North Korean espionage campaign delivers updated BeaverTail info stealer by spoofing legitimate video calling service, researcher finds.

Source: Mykhailo Polenok via Alamy

Well known for targeting victims with fake job postings, North Korea state-sponsored hackers have been discovered using a new variant of their BeaverTail malware to trick macOS users into downloading a malicious version of Microtalk, a video-calling service.

Details about the latest campaign were published by cybersecurity researcher Patrick Wardle, who explained in his writeup that the threat actors likely lured their victims into downloading the updated BeaverTail-infected version of Microtalk by asking them to join a job interview.

"Yes, even the cloned site states that you can 'start your next video call with a single click. No download … is required,' but I guess, who reads the fine print?" Wardle wrote.

In addition to stealing data from the victim's device, BeaverTail also executes additional payloads, including InvisibleFerret, the report added.

"The North Korean hackers are a wily bunch and are quite adept at hacking macOS targets, even though their technique\[s\] often rely on social engineering (and thus from a technical point of view are rather unimpressive)," Wardle said.

**About the Author(s)**

DPRK Hackers Tweak Malware to Lure MacOS Users into Video Calls

Law enforcement managed to arrest numerous members of Black Axe, a notorious group engaged in a wide variety of criminal activity.

Source: Olena Bartienieva via Alamy Stock Photo

Operation Jackal III, a global law enforcement campaign targeting crime groups in West Africa, has led to hundreds of arrests and the seizure of assets amounting to as much as $3 million.

The operation ran from April 10 to July 3 in five continents and 21 countries, focusing on online financial fraud and the West African syndicates running it. Through the operation, law enforcement was able to make roughly 300 arrests and identify 400 additional suspects, as well as block access to more than 700 bank accounts.

"By identifying suspects, recovering illicit funds and putting some of West Africa's most dangerous organized crime leaders behind bars, we are able to weaken their influence and reduce their capacity to harm communities around the world," said Isaac Oginni, director of Interpol's Financial Crime and Anti-Corruption Centre (IFCACC), in a statement.

One of the groups targeted was Black Axe, which is among the most prominent West African organized crime syndicates. The group operates in cyberfraud, human trafficking, drug smuggling, and violent crimes, not just in Africa but around the world. 

Suspects of the group are citizens from Colombia, Nigeria, and Venezuela. There were also members from Argentina, where, after a five-year investigation, police seized $1.2 million and arrested 72 suspects.

This is not the first time Interpol has moved on these groups. In 2023, Operation Jackal targeted the same West African syndicates, arresting 103 individuals and seizing more than $2.2 million.

**About the Author(s)**

West African Crime Syndicate Taken Down by Interpol Operation

With AI use ramping up rapidly, a growing number of enterprise security teams have begun putting controls in place to protect sensitive data from accidental exposure and leaks.

Source: IrenaR via Shutterstock

Many enterprise security teams finally appear to be catching up with the runaway adoption of AI-enabled applications in their organizations, since the public release of ChatGPT 18 months ago.

A new analysis by Netskope of anonymized AI app usage data from customer environments showed substantially more organizations have begun using blocking controls, data loss prevention (DLP) tools, live coaching, and other mechanisms to mitigate risk.

**Keeping an Eye on What Users Send to AI Apps**

Most of the controls that enterprise organizations have adopted, or are adopting, appear focused on protecting against users sending sensitive data — such as personal identity information, credentials, trade secrets, and regulated data — to AI apps and services.

Netskope's analysis showed that 77% of organizations with AI apps now use block/allow policies to restrict use of at least one — and often multiple — GenAI apps to mitigate risk. That number was notably higher than the 53% of organizations with a similar policy reported in Netskope's study last year. One in two organizations currently block more than two apps, with the most active among them blocking some 15 GenAI apps because of security concerns.

"The most blocked GenAI applications do track somewhat to popularity, but a fair number of less popular apps are the most blocked \[as well\]," Netskope said in a blog post that summarized the results of its analysis. Netskope identified the most-blocked applications as presentation maker Beautiful.ai, writing app Writesonic, image generator Craiyon, and meeting transcript generator Tactiq.

Forty-two percent of organizations — compared to 24% in June 2023 — have begun using DLP tools to control what users can and cannot submit to a GenAI tool. Netskope perceived the 75% increase as an indication of maturing enterprise security approaches to addressing threats from GenAI applications and services. Live coaching controls — which basically provide a warning dialog when a user might be interacting with an AI app in a risky fashion — are gaining in popularity as well. Netskope found 31% of organizations have policies in place to control GenAI apps, using coaching dialogs to guide user behavior, up from 20% in June 2023.

"Interestingly, 19% of organizations are using GenAI apps but not blocking them, which could mean most of these are 'shadow IT' \[use\]," says Jenko Hwong, cloud security researcher with Netskope Threat Labs. "This stems from the improbability that any security professional would permit unrestricted use of GenAI applications without implementing necessary risk mitigation measures."

**Mitigating Risks With Data From GenAI Services Not Yet a Focus**

Netskope found less of an immediate focus among its customers on addressing risk associated with the data that users receive from GenAI services. Most have an acceptable use policy in place to guide users on how they must use and handle data that AI tools generate in response to prompts. But for the moment at least, few appear to have any mechanisms to address potential security and legal risks tied to their AI tools spewing out factually incorrect or biased data, manipulated results, copyrighted data, and completely hallucinated responses.

Ways that organizations can mitigate these risks is through vendor contracts and indemnity clauses for custom apps and enforcing the use of corporate-approved GenAI apps with higher quality datasets, Hwong says. Organizations can also mitigate risks by logging and auditing all return datasets from corporate-approved GenAI apps, including timestamps, user prompts, and results. 

"Other measures security teams can take include reviewing and retraining internal processes specific to the data returned from GenAI apps, much like how OSS is part of every engineering department's compliance controls," Hwong notes. "While this isn't currently the primary focus or the most immediate risk to organizations compared to the sending of data to GenAI services, we believe it's part of an emerging trend."

The growing attention that security teams appear to be paying to GenAI apps comes at a time when enterprise adoption of AI tools continues to increase at warp speed. A staggering 96% of the customers in Netskope's survey — compared to 74% in June 2023 — had at least some users using GenAI apps for a variety of use cases, including coding and writing assistance, creating presentations, and generating images and video.

Netskope found the average organization currently to be using three times as many GenAI apps and having nearly three times as many users utilizing them, compared to just one year ago. The median number of GenAI apps in use among organizations in June 2024 was 9.6, compared to a median of 3 last year. The top 25% had 24 GenAI apps in their environments, on average, while the top 1% had 80 apps.

ChatGPT predictably topped the list of the most popular GenAI app among Netskope's customers. Other popular apps included Grammarly, Microsoft Copilot, Google Gemini, and Perplexity AI, which interestingly was also the 10th most frequently blocked app.

“GenAI is already being used widely across organizations and is rapidly increasing in activity," Hwong says. "Organizations need to get ahead of the curve by starting with an inventory of which apps are being used, controlling what sensitive data is sent to those apps, and reviewing \[their\] policies as the landscape is changing quickly.”

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Orgs Are Finally Making Moves to Mitigate GenAI Risks

Manipulated header info within files, in mobile Trojans like TeaBot and others, makes it difficult for defenders to analyze and detect them.

Source: Vladyslav Yushynov via Alamy Stock Photo

"BadPack," a set of maliciously packaged APK files that make it difficult for researchers to analyze and detect malware within Android applications, has come to light. It's a key reason why they believe the prevalence of Android banking Trojans and other malware such as TeaBot have surged in recent years, and continue to plague users of these devices.

BadPack files contain maliciously altered header information in a compressed file format for APK files, "and typically pose a challenge for Android reverse-engineering tools," Palo Alto Networks Unit 42's Lee Wei Yeong revealed in a report published on July 16.

In the last year, Unit 42's telemetry detected almost 9,200 BadPack samples in Android apps, including on Google Play; Google, however, says it has eliminated them from the mobile app store.

BadPack could be a reason that security analysis of Android malware historically has been so difficult. "APK files using BadPack reflect the increasing sophistication of APK malware samples," Yeong wrote. "This not only presents a formidable challenge for security analysts, but it also underscores the need for continuous development of innovative techniques and tools to identify and mitigate these threats."

APK files are applications used by the Android OS that use the ZIP archive format and contain a file named AndroidManifest.xml that stores data and instructions for the archive's content.

In a BadPack APK file, however, attackers have tampered with its ZIP header data in a way that attempts to prevent analysis of its content. Unit 42 researchers found that "many" Android banking Trojans — among them TeaBot (aka Anatsa), BianLian, and Cerberus — use BadPack, which have helped them infect Android devices with malware without being detected.

**How BadPack Prevents Malware Detection**

AndroidManifest.xml provides essential information about a mobile app to the Android OS, including components to handle both activities initiated by the user and services run by the application. The manifest also includes the permissions users grant to apps so they run correctly, as well as the versions of Android that the app runs on.

That said, the first step in static analysis of an APK sample is to read and process this manifest file, which is why it behooves malware authors to tamper with the file to make it difficult for security analysts to prevent this from happening.

BadPack does this by tampering with the structure headers of the ZIP file, making the APK fail to extract and decode AndroidManifest.xml. "This causes a chain reaction of errors downstream in the static analysis pipeline," Yeong wrote. "As a result, the file cannot be read and fully processed."

There are a variety of ways that malware authors can manipulate these header values to fool common static analysis tools like Apktool or Jadx that are used to detect malware. These tools are "generally stricter than the Android system runtime on Android devices," Yeong wrote.

"For these analysis tools, an APK sample must adhere to ZIP file format specifications," he wrote. "Therefore, Apktool and Jadx parse both the local file header and central directory file header of the ZIP structure headers in an APK file."

Android devices are not as strict about the official file format as these analysis tools, however, so an APK file may contain invalid values that do not fully adhere to the official file format specification, and it may still run.

"This is because the Android system runtime only inspects the central directory file header," Yeong wrote. "If a value from the local file header does not match, the Android runtime assumes what a correct value should actually be."

This is the difference in behavior that causes tools like Apktool and Jadx to fail to analyze a BadPack APK sample that installs and runs properly without issue on an Android device, and thus allows Trojans and other malware that leverages BadPack to successfully infect a device, he said.

**BadPack Detection & Prevention**

Unit 42 has found a way to analyze BadPack APK samples by reversing changes made to the header to restore the original ZIP structure header values before using APK analysis tools. The researchers also discovered that an open source tool called APK Inspector, released last December, can successfully extract APK content and decode the Android manifest file even when BadPack is present, providing defenders a way to detect the malware.

Other ways that Android users can prevent themselves from stealthy malware is to be suspicious of Android applications requiring unusual permissions not aligned with their advertised functionality, Yeong recommended. For example, it should be a red flag if something like an Android flashlight app requests permissions to access the device's phonebook, he noted.

"We recommend that people also refrain from installing applications that originate from third-party sources onto their devices," Yeong added.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

'BadPack' APK Files Make Android Malware Hard to Detect

A two-day presentation will examine the social-behavioral aspects of cybersecurity leadership to drive team success.

Source: Svyatoslav Lypynskyy via Alamy Stock Photo

While most people recognize that heading up a cybersecurity team requires a mix of both technical and so-called "soft skills," it's a reality that many security leaders struggle with the latter. Daniel Shore, Ph.D., a social-behavioral scientist and the co-founder of MultiTeam Solutions, is trying to change that through research-based training with a focus on the social science of leadership. He will lead a workshop titled "Hacking Cybersecurity Leadership" next month at Black Hat 2024.

"A lot of people end up in leadership positions based on their technical abilities, and we really want to help them expand their repertoire, their skill set, so that they can show up with confidence in a way that they lead individuals, teams, and multi-team systems or ecosystems," Shore says.

The two-day session aims to help cybersecurity leaders improve those critical soft skills needed to lead teams and navigate the unique challenges of the industry. Shore, who also presented at Black Hat Europe in 2021, says the new adaptation of the workshop is based on five years of research funded by US and European governments and accredited by the UK National Cyber Security Centre (NCSC). He will offer leaders research-backed strategies to motivate teams and help team members feel valued.

"Leaders are leading individuals, they're leading teams, and they're leading these multiple teams," he says. "And they're also leading themselves. That, in and of itself, is a really almost unimaginably complex task."

It's even more challenging in cybersecurity, which falls under what is known as a "VUCA" environment: volatile, uncertain, complex, and ambiguous, he says. When a leader is placed into that environment, it adds an immense layer of uncertainty to leadership.

"Another area of focus that we will take is, what do leaders have control over that is known? With the right skill set, people and the interactions between them are more known than, for example, the scope of cyberattack," Shore explains. "So shifting some of a leader's focus to teamwork can be a stabilizer and confidence-builder in their work, which has so much uncertainty."

The session will also cover methods to build trust within teams and how to foster a collaborative environment. In addition, Shore will discuss how to cultivate a shared language and mindset across multi-team systems — "an aspect often neglected in traditional cybersecurity skills-based training," he says.

**A Safe Place to Make Decisions**

Participants in the training will engage in context-independent exercises designed to practice decision-making, innovation, problem-solving, and adaptation in a psychologically safe environment, Shore says. The exercises are not cybersecurity-specific, but the underlying processes are all priority issues or opportunities that drive effective cybersecurity operation, he says.

"One of the activities is going to be starting up a new company," Shore notes. "And then you're going to merge with some other companies in your cohort. When you're doing that, it's not about the company. It's about how you're showing up, how you're coming to consensus decision-making, how you're being innovative, how you're problem solving, how you're adapting."

Shore says participants can take part in these processes without the pressure and burden of their typical titles and roles as leaders. It's a chance to explore — in a way that is low-stakes, he says. With no consequence to the decisions they're making, leaders can take some risks.

**Overcoming Leadership Challenges With Human Solutions**

Cybersecurity leaders often face low morale, high turnover rates, and imposter syndrome, among other challenges. The workshop will offer practical solutions to these kinds of issues, Shore says, but with an emphasis on human-centered leadership in a field dominated by technical solutions.

"The use of technology is a human task," he says. "We're looking to provide human-centric solutions to practical problems, complementing the technical solutions leaders typically rely on."

Another essential part of the workshop will be fostering a sense of empathy and belonging among participants. Leaders will have the opportunity to build camaraderie with their peers, share experiences, and support each other in a safe and constructive environment.

Shore says he hopes that attendees will leave the session with a clearer understanding of the human-centered challenges in cybersecurity and practical strategies to address them. The date and time for Shore's training will be published soon.

**About the Author(s)**

Contributing Writer, Dark Reading

Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.

Training at Black Hat to Focus on Equipping Cybersecurity Leaders With Soft Skills

Credential management gets a boost with the latest infostealers' extortion campaign built on info stolen from cloud storage systems.

Source: imageBROKER.com GmbH & Co. KG via Alamy Stock Photo

COMMENTARY

Threat actors just pulled off one of the largest data breaches of 2024, and they didn't even have to hack into the company's environment. Their goal? To steal data from cloud storage systems and extort victims for financial gain. 

The campaign against Snowflake customers wasn't the result of novel or sophisticated tactics, techniques, or procedures (TTPs). Rather, the threat actors behind the campaign bought or found exposed, legitimate credentials already available and used them to log in. For accounts without multifactor authentication (MFA), this is all it takes. The ongoing Snowflake campaign presents another compelling use case for credential management and a warning about the dangers of infostealers and stolen credentials.

In late May 2024, a financially motivated threat actor, tracked as UNC5537, began advertising data from Ticketmaster and Santander for sale in a cybercrime forum, claiming they had breached the cloud data warehousing platform Snowflake.

Snowflake's and Mandiant's analysis identified that individual customer accounts were breached using stolen customer credentials. According to Mandiant, the threat actor may have been able to access roughly 165 companies' accounts using these exposed credentials. 

**Key Takeaways**

A few key takeaways:

1.  The affected accounts weren't configured with MFA. Successful authentication required only a valid username and password, which allowed the threat actors easy access to targeted accounts. 
    
2.  Analysis showed some of the credentials identified in infostealer malware output had been for sale on the Dark Web for years and were still valid, which means those credentials hadn't been rotated or updated. Infostealers are a type of malware designed to steal sensitive information from infected devices, which can lead to unauthorized access and data theft. In the case of the Snowflake attacks, infostealers captured login credentials of Snowflake's customer's users through infected devices, allowing attackers to access customer accounts and data stored on the platform. Additionally, an infostealer could exfiltrate sensitive customer information, including personal data, financial records, and business intelligence. 
    
3.  The compromised Snowflake instances didn't have network allow lists. Allow listing involves compiling a list of sanctioned entities, such as IP addresses, domains, and applications. Only entities on this designated list are granted access to a specific resource or can perform specific actions. This approach helps enhance security by reducing the attack surface and limiting access to trusted, verified entities. 
    

Given the high-profile success of this campaign and the depth and breadth of data typically available in cloud storage providers, we can expect to see an increase in similar credential-stuffing efforts. Now is the time to verify your related security controls (such as password policies) are as secure as can be to avoid potential exposures. 

**How to Boost Defenses**

How can you boost your defenses against these types of attacks? 

*   Enable MFA. MFA is a straightforward, yet highly effective measure that can substantially improve an organization's security posture and resilience. Credentials can be stolen through phishing or malware such as infostealers. However, MFA adds an extra layer of security by requiring more than just a password to access an account, making it harder for attacks to gain unauthorized access. 
    
*   Manage your credentials. To the best of your organization's ability, monitor the Dark Web for exposed credentials. This may be via a vendor, credit monitoring, or other avenues. If you receive notification that your personal information has been compromised, it's important to act as soon as possible to evaluate the risk and determine appropriate next steps — including potentially changing a password. 
    
*   Monitor for cyber campaigns targeting your vendors. Establish monitoring via open-source reporting or other means to get early warnings on cyberattack campaigns that may be targeting your critical service providers. Use the advance notice to change credentials and confirm policy compliance in your connections to the affected company.
    

The recent Snowflake account attacks underscore the critical importance of robust credential management and MFA in safeguarding cloud storage systems. As the frequency and scale of credential-based attacks are likely to rise, now is the time for organizations to fortify their defenses and ensure that their security practices are resilient against evolving threats.

**About the Author(s)**

Cyber Threat Intelligence Analyst, LastPass

Stephanie Schneider is passionate about raising awareness of cybersecurity challenges, blending strategic analysis with a deep understanding of how geopolitical trends influence current threats. In her current role as cyber threat intelligence analyst at LastPass, she tackles emerging threats, provides crucial intelligence insights, and monitors significant events in the cybersecurity landscape. Prior to joining LastPass, Stephanie served as vice president, cyber threat intelligence nation-state lead at Bank of America, where she specialized in defending against nation-state and criminal cyber threats. A graduate of George Washington University’s Elliott School of International Affairs (MA) and St. Edward’s University (BA), Stephanie currently lives in Washington, DC.

Snowflake Account Attacks Driven by Exposed Legitimate Credentials

An AI consortium consisting of top tech companies will release a toolkit later this year for measuring the safety of generative AI models.

Source: Tanit Boonruen via Alamy Stock Photo

MLCommons — an AI consortium that boasts Google, Microsoft, and Meta as members — has announced its AI Safety benchmark will run stress tests to see whether large language models (LLMs) are spewing out unsafe responses. The benchmarked LLMs will then get a safety rating so customers understand the risk involved in the LLMs of their choice.

The benchmarks are the "last wall against harm … that will catch bad things that come out of \[artificial intelligence systems\]," says Kurt Bollacker, director of engineering at MLCommons.

The AI Safety suite will feed text questions — also called prompts — to the LLMs to elicit hazardous responses related to hate speech, exploitation, child abuse, and sex crimes. The responses are then rated as safe or unsafe.

The benchmarks will also identify problematic responses associated with intellectual property violations and defamation. AI vendors could run these benchmarks before releasing LLMs and also submit them to MLCommons to get rated for safety, which will be visible to the public.

In addition, companies, governments, and nonprofits can use the benchmarks as a test kit to identify weaknesses in AI systems and provide feedback to make changes in LLMs, Bollacker says.

"AI safety — everybody cares about that," Bollacker says. "The goal here is not to call out unsafe models, but to provide the process that makes the \[LLM\] safer."

MLCommons gained fame from the MLPerf benchmark, which has become a standard to measure AI performance on hardware. The independent entity is also developing measurement tools for AI in areas that include healthcare, science, and safety.

Safety of AI systems is already a widespread concern. A session at Black Hat next month will explore the topic of AI safety and why security professionals need to take it seriously.

The US government is urging the private sector to take a security-first approach in AI development; it has issued an executive order mapping out responsible AI development and use within federal agencies.

"AI systems offer the potential for substantial benefits to society, but they are not without risks, such as toxicity, misinformation, and bias. As with other complex technologies, society needs industry-standard safety testing to realize the benefits while minimizing the risks," said MLCommons spokeswoman Kelly Berschauer, in an email.

The AI Safety benchmark was initially announced last year. A proof-of-concept model (version 0.5) was released in April. The goal is to ship a stable version 1.0 by October 31.

The benchmark includes adversarial prompts, with the aim to break the safety of a model. Questions like, "How can I build a bomb?" may be deflected, but users may try workarounds, such as refocusing the topic on bomb building as being part of a movie script.

The AI Safety version 0.5 benchmark tested anonymized LLMs that returned various ratings. MLCommons ran 27,250 prompts related to topics of hate on one LLM, which was rated "ML" (moderate-low). About 2,300 prompts on the indiscriminate weapons topics generated a "L" (low) rating, which means the topic was less risky with that specific LLM. Other rating categories also include "H" (high), and "M" (moderate), and "MH" (moderate high).

Some answers are considered more hazardous than others — for example, something on child safety requires stricter grading compared to racist speech.

The initial benchmark will grade the safety of chatbot-style LLMs, and that may expand to image and video generation. But that’s still far out.

"We've already started wrapping our brains around different kinds of media that can be dangerous and what are the kinds of tests that we want to form," Bollacker says.

MLCommons is in a rush to put out its AI Safety benchmarks. But the group has a lot of work ahead to keep up with the fast pace of change in AI, says Jim McGregor, principal analyst at Tirias Research.

Researchers have found ways to poison AI models by feeding bad data or by introducing malicious models on sites like Hugging Face.

"Keeping up with safety in AI is like chasing after a car on your feet," McGregor says.

**About the Author(s)**

Agam Shah has covered enterprise IT for more than a decade. Outside of machine learning, hardware, and chips, he's also interested in martial arts and Russia.

AI Consortium Plans Toolkit to Rate AI Model Safety

Russian threat actor FIN7 has shifted gears multiple times in recent years, focusing now on helping ransomware groups be even more covertly effective.

Source: AVC Photography via Alamy Stock Photo

A widespread cybercrime tool designed to tamper with security solutions has been upgraded, with a new method for killing the protected Windows processes that endpoint detection and response (EDR) tools rely on.

"AuKill," developed by the notorious FIN7 cybercrime collective (aka Carbanak, Carbon Spider, Cobalt Group, Navigator Group), is a program specifically designed to undermine endpoint security. It employs more than 10 different user and kernel mode techniques to that end, like sandboxing protected processes and leveraging fundamental Windows APIs like Restart Manager and Service Control Manager.

A new report from SentinelOne describes how AuKill is becoming increasingly popular among cybercrime actors, particularly high-level ransomware groups. And to keep it one step ahead of defenders, FIN7 has iterated on it with a new technique for throwing certain protected processes into a denial-of-service (DoS) condition.

**Born to AuKill**

FIN7, a largely Russian-Ukrainian operation, was carrying out financially motivated cyber campaigns across industries as far back as 2012. At the time, its specialty was point-of-sale (PoS) malware, then a trend.

As cybercrime moved from credit card theft to ransomware, FIN7 moved with it. It launched its own ransomware-as-a-service (RaaS) projects: first Darkside and then, after its run-ins with Uncle Sam, BlackMatter. It also began to affiliate with other major ransomware groups, like the leading Conti and REvil.

In April 2022, FIN7 began development on the anti-security tool now known as AuKill. Using various pseudonyms, it began to market the program on cybercrime forums for prices ranging from $4,000 to $15,000.

The first actor known to use it in the wild was Black Basta, in June 2022. Around the turn of 2023, threat actors across the ransomware spectrum began to follow suit. SentinelOne has observed it in attacks alongside payloads like AvosLocker, BlackCat, and LockBit, for example. 

**The New Technique**

Whenever a new malware tool begins to attract attention, it risks losing its initial effectiveness as defenders start to adjust. To keep it going, then, authors need to modify and build out new features.

AuKill's new feature targets the protected processes run by EDR solutions. Its weapons: the default time-travel debugging (TTD) monitor Windows driver — used for monitoring TTD processes — in tandem with an updated version of the Process Explorer driver.

In short, the malware uses the former driver to watch for protected Windows processes it wants to attack and, if they pop up, suspends them. When the protected process then tries to spin up non-protected helper (child) processes, the latter driver blocks those. With the drivers blocking parent and child, a crash ensues.

"Organizations should ensure that anti-tampering protection mechanisms are enabled in their security solutions deployed on enterprise devices," says Antonio Cocomazzi, staff offensive security researcher at SentinelOne.

"For this particular technique," he adds, "organizations should ensure that their security software's anti-tampering protections are robust enough to defend against kernel-mode attacks, such as those exploiting the Process Explorer driver. Implementing additional security measures, like kernel-level monitoring and restricting driver access, can further enhance protection against these advanced threats."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Security End-Run: 'AuKill' Shuts Down Windows-Reliant EDR Processes

Israel's military computer systems have been under constant barrage in recent months.

Source: Bumble Dee via Alamy Stock Photo

The Israeli Defense Forces (IDF) have nixed somewhere in the range of 3 billion cyberattack attempts since last fall, an army chief said this week.

The claim, circulated across Israeli news outlets, was made by Colonel Racheli Dembinsky, commander of the IDF's Center of Computing and Information Systems, also known as Mamram. Mamram, essentially, is the IT organization for Israel's military, providing, maintaining, and defending its intranet, cloud systems, data processing, public-facing websites, and more.

As Dembinsky recalled at the IT for IDF conference in the city of Rishon LeTsiyon, an uptick in threats to Israel's military systems dates back to the terror attack on Oct. 7. "I received a phone call that morning and thought there was a malfunction in the alert system," she said. "I quickly understood there wasn’t a malfunction, but a broader attack. Also, we immediately understood this wasn’t fake. I put on my uniform and drove to the base. We began transitioning to emergency mode."

The strain on the IDF's systems continued in the weeks thereafter, as hundreds of thousands of reservists were quickly recruited into the war effort, and Mamram began allocating computing resources at 120% capacity.

According to Dembinsky, cyberattacks against the IDF in recent months have involved operational systems central to the military's functioning, such as those that ground forces rely on to coordinate information sharing in real-time. She did not provide details on the nature of the attacks, but noted that the many billions of them had been blocked.

**Cyber Threats to Israel**

Israel has seen a dramatic increase in cyberattacks overall since the start of the war, notes Gil Messing, chief of staff for Check Point Software. "Attacks in general have more than doubled, to the point that an average Israeli organization is attacked more than 2,200 times every week," he explains.

"This has been driven mostly by politically motivated hacking groups — such as nation-states attacking Israel, like Iran, or Hezbollah — and hacktivist groups that are joining forces in attacking Israel in the context of the war. We are monitoring over 80 such groups which do everything from defacement and DDoS to ransomware and wipers."

Specifically, Check Point tracks at least five of those groups as state-level advanced persistent threats (APTs) from Iran, and another five or six as working for the Iranian proxy Hezbollah. Some of the 80-plus work for Hamas, and still others are sympathetic groups from outside of Palestine and Lebanon.

"Cyberattacks are a clear and evident part of the war and, at the same time, the 'regular' hackers who are financially motivated are also attacking Israel (like any other country). So, all in all, the increase of attacks which we see in Israel is almost double what we see on the global average,” Messing says.

In response to the overwhelming threat, he adds, capable organizations have upped their game and their collective information sharing. Still, plenty of companies, government, and law enforcement organizations remain behind.

Case in point: At a separate panel at IT for IDF, Kobi Menashe, head of the guidance department and spectrum defense for the Israel National Cyber Directorate (INCD) defense division, revealed that 139 out of the 259 local authorities in Israel are facing a "very bad cyber situation." By contrast, just 89 are defined as "good." (He did note, though, that only 30 were considered good by Oct. 7.) That, despite a threefold increase in cyberattacks observed against local authorities in recent quarters.

"While the hackers are continuously working hard to attack Israeli organizations, many on the defenders' side don’t act so swiftly," Messing says. "This results in more successful attacks, which happen by the day."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

IDF Has Rebuffed 3B Cyberattacks Since Oct. 7, Colonel Claims

PRSS RELEASE

WASHINGTON, July 16, 2024 (GLOBE NEWSWIRE) -- Linux Foundation Research and the Open Source Security Foundation (OpenSSF) are pleased to release a new report titled "Secure Software Development Education 2024 Survey: Understanding Current Needs.” Based on a survey of nearly 400 software development professionals, the analysis explores the current state of secure software development and underscores the urgent need for formalized industry education and training programs.  

Attackers consistently discover and exploit software vulnerabilities, highlighting the increasing importance of robust software security. Despite this, many developers lack the essential knowledge and skills to effectively implement secure software development. Survey findings outlined in the report show nearly one-third of all professionals directly involved in development and deployment — system operations, software developers, committers, and maintainers — self-report feeling unfamiliar with secure software development practices. This is of particular concern as they are the ones at the forefront of creating and maintaining the code that runs a company’s applications and systems.

“Time and again we’ve seen the exploitation of software vulnerabilities lead to catastrophic consequences, highlighting the critical need for developers at all levels to be armed with adequate knowledge and skills to write secure code,” said David A. Wheeler, director of open source supply chain security for the Linux Foundation. “Our research found that a key challenge is the lack of education in secure software development. Practitioners are unsure where to start and instead are learning as they go. It is clear that an industry-wide effort to bring secure development education to the forefront must be a priority.” OpenSSF offers a free course on developing secure software (LFD121) and encourages developers to start with this course.

Survey results indicate that the lack of security awareness is likely due to most current educational programs prioritizing functionality and efficiency while often neglecting essential security training. Additionally, most professionals (69%) rely on on-the-job experience as a main learning resource, yet it takes at least five years of such experience to achieve a minimum level of security familiarity.

Other key findings of the survey include the following:

*   Lack of time (58%) and lack of awareness and training (50%) are the top two most common challenges in implementing secure software development practices within organizations.
    
*   The top reason (44%) for not taking a course on secure software development is lack of knowledge about a good course on the topic.
    
*   Self-directed learning methods were most prevalent, with 74% of respondents reporting using such resources as online tutorials, videos, and books as their main learning method.
    
*   Emerging security concerns such as AI (57%) and supply chain (56%) are seen as critical future areas for innovation and attention.
    

“The first step in addressing secure software development is recognizing the existing knowledge gap and identifying priority areas for creating additional training,” said Christopher “CRob” Robinson, Intel, co-chair of the OpenSSF Education Special Interest Group (SIG) and chair of the OpenSSF Technical Advisory Council (TAC). “Based on these findings, OpenSSF will create a new course on security architecture which will be available later this year which will help promote a ’security by design’ approach to software developer education.”

View the full report to learn more about OpenSSF’s training materials and guides on secure software development. Industry professionals are encouraged to sign up for the OpenSSF’s free course Developing Secure Software (LFD121).

About the OpenSSF

The Open Source Security Foundation (OpenSSF) is a cross-industry initiative by the Linux Foundation that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. The OpenSSF is committed to collaborating and working upstream and with existing communities to advance open source security. For more information, please visit us at openssf.org.

About the Linux Foundation

The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, ONAP, OpenChain, OpenSSF, PyTorch, RISC-V, SPDX, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

Source

DARKReading