**PRESS RELEASE**

**LONDON** **and** **MIAMI****,** **Oct. 26, 2023** **/PRNewswire/ --** Sumsub, a full-cycle verification platform, today releases its "State of Verification and Monitoring in the Crypto Industry 2023" report. The findings focus on the regulations and verification practices for crypto companies, with highlights from verification performance and identity fraud statistics.

The intention of the report is to provide crypto businesses with a clear understanding of industry verification standards and trends, offering insights into enhancing user experience and improving operations. To gather direct insights, Sumsub conducted a survey among 100+ crypto companies, and combined its results with expert interviews of professionals in the crypto industry. Overall, 800,000+ fraud attempts were studied for this report. All data was aggregated and anonymized.

Key findings from the report include\*:

*   77% of crypto companies observed new fraud patterns and schemes this year, with attack methods becoming more professional;
*   Deepfakes remain a growing concern for the crypto industry, with 70% of companies noting their increasing popularity among fraudsters;
*   In 2023, the number of deepfakes in the crypto industry increased by 128% compared to 2022;
*   55% of crypto companies reported an increase in fraud\-related losses – both financial and reputational – connected to applicants;
*   The shift from document-based to Non-Doc Verification solutions is underway in crypto, demonstrating faster verification, from 38 to as fast as five seconds and from 46 to as quick as three seconds in Brazil and Ghana, respectively. 

_"As the_ crypto _industry continues to evolve, we see a global trend of decreasing onboarding time for_ crypto _users,"_ comments Jacob Sever**, co-founder and Chief Innovation Officer of Sumsub**. _"From 2022 to 2023, verification time nearly halved across all regions, driven by the growing expectation of swifter processes among users. As such, providers face the challenge of complying with increasingly stringent regulations, making solutions such as Non-Doc Verification essential. By expediting onboarding processes,_ crypto _firms eliminate the need for users to upload any documents, better allowing providers to keep pace with industry demands and enhance pass rates, all while thwarting the threat of synthetic_ fraud_."_

To download the free "**State of Verification and Monitoring in the** Crypto **Industry 2023**" report, visit https://sumsub.com/crypto-report-2023/.

_\* The statistics presented in the report are based on Sumsub's internal data on millions of verification checks analyzed in the first 8 months of 2023 and the same period in 2022._

**About** **Sumsub**

Sumsub is a full-cycle verification platform that secures the whole user journey. With Sumsub's customizable KYC, KYB, transaction monitoring and fraud prevention solutions, you can orchestrate your verification process, welcome more customers worldwide, meet compliance requirements, reduce costs and protect your business.

Sumsub has over 2,000 clients across the fintech, crypto, transportation, trading, e-commerce and gaming industries including Binance, Mercuryo, Bybit, Huobi, Unlimit, DiDi, Poppy and TransferGo.

SOURCE Sumsub

70% of Crypto Companies Report Deepfake Fraud Rise

The industrial automation giant agrees to buy Verve Industrial Protection, joining in an ICS trend of bringing cybersecurity capabilities in-house to keep up with attackers.

Manufacturers of industrial automation and control systems continue to scoop up industrial cybersecurity firms to provide customers with more protection for their factories and facilities.

This week, Rockwell Automation agreed to acquire Verve Industrial Protection, a cybersecurity software and services firm, which will become part of Rockwell's Lifecycle Services division. The acquisition follows the July commitment by Honeywell to buy SCADAfence, an operational technology and IoT security firm, as a way to acquire asset discovery and threat detection capabilities. And just last week, technology firm Siemens announced an all-in-one testing suite for industrial networks — partnering with Tenable on the initial testing tools, but committing to including more third parties in the future.

The large manufacturers are trying to catch up with attackers and fix their cybersecurity shortcomings, says Katell Thielemann, distinguished vice president analyst at business intelligence firm Gartner.

"OEMs are on a bit of a redemption journey," she says. "Their end-user clients are starting to be vocal about buying multimillion-dollar assets that contain vulnerabilities and misconfigurations, and then having to pay million-dollar support services contracts that allow fixes downstream."

An additional impetus for Honeywell, Siemens, and Rockwell to acquire cybersecurity services comes from the desire to create additional channels for sales, says Dale Peterson, CEO and founder of Digital Bond, an ICS consultancy.

"What we are seeing is the large ICS vendors are developing practices to sell cybersecurity products and services — sometimes through acquisition ... and sometimes through partnerships," he says. "It's unclear if this will be successful or how committed they will be to this in tough times."

**Target Threats Tailored to ICS**

The acquisition announced comes as attackers are increasingly targeting industrial control systems (ICS) and the industrial Internet of Things (IIoT). In May 2021, an attack on Colonial Pipeline's information systems resulted in the company shutting down pipelines, causing a fuel shortage along the East Coast of the United States.

Overall, 77% of attacks on critical infrastructure came from state-affiliated actors and organized criminal groups, according to an analysis of 122 public incidents published by Rockwell Automation last month. The largest share of attacks (39%) hit the energy sector, with critical manufacturing, transportation, and nuclear sectors each accounting for another tenth of attacks, according to the report.

Attackers are increasingly targeting industrial automation and safety equipment with tailored malware, while defenders have seen "a worrisome increase in disclosed vulnerabilities in industrial cyber-physical systems," says Thielemann. Typically, the vast majority (84%) of attacks have come through IT networks, while only 14% have initially infected an OT device, according to Rockwell's report.

Operators of industrial systems need to know what devices are present in their OT and IT networks, which are vulnerable, and which can be patched, she says.

"As the threat landscape starts to pose a clear and present danger in production environments, it is critical to know what assets you have, and to shift from a network-centric view of security to an asset-centric one," Thielemann says.

**Industrial Automation Struggles With Security**

The Rockwell-Verve merger might also be a way to change the industrial control system and automation industries' mindset on security. Operators typically have not had good visibility into the devices and equipment deployed to their operational networks, and patching equipment that have lifecycles of decades when dealing with software with lifecycles of years is a complex problem.

Rockwell Automation has rolled out signed firmware and support for CIP Security for defense-in-depth, supporting device identification and authentication using certificates on devices, says Peterson.

Still, industrial automation providers have a ways to go to earn their customers' confidence that they will put security ahead of profits, he says.

"\[W\]hether the asset owner will trust the ICS vendor to be straightforward about risk when it reflects poorly on their own systems or reflects positively on a competitor" is an open question, Peterson says. "All this to say that the ICS vendor as a channel for ICS security products and services is unproven."

Rockwell Automation did not disclose the details of its purchase agreement with Verve. The company noted that the acquisition must meet regulatory approvals and should close in the first quarter of its fiscal year in 2024.

Rockwell's Verve Buy Enlivens Critical Infrastructure Security

Nation-state hackers are using hybrids to ensnare those in the maritime, shipping, and logistics industries.

A threat actor sponsored by the Islamic Republic of Iran has been using watering-hole attacks, with a new malware downloader and a budding new method of infection, against Mediterranean organizations involved in the maritime, shipping, and logistics sectors.

These latest tactics and tools represent in some ways a continuation, and in other ways an evolution, for the group variously known as Tortoiseshell, Imperial Kitten, TA456, Crimson Sandstorm, and Yellow Liderc, according to a blog post this week from PricewaterhouseCoopers. The Islamic Revolutionary Guard Corps-backed threat actor has previously been recorded using watering holes, phishing domains, highly targeted emails, fake social media accounts, and more, in its globe-spanning espionage campaigns.

**Yellow Liderc's Latest Campaign**

Since 2022, Yellow Liderc has been compromising legitimate websites and using them to insert malicious JavaScript. The JavaScript fingerprints unwitting visitors, capturing details such as their location, device, time of visit, and so on. If a visitor matches a specific profile — in this case, entities along the Mediterranean associated with maritime, logistics, and shipping — they will be served further malware.

The malware in question is "IMAPLoader," a dynamic link library (DLL) written in .NET, which uses email as a means of command-and-control (C2) communication.

This new sample is in most ways similar in function to Yellow Liderc's previous loaders. It distinguishes itself, however, in its advanced method of infection: a technique known as "appdomain manager injection." First demonstrated by a proof-of-concept (PoC) called "GhostLoader" in 2020, hackers or red teamers can use it to circumvent tools designed to detect a DLL or executable being loaded onto a Windows machine.

After slyly injecting itself on a host computer deemed of high value, IMAPLoader communicates with the attackers' Russian-hosted, very American-sounding email addresses — leviblum\[@\]yandex.com and brodyheywood\[@\]yandex — where further payloads lie.

**Yellow Liderc's Tactics and Targets Vary**

Anyone who tries to defend against Yellow Liderc simply by accounting for this method of injection, or this malware, will end up falling short. The group has been known to cycle through and combine various tactics, techniques, and procedures over the years.

"What we've seen more often and most recently is reconnaissance emails," says Joshua Miller, senior threat researcher at Proofpoint. Since 2021, he says, it has used the open source red-team tool GoPhish to insert malicious links into fake newsletters impersonating legitimate organizations. But it's also got more, weirder strategies in its arsenal. In 2021, Proofpoint described an elaborate, yearslong ruse they ran, posing as a woman named Marcella Flores, in order to phish a specific employee at an aerospace company.

Recently, Proofpoint observed a unique cluster within the same APT targeting workers and organizations in the healthcare, technology, and the nuclear division of a European energy company. According to PwC, it remains an ongoing threat not just to all of these industries and regions thus far named, but also the automotive, defense, and IT industries, in places as far and wide as the Middle East, South Asia, and North and South America.

Perhaps the only consistent elements of a Yellow Liderc attack are the minor discrepancies between the email sender, newsletter, or website one expects, and the actual sender or experience they're delivered.

"Look for any unusual network traffic," Miller advises, and pay attention to suspicious emails. "Checking who's sending an email is important. I know that we say that all the time, but it's true and important for this sort of case."

Iran APT Targets the Mediterranean With Watering-Hole Attacks

The English-speaking cyberattack group behind the MGM and Caesars Entertainment attacks is adding unique capabilities and gaining in sophistication. Prepare now, Microsoft says.

"One of the most dangerous financial criminal groups" — and growing in sophistication. That is Microsoft's assessment of the 0ktapus cyberattack collective, which was most recently in the news for carrying out the strikingly disruptive MGM and Caesars Entertainment ransomware hits.

The English-speaking group (aka Scatter Swine, UNC3944 or, as Microsoft calls it, "Octo Tempest") typically engages in adversary-in-the-middle (AitM) techniques, social engineering involving calling up targets directly, and SIM swapping. It's been known to carry out cryptocurrency theft, data-leak extortion, and ransomware attacks (it became a BlackCat/ALPHV affiliate in mid-2023). Aside from the casino/hospitality wins in September, it previously made a name for itself by specializing in successfully compromising Okta credentials in a spate of attacks, including the widespread Twilio leak last August.

The threat has been evolving in recent campaigns, according to a detailed Microsoft analysis this week, and it exhibits a notable level of sophistication for which organizations need to actively prepare.

"We observed Octo Tempest leverage a diverse array of tactics to navigate complex hybrid environments, exfiltrate sensitive data, and encrypt data," according to the report, which delves into the granular details of 0ktapus' arsenal. "Octo Tempest leverages tradecraft that many organizations don't have in their typical threat models. The well-organized, prolific nature of Octo Tempest's attacks is indicative of extensive technical depth and multiple hands-on-keyboard operators."

**0ktapus' Unique Technique**

For instance, 0ktapus has recently turned to a unique technique using the data movement platform Azure Data Factory and automated development pipelines, Microsoft warned; the goal appears to be data exfiltration via attacker-controlled Secure File Transfer Protocol (SFTP) servers, looking to hide amid a victim's legitimate big data operations.

"Additionally, the threat actor commonly registers legitimate Microsoft 365 backup solutions such as Veeam, AFI Backup, and CommVault to export the contents of SharePoint document libraries and expedite data exfiltration," according to Microsoft.

Roger Grimes, data-driven defense evangelist at KnowBe4, noted that 0ktapus's large spectrum of possible attacks and motives creates challenges for organizations. 

"Every organization must create its best defense-in-depth cyber defense plan using the best combination of policies, technical defenses, and education, to best mitigate the risk of these attacks," he said in an emailed statement. "The methods and sophistication of these attacks must be shared to employees. They need lots of examples. Employees need to be able to recognize the various cyberattack methods and be taught how to recognize, mitigate, and appropriately report them."

He added, "we know that 50% to 90% involve social engineering and 20% to 40% involve unpatched software and firmware, so whatever an organization can do to best fight those two attack methods is where they should likely start."

Microsoft: 0ktapus Cyberattackers Evolve to 'Most Dangerous' Status

With Google's announcement of seven years of support, other smartphone makers risk falling behind.

Consumers want their devices to be secure and need to be supported for longer, according to Omdia's new survey of 1,578 consumers across 13 major countries in the Americas, Asia & Oceania, and Europe in September 2023. Google and Fairphone are pushing this forward, but governments are also stepping in to ensure security is taken seriously —  benefiting consumer safety and the environment.

**The Need for Security Updates**

While every effort can be put in place by a device manufacturer to ensure the device is "secure by design" or even certified to regulatory or standardized requirements, vulnerabilities are constantly evolving. Updates are key to ensure that new vulnerabilities are found and remediated in a timely manner.

This is happening as consumers increasingly use their mobile phones for sensitive activities such as online banking, identity verification and even relying on services such as Apple or Google Pay.

The update support period is therefore crucial, as well as the frequency of updates and the ability for security-specific updates to be rolled out independent of wider software updates — which is now offered by many of the leading smartphones.

**How Much Support Do Consumers Need?**

Security update periods and replacement cycle rates are frequently a topic of discussion among those pushing for sustainable tech. There's also skepticism as to how long devices should realistically be updated for, with some questioning the usefulness of five-year+ support.

However, shedding light on the actual usage of mobile devices makes it clear that the longer the support, the better — for both security and sustainability. As such, we asked consumers how long they are using their smartphones.

Security updates for many phones under $500 only last two years, yet 56% of consumers used their previous phone for longer. While premium phones typically have five years' support, more than 5% reported that they kept their previous phone longer — beyond the support of any phone available at the time. This also doesn't take into account how late after release the consumer is buying it; if you bought a Samsung Galaxy S22 Ultra now, you'd get a little over three years of support. If you bought a refurbished iPhone 11, you'd get under 1 year. This is effectively stifling a growing second-hand phone market — and leaving those devices potentially vulnerable.

Currently the only phones to offer more than five years of guaranteed security updates are the Google Pixel 8 and Pixel 8 Pro (seven years) and the Fairphone 5 (eight years). Longer updates can help to slow replacement and production rates, effectively keeping working phones in consumers' hands for longer. By reducing phone production, it drastically reduces the environmental impacts of the smartphone industry.

    

Source: Omdia

**Who's Responsible?**

Fifty percent of consumers believe it should be the operating system developer (either Apple or Google) that is responsible for the security of their smartphone. However, how long a phone is supported is primarily down to the device maker and its negotiations with the chipset maker.

Apple and Google are in the unique position of making their own chip, device, and operating system. They are, therefore, their own arbiters. This is likely how Google can commit to seven years — but for Samsung and other Android brands, it would be a more complex process.

Ultimately, regulatory pressure, discussed below, will put mandatory security requirements on device manufacturers, and in some cases importers and distributors, to ensure device update transparency.

    

Source: Omdia

**Security Is a Key Purchase-Driver**

Consumers have security top-of-mind when considering their next phone. Forty-six percent confirmed better security features would be a purchase driver, while just 7% said no.

Sixty-nine percent of survey respondents said good security features were critical or important when deciding which smartphone to purchase, although this is second to key hardware specs such as long battery life, durability, and processor speed. When comparing two similar phones, security and brand trust could become the most important and deciding factor.

**Governments, Policymakers and Standards Bodies Must Step In**

There has historically been a lack of standardization and transparency from equipment manufacturers on security measures for their devices. As a result, governments and standards bodies are developing standards to define baseline requirements, defining product labels to increase consumer visibility and choice, and eventually mandating minimum security requirements.

For example, while Apple has historically given five years of support, it's not transparent at launch; if you just bought a new iPhone 15, you have no official commitment from Apple that it will be supported for two years or five. But with the UK's Product Security and Telecommunications Infrastructure (PSTI) Act, the support period must be stated at the point of sale, from April 2024.

The UK PSTI is just one example, with guidance and legislation being proposed in the US, EU, China, Japan, Korea, and more. While mobile devices are sometimes out of the scope of IoT legislation and government guidance, the proposed EU Cyber Resilience Act will include operating systems for mobile devices — mandating security updates for at least five years, among other requirements.

All manufacturers of connected devices should prioritize and adopt standards and guidance such as the widely referenced ETSI EN 303 645 (Cybersecurity for Consumer IoT) or TS 103 732 (Consumer Mobile Device Protection Profile) to future-proof for upcoming regulation. Further, although at the current time labelling is voluntary, device makers can and should ensure and empower consumer choice by opting in to labelling and certification schemes.

Longer Support Periods Raise the Bar for Mobile Security

The cybercrime recruitment and mentoring hub conducted a variety of cybercrimes including business email compromise.

Nigerian police arrested six men they believe are associated with a cybercrime recruitment and mentoring hub.

During interrogation, the six men — aged from 19 to 27 — admitted to activities including identity theft, hacking and trading of hacked Facebook accounts, romance scams, computer-related forgery, and other computer-related fraud, according to a statement from the Nigerian police force.

Police also said intelligence reports indicated involvement by the syndicate in other high-level cybercrimes, including business email compromise and high-yield investment program fraud.

A police spokesperson said in a statement that the arrested suspects will be charged upon the conclusion of the investigation, while "efforts to apprehend the fleeing members of this criminal network are underway," suggesting there are more people involved.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Nigerian Cybercrime Hub Shut Down With 6 Arrests

Companies are advised to act now to protect networks while federal employee paychecks are still forthcoming. Public agencies are updating contingency plans before the November extension ends, while cyber stalkers get an extra month to plan, too.

At the last moment on Sept. 30, Congress passed a bipartisan bill to fund the federal government for another 45 days, avoiding a government shutdown for now. Given the uncertainty regarding funding, the Office of Management and Budget has instructed agency leaders to prepare for a potential shutdown, and those plans must remain in motion until longer-term spending bills are approved. If the government does shut down in mid-November, hundreds of thousands of federal employees will be furloughed. Many more will continue working, with or without pay. With so many variables at play, what could a shutdown in November mean for the nation's cybersecurity?

**The Potential for Insider Threats and Disgruntled Employees

The potential shutdown sends a powerful message to government employees — either that they are not essential, or that their work is but paying them is not. This could create insider threats, as employees feel their work is devalued at the same time that they lack the funds to pay their own bills at home. It's not hard to imagine some upset people trying to find another way to get paid, even if that involves working with — or for — a cybercriminal.

****Nation-State Opportunities**

A shutdown might motivate nation-state actors to conduct an attack, taking advantage of the uncertainty to increase the chance of further disruption. Reportedly, the Cybersecurity and Infrastructure Security Agency (CISA) was already preparing to furlough more than 80% of its workforce.

Given that a significant portion of CISA's mission involves proactively monitoring threats and educating public and private sector stakeholders about emerging dangers, the ability to effectively communicate and raise awareness among stakeholders may become constrained. The question remains: Can we afford to operate our cyber agency at such a reduced level — and could malicious actors take advantage of its impact? If nation-state actors weren't already prepared for this possibility, the 45-day extension provides more opportunity to put such plans in place.

**Meeting Regulatory Requirements**

It's not just the public sector and critical infrastructure that will be affected, either. If malicious actors seize this opportunity, how will public companies handle material incident disclosure? The Securities and Exchange Commission (SEC) recently adopted new rules (PDF) to "enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incidents by public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934." But if a serious cybersecurity incident occurs, how will public companies report it within the allotted four-day time frame? Who will help these entities respond to, analyze, and investigate those incidents if most of CISA is furloughed, along with other government agencies that assist in incident response? Will every organization, public or private, have to turn to incident response companies, and just hope that they can get the support they need?

**Are Understaffed Agencies Prepared?**

Despite the looming possibility of a government shutdown, various other governmental policies and decisions persist in their progression. Take, for instance, the resumption of student loan repayments in October, which have been on a three-year hiatus due to the COVID-19 pandemic. It is imperative that the system continues to anticipate a surge in new activity but also bolsters its defenses against potential cyberattacks. During the last government shutdown in 2019, .gov websites also became inaccessible because of expired TLS certificates, which can put personal information at risk of man-in-the-middle attacks and users susceptible to fraud and identity theft.

**Prepare for Disruption**

There have been 14 shutdowns since 1981, according to the Congressional Research Service, many lasting only a day or two, so it's hard to know what to expect. Many of the government agencies have not updated their contingency plans in 2023 (just 39 out of 114 have updated plans). While the government continues to urge public and private sectors to improve cybersecurity readiness, it's easier said than done.

As the government agencies continue preparations for a potential shutdown, the private sector must prepare for the potential fallout. Regardless of whether a significant attack occurs during a government shutdown — in November or sometime in the future, it's certainly a risk to be considered. All organizations would be best served by doing their best to protect their complex networks now, regardless of whether long-term government funding is in place.

What Would a Government Shutdown Mean for Cybersecurity?

Sophisticated Windows and Linux malware for stealing data and conducting cyber espionage has flown under the radar, disguised as a cryptominer.

Malware thought to be a mere cryptominer was actually a sophisticated spy platform for both Windows and Linux systems; it already has infected more than 1 million victims.

StripedFly was classified and widely dismissed as a largely ineffective malware for mining crypto when it was first detected in 2017. But since then, it has actually been operating as an intricate piece of modular malware that allows attackers to achieve persistence on networks and comprehensive visibility into their activity, as well as exfiltrate credentials and other data at will, researchers from Kaspersky revealed in a blog post published Oct. 26.

While StripedFly can indeed mine Monero cryptocurrency, that's just the tip of the iceberg for its capabilities — something the researchers discovered last year and investigated thoroughly before releasing their findings publicly.

"What we discovered was completely unexpected; the cryptocurrency miner was just one component of a much larger entity," Kaspersky researchers Sergey Belov, Vilen Kamalov, and Sergey Lozhkin wrote in the post.

Overall, the platform appears to be "a hallmark of APT malware" that includes a built-in Tor network tunnel for communication with command-and-control (C2) servers, along with update and delivery functionality through trusted services such as GitLab, GitHub, and Bitbucket, all using custom encrypted archives, they revealed.

Moreover, StripedFly appears to have already infected more than 1 million systems based on updates the researchers obtained from a Bitbucket repository associated with the malware and created on June 21, 2018, under the account of someone using the name Julie Heilman.

The researchers said the discovery of the breadth of StripedFly is "astonishing," especially given that it has successfully evaded detection for some six years.

**Breaking Down StripedFly**

The core structure of the malware is as a monolithic binary executable code that supports various pluggable modules so attackers can extend or update its functionality. Each module — which either is there to provide a service or extended functionality — is responsible for implementing and managing its own callback function for communication with a C2 server.

The platform first manifests itself on a network as a PowerShell that appears to use as its initial entry mechanism a server message block (SMB) exploit that appears to be a custom version of EternalBlue, which was leaked in April 2017 and continues to threaten unpatched Windows servers.

StripedFly uses various methods for persistence depending on the availability of the PowerShell interpreter and the privileges granted to the process. "Typically, the malware would be running with administrative privileges when installed via the exploit, and with user-level privileges when delivered via the Cygwin SSH server," the researchers wrote.

In terms of its modules, the malware has three to perform specific services related to its functionality, and six that actually execute that functionality. The service modules are for configuration storage, upgrading and uninstalling the malware, and reverse proxy.

The functionality modules are varied and comprehensive to provide attackers with a laundry list of capabilities, allowing them to consistently spy on the activities of a victim's network. In addition to the aforementioned Monero cryptominer, the modules are: a miscellaneous command handler; credential harvester, repeatable tasks that can take screenshots, record microphone input, and perform other tasks on a scheduled basis; a reconnaissance module that compiles extensive system information; SMBv1 and SSH infectors for penetration and worming capabilities.

The researchers also discovered a related ransomware variant called ThunderCrypt that shares the same underlying codebase and communicates with the same C2 server as StripedFly.

**Unsolved Mysteries**

The blog post includes numerous indicators of compromise and other websites and relevant data related to StripedFly to help organizations identify if they've been infected.

In the meantime, numerous questions still hover around StripedFly, including the true motive of its perpetrators — a question further muddled by the existence of a related ransomware component.

"While ThunderCrypt ransomware suggests a commercial motive for its authors, it raises the question of why they didn’t opt for the potentially more lucrative path instead," the researchers wrote.

It's also still unclear if StripedFly is still active, since at the time of writing, the researchers observed only eight updates for Windows systems and four for Linux systems in the Bitbucket repository. This could indicate that "either there are minimal active infections," or that all the victims already infected by StripedFly are still actively communicating with its C2, they noted.

"Only those who crafted this enigmatic malware hold the answer," the researchers acknowledged. "It's difficult to accept the notion that such sophisticated and professionally designed malware would serve such a trivial purpose, given all the evidence to the contrary."

Complex Spy Platform StripedFly Bites 1M Victims

The threat actor exfiltrated 690GB of uncompressed data, or 767,035 files.

Westinghouse subsidiary BHI Energy, an energy services provider, confirmed that it experienced an Akira ransomware attack in June.

BHI's IT team at BHI discovered network data being encrypted in late June; as it proceeded to investigate the incident, it brought in outside counsel and a third-party cybersecurity firm.

The cybersecurity firm found that Akira, the threat actor, gained initial access in late May through the compromised account of a third-party contractor, resulting in the threat actor reaching "the internal BHI network through a VPN connection."

According to the notice sent to Iowa's consumer protection agency, in the week after first gaining access, the threat actor performed reconnaissance of the internal network on two different occasions. In late June, the threat actor started exfiltrating 690GB of data over nine days, including data like BHI's Active Directory database. Once the threat actor completed this, they then deployed the Akira ransomware.

The threat actor was removed from BHI's network in July, and the company took several steps to secure its environment. Since BHI's cloud backup solution was unaffected, the company was able to recover data without needing a ransomware decryption tool.

In reviewing the affected systems, BHI found that the data affected included personal information such as full names, dates of birth, Social Security numbers, and health information of 896 Iowa residents, who have since been notified. BHI is offering a 24-month membership to Experian's IdentityWorks to these people.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

BHI Energy Releases Details of Akira Ransomware Attack

In the race over Citrix's latest vulnerability, the bad guys have a huge head start, with broad implications for businesses and critical infrastructure providers worldwide.

A critical security update is now available for the latest high-profile Citrix NetScaler vulnerability. But so is an exploit. And in some cases, the latter may be simpler to use than the former.

It's been a busy week so far for Citrix customers. On Sept. 23, following reports of active exploitation in the wild, the company released an urgent update for CVE-2023-4966, a sensitive information disclosure vulnerability in its NetScaler application delivery controller (ADC) and Gateway products. The vulnerability was assigned a "High" 7.5 out of 10 CVSS rating by NIST, but a "Critical" 9.4 by Citrix itself.

Then on Sept. 24, researchers from Assetnote published a proof-of-concept (PoC) exploit to GitHub. The widely available exploit is, relative to the severe consequences it can wreak, remarkably simple.

"It's a remote access solution in the vast majority of places and, as a result, it's exposed to the Internet most of the time," explains Andy Hornegold, VP of product at Intruder. "The risk is somebody will be able to exploit this vulnerability, read session tokens, connect to your device as one of your standard users, and then access your environment with those privileges."

**The New Citrix Exploit**

Researchers from Assetnote discovered two related functions at the heart of CVE-2023-4966 — _ns\_aaa\_oauth\_send\_openid\_config_ and _ns\_aaa\_oauthrp\_send\_openid\_config_ — both responsible for implementing the OpenID Connect (OIDC) Discovery endpoint. OIDC is an open protocol used for authentication and authorization.

On an unpatched NetScaler device, an attacker could easily overload the buffer by sending a request exceeding 24,812 bytes. With a request hardly three lines long, the researchers discovered they could cause the device to leak memory.

"It feels like hacking back in 1999," Hornegold says, only half-jokingly. "Back in the day it was, like, the default way of trying to carry out these kinds of attacks — to just stuff a whole load of 'a's into a packet and see what comes back."

In this case, he explains, "I can send one request with a whole bunch of 'a's in one go, and then in the body of the response, it starts to expose session tokens for people who are logged in to that NetScaler device, which I can reuse to log in as those users." By hijacking an authenticated session, a malicious actor could potentially bypass any checks, including multifactor authentication (MFA).

**Why Patching Isn't Enough**

According to Citrix, its software is used by more than 400,000 organizations across the globe, including 98% of Fortune 500 companies. According to Enlyft, NetScaler in particular is used by nearly 84,000 companies, including brand names like eBay and Fujitsu.

NetScaler isn't just popular. As Intruder noted in a Sept. 25 blog post, it's popular most notably within critical industries, which often prefer to run infrastructure on-premises rather than in the cloud.

So while Citrix advised customers on Sept. 23 to patch as soon as possible, doing so won't be equally easy for everyone. For organizations that require 24/7 uptime, "It's a bit of a balancing act," Hornegold says, "because you obviously need to keep that service live for as long as possible, especially when you're talking about critical national infrastructure. Any downtime needs to be taken as part of a risk consideration."

Regular businesses won't be able to just patch and forget about it, either. As Mandiant pointed out last week, hijacked sessions could persist even through patches, so organizations have to take the extra step of terminating all active sessions.

And even that may not be enough. Mandiant observed threat actors exploiting CVE-2023-4966 as early as August, leaving a healthy window of time for further post-exploitation persistence and downstream access.

"There's a whole two months of opportunity there," Hornegold points out. "So if the question is 'what is the worst that could happen if you don't patch this?' —realistically, the worst may well have happened already."

Source

DARKReading