The nation-state espionage group known for attacking Pakistan has expanded its reach to targets in Egypt and Sri Lanka.

Source: Papilio via Alamy

A nation-state cyber-espionage group linked to India has broadened its targeting beyond regional rivals in Pakistan, Afghanistan, China, and Nepal and is focused on compromising computers and networks at maritime facilities in countries as far away as the Mediterranean Sea.

The group — known variously as SideWinder, Razor Tiger, and Rattlesnake — commonly wages spear-phishing attacks using images of official-looking documents. In its latest campaigns, SideWinder has falsified documents from specific ports, including the Port of Alexandria in Egypt, with high-interest topics such as job termination and salary reductions, researchers from BlackBerry said in a newly published advisory.

While the group has typically focused on rivals closer to home and is less prolific than other cyber spies, the current campaign suggests that they have expanded their targeting, says Ismael Valenzuela, vice president of threat research and intelligence at BlackBerry.

"It's the first time we have seen SideWinder targeting ports and maritime facilities in EMEA," he says. "We see a lot of geopolitical turbulence and \[changing\] environments across the globe on a variety of issues. This often galvanizes threat groups and state-sponsors to specifically strike down critical assets, like those within the maritime industry."

The maritime industry increasingly has become a target of cyberattacks, posing serious danger to ships and ports. In 2019, the US Coast Guard warned shipping companies that attacks on their systems could lead to accidents and catastrophes. In the past year, following increased Chinese cyber operations against critical infrastructure including maritime systems in and around the South China Sea, various countries in the Asia-Pacific region have banded together to protect their networks and systems.

The cyber warnings also come as physical threats to shipping increase as well. Piracy off the Atlantic coast of Africa and the Arabian Sea, and among the island nations of the Asia-Pacific, has escalated, while ship malfunctions — such as the one the caused a vessel to collide with the Baltimore bridge — have become more frequent.

**New Phishing Lures, Old Exploits**

SideWinder has conducted attacks since at least 2012. The group is relatively sophisticated, commonly using encrypted malware samples, various obfuscation techniques, and running code in memory to avoid file scanners, according to a presentation at Black Hat Asia in 2022. From 2020 to 2022, the group conducted more than 1,000 attacks, Noushin Shabab, senior security researcher with Kaspersky, said during that presentation.

"I think what truly makes them stand out among other APT \[advanced persistent threat\] actors is the large tool set they have with many different malware families, lots of new spear-phishing documents, and a very large infrastructure," Shabab said. "I haven't seen 1,000 attacks from a single APT" from another group thus far.

However, the current cyberattacks are, in many cases, using older vulnerabilities, such as a flaw in Microsoft Office dating back to 2017. The vulnerability (CVE-2017-0199) allows remote code execution against old versions of Microsoft Office and Windows, and has been a very popular vector of attack, with more than 5,600 malware samples exploiting the issue this year, including 15 malicious samples reported from Egypt, according to BlackBerry.

Like most groups, SideWinder does not like to waste a good exploit, even if it's seven years old, says Valenzuela.

"Why do we still see old CVEs like these exploited in the wild? Attackers know that many organizations don’t patch their Office software for many years," he says. "This is especially common in organizations with legacy systems, which are often used in ports and maritime facilities as well as other critical infrastructure."

BlackBerry documented the use of another very popular — and seven-year-old — vulnerability, in the Microsoft Office Equation Editor (CVE-2017-11882), with more than 9,500 samples of Office documents exploiting the issue since the start of 2024. Both of these vulnerabilities have made the Known Exploited Vulnerabilities list maintained by the Cybersecurity and Infrastructure Security Agency (CISA).

**Maritime Under Attack**

BlackBerry's threat researchers discovered a variety of domains in the first and second stages of the attack that are likely evidence of their targets, including a long list in South Asia including Pakistan, Sri Lanka, Bangladesh, Myanmar, Nepal, and the Maldives. Egyptian ports appear to be the only target outside of India's extended neighborhood.

While the country appears to be extending its reach to other regions of the world, the cyber operations are not actually targeting ports on a global scale, Valenzuela says.

"They’re certainly targeting ports in key countries where this threat actor has geopolitical interests, and that includes the Indian Ocean and the Mediterranean, \[such as\] Egypt," he says. "We don’t have information about other targets in the Mediterranean Sea at this time."

The researchers have not captured the final payload in the attacks, but based on the group's previous actions, they believe the goal is intelligence-gathering and cyber espionage, the company stated in its advisory.

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

India-Linked SideWinder Group Pivots to Hacking Maritime Targets

With sufficient privileges in Active Directory, attackers only have to create an "ESX Admins" group in the targeted domain and add a user to it.

Source: Schoening via Alamy Stock Photo

Multiple ransomware groups have been weaponizing an authentication bypass bug in VMware ESXi hypervisors to quickly deploy malware across virtualized environments.

