You're only as strong as your weakest security link.

Source: Elena Uve via Alamy Stock Photo

COMMENTARY

Most companies are sitting ducks regarding API security. During my two decades in infosec, I've never seen a threat landscape evolve as rapidly and dangerously as the one surrounding APIs. And here's the kicker: Most organizations are blissfully unaware of the ticking time bomb in their digital infrastructure.

Remember the Optus breach that exposed 9.8 million customer records last year? That was just the tip of the iceberg. APIs are the new favorite target for hackers, and for good reason. They're everywhere, often poorly secured, and packed with juicy data.

Don't believe me? Let's look at some numbers. A recent security audit for a midsize fintech client uncovered a staggering 5,743 distinct APIs in active use. Five years ago, that number was 486. This isn't an anomaly — it's the new normal.

But here's where it gets scary: Most companies have yet to learn how many APIs they run. It's like leaving your house with every window and door wide open and then wondering why you got robbed.

Take the recent Twilio debacle. A single unsecured API endpoint exposed 33 million phone numbers associated with Authy accounts, according to Trend Micro. The attackers didn't need sophisticated tools or insider knowledge. They fed a list of phone numbers into an API and watched the data pour out. It was that easy.

Or consider the 2021 Peloton fiasco. A faulty API allowed anyone to access users' private account data without authentication. Age, gender, and location were all up for grabs.

These aren't isolated incidents. They're symptoms of a systemic problem in our approach to API security. We're building digital skyscrapers on foundations of sand and then acting surprised when they come crashing down.

So, what can you do about it? Here are some practical steps:

1.  Get your house in order. Start cataloging every API in your ecosystem. You can't secure what you don't know exists. You can use automated discovery tools if you have to, but you can get a complete inventory.
    
2.  Adopt a zero-trust approach. Treat every API call as potentially malicious, regardless of origin. Implement strong authentication and authorization for every endpoint. No exceptions.
    
3.  Rate limit everything. Don't let attackers flood your APIs with requests. Set sensible limits and enforce them rigorously.
    
4.  Versioning is your friend. Implement a robust versioning system for your APIs. When vulnerabilities are discovered (and they will be), you need to be able to deprecate and disable old versions quickly.
    
5.  Educate your developers. Most API vulnerabilities stem from developers' lack of security awareness. Invest in regular training sessions focused explicitly on API security best practices.
    
6.  Monitor aggressively. Implement advanced monitoring and behavioral analysis tools. Be sure to look for anomalies in API traffic patterns. The sooner you can detect unusual activity, the better your chance of preventing a breach.
    
7.  Regular penetration testing. Don't wait for hackers to find your vulnerabilities. Conduct regular, API-focused penetration tests and fix the issues they uncover.
    

Here's the hard truth: If you're doing only some of these things, you're probably next on the hit list. The attackers are getting more innovative, more resourceful, and more persistent. They're probing your defenses right now, looking for that one weak API that will give them the keys to your kingdom.

The subsequent major breach isn't a matter of if, but when. And when it happens, the question won't be, "How did this happen?" We know how it will happen. The question will be, "Why didn't we do more to prevent it?"

It's time to wake up to the API security crisis and stop treating API security as an afterthought or a nice-to-have. With board-level visibility and dedicated resources, it must be at the forefront of your security strategy.

Because if you don't take API security seriously now, you'll be forced to take it seriously after a breach. And by then, it'll be too late.

The choice is yours. Act now — or explain to your customers later why you didn't.

**Additional Considerations**

As we delve deeper into the API security crisis, it's crucial to understand that this is not just a technical problem, it's a business problem. The repercussions of a major API breach can be devastating, affecting everything from your company's bottom line to its reputation in the market.

Consider the following:

1.  Regulatory compliance. With regulations like GDPR, CCPA, and others becoming increasingly stringent, API security is no longer just about protecting data — it's about avoiding hefty fines and legal troubles. A breach could cost your company millions in penalties and long-term damage to your brand.
    
2.  Third-party risk. Your API ecosystem likely extends beyond your organization. Third-party integrations and partnerships can be a significant vulnerability if not properly managed.
    
3.  Evolving attack vectors. Attackers are constantly innovating. From API poisoning to GraphQL abuse, new attack vectors are emerging faster than many organizations can keep up. 
    
4.  Continuous monitoring and improvement. The API security landscape is not static. What's secure today might be vulnerable tomorrow. Please make sure your API security posture evolves with the threat landscape.
    

Remember, you're only as strong as your weakest link in API security. It's time to fortify every aspect of your API ecosystem before it's too late. Your business's future may very well depend on it.

**About the Author**

Partner Solutions Architect

Vaibhav Malik has more than 14 years of experience in networking and security. He collaborates with global partners to create and deploy robust security solutions for enterprise clients. Malik is a recognized thought leader and expert in zero-trust security architecture. His previous roles at large service providers and security companies involved assisting Fortune 500 clients with network, security, and cloud transformation projects. He champions an identity and data-centric approach to security and is a popular speaker at industry events. With a master's in telecommunication from the University of Colorado Boulder and an MBA from the University of Illinois Urbana-Champaign, Malik's extensive expertise and hands-on experience make him an invaluable asset for organizations aiming to strengthen their cybersecurity posture in today's complex threat landscape.

The API Security Crisis: Why Your Company Could Be Next

PRESS RELEASE

NEW YORK – Today, Verizon Business released its 2024 Mobile Security Index (MSI) report outlining the top threats to mobile and IoT device security. This year’s report, in its seventh iteration, goes beyond employee-level mobile usage and extends into the usage of IoT devices and sensors and the security concerns the growth of these devices can present especially as remote work continues to be a trend. This expanded view of mobile security concerns for organizations showcases the evolving threat landscape that CIOs and other IT decision makers must contend with.

As dependency on mobile devices grows, so too do the risks, especially in critical infrastructure sectors where the consequences of security breaches can be catastrophic. The 2024 MSI, which surveyed 600 people responsible for security strategy, policy and management, underscores this point.

**Employees are using more mobile and IoT devices, leading to increased cyber risks**

The survey finds that 80% of respondents consider mobile devices critical to their operations, while 95% are actively using IoT devices. However, this heavy reliance comes with significant security concerns. In critical infrastructure sectors, where 96% of respondents report using IoT devices, more than half state that they have experienced severe security incidents that led to data loss or system downtime.

“These findings highlight the continued friction that employers face as more and more work is done on personal mobile devices,” said Phil Hochmuth Research VP, enterprise mobility at IDC. “This is why we are seeing more and more employers move from a pure bring-your-own-device model to employer provided devices where CIO’s can have greater governance to protect critical infrastructure from cyber attacks."

Additionally, Hochmuth says, organizations should adopt robust frameworks such as Zero Trust and the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF) 2.0, and comply with mandates like the European Union’s NIS2 Directive.

**Emerging AI cyberthreats meet new AI defenses**

Emerging artificial intelligence (AI) technologies are expected to exacerbate the mobile threat landscape, but it also presents opportunities for defense. A striking 77% of respondents anticipate that AI-assisted attacks, such as deepfakes and SMS phishing, are likely to succeed. At the same time, 88% of critical infrastructure respondents acknowledge the growing importance of AI-assisted cybersecurity solutions.

**Accounting for IoT growth in cybersecurity planning**

With companies increasingly deploying IoT devices, their digital landscapes are evolving, creating a need for cybersecurity strategies to evolve in kind.

“The Industrial Internet of Things (IIoT) is giving rise to a massive expansion in mobile device technology that goes well beyond phones, tablets and laptops. Enterprise networks now include all sorts of sensors and purpose-built devices that monitor, measure, manage and control commercial tasks and data flow,” said TJ Fox, SVP of Industrial IoT and Automotive, Verizon Business. “That IIoT growth brings with it a proportionate need for more knowledge, awareness and IT solutioning to ensure the security of those increasingly sophisticated networks. The growing importance that IoT plays in our customer’s technology ecosystem underscores why it should be a component in any sound cybersecurity program.”

**What business leaders should know**

The 2024 MSI helps inform cybersecurity decisions for leaders of businesses of all sizes and in key sectors. As mobile and IoT threats rise, the need for robust security measures has never been greater. In response to these growing threats, 84% of respondents have increased their mobile device security spending over the past year, with 89% of critical infrastructure respondents planning further increases.

This year’s MSI includes contributions from Verizon’s partners including Ivanti, Lookout, Jamf among others.  Help your organization lower cyber risks by deploying comprehensive security protections, continuous employee education and advanced threat detection capabilities. Read the Verizon Business 2024 Mobile Security Index to learn more about suggested best practices your organization can implement.

Verizon Business 2024 Mobile Security Index Reveals Escalating Risks in Mobile and IoT Security

PRESS RELEASE

WILMINGTON, Del.--(BUSINESS WIRE) -- Today, Intel 471, the premier provider of cyber intelligence-driven solutions worldwide, sponsored a partnership of 28 industry leaders serving public and private organizations across the vendor and consumer community. Together, these professionals volunteered their time, effort, and experience to launch the first version of the Cyber Threat Intelligence Capability Maturity Model (CTI-CMM), designed as the first-of-its kind vendor agnostic and universally applicable resource to support organizations of all shapes and sizes across the CTI industry. In today’s evolving threat landscape, the sign of a successful Cyber Threat Intelligence (CTI) program is a mature program that seamlessly integrates with an organization’s core objectives and key outcomes.

“Unlocking the full potential of your CTI program requires alignment with the capabilities of each stakeholder it supports, and a tangible measurement of success synchronized with organizational priorities,” said Michael DeBolt, Chief Intelligence Officer at Intel 471. “The CTI Capability Maturity Model (CTI-CMM) is designed to support CTI teams in building their capabilities by aligning to defined practices for stakeholder business domains unique to each organization. The Model establishes shared values and principles across the industry to empower organizations to take a holistic approach to cyber threat intelligence with stakeholders in mind.”

“Advising numerous clients globally, I have observed a consistent need for an outcome-focused model for cyber intelligence programs. The CTI-CMM bridges the gap to help CTI programs create impactful and demonstrable value for their organization,” said Colin Connor, CTI Services Manager at IBM X-Force.

The all-volunteer team behind the CTI-CMM is comprised of professionals representing a wide range of sectors, geographic regions, backgrounds and experiences, including leaders from Intel 471, IBM, Kroger, Venation, Mandiant, IntL8, Regfast, Trellix, Autodesk, Centre for Cybersecurity Belgium (CCB), Northwave Cyber Security, Workday, Marsh McLennan, Signify, Tidal Cyber, DeepSeas, BP, Gojek, SAND and many more. These individuals created CTI-CMM to elevate cyber threat intelligence across the industry through knowledge and experiences. Together, they defined the following values and principles to support the CTI community moving forward:

Shared Values

*   Intelligence provides value through collaboration with our stakeholders and supporting their decision-making process.
    
*   Intelligence is never completed. Improvement is continuous. This also applies to adoption. Constant improvement is crucial for success and distinguishing from other models which failed to keep up with the time.
    
*   Intelligence is not proprietary, nor is it prescriptive. Therefore, the model should never be claimed by a single commercial party.
    

Shared Principles

*   Contextualizing threat intelligence within risk
    
*   Continuous self-assessment and improvement
    
*   Actionable intelligence based on stakeholder needs
    
*   Quantitative and qualitative measurement of intelligence
    
*   Collaborative and iterative intelligence processes
    

This team made the decision to design the CTI-CMM to align with industry best practices and the concepts and format of a recognized cybersecurity maturity model, the Cybersecurity Capability Maturity Model (C2M2). Similar to the C2M2, the CTI-CMM is organized into ten domains. Each domain includes a “Domain Purpose” followed by a “CTI Mission'' description describing how the CTI function supports it and consists of the CTI Use Cases and CTI Data Sources.

The CTI-CMM is the blueprint for a successful and effective CTI program. It exists to support the people who make decisions and take action to protect organizations. For more information, please visit: https://cti-cmm.org/

About Intel 471

Intel 471 empowers enterprises, government agencies, and other organizations to win the cybersecurity war using the real-time insights about adversaries, their relationships, threat patterns, and imminent attacks relevant to their businesses. The company's platform collects, interprets, structures, and validates human-led, automation-enhanced intelligence, which fuels our external attack surface and advanced behavioral threat hunting solutions. Customers utilize this operationalized intelligence to drive a proactive response to neutralize threats and mitigate risk. Organizations across the globe leverage Intel 471’s world-class intelligence, our trusted practitioner engagement and enablement and globally dispersed ground expertise as their frontline guardian against the ever-evolving landscape of cyber threats to fight the adversary -- and win. Learn more at https://intel471.com/.

Cybersecurity Industry Leaders Launch the Cyber Threat Intelligence Capability Maturity Model

PRESS RELEASE

ROCKVILLE, Md., Aug. 1, 2024 /PRNewswire/ -\- Dataprise, a distinguished provider of managed services (MSP) and managed security services (MSSP), today announced the acquisition of Phoenix IT, a cybersecurity incident response and managed service provider in Arizona. The acquisition broadens Dataprise's Cybersecurity platform with new Incident Response & Remediation Services and expands the company's managed services regional footprint to Arizona.

Dataprise's mission is to combine powerful, enterprise-grade solutions with local, personalized service delivery for outstanding client experiences. Phoenix IT uniquely adds to both commitments by enabling Dataprise to offer comprehensive incident response and remediation services, and to expand its reach to clients in Phoenix, AZ.

"Phoenix IT has built a prestigious reputation as the go-to for cyber incident response and recovery among clients and partners nationwide while cultivating a strong regional MSP business. This security-minded, client-first culture aligns naturally with Dataprise and will enable accelerated value on both fronts for clients. We look forward to bringing unexpected value to both Dataprise's clients with the new IR capabilities and Phoenix IT's clients with access to an end-to-end portfolio of IT services," said William Flannery, Chief Executive Officer, Dataprise.

"We are experiencing a rapid growth phase at Phoenix IT, driven by the increasing demand for our Incident Response & Recovery Services and the exceptional work of our expert team. Simultaneously, our commitment to supporting local Phoenix businesses enables us to maintain a comprehensive focus on the client experience," said Nathan Phillips, Founder and CEO of Phoenix IT. "Dataprise is a perfectly aligned partner for our business and clients, and we look forward to robust growth together as we continue to ensure our clients' safety and security."

"Phoenix IT has an exceptional leadership team, dedicated cybersecurity professionals, and a significant presence in Phoenix—a region of strong growth and opportunity. This blend makes Phoenix IT an ideal addition as Dataprise advances our strategy to expand our nationwide footprint and deliver the most advanced Cybersecurity portfolio in the market," said Christian Fulmino, SVP of M&A, Dataprise.

Lance Meilech served as the investment banker on the sale of Phoenix IT. 

About Dataprise  
Dataprise is a portfolio company of Trinity Hunt Partners, a growth-oriented private equity firm. Founded in 1995, Dataprise believes that technology should enable our clients to be the absolute best at what they do. This commitment to client success is why Dataprise is recognized as the premier strategic managed service and security partner to strategic CIOs and IT leaders across the United States. Dataprise delivers best-in-class managed cybersecurity, disaster recovery as a service (DRaaS), managed infrastructure, cloud, and managed end-user services that transform business, enhance user experiences, and eliminate risks. Dataprise has offices across the United States, employs 500+ of the industry's best and brightest, and supports more than 2,000 clients.

You May Also Like

Dataprise Acquires Phoenix IT Adding Cyber Incident Response &amp; Remediation Services

PRESS RELEASE

AUSTIN, Texas--(BUSINESS WIRE)-- Votiro, innovator in Zero Trust Data Detection and Response (DDR) and trusted to deliver safe and compliant content to industry leaders across the globe, announces an expansion of privacy toolsets and integrations within its DDR platform. New features include the ability to mask privacy data within documents in real-time, continuous monitoring and reporting on where unstructured data travels throughout an organization, alerts around potential compliance violations, and expanded integrations with key technology partners.

“Despite a growing data security market, data breaches are still running rampant, leading to more stringent data protection and privacy regulations,” said Darin Sanders, CRO at Novacoast. “Compliance has again become a major focus across many industries, and both Novacoast and Votiro are dedicated to helping these organizations not only quickly achieve a compliant posture but stay that way. Votiro’s Zero Trust DDR platform is the answer for teams looking for visibility, reporting, control, and masking.”

With enhanced data privacy functionality, Votiro’s Zero Trust DDR is now well positioned to address both facets of data security in a unified platform – data privacy risks and malware threats. Key new features and integrations include:

1.  Data masking and de-masking: Personally identifiable information (PII) or sensitive enterprise data is masked (obfuscated) while in-transit to satisfy various regional and international data regulations and privacy requirements. Users can also de-mask data based on established enterprise policy controls.
    
2.  Enhanced privacy and threat analytics dashboard: New analytics provided include, but are not limited to, commonly targeted channels and entry points, user behavior, the types of data being ingested and shared throughout the organization, and real-time logging of the files/data detected and masked/sanitized by Votiro.
    
3.  Expanded integration within the Microsoft ecosystem: Real-time data detection and response can be applied throughout the organization. In addition to Microsoft Office 365, Votiro now supports Microsoft Teams, SharePoint, and OneDrive to ensure seamless and safe collaboration for MS users and third-party contributors.
    
4.  Monitoring and masking static environments: If threat actors gain access to secure environments, sensitive data housed within these channels is already anonymized based on permissions and made useless to unauthorized parties looking to exfiltrate PII.
    

“We launched the industry’s first unified content security platform earlier this year to safeguard organizational data against privacy risks and malware threats and simplify compliance efforts. Since the initial launch, our team has been building new innovations within the Zero Trust DDR platform to further support this mission,” said Ravi Srinivasan, CEO at Votiro. “The newly available functionalities are plugging the gaps in many endpoint and reactive-only solutions, providing our customers with a one-stop-shop for preventative, data-centric security.”

Votiro is poised to grow internationally with notable new partnerships including Novacoast, an international cybersecurity company providing IT services and software development, and CyberKis, a full-service cybersecurity company in Israel. Votiro also serves governments worldwide, including government agencies and organizations in Japan with Asgent, where Votiro holds the dominant market position in terms of sales revenue for the last seven consecutive years.

Headed to BlackHat? Votiro will be there! Book time with Ravi Srinivasan if you want to chat more about the evolution of the data security market, Votiro’s Zero Trust DDR, or partnership opportunities.

To book a demo, start a free 30-day trial, or learn more about Votiro’s commitment to preventing privacy risks and malware threats, visit www.votiro.com.

About Votiro

Votiro's Zero Trust Data Detection & Response platform allows data to flow freely and safely. Our unified data security solution provides organizations around the globe with real-time privacy masking, data compliance, proactive file-borne threat prevention, and actionable data insights. The seamless, open-API proactively prevents risks to private data in-motion by detecting and masking information while disarming known and unknown cyber threats before they reach user endpoints.

Votiro is headquartered in Austin, TX, with offices in Australia, Israel, and Singapore. Votiro is SOC 2 Type II compliant. Learn more at www.votiro.com.

Votiro Unveils New Data Privacy Features and Integrations

While still under development, the malware contains Turkish-language filenames, can record the screen and keystrokes, and inject custom overlays to steal passwords and sensitive data.

Source: Muhammad Toqeer via Shutterstock

A threat intelligence firm discovered samples of a malicious Android program that appears to target Turkish-language speakers. The program can take screen grabs, capture keystrokes, and create custom overlays — also known as Web injections — that can fool users into entering sensitive information.

The Trojan, dubbed BlankBot, appears to be under active development — judging from a significant number of code variants and log files — and remains largely undetected by the anti-malware scanners hosted on VirusTotal, cyberthreat-intelligence firm Intel 471 stated in its report published on Aug. 1. The developers of the Trojan use openly available libraries for mimicking account pages and producing other overlays and showed other signs of cybercriminal sophistication, Intel 471's analysts, who asked not to be named, said in an email interview.

"The developers appear to be experienced Android application developers, and they also demonstrate an understanding of the ATO \[account takeover\] business," they said. "These libraries allow the malware operators to imitate real financial applications more closely and create a seamless, authentic-looking phishing page, making it more likely that a user will follow all the steps and give up their sensitive information."

At this point, the motive for the group's targeting of Turkey is unclear, the company said. In recent years, Turkey has become a target for cyberattackers, especially nation-state espionage groups. India's SideWinder group has targeted individuals in Turkey — in addition to the group's typical targets of regional rivals, such as Pakistan — while China's APT41 has targeted global shipping, technology, and automotive industries, including those in Turkey.

Meanwhile, the country has been developing its own cyber capabilities. A Turkey-linked group has targeted Kurdish opposition groups throughout Europe, the Middle East, and North Africa, while another cybercriminal group in Turkey is targeting corporate databases in the United States, Europe, and Latin America with ransomware.

**Malware Under Development**

The malicious application appears to be under development but already has a host of features. Like other Android malware, BlankBot requests permission and then uses Android's accessibility features to take control of the device. Once in control, the malware can record the screen via the MediaProjection API, with the recording saved as JPEG images, which are then sent to a remote server.

In a relatively rare technique, the malware also creates its own keyboard for input, so the application can more easily capture user keystroke input. BlankBot also uses two open source libraries, CompactCreditInput and Pattern Locker View, to create screens that mimic the data entry pages for various sensitive credentials, such as usernames, passwords, PIN combinations, and credit card information, Intel 471 stated in its advisory.

Finally, using the accessibility services, the company said that the malware can control certain features by spoofing finger swipes.

"Threat actors are able to perform on-device fraud (ODF) by waking up and controlling the device remotely with different types of supported gestures, such as clicks or swipes," the advisory stated. "Additionally, BlankBot is capable of creating overlays, as described in the previous section, as well as collecting contacts, SMS text and a list of installed applications."

**Focused on Cybercrime**

The malware's lineage is still a question mark. While Turkey-linked groups have not shied away from sophisticated attacks against the country's rivals, Intel 471's analysts say the malware seems more likely targeted at financial gain through cybercrime.

"We're fairly certain that this malware was not written for espionage because it has all of the features required for account takeover for financial gain, such as overlays for popular financial applications," the analysts said in an email interview. "Some of those features have limited use for espionage purposes but would make the malware more likely to be detected by anti-malware products."

However, the malware has anti-analysis capabilities, such as obfuscated code and a feature for detecting if it runs in an emulator.

Finally, while Turkish language strings do appear in the code, the malware could easily be localized to target other users and mimic other institutions, Intel 471 stated in its advisory.

"\[N\]o specific financial institutions were identified as targets during our analysis, therefore, this malware could be distributed in campaigns against users in different countries," the advisory stated.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

BlankBot Trojan Targets Turkish Android Users

Protections like Windows Smart App Control are useful but susceptible to attacks that allow threat actors initial access to an environment without triggering any alerts.

Source: ozrimoz via Shutterstock

Reputation-based security controls may be less effective at protecting organizations against unsafe Web applications and content than many assume.

A new study by researchers at Elastic Security found attackers have developed several effective techniques over the past few years to bypass mechanisms that block or allow applications and content based on their reputation and trustworthiness.

**Multiple Available Techniques**

The techniques include using digitally signed malware tools to make them appear legit, as well as reputation hijacking, reputation tampering, and specially crafted LNK files. "Reputation-based protection systems are a powerful layer for blocking commodity malware," Elastic Security researcher Joe Desimone wrote in a report this week. "However, like any protection technique, they have weaknesses that can be bypassed with some care."

For the study, the researchers used Microsoft Windows Smart App Control (SAC) and SmartScreen technologies as examples of a reputation-based mechanism for which attackers have developed bypasses.

SmartScreen is a feature that Microsoft introduced with Windows 8 to protect users against malicious website applications and file downloads. It verifies whether files that have the Mark of the Web (MoTW) on them — or files that Windows tags as downloaded from the Internet — can be trusted. Smart App Control became available with Windows 11. It uses Microsoft's threat intelligence service to determine if an application is trustworthy enough to run or not. If the threat intelligence is unable to determine an app's trustworthiness, SAC verifies if the app is digitally signed before allowing it to run.

The researchers at Elastic Security discovered that attackers have multiple ways around these protections.

**LNK Stomping Around MoTW**

One common way that attackers have used as a way around Smart App Control is by signing their malware with an extended validation (EV) SSL certificate, Elastic Security said. Though certificate authorities require proof of identity before they issue an EV to a requesting entity, threat actors have found ways to address this requirement by impersonating legitimate businesses. In other instances, they have used specially crafted and invalid code signing signatures to JavaScript and MSI files to bypass MoTW checks. For the past six years at least, attackers have also abused a weakness in how Windows handles shortcut files (LNK) to essentially strip the MoTW from malicious LNK files and sneak them past SmartScreen said Elastic Security, which has dubbed the tactic "LNK Stomping."

Reputation hijacking — where an attacker exploits the good reputation of trusted applications, websites and other entities — is another tactic. Elastic Security found that attackers often target trusted script hosts — or programs that execute scripts — such as Lua, Node.js, and AutoHotkey for this type of attack. The bypass involves placing malicious content where the trusted script host will automatically find and execute it during its normal course. "Script hosts are an ideal target for a reputation hijacking attack. This is especially true if they include a foreign function interface (FFI) capability," Desimone wrote. "With FFI, attackers can easily load and execute arbitrary code and malware in memory."

Elastic Security also found attackers using a technique called reputation seeding to bypass reputation-based filtering mechanisms. For these attacks, threat actors first introduce their own seemingly benign binaries or executable files into a target system and wait for them to build up a positive reputation over time. Another variation is introducing a legit application with a known vulnerability to a target environment for later use. "Smart App Control appears vulnerable to seeding," Desimone said in his report. "After executing a sample on one machine, it received a good label after approximately 2 hours."

The security vendor recommends that organizations bolster their security by using behavior analysis tools to monitor for common attack tactics such as credential access, enumeration, in-memory evasion, persistence, and lateral movement.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Attackers Use Multiple Techniques to Bypass Reputation-Based Security

Everyone expected some kind of cyberattack during the Olympics. If this is the best they've got, the bad guys don't deserve a spot on the podium.

Source: Alexandre ROSA via Alamy Stock Photo

Overnight on Saturday, Aug. 3, cyberattackers struck the computer systems belonging to the Réunion des Musées Nationaux et Grand Palais (RMN), a French cultural institution that oversees dozens of museums, shops, and exhibitions, as well as around 100 publications.

In its own words, RMN is "neither a museum nor a gallery, but an unidentified creature on the cultural landscape." This summer, its namesake Grand Palais complex has hosted various Olympics-related exhibitions and events, including fencing and Taekwondo competitions.

Between Aug. 3 and 4, RMN fell victim to a purported ransomware attack. Defenders quickly responded, and the organization reported little impact to any of its many related institutions.

France's Anti-Cybercrime Brigade has opened an investigation into the incident. According to the country's penal code, fraudulently accessing a data processing system is punishable by three years' imprisonment, and deleting or modifying the data therein adds another two years on top.

**What (Seems to Have) Happened**

Le Parisien was the first to report that a weekend attack against RMN involved ransomware. The attack targeted the system that centralizes financial data across its various related institutions. It suggested that a cryptocurrency ransom was involved, that data had been exfiltrated, and that organizations like the Louvre were affected.

In an Aug. 6 press release, however, the RMN said it had discovered no signs of data exfiltration. Meanwhile, the Louvre's chief of staff, in a post to X, denied that the attack had affected it.

The Grand Palais director clarified to reporters, "This only concerns our internal network of shops, and not even the other activities of the RMN-Grand Palais. We immediately disconnected everything that was vital and called on the special state unit that deals with this type of problem, the French Computer Security Agency."

RMN noted that even those potentially affected shops "are operating normally, autonomously and the museums and their bookshops remain open to the public under the usual conditions."

**Hackers' Underwhelming Performance at the Olympics**

"Everyone expected the Olympic Games to be the target of cyberattacks," says Dr. Martin J. Kraemer, security awareness advocate at KnowBe4. If this attack was the best the bad guys have got, though, it will have been underwhelming.

"Attackers have used ransomware attacks on other occasions to cover the tracks of something else," Kraemer adds. "This might be the case here. However, it seems more likely that the scheme is a quick exploit and nothing else in this case."

Still, there are five more days of the Olympics to go. "It will be interesting to watch the situation unfold on the world stage," says Josh Jacobson, director of professional services at HackerOne. "There continues to be a significant risk of attacks against the event’s associated venues, attendees, and spectators. Fake ticketing sites, social engineering campaigns or phishing attacks still pose a significant risk until the games end and beyond that."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Cyberattack Strikes the Grand Palais RMN; Impact Appears Limited

At least two Russian nationals serving prison sentences for cybercrime offenses, Vladislav Klyushin and Roman Seleznev, were released as part of the landmark prisoner swap.

Source: Blackboard via Shutterstock

A convicted dealer of credit card accounts and identity documents and a hacker who helped steal sensitive data from companies to inform stock trades were among the eight Russian nationals traded last week to that country's government in exchange for 16 imprisoned Americans and Europeans.

In the most extensive prisoner exchange since the Cold War, the United States and its allies traded eight convicted Russian nationals — including cybercriminals Vladislav Klyushin and Roman Valeryevich Seleznev — for the release of four Americans, five Germans, and seven Russian political prisoners. Since 2017, Seleznev has been serving a 14-year sentence for participating in a massive cyber-fraud ring that stole more than $9 million from banks and $50 million in consumer losses. Klyushin was sentenced in September 2023 to nine years in prison for taking part in a hack-and-trade scheme.

The fact that the two cybercriminals were included in the exchange shows the importance that the Russian government puts on cyber operations, says Waithera Junghae, associate on the incident response team at S-RM, a global corporate intelligence and cyber security consultancy.

"Cyber activity aligns closely with real-world events such as conflict in Russia-Ukraine, and therefore it's perhaps not unsurprising that we see individuals engaged in this activity feature in negotiations and resulting releases," she says.

The massive exchange involved US diplomacy as well as the cooperation of at least five allies: Germany, Norway, Poland, Slovenia, and Turkey. The United States and its allies gained the release of three American citizens, an American green card holder, five German citizens, and seven Russian political prisoners, according to the White House. In addition to the two cybercriminals, Russia freed Vadim Krasikov, previously held by Germany after being convicted of assassinating a Chechen separatist in Berlin, news reports stated.

In remarks on Aug. 1, President Joe Biden stressed that the five countries who helped make the deal possible — either by releasing prisoners or in helping with logistics — showed the importance of the United States' alliance partners.

"They all stepped up, and they stood with us," Biden said. "They stood with us, and they made bold and brave decisions, released prisoners being held in their countries who were justifiably being held, and provided logistical support to get the Americans home. So, for anyone who questions whether allies matter, they do. They matter."

**Cybercriminals Pursued Unique Approaches**

The two cybercriminals released by US authorities included Klyushin, 42, who monetized hacks in an uncommon — if not unique — way. The Russian businessman, who owned the Moscow-based IT-security firm M-13, worked with four other co-conspirators to steal information on corporate earnings from publicly traded businesses, making trades around more than 2,000 "earnings events," according to a statement by the US Attorney's Office for the District of Massachusetts. The scheme netted the group around $93 million.

The "hack-to-trade" scheme is not unique, but it is a rare way for financially motivated cybercriminals to make money, Junghae says.

"Financially motivated cybercriminals typically opt for the quickest and easiest routes to make money, including encrypting and exfiltrating data or engaging in payment diversion schemes," she says. "However, in this particular case, Klyushin's strategy involved hacking companies to obtain confidential information for trading purposes."

Meanwhile, Seleznev — as part of the credit-card theft ring, Carder.su — created an automated portal for selling credit card data, allowing members to log in, search for specific types of account holders and card information, and then purchase the data by checking out. Seleznev, who used the handles Track2, Bulba, and Ncux, was sentenced to 14 years in prison in 2017, following a guilty plea. Law enforcement charged more than 55 individuals related to Carder.su as part of a concerted investigation dubbed Operation Open Market.

The scale and ease of the cybercriminal operation made Selznev, a pioneer at the time, Junghae says.

"High-profile cases like Seleznev's can embolden other cybercriminals, encouraging them to pursue similar activities under the belief that they too can evade detection and prosecution," she says. "The techniques and methods Seleznev employed can be adapted and refined by other criminals, thereby enhancing their capabilities."

**Not a Major Factor for Law Enforcement**

Some international policy experts have argued that the successful negotiated release of legitimately convicted Russian criminals poses a risk: Rogue governments could be incentivized to trump up charges and arrest other nations' citizens. Since 2021, the Biden administration has negotiated the release of prisoners from Russia, Iran, and Venezuela, according to Reuters.

"While it is or would be great to have these individuals released, it underscores how hostage-taking has become a prominent and frequent — if not growing — element of Russian strategy toward the U.S. and the West," Ian Brzezinski, a former US defense official, told Reuters.

Yet, the prisoner exchange will not change how law enforcement agencies pursue and prosecute cybercriminals, S-RM's Junghae says.

"This was an historic move, years in the making, that likely won't be repeated for some time," she says. "So, it would be remiss for countries and their government administrations to base future activity around further negotiated releases."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Russia's Priorities in Prisoner Swap Suggest Cyber Focus

The RaaS group that distributes Hive ransomware delivers new malware impersonating as validly signed network-administration software to gain initial access and persistence on targeted networks

Source: David Chapman via Alamy Stock Photo

An emerging threat group that's made a meteoric rise to the top of the ransomware food chain has a new tool in its arsenal with a novel remote access Trojan (RAT). The group is using the tool in attacks that appear to be targeting IT professionals.

Researchers from Quorum Cyber revealed in a recent blog post that Hunters International, active since last October, is deploying Hive ransomware. The group uses the new malware, dubbed SharpRhino, first to gain access to targeted infrastructure and then to establish persistence and allow attackers to maintain remote access to the device.

SharpRhino compromises systems disguised as the open source network-administration tool Angry IP Scanner through typosquatting domains. Because Angry IP Scanner is open source, attackers can abuse and misuse valid code-signing certificates to make it look like a network admin is downloading software that has a valid certificate but instead is installing the malware, according to the post.

Upon execution, SharpRhino establishes persistence and provides the attackers with remote access to the device, which they then use to launch a typical ransomware attack using Hive ransomware. Hunters International acquired the malware from its original owners, a group that disbanded after it was taken out by international law enforcement soon after its inception.

"Using previously unseen techniques, the malware is able to obtain a high level of permission on the device in order to ensure the attacker is able to further their targeting with minimal disruption," Quorum Cyber threat intelligence analyst Michael Forret wrote in the post.

**Evolution of a Ransomware Group**

SharpRhino demonstrates the progression of Hunters International, a group linked to Russia. In the first seven months of 2024, the group claimed responsibility for 134 attacks. It has quickly risen to ascendance as the 10th most active ransomware group in 2024 thanks to its possession of Hive.

Leveraging the ransomware, the group has positioned itself as a ransomware-as-a-service (RaaS) provider that works with less sophisticated actors to do much of its dirty work, allowing it to spread Hive more quickly. "Being a RaaS provider is highly likely a main cause for their fast rise to notoriety," Forret wrote.

Like many other ransomware operators, Hunters International exfiltrates data from victim organizations prior to encrypting files, then changes file extensions to .locked and leaves a README message guiding recipients to a chat portal on the Tor network for payment instructions.

"The encryptor itself exhibits a sophisticated design, coded in Rust, a programming language increasingly favoured by cybercriminals for its security features, efficiency, and resistance to reverse engineering," Forret wrote. "This tactic is in line with the evolution observed in the ransomware development, with notable examples including both Hive and BlackCat."

**Disguised as Legitimate Software**

The researchers analyzed a sample of SharpRhino that used a valid certificate signed by the J-Golden Strive Trading Co. Ltd. The file that delivered the malware was a Nullsoft Scriptable Installer System (NSIS)-packed executable, a common file that most compression tools like 7-Zip can understand and read, Forret observed.

The installer system establishes persistence by modifying the Run\\UpdateWindowsKey registry with the shortcut for Microsoft.AnyKey, and establishes two directories on the C:\\ProgramData\\Microsoft — called WindowsUpdater24 and another called LogUpdateWindows — to facilitate multiple channels to Hunters International's command and control (C2) as "a fallback mechanism," Forret noted.

"If the folder WindowsUpdater24 and its contents are discovered by a security engine or professional, there exists the possibility that the persistence mechanism will remain, and the device will remain infected,” he wrote.

Ultimately, SharpRhino's purpose in an attack is to give Hunters International persistence and control over a targeted system to "launch a sophisticated ransomware attack" for financial gain, which the group does without prioritizing any sector or region but instead by targeting "via opportunistic means," Forret wrote.

Qurom Cyber included a list of indicators of compromise for SharpRhino so organizations can identify if network administrators accidentally downloaded the RAT instead of the legitimate tool they believed to be deploying. It also provided Mitre ATT&CK Mapping for the RAT's defense and evasion, discovery, privilege escalation, execution, persistence, and C2 processes.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Source

DARKReading