The privacy-focused company's new Goggles tool allows users to weed out the noise—whatever that might mean.

Anyone can create or alter a Goggle. However, at the beta launch, Brave created eight different Goggles as examples. (It says these will be deleted once people create their own). These examples include Goggles to re-rank search results to remove copycat pages, removing search results from the top 1,000 websites, boosting content found on technical blogs, and more.

Pujol says that Brave created Goggles—which it first outlined in a 2021 white paper—to help remove biases from search results, including those in Brave’s search, and give people more choice. “Biases are everywhere: the underlying data, which sites are easier to crawl, which models are chosen, feature selection, presentation biases, popularity, the list can go on indefinitely,” Pujol says. It is very hard, if not impossible, to remove all biases from search results.

“Goggles will allow the creation of multiple universes within which users could search,” says Uri Gal, a professor of business information systems at the University of Sydney. Gal adds that the move is welcome in a search market that “has seen little innovation or competition” over the past couple of decades. “It would reduce the risk of people getting a single view of reality—or that portion of reality that they are interested in—that is created and maintained by a single platform (e.g. Google, Facebook) based on proprietary algorithms,” Gal says.

Brave knows that people may use Goggles to reinforce their worldview and filter subjects that align with their existing beliefs. At launch, both right- and left-leaning political Goggles have been created by AllSides, an American company that rates media organizations for their political bias. “We believe in freedom of speech, and as such, it is not for us to decide what is right or wrong,” Pujol says. “The person using Goggles is making a conscious act when applying a Goggle, and contrarian perspectives should be readily available. This explicitness alone is an improvement from the current landscape, where this kind of alteration is made without the user realizing it.”

Brave says it will treat Goggles the way as it does all web results and “not censor or police them,” unless it is required to do so legally, such as removing instances of child sexual abuse material.

But there are questions about how this will work in reality. “Exercising bias control is an action for the thoughtful,” says Bart Willemsen, a VP analyst focusing on privacy at Gartner, who adds that he is hopeful Goggles can have positive results. “In the abundance of information available, including dis- and malinformation, to correctly curate what is believed to be relevant and what not, or even untrue, is a huge task,” Willemsen says.

Despite Google’s dominance, there’s a flourishing market for alternative privacy-focused search engines, which claim not to track users or use their personal information for creepy ads. This includes Brave, which launched its search in beta last year. Among others—all with slightly different privacy claims and ways of working—are DuckDuckGo, StartPage, and Mojeek. (DuckDuckGo uses Bing to help power its search results, while StartPage is based on Google.) While billions of searches are made with Google alternatives each year, that’s still a drop in the ocean compared to Google’s dominance.

The search results that companies show, while being based on multiple factors, can prove controversial. Companies may face difficulties with the amplification of political content and issues around free speech. In October 2021, Twitter admitted its algorithm amplifies right-wing politicians more than left-wing ones. Recently, people on the far right have complained that DuckDuckGo limited Russian propaganda, although its results are partly provided by Microsoft’s Bing. In contrast, one 2019 study by Stanford University researchers found that Google’s search results didn’t favor either politician wing.

When Brave debuted its idea for Goggles in 2021, the company said it would open an offer to incorporate Goggles into any other search engine. So far, Pujol says, there haven’t been any conversations about this. And large changes to the status quo are unlikely. “I can’t see Google or any other major platform integrating user-defined Goggles,” Barnet says. “It would interfere with the way they personalize advertising to you and how they collect data on your activity to deliver that advertising. In other words, it would interfere with their business model.”

Brave Now Lets You Customize Search Results—for Better or Worse

Using WebAuthn, physical keys, and biometrics, organizations can adopt more advanced passwordless MFA and true passwordless systems. (Part 2 of 2)

_The first article of this two-part series examined ways to improve multifactor authentication (MFA) and boost adoption. This story takes a look at how organizations can adopt more advanced passwordless MFA and true passwordless systems._

Getting to passwordless won't be easy, but the concept is finally gaining momentum. Although several vendors have offered passwordless MFA and true passwordless technology for a few years — mostly relegated to enterprise use — a more comprehensive framework is now taking shape. Apple, Google, and Microsoft have jointly agreed to adopt passwordless in earnest.

For example, Apple will be introducing Passkeys, which completely replace passwords used to log into websites, in a few months. The framework, based on the FIDO Alliance standard, uses biometrics such as Face ID to generate a unique, encrypted digital key that resides only on the device and within an encrypted keychain used for other Apple devices, including the iPhone, iPad, Mac, and Apple TV. This makes it impervious to phishing and other forms of data extraction.

In 2020, Microsoft turned to biometrics for authentication in Windows 10 and Windows 365 — and the company is also expanding passwordless to websites. In addition, all three companies are adding the ability to transfer this identity data across authenticated devices and systems. In the past, changing phones or other devices typically meant reinstalling credentials — a time-consuming and irritating task.

In addition to building biometrics and other security mechanisms into their operating systems, the Big Three are introducing software development kits (SDKs) that companies can use to build passwordless websites. As a result, it will soon be possible for consumers to begin ditching passwords for compliant sites and services. Like Apple's Passkey, a mobile phone or other registered device authenticates the person and then sends the request to the server without sending the biometric data.

"Where the big vendors lead, everyone else follows," says Don Tait, a senior analyst for Omdia.

At the heart of this transformation is the FIDO Alliance. "It is a classic example of the impact of consumerization on technology," adds Rik Turner, a senior analyst at Omdia. "As people begin to use tools in their private lives, they begin to seep into the workplace."

**A Matter of Identity**

Security experts say that the first step in building a better authentication framework is to stop using outdated methods like secret words and one-time codes to verify users. Even push apps are vulnerable to exploits. For example, crooks who gain access to a company's network or an MFA system can generate fake authentication requests that someone might authorize in a moment of distraction or inattentiveness.

Even highly secure YubiKeys and other U2F tokens aren't exempt from vulnerabilities and workarounds. For example, if a user forgets the key or can't use it for some reason, the typical workaround is to revert to a text code or less secure form of MFA as the backup. At that point, even an ultra-secure digital token can't provide protection.

A deeper and broader use of biometrics and user verification methods, including presence-based authentication and behavioral or activity-based models, is key. This includes the use of the FIDO protocol WebAuthn, which delivers an API that supports strong, public-key cryptography registration and authentication. It can be combined with a continuous authentication method that reverifies the identity of the session through a persistent token.

Several companies, including Beyond Identity, Veriff, 1Kosmos, and Jumio, have adopted this type of approach. They rely on FIDO standards that tie into biometrics, along with a highly secure identity proofing method. Typically, they ask users to provide a document such as a driver's license or a passport, which is securely stored in an app on the device. A selfie or face scan ensures that everything matches and authenticates the user.

For example, Veriff, which works in 190 countries, in 35 languages, and with 8,000 IDs, runs an online blockchain-based identity verification within a few seconds. It uses an AI-supported decision engine that incorporates real-time feedback through a document check, biometric scan, face comparison, background video, and device and network analytics. Financial institutions, healthcare providers, and others that use the technology can also reduce fake accounts and fraud.

"This creates a barrier that is much more difficult for an intelligent and determined bad actor to bypass," says Kalev Rundu, senior product manager at Veriff. "People today are much more willing to use biometrics for authentication, but they are only ready to do it if they receive real value in return and they can maintain control over how and where their data is used."

**Forward Thinking**

The move to passwordless MFA and true passwordless remains a slow march. For now, advanced authentication is more viable within the enterprise, where it's a closed and controlled environment. Michael Engle, co-founder and CSO at passwordless MFA solutions vendor 1kosmos, estimates that 80% of passwords can be eliminated almost immediately with the right strategy and tools.

For now, Omdia analysts Tait and Turner recommend migrating to passwordless MFA without delay. Not only does the framework deliver a better and safer customer experience, but it can also drive revenue growth, they argue. In addition, it's wise to phase in true passwordless systems and build on them through the FIDO Alliance, as well through Apple Passkeys and the equivalent passwordless systems at Google and Microsoft.

Along the way, it's also essential to educate customers and employees about passwordless authentication and ensure that people understand that their biometric data is being used as their gateway to apps and the Internet. The combination of better UX, incentives, and more streamlined processes can, over the long term, boost security, improve trust, and trim security costs.

Says Jasson Casey, CTO for Beyond Identity: "In the end, the objective isn't to eliminate passwords, though that's a noble cause. It's to create better security and a safer computing environment for everyone."

Evolving Beyond the Password: Vanquishing the Password

The cybersecurity community is buzzing with concerns of multichannel phishing attacks, particularly on smishing and business text compromise, as hackers turn to mobile to launch attacks.

As security conferences return to in-person venues, the cybersecurity community is buzzing with concerns over multichannel phishing attacks, with mobile phishing the biggest concern as hackers turn to mobile to launch smishing and business text compromise attacks.

By moving completely to the cloud, apps and browsers are all we need to communicate with work, family, and friends. While most of us are aware of the cybersecurity guardrails, we are not infallible. We can be lured into providing personal information and credentials or installing malicious apps that can undermine even the most sophisticated cybersecurity defenses. Our reliance on mobile devices with little or no protection from malicious attacks leaves personal and company data at risk.

Multichannel phishing attacks are on the rise, and more breaches are successful because hackers are delivering very targeted attacks on massive scales — powered by automation technology, taking advantage of human psychology, and exploiting our use of apps, browsers, and multiple communications channels.

Humans are the most strategic cybersecurity entry points into an organization because criminals can use psychology to fool us into overriding or undermining even the most sophisticated cybersecurity protection setups. And today's sophisticated attacks are essentially invisible to the human eye. Gone are the poorly spelled phishing emails of yesterday. Today's human hacking can fool even the most security-aware professional to follow a malicious URL or log in to an illegitimate site and expose data and a network. For the attacker, it's much more straightforward and a lower cost to attack a human than a network or a well-defended machine.

'Furthermore, our world — and the way we use technology — has been dramatically altered. This has further increased the danger of human hacking attacks. Post-pandemic, a large percentage of the workforce will continue to have some hybrid remote/office working arrangements — meaning that we're mixing our personal and professional worlds online more than ever. That opens us to more threats, especially when human hacking attacks are coming from legitimate infrastructure. We've turned to interacting through apps and working on browsers. Using collaboration channels like Zoom and Slack and doing nearly everything through our smartphones has opened more attack vectors.

Gone are the days when phishing emails were easily spotted due to low-quality logos, poor grammar, or just the totally unbelievable nature of the email. Now, attackers are well-equipped and very strategic about their attacks, and the believable SMS text or social media invite from a cybercriminal is far more dangerous.

Then, the sheer number of these channel users multiplies the risk equation for enterprises. Add to this the fact that attacks have evolved to the point where a single attack will use multiple channels to convince the users that they are legitimate. There is also the major issue of underestimating the risk of the human factor — today's attacks are simply impossible to detect with human-only views, assessments, and forensics.

**What to Watch For**

Now, especially as the browser is becoming the operating system of the enterprise, the number of channels for attack has increased. Browser extensions and plug-ins are available through very respected big brands, including Android and Apple, but they are not always safe. Also, browser search results can become embedded with attacks, attracting the attention of the user with something that they care about and are more likely to click on. And of course, common Microsoft 365 apps and enterprise productivity apps such as LinkedIn, Dropbox, and WhatsApp are open to phishing abuse.

Since human hacking is a unique problem, we need to focus on people in order to resolve it. Training people to recognize threats is important, but the attacks are too hard to spot by users for training employees to be cautious to be enough security. Asking people to forward suspicious requests to IT is a help but not a cure. There are simply too many convincing attacks coming in on all channels for IT to keep up with those that are forwarded.

There are better ways. One, recognize that cybercriminals are pointing attacks at the people inside organizations and then defend them — on every single digital channel. Two, take advantage of AI and machine learning to identify threats and then use that protection on endpoints in an organization's network — from employee smartphones to Zoom accounts.

In a world where we're trying to stay one step ahead of the hackers, it's time to adequately recognize the magnitude of the multichannel challenge on the horizon — and a new approach that bolsters the people who are under attack.  
**  
About the Author**

    

Patrick Harr is CEO of SlashNext, the authority in multichannel phishing and human hacking protection across email, Web, and mobile.

The Risk of Multichannel Phishing Is on the Horizon

We as industry leaders should be building on what individual platforms like GitHub are doing in two critical ways: demanding third parties improve security and creating more interoperable architectures.

GitHub recently made security news by announcing plans to implement default multifactor authentication (MFA) across its repositories. The company deserves credit for recognizing its gravitational pull within the software ecosystem and acting accordingly, but it shouldn't be alone. We as industry leaders should be building on what individual platforms like GitHub are doing in two critical ways: demanding our own ecosystems of providers raise the bar of their security practices, and creating more interoperable architectures and blueprints to make better security postures more accessible for organizations that rely on our critical platforms.

**Our Interconnected Tech Stack**

Enterprises today rely on a whole ecosystem to run their tech stacks. They rely on cloud services for their infrastructure, including Azure, AWS, and Google Cloud. They rely on companies like Okta for their identity solutions, and they rely on a whole host of technologies to help them build or sell products faster, including collaboration and CRM apps as well as repositories like GitHub.

They also rely on a broad set of third-party providers to deliver services such as customer support, or to manage some aspects of their infrastructure. We know the long chain of software cooks in the kitchen has created access nightmares and breaches. The Cybersecurity and Infrastructure Security Agency, along with other international government security organizations recently released guidance for managed service providers, and third-party risk is something we at Okta know better than most. In January of this year, we experienced the compromise of a provider that ultimately resulted in a threat actor briefly gaining access to an Okta support tool via a thin client. While the threat actor never directly accessed the Okta service through an Okta account, Okta's own security posture was threatened as a result of our interconnected ecosystem.

**The Path Forward**

The first step toward resolution is technology leaders looking internally to recognize and take stock of our own service supply chain and the third-party providers we rely on. In Okta's case, we took a hard look at how Okta provides access to our providers and the security expectations we have for third-party providers that have access to customer data. While security practitioners understand the need to implement systems of least privilege that limit lateral movement, it's critical to ask whether those same principles are being applied by the third-party providers you rely on. Movement within their environments can become movement in yours.

The second area is looking outward toward the customers and partners who rely on our platforms. In the case of GitHub, the attack surface is massive and the user base is broad. In an age where everyone acknowledges the need to implement MFA, its adoption levels are still quite low. Look no further than Microsoft Azure Active Directory, where more than three-quarters (78%) of organizations currently don't employ MFA for their user accounts according to Microsoft's "Cyber Signals Report."

For something like identity and access management, it's easy to see just how broad the identity and access management attack surface can be. According to Verizon's "Data Breach Investigations Report," 89% of Web app attacks are caused by credential abuse. While standards help a lot in access management, they are not foolproof. Leading identity solutions have largely eliminated the need for individual configurations to apps and services through prebuilt, self-service integrations that rely on standards and protocols like SAML and OpenID Connect.

But that ability to ensure secure interoperability can and should go further.

Organizations rely on multiple solutions that co-exist, feeding logs, risk signals, and other valuable insights into one another. We often think of this for security tools, but it should also apply to any platform or service where there is data and sensitive information. This is where we can and should improve in order to raise all security boats. Our efforts as an industry to operate with an eye toward open, prebuilt integrations and clear architectures will ensure that tentpole technologies — whether they're in networking, identity management, endpoint detection and response, or security information and event management — work effectively together. This goes beyond preventing misconfigurations: It's about creating better security outcomes.

Our technology world is flatter today than it has ever been before, whether it's our collective reliance on third-party providers, our interconnected software supply chain, or the interoperability of our tooling. In that environment, it's critical for industry leaders to not only maintain a high degree of compliance across their own ecosystems of third-party providers but to develop technologies and policies that raise the bar for their users and customers. Part of that is through steps like the one GitHub is taking: implementing default policies that rely on stronger factors. But in an interconnected world, we must move beyond individual actions to create open and interoperable technologies that enable users to easily configure and integrate their foundational technologies in secure ways.

GitHub's MFA Plans Should Spur Rest of Industry to Raise the Bar

With almost every business experiencing growth in human and machine identities, firms have made securing those identities a priority.

Rapidly growing employee identities, third-party partners, and machine nodes have companies scrambling to secure credential information, software secrets, and cloud identities, according to researchers.

In a survey of IT and identity professionals released Wednesday from Dimensional Research, almost every organization — 98% — experiences rapid growth in the number of identities that have to be managed, with that growth driven by expanding cloud usage, more third-party partners, and machine identities. Furthermore, businesses are also seeing an increase in breaches because of this, with 84% of firms suffering an identity-related breach in the past 12 months, compared with 79% in a previous study covering two years.  

The rising incidence of breaches is unsurprising, says Julie Smith, executive director of the Identity Defined Security Alliance (IDSA), which sponsored the survey,

"The number and complexity of identities organizations are having to manage and secure is increasing," she says. "Whenever there is an increase in identities, there is a corresponding heightened risk of identity-related breaches due to them not being properly managed and secured, and with the attack surfaces also growing exponentially, these breaches can occur on multiple fronts."

For the most part, organizations focus on employee identities, which 70% consider to be the most likely to be breached and 58% believe to have the greatest impact, according to the 2022 "Trends in Securing Digital Identities" report based on the survey. Yet third-party partners and business customers are significant sources of risk as well, with 35% and 25% of respondents considering those to be a major source of breaches, respectively.

    

Source: IDSA

The IDSA recommends that companies focus on identity-related security outcomes that reduce the risk and impact of data breaches. Almost every respondent (96%) believes that implementing security controls focused on identities, such as multifactor authentication (MFA), could have prevented or minimized a breach.

"Centered on enabling effective identity governance, access, and behavioral detection, the security outcomes add a layer of protection around IT environments," the report states. "It is here that multifactor authentication as a mitigation strategy jumped to the top of the list in preventing breaches."

**MFA Reduces Identity-Related Breaches**

The top three countermeasures identified by respondents as potentially blunting the impact of breaches included MFA, more timely review of privileged access, and continuous discovery and monitoring of privileged access rights, according to the survey. Those three security controls also are likely to get the most investment in the coming year, says IDSA's Smith.

"We wouldn’t necessarily expect the countermeasures and planning to match up 100% as that would indicate organizations are chasing their tails and focusing only on the last breach when forward-thinking strategy and vision about the next potential breach is needed," she says.

Machine identities — such as system credentials, software secretes, and Internet of Things (IoT) passwords — are the main factors driving increased identities at 43% of organizations, according to the report. Despite that, only 18% of companies consider machine identities to be a significant source of breaches.

"Both human and machine identities are vulnerable without the proper mitigation and security tactics in place," Smith says. "Given that machine identities have the potential to expand much quicker than human identities, if a machine identity isn’t properly secured, managing the network of machine identities can quickly pose a major risk."

Meanwhile, the growing number of cloud workloads means that the credentials that allow software to talk use APIs and communicate with other software is an expanding surface of attack, Alex Simons, corporate vice president of program management for Microsoft's Identity division, said in March.

Companies that have executives focused on identity security are more likely to reduce the risk of breaches, according to the IDSA report. While only 30% of respondents consider training in securing passwords to be a very effective strategy, companies that have top-level business executives espousing support for password security are much more likely to be more careful with work-related credentials compared with companies that rely on security teams as the primary evangelist.

"If we’re talking about implementing and deploying meaningful security outcomes, we have to increase engagement beyond IT or security teams," IDSA's Smith says. "This simply demonstrates that when management embraces security as a part of messaging, the general trend implies that security becomes a strategic part of the company’s culture."

80% of Firms Suffered Identity-Related Breaches in Last 12 Months

Popular zipfile program 7-Zip now supports Microsoft's Mark of the Web feature. What is it, and how does it work?
The post 7-Zip gets Mark of the Web feature, increases protection for users appeared first on Malwarebytes Labs.

One of the most popular zip programs around, 7-Zip, now offers support for “Mark of the Web” (MOTW), which gives users better protection from malicious files.

This is good news. But what does that actually mean?

In the bad old days, opening up a downloaded document could be a fraught exercise. Malicious files would often have full permission from the system to do whatever they wanted. Compromised PCs were the inevitable end result, and infected attachments were extremely popular. Outside of regular security tools, there often wasn’t much else available to help stop the flow.

Microsoft’s file block feature in 2007 meant network administrators could lock down any attempt to open specific file types. Unfortunately, this was a little too restrictive for some users. Files couldn’t be opened, even in cases where the user knew they were safe.

Microsoft changed things up a little in 2010, with Protected View.

**Protected View: what is it?**

Every time you download a spreadsheet or Word document and open it up, some checking takes place in the background. Downloaded files produce a yellow bar with the following message:

> _Protected View: Be careful. Files from the internet can contain viruses. Unless you need to edit, it’s safer to stay in Protected View._

This isn’t too different to the old file block feature, with a few key differences. Firstly, you can actually look at the document you want to open. As it is locked into a read-only mode, it can’t do anything malicious to your system. Secondly, users now have the option to enable editing. While there are other potentially dangerous aspects to opening downloaded files, Microsoft has solutions for those too. There is, of course, something telling these programs to warn you about potentially dangerous files. This is where MOTW comes into play.

**How does Mark of the Web help?**

MOTW is perhaps most recently known for blocking VBA code from running in Office. When a file is downloaded, Windows adds a ZoneId to the file which is responsible for the warning message(s). When the system detects the mark, the yellow bar is replaced by a red one. Unlike it’s yellow counterpart, there is no enable content button. Those files are done, with no way back.

Right click a file you’ve downloaded, and in General properties you should see a message which reads:

> _This file came from another computer and might be blocked to help protect this computer._

This exists thanks to MOTW.

The mark doesn’t exist on the file itself, which is left untouched. Originally an Internet Explorer security feature, you’ll now find it keeping you from harm’s way across the Microsoft product range.

**Is this new addition a benefit for a zip program?**

Absolutely. As noted by Bleeping Computer, MOTW didn’t apply to files extracted with 7-Zip. As a result, you’d have Office files opening as if you’d created them yourself with no Protected View in sight.

With this now enabled in the latest version of 7-Zip, some key Windows security precautions are now back in place.

There are some caveats to this story. As we know, not everybody pays attention to security warnings. Computer users routinely ignore all manner of security alerts from their operating system, browser, and security tools. The design and placement of warnings can further deter people paying attention to them. On top of all that, bogus security warnings can further make things confusing for users.

No matter how many warning messages are displayed, some people will still click “Enable” on files they shouldn’t. Even so, opening downloaded files with restrictions applied from the get-go can only be a good thing.

7-Zip gets Mark of the Web feature, increases protection for users

The Computer Emergency Response Team of Ukraine (CERT-UA) has cautioned of a new set of spear-phishing attacks exploiting the "Follina" flaw in the Windows operating system to deploy password-stealing malware.
Attributing the intrusions to a Russian nation-state group tracked as APT28 (aka Fancy Bear or Sofacy), the agency said the attacks commence with a lure document titled "Nuclear Terrorism

The Computer Emergency Response Team of Ukraine (CERT-UA) has cautioned of a new set of spear-phishing attacks exploiting the "Follina" flaw in the Windows operating system to deploy password-stealing malware.

Attributing the intrusions to a Russian nation-state group tracked as APT28 (aka Fancy Bear or Sofacy), the agency said the attacks commence with a lure document titled "Nuclear Terrorism A Very Real Threat.rtf" that, when opened, exploits the recently disclosed vulnerability to download and execute a malware called CredoMap.

Follina (CVE-2022-30190, CVSS score: 7.8), which concerns a case of remote code execution affecting the Windows Support Diagnostic Tool (MSDT), was addressed by Microsoft on June 14, 2022, as part of its Patch Tuesday updates.

According to an independent report published by Malwarebytes, CredoMap is a variant of the .NET-based credential stealer that Google Threat Analysis Group divulged last month as having been deployed against users in Ukraine.

The malware's main purpose is to siphon data, including passwords and saved cookies, from several popular browsers such as Google Chrome, Microsoft Edge, and Mozilla Firefox.

"Although ransacking browsers might look like petty theft, passwords are the key to accessing sensitive information and intelligence," Malwarebytes said. "The target, and the involvement of APT28, a division of Russian military intelligence), suggests that campaign is a part of the conflict in Ukraine, or at the very least linked to the foreign policy and military objectives of the Russian state."

It's not just APT28. CERT-UA has further warned of similar attacks mounted by Sandworm and an actor dubbed UAC-0098 that leverage a Follina-based infection chain to deploy CrescentImp and Cobalt Strike Beacons on to targeted hosts.

The development comes as Ukraine continues to be a target for cyberattacks amidst the country's ongoing war with Russia, with Armageddon hackers also spotted distributing the GammaLoad.PS1\_v2 malware in May 2022.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Russian Hackers Exploiting Microsoft Follina Vulnerability Against Ukraine

The threat actor targets institutions and companies in Europe and Asia.

The threat actor targets institutions and companies in Europe and Asia.

An advanced persistent threat (APT) group, dubbed ToddyCat, is believed behind a series of attacks targeting Microsoft Exchange servers of high-profile government and military installations in Asia and Europe. The campaigns, according to researchers, began in December 2020, and have been largely poorly understood in their complexity until now.

“The first wave of attacks exclusively targeted Microsoft Exchange Servers, which were compromised with Samurai, a sophisticated passive backdoor that usually works on ports 80 and 443,” wrote Giampaolo Dedola security researcher at Kaspersky, in a report outlining the APT.

Researchers said ToddyCat a is relatively new APT and there is “little information about this actor.”

The APT leverages two passive backdoors within the Exchange Server environment with malware called Samurai and Ninja, which researchers say are used by the adversaries to take complete control of the victim’s hardware and network.

The Samurai malware was a part of a multi-stage infection chain initiated by the infamous China Chopper and relies on web shells to drop exploits on the selected exchange server in Taiwan and Vietnam from December 2020, reports Kaspersky.

The researchers stated that the malware “arbitrary C# code execution and is used with multiple modules that allow the attacker to administrate the remote system and move laterally inside the targeted network.” In some cases, they said, the Samurai backdoor lays the path to launch another malicious program called Ninja.

Aspects of ToddyCat’s threat activities were also tracked by cybersecurity firm ESET, which dubbed the “cluster of activities” seen in the wild as Websiic. Meanwhile, researchers at GTSC identified another part of the group’s infection vectors and techniques in a report outlining the delivery of the malware’s dropper code.

“That said, as far as we know, none of the public accounts described sightings of the full infection chain or later stages of the malware deployed as part of this group’s operation,” Kaspersky wrote.

****Multiple Strings of Attacks on Exchange Server Over the Years****

During the period between December 2020 and February 2021, the first wave of attacks were carried out against the limited number of servers in Taiwan and Vietnam.

In the next period, between February 2021 and May 2021, researchers observed a sudden surge in attacks. That’s when, they said, the threat actor began abusing the ProxyLogon vulnerability to target organizations in multiple countries including Iran, India, Malaysia, Slovakia, Russia and the United Kingdom.

After May 2021, the researchers observed the attributes linked to the same group which targets the previously mentioned countries as well as the military and government organizations based in Indonesia, Uzbekistan and Kyrgyzstan. The attack surface in the third wave is expanded to desktop systems while previously the scope was limited to Microsoft Exchange Servers only.

****Attack Sequence****

The attack sequence is initiated after the deployment of the China Chopper web shell attack sequenc, which allows the dropper to execute and install the components and create multiple registry keys.

The registry modification in the prior step forces “svchost” to load a malicious library “iiswmi.dll” and performs its action to invoke the third stage where a “.Net loader” executes and opens the Samurai backdoor.

According to the researchers, the Samurai backdoor is hard to detect during the reverse engineering process as it “switch cases to jump between instructions, thus flattening the control flow” and uses obfuscation techniques.

In the specific incidents, the advanced tool Ninja was implemented by Samurai to coordinate and collaborate multiple operators to work simultaneously on the same machine. The researchers explained that the Ninja provides a large set of commands allowing an attacker to “control remote systems, avoid detection and penetrate deep inside a targeted network”.

Ninja shares similarities with the other post-exploitation toolkit like Cobalt strike in terms of capabilities and features. It can “control the HTTP indicators and camouflage malicious traffic in HTTP requests that appear legitimate by modifying HTTP header and URL paths,” the researcher noted.

****ToddyCat Activity Extend Over to Chinese APTs****

According to the report, China-based hackers are targeting victims of the ToddyCat APT gang within the same time frame. In those instances, researchers observed the Chinese-language hackers use an Exchange backdoor called FunnyDream.

“This overlap caught our attention, since the ToddyCat malware cluster is rarely seen as per our telemetry; and we observed the same targets compromised by both APTs in three different countries. Moreover, in all the cases there was a proximity in the staging locations and in one case they used the same directory,” researchers wrote.

The security researchers believe that despite the ‘occasional proximity in staging locations’, they do not have any concrete proof that shows the linkage between the two malware families.

“Despite the overlap, we do not feel confident merging ToddyCat with the FunnyDream cluster at the moment,” Kaspersky wrote. “Considering the high-profile nature of all the victims we discovered, it is likely they were of interest to several APT groups,” the report added.

“The affected organizations, both governmental and military, show that this group is focused on very high-profile targets and is probably used to achieve critical goals, likely related to geopolitical interests,” Kaspersky wrote.

Elusive ToddyCat APT Targets Microsoft Exchange Servers

The operators behind the Rig Exploit Kit have swapped the Raccoon Stealer malware for the Dridex financial trojan as part of an ongoing campaign that commenced in January 2022.
The switch in modus operandi, spotted by Romanian company Bitdefender, comes in the wake of Raccoon Stealer temporarily closing the project after one of its team members responsible for critical operations passed away in

The operators behind the Rig Exploit Kit have swapped the Raccoon Stealer malware for the Dridex financial trojan as part of an ongoing campaign that commenced in January 2022.

The switch in modus operandi, spotted by Romanian company Bitdefender, comes in the wake of Raccoon Stealer temporarily closing the project after one of its team members responsible for critical operations passed away in the Russo-Ukrainian war in March 2022.

The Rig Exploit Kit is notable for its abuse of browser exploits to distribute an array of malware. First spotted in 2019, Raccoon Stealer is a credential-stealing trojan that's advertised and sold on underground forums as a malware-as-a-service (MaaS) for $200 a month.

That said, the Raccoon Stealer actors are already working on a second version that's expected to be "rewritten from scratch and optimized." But the void left by the malware's exit is being filled by other information stealers such as RedLine Stealer and Vidar.

Dridex (aka Bugat and Cridex), for its part, has the capability to download additional payloads, infiltrate browsers to steal customer login information entered on banking websites, capture screenshots, and log keystrokes, among others, through different modules that allow its functionality to be extended at will.

In April 2022, Bitdefender discovered another Rig Exploit Kit campaign distributing the RedLine Stealer trojan by exploiting an Internet Explorer flaw patched by Microsoft last year (CVE-2021-26411).

That's not all. Last May, a separate campaign exploited two scripting engine vulnerabilities in unpatched Internet Explorer browsers (CVE-2019-0752 and CVE-2018-8174) to deliver a malware called WastedLoader, so named for its similarities to WasterLocker but lacking the ransomware component.

"This once again demonstrates that threat actors are agile and quick to adapt to change," the cybersecurity firm said. "By design, Rig Exploit Kit allows for rapid substitution of payloads in case of detection or compromise, which helps cyber criminal groups recover from disruption or environmental changes."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

RIG Exploit Kit Now Infects Victims' PCs With Dridex Instead of Raccoon Stealer

ToddyCat's Samurai and Ninja tools are designed to give attackers persistent and deep access on compromised networks, security vendor says.

A threat group that may have been among the first to exploit the ProxyLogon zero-day vulnerability in Exchange Servers last year is using a pair of dangerous and previously unseen malware tools in a cyber espionage campaign targeting military and government organizations in Europe and Asia.

Researchers at Kaspersky who first detected the group's activities this week described the tools as malware designed to enable long-term persistence on an organization's public-facing Web servers and giving attackers the ability to move laterally and penetrate deeply into compromised networks.

The malware tools have features that allow their functionality to be extended at will, but Kaspersky has been unable so far to determine the full range of their capabilities, the vendor noted.

**Attacks Targeted ProxyLogon Exchange Server Flaw**

Kaspersky is tracking the previously unknown group as "ToddyCat." In a report this week, the security vendor said the adversary's victim targeting and certain operational overlaps with at least one known Chinese threat actor suggest that members of ToddyCat are Chinese-speaking as well.

"This group targets high-profile organizations, usually government, diplomatic, military organizations, and military contractors," says Giampaolo Dedola, security researcher at Kaspersky. It may be possible that the threat actor has compromised victims in the US as well. But currently Kaspersky has no information to suggest this is indeed the case, Dedola says.

Kaspersky's analysis showed that ToddyCat's campaign began in December 2020 with attacks targeting selected Exchange Servers belonging to three organizations in Vietnam and Taiwan. The attackers used an unknown exploit to breach the Exchange Servers and deploy the popular China Chopper Web shell on the systems. They then used the Web shell to initiate a multi-stage infection chain involving custom loaders that ended with one of the new malware tools — a backdoor called "Samurai" — being deployed on the compromised system.

**Sophisticated Malware**

Samurai is a passive backdoor designed to give the attackers persistent access on Internet-facing Web servers. The backdoor works on ports 80 and 443 and is designed primarily to execute arbitrary C# code on infected systems.

"Based on our investigation, we were able to detect some of the source codes uploaded by the attacker and we know that it was used to execute arbitrary commands, download files, forward TCP packets to internal hosts," Dedola says. As one example, he points to the attacker using Samurai to communicate with internal Active Directory servers. "The ability to run arbitrary C# code allows attackers to infinitely extend the malware's capabilities," he says.

Kaspersky's research showed the attackers also used Samurai to launch "Ninja," the other previously unseen malware tool that ToddyCat is using in its attacks. Ninja is Cobalt Strike-like malware for executing post-exploitation activities on already compromised systems.

"It allows the attackers to control the remote system, manipulate the file system, manipulate processes, inject arbitrary code in other processes, forward TCP packets, and load new modules in its memory," Dedola says.

Ninja agents can be configured to act like servers. So, the adversary can use the malware to designate specific machines as internal command and control servers (C2s), thereby limiting connections to external servers and reducing the chances of being detected. This feature, combined with the TCP command forwarding functionality, gives the attackers a way to manage even those systems that are not directly connected to the Internet, Dedola says.

Between Dec. 2020 and early Feb. 2021, ToddyCat remained tightly focused on a handful of organizations in Vietnam and Taiwan. But then, for a brief period between late February and early March, the threat actor quickly escalated its attacks by targeting the ProxyLogon vulnerability to compromise organizations in multiple countries. The group's victims included organizations in Russia, UK, Slovakia, India, Iran, and Malaysia, and belonged to industries and sectors that have traditionally been of interest to China-based groups, Kaspersky said.

**A Change in Tactics**

Almost all of ToddyCat's early attacks targeted Exchange Server flaws. But starting Sept. 2021, Kaspersky observed what it described as "waves of attacks" against desktop systems involving the use of malicious loaders sent via the Telegram messaging service. It's unclear how many organizations ToddyCat has compromised, but the number is likely less than 30, Dedola says.

What makes Samurai and Ninja dangerous is the anti-forensic and anti-analysis technique incorporated into the malware, according to Kaspersky. For example. Samurai is designed to share TCP port 80 and 443 with Microsoft Exchange and cannot be detected by monitoring the ports. The malware also uses a complex loading scheme to avoid detection and maintain persistence. It addition, it uses a technique called "control-code flattening" to avoid detection by static analysis tools, Dedola says.

"The Ninja Trojan is also another modular malware, with capabilities that can be easily extended by the attacker," he tells Dark Reading, adding that the malware runs only in memory and never appears on file systems, making it harder to detect. "It is usually executed with a loader, which decrypts the payload from a third file. The file with the encrypted payload is immediately deleted by the loader."

Christopher Prewitt, CTO at Inversion6, says Kaspersky's research shows that the malware authors have gone to great lengths to hide and obfuscate their methods. While the Samurai backdoor features some relatively common features, ToddyCat's bespoke Ninja post-exploit tool appears more interesting.

"It is loaded in memory, making it much more difficult to analyze and detect," Prewitt says. "The threat actor could continue to reuse this part of their toolkit, while only swapping out or updating the initial infection point and backdoor tooling."

Tag

#microsoft