VMware assigned the bug (CVE-2024-37085) a "medium" 6.8 out of 10 score on the CVSS scale. The average score is largely due to the fact that it requires an attacker to have existing permissions in a target's Active Directory (AD).

If they do have AD access, however, attackers can cause significant damage. With no technical trickery whatsoever, they can use CVE-2024-37085 to instantly scale up their ESXi privileges to the max, opening the door to ransomware deployment, data exfiltration, lateral movement, and more. Groups like Storm-0506 (aka Black Basta), Storm-1175, Manatee Tempest (part of Evil Corp), and Octo Tempest (aka Scattered Spider) have already tried it out, deploying ransomware such as Black Basta and Akira.

Broadcom recently published a fix, available on its website.

**How CVE-2024-37085 Works**

Some organizations configure their ESXi hypervisors to use AD for user management. It turns out that by doing this, organizations were exposing themselves to something unexpected. By default, ESXi hypervisors granted full administrative access to any member of an AD domain group named "ESX Admins."

It's unclear how the "ESX Admins" group vulnerability was introduced into ESXi in the first place—Broadcom declined to clarify when Dark Reading reached out on the question. As Microsoft noted in a blog post, there's no particular reason why the hypervisor should have expected such a domain group, or have had a rule for what to do with it. "This group is not a built-in group in Active Directory and does not exist by default. ESXi hypervisors do not validate that such a group exists when the server is joined to a domain and still treats any members of a group with this name with full administrative access, even if the group did not originally exist," the threat intel team wrote. "Additionally, the membership in the group is determined by name and not by security identifier (SID)."

Exploiting CVE-2024-37085 was entirely trivial. So long as an attacker had sufficient privileges in AD, all they'd have to do to gain ESXi admin privileges was to create an "ESX Admins" group in the targeted domain and add a user to it. They could also rename any existing group to "ESX Admins," and either wield one of its existing users or add a new one.

**The Risk with Hypervisors**

"Ransomware attacks targeting ESXi and VMs are increasingly common, especially since around 2020, when enterprises increased their move toward digital transformation and took advantage of modern hybrid cloud and virtualized on-premise environments," explains Jason Soroko, senior vice president of product at Sectigo.

For all the business sense they make, virtualized environments also afford hackers unique benefits. Hypervisors tend to run many VMs at once, making them a one-stop shop for blasting ransomware as widely as possible, and those VMs often host critical services and business data.

Their utility to hackers makes it all the more troubling that, as Microsoft noted in its blog, security products have limited visibility and protections for hypervisors. This, Soroko explains, is "due to their isolation, complexity, and the specialized knowledge required for their protection. This isolation makes it difficult for traditional security tools to monitor and protect the entire environment, and API integration limits further exacerbate this issue."

To cover for these shortcomings, Microsoft highlighted the importance of keeping up to date with patches, and practicing broader cyber hygiene around critical and vulnerable assets. "Attackers love using the path of least resistance that provides maximum opportunity," Soroko notes, adding that ransomware actors will only target these systems more and more in the future.

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Ransomware Gangs Exploit ESXi Bug for Instant, Mass Encryption of VMs

Cybersecurity researchers have detailed widespread phishing campaigns targeting small and medium-sized businesses (SMBs) in Poland during May 2024 that led to the deployment of several malware families like Agent Tesla, Formbook, and Remcos RAT.
Some of the other regions targeted by the campaigns include Italy and Romania, according to cybersecurity firm ESET.
"Attackers used previously

Cybersecurity researchers have detailed widespread phishing campaigns targeting small and medium-sized businesses (SMBs) in Poland during May 2024 that led to the deployment of several malware families like Agent Tesla, Formbook, and Remcos RAT.

Some of the other regions targeted by the campaigns include Italy and Romania, according to cybersecurity firm ESET.

"Attackers used previously compromised email accounts and company servers, not only to spread malicious emails but also to host malware and collect stolen data," ESET researcher Jakub Kaloč said in a report published today.

These campaigns, spread across nine waves, are notable for the use of a malware loader called DBatLoader (aka ModiLoader and NatsoLoader) to deliver the final payloads.

This, the Slovakian cybersecurity company said, marks a departure from previous attacks observed in the second half of 2023 that leveraged a cryptors-as-a-service (CaaS) dubbed AceCryptor to propagate Remcos RAT (aka Rescoms).

"During the second half of \[2023\], Rescoms became the most prevalent malware family packed by AceCryptor," ESET noted in March 2024. "Over half of these attempts happened in Poland, followed by Serbia, Spain, Bulgaria, and Slovakia."

The starting point of the attacks was phishing emails incorporating malware-laced RAR or ISO attachments that, upon opening, activated a multi-step process to download and launch the trojan.

In cases where an ISO file was attached, it would directly lead to the execution of DBatLoader. The RAR archive, on the other hand, contained an obfuscated Windows batch script enclosing a Base64-encoded ModiLoader executable that's disguised as a PEM\-encoded certificate revocation list.

A Delphi-based downloader, DBatLoader is primarily designed to download and launch the next stage malware from either Microsoft OneDrive or compromised servers belonging to legitimate companies.

Regardless of what malware is deployed, Agent Tesla, Formbook, and Remcos RAT come with capabilities to siphon sensitive information, allowing the threat actors to "prepare the ground for their next campaigns."

The development comes as Kaspersky revealed that SMBs are being increasingly targeted by cybercriminals owing to their lack of robust cybersecurity measures as well as limited resources and expertise.

"Trojan attacks remain the most common cyberthreat, which indicates that attackers continue to target SMBs and favor malware over unwanted software," the Russian security vendor said last month.

"Trojans are particularly dangerous because they mimic legitimate software, which makes them harder to detect and prevent. Their versatility and ability to bypass traditional security measures make them a prevalent and effective tool for cyber attackers."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Cybercriminals Target Polish Businesses with Agent Tesla and Formbook Malware

The nation-state threat actor known as SideWinder has been attributed to a new cyber espionage campaign targeting ports and maritime facilities in the Indian Ocean and Mediterranean Sea.
The BlackBerry Research and Intelligence Team, which discovered the activity, said targets of the spear-phishing campaign include countries like Pakistan, Egypt, Sri Lanka, Bangladesh, Myanmar, Nepal, and the

Cyber Espionage / Malware

The nation-state threat actor known as SideWinder has been attributed to a new cyber espionage campaign targeting ports and maritime facilities in the Indian Ocean and Mediterranean Sea.

The BlackBerry Research and Intelligence Team, which discovered the activity, said targets of the spear-phishing campaign include countries like Pakistan, Egypt, Sri Lanka, Bangladesh, Myanmar, Nepal, and the Maldives.

SideWinder, which is also known by the names APT-C-17, Baby Elephant, Hardcore Nationalist, Rattlesnake, and Razor Tiger, is assessed to be affiliated with India. It has been operational since 2012, often making use of spear-phishing as a vector to deliver malicious payloads that trigger the attack chains.

"SideWinder makes use of email spear-phishing, document exploitation and DLL side-loading techniques in an attempt to avoid detection and deliver targeted implants," the Canadian cybersecurity company said in an analysis published last week.

The latest set of attacks employ lures related to sexual harassment, employee termination, and salary cuts in order to negatively impact the recipients' emotional state and trick them into opening booby-trapped Microsoft Word documents.

Once the decoy file is opened, it leverages a known security flaw (CVE-2017-0199) to establish contact with a malicious domain that masquerades as Pakistan's Directorate General Ports and Shipping ("reports.dgps-govtpk\[.\]com") to retrieve an RTF file.

The RTF document, in turn, downloads a document that exploits CVE-2017-11882, another years-old security vulnerability in the Microsoft Office Equation Editor, with the goal of executing shellcode that's responsible for launching JavaScript code, but only after ensuring that the compromised system is legitimate and is of interest to the threat actor.

It's currently not known what's delivered by means of the JavaScript malware, although the end goal is likely to be intelligence gathering based on prior campaigns mounted by SideWinder.

"The SideWinder threat actor continues to improve its infrastructure for targeting victims in new regions," BlackBerry said. "The steady evolution of its network infrastructure and delivery payloads suggests that SideWinder will continue its attacks in the foreseeable future."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New SideWinder Cyber Attacks Target Maritime Facilities in Multiple Countries

Cybersecurity researchers are warning about a new phishing campaign that targets Microsoft OneDrive users with the aim of executing a malicious PowerShell script.
"This campaign heavily relies on social engineering tactics to deceive users into executing a PowerShell script, thereby compromising their systems," Trellix security researcher Rafael Pena said in a Monday analysis.
The cybersecurity

Cybersecurity researchers are warning about a new phishing campaign that targets Microsoft OneDrive users with the aim of executing a malicious PowerShell script.

"This campaign heavily relies on social engineering tactics to deceive users into executing a PowerShell script, thereby compromising their systems," Trellix security researcher Rafael Pena said in a Monday analysis.

The cybersecurity company is tracking the "crafty" phishing and downloader campaign under the name OneDrive Pastejacking.

The attack unfolds via an email containing an HTML file that, when opened, displays an image simulating a OneDrive page and displays an error message that says: "Failed to connect to the 'OneDrive' cloud service. To fix the error, you need to update the DNS cache manually."

The message also comes with two options, namely "How to fix" and "Details," with the latter directing the email recipient to a legitimate Microsoft Learn page on Troubleshooting DNS.

However, clicking "How to fix" prompts the user to follow a series of steps, which includes pressing "Windows Key + X" to open the Quick Link menu, launching the PowerShell terminal, and pasting a Base64-encoded command to supposedly fix the issue.

"The command \[...\] first runs ipconfig /flushdns, then creates a folder on the C: drive named 'downloads,'" Pena explained. "Subsequently, it downloads an archive file into this location, renames it, extracts its contents ('script.a3x' and 'AutoIt3.exe'), and executes script.a3x using AutoIt3.exe."

The campaign has been observed targeting users in the U.S., South Korea, Germany, India, Ireland, Italy, Norway, and the U.K.

The disclosure builds upon similar findings from ReliaQuest, Proofpoint, and McAfee Labs, indicating that phishing attacks employing this technique – also tracked as ClickFix – are becoming increasingly prevalent.

The development comes amid the discovery of a new email-based social engineering campaign distributing bogus Windows shortcut files that lead to the execution of malicious payloads hosted on Discord's Content Delivery Network (CDN) infrastructure.

Phishing campaigns have also been increasingly observed, such as sending Microsoft Office Forms from previously compromised legitimate email accounts to entice targets into divulging their Microsoft 365 login credentials by clicking on a seemingly innocuous link.

"Attackers create legitimate-looking forms on Microsoft Office Forms, embedding malicious links within the forms," Perception Point said. "These forms are then sent to targets en-masse via email under the guise of legitimate requests such as changing passwords or accessing important documents, mimicking trusted platforms and brands like Adobe or Microsoft SharePoint document viewer."

What's more, other attack waves have utilized invoice-themed lures to trick victims to sharing their credentials on phishing pages hosted on Cloudflare R2 that are then exfiltrated to the threat actor via a Telegram bot.

It's no surprise that adversaries are constantly on the lookout for different ways to stealthily smuggle malware past Secure Email Gateways (SEGs) so as to increase the likelihood of success of their attacks.

According to a recent report from Cofense, bad actors are abusing how SEGs scan ZIP archive attachments to deliver the Formbook information stealer by means of DBatLoader (aka ModiLoader and NatsoLoader).

Specifically, this involves passing off the HTML payload as an MPEG file to evade detection by taking advantage of the fact that many common archive extractors and SEGs parse the file header information but ignore the file footer that may contain more accurate information about the file format.

"The threat actors utilized a .ZIP archive attachment and when the SEG scanned the file contents, the archive was detected as containing a .MPEG video file and was not blocked or filtered," the company noted.

"When this attachment was opened with common/popular archive extraction tools such as 7-Zip or Power ISO, it also appeared to contain a .MPEG video file, but it would not play. However, when the archive was opened in an Outlook client or via the Windows Explorer archive manager, the .MPEG file is (correctly) detected as being a .HTML \[file\]."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

OneDrive Phishing Scam Tricks Users into Running Malicious PowerShell Script

A recently patched security flaw impacting VMware ESXi hypervisors has been actively exploited by "several" ransomware groups to gain elevated permissions and deploy file-encrypting malware.
The attacks involve the exploitation of CVE-2024-37085 (CVSS score: 6.8), an Active Directory integration authentication bypass that allows an attacker to obtain administrative access to the host.
"A

A recently patched security flaw impacting VMware ESXi hypervisors has been actively exploited by "several" ransomware groups to gain elevated permissions and deploy file-encrypting malware.

The attacks involve the exploitation of CVE-2024-37085 (CVSS score: 6.8), an Active Directory integration authentication bypass that allows an attacker to obtain administrative access to the host.

"A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management by re-creating the configured AD group ('ESXi Admins' by default) after it was deleted from AD," Broadcom-owned VMware noted in an advisory released in late June 2024.

In other words, escalating privileges on ESXi to the administrator was as simple as creating a new AD group named "ESX Admins" and adding any user to it, or renaming any group in the domain to "ESX Admins" and adding a user to the group or using an existing group member.

Microsoft, in a new analysis published on July 29, said it observed ransomware operators like Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest leveraging the post-compromise technique to deploy Akira and Black Basta.

"VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named 'ESX Admins' to have full administrative access by default," researchers Danielle Kuznets Nohi, Edan Zwick, Meitar Pinto, Charles-Edouard Bettan, and Vaibhav Deshmukh said.

"This group is not a built-in group in Active Directory and does not exist by default. ESXi hypervisors do not validate that such a group exists when the server is joined to a domain and still treats any members of a group with this name with full administrative access, even if the group did not originally exist."

In one attack staged by Storm-0506 against an unnamed engineering firm in North America, the threat actor weaponized the vulnerability to gain elevated permissions to the ESXi hypervisors after having obtained an initial foothold using a QakBot infection and exploiting another flaw in the Windows Common Log File System (CLFS) Driver (CVE-2023-28252, CVSS score: 7.8) for privilege escalation.

Subsequently, phases entailed the deployment of Cobalt Strike and Pypykatz, a Python version of Mimikatz, to steal domain administrator credentials and move laterally across the network, followed by dropping the SystemBC implant for persistence and abusing the ESXi admin access to deploy Black Basta.

"The actor was also observed attempting to brute force Remote Desktop Protocol (RDP) connections to multiple devices as another method for lateral movement, and then again installing Cobalt Strike and SystemBC," the researchers said. "The threat actor then tried to tamper with Microsoft Defender Antivirus using various tools to avoid detection."

The development comes as Google-owned Mandiant revealed that a financially motivated threat cluster called UNC4393 is using initial access obtained via a C/C++ backdoor codenamed ZLoader (aka DELoader, Terdot, or Silent Night) to deliver Black Basta, moving away from QakBot and DarkGate.

"UNC4393 has demonstrated a willingness to cooperate with multiple distribution clusters to complete its actions on objectives," the threat intelligence firm said. "This most recent surge of Silent Night activity, beginning earlier this year, has been primarily delivered via malvertising. This marked a notable shift away from phishing as UNC4393's only known means of initial access."

The attack sequence involves making use of the initial access to drop Cobalt Strike Beacon and a combination of custom and readily-available tools to conduct reconnaissance, not to mention relying on RDP and Server Message Block (SMB) for lateral movement. Persistence is achieved by means of SystemBC.

ZLoader, which resurfaced after a long gap late last year, has been under active development, with new variants of the malware being propagated via a PowerShell backdoor referred to as PowerDash, per recent findings from Walmart's cyber intelligence team.

Over the past few years, ransomware actors have demonstrated an appetite for latching onto novel techniques to maximize impact and evade detection, increasingly targeting ESXi hypervisors and taking advantage of newly disclosed security flaws in internet-facing servers to breach targets of interest.

Qilin (aka Agenda), for instance, was originally developed in the Go programming language, but has since been redeveloped using Rust, indicating a shift towards constructing malware using memory-safe languages. Recent attacks involving ransomware have been found to leverage known weaknesses in Fortinet and Veeam Backup & Replication software for initial access.

"The Qilin ransomware is capable of self-propagation across a local network," Group-IB said in a recent analysis, adding it's also equipped to "carry out self-distribution using VMware vCenter."

Another notable malware employed in Qilin ransomware attacks is a tool dubbed Killer Ultra that's designed to disable popular endpoint detection and response (EDR) software running on the infected host as well as clear all Windows event logs to remove all indicators of compromise.

Organizations are recommended to install the latest software updates, practice credential hygiene, enforce two-factor authentication, and take steps to safeguard critical assets using appropriate monitoring procedures and backup and recovery plans.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

VMware ESXi Flaw Exploited by Ransomware Groups for Admin Access

PRESS RELEASE

Lakera, the world's leading real-time Generative AI (GenAI) Security company, has raised $20 million in a Series A funding round. Led by European VC Atomico, with participation from Citi Ventures, Dropbox Ventures, and existing investors including redalpine, this investment brings Lakera's total funding to $30 million. This funding positions Lakera at the forefront of the global economy's race to secure GenAI applications. As part of this round, Atomico Partner Sasha Vidiborskiy will join Lakera's board.

It's been predicted that by 2026, 80% of enterprises will have used GenAI or GenAI-enabled applications in production environments, up from less than 5% in 2023. As businesses worldwide scramble to harness the power of GenAI without exposing themselves to AI-specific risks, the demand for Lakera's platform is expected to continue growing at a rapid clip.

While GenAI could add an estimated $4.4 trillion annually to global GDP, cybersecurity remains the second most-cited risk associated with its adoption as traditional cyber tools are ill-equipped to address the novel dangers it poses. This creates a critical need for security solutions that address GenAI-specific risks, without which businesses are unable to unlock the benefits of AI.

David Haber, Founder and CEO of Lakera, explains the urgency: "With the advent of GenAI, the old cybersecurity techniques aren't sufficient. Enterprises now operate in a world where anyone who knows how to talk knows how to hack. Security solutions need to change but they can't get in the way of user experience. There is a need for real-time AI security solutions that continuously evolve and enable amazing user experiences."

David elaborates in his blog published today.

Cybersecurity-risks posed by LLMs

The spectrum of LLM vulnerabilities is both diverse and severe:

*   GenAI introduces prompt attacks as the most widely accessible hacking method. In the past, hackers needed to be able to code - but now, the only barrier to entry is being able to talk.
    
*   Prompt attacks can easily be used to manipulate GenAI so that a malicious actor can gain unauthorized access to a company's systems, steal confidential data, take unauthorized actions, and generate harmful content.
    
*   AI "sleeper agents" can lie dormant until activated for malicious purposes. Jailbreaking techniques can compromise powerful models in mere minutes.
    
*   AI-targeted worms can bypass security measures, harvesting data and launching widespread attacks.
    

Lakera's comprehensive approach to AI security delivers three key benefits for enterprises: protection that doesn't slow down their AI applications; the ability to stay ahead of AI threats with continuously evolving intelligence; and centralized implementation of AI security controls.

The company's growth comes at a pivotal moment in AI development. With the adoption of GenAI, users now direct software applications using natural language, and Lakera's real-time AI security does not compromise application interactivity. To make implementation effortless for developers, the company's API can be integrated with a single line of code, providing an ultra-low-latency security layer compatible with any GenAI model. Centralized controls allow security teams to customize application-specific policies and address emerging threats without code changes.

Lakera is uniquely positioned to tackle these fast-changing challenges, in part thanks to Gandalf - an AI educational platform created by the company which serves as the world's largest AI red team. With over 250 thousand unique users worldwide, including companies such as Microsoft where it's used in security training, Gandalf generates a real-time database of AI threats which is growing by 100 thousands of uniquely new attacks every day and keeps Lakera's software up to date, ensuring continuous protection for customers. The 50+ million data points generated by Gandalf, combined with the founding team's deep experience in building AI systems with real-time requirements, means Lakera's customers are able to stay ahead of threats and deliver amazing user experiences.

Atomico Partner Sasha Vidoborskiy, who will join Lakera's board, said: "Lakera has seen impressive commercial pull, winning customers such as Dropbox and a top 3 US bank, and already having more than 35% of Fortune 100 companies knock on their door. All those clients have an urgency to deploy GenAI applications into production, but can't do it without protection in place. Easy integration, best-in-class performance, and low latency are why they pick Lakera. But most importantly, the company is led by David and his team, who are thought leaders in the space and have a deep understanding of what the adoption of AI means for new cybersecurity risks."

"At Dropbox, ensuring the security of our systems and customers' data is a top priority," said Donald Tucker, Head of Corporate Development and Ventures at Dropbox. "Lakera's team has extensive expertise and a deep understanding of the complex security challenges companies are facing with LLMs and Generative AI. Their advanced technology is helping companies like Dropbox safeguard against vulnerabilities these new technologies pose. We're thrilled to strengthen our existing relationship with Lakera by investing in the future of the company and AI security."

Lakera plans to use this funding round to invest further in its product development and expand its presence in the US, where it already has a foothold in Silicon Valley.

About Lakera  
Lakera is the world's leading real-time GenAI security company. Customers rely on Lakera for security that doesn't slow down their AI applications. To accelerate secure adoption of AI, the company created Gandalf, an educational tool, where more than one million users have learned about AI security. Lakera uses AI to continuously evolve defenses, so customers can stay ahead of emerging threats. Lakera was founded by David Haber, Mateo Rojas-Carulla and Matthias Kraft in 2021.

About Atomico  
Atomico invests in ambitious tech founders from Seed through to IPO with a particular focus on Europe, leveraging deep operational experience to supercharge their growth. Founded in 2006, Atomico has partnered with over 100 ambitious teams - including those at Klarna, Supercell, Graphcore, Compass, MessageBird, Masterclass, Attentive Mobile, Pipedrive and Hinge Health. Atomico's team of founders, investors and operational leaders have been responsible for global expansion, hiring and marketing at companies from Skype and Google to Twitter and Uber. The firm currently has $5B in assets under management.

Lakera Raises $20M Series A to Secure Generative AI Applications

PRESS RELEASE

LONDON, July 25, 2024 /PRNewswire/ -- An investigation by Heimdal reveals that the EU is facing a surge in brute force cyber attacks on corporate and institutional networks, primarily originating from Russia.

These attackers exploit Microsoft infrastructure, particularly in Belgium and the Netherlands, to avoid detection.

The investigation into the Russian brute-force campaign has revealed several critical insights:

*   Attackers are aiming for High-Value Targets (HVTs)
    
*   Key infrastructure cities like Edinburgh and Dublin have been frequently targeted
    
*   Over half of the attack IP addresses are linked to Moscow, targeting major cities in the UK, Denmark, Hungary, and Lithuania
    
*   The rest of the investigated attack IPs can be traced back to Amsterdam and Brussels
    
*   Major ISPs like Telefonica LLC and IPX-FZCO were significantly abused
    
*   Heimdal's data shows these attacks date back to May 2024 but may have been happening even longer.
    

Prevalent Infiltration and Attack Techniques

The attackers primarily target administrative accounts using various case combinations and language variants.

Over 60% of attack IPs are new, with approximately 65% recently compromised and the rest previously abused, revealing a constantly evolving threat.

The threat actors employ known attack principles such as SMBv1 crawlers, RDP crawlers, and RDP alternative port crawlers, exploiting weak or default credentials through password guessing, spraying, and stuffing.

Additionally, their use of legitimate Microsoft infrastructure broadens the attack surface and complicates detection and response.

Data shows that attackers have actively exploited Microsoft infrastructure from the Netherlands and Belgium to increase their attack range and success odds.

Russia Leveraging State-Owned Networks to Propagate Attack

Major ISPs like Telefonica LLC and IPX-FZCO are significantly abused, with the former accounting for 27.7% of attacks from Russia.

The attackers also leveraged resources from Russian allies, including Indian telecom companies Bharat Sanchar Nigam Limited and Bharti Airtel Limited, both of which have faced recent data breaches.

Scope of Brute-Force Campaign

Russia's motivation behind these cyberattacks is multifaceted.

The reasons for these actions likely include aims to destabilize and disrupt critical infrastructure in Europe, extract sensitive data, gain financial advantage to fuel ongoing cyber-war efforts, or deploy malware.

The threat actors' mandates can span multiple types of subversive cyber-warfare ops, including seek-and-destroy, disruption of critical assets, and sabotage.

A Wake Up Call for the European Union

This persistent threat underscores the need for cybersecurity measures within EU countries, including strengthening cloud security, enforcing multi-factor authentication, conducting regular security audits, and educating employees.

Morten Kjaersgaard, Founder of Heimdal, said:

"This data shows that an entity in Russia is waging a hybrid war on Europe, and may have even infiltrated it.

The threat actors are aiming to extract as much data or financial means as possible, leveraging Microsoft infrastructure to do so.

Whoever is responsible, whether it's the state or another nefarious group, they have no shame in using Russia's allies to commit these crimes.

The exploitation of Indian infrastructure is a strong example. The data also proves these attackers have strong ties with China."

Paul Vixie, Co-Founder of SIE Europe, added:

"The data that Heimdal has uncovered is explosively evil, and SIE Europe data clearly shows how well built these Russian Wasp nests are and they show no signs of stopping.

SIE Europe does not ever traffic in Personally Identifiable Information, and this case shows the investigative power of public information once cooperatively assembled."

Read the full investigation here: Russia-Linked Brute-Force Campaign Targets EU via Microsoft Infrastructure (heimdalsecurity.com).

Heimdal Security Presents its Latest Report on Brute-Force Cyberattacks

Microsoft says that an examination of Windows crash reports around the outage shows that kernel drivers need to be carefully employed.

Source: Mundissima via Alamy Stock Photo

UPDATED

Microsoft has released more details around its assessment of the CrowdStrike Falcon outage nearly two weeks ago, noting that one takeaway is the need to reduce infosec vendors' reliance on the kernel drivers.

In a blog post published over the weekend, David Weston, vice president of enterprise and OS security at Microsoft, detailed that the company measured the impact of the incident through accessing crash reports that were voluntarily shared by customers. 

As not every customer opts to share crash reports, those are just "a subset of the number of impacted devices previously shared by Microsoft," Weston wrote. 

But the consensus that emerged was that while kernel drivers such as those employed by CrowdStrike can actually improve performance and prevent software tampering, those advantages must be rationalized against potential risk posed by their innate privileges.

"Since kernel drivers run at the most trusted level of Windows, where containment and recovery capabilities are by nature constrained, security vendors must carefully balance needs like visibility and tamper resistance with the risk of operating within kernel mode," Weston wrote.

He said he believes that if security vendors can strike the right balance, organizations can minimize kernel usage while also maintaining a strong security position.

This story was updated at 9:15 a.m. ET on July 30, 2024 to correct inaccurate reporting that Microsoft revised the original 8.5 million device estimate for how many machines were affected by the CrowdStrike outage.

**About the Author(s)**

Microsoft Talks Kernel Drivers Post CrowdStrike Outage

Ubuntu Security Notice 6924-1 - Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-6924-1July 29, 2024linux, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp,linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4,linux-iot, linux-kvm, linux-raspi, linux-xilinx-zynqmp vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTS- Ubuntu 18.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-azure: Linux kernel for Microsoft Azure Cloud systems- linux-bluefield: Linux kernel for NVIDIA BlueField platforms- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems- linux-ibm: Linux kernel for IBM cloud systems- linux-iot: Linux kernel for IoT platforms- linux-kvm: Linux kernel for cloud environments- linux-raspi: Linux kernel for Raspberry Pi systems- linux-xilinx-zynqmp: Linux kernel for Xilinx ZynqMP processors- linux-azure-5.4: Linux kernel for Microsoft Azure cloud systems- linux-gcp-5.4: Linux kernel for Google Cloud Platform (GCP) systems- linux-hwe-5.4: Linux hardware enablement (HWE) kernel- linux-ibm-5.4: Linux kernel for IBM cloud systemsDetails:Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - ARM SCMI message protocol;  - InfiniBand drivers;  - TTY drivers;  - TLS protocol;(CVE-2024-26584, CVE-2024-36016, CVE-2024-26585, CVE-2021-47131,CVE-2024-26907, CVE-2022-48655, CVE-2024-26583)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS  linux-image-5.4.0-1041-iot      5.4.0-1041.42  linux-image-5.4.0-1048-xilinx-zynqmp  5.4.0-1048.52  linux-image-5.4.0-1076-ibm      5.4.0-1076.81  linux-image-5.4.0-1089-bluefield  5.4.0-1089.96  linux-image-5.4.0-1096-gkeop    5.4.0-1096.100  linux-image-5.4.0-1113-raspi    5.4.0-1113.125  linux-image-5.4.0-1117-kvm      5.4.0-1117.124  linux-image-5.4.0-1133-gcp      5.4.0-1133.142  linux-image-5.4.0-1134-azure    5.4.0-1134.141  linux-image-5.4.0-190-generic   5.4.0-190.210  linux-image-5.4.0-190-generic-lpae  5.4.0-190.210  linux-image-5.4.0-190-lowlatency  5.4.0-190.210  linux-image-azure-lts-20.04     5.4.0.1134.128  linux-image-bluefield           5.4.0.1089.85  linux-image-gcp-lts-20.04       5.4.0.1133.135  linux-image-generic             5.4.0.190.188  linux-image-generic-lpae        5.4.0.190.188  linux-image-gkeop               5.4.0.1096.94  linux-image-gkeop-5.4           5.4.0.1096.94  linux-image-ibm-lts-20.04       5.4.0.1076.105  linux-image-kvm                 5.4.0.1117.113  linux-image-lowlatency          5.4.0.190.188  linux-image-oem                 5.4.0.190.188  linux-image-oem-osp1            5.4.0.190.188  linux-image-raspi               5.4.0.1113.143  linux-image-raspi2              5.4.0.1113.143  linux-image-virtual             5.4.0.190.188  linux-image-xilinx-zynqmp       5.4.0.1048.48Ubuntu 18.04 LTS  linux-image-5.4.0-1076-ibm      5.4.0-1076.81~18.04.1                                  Available with Ubuntu Pro  linux-image-5.4.0-1133-gcp      5.4.0-1133.142~18.04.1                                  Available with Ubuntu Pro  linux-image-5.4.0-1134-azure    5.4.0-1134.141~18.04.1                                  Available with Ubuntu Pro  linux-image-5.4.0-190-generic   5.4.0-190.210~18.04.1                                  Available with Ubuntu Pro  linux-image-5.4.0-190-lowlatency  5.4.0-190.210~18.04.1                                  Available with Ubuntu Pro  linux-image-azure               5.4.0.1134.141~18.04.1                                  Available with Ubuntu Pro  linux-image-gcp                 5.4.0.1133.142~18.04.1                                  Available with Ubuntu Pro  linux-image-generic-hwe-18.04   5.4.0.190.210~18.04.1                                  Available with Ubuntu Pro  linux-image-ibm                 5.4.0.1076.81~18.04.1                                  Available with Ubuntu Pro  linux-image-lowlatency-hwe-18.04  5.4.0.190.210~18.04.1                                  Available with Ubuntu Pro  linux-image-oem                 5.4.0.190.210~18.04.1                                  Available with Ubuntu Pro  linux-image-oem-osp1            5.4.0.190.210~18.04.1                                  Available with Ubuntu Pro  linux-image-snapdragon-hwe-18.04  5.4.0.190.210~18.04.1                                  Available with Ubuntu Pro  linux-image-virtual-hwe-18.04   5.4.0.190.210~18.04.1                                  Available with Ubuntu ProAfter a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-6924-1  CVE-2021-47131, CVE-2022-48655, CVE-2024-26583, CVE-2024-26584,  CVE-2024-26585, CVE-2024-26907, CVE-2024-36016Package Information:  https://launchpad.net/ubuntu/+source/linux/5.4.0-190.210  https://launchpad.net/ubuntu/+source/linux-azure/5.4.0-1134.141  https://launchpad.net/ubuntu/+source/linux-bluefield/5.4.0-1089.96  https://launchpad.net/ubuntu/+source/linux-gcp/5.4.0-1133.142  https://launchpad.net/ubuntu/+source/linux-gkeop/5.4.0-1096.100  https://launchpad.net/ubuntu/+source/linux-ibm/5.4.0-1076.81  https://launchpad.net/ubuntu/+source/linux-iot/5.4.0-1041.42  https://launchpad.net/ubuntu/+source/linux-kvm/5.4.0-1117.124  https://launchpad.net/ubuntu/+source/linux-raspi/5.4.0-1113.125  https://launchpad.net/ubuntu/+source/linux-xilinx-zynqmp/5.4.0-1048.52

Tag

#microsoft