Inc ransomware — one of the most popular among cybercriminals today — meets healthcare, the industry sector most targeted by RaaS.

Source: Photo 12 via Alamy Stock Photo

Inc ransomware is on the rise, with one well-known threat actor recently using it to target American healthcare organizations.

Vice Society, which Microsoft tracks as Vanilla Tempest, has been active since July 2022. In that time, the Russian-speaking group has made use of various families of ransomware to aid its double extortion attacks, including BlackCat, Hello Kitty, Quantum Locker, Rhysida, Zeppelin — including its own variant — and its own, eponymous program.

In a series of posts on X, Microsoft Threat Intelligence Center (MSTIC) flagged the group's latest weapon: Inc ransomware.

"Vanilla Tempest is one of the most active ransomware operators MSTIC tracks," says Jeremy Dallman, senior director of threat intelligence for MSTIC. "While we've seen them targeting healthcare for quite a while, the notable shift here is their use of an Inc ransomware payload as they leverage the larger ransomware-as-a-service ecosystem."

**Vice Society's Latest Foray into Healthcare**

Vice Society flirts with various industries, including IT and manufacturing, but it's best known for its campaigns against the education and healthcare sectors.

In that sense, it's in line with the broader threat landscape. According to Check Point Research, healthcare is the industry most frequently targeted by ransomware actors. Other kinds of cybercriminals like it too, evidently, with global healthcare organizations experiencing an average of 2,018 attacks per week, a 32% rise over last year.

It only makes sense, warns Cindi Carter, Check Point's CISO for the Americas. Besides being hamstrung by outdated legacy technology and bureaucracy, "The type of data that healthcare organizations capture, create, and share is of high value to cybercriminals," she says. "Your medical record is the single most identifiable piece of digital information about you besides your own fingerprint," she says.

In recent activity leveraging the healthcare sector's inherent weaknesses, Vice Society received initial access to victims that previously had been infected with the Gootloader backdoor-loader. Then it deployed tools including the Supper backdoor, AnyDesk's remote monitoring and management (RMM) solution, and MEGA's data synchronization tool, the latter two of which are legitimate commercial products. The group used Remote Desktop Protocol (RDP) to perform lateral movement in affected networks, and abused the Windows Management Instrumentation (WMI) provider host to drop Inc ransomware.

**The Rise of Inc Ransomware**

Active since last summer, the Inc ransomware-as-a-service (RaaS) operation has earned plenty of headlines for its compromises of particularly large organizations — Xerox and Scotland's National Health Service (NHS), among others. And its modus operandi fits the scope of its ambition, says Jason Baker, threat intelligence consultant for GuidePoint Security.

"The aspect of Inc affiliates in particular that makes them stand out is that they have a very structured way of working through the negotiations process. There's no winging it. There are no off-the-cuff remarks. Agitation and threats are kept relatively minimal," he recalls from dealing with them firsthand.

"It's like the difference between somebody robbing a bank and somebody sticking somebody up in an alley. You can tell when somebody's put thought into \[an attack\] and knows what they're doing," he says.

As Dark Reading reported last month, Inc's malware leaked information about the nature and success of its data encryption. Though this could potentially lend defenders a leg up in remediation and potential negotiations with its affiliates, Baker warns that the reality is more complicated, especially when it comes to healthcare.

"If an organization knows that they can recover, and that they don't need a decryptor, that substantially decreases the feeling that they need to pay a ransom," he notes. "But where it's complicated is in modern double extortion, particularly if there's sensitive personally identifiable health information (PHI), or if there's sensitive intellectual property involved. There's a reason why the double extortion methodology has stuck around for as long as it has: It does, to some extent, overcome even an ability to recover."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Vice Society Pivots to Inc Ransomware in Healthcare Attack

US ports rely on cranes manufactured by a Chinese state-owned company, many with unmonitored cellular connections, causing cybersecurity concerns.

Source: GreenOak via Shutterstock

As the United States looks to shore up the cyber-resilience of its critical infrastructure, a congressional report has highlighted that the nation's maritime shipping and port operations rely too much on Chinese-made cranes and other systems whose software is often vulnerable and can be communicated with remotely.

Last week, the House of Representatives' Select Committee on the Chinese Communist Party released a report on the potential threats to the US port infrastructure, revealing that 80% of the ship-to-shore (STS) cranes at US ports are manufactured by a single Chinese government-owned company, Shanghai Zhenhua Heavy Industries (ZPMC). While the committee did not turn up evidence that the company used its access maliciously, the firm failed to address software vulnerabilities and retained the ability to remotely access the crane's systems via a cellular modem, often without explicit notification.

Even though the report does not find a smoking gun, the concerns are reasonable, says John Terrill, chief information security officer (CISO) at extended Internet-of-Things (IoT) security firm Phosphorus Cybersecurity.

"There could be legitimate purposes for \[a cellular modem\], but I think the general sentiment — because it's a Chinese-owned company — the \[committee\] is concerned that allowing access is setting up a ticking time bomb," he says. "If something happens geopolitically, the ports may, all of a sudden, not be able to operate the cranes."

Related:Name That Toon: Tug of War

The supply chains for critical economic sectors are attracting intense scrutiny from policymakers and security organizations. When Russia invaded Ukraine, the military targeted cyberattacks at infrastructure, such as satellite communications and nuclear power generation. The recent attacks on Lebanon-based Hezbollah militants — considered a terrorist organization by the US government — using pagers likely compromised through a supply-chain attack by Israel demonstrated the potential of cyber-physical attacks.

**Sea Change in Supply-Chain Focus**

Port facilities are often overlooked, but critically important, especially as drivers of the economy. US port facilities handle about 40% of the value of all international freight, with the top 12 ports processing about 47 million twenty-foot equivalent units (TEUs) of cargo in 2023. Cyber-physical attacks on such facilities could significantly disrupt the US economy. Cybersecurity experts have already warned that China-linked cyber-espionage groups are compromising critical infrastructure systems at facilities — such as ports — in preparation for future conflicts.

Related:SCADA Market Is Set to Reach $18.7B by 2031

The long-term risks outweigh the short-term gains of purchasing inexpensive port equipment, the House Select Committee stated in its report.

"The evidence gathered during our joint investigation indicates that ZPMC could, if desired, serve as a Trojan horse capable of helping the CCP and the PRC military exploit and manipulate US maritime equipment and technology at their request," the lawmakers stated. "This vulnerability in our critical infrastructure has the potential to affect Americans from coast to coast."

While historically overlooked, maritime supply-chain security and cybersecurity has become an increasing issue. In February, the US Department of Transportation warned that port facilities' over-reliance on Chinese vendors allowed China's government to collect information on trade and could lead to potential compromises if Sino-American relations worsen.

**Rough Seas for Cybersecurity**

Attacks on ports and ships are not unheard of. In February, the US reportedly hacked an Iranian military ship aiding Houthi rebels in the Red Sea and disrupting communications. An Indian nation-state cyber-operations group attacked maritime facilities and ports around in the Indian Ocean and as far away as the Mediterranean Sea. And spoofing of GPS signals have enabled rogue nations to cause problems for freighters and other shipping near their shores.

Related:Remote Access Sprawl Strains Industrial OT Network Security

Because so much of the infrastructure has integrated communications connected to software controlling physical equipment, cybersecurity is a significant issue, says Ron Fabela, strategic advisor to ICS/OT security firm Xona.

"Everything is remotely accessible now," he says. "If you haven't been in the industry, you might think our super-critical stuff isn't accessible from the Internet, surely, right? And oftentimes, that is not the case."

Port operators are looking to buy inexpensive port equipment, such as cranes, but then rely on the manufacturer to provide service, which leads to remote communications and data collection. In addition, numerous vulnerabilities have been found in ZPMC equipment, but bug reports disappear and are never publicized, and likely never fixed. Given China's law that forces disclosure of vulnerabilities to the government, it's likely that those vulnerabilities are being used or are being stockpiled for use, says Phosphorus' Terrill.

"A known vulnerability that is not patched is a backdoor by any other definition," he says.

**Protecting Untrusted Infrastructure**

The House CCP Committee's report recommends that the Department of Homeland Security and US Coast Guard make recommendations to disable the cellular modems in the ZPMC cranes, install technology to monitor and ensure the security of the cranes during operation, and focus extra security measures on critical ports, such as the seaport in Guam — a resupply point for the US military in the Pacific Ocean — and those designated by the Department of Defense as critical.

Port operators, however, may push back on mandates to disable the cellular devices. Turning off the cellular modems will likely mean hobbling the maintenance of the cranes and other equipment, says Xona's Fabela.

"In critical infrastructure, what I've seen is the asset owner — the purchaser of this equipment — doesn't want to maintain it," he says. "They want to have someone on the hook, if something goes wrong ... they want to ensure that the OEM or the manufacturer is the one supporting it, and being that a lot of our heavy industry is still being manufactured outside of our borders, it becomes a difficult problem."

Instead, operators should treat digital access like physical access, he says. Any session should be tightly controlled and scheduled, keeping devices offline at all other times.

"We'll monitor, and we'll over-the-shoulder their access — this is how they do it with physical access," he says. "A vendor can't just walk into a port and walk around. You have to have a reason to be there, usually a job order; you have to have a background check; and someone will escort you. So just extending those best practices to the cyber domain is often all that's needed."

In the long term, the House CCP Committee's report recommends that the US Department of Commerce study whether building cranes is the United States is feasible, as well as ways to improve US manufacturing competitiveness.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Concerns Over Supply Chain Attacks on US Seaports Grow

The first patch lets threat actors with low-level credentials still exploit the vulnerability, while the second fully resolves the flaw.

Source: Postmodern Studio via Alamy Stock Photo

A researcher has released a proof-of-concept (PoC) exploit and analysis for a critical vulnerability, tracked as CVE-2024-40711, used in Veeam's backup and replication software.

As an unauthenticated remote code execution (RCE) flaw, the vulnerability has a CVSS score of 9.8 and threatens environments that are running versions 12.1.2.172 and below.

Initially reported for its high potential for exploitation, the vulnerability possesses an aging communication mechanism that makes it vulnerable to deserialization attacks. And it has an exploitation path that enables threat actors to create malicious payloads that bypass the protective measures Veeam has put in place.

While assessing the vulnerability, the security teams discovered 1,900 file modifications, 700 of which were deemed non-security related, indicating that Veeam's patching process went beyond just CVE-2024-40711 and likely involved addressing a variety of other security flaws as well.

Veeam released two recommendations to address different components of the vulnerability. The first patch, version 12.1.2.172, made it so that low-level credentials were still required in order for threat actors to exploit the vulnerability. The second patch, version 12.2.0.334, fully resolves the flaw. It's possible that the vulnerability was more severe than Veeam initially let on, and that the first patch did not fully mitigate the RCE threat, leaving systems exposed and prompting a second attempt to patch.

Dark Reading has contacted Veeam for more information about its approach.

In the meantime, it's recommended that enterprises apply the latest patch as soon as possible, since a PoC exploit for the vulnerability has been made publicly available on GitHub, giving attackers tools to launch their next attacks. 

**About the Author**

1 PoC Exploit for Critical RCE Flaw, but 2 Patches From Veeam

Once a user's device is infected as part of an ongoing Flax Typhoon APT campaign, the malware connects it to a botnet called Raptor Train, initiating malicious activity.

Source: Science Photo Library via Alamy Stock Photo

The Justice Department today announced a court-authorized operation to disrupt a botnet affecting 200,000 devices in the United States and abroad.

According to unsealed documents, the botnet, known as Raptor Train, is operated by People's Republic of China (PRC) state-sponsored hackers working for a company based in Beijing. Known publicly as Integrity Technology Group, it is also known as the advanced persistent threat (APT) group Flax Typhoon in the private sector.

A variety of connected and Internet of things (IoT) devices have been affected by the botnet malware, including small-office/home-office (SOHO) routers, Internet protocol cameras, digital video recorders, and network-attached storage (NAS) devices.

According to the Justice Department, the malware connected each of these affected devices to the botnet, which then conducted malicious cyberactivity designed as routine Internet traffic.

Integrity Technology Group, which is responsible for the malicious activities conducted by Flax Typhoon hackers, developed and controlled the botnet. In the past, Flax Typhoon has targeted government agencies, critical manufacturing, and information technology organizations in Taiwan as well as other countries. Not only this, but it has also attacked US and foreign universities, corporations, government organizations, and media organizations, among others. 

Related:Dark Reading Confidential: Pen Test Arrests, Five Years Later

"The Justice Department is zeroing in on the Chinese government-backed hacking groups that target the devices of innocent Americans and pose a serious threat to our national security," said US Attorney General Merrick B. Garland. "As we did earlier this year, the Justice Department has again destroyed a botnet used by PRC-backed hackers to infiltrate consumer devices here in the United States and around the world. We will continue to aggressively counter the threat that China's state-sponsored hacking groups pose to the American people."

The takedown was a joint effort between the FBI, the US Attorney's Office for the Western District of Pennsylvania, and the National Security Cyber Section of the Justice Department’s National Security Division, with collaboration of French authorities, Lumen Technologies, and Black Lotus Labs, the group that first identified the botnet.

Should a user believe that their device is compromised, they can contact an FBI field office directly, report online to CISA, or visit the FBI's Internet Crime Complaint Center (IC3).

FBI Leads Takedown of Chinese Botnet Impacting 200K Devices

By enhancing threat detection, enabling real-time risk assessment, and providing predictive insights, AI is empowering organizations to build more robust defenses against cyber threats.

Source: imageBROKER.com GmbH & Co. KG via Alamy Stock Photo

COMMENTARY

Traditional cybersecurity measures are increasingly inadequate against sophisticated threats in the rapidly evolving digital security landscape. Artificial intelligence (AI) has emerged as a transformative force to revolutionize risk assessment and management in the cybersecurity domain. As organizations grapple with an increasing array of cyber threats, AI-driven approaches to risk scoring are becoming more important and essential tools in the modern security arsenal.

At the forefront of this technological revolution is the development of AI-driven risk assessment models tailored specifically to cybersecurity threats. These systems are designed to identify vulnerabilities that often elude traditional methods by offering a more comprehensive and nuanced approach to risk scoring. Leveraging machine learning algorithms and deep neural networks, these AI models can analyze vast amounts of unstructured data, uncovering complex patterns and insights that might otherwise remain hidden from human analysts. These threats can range from univariate anomalies, like a user logging in from a different IP address, to more complex multivariate risks that involve deviations in user behavior patterns and anomalies in their typical sign-on activities.

A simple one-dimensional risk assessment approach is insufficient in real-life scenarios; instead, a weighted average risk system capable of detecting and evaluating these multivariate risks is essential. Each of these threat detection methodologies can and very well be independent of each other, assessing risks on different (combinations) of variables in play.

**An AI Advantage**

An important advantage of AI in cybersecurity is its ability to process and analyze data at a scale and speed far beyond human capabilities. These advantages enable real-time threat detection and dynamic risk scoring, which allows security teams to prioritize and respond to threats incredibly efficiently. By continuously analyzing network traffic, user behavior, and external threat intelligence, AI-driven systems can update risk scores in real time, providing a constantly evolving picture of an organization's security posture.

The integration of AI into risk-scoring systems also enhances the overall security strategy of an organization. These systems are not static, but rather learn and adapt over time, becoming increasingly effective as they encounter new threat patterns and scenarios. This adaptive capability is crucial in the face of rapidly evolving cyber threats, allowing organizations to stay one step ahead of potential attackers. An example of this in action is detecting anomalies during user sign-on by analyzing physical attributes and comparing them to typical behavior patterns. This approach helps prevent unauthorized access by identifying and blocking suspicious sign-ins before the user can enter the system.

**AI Is Not a Cure-All**

It's important, however, to realize that AI is not a cure-all for every cybersecurity challenge. The most impactful strategies combine the analytical power of AI with human expertise. While AI excels at processing vast amounts of data and identifying patterns, human analysts provide critical contextual understanding and decision-making capabilities. It's crucial for AI systems to continuously learn from the input of small and medium-sized enterprises (SMEs) through a feedback loop to refine their accuracy and minimize alert fatigue; this collaboration between human and artificial intelligence creates a robust defense against a wide range of cyber threats.

The application of AI in cybersecurity extends beyond threat detection. Advanced AI models are also being used to simulate potential attack scenarios, allowing organizations to proactively identify and address vulnerabilities before they can be exploited. This predictive capability represents a significant shift from reactive to proactive security measures, potentially saving organizations millions in breach-related costs.

AI's role in cybersecurity is expected to grow exponentially as AI technology continues to advance. Future developments may include more sophisticated predictive models, enhanced automation of threat response, and even AI systems capable of autonomously patching vulnerabilities. These advancements promise to create more resilient and adaptive security infrastructures, better equipped to handle the challenges of an increasingly digital world.

The integration of AI into cybersecurity risk-scoring systems represents a significant leap forward in the field of digital security. By enhancing threat detection, enabling real-time risk assessment, and providing predictive insights, AI is empowering organizations to build more robust defenses against cyber threats. As the digital landscape continues to evolve, embracing AI-driven approaches to cybersecurity will be crucial for organizations seeking to protect their assets and maintain their competitive edge in an increasingly interconnected world.

**About the Author**

AI and Data Science Leader, Cybersecurity Expert

Venkat Gopalakrishnan is an accomplished AI and data science leader with extensive experience driving AI initiatives in high-impact industries. The holder of two patents in AI and cybersecurity, Venkat has expertise in integrating traditional AI and generative AI into complex systems, having successfully led global teams and delivered innovative AI solutions across various domains, including cybersecurity, finance, and sales.

An AI-Driven Approach to Risk-Scoring Systems in Cybersecurity

The Coalition for Secure AI (CoSAI) expanded its roster of members with the addition of threat intelligence management, collaboration and response orchestration vendor Cyware this week.

Source: ElenaBS via Alamy

The Coalition for Secure AI is a collaborative open-source initiative that seeks to aid those looking to create secure-by design AI technologies. Its network of stakeholders in business and academia work together to develop holistic approaches and best practices, tools and methodologies to secure AI development and deployment. 

This week, threat intelligence management, collaboration and response orchestration vendor Cyware became a member of CoSAI. Google is one of the founding members. Existing members include OpenAI, Anthropic, Microsoft, IBM, Intel, Nvidia, and PayPal.

The coalition has established three work streams that focus on different areas: software supply chain security for AI systems, preparing defenders for a changing cybersecurity landscape, and AI risk governance. In the future it expects to expand into additional areas. Cyware will contribute as an expert in AI-enabled security solutions to help develop industry standards that prioritize safety, ethics and transparency in AI development, the company said.

CoSAI operates under OASIS Open, an international standards and open source consortium that seeks to help members advance projects in areas including cybersecurity, blockchain, IoT, emergency management, cloud computing and legal data exchange.

**About the Author**

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

Coalition for Secure AI Promotes Safe, Ethical AI Development

What happened to KnowBe4 also has happened to many other organizations, and it's still a risk for companies of all sizes due to a sophisticated network of government-sponsored fake employees.

Source: DD Images via Shutterstock

A postmortem on the accidental hiring of a North Korean threat actor at a security firm reveals a sophisticated, industrial-like network of fake IT workers carefully groomed to fool US companies into giving them employment for the financial gain of the North Korean government.

In July, security awareness training firm KnowBe4 was transparent in revealing how a software engineer the company hired turned out to be a North Korean threat actor who immediately began loading malware onto his company-issued workstation.

Though administrators managed to detect and shut down the malicious operation before any harm was done, the incident served as a wake-up call about the sophistication of a North Korean state-sponsored program that sends operatives posing as credible IT workers out into the workforce.

Within weeks of the company's public revelation, KnowBe4 heard from more than a dozen other organizations that had similar stories of either hiring or being solicited for work by North Korean actors, the company revealed in a white paper (PDF) released this week.

Companies from the size of Fortune 500 organizations to small businesses with only 12 employees accidentally hired North Korean fake employees, with organizations with largely remote workforces being at the highest risk.

Related:Dark Reading Confidential: Pen Test Arrests, Five Years Later

"It turns out that the North Korean fake employee problem is a complex, industrial, scaled nation-state operation, and it is likely that thousands of organizations around the world have or are now involved in accidentally hiring North Korean fake employees," Roger Grimes, KnowBe4 data-driven defense evangelist, wrote in the report.

**Anatomy of a State-Sponsored Fake Employee Program**

The fact that the fake worker scheme is much more widespread than initially believed and that the people taking part in them are "exceptionally skilled" are the greatest lessons learned from KnowBe4's experience, Erich Kron, security awareness advocate at KnowBe4, tells Dark Reading.

"The ability to pass background checks, combined with the willingness and ability to interview on several Zoom calls is indicative of just how polished their program is," he says. "They seem to have processes in place that work exceptionally well on organizations both large and small."

The program takes advantage of a cultural shift in employment among US organizations over the past several years that has made companies more susceptible to placing workers with malicious intent in legitimate positions, Kron says.

This shift is a combination of organizations embracing the remote-work model, and the modern interest in hiring people from around the globe based on their knowledge and abilities rather than geographical location, he says.

Related:FBI Leads Takedown of Chinese Botnet Impacting 200K Devices

"This is extremely challenging when many of the best candidates and people knowledgeable with cutting-edge technology are not US-born and may have strong accents that may have been a barrier to hiring in the past," Kron says. "Multicultural workforces are not only common in the modern business world but are critical if organizations wish to hire the top talent in their fields."

**A Look Behind the Curtain**

KnowBe4 learned much about how the various aspects of the North Korean program operate in the wake of the company's own incident. The company discovered that the chief goal of this program is financial gain, though operatives also to a lesser extent engage in cyber espionage and even corporate sabotage activities, once joining an organization.

Overall, there are four parts that are integral to making the fake employee scheme work: North Korean-based program leaders; North Korean employees and managers based in other countries; non-Korean scheme assisters that are usually based in the country where the job is located; and infrastructure to assist with accepting payments, generating fake identities or stealing real identities, creating fake employee websites and projects, giving references, money laundering, document forgery services, and other supporting activities.

Related:Zero-Click RCE Bug in macOS Calendar Exposes iCloud Data

The employees are often skilled IT workers and developers trained at North Korean universities, and are usually located in foreign countries, such as China, in shared living spaces and workspaces. They usually work in busy call-center-like spaces; in fact, organizations that interviewed or hired these fake employees often noted the noisy background, Grimes observed.

KnowBe4 described the employees ensnared in the program as themselves unfortunate victims of a type of human trafficking. They receive very little of the earned revenue, with most of it benefiting the North Korean government. Moreover, close family members stay back in North Korea "to be used as personal leverage to force the employee to toil long hours for very little wages," Grimes wrote.

**How to Spot a North Korean Fake Employee**

KnowBe4 offered substantial guidance for organizations during the hiring process to help them spot a North Korean threat actor before taking that person on board, as well offered after-hiring advice in case an operative makes it onto an IT team.

Some characteristics and behaviors in a candidate to look out for include the person being of Asian decent who is not highly skilled in English, though he or she claims to have always lived in the US. The person will be using a fake identity, a fake ID credential, and a fake work history that will all fail an secondary verification.

The candidate also will supply personal websites, profiles, or GitHub sites that seem overly basic, "often saying something and nothing at the same time, or you can find very similar sites and profiles," Grimes wrote. These sites and profiles also will have been posted only very recently and will have no Internet presence outside of the properties supplied by the candidate.

After hiring, organizations may detect unnecessary logins by the employee on the remote device provided by the company, from an IP address that doesn't match the claimed geographical location, or other unusual behavior. Employees also may work hours inconsistent with the time zone where they claim to be located.

Because the motivation for the threat actors is financial, another red flag after hiring is a request to be paid in unusual or strange payment schemes, including the demand for virtual currency.

**Protecting Your Organization**

If an organization suspects a person is a threat actor during the hiring process, it should be reported immediately to senior management for support in vetting the person's legitimacy. KnowBe4 also advised that organizations "threat model" their hiring process and make updates to mitigate the risk of hiring fake employees, such as sharing the warning signs for these actors with those in the direct hiring process.

Indeed, "reviewing hiring processes and reworking them around lessons learned from the experience has been critical" to KnowBe4's incident recovery, and "well worth the investment" to ensure the scenario doesn't repeat itself, Kron says.

If a company does suspect that one of its employees is a North Korean actor, KnowBe4 advised that any device supplied to the person by the company is immediately locked down to the bare minimum access, and monitored for unusual activity, malware, log modifications, or unexpected language changes. The company also should take further steps to monitor employee activity and, of course, remove the person from the job if suspicions prove true.

In retrospect, KnowBe4 has learned that even though it already had a strong security culture with many controls in place that allowed the company to mitigate the situation quickly, "there is always room for improvement," Kron says.

"Having been through this has allowed us to become even more secure than we were previously," he says, "and by sharing the lessons we learned, we hope it will help others."

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Security Firm's North Korean Hacker Hire Not an Isolated Incident

By accessing the MSSQL, threat actors gain admin-level access to the application, allowing them to automate their attacks.

Source: ADDICTIVE STOCK CREATIVES via Alamy Stock Photo

Threat actors have been targeting Foundation accounting software commonly used by general contractors in the construction industry, leveraging active exploits within the plumbing, HVAC, and concrete sub-industries, among others.

Researchers at Huntress initially discovered the threat when tracking activity on Sept. 14. "What tipped us off was host/domain enumeration commands spawning from a parent process of sqlservr.exe," the researchers wrote in their advisory.

The software that the application uses includes a Microsoft SQL Server (MSSQL) instance for handling its database operations. According to the researchers, while it's common to keep database servers on an internal network or behind a firewall, Foundation software contains features that allow access through a mobile app. Because of this, "the TCP port 4243 may be exposed publicly for use by the mobile app. This 4243 port offers direct access to MSSQL."

In tandem, Microsoft SQL Server has a default system admin account, known as "sa," which has full administrative privileges over the entire server. With such high privileges, these accounts can enable users to run shell commands and scripts.

The threat actors targeting the application have been observed brute-forcing the application at scale as well as using default credentials to gain access to victim accounts. In addition, threat actors appear to be using scripts to automate their attacks.

It's recommended that organizations rotate their credentials associated with Foundation software and keep installations disconnected from the Internet to prevent falling victim to these attacks.

**About the Author**

Contractor Software Targeted via Microsoft SQL Server Loophole

Thought to be Brazilian in origin, the remote access Trojan is the "perfect tool for a 21st-century James Bond."

Source: Valentin Valkov via Shutterstock

"SambaSpy," a recently surfaced remote access Trojan (RAT), is loaded up with a Swiss Army knife-like set of functions for spying on victims and stealing data from them. Its creators, thought to be Brazilian, have also made the versatile RAT hard to detect and analyze by obfuscating it with Zelix KlassMaster, a legitimate Java obfuscation tool that developers often use to protect their code against reverse engineering and unauthorized modification.

**The Perfect Tool?**

Researchers at Kaspersky first spotted SambaSpy in May. "The malicious campaign we uncovered was exclusively targeting victims in Italy," Kaspersky said in a report this week. "It's likely that the attackers are testing the waters with Italian users before expanding their operation to other countries." More recent evidence suggests the attackers may be expanding to targets in Spain, Brazil, and potentially other countries, Kaspersky said.

SambaSpy is a RAT that an attacker can use to download and upload files, manage the file system and processes, load additional plug-ins, and take complete remote control of a compromised system. Among other functions, the RAT can also take screenshots, steal passwords, control webcams, and log keystrokes. It's a combination of capabilities that Kaspersky assessed would make the malware "the perfect tool for a 21st century James Bond villain."

Threat actors use remote access Trojans like SambaSpy for a variety of reasons. Some common use cases include targeted information stealing, dropping other malware, credential stealing, and cyber espionage.

**Testing the Waters**

SambaSpy's feature set appears to make the malware suitable for any of these purposes. Like most other RATs — and indeed any malware for that matter — the alleged Brazilian threat group behind it is distributing the malware via phishing emails spoofed to appear like they are from a real estate company.

Users who click on the call-to-action in the email are redirected to a website that checks the victim's operating system language and the browser. If the OS is in Italian and if the browser is Edge, Chrome, or Firefox, the malicious site injects a malicious PDF file containing either a dropper or a downloader that each do the same thing: install SambaSpy on the victim system. As is common with most modern malware, the SambaSpy dropper/downloader first checks if it has landed on a virtual system, before installing the malware. Interestingly, if the OS language is not Italian, the malicious website redirects the potential victim to a legitimate website for online invoices.

Though the tactic of using email to deliver SambaSpy might seem low-tech, it remains the most effective vector for initial access. A Trend Micro study conducted earlier this year showed email to be among the top initial access vectors; Trend Micro claims that 73.8 billion of the more than 161 billion threats that it blocked in 2023 used email as the initial access vector. The company expects such attacks are going to continue with generative AI tools that let attackers craft phishing lures that will also get progressively harder to spot.

"For the attackers, it doesn't really matter who they hit, nor are the particulars of the phishing bait important," Kaspersky said. "Today, it might be an invoice from a real estate agency; tomorrow, a tax notification; and the day after that, airline tickets or travel vouchers."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Packed With Features, 'SambaSpy' RAT Delivers Hefty Punch

Criminal actors are finding their niche in utilizing QR phishing codes, otherwise known as "quishing," to victimize unsuspecting tourists in Europe and beyond.

Source: Westend61 GmbH via Alamy Stock Photo

In what seems to be an increasingly popular method of attack, two threat groups have been identified as utilizing QR code parking scams in the UK and throughout the world.

The researchers at Netcraft believe that one of the groups is active across Europe, especially in France, Germany, Italy, Switzerland, and the UK. According to initial reports of the threat, threat actors trick unsuspecting victims into scanning malicious QR codes and entering their personal information. And the damage doesn't stop there — ultimately, because the QR codes are fake, users aren't registering their cars for parking, meaning that they're likely to be hit with a double whammy: potential financial fraud and a parking ticket.

The threat first came to public notice in August when British car insurer RAC published a warning advising drivers to be vigilant and only pay with card, cash, or official parking apps already installed on their phones. The potential victim count so far is roughly 10,000 within just a two-month span, according to their report released today.

The scams are gaining so much traction that they're stretching beyond Europe, to Canada and the United States, prompting the FBI to issue alert number I-011822-PSA, "Cybercriminals Tampering with QR Codes to Steal Victim Funds," to bring awareness to an issue they suspect will only continue to grow.

**No-Parking Zone**

In the United Kingdom, it first began with what the researchers called a "wave of malicious QR codes appearing across the city center" of London. The fake QR codes would be found printed on adhesive stickers and posted on parking meters. After scanning the QR code, the user turned victim would be directed to a phishing website impersonating a legitimate parking payment app, PayByPhone.

The scams spread across Britain, and peaked from June to September, with the threat actors were getting traction with, or perhaps specifically targeting, tourists in areas such as Blackpool, Brighton, Portsmouth, Southampton, Conwy, and Aberdeen.

With roughly 30 parking apps currently being used in the UK, these criminals are likely to find success preying on tourists who need to access public parking with easy and accessible payment options. 

And though the current research focuses on how these schemes impact parking and tourists in particular, Robert Duncan, vice president of product strategy at Netcraft, stresses to Dark Reading that the threats carry risk in business context, pointing out a rash of corporate Microsoft 365 "quishing" attempts that exploited corporate users who used their own devices, thus excluding them from the enterprise's security perimeter and leaving them open to any potential threats. 

**PayByQuish?**

One criminal group using these methods is specifically impersonating PayByPhone, and follow a series of steps to execute their scam.

First, the threat actor "deploys boots on the ground resources" to set up the attack and affix the QR codes to parking payment machines, Duncan explains. Next, the victims scan the malicious, fake QR code and are unknowingly directed to a phishing website. The victim then follows the steps to enter their personal details: the parking lot location code, their vehicle details, parking duration, and lastly — and most damaging — their payment-card details.

Once this is completed, the website will display a "processing" page to simulate the legitimate user experience. The payment is then "accepted," and the phishing website confirms the entered details before directing the victim to the real PayByPhone website. 

According to the researchers, in some cases the phishing group sends the victim to a failed payment page, asking them for an alternative payment method. This only exacerbates the issue by collecting more card info and further adding to the funds that the threat actors can steal from.

Evading criminal groups' schemes seems a difficult task when it presents itself so well as a legitimate operation. But the researchers have found that there are certain markers that can help potential victims detect a scam. For instance, 32 domain names with the same scam all displayed the following characteristics:

1.  Registered with NameSilo.
    
2.  Using .info, .click, .live, .online, and .site top-level domains (TLDs) rather than .com or common country-specific TLDs.
    
3.  The sites appeared to be protected by Cloudflare.
    

**How Businesses Can Avoid the Quish Hook**

As these kinds of threat continue to grow, and possibly develop into new business sectors (such as quishing threats infiltrating restaurants or retail stores), Duncan notes that it won't be easy to defend against. 

"It's quite difficult for businesses to defend against rogue QR codes being placed over existing ones," he says. "It's also harder to protect customers using mobile devices who may not have as many built-in security measures as on desktop devices. In this case, an online brand protection platform with broad URL-based threat intelligence with QR code support can help."

Ultimately, Duncan says, there is no foolproof solution to preventing these threats as "both fake and legitimate QR codes often use URL shorteners, which makes it very hard to tell apart." Instead, he recommends that users avoid scanning QR codes and instead look up parking apps in official app stores.

"There's a lot of potential for QR code misuse," he adds. "You're often on a mobile device, where controls can be weaker. Watch this space."

Source

DARKReading