Cybersecurity startup RAD Security, a finalist in this year's Black Hat USA Startup Spotlight competition, looks for "drift events," or events that vary from the baseline.

Source: THP Creative via Alamy Stock Photo

Consider these two statistics: By 2025, 95% of new applications will be deployed on cloud-native platforms. And in 2023, 90% of teams working with containers and Kubernetes reported a breach.

RAD Security cites these two figures to illustrate the challenges enterprise defenders face in detecting supply chain and cloud-based attacks. The cybersecurity startup offers a behavioral cloud detection and response solution that generates a "consistent, predictable, behavioral baseline" of an organization's cloud environment in order to detect anomalous activity, according to the company, in response to emailed questions from Dark Reading.

RAD Security calls its approach "behavioral workload fingerprinting." Behavioral fingerprints are represented by the deduplicated hierarchy of programs, processes, and files that a container image exhibits at runtime. RAD Security creates "fingerprints that contain 'golden signals,' created by a proprietary algorithm, with key metrics and behaviors that indicate the health and security status of each container," the company says.

The company looks for "drift events," or those events that don't match the baseline, and adds posture and identity context so that defenders understand what is happening in the environment.

"Anomaly detection is not something you can verify in your environment, as it happens in a black box," the company says. "And there are simply not enough cloud attacks to be able to use machine learning to analyze millions of cloud attacks and find new ones."

This approach is appropriate for clouds because it is transparent and portable, the company says.

The team is currently working on making behavioral fingerprints a de facto standard for how behavioral detection and response is done in cloud security, "all the way from early on in the software supply chain to runtime," RAD Security says.

**Startup Spotlight Finalist**

RAD Security was a Kubernetes Security Operations Center (KSOC) until earlier this year. The name change reflects how the company's scope has evolved beyond being a "best-of-breed Kubernetes Security solution," according to the company. The RAD in RAD Security is not an acronym but references the fact that something radical is technically exciting and "an "irreverence to the status quo," the company says. The name RAD Security is "straightforward, just like the solution we provide."

The four finalists in this year's Black Hat Startup Spotlight competition — DryRun Security, Knostic, LeakSignal, and RAD Security — will present their business models to a panel of judges during the Black Hat USA Conference in Las Vegas on Tuesday, Aug. 6. The judges for this year’s competition are Ketaki Borade (senior analyst, Omdia), Coleen Coolidge (CISO adviser, SF Info Security), Trey Ford (CISO adviser), Hollie Hennessy (senior analyst, Omdia), Maria Markstedter (founder and CEO, Azeria Labs), Lucas Nelson (founding partner, Lytical Ventures), Robert J Stratton III (venture partner, NextGen Venture Partners), and Rik Turner (principal analyst, Omdia). The "Shark Tank"-style competition involves each finalist making a presentation and then answering questions from the panel.

Finalists have the opportunity to demonstrate their technology on the show floor at Black Hat. Visitors to RAD Security's booth will be able to see demonstrations of the platform. The company also announced new features to the platform to "change the way investigations are done in the cloud."

**Startup Brief**

If the company were a band, what would its band name be?

RAD, and our band would be a full experiential show (like the Sphere in Las Vegas) that engages all your senses.

If your company had a mascot, what would the mascot look like?

"Funny you should ask — we have unveiled our new mascot, their name is BRAD!" Brad is a bear that knows how to be rad when it comes to security.

Startup Spotlight: RAD Security Brings Behavioral Profiling to Cloud

The AI boom and increasing popularity of quantum computing necessitates quantum-resilient security.

David O'Berry, vCISO Cyber Resiliency and Enterprise Converged OT/IT/IIoT Cyber, North America Cybersecurity Practice, Capgemini

August 6, 2024

4 Min Read

Source: Science Photo Library via Alamy Stock Photo

COMMENTARY

Quantum computing has been projected to enable market-defining and life-changing capabilities since its inception more than three decades ago. From financial portfolio optimization and improved electric vehicle (EV) battery production to enhanced drug discovery and advanced semiconductor manufacturing, quantum computers can perform complex calculations at faster speeds than both traditional and super computers. 

Thanks to the recent artificial intelligence (AI) boom, quantum computing is predicted to become even more significant in the coming years. Quantum computers will facilitate advancements in AI algorithms — better known as quantum AI or QAI. These quantum-enabled AI models will be faster as well as more accurate and efficient, due to quantum computers' parallel processing abilities that can simultaneously solve complex problems and prepare large datasets. This also means that quantum computing can deliver more energy-efficient AI algorithms, as well as hybrid architecture, neural network-enabled data modeling, and improved AI and data security.

Despite the positivity surrounding quantum computing, there is also a dark side to this burgeoning technology. Cybersecurity criminals are increasingly using quantum computing techniques to attack enterprises and break encryptions. It is believed that in the next five to 10 years, quantum computers will be able to break the majority of today's cryptographic algorithms.

This reality leaves corporate leaders and cybersecurity experts with one choice — prepare for the future of post-quantum cryptography (PQC) before it's too late.

**Current State of Post-Quantum Cryptography**

Encryption has been a highly divisive cybersecurity tool in the United States for several decades. In fact, if it was not for the work of experts like Phil Zimmerman catalyzing public-private discussion during the Crypto Wars, we could be living in a more vulnerable world, where encryption was still widely outlawed. 

Fortunately, after years of debate and a growing onslaught of concerning cyberattacks, cryptography is now a broadly accepted security technique, backed by the US government. Encryption is used to protect everything from emails to cryptocurrencies to private wireless networks. However, of all the cryptographic applications, post-quantum cryptography in particular is now the gold standard.

In 2022, Congress passed the Quantum Computing Cybersecurity Preparedness Act to ensure all federal entities will have quantum-resilient plans and technology in the coming years. The National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and National Institute of Standards and Technology (NIST) also collectively developed the "Quantum Readiness: Migration to Post-Quantum Cryptography" information sheet last year, to advise US defense agencies and private enterprises alike on the new reality of cybersecurity in our post-quantum world. 

This surge in PQC legislation is largely due to the fact that most of our existing encryption is weak and cannot withstand a quantum-enabled attack. And while there is some work being done to advance quantum-proof algorithms, it is not nearly enough. Organizations across industries will be subjected to quantum-led attacks, including government agencies, financial and insurance enterprises, government suppliers — such as aerospace and defense companies — and corporations managing critical infrastructure like telcos and utilities. In other words, PQC is a matter of national security and personal privacy. 

**Bolstering Unbreakable Security**

Cyber leaders have always been tasked with preparing for the unpredictable, but now perhaps for the first time, they must prepare for the unknown. Cyber teams have limited knowledge of both quantum-enabled attacks and quantum-resistant encryption. So how can leaders across sectors bolster their defenses in the unfolding era of PQC?

To start, preparations should begin with risk assessments and inventories to help organizations understand where they have cryptographic gaps. Cyber teams should ask themselves where and how they are using encryption. Moreover, they should identify the various kinds of encryption algorithms and their current use cases across the enterprise. This will, in turn, help companies achieve crypto agility across systems. 

Leaders must also enable a cultural and technological reset. Most cybersecurity professionals will need to be trained to identify, mitigate, respond to, and even predict and prevent quantum-driven threats. These upskilling and reskilling initiatives will typically require third-party support from cyber vendors with deep expertise in quantum technologies.

In order to ultimately protect data and secure AI models using post-quantum cryptographic protocols, algorithms, and systems, organizations will also have to revamp their key management strategy, public key infrastructure deployments, and certificate life cycle management practices. 

The AI boom and increasing popularity of quantum computing necessitates quantum-resilient security. The US government has seen the writing on the wall — and now, enterprises must meet the unknown head-on as well. 

**About the Author**

vCISO Cyber Resiliency and Enterprise Converged OT/IT/IIoT Cyber, North America Cybersecurity Practice, Capgemini

David currently leads the vCISO Practice for the Converged OT/IT, Enterprise, and Cyber Resilience Towers for the North America Cybersecurity Practice at Capgemini. In this role, David also works on the creation of Capgemini’s Cybersecurity Delivery Center of Excellence in North America. Most recently, David served as the chief architect for a large North American utility, helping to lead a $100 million-plus cybersecurity transformation initiative. David has more than 30 years of experience in IT, OT, converged IT/OT, network security, and consulting services.

Preparing for the Future of Post-Quantum Cryptography

A security vulnerability in Rockwell Automation's ControlLogix 1756 programmable logic controllers, tracked as CVE-2024-6242, could allow tampering with physical processes at plants.

Source: Kay Roxby via Alamy Stock Photo

A security bypass vulnerability in Rockwell Automation ControlLogix 1756 devices could open critical infrastructure to cyberattacks on the operational technology (OT) that controls physical processes.

According to Claroty's Team82, the bug (CVE-2024-6242, CVSS 8.4), could allow a remote attacker with network access to the device to send elevated commands to the CPU of a programmable logic controller (PLC), from an untrusted chassis card.

"Our technique allowed us to bypass the trusted slot feature implemented by Rockwell that enforces security policies and allows the controller to deny communication via untrusted paths on the local chassis," Claroty researcher Sharon Brizinov explained in a blog posting on the bug.

The result? Successful attackers can download new logic for controlling a PLC's behavior, and send other elevated commands that would interfere with the physical operations of a manufacturing site.

Rockwell has issued a fix, and users are urged to apply it immediately; and the Cybersecurity and Infrastructure Security Agency has published mitigation advice, noting that exploitation is a low-complexity endeavor.

According to Rockwell, ControlLogix, GuardLogix, and 1756 ControlLogix I/O Modules, widely deployed in industrial manufacturing environments, are affected by the vulnerability.

**Manipulating the Trusted Slot Mechanism**

The 1756 chassis is a modular enclosure that houses various cards within physical slots that are responsible for communicating with sensors, actuators, and other OT equipment; they also provide the physical and electrical connections to allow those components to interoperate and talk to each other. All of the communication and connections are carried out via a shared circuit board known as the backplane, using the common industrial protocol, or CIP.

"A 1756 PLC in a production line might be connected to multiple sources via different network cards, for example, the human-machine interface (HMI) panel, engineering workstation, and other devices," Brizinov explained. "To ensure that only specific individual devices are performing elevated operations on the PLC such as download logic, a security mechanism was introduced called trusted slot."

The trusted-slot feature ensures that only authorized slots can communicate with each other, protecting against potential tampering. It does this by requiring slots to essentially authenticate to the PLC.

However, Claroty found a way around that.

"Since all slots are connected via the backplane, and CIP supports path (routing), we could generate a CIP packet that will be routed through a trusted card before it reaches the CPU," according to the blog post. "Basically, the method involved 'jumping' between local backplane slots…This technique allowed us to traverse the security boundary that was meant to protect the CPU from untrusted cards."

To prevent the exposure of critical control systems to unauthorized access over the CIP protocol, site security administrators should apply Rockwell's patches immediately:

*   ControlLogix 5580 (1756-L8z): Update to versions V32.016, V33.015, V34.014, V35.011, and later.
    
*   GuardLogix 5580 (1756-L8zS): Update to versions V32.016, V33.015, V34.014, V35.011 and later.
    
*   1756-EN4TR: Update to versions V5.001 and later.
    
*   1756-EN2T Series D, 1756-EN2F Series C, 1756-EN2TR Series C, 1756-EN3TR Series B, and 1756-EN2TP Series A: Update to version V12.001 and later
    

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Rockwell PLC Security Bypass Threatens Manufacturing Processes

Researchers say "LianSpy" malware has been in use in a covert data gathering operation that's gone undetected for at least three years.

Source: Tero Vesalainen via Shutterstock

An unknown — and likely state-sponsored — threat actor has been using a previously unseen mobile spyware tool to spy on an unknown number of Android smartphone users. This activity has been ongoing for at least three years, according to researchers.

Until now, the campaign has focused mainly on targeted individuals in Russia, according to researchers at Kaspersky, who are tracking the threat as LianSpy. But the tactics that the spyware operators used in deploying the malware could be easily applied in other regions as well, Kaspersky says.

**Post-Exploit Malware**

"LianSpy is a post-exploitation Trojan, meaning that the attackers either exploited vulnerabilities to root Android devices, or modified the firmware by gaining physical access to victims' devices," Kaspersky researcher Dmitry Kalinin wrote in a blog post this week. "It remains unclear which vulnerability the attackers might have exploited in the former scenario."

LianSpy is the latest in a fast-growing list of spyware tools. The list includes widely deployed products such as the NSO Group's Pegasus Software and the Intellexa alliance's Predator. Researchers have discovered these malware instances targeting iPhone and Android smartphone users in recent years. The main purchasers — and users — of these tools are typically governments and intelligence agencies that want to spy on dissidents, political opponents and other persons of interest to them.

In many instances — as was the case with last year's Operation Triangulation iOS spyware campaign — the purveyors of mobile spyware tools have exploited zero-day flaws in Android and iOS to deliver and/or run their malware on target devices. In other instances, including one involving an Android spyware tool dubbed BadBazaar last year and another espionage tool dubbed SandStrike in 2022, threat actors have distributed spyware via fake versions of popular applications on official mobile app stores.

**A Three Year Campaign**

Kaspersky researchers first stumbled on LianSpy in March 2024 and quickly determined that the entity behind it has been using the spyware tool since July 2021. Their analysis reveals that the attackers are likely distributing the malware disguised as systems applications and financial applications.

Unlike some so-called zero-click spyware tools, LianSpy's ability to function depends, to a certain extent, on user interaction.  When launched, the malware first checks to see if it has the required permissions to execute its mission on the victim's device. If it does not have the required permissions, the malware prompts the user to provide them. When LianSpy obtains permission, it registers what is known as an Android Broadcast Receiver to receive and respond to system events such as booting, low battery, and network changes. Kaspersky researchers found LianSpy is using super user binary with a modified name ("mu" instead of "su") to try and gain root access on a victim device. Kaspersky officials say this as an indication that the threat actor delivered the malware after first gaining access to the device another way.

"Upon launch, the malware hides its icon on the home screen and operates in the background using root privileges," Kalinin wrote. "This allows it to bypass Android status bar notifications, which would typically alert the victim that the smartphone is actively using the camera or microphone."

**Data Harvesting and Exfiltration**

LianSpy's primary function is to quietly monitor user activity by intercepting call logs, recording the device screen especially when the user is sending or receiving messages and enumerating all installed apps on the victim device. The threat actor behind the malware has not used private infrastructure for communicating with the malware or storing harvested data. Instead, the attacker has been using public cloud platforms and pastebin services for these functions.

"The threat actor leverages Yandex Disk for both exfiltrating stolen data and storing configuration commands. Victim data is uploaded into a separate Yandex Disk folder," Kaspersky said in a technical writeup on the malware.

One interesting aspect about LianSpy, according to Kaspersky, is how the malware uses its root privileges on a compromised device. Instead of using its superuser status to take complete control of a device, LianSpy uses just enough of the functionality available to carry out its mission in a quiet fashion. "Interestingly, root privileges are used so as to prevent their detection by security solutions," the security vendor says. Kaspersky researchers also found LianSpy to be using both symmetric and asymmetric keys for encrypting the data it exfiltrates, which makes victim identification impossible.

"Beyond standard espionage tactics like harvesting call logs and app lists, it leverages root privileges for covert screen recording and evasion," Kalinin said. "Unlike financially motivated spyware, LianSpy's focus on capturing instant message content indicates a targeted data-gathering operation."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Sophisticated Android Spyware Targets Users in Russia

Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.

Someone did — or didn't — do something they should or shouldn't have, but no one wants to claim responsibility. What's your take? Send us a cybersecurity-related caption to explain the scene, above, and our favorite will win its creator a $25 Amazon gift card.

Here are four convenient ways to submit your ideas before the August 28, 2024, deadline:

*   Via social media: X, Facebook, and LinkedIn. (If you win, we'll respond to you on the same platform, requesting your email address.)
    

**Last Month's Winner**

Props to Marcello Delcaro, implementation manager at Exiger, whose caption for last month's "Cyber Cloudburst" contest snagged first place and a $25 Amazon gift card. Many thanks to all who played!

**About the Author**

John Klossner has been drawing technology cartoons for more than 15 years. His work regularly appears in Computerworld and Federal Computer Week. His illustrations and cartoons have also been published in The New Yorker, Barron's, and The Wall Street Journal.

Name That Edge Toon: Pointing Fingers

In the cloud, patches disseminate automatically. On your computer, you get notified. IoT devices, meanwhile, can escape attention for years on end.

Source: Nirbokphoto.com via Alamy Stock Photo

Tens of thousands of small office/home office (SOHO) devices sold by Ubiquiti Inc. are vulnerable on the open Internet to a five-year-old bug, researchers are warning.

In January 2019, broadband Internet expert Jim Troutman warned that an exposed port in dozens of Ubiquiti Internet of Things (IoT) gadgets was being exploited in denial-of-service (DoS) attacks. The underlying vulnerability, CVE-2017-0938, was assigned a "high" 7.5 score on the CVSS scale.

Seven months after that, researchers from Rapid7 were still able to find nearly 500,000 vulnerable devices. And now, even though Ubiquiti has long since acknowledged and patched the issue, around 20,000 devices remain vulnerable, Check Point Research noted in a new blog post.

"We can see that some of them were compromised," says Radoslaw Madej, vulnerability research team leader at Check Point Software. "Also, I've only done pretty rudimentary fingerprinting of the devices. It's quite possible that there are more of them \[compromised\] too."

Check Point also warned that besides being used in a SOHO botnet for DoS attack amplification, compromised devices can leak potentially sensitive data, too.

**Exposed Cameras & Routers Can Leak Data**

In probing Ubiquiti gadgets like the G4 Instant Camera — an Internet-enabled camera with two-way audio — Check Point homed in on port 10001, where the exposed process was first identified five years ago. The service at issue: Ubiquiti's discovery protocol, used to communicate between the device and its CloudKey+ controller.

Using spoofed packets, the Check Point researchers discovered that communicating with neither the CloudKey+ nor its connected devices required any sort of authentication. Further, the messages they received in response to their pings included specific information about the devices, plus their owners' names and locations.

"In a few instances, actually, there was a first name and the last name of a person, and what turned out to be a location where a Ubiquiti router was located," Madej recalls. "All this information … it took only one packet from me to receive that response.

"If I wanted to attack this entity, it would be easy for me, knowing the type of router they have, the name of the person, the exact software version, and their business address. \[I could\] find their contact details, and call them up saying: 'Hey, I'm calling from your Internet provider. I need to do some maintenance work. Provide me with access to the admin panel.' Because I can validate myself to this person by giving them all the information they need."

**The Issue with IoT**

Patched Ubiquiti products have a safeguard against Internet-based attacks: They do not respond to pings coming from the wider Web, only from internal IP addresses.

Despite the easy availability of such a simple fix, tens of thousands affected products in the wild remain unpatched. This seems to have a lot less to do with Ubiquiti itself than IoT security in general.

"We got used to patching our Windows machines and MacBooks and mobile phones and whatnot, but we're still not really used to the fact that we should also take care about our IoT devices, be it Wi-Fi routers, cameras, vacuum cleaners, fridges, and washing machines," Madej says.

"Of course," he adds, "the question is: To what extent an end user should even be bothered about it. We live in a time when all devices should have automatic updates enabled by default. I don't think that should be a concern of the end user."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

20K Ubiquiti IoT Cameras &amp; Routers Are Sitting Ducks for Hackers

Though TikTok is expected to adhere to certain COPPA-outlined measures, the social media giant has failed to meet those expectations, the Feds allege.

Source: Wachiwit via Alamy Stock Photo

The Justice Department, alongside the Federal Trade Commission (FTC), filed a civil lawsuit against TikTok on Aug. 2, due to allegations that the popular social media app and its parent company, ByteDance, violate children's online privacy protections.

In 2019, Musical.ly, TikTok's predecessor, was sued for violating the Children's Online Privacy Protection Act (COPPA), which prohibits website operators from knowingly collecting, using, or disclosing personal information from children under the age of 13 unless express consent is obtained from the child's parents. The company was then court ordered to adhere to certain measures in compliance with COPPA.

Since that time, TikTok allegedly has continued to allow children to create TikTok accounts as well as content on the platform, and has collected and retained personal information from these accounts without notifying the children's parents or obtaining consent, according to the Department of Justice (DoJ) and FTC. They also said that the company has failed to honor deletion requests from parents of those underage profiles.

"TikTok knowingly and repeatedly violated kids' privacy, threatening the safety of millions of children across the country," said FTC chair Lina Khan in a DoJ announcement. "The FTC will continue to use the full scope of its authorities to protect children online — especially as firms deploy increasingly sophisticated digital tools to surveil kids and profit from their data."

**About the Author**

FTC Slams TikTok With Lawsuit After Continued COPPA Violations

The enterprise resource planning platform bug CVE-2024-38856 has a vulnerability-severity score of 9.8 out of 10 on the CVSS scale and offers a wide avenue into enterprise applications for cyberattackers.

Brian Jackson via Alamy Stock Photo

A critical pre-authentication remote code execution (RCE) security vulnerability in Apache OFBiz could open organizations to data theft, lateral movement by threat actors into various applications and parts of their networks, and more.

The bug, tracked as CVE-2024-38856, carries a notably high CVSS score of 9.8, given how impactful exploitation could be. Apache OFBiz is an open source enterprise resource planning (ERP) system that has highly privileged access to various business processes for the purpose of single-pane management and automation; these can include accounting, human resources, customer relationship management, order management, manufacturing and e-commerce.

CVE-2024-38856 exists in the override view functionality, and can allow threat actors to access critical endpoints using a crafted request, according to the SonicWall Capture Labs threat research team, which discovered the vulnerability and shared its details with Dark Reading.

To protect their organizations, admins should upgrade their implementations to version 18.12.15 or newer.

OFBiz customers number around 170 and include some heavy hitters, such as Atlassian JIRA, Home Depot, United Airlines, and Upwork Global, according to SonicWall.

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Critical Apache OFBiz Vulnerability Allows Preauth RCE

The APT used DNS poisoning to install the Macma backdoor on targeted networks and then deliver malware to steal data via post-exploitation activity.

Source: Pawel Opaska via Alamy Stock Photo

Researchers have found that a China-linked advanced persistent threat (APT) group compromised an Internet service provider (ISP) to exploit software vendor update mechanisms using DNS poisoning. The attacks delivered new variants of the Macma backdoor, as well as post-exploitation malware to exfiltrate sensitive data from compromised networks.

Researchers at Volexity discovered the attack by Evasive Panda, a threat group they track as StormBamboo and that also goes by DaggerFly, when they detected multiple systems becoming infected with malware in mid-2023, they revealed in a recent blog post. The researchers eventually tracked the attacks to the highly active Chinese APT, which they found altering DNS query responses for specific domains tied to automatic software update channels for software vendors, they said.

"StormBamboo appeared to target software that used insecure update mechanisms, such as HTTP, and did not properly validate digital signatures of installers," Volexity researchers Ankur Saini, Paul Rascagneres, Steven Adair, and Thomas Lancaster wrote in the post. "Therefore, when these applications went to retrieve their updates, instead of installing the intended update, they would install malware, including but not limited to Macma and Pocostick (aka MGBot)."

Macma is a backdoor that's often used by Evasive Panda and was first detailed by Google TAG in 2021, though it was used for a number of years before discovery. The latest variant demonstrates the group converging development of both Macma and Gimmick MacOS malware, according to Volexity. The researchers also detected post-exploitation activity to deploy the malicious browser extension Reloadext to exfiltrate victim mail data, they said.

**Poisoning DNS Requests**

Volexity outlined one of several incidents that researchers investigated in which Evasive Panda used DNS poisoning to deliver malware via an HTTP automatic update mechanism. The attack poisoned responses for legitimate hostnames that were then used as second-stage command-and-control (C2) servers, the researchers said.

DNS poisoning is a type of DNS abuse in which an attacker poisons DNS records to reroute network communications to a server under their control to steal and manipulate information transmitted to users. In this case, the APT used the poisoned DNS records to resolve to an attacker-controlled server in Hong Kong at IP address 103.96.130.107, which was at the ISP level of the targeted organization.

The logic behind the abuse of automatic updates is the same for all the applications targeted, the researchers noted. The legitimate application performs an HTTP request to retrieve a text-based file containing the latest application version and a link to the installer.

"Since the attacker has control of the DNS responses for any given DNS name, they abuse this design, redirecting the HTTP request to a C2 server they control hosting a forged text file and a malicious installer," the researchers wrote.

In the attacks, the APT targeted multiple software vendors with "insecure update workflows" that use varying levels of complexity in their steps for pushing malware. For example, one of the vendors, 5Kplayer, uses a workflow, the binary of which automatically checks if a new version of YoutubeDL is available for each time the application is started.

If a new version is available, the process downloads it from the specified URL, and then the legitimate app executes it. In its attack, Evasive Panda used DNS poisoning to host a modified config file indicating a new update was available, which resulted in the YoutubeDL software downloading an upgrade package from the APT's server that had already been backdoored with malicious code.

**Beware: "Highly Skilled" APT at Work**

Volexity notified and worked with the ISP whose network was being used for DNS poisoning. The ISP investigated and took various network components offline, which stopped the malicious activity, the researchers said.

"During this time, it was not possible to pinpoint a specific device that was compromised, but various components of the infrastructure were updated or left offline and the activity ceased," they wrote.

The attacks are not the first time Evasive Panda, which often targets organizations across Asia that are interested in the Chinese state, has leveraged legit software update channels for nefarious purposes.

In April of last year, researchers from ESET discovered cyberespionage attacks in which the group targeted individuals in China and Nigeria by hijacking update channels for software developed by Chinese companies to deliver the MGBot malware to steal credentials and data.

Indeed, the group is "a highly skilled and aggressive threat actor" that often "compromises third parties to breach intended targets," the researchers warned.

"The variety of malware employed in various campaigns by this threat actor indicates significant effort is invested, with actively supported payloads for not only macOS and Windows, but also network appliances," they wrote.

The attacks also are related to previous research by ESET concerning the infection vector for the Pocostick malware that also used DNS poisoning to abuse automatic updates, as well as one used by a related APT DriftingBamboo following zero-day exploitation of Sophos firewalls, the researchers noted.

Volexity included a link to various rules and indicators of compromise (IOCs) in its post to help organizations detect if they have been affected by the malicious activity.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

China's Evasive Panda Attacks ISP to Send Malicious Software Updates

Cybersecurity startup Knostic, a finalist in this year's Black Hat USA Startup Spotlight competition, adds guardrails to how AI uses enterprise data to ensure sensitive data doesn't get leaked.

Source: Deemerwha Studio via Shutterstock

The intense popularity of public generative artificial intelligence (GenAI) tools over the past two years has resulted in many applications rolling out new chat capabilities and other features driven by large language models (LLMs). However, many organizations are learning that connecting LLMs to their internal knowledge repositories is a risky endeavor.

"Business leaders are surprised when the search tools provide anyone \[with\] answers to sensitive questions, such as, 'What are people's salaries?' and 'What are the most recent M&A due diligence results?'" says Sounil Yu, co-founder and CTO of Knostic. Even if the permissions and access controls are set correctly on the files containing sensitive data, the inferences made by the LLM can also lead to oversharing.

AI without controls potentially exposes the organization to increased risk, primarily by exposing information to the wrong people, said Gadi Evron, co-founder and CEO of Knostic, in an April interview with Dark Reading.

"How can we curate personalized information and actually give you value — answer with what you need to know instead of just saying stuff?" Evron said.

Knostic says it is the only company defining per-user need-to-know and creating a knowledge control layer.

"Most companies are focused on addressing the oversharing problem solely through data scanning/permissions and information classification," Yu notes.

Knostic's technology provides organizations with visibility, control, and curation. For visibility, the platform continuously queries the GenAI tool (currently Microsoft's Copilot) on various sensitive topics from the perspective of different users and roles to identify unexpected exposures. For control, Knostic's technology captures and displays permissions for content and gives users the ability to modify those permissions. Just because a user can access the data file doesn't mean the user is supposed to know its contents, Yu says.

"By correcting the permissions of sensitive content, we can prevent oversharing through Copilot," Yu says.

Access should not be binary — either yes or no — so the technology gives security teams the ability to curate search query answers to fit the user's need-to-know level.

The company started by focusing on Copilot for M365. Looking ahead, the company is working on solving the need-to-know problem for tools beyond Copilot and Glean for all software-as-a-service tools that incorporate LLMs as a feature.

**Startup Spotlight Finalist**

Evron and Yu originally planned to call the company Knowalls, a play on words that could mean "no walls," "know walls," and "knows all," but decided against it because of the negative connotation around "know-it-alls." The word Knostic is based on the Greek word gnostic, meaning relating to knowledge, which fits with what they were building, Yu says.

The four finalists in this year's Black Hat Startup Spotlight competition — DryRun Security, Knostic, LeakSignal, and RAD Security — will present their business models to a panel of judges during the Black Hat USA Conference in Las Vegas on Tuesday, Aug. 6. The judges for this year’s competition are Ketaki Borade (senior analyst, Omdia), Coleen Coolidge (CISO adviser, SF Info Security), Trey Ford (CