This Tech Tip outlines how enterprise defenders can mitigate the risks of the curl and libcurl  vulnerabilities in their environments.

Security teams don’t have to swing into crisis mode to address the recently fixed vulnerabilities in the command-line tool curl and the libcurl library, but that doesn't mean they don't have to worry about identifying and remediating impacted systems. If the systems are not immediately exploitable, security teams have some time to make those updates.

This Tech Tip aggregates guidance on what security teams need to do to ensure they aren't at risk.

A foundational networking tool for Unix and Linux systems, cURL is used in command lines and scripts to transfer data. Its prevalence is due to the fact that it is used as both a standalone utility (curl) as well as a library that is included in many different types of applications (libcurl). The libcurl library, which allows developers to access curl APIs from their own code, can be introduced directly into the code, used as a dependency, used as part of an operating system bundle, included as part of a Docker container, or installed on a Kubernetes cluster node.

**What Is CVE-2023-38545?**

The high severity vulnerability affects curl and libcurl versions 7.69.0 to 8.3.0, and the low severity vulnerability impacts libcurl versions 7.9.1 to 8.3.0. However, the vulnerabilities cannot be exploited under default conditions. An attacker trying to trigger the vulnerability would need to point curl at a malicious server under the attacker’s control, make sure curl is using a SOCKS5 proxy using proxy-resolver mode, configure curl to automatically follow redirects, and set the buffer size to a smaller size.

According to Yair Mizrahi, a senior security researcher at JFrog, the libcurl library is vulnerable only if the following environment variables are set: _CURLOPT\_PROXYTYPE_  set to type _CURLPROXY\_SOCKS5\_HOSTNAME_; or _CURLOPT\_PROXY_ or _CURLOPT\_PRE\_PROXY_  set to scheme _socks5h://_. The library is also vulnerable if one of the proxy environment variables is set to use the _socks5h://_ scheme. The command-line tool is vulnerable only if it is executed with the _\-socks5-hostname_ flag, or with _\--proxy_ (-x) or _\--preproxy_ set to use the scheme _socks5h://_. It is also vulnerable if curl is executed with the affected environment variables.

“The set of pre-conditions needed in order for a machine to be vulnerable (see previous section) is more restrictive than initially believed. Therefore, we believe the vast majority of curl users won’t be affected by this vulnerability,” Mizrahi wrote in the analysis.

**Scan the Environment for Vulnerable Systems**

The first thing organizations need to do is to scope their environments to identify all systems using curl and libcurl to assess whether those preconditions exist. Organizations should inventory their systems and evaluate their software delivery processes using software composition analysis tools for code, scanning containers, and application security posture management utilities, notes Alex Ilgayev, head of security research at Cycode. Even though the vulnerability does not affect every implementation of curl, it would be easier to identify the impacted systems if the team starts with a list of potential locations to look.

The following commands identify which versions of curl are installed:

_Linux/MacOS:_

_find / -name curl 2>/dev/null -exec echo "Found: {}" \\; -exec {} --version \\;_

_Windows:_

_Get-ChildItem -Path C:\\ -Recurse -ErrorAction SilentlyContinue -Filter curl.exe | ForEach-Object { Write-Host "Found: $($\_.FullName)"; & $\_.FullName --version }_

GitHub has a query to run in Defender for Endpoint to identify all devices in the environment that have curl installed or use curl. Qualys has published its rules for using its platform.

Organizations using Docker containers or other container technologies should also scan the images for vulnerable versions. A sizable number of rebuilds are expected, particularly in docker images and similar entities that incorporate liburl copies. Docker has pulled together a list of instructions on assessing all images.

_To find existing repositories:_

_docker scout repo enable --org <org-name> <org-name>/scout-demo_

_To analyze local container images:_

_docker scout policy \[IMAGE\] --org \[ORG\]_

This issue highlights the importance of keeping meticulous track of all open source software being used in an organization, according to Henrik Plate, a security researcher at Endor Labs.

“Knowing about all the uses of curl and libcurl is the prerequisite for assessing the actual risk and taking remediation actions, be it patching curl, restricting access to affected systems from untrusted networks, or implementing other countermeasures,” Plate said.

If the application comes with a software bill of materials, that would be a good place to start looking for instances of curl, adds John Gallagher, vice president of Viakoo Labs.

Just because the flaws are not exploitable doesn’t mean the updates are not necessary. Patches are available directly for curl and libcurl, and many of the operating systems (Debian, Ubuntu, Red Hat, etc.) have also pushed fixed versions. Keep an eye out for security updates from other applications, as libcurl is a library used by many operating systems and applications.

One workaround until the updates can be deployed is to force curl to use local hostname resolving when connecting to a SOCKS5 proxy, according to JFrog’s Mizrahi. This syntax uses the socks5 scheme and not socks5h: _curl -x socks5://someproxy.com_. In the library, replace the environment variable _CURLPROXY\_SOCKS5\_HOSTNAME_ with _CURLPROXY\_SOCKS5_.

According to Benjamin Marr, a security engineer at Intruder,  security teams should be monitoring curl flags for excessive large strings, as that would indicate the system had been compromised. The flags are _\--socks5-hostname_, or _\--proxy_ or _\--preproxy_ set to use the scheme _socks5h://_.

How to Scan Your Environment for Vulnerable Versions of Curl

**PRESS RELEASE**

**(Lehi, UT) Oct. 12, 2023 —** DigiCert, a leading global provider of digital trust, today announced its next generation Discovery, a set of key capabilities in DigiCert® Trust Lifecycle Manager that enable customers to build a centralized book of record of their cryptographic keys and certificates. This centralized view, when coupled with management and automated provisioning and renewal, improves cryptoagility, reducing the time and resources needed to update algorithms, rotate keys and certificates and remediate threats.

"The majority of organizations have not yet implemented a centralized crypto-management solution," said DigiCert Chief Product Officer Deepika Chauhan. "This is becoming critical now, as IT leaders consider how to transition their cryptographic algorithms and certificates to quantum-safe standards in order to protect their organizations against 'harvest now, decrypt later' strategies."

In a recent Gartner® report1, Senior Director Analyst Brian Lowans wrote, "All cryptographic technologies will need to evolve to cope with the future threat of quantum computing, which is increasing the need for innovative technologies such as crypto-agility, postquantum cryptography and quantum key distribution."

Trust Lifecycle Manager Discovery employs a broad set of methods for finding certificates within an organization, including integration with private CAs, such as AWS Private CA and Microsoft CA, integration with vulnerability management solutions such as Qualys and Tenable, integrations with web servers and load balancers, and port-based scanning. 

"The integration of Qualys Vulnerability Management, Discovery and Response (VMDR) and DigiCert products enables our customers to manage and automate the cryptographic assets that they discover in their vulnerability scans," said Pinkesh Shah, Chief Product Officer, Qualys. "This seamless integration enables companies to tightly couple their vulnerability management and cryptoagility strategies, improving their security posture and agility while reducing their cyber risk."

Learn more about Trust Lifecycle Manager Discovery here. 

1.  Gartner, Hype Cycle™ for Data Security, 2023, Brian Lowans, 14 July 2023

GARTNER and HYPE CYCLE are registered trademarks of Gartner, Inc. and/or its affiliates in the US and internationally and is used herein with permission. All rights reserved.

**About DigiCert, Inc.**  
DigiCert is a leading global provider of digital trust, enabling individuals and businesses to engage online with the confidence that their footprint in the digital world is secure. DigiCert® ONE, the platform for digital trust, provides organizations with centralized visibility and control over a broad range of public and private trust needs, securing websites, enterprise access and communication, software, identity, content and devices. DigiCert pairs its award-winning software with its industry leadership in standards, support and operations, and is the digital trust provider of choice for leading companies around the world. For more information, visit www.digicert.com or follow @digicert.

DigiCert Announces Comprehensive Discovery of Cryptographic Assets

**PRESS RELEASE**

**REDWOOD CITY, Calif., October 11, 2023 –** Appdome, the mobile one-stop shop for mobile app defense, today released new threat evaluation tools inside ThreatScope™ Mobile XDR to deliver enhanced monitoring, investigation and threat evaluation for mobile apps and brands globally. Among the new tools is Threat-Inspect™, a powerful new ability to investigate, drill down, share and report on defenses, attacks and threats in the production environment. 

Appdome's ThreatScope™ Mobile XDR gathers thousands of threat signals from mobile app security, hacking, fraud, malware, cheat, and bot attacks from inside deployed mobile apps, and translates that data into brand relevant views that cyber, fraud and business teams can use to evaluate and respond to mobile threats and attacks in real time. The new evaluation tools include: (1) Threat-Inspect, for deep threat inspection, (2) Threat-Views™, for creating savable monitoring perspectives by app, device, OS, attacks and other parameters, and (3) Threat-Snapshots for ease of reporting and collaboration. ThreatScope Mobile XDR is pre-integrated with Appdome’s Cyber Defense Automation platform for Android & iOS apps for instant response to any cyber or fraud attack. 

"Real-time attack data from the native mobile app channel is full of surprises," said Tom Tovar, co-creator and CEO of Appdome. "Our new evaluation tools, including Threat-Inspect, allow even faster and deeper investigation into cyber and fraud data from the mobile channel and empower mobile brands to view this data from a business context."

The new threat evaluation features in ThreatScope Mobile XDR provide mobile businesses and brands: 

**Threat-Inspect™** allows cyber teams to pivot between "All" and “Unique” attacks as well as between attacks and “Impacted Devices,” to see the number of unique devices experiencing each attack. This new capability allows cyber responses to be tailored to the specific threat(s) in the production environment while also easing the remediation burden for mobile users and brands globally. 

A unique feature of Threat-Inspect is that it also can be used in conjunction with Appdome’s recently released Build-to-Test automated testing capability. Build2Test allows Appdome-protected mobile apps to be used inside automated mobile app testing suites, logging all security events for the developer to track and monitor. These logged security events are now visualized inside Threat-Inspect.  

**Threat-Views™** allows security teams to zoom in and monitor specific aspects of the mobile app defense, attack and threat data shown on ThreatScope. Create and save any number of Threat-Views to monitor one or more mobile applications, OS, OS Version, attack vector, mobile app release, Fusion Set (defense model), geographic region or other parameter. Threat-Views enable persistent business level viewing and analysis, which is essential for demonstrating ROI and keeping the overall mobile business safe. 

**ThreatScope Snapshots™**allow cyber teams to export and share real-time mobile app defense and attack snapshots from ThreatScope, Threat-Views or Threat-Inspect data. Use ThreatScope Snapshots to keep cyber, fraud, and business teams informed on progress in stopping security, fraud, malware, and other attacks, demonstrate compliance, or collaborate with other teams internally. 

Powering these features are new levels of metadata now available in ThreatScope. These include enhanced attack, threat and fraud metadata including geo-location, unique identifiers for threats and impacted installations as well as new options such as IP address and more. This metadata allows mobile brands to click to see all the in-production mobile apps and installations impacted by each attack or threat. Simply click on a specific attack or threat and choose the impact view needed by each business line. IP address and unique device data can now also be downloaded for offline analysis. 

"These enhancements to ThreatScope really raise the bar on actionable, interactive risk and threat intelligence for mobile apps," said Eric Newcomer, CTO and Principal Analyst at Intellyx. "You can drill down on device data to see which devices are impacted, and explore different views by geo-location, threat ID, and IP address – all in real time. And you can now capture and export the data for internal distribution."

Appdome's Threat-Scope Mobile XDR is the only XDR solution offering consolidated, real-time, cyber security, fraud, malware, cheat and bot attack and threat intelligence from in-production Android & iOS apps. With ThreatScope Mobile XDR, mobile brands, developers, cyber and fraud teams can immediately respond with updated security models, build-by-build and release-by-release and prioritize protections that have a real impact on the mobile business and users. The entire ThreatScope Mobile XDR capability inside Android & iOS apps without any burden on mobile dev teams, including no code, no SDK and no servers to deploy and, most importantly, no separate agent installed on the mobile device. 

"Once you see the data in ThreatScope Mobile XDR, you can't live without it," said Chris Roeckl, Chief Product Officer at Appdome. "Combining real-time data with instant action is the only way to combat the huge diversity, sophistication and relentlessness hackers, attackers and fraudsters use to compromise mobile apps, brands, and users globally."

For more information about ThreatScope™ Mobile XDR visit: www.appdome.com 

**About Appdome**  

Appdome, the mobile app economy’s one-stop-shop for mobile app defense, is on a mission to protect every mobile app in the world and the people who use mobile apps in their lives and at work. Appdome provides the mobile industry’s only mobile application Cyber Defense Automation platform, powered by a patented artiﬁcial-intelligence based coding engine, Threat-Events™ Threat-Aware UX/UI Control and ThreatScope™ Mobile XDR. Using Appdome, mobile brands eliminate complexity, save money and deliver 300+ Certified Secure™ mobile app security, anti-malware, anti-fraud, MOBILEBot™ Defense, anti-cheat, MiTM attack prevention, code obfuscation and other protections in Android and iOS apps with ease, all inside the mobile DevOps and CI/CD pipeline. Leading ﬁnancial, healthcare, mobile games, government and m-commerce brands use Appdome to protect Android and iOS apps, mobile customers and mobile businesses globally. Appdome holds several patents including U.S. Patents 9,934,017 B2, 10,310,870 B2, 10,606,582 B2, 11,243,748 B2 and 11,294,663 B2. Additional patents pending.

Appdome Announces Attack Evaluation Tools in Digital Economy's Mobile XDR

A plurality of the targets in the ongoing campaign have been based in the Americas.

A threat actor is using compromised Skype and Microsoft Teams accounts to distribute DarkGate, a troublesome loader associated with multiple malicious activities, including information theft, keylogging, cryptocurrency miners, and ransomware such as Black Basta.

Forty-one percent of the targets of the campaign — which appears to have begun in August — are organizations in the Americas, according to researchers at Trend Micro who are tracking the activity.

In a report this week, Trend Micro also said its researchers had observed the developer of DarkGate begin to advertise the malware on underground forums and renting it out on a malware-as-a-service basis to affiliate threat actors. The pivot, after years of going it alone, has resulted in a recent surge in DarkGate activity after a relative lull.

**Microsoft Phishing Via Skype and Teams**

The operator of the DarkGate campaign that Trend Micro is currently tracking is using both Skype and Teams to distribute the malware. In one of the attacks, the threat actor took control of a Skype account belonging to an individual at an organization with whom the target recipient's organization had a trusted relationship. The adversary basically used the compromised Skype account to hijack an existing message thread and send a message that appeared to contain a PDF file but was actually a malicious VBS script. When the recipient executed the file, it initiated a sequence of steps to download and install DarkGate on the target computer.

In another attack that Trend Micro analyzed, the threat actor attempted to achieve the same outcome using a Teams account to send a message with a malicious .LNK file, to a target recipient. Unlike the Skype caper, where the threat actor purported to be someone belonging to a trusted third party, in the Teams variation, the recipient received the malicious message from an unknown, external entity. 

"In this case, the organization’s system allowed the victim to receive messages from external users, which resulted in them becoming a potential target of spam," Trend Micro said.

"We also observed a tertiary delivery method of using a VBA script wherein a .LNK file arrives in a compressed file from the originators' SharePoint site," the security vendor said. In this attack variation, the threat actor attempts to lure the victim to a specific SharePoint site, to download a file named "Significant company changes September.zip."

**DarkGate: A Potent Threat**

DarkGate is malware that has targeted users in various regions around the world since at least 2017. It integrates multiple relatively potent functions; for instance, the malware can execute commands for gathering system information, mapping networks, and doing directory traversal. It also implements remote desktop protocol (RDP), hidden virtual network computing, AnyDesk, and other remote access software. Other "features" include ones related to cryptocurrency mining, keylogging, privilege escalation, and stealing information from browsers.

For payload delivery and execution, DarkGate uses AutoIT, a legitimate Windows automation and scripting tool that authors of other malware families have used for obfuscation and defense evasion.

**DarkGate Offers Multiple Potential Payloads**

Trend Micro's analysis showed that once DarkGate is installed on a system, it drops additional payloads. Sometimes those are variants of DarkGate itself or of Remcos, a remote access Trojan (RAT) that attackers previously haveused for cyber-espionage surveillance and for stealing tax-related information.

Trend Micro said it was able to contain the DarkGate attacks it observed before any actual harm came to pass. But given the developer's apparent pivot to a new malware leasing model, enterprise security teams can expect more attacks from varied threat actors. The objectives of these adversaries could vary, meaning organizations need to keep an eye out for threat actors using DarkGate to infect systems with different kinds of malware.

While the attacks that Trend Micro observed targeted individual Skype and Teams recipients, the attacker's goal clearly was to use their systems as an initial foothold on the target organization's networks. "The goal is still to penetrate the whole environment, and depending on the threat group that bought or leased the DarkGate variant used, the threats can vary from ransomware to cryptomining," according to Trend Micro.

The security firm recommends that organizations enforce rules around the use of instant messaging applications such as Skype and Teams. These rules should include blocking external domains, controlling the use of attachments and implementing scanning measures if possible. Multifactor authentication is also crucial to prevent threat actors from misusing illegally obtained credentials to hijack IM accounts, Trend Micro said.

DarkGate Operator Uses Skype, Teams Messages to Distribute Malware

Scammers have targeted the vaunted blue check marks on the platform formerly known as Twitter, smearing individuals and brands alike.

Fraudsters are taking advantage of the new verification system implemented by X, formerly known as Twitter, in order to impersonate brands and steal personal information.

The infamous blue checkmark used to be reserved for verified companies and influencers. But after purchasing the microblogging giant, and following a period of rapidly declining users and revenue, Elon Musk changed the rules, enabling anybody to obtain one simply by paying a monthly fee.

The site's new, liberal approach to authentication has opened the door for scammers, while the introduction of other tiers of "authentication" — gold and gray badges, for instance — has created confusion for brands and users alike.

Dark Reading was unable to reach X for comment on this story.

**How Blue Check Scams Work**

In July, the budget British airline easyJet canceled over 1,700 summer flights from Gatwick Airport in London.

Anticipating a wave of angry customers, scammers filled in the void.

According to the UK nonprofit Which?, a bevy of copycat easyJet accounts were created in the hours thereafter, with at least five surviving an initial sweep of account shutdowns. Their usernames mimicked the company's legitimate username, and in their bios they linked to "Online Help Hubs," which were actually just phishing pages designed to harvest personal information. The scammers also engaged angry customers over direct messages, and occasionally intervened in conversations they were having with the actual company.

_Source: Which?_

Not all of the blame lies with X, though. Companies that shirk on customer service often direct angry customers to social media instead, since it's allegedly faster (read: more cost-effective).

One UK resident told The Guardian in August how, after months of fruitlessly attempting to get a refund on a canceled holiday flight, he finally conceded to engage with Booking.com over X.

Booking.com asked him to send them his phone number via DM. After a call over WhatsApp, they agreed to refund his payment, but he would first need to download an app.

Only then, with his suspicion aroused, did the man realize the company's account handle had an unexpected hyphen in it, and their WhatsApp caller ID traced to Kenya.

"I've since come across other fake Booking.com Twitter accounts which are following customers who are at their wits' end trying to get a refund and have resorted to X to air their grievance with the company,” he recalled to reporters.

**Reckoning With the New Check Mark System**

Rather than just the blue check mark, X currently offers four tiers for accounts:

*   The blue check now only reflects that a user pays for an "X Premium" monthly subscription.
*   Gray check marks are reserved for government bodies and officials.
*   Gold check marks replace the blue, to authenticate official corporate accounts.
*   Individuals associated with organizations may also have a logo next to their names.

A gold badge costs $1,000 per month (plus $50 for additional affiliates), meaning that small businesses may not be able to afford authentication, and larger ones may not want to pay. And it's even led to inconsistencies within organizations. In a blog published Thursday, Kaspersky highlighted how Microsoft's presence on X is a mess of accounts with and without gold check marks, some affiliated with the organization and some not.

**What Companies Can Do About X Brand Impersonation**

Companies unable (or unwilling) to shell out the cash and organize around X's new rules — and companies like easyJet, for whom even doing everything right isn't enough to fend off copycats — will need other means of protecting their customers and their brand names. Because like any typosquatting endeavor, a diligent phishing campaign can erode consumer trust.

"For sensitive communication or support," says Callie Guenther, senior manager of threat research at Critical Start, "directing customers back to the official website or a recognized customer service number can be effective. And a consistent online presence, characterized by regular updates and engagement, can deter impersonators and give customers confidence in the brand's authenticity."

However, she cautions, "any system that implies trust through verification can be exploited, so users should always be cautious. LinkedIn, for example, doesn't have a checkmark system similar to Twitter, but fake profiles or impersonators can still exist."

Brands Beware: X's New Badge System Is a Ripe Cyber-Target

Popular malware like QakBot and DarkGate rely on VBScript, which dates back to 1996 — but their days are numbered now that Microsoft is finally deprecating the Windows programming language.

Microsoft announced this week that it's deprecating the timeworn VBScript — bad news for cybercriminals, for whom it's a favorite tool.

In future releases of Windows, VBScript will be available only as a feature on demand; and eventually, it will be removed from the operating system altogether.

The VBScript programming language, short for Visual Basic Script, is nearly 30 years old, having been introduced in the mid-90s as a lightweight way to natively generate programming scripts. But like grunge fashion and Neve Campbell movies, its pre-Y2K moment in the sun is long past.

Yet cybercriminals continue to use it as an avenue for initial access to targets, especially since Microsoft started blocking macros by default. Threat actors quickly discovered after its release that they could create malicious VBScripts that would run natively and unquestioned on Windows machines, which could help them smuggle in any number of remote access Trojans, downloaders, and more.

An early example of this was the "ILoveYou" worm from 2000, but more recent malware "gettin' VBS-y wit' it" (to malaprop another mid-90s sensation) include Emotet, QakBot, and DarkGate.

That class of malware's days now appear to be numbered.

"Initially, the VBScript feature on demand will be preinstalled to allow for uninterrupted use while you prepare for the retirement of VBScript," according to the official announcement from Redmond. In other words, for the interim period before full discontinuation, it will be disabled by default, but users can choose to turn it on if they wish.

Microsoft didn't provide a timeline for when it plans full removal of the tool.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Microsoft Set to Retire Grunge-Era VBScript, to Cybercrime's Chagrin

**PRESS RELEASE**

**WATERLOO, ON, Oct. 10,2023 / PRNewswire/--** BlackBerry Limited (NYSE: BB; TSX: BB), the pioneer of enterprise mobility management, today announced two major new Unified Endpoint Management (UEM) innovations — BlackBerry UEM at the edge and BlackBerry UEM for the IoT.

BlackBerry® UEM software is used for managing, monitoring, and securing all of an organization's end-user devices. Taking BlackBerry UEM to the edge will enhance enterprise productivity and employee experience by placing workloads close to the end user and their device for ultra-low latency connectivity, while maintaining the highest security standards that customers rely on and trust BlackBerry to deliver – in testing users saw up to 87% decrease in latency. The solution brings the BlackBerry Network Operations Center (NOC), the company's unique secure connectivity infrastructure, to the edge and integrates with AWS Local Zones and Availability Zones to securely place compute, storage, and other services where data is being generated and consumed. BlackBerry UEM at the edge is compatible with BlackBerry UEM on-prem and cloud.

BlackBerry UEM for the Internet of Things (IoT) will expand unified endpoint management to IoT devices enabling organizations to realize the vast benefits of the IoT and reduce unknown risks in their environment. The solution integrates BlackBerry UEM with AWS IoT Greengrass, an open source edge runtime and cloud service used on millions of IoT endpoints across the connected world – in factories, vehicles, healthcare, enterprises – to provide IoT endpoint visibility and management and empower IT teams. Advancing the company's convergence vision, this new addition to BlackBerry UEM will enable organizations to seamlessly and securely inventory and manage their IT and IoT endpoints from a single console.

"BlackBerry founded and has been a leader in the enterprise mobility management market for over twenty years. We are once again revolutionizing the market, by leapfrogging the industry in endpoint management innovation and paving the way for convergence," said Neelam Sandhu, Chief Elite Customer Success Officer, BlackBerry. "It has been wonderful to collaborate with AWS to develop BlackBerry UEM at the edge and BlackBerry UEM for the IoT, to enable our customers to unlock new business value through digital technologies, which offer the potential to transform and advance every aspect of the connected world, spanning how we live and work." 

"IoT has advanced over the past years across different industries – automotive, enterprise, medical, manufacturing. The convergence of the IoT with security at the forefront of the conversation is now emerging as a must-have for the connected world. Bridging systems in the cloud provides scale, consistency, and flexibility to organizations to access data across the IoT and developers to innovate to deliver new value. AWS is delighted to collaborate with BlackBerry on UEM edge and IoT solutions to deliver unified and innovative endpoint management solution for the future of the connected world," said Dr. Sarah Cooper, General Manager for Industry Products at AWS.

The IoT is a foundational pillar of the future of digital transformation and unlocks new business opportunities for organizations by dramatically extending the reach of information technology. The value of enterprise IoT is largely untapped today due to the heavy compute requirements of the IoT and the complexity of the IoT network. Edge computing addresses the increasing demand for real-time data processing and analysis, and increased endpoint visibility provides valuable situational awareness and security benefits, enabling organizations to easily integrate IoT into their IT strategies. 

BlackBerry UEM holds the most security certifications in the industry and is the only UEM product to be named 2023 Customers Choice by Gartner® Peer Insights™.

AWS provides reliable, scalable, and inexpensive cloud computing services to organizations around the world. For more information on AWS products click here.

For more information on BlackBerry UEM at the edge or BlackBerry UEM for the IoT, including general availability dates, register for BlackBerry Summit, taking place on October 17, where speakers from industry, enterprise and BlackBerry will reveal the future of IoT, IT and Cybersecurity and showcase the latest BlackBerry innovations.

**About BlackBerry**

BlackBerry (NYSE: BB; TSX: BB) provides intelligent security software and services to enterprises and governments around the world. The company secures more than 500M endpoints including over 235M vehicles. Based in Waterloo, Ontario, the company leverages AI and machine learning to deliver innovative solutions in the areas of cybersecurity, safety, and data privacy solutions, and is a leader in the areas of endpoint security, endpoint management, encryption, and embedded systems. BlackBerry's vision is clear - to secure a connected future you can trust.

For more information, visit BlackBerry.com and follow @BlackBerry.

_Trademarks, including but not limited to BLACKBERRY and EMBLEM Design are the trademarks or registered trademarks of BlackBerry Limited, and the exclusive rights to such trademarks are expressly reserved. All other trademarks are the property of their respective owners. BlackBerry is not responsible for any third-party products or services._

BlackBerry Unveils Next-Generation UEM Redefining the Endpoint Management Market

The company has taken down its systems in an effort to determine the scope of the attack.

Simpson Manufacturing filed an 8-K form with the Securities and Exchange Commission (SEC), stating that it experienced disruptions in its IT infrastructure and applications due to a cyberattack on Oct. 10.

Simpson Manufacturing, an engineering, manufacturing, and building products company based in California, employs more than 5,000 people worldwide.

Due to the attack, the company has taken certain systems offline to mitigate the issue; operations are expected to be disrupted until the incident is fully resolved. An investigation has been launched to determine the nature of the attack as well as the scope of its effect.

The company has also enlisted the help of third-party cybersecurity experts to assist in the ongoing investigation as well as the recovery efforts.

It is possible that the cyberattack Simpson Manufacturing experienced deals with ransomware, given that the company's response method to the incident is typical for a ransomware attack, though Simpson Manufacturing provided no information as to the type of attack it experienced. 

This incident came just after the company announced it would report its third-quarter financial results later this month.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Simpson Manufacturing Launches Investigation After Cyberattack

By working cooperatively, the West and Africa can mobilize to tackle nation-state-backed cyber threats.

Nation-state hackers are a potent weapon in the hands of countries. The days a war starts by someone pulling a trigger are gone: It has been replaced by the Enter key.

To gain the best possible insights into global threat landscapes, who is attacking who, why they're attacking, and how the West and Africa can mobilize to tackle nation-backed cyber threats, it's crucial to understand the geopolitical dynamics of cyber warfare. Only by gaining a thorough context of the situation can governments, businesses, and cybersecurity providers effectively reduce nation-backed cyberattacks.

**The Role of Africa in Global Cyber Warfare**

Africa, and South Africa in particular, forms a delicate bridge between the East and the West. On one hand, Africa has economically benefited from the East; Eastern mining, infrastructure, and private-sector companies all have roots in the continent. At the same time, Africa increasingly seeks trade deals with the West.

Careful balancing of economic ties with Eastern and Western nations has enabled Africa to accelerate its export trade in the last decade, with the continent's average GDP growth expected to rise from 3.8% in 2022 to 4.1% in 2023–2024.

However, as large Western organizations conduct business with African nations, they become vulnerable to the threat of cyberattacks coordinated across the continent. Many of these attacks are perpetrated by attackers based in or backed by the BRICS nations (Brazil, Russia, India, China, and South Africa).

Cyberattacks have proliferated over the last decade, particularly in Africa. In Kenya and Nigeria, Kaspersky reports a large increase in financial and banking Trojans in the second quarter of 2021 compared with the first quarter of 2021: a 59% increase in Kenya, and a 32% increase in Nigeria.

A 10-year review of the cyber-threat landscape in South Africa finds that the most prevalent perpetrators of cybercrime were trained hackers, and the most common motivation was criminal.

Countries spanning the continent are targeted on a mass scale, often using the same threat methodologies. At Performanta, we've seen attack methodologies repeated by actors across various countries: we discovered a Lazarus Group cyberattack network operating in Zambia and tracked the same attack tools and methodologies to activity in Uganda.

We've also seen APT40, also known as Kryptonite Panda, an advanced persistent threat (APT) located in Haikou, Hainan Province, People's Republic of China, target government organizations, companies, and universities in a wide range of industries via Africa and across the United States, Canada, Europe, and the Middle East. APT40 counterparties, China-based Phantom Panda and Wet Panda, have similarly targeted these regions over telecommunications networks.

Why are Eastern APT groups attacking via Africa? There are a few motivations: Attackers may perceive attacking Africa to have fewer risks; they're aiming to access Western assets via Africa; or they are testing attack methodologies on Africa to later use in the West on home soil. The big picture is dangerously murky, but all these reasons enter into the equation.

**Where Does the West Come in?**

The West and Africa are intrinsically linked as they both fall afoul of the East and BRICS attacks. To counter this, both must implement long-term collaborative efforts to turn the cyberwars in their favor. Any short-term partnership fails to consider the aggressively innovating threat landscape, where insights are outdated almost as soon as they are collected.

Working cooperatively, the West and Africa can share knowledge of APT threats, attack success rates, emerging methodologies, and the strategies deployed by specific nations, sponsored groups, or ransomware-as-a-service (RaaS) brokers. Managed security service providers possess deep knowledge of regional threat landscapes in Africa, and this could prove pivotal in deciphering the severity of threat data and data loss, allowing more efficient threat categorization.

With this information, the right combat tools can be put into place and attacks can be thwarted more successfully. Both parties can gain visibility into new threat-prevention methods, big data sets, and powerful cybersecurity tools that can help them fight the threat of BRICS-backed actors on all fronts.

In the pursuit of global cyber safety, immediate, direct cooperation is the only way that Africa's unique placement as a bridge between East and West can transform from a vulnerability to an advantage.

The Cyberwar Between the East and the West Goes Through Africa

Evasive malware disguised as a caching plug-in allows attackers to create an admin account on a WordPress site, then take over and monetize sites at the expense of legitimate SEO and user privacy.

Sophisticated malware capable of creating an administration account for a website is lurking behind an authentic-looking WordPress caching plug-in, giving threat actors a way to completely hijack infected websites at will.

Researchers from Wordfence discovered the plug-in, which can perform a variety of malicious tasks while masquerading as legitimate add-on software for the WordPress platform, they revealed in a blog post Oct. 11. Chief among this activity is the ability to create an admin account and remotely activate plug-ins — basically giving threat actors free rein over infected sites.

The backdoor can work both as a standalone script and also as a plug-in, with features like remote plug-in activation and conditional content filtering that give it evasion capabilities difficult for inexperienced users to detect.

Other capabilities include the ability to add filters to prevent the malware from being included in the list of activated plug-ins, pinging functionality that allows a malicious actor to check if the script is still operational, and file-modification capabilities. Further, the backdoor can activate or deactivate arbitrary plug-ins remotely, which is "useful to disable unwanted plug-ins and also to activate this malicious plug-in as needed," Wotschka wrote.

"Since the malicious file runs as a plug-in within the context of WordPress, it does have access to normal WordPress functionality just like other plug-ins do," Wordfence vulnerability researcher Marco Wotschka wrote in the post. "Taken together, these features provide attackers with everything they need to remotely control and monetize a victim site, at the expense of the site’s own SEO rankings and user privacy."

A Wordfence analyst discovered a sample of the malware during a site clean on July 18, and created a signature the following day, which was subsequently tested and released to Wordfence customers on Sept. 1.

**Malicious Plug-in: A Hidden but Detectable Malware Enemy**

The researchers broke down some of the key functionality of the malicious plug-in, including features that are most likely to arise suspicion among current site administrators or users.

One of those is to use wp\_create\_user function to create a new user account with the username superadminand a hardcoded password to set up an attacker as a website administrator. This account is removed once a victim has been successfully compromised as a way to remove traces and thus reduce changes of detection, according to Wordfence.

"While often seen in test code, user creation with hardcoded passwords should be considered a red flag, and the elevation of this user to an administrator is certainly reason enough for suspicion," Wotschka wrote.

The malicious plug-in also includes bot detection code, which is often present in malware on a website that serves normal content to some users while redirecting or presenting malicious content to others.

"One common thread shared by these infection scenarios is that site owners find their site looks fine to them, but their visitors have reported issues such as seeing spam or being redirected to dubious sites," Wotschka explained.

Further, since this kind of malware wants search engines to find the malicious content, it is usually served to them as they index a site, he said. Threat actors use keyword stuffing to help increase traffic sent to infected sites, with administrators often reporting a sudden, unexpected surge in site traffic when their sites are hit by an infection.

While the presence of bot detection code on its own is not enough to verify that malicious activity is present on a website, it does stand out as suspicious activity, Wotschka added.

**Securing WordPress Sites**

Plug-ins remain an exposed and sizeable attack surface for WordPress and the millions of sites built on it, an endemic issue that remains a persistent threat. Threat actors have targeted WordPress sites via both malicious and vulnerable plug-ins, with both issues often going unnoticed by site operators until after a website is already under active attack.

Overall, anyone building websites using WordPress should follow security best practices in how they configure the sites to ensure they remain as protected as possible. Wordfence advised that they should also include some type of security monitoring on the site in case of compromise even after following these practices.

Source

DARKReading