel is taking a new tack with its latest commercial PC chips announced last month: Instead of touting speed and performance, the company is emphasizing the chip's security features.

The chip giant has been working with security vendors in recent years to implement hardware-level protections on the chips to protect laptops from ransomware and malware attacks. The new 13th Gen Intel Core vPro processors include under-the-hood improvements at the firmware and operating system levels that boost system protection and management, the company says.

Attackers will find it harder to compromise the firmware through hardware exploits because many of the new upgrades are in the chip's firmware and BIOS, and the chip's security layer contains prevention and detection capabilities. For example, there is a better handshake between the firmware and Microsoft's virtualization technology in Windows 11 to prevent intrusions, says Mike Nordquist, vice president and general manager of Intel Business Client Product Planning and Architecture. He notes that Hyper-V on Windows 11 works with vPro to store secrets and credentials in a virtual container.

"If you only have detection, you keep letting everyone in your front door. You are never really going to address the problem. You have to figure out how to close that front door," Nordquist says.

**Secure Enclaves on Chip**

Intel's vPro now provides the hooks for critical applications running on Windows 11 to be encrypted in memory through a feature called Total Memory Encryption-Multi-Key.

Microsoft provides the ability to encrypt storage drives, but it recently added the ability to encrypt data in memory. Intel's newer Core chips, code-named Raptor Lake, come ready for that feature; they have 16 memory slots in which applications can be encrypted, with separate keys needed to unlock the data.

The feature helps prevent side-channel attacks, which typically involve breaking into a chip and stealing unencrypted data from sources that include memory. Hackers would need a key to unlock the data, and isolating applications in 16 different slots makes it an even bigger challenge to steal data.

Applications are encrypted in virtual machines created in the memory slots, and system administrators can enable or disable the feature.

"We're not encrypting the entirety of the memory, because if you don't need to do it, it is basically going to impact performance," says Venky Venkateswaran, director of client product security and virtualization architecture and definition for Intel's Client Computing Group.

A new vPro technology to prevent security threats, TDT (threat detection technology), uses libraries baked into the chips to identify abnormal activity and security threats on a PC. The library assesses telemetry coming from CPUs that may be related to abnormal processing activity as a result of a security breach.

For example, the libraries can tell if a cryptocurrency mining application is calling on an abnormally high number of crypto instructions. That information is sent to security applications, which use that data in their engine to triage and stop threats.

The libraries have models tuned to weed out ransomware and other types of attack.

"We have low-level telemetry and an AI engine of sorts that can weed out the noise ... you don't want to have false positives," Venkateswaran says.

Intel is partnering with several antivirus vendors, including Microsoft, CrowdStrike, Eset, and Check Point Technologies, to integrate TDT features into security software. This way, the vendors get access to hardware telemetry to detect threats in virtual machines. For example, Eset Endpoint Security will be able to detect ransomware through Intel's performance monitoring unit (PMU), which sits underneath applications in the operating system.

**Patching Components**

Intel is working with PC makers to bring a standard methodology to patch PCs, and it is not putting all the eggs in one basket when it comes to securing systems. The focus is on establishing islands of security for different hardware components.

"There's no reason the BIOS needs to be able to have access to the OS memory. There is no value-add in it," Nordquist says. "So we actually deprivileged that at a base level ... and we did an enhanced level where we could really lock it down good. On vPro, that is a little bit better."

Attack vectors for PCs are different from servers and require a different security profile, he says.

"Before, PCs were designed to make sure the OS was protected. What if I want to protect something from the OS? What if I do not trust the hypervisor? I need the next level of security to deal with that," Nordquist says.

**Squashing Chip Bugs**

As a sign that Intel is serious about making hardware security a priority, the company last year awarded $935,751 in bug bounties to security researchers disclosing security flaws in its chips and firmware. The company has paid a total of $4 million since the inception of the program in 2017, according to its most recent annual security research report.

"These firmware updates are usually released on Intel's website, and the device vendor is responsible for distributing them. Some of them can be delivered automatically by Microsoft Windows Update, but only limited vendors can update their devices through it," says Alex Matrosov, founder of Binarly, whose firmware security platform helps people discover and patch hardware vulnerabilities. "CISOs should start paying more attention to threats and device ... security below the operating system. Every mature enterprise organization should invest in firmware security and specifically vulnerability management for their device security pasture."

Intel Prioritizes Security in Latest vPro Chips

The transition from traditional logins to cryptographic passkeys is getting messy. But don’t worry—there’s a plan.

There was never a question that it would take years to transition the world away from passwords. The digital authentication technology, though deeply flawed, is pervasive and inveterate. Over the last five years, though, the secure-authentication industry association known as the FIDO Alliance has been making real progress promoting “passkeys,” a password-less alternative for signing into applications and websites. And yet, you probably still use a lot of passwords every day. In fact, you may not have any accounts protected by a passkey at all, despite broad adoption from Microsoft, Google, Apple, and many more.  

At the RSA security conference in San Francisco next week, Christiaan Brand, co-chair of the FIDO2 technical working group and an identity and security product manager at Google, will present a talk on new features and growth in passkey adoption. He also plans to examine the current challenges that passkeys face in countering the inertia passwords have built up over decades—and the long game of slowly grinding down the password's dominance.

“What I want to highlight is how far we’ve come, but which problems still remain unsolved,” Brand says. “Passwords are everywhere, and they are bad, but everyone is accustomed to them. Users don’t want to be surprised, and they don’t like change. So it’s very important to think about passkeys as an augmentation. We need to kind of push users toward the thing that will be easier and more secure."

Over the past year, Brand says, FIDO has made significant progress rolling out features to support its password-less vision. The infrastructure is now in place to back up passkeys so they can sync between devices, get services to prompt users about passkeys rather than always defaulting to username and password, and use Bluetooth-based proximity sensing to share passkey authentication between devices. All three of these points address major usability issues that FIDO publicly set out to improve a year ago.

In practice, though, there are still hurdles, and developing these solutions has taken time. For example, Brand says the new Bluetooth-based proximity-sensing protocol was carefully engineered to avoid the security issues that often plague Bluetooth implementations. The idea was to strip away most of Bluetooth's functionality and exclusively use the protocol for proximity checks rather than any data transfers. This approach has allowed passkeys to bypass many of Bluetooth's quirks and reliability issues when attempting to pair devices. 

Developing a coherent “user experience” (UX) for passkeys across different operating systems and web services is an ongoing challenge, though. If you, say, log into your Google account from a Mac using traditional passwords, your credentials still get checked against what Google has on file for your account on one of the company's servers. But the security and phishing-resistant benefits of passkeys come from the fact that they work differently. If you use a passkey to log into your Google account from a Mac, the cryptographic check happens locally and Apple is never directly involved—everything the user experiences during the interaction is facilitated by macOS, not Google.

“If I'm Google implementing passkeys, I cede a lot of control to Apple if my user is on an Apple device, I cede a lot of control to Microsoft if the user is on a Windows device, I cede a lot of UX control to Android and browsers,” Brand says. “So I think we’re in the technology infancy, where all of these different platforms have come up with different UX patterns and UX paradigms. Stitching all of that together is kind of tricky, and that’s probably going to take another nine to 12 months for the industry to support.”

Another big challenge with establishing consistency and continuity will be the long transition to passkeys alone. For the foreseeable future, services must continue to support username and password logins and make sure those systems are as secure and up-to-date as possible while primarily supporting the growth and evolution of passkeys. As password login systems fade from prominence and are neglected, they could produce new types of security exposures in their disrepair.

For now, though, the tech industry is still in the early stages of this long haul transition.

“Part of the problem is that all the stuff that I have in my presentation, we haven’t really seen this put into practice yet,” Brand says. “There are passkey implementations out there, and some folks have dipped their toe in the water, but a lot of the stuff isn’t really in the mainstream consciousness of developers, and certainly not for users. The mass, super-scale adoption is still something that we’re working to make happen.”

The War on Passwords Enters a Chaotic New Phase

We learned some remarkable new details this week about the recent supply-chain attack on VoIP software provider 3CX, a complex, lengthy intrusion that has the makings of a cyberpunk spy novel: North Korean hackers using legions of fake executive accounts on LinkedIn to lure people into opening malware disguised as a job offer; malware targeting Mac and Linux users working at defense and cryptocurrency firms; and software supply-chain attacks nested within earlier supply chain attacks.

We learned some remarkable new details this week about the recent supply-chain attack on VoIP software provider **3CX.** The lengthy, complex intrusion has all the makings of a cyberpunk spy novel: North Korean hackers using legions of fake executive accounts on **LinkedIn** to lure people into opening malware disguised as a job offer; malware targeting **Mac** and **Linux** users working at defense and cryptocurrency firms; and software supply-chain attacks nested within earlier supply chain attacks.

Researchers at ESET say this job offer from a phony HSBC recruiter on LinkedIn was North Korean malware masquerading as a PDF file.

In late March 2023, 3CX disclosed that its desktop applications for both **Windows** and **macOS** were compromised with malicious code that gave attackers the ability to download and run code on all machines where the app was installed. 3CX says it has more than 600,000 customers and 12 million users in a broad range of industries, including aerospace, healthcare and hospitality.

3CX hired incident response firm **Mandiant**, which released a report on Wednesday that said the compromise began in 2022 when a 3CX employee installed a malware-laced software package distributed via an earlier software supply chain compromise that began with a tampered installer for **X\_TRADER**, a software package provided by **Trading Technologies**.

“This is the first time Mandiant has seen a software supply chain attack lead to another software supply chain attack,” reads the April 20 Mandiant report.

Mandiant found the earliest evidence of compromise uncovered within 3CX’s network was through the VPN using the employee’s corporate credentials, two days after the employee’s personal computer was compromised.

“Eventually, the threat actor was able to compromise both the Windows and macOS build environments,” 3CX said in an April 20 update on their blog.

Mandiant concluded that the 3CX attack was orchestrated by the North Korean state-sponsored hacking group known as Lazarus, a determination that was independently reached earlier by researchers at Kaspersky Lab and Elastic Security.

Mandiant found the compromised 3CX software would download malware that sought out new instructions by consulting encrypted icon files hosted on **GitHub**. The decrypted icon files revealed the location of the malware’s control server, which was then queried for a third stage of the malware compromise — a password stealing program dubbed ICONICSTEALER.

The double supply chain compromise that led to malware being pushed out to some 3CX customers. Image: Mandiant.

Meanwhile, the security firm **ESET** today published research showing remarkable similarities between the malware used in the 3CX supply chain attack and Linux-based malware that was recently deployed via fake job offers from phony executive profiles on LinkedIn. The researchers said this was the first time Lazarus had been spotted deploying malware aimed at Linux users.

As reported in a recent series last summer here, LinkedIn has been inundated this past year by fake executive profiles for people supposedly employed at a range of technology, defense, energy and financial companies. In many cases, the phony profiles spoofed chief information security officers at major corporations, and some attracted quite a few connections before their accounts were terminated.

Mandiant, Proofpoint and other experts say Lazarus has long used these bogus LinkedIn profiles to lure targets into opening a malware-laced document that is often disguised as a job offer. This ongoing North Korean espionage campaign using LinkedIn was first documented in August 2020 by **ClearSky Security**, which said the Lazarus group operates dozens of researchers and intelligence personnel to maintain the campaign globally.

**Microsoft Corp.**, which owns LinkedIn, said in September 2022 that it had detected a wide range of social engineering campaigns using a proliferation of phony LinkedIn accounts. Microsoft said the accounts were used to impersonate recruiters at technology, defense and media companies, and to entice people into opening a malicious file. Microsoft found the attackers often disguised their malware as legitimate open-source software like **Sumatra PDF** and the SSH client **Putty**.

Microsoft attributed those attacks to North Korea’s Lazarus hacking group, although they’ve traditionally referred to this group as “**ZINC**“. That is, until earlier this month, when Redmond completely revamped the way it names threat groups; Microsoft now references ZINC as “**Diamond Sleet**.”

The ESET researchers said they found a new fake job lure tied to an ongoing Lazarus campaign on LinkedIn designed to compromise **Linux** operating systems. The malware was found inside of a document that offered an employment contract at the multinational bank HSBC.

“A few weeks ago, a native Linux payload was found on VirusTotal with an HSBC-themed PDF lure,” wrote ESET researchers **Peter Kalnai** and **Marc-Etienne M.Leveille**. “This completes Lazarus’s ability to target all major desktop operating systems. In this case, we were able to reconstruct the full chain, from the ZIP file that delivers a fake HSBC job offer as a decoy, up until the final payload.”

ESET said the malicious PDF file used in the scheme appeared to have a file extension of “.pdf,” but that this was a ruse. ESET discovered that the dot in the filename wasn’t a normal period but instead a Unicode character (U+2024) representing a “leader dot,” which is often used in tables of contents to connect section headings with the page numbers on which those sections begin.

“The use of the leader dot in the filename was probably an attempt to trick the file manager into treating the file as an executable instead of a PDF,” the researchers continued. “This could cause the file to run when double-clicked instead of opening it with a PDF viewer.”

ESET said anyone who opened the file would see a decoy PDF with a job offer from HSBC, but in the background the executable file would download additional malware payloads. The ESET team also found the malware was able to manipulate the program icon displayed by the malicious PDF, possibly because fiddling with the file extension could cause the user’s system to display a blank icon for the malware lure.

**Kim Zetter**, a veteran Wired.com reporter and now independent security journalist, interviewed Mandiant researchers who said they expect “many more victims” will be discovered among the customers of Trading Technologies and 3CX now that news of the compromised software programs is public.

“Mandiant informed Trading Technologies on April 11 that its X\_Trader software had been compromised, but the software maker says it has not had time to investigate and verify Mandiant’s assertions,” Zetter wrote in her Zero Day newsletter on Substack. For now, it remains unclear whether the compromised X\_Trader software was downloaded by people at other software firms.

If there’s a silver lining here, the X\_Trader software had been decommissioned in April 2020 — two years before the hackers allegedly embedded malware in it.

“The company hadn’t released new versions of the software since that time and had stopped providing support for the product, making it a less-than-ideal vector for the North Korean hackers to infect customers,” Zetter wrote.

Tag

#microsoft