Cybercriminals employ obfuscated script to stealthily hijack victim server bandwidth for use in legitimate proxy networks.

Threat actors are exploiting vulnerable secure shell protocol (SSH) servers to launch Docker services that take advantage of an emerging and lucrative attack vector that hijacks a victim's network bandwidth for money.

Researchers from the Akamai Security Intelligence Response Team (SIRT) in June discovered the currently active campaign, which employs an emerging type of attack called proxyjacking, the researchers revealed in a blog post last week.

Threat actors use SSH for remote access and then run malicious scripts that enlist victim servers into a legitimate peer-to-peer (P2P) proxy network, such as Peer2Proxy or Honeygain, without their knowledge, the researchers said. These networks — which use companion apps or software installed on Internet-connected devices — allow someone to share Internet bandwidth by paying to use the IP address of the app users.

"This allows for the attacker to monetize an unsuspecting victim's extra bandwidth, with only a fraction of the resource load that would be required for cryptomining, with less chance of discovery," Allen West, an SIRT security researcher, wrote in the post.

In a nutshell, that is proxyjacking, an emerging attack model that takes advantage of these services and, on a grand scale, potentially can earn cybercriminals hundreds of thousands of dollars per month in passive income, the researchers found.

While the idea of proxyjacking is not new — think of cryptojacking, an entirely illegal endeavor, as a distant cousin — the ability to easily monetize piggybacking on someone's bandwidth as affiliates of mainstream companies is new, which explains why security researchers are seeing more proxyjacking in the threat landscape, West warned.

"Providing a simple path to financial gain makes this vector a threat to both the corporate world and the average consumer alike, heightening the need for awareness and, hopefully, mitigation," he wrote.

Proxyjacking also makes it easy for threat actors to hide their tracks by routing malicious traffic through a multitude of peer nodes before it reaches its final destination, according to the research. This makes the origin of the nefarious activity difficult for victims or researchers to pinpoint — another attractive option for attackers looking to monetize their activity without consequence.

**How the Attack Works**

The first indication of the attack that Akamai researchers identified came when an attacker established multiple SSH connections to one of the company's honeypots using a double Base64-encoded Bash script to obscure the activity. They successfully decoded the script and were able to observe the proxyjacking method of the threat actor down to the exact sequence of operations.

The script transformed the compromised system into a node in the Peer2Profit proxy network, using the account specified by $PACCT as the affiliate that will profit from the shared bandwidth, according to Akamai SIRT. The same process was seen being employed for a Honeygain installation awhile later.

"The script was designed to be stealthy and robust, attempting to operate regardless of the software installed on the host system," West wrote.

The script goes on to execute various functions, one of which is to download an actual, unmodified version of cURL, a command-line tool that enables data exchange between a device and a server through a terminal.

This tool seems to be all the attackers need for the scheme to work, and, "if it is not present on the victim host, then the attacker downloads it on their behalf," West wrote.

The executable cancels any containers running on the node to install a Docker container to handle the proxyjacking process and, once everything is in place, the attacker can exit the network without a trace.

**How Do You Defend Against Proxyjacking?**

Because of the growing prevalence of and the relative ease with which attackers can set up proxyjacking attacks, and inability to identify original perpetrators, organizations need to maintain vigilance on their networks so as to notice abnormal behavior in how their resources are being used to avoid compromise, the researchers recommend.

For the particular attack that the Akamai team observed, attackers used SSH to gain access to a server and install a Docker container. To avoid this type of attack, organizations can check their locally running Docker services to locate any unwanted resource sharing the system, according to Akamai. If they find one, the intrusion should be investigated and a determination of how the script was uploaded and run should be made, after which organizations should perform a thorough clean-up.

Also unique to the attack is that the executable in the form of the cURL tool would likely go overlooked by most companies, since that tool can be used legitimately. However, in this case, it was the initial artifact in the attack that led the researchers to investigate deeper, West said.

"It was the ability to look at the source of the artifact that took it from a harmless piece of code to what we now know is part of a proxyjacking scheme," he explained, which "highlights the importance of being able to isolate all unusual artifacts, not just those that are considered malicious."

Moreover, because proxyjacking attackers also use vulnerabilities to mount attacks — that was the case in a recent attack that leveraged the infamous Log4j flaw — organizations should maintain updated assets and apply patches to applications whenever available, particularly when vulnerabilities already have been exploited, the research recommends.

West added: "Users with deeper knowledge of computer security can additionally remain vigilant by paying attention to the containers currently running, monitoring network traffic for anomalies, and even running vulnerability scans on a regular basis."

SSH Servers Hit in 'Proxyjacking' Cyberattacks

When you just keep filing it away to handle "someday," security debt typically rears its head when you are most vulnerable and can least afford to pay it.

There has always been a tradeoff in IT between shipping new features and functionality versus paying down technical debt, which includes things like reliability, performance, testing … and yes, security. 

In this "ship fast and break things" era, accumulating security debt is a decision that organizations voluntarily make. Every organization has security tasks stuffed in their Jira backlogs for "someday" — things like deploying security patches and running the newest, most stable versions of programming languages and frameworks. Doing the right thing takes time, and teams willfully postpone these tasks because they are prioritizing new features. A big part of the CISO's job is recognizing those moments when security debts must be paid.

One thing that made the Log4j exploit so alarming for CISOs was the realization that there was this huge accumulated debt that wasn't even on their radar. It exposed a hidden class of security gaps between open source projects and the ecosystems of creators, maintainers, package managers, and organizations who use them. 

Software supply chain security is a unique line item on the security debt balance sheet, but CISOs can put together a coherent plan for paying it down.

**A New Class of Vulnerability**

Most companies have gotten really good at locking down their network security. But there's a whole class of exploits that are possible because developer build systems and the software artifacts they leverage to write applications do not have a trust mechanism or secure chain of custody. 

Today, anyone with common sense knows not to pick up a random thumb drive and plug it into their computer due to the security risks. But for decades, developers have been downloading open source packages with no way to verify that they're safe. 

Bad actors are capitalizing on this attack vector because it is the new low-hanging fruit. They realize that they can gain access through these holes, and once inside, pivot to all the other systems that have dependencies on whatever insecure artifact they used to gain entry. 

**Stop Digging by Locking Down Build Systems **

The fundamental starting point for CISOs, endorsed in materials like the developer guide "Securing the Software Supply Chain," is to start using open source frameworks like NIST's Secure Software Development Framework (SSDF) and OpenSSF's Supply Chain Levels for Software Artifacts (SLSA). These are basically prescriptive steps for locking down your supply chain. SLSA Level 1 is to use a build system. Level 2 is to export some logs and metadata (so you can later look things up and do incident response). Level 3 is to follow a series of best practices. Level 4 is to use a really secure build system. By following these first steps, CISOs can create a strong foundation for building a software supply chain that is secure by default. 

Things get more nuanced as CISOs think about policies over how developer teams acquire open source software in the first place. How do developers know what their company's policies are for what's considered "secure"? And how do they know that the open source they are acquiring (which constitutes the great majority of all software used by developers these days) is indeed untampered with?

By locking down build systems and creating a repeatable method to verify provenance of software artifacts before bringing them into the environment, CISOs can effectively stop digging a deeper hole for their organization in security debt. 

**What About Paying Down Old Software Supply Chain Security Debt?**

After you've stopped digging by locking down your base images and build environments, now you need to update your software and patch your vulnerabilities, including base image versions.

Updating software and patching CVEs is super tedious. It's boring, it's time consuming, it's a chore — it's work. It's the "eat your veggies" of cybersecurity. Paying down this debt requires a deep collaboration between CISOs and development teams. It is also an opportunity for both teams to agree on more secure, productive tooling and processes that can help make an organization's software supply chain secure by default. 

Just like some people don't like change, some software teams don't like updating their container base images. The base image is the first layer of container-based software applications. Updating a base image to a new version can sometimes break the software application, especially if there is inadequate test coverage. So, some software teams prefer the status quo, essentially loitering indefinitely on a working base image version that is likely accumulating CVEs daily.

To avoid this accumulation of vulnerabilities, software teams should as update images frequently with small changes and use "testing in production" practices like canary releases. Using container images that are hardened, minimal in size, and built with critical software supply chain security metadata, like software bills of materials (SBOMs), provenance, and signatures, can help alleviate the time-consuming pain of daily vulnerability management in base images. These techniques strike the right balance between staying secure and making sure production doesn't go down.

**Start Paying as You Go**

What's uniquely unpleasant about security debt is that when you just keep filing it away for "someday," it typically rears its head when you are most vulnerable and can least afford to pay it. The Log4j vulnerability struck right before the busy holiday e-commerce cycle and crippled many engineering and security teams well into the following year. No CISO wants to have hidden security surprises lurking.

Every CISO should be making a minimum investment into more secure build systems, software signing methods to establish the provenance of software before developers bring it into the environment, and hardened, minimal container base images that reduce the attack surface at the foundation of software and applications. 

Deeper into this massive software supply chain security debt payoff, CISOs face a conundrum of how much they are willing to have their developers pay as they go (by continually updating base images and software with vulnerabilities) versus postponing that debt and achieving an acceptable level of vulnerability.

A CISO's Guide to Paying Down Software Supply Chain Security Debt

Come up with a clever caption, and our panel of experts will reward the winner with a $25 Amazon gift card.

Let's see you tame this contest beast! Come up with a witty cybersecurity-related caption to explain the scary scene above, and our favorite submission will win a $25 Amazon gift card.

The contest ends on July 26, 2023. Here are four easy ways to send your ideas:

*   Email \[email protected\] with the subject line "The Edge July 2023 Toon."
*   Via social media: Twitter, Facebook, and LinkedIn.

**Last Month's Winner**

The most eggcellent caption for our June "Spring Chickens" contest came via Twitter from Gerald Benischke, a debugger, breaker and fixer of software. Congratulations, Gerald, and thanks to everyone for playing!

    

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Name That Edge Toon: Three-Ring Circus

XDR can lower platform costs and improve detection, but it requires committing to a few principles that go against the established way of thinking about SOC.

The cyber security operation center (SOC) model's focus has shifted to extended detection and response (XDR). Architected correctly, XDR puts less pressure and cost on the security information and event management (SIEM) system to correlate complex security alerts. It also does a better job as a single pane of glass for ticketing, alerting, and orchestrating automation and response.

XDR is a real opportunity to lower platform costs and improve detection, but it requires committing to a few principles that go against the established way of thinking about SOCs.

**Intelligent Data Pipelines and Data Lakes Are a Necessity**

_**Takeaway: A security data pipeline can remove log waste prior to storage and route logs to the most appropriate location.**_

Managing your security data pipeline intelligently can have a massive impact on controlling spending by preprocessing every log and eliminating excess waste, especially when your primary cost driver is GB per day. Consider the following example showing the before and after size of Windows Active Directory (AD) logs.

    

The average inbound event had 75 fields and a size of 3.75KB. After removing redundant and unnecessary fields, the log has 30 fields and a size of 1.18KB. That is a 68.48% reduction of SIEM storage cost.

Applying similar value analysis for where you send each log is equally important. Not all logs should be sent to the SIEM! Only logs that drive a known detection should be sent to SIEM. All others used in supporting investigations, enrichment, and threat hunting should go to the security data lake. An intelligent data pipeline can make on-the-fly routing decisions for each log and further reduce your costs.

    

    

**Focus Detection and Prevention Closest to the Threat**

_**Takeaway: Product-native detections have gotten dramatically better; the SIEM should be a last line of defense.**_

The SIEM used to be one of the only tools that could correlate and analyze raw logs and identify alerts that need to be addressed. This was largely a reflection of other tools being single-purpose and generally bad at identifying issues by themselves. As a result, it made sense to ship everything to the SIEM and create complex correlation rules to sort the signal from the noise.

Today's landscape has changed with endpoint detection and response (EDR) tools. Modern EDR is essentially SIEM on the endpoint. It has the same capabilities to write detection rules on endpoints as the SIEM has, but now there is no need to ship every bit of telemetry data into the SIEM.

EDR vendors have gotten markedly better at building and maintaining out-of-the-box detections. We have consistently seen a sizable decrease in detections and preventions attributed to the SIEM during our purple team engagements in favor of tools like EDR and next-generation firewalls (NGFW). There are exceptions like Kerberoasting (which on-premises AD doesn't have much coverage for). As you move to pure cloud for AD, even those types of detections will be handled by "edge" tools like Microsoft Defender for Endpoint.

**Play to Your SIEM Strong Suit**

_**Takeaway: Having a deliberate process to consistently measure and improve your detection capabilities is far more valuable than having any specific SIEM tool on the market.**_

Purple teaming across industries and detection ecosystems has allowed us to understand the efficacy of many modern EDR, NGFW, SIEM, and other tools. We score and benchmark purple team results and trend the improvements over time. We have found over the past five years that the SIEM you buy has no measurable correlation to purple team scores. Process, tuning, and testing are what matter.

SIEM tools have architectural differences that can make one a better or worse fit for your environment, but buying a specific SIEM to significantly improve your detection capabilities will not prove out. Instead, focus your efforts on dashboards and correlations that support threat-hunt and incident-response efforts.

**Align EDR, SIEM, and SOAR in Your XDR Architecture**

_**Takeaway: Security automation and artificial intelligence (AI)-enhanced triage is the future but should be approached with caution. Not all automation needs to exclude all human involvement.**_

The future of XDR is coupled with tightly integrated security orchestration, automation, and response (SOAR) technologies. XDR concepts recognize that what really matters is **not how fast you can detect a threat, but how fast you can neutralize a threat.** _"If this – then that"_ SOAR automation methodologies aren't effective in real-world scenarios. One of the best approaches we've seen in XDR automation is:

*   Conduct a purple team exercise to identify which current detection events are optimized (very low false positive rates) and can be trusted with an automated response.
*   Create an automated response playbook but insert human intervention steps to gain confidence before you turn it fully over to automation. We call this "semi-automation," and it's a smart first step.

XDR is a buzzword, but when viewed in a technology-agnostic fashion, it is based on good foundations. Where organizations are most likely to fail is applying legacy SIEM management philosophies to modern XDR architectures. These program design philosophies will likely improve your capabilities and reduce your costs.

**About the Author**

    

Mike Pinch joined Security Risk Advisors in 2018 after serving 6 years as the Chief Information Security Officer at the University of Rochester Medical Center. Mike is nationally recognized as a leader in the field of cybersecurity, has spoken at conferences including HITRUST, H-ISAC, and has contributed to national standards for health care and public health sector cybersecurity frameworks. Mike focuses on GCP, AWS, and Azure security, primarily in helping SOC teams improve their capabilities. Mike is an active developer and is currently enjoying weaving modern AI technologies into common cybersecurity challenges.

Architecting XDR to Save Money and Your SOC's Sanity

The group has given one of Apple's biggest semiconductor suppliers until Aug. 6 to pay $70 million or risk having its data and "points of entry" to its network publicly leaked.

Taiwan Semiconductor Manufacturing Company (TSMC) — one of Apple's biggest semiconductor suppliers — on Friday blamed a third-party IT hardware supplier for a data breach that has exposed the company to a $70 million ransom demand from the LockBit ransomware group.

In an emailed statement to Dark Reading, TSMC confirmed multiple reports about the security incident but did not say what data specifically LockBit actors might have accessed from its systems and is holding for ransom. The statement, however, described the incident as not affecting any of TSMC's business or customer information.

**Third-Party Breach**

"TSMC has recently been aware that one of our IT hardware suppliers experienced a cybersecurity incident, which led to the leak of information pertinent to server initial setup and configuration," the statement noted. It identified the third-party supplier as Kinmax Technology, a Hsinchu, Taiwan- based systems integrator that claims to work with numerous other major technology players, including Aruba, Checkpoint, Cisco, Citrix, Fortinet, Hewlett-Packard Enterprise, Microsoft, and VMware. It's unclear if any other customers are affected by the attack.

Meanwhile, a subgroup within the LockBit operation that calls itself the National Hazard Agency claimed that it has given TSMC up to Aug. 6 to pay the multimillion-dollar ransom or risk having the company's stolen data publicly leaked. The threat actor claimed that it would also publish what it described as "points of entry" into TSMC's network as well as passwords and login information for gaining access to it. The latter is catnip to cyberattackers given that TSMC is a juicy target: It reported a net income of some $34 billion on consolidated revenue of $75.8 billion in 2022.

TSMC said it had conducted a review of its hardware components and security configurations used in its systems, after Kinmax reported the incident, to determine the scope of the breach. "After the incident, TSMC has immediately terminated its data exchange with this supplier in accordance with the company’s security protocols and standard operating procedures," the statement noted. The chipmaker said it remained committed to enhancing security awareness among its suppliers and in ensuring they complied with the company's security requirements.

**IT Supplier Downplays Incident**

Kinmax said it discovered the intrusion into its systems on June 29. The company described the attacker as having breached the company's engineering test environment and accessing system installation preparation information. 

"This is the system installation environment prepared for customers," Kinmax said in a statement on the incident. "The captured content is parameter information such as installation configuration files."

The statement appeared to downplay the seriousness of the breach. "The \[breached\] information has nothing to do with the actual application of the customer. It is only the basic setting at the time of shipment," the company said. The statement did not identify TSMC by name. But it somewhat bewilderingly claimed that the chipmaker (or others) had not experienced any negative consequences. "At present, no damage has been caused to the customer and the customer has not been hacked by it," the June 30 statement noted.

In the statement shared with Dark Reading, the systems integrator expressed regret over the incident. "We would like to express our sincere apologies to the affected customers, as the leaked information contained their names which may have caused some inconvenience. The company has thoroughly investigated this incident and implemented enhanced security measures to prevent such incidents from occurring in the future," the Kinmax statement said.

TSMC is the latest among a rapidly growing number of organizations that has experienced a data breach via a third-party compromise. News of the company's predicament comes even as reports continue to pour in about numerous organizations falling victim to the Cl0p ransomware gang because of a vulnerability in Progress Software's widely used MOVEit Transfer app. Victims of that campaign so far include biopharma giant AbbVie, Siemens, Schneider Electric, the University of California at Los Angles (UCLA).

Such breaches have brought IT supply chain security into sharp focus in recent years and made it a top priority in the Biden administration's May 2021 cybersecurity executive order.

Chip Giant TSMC Blames $70M LockBit Breach on IT Hardware Supplier

The number of malware samples is up as attackers aim to compromise users where they work and play: Their smartphones.

Attackers are increasingly targeting users through their mobile devices, attacking vulnerabilities in services that are built into applications and mounting increasing numbers of SMS phishing attacks.

That's according to mobile security firm Zimperium's 2023 "Global Mobile Threat Report," which also found that the average number of unique mobile malware samples grew 51% in 2022, totaling an average of 77,000 unique malware samples found every month. About a quarter of application samples submitted to public repositories — 23% of Android apps and 24% of iOS apps — were malicious, according to data in the report.

In total, that all contributed to the number of compromised devices nearly tripling (up 187%) in the time period, because the tactics are working: The company saw an average of four malicious phishing links clicked per device, for instance.

The trend comes as companies and their workers rely increasingly on mobile devices, with a majority of firms seeing more workers (58%) using mobile devices for business than in 2021 and most users (59%) doing more work with their mobile devices, according to the 2022 "Verizon Mobile Security Index" report. 

"Businesses and users need to mostly be concerned about mobile phishing and spyware today, and mobile ransomware will become increasingly concerning in the near future," says JT Keating, senior vice president of strategic initiatives at Zimperium. 

**Android, iOS Devices See Different Levels of Cyber Threats**

About 80% of phishing sites specifically target mobile devices with content suited to those platforms, Zimperium stated in its 2023 "Global Mobile Threat Report." But, as has been the case for many years, the Android platform tends to attract more threats. One of the reasons for that could be that the Android operating system has seen between about 500 and 900 vulnerabilities disclosed per year that threat actors can target; iOS meanwhile saw a little more than 300 vulnerabilities in five of the last eight years, according to Zimperium. 

Another reason that Android is a bigger target? App development mistakes. The firm found that there are more mistakes made in the process of developing apps when it comes to Android, particularly when it comes to how those apps interact with cloud storage instances. Only about 2% of iOS applications access unprotected cloud instances, while 10% of Android apps do so. These include database instances accessed through Google Firebase and Cloud Platform, Amazon Simple Storage Service (S3), and Microsoft Azure Cloud Storage, according to Zimperium's report. As a corollary, developers also tend to access the same poor resources, too: Only 1% of unprotected cloud instances accounted for 60% of applications at risk, the company said.

Georgy Kucherin, a security expert at Kaspersky's Global Research and Analysis Team (GReAT), says his firm's research bears out the finding that Android attracts more overall threats, though he notes that when it comes to spyware the targeting is evenly split between the two ecosystems; the recent Triangulation cyber espionage campaign for instance shows the value in targeting the iOS platform.

"Mobile users should worry about both cybercrime threats and nation-state espionage, \[but\] it is correct to say that Android faces more general threats," he says. "Android devices are more likely to become infected with malware distributed by cybercriminals. As for top-notch espionage spyware, both iOS and Android are vulnerable to it."

The lack of jailbreaking utilities for the latest version of iOS is also lowering the number of attacks for that platform, according to Zimperium. Jailbreaking allows users to add non-Apple-sanctioned software to their mobile devices, but it also removes significant security guardrails in the process. 

**Threats Up, or Leveling Off?**

In terms of the types of mobile malware that's circulating out there, Kaspersky saw fewer mobile malware installers and less ransomware in the past year, but more banking Trojans, it stated in "The Mobile Malware Threat Landscape in 2022" report.

"Cybercriminals are still working on improving both malware functionality and spread vectors," according to the report. "Malware is increasingly spreading through legitimate channels, such as official marketplaces and ads in popular apps. This is true for both scam apps and dangerous mobile banking malware."

To put all of this into perspective, it should be noted that traditional computing platforms still attract the lion's share of the cybercrime pie. Kaspersky, for example, blocked more than 20 million malicious installers, spyware, and adware attacks on mobile devices over the last four quarters, but blocked more than 20 times that number against more common work platforms, such as Windows. However, the mobile threat vector is not as well protected. 

"In most cases, mobile devices represent a significant, unaddressed attack surface for enterprises," Zimperium's Keating says. "No matter if they are corporate-owned or part of a BYOD strategy, the need to implement appropriate security controls, and educate end-users about potential threats, is critical."

Mobile Cyberattacks Soar, Especially Against Android Users

Nokod Security is building a platform that enables organizations to secure in-house low-code/no-code custom applications by scanning for security and compliance issues and applying remediation policies

**TEL AVIV, Israel****,** **June 29, 2023** **/PRNewswire/ --** Nokod Security, a company developing security for low-code / no-code custom applications and Robotic Process Automation (RPA), announced its $8 million seed round, which will be used to establish a presence in the United States market, as well as to expand the R&D teams and support novel research of security vulnerabilities in the low-code/no-code domain. Funds were raised from Acrew Capital, Meron Capital and Flint Capital, firms with a successful track record of investing in top companies in the data protection, software verification and cybersecurity sectors like Exabeam, Mitiga, Laminar, Socure, and others.

Adoption of low-code / no-code and RPA platforms like Microsoft PowerApps, ServiceNow or UiPath is predicted to reach 65% of the IT market by 2024. More so, Generative AI and ChatGPT-like tools, introduced just this past year, are set to hyper-accelerate low-code / no-code development. Although these platforms provide businesses fast application development with minimal complex coding using third-party toolkits, they are not covered by the application security stack. As a result, the applications and automations create a new attack surface as well as introduce the risk of compliance violations.

Yair Finzi, a former Head of Department in an elite cyber security unit of the Israeli Army and a cybersecurity entrepreneur with over 15 years of experience, and Amichai Shulman, a cybersecurity researcher, advisor, entrepreneur and investor with multiple successful exits, recognized this gap early on. They have a proven track record of running successful companies: Yair co-founded and led SecuredTouch (acquired by Ping Identity), while Amichai co-founded and served as CTO of application and data security giant, Imperva.

With Nokod, Yair and Amichai empower businesses with a platform to manage cybersecurity and compliance risks stemming from their low-code / no-code custom applications and RPAs by streamlining security into the application's lifecycle. The platform provides the security team with a comprehensive view of the application inventory, identifies security issues and vulnerabilities and offers the organization customized auto-remediation, effectively accelerating their digital transformation. The company is in discussions with Fortune 500 companies in several verticals.

**"**In today's world, application development is both time-consuming and costly, exacerbated by the anticipated threefold increase in the shortage of full-time software developers by 2025. As companies increasingly turn to low-code/no-code and RPA platforms, coupled with the rise of Generative AI tools, the adoption of low-code/no-code tools is set to skyrocket. This trend can take us back to the days when everyone coded without proper security measures, leaving sensitive business and personal data vulnerable to unauthorized access. Our product ensures 100% secure citizen development within enterprises,"— notes Yair Finzi**, co-founder and СЕО of Nokod Security.**

"Low-code / no-code apps are being widely deployed, but the shared security model, as in other domains, only helps customers up to a certain point, and then they are on their own. This is a huge looming security problem, and Acrew is excited to back a founding team at Nokod that can solve it," - says Mark Kraynak**, founding partner at Acrew Capital.** 

"Meron invests in leading early-stage companies with deep technologies. We are proud to invest in a pioneering company in the world of low-code / no-code security. The growth of Generative AI tools and their expected adoption in the business environment will further accelerate the adoption of low-code / no-code development. However, there is currently no real solution to this new attack surface. Nokod has the right team to solve it at the right time," - adds **Liron Azrielant, managing partner at Meron Capital.**

"We invest in cybersecurity startups and place our bets on their teams. With Nokod, we are confident in their founders' extensive experience in web application security, which is a critical factor for both small and medium-sized businesses as well as for large enterprises," — notes Sergey Gribov**, partner at Flint Capital.**

The global cybersecurity market was valued at $163.53 billion in 2019 and by 2030, the market is forecast to have a value of $430.46 billion. The low-code development platform market size is projected to reach 

**About Nokod Security**

Nokod Security is a Tel Aviv\-based startup providing a platform that enables organizations to secure their low-code / no-code custom applications and Remote Process Automation (RPA) by scanning them for security and compliance issues and applying customized auto-remediation policies.

The company was founded in 2023 by Yair Finzi, serial entrepreneur and former co-founder of SecuredTouch (acquired by Ping Identity), and Amichai Shulman, former co-founder and CTO of Imperva, a multibillion-dollar cybersecurity company that was a pioneer in the web application firewall (WAF) and database security categories.

SOURCE Nokod Security

Nokod Raises $8M Seed Round From Seasoned Cybersecurity Investors to Enhance Low-Code/No-Code App Security

The APT35 group (aka Charming Kitten) has added backdoor capabilities to their spear-phishing payloads — and targeted an Israeli reporter with it.

The Iran-linked threat group known as APT35 (aka Charming Kitten, Imperial Kitten, or Tortoiseshell) has updated its cyberattack arsenal with improved abilities to hide its actions, as well as an upgraded custom backdoor that it's distributing via a spear-phishing campaign.

The advanced persistent threat (APT) has been alleged to be operating out of Iran and primarily concerned with collecting intelligence by compromising account credentials and, subsequently, the email of individuals they successfully spear-phish.

According to a blog post published by Volexity, the group has recently attempted a spear-phishing campaign targeting an Israeli journalist with a "draft report" lure. The "draft report" was a password-protected RAR file containing a malicious LNK file which downloaded a backdoor.

The incident was a highly targeted attack; prior to sending malware to the victim, the attackers asked if the person would be open to reviewing a document they had written related to US foreign policy. The target agreed to do so, since this is not an unusual request in the journalism line of work, but APT35 didn't send it right away — instead, the attackers continued the interaction with another benign email containing a list of questions, to which the target then responded with answers. After multiple days of benign and seemingly legitimate interaction, the attackers finally sent the "draft report" loaded with malware.

Toby Lewis, global head of threat analysis at Darktrace, says APT35's targeting profile is very much in the theme of what you'd expect to see from a group associated to the Iranian government. He says: "This is a group that's trying to be bespoke, be stealthy, and stay under the radar, and so to do that you're also going to really focus your social engineering to try and improve that return on the investment."

**PowerStar Malware & Evolving Spear-Phishing Techniques**

In this most recent campaign, it delivered the PowerStar malware — an updated version of one of its known backdoors, known as CharmPower — which it sent via an email containing an .LNK file inside a password-protected .RAR file.

When executed by a user, the .LNK file downloads PowerStar from the Backblaze hosting provider and attacker-controlled infrastructure, according to Volexity's report. PowerStar then collects a small amount of system information from the compromised machine and sends it via a POST request to a command-and-control (C2) address downloaded from Backblaze.

Volexity believes this variant of PowerStar to be especially complex, and suspects that it is likely supported by a custom server-side component, which automates simple actions for the malware operator. Also, a decryption function is downloaded from remotely hosted files which hinders detection of the malware outside of memory and gives the attacker a kill switch to prevent future analysis of the malware's key functionality.  
"With PowerStar, Charming Kitten sought to limit the risk of exposing their malware to analysis and detection by delivering the decryption method separately from the initial code and never writing it to disk," the company said. "This has the added bonus of acting as an operational guardrail, as decoupling the decryption method from its command-and-control server prevents future successful decryption of the corresponding PowerStar payload."

Lewis says that quest for return on investment for APT groups sometimes drives relatively unsophisticated, low-effort campaigns, but more often, "you've got groups that are going to get as sophisticated as they need to be to meet their objectives." What that means can run the gamut: Some will be able to develop zero days, as opposed to just using something they got from somebody else; others will demonstrate sophistication in how they manage and control their infrastructure.

The latter is the case with APT35. "When you've got the trade craft that we've got this group using, effectively bringing down custom payloads, it's bringing down different modules from third party services," he says. "Each different payload is going to be a little bit different, a little bit tweaked, and a little bit tuned, and ... that sort of approach is absolutely what you'd expect to see."

Nonetheless, Volexity researchers said they regularly observe operations from the APT, but finds the group to rarely deploy malware as part of their attacks. "This sparing use of malware in their operations likely increases the difficulty of tracking their attacks," according to the firm.

APT35 has been active for more than a decade. According to a 2021 blog from Darktrace, APT35 has in that time launched extensive campaigns against organizations and officials across North America and the Middle East; public attribution has characterized APT35 as an Iran-based nation state threat actor. Recent campaigns were suspected to be in service to Iran's potential physical targeting of dissenters for kidnapping and other kinetic ops.

Iran-Linked APT35 Targets Israeli Media With Upgraded Spear-Phishing Tools

Cyberattacks against organizations in some African nations increased significantly in 2022, despite a major expansion in cybersecurity hiring to support cloud and digital migration.

Cyberattacks against large enterprises in African nations ramped up in 2022, with Kenyan businesses reporting an 82% increase in such attacks, while South African and Zambian businesses recorded a 62% increase each.

According to a report from pan-African technology group Liquid C2, the top method of attack was via phishing or spam attacks (61%), with another 48% of incidents using compromised passwords. 

Jess Parnell, vice president of security operations at Centripetal, suspects that it's likely that cyberattackers are targeting businesses in Kenya, South Africa, and Zambia because they are all emerging economies with growing business sectors.

"Attackers may see these countries as attractive targets due to the potential for financial gain through various cybercrime activities, such as data theft, ransomware attacks, or financial fraud," he says.

Anna Collard, security evangelist at KnowBe4 Africa, says she feels the majority of attacks are still mostly opportunistic, such as ransomware gangs working through lists of compromised networks or credentials they get from access brokers, but the emerging economy aspect is certainly a factor in the targeting. 

"Ransomware-as-a-service groups shift their attention more towards emerging economies to get away from US based retaliation," she says, "and this makes Southern Africa or any economy with higher cyber-dependency on the continent an attractive target."

**Africa Sees Increasing Cybersecurity Hiring **

Africa faces a growing 100,000-person gap in the number of certified cybersecurity professionals, according to the Liquid C2 report; yet all respondents in the report highlighted that they had advanced significantly in their cloud and digital strategies as well as in related cybersecurity capabilities.

Furthermore, 68% said they had appointed cybersecurity staff members, or signed up with a cybersecurity team, in the past year. Kenya had the highest percentage at 82%, followed by South Africa (63%) and Zambia (62%).

Parnell says the fact that attacks persisted regardless of the number of staff hired or cybersecurity investments suggests that simply investing in cybersecurity measures does not guarantee protection against cyber threats.

"Cybercriminals continually evolve their tactics, making it challenging for businesses to stay ahead of them," he says. "Therefore, it is crucial for organizations to adopt a proactive approach to threat intelligence powered cybersecurity and continuously update their defenses to mitigate risks."

He adds, "Defending against cyberattacks requires a multi-layered approach that includes implementing robust security measures, raising employee awareness about phishing and other common attack vectors, regularly updating software and systems, conducting vulnerability assessments, and promptly responding to security incidents. By prioritizing cybersecurity and taking proactive measures, businesses can better defend against attacks and minimize the potential impact of successful breaches."

Likewise, Klaus Schenk, senior vice president of security and threat research at Verimatrix, says that increasing cybersecurity staff could actually draw the wrong kind of attention: "In general, hiring specialized staff alone may not necessarily lead to a reduction in the number of cyberattacks. In some cases, it might even attract the attention of malicious actors who view it as a challenge or an opportunity to demonstrate their skills."

That said, clearly the benefits outweigh the risk, he adds. "Augmenting your cybersecurity team can significantly mitigate the impact of cyberattacks on your business," he notes. "The ultimate goal should be to minimize the occurrence of such attacks and ideally achieve a state where they have no impact whatsoever."

African Nations Face Escalating Phishing & Compromised Password Cyberattacks

As cybercrime amidst the Russia-Ukraine war continues to escalate, the DDoSia project, launched by a known hacktivist group, has exploded in its number of members and quality of tools used for attacks.

After being launched by Russian hacktivist group "NoName057(16)" in the summer of 2022 and quickly gaining a substantial number of members and active users, the crowdsourced DDoS project known as "DDoSia" has grown exponentially, by 2,400%.

The platform now has 10,000 active members compared with the 400 it had when it first launched. It also has 45,000 subscribers on its primary Telegram channel, compared with just 13,000 last summer. With this growth comes more individuals helping conduct attacks on Western organizations, and better tools to deploy these attacks, such as introducing binaries for all major OS platforms.

Through data collected by Sekoia, analysts found that the targets of these DDoS attacks between May 8 and June 26 of this year were, for the most part, Lithuanian, Ukrainian, and Polish (39%). This is presumably due to the fact that these countries have made public declarations against Russia during the Russia-Ukraine war. During this time frame, the hacktivist group targeted 486 websites, including Ukrainian education and government sites, and French banking websites.

"NoName057(16) is making efforts to make their malware compatible with multiple operating systems, almost certainly reflecting their intent to make their malware available to a large number of users, resulting in the targeting of a broader set of victims," Sekoia analysts stated in a blog post. "\[We\] assess that strengthening the security of their software is part of NoName057(16)'s efforts to continuously develop their capabilities, almost certainly driven by their active community as well as the increasing scrutiny of their activities from the CTI community."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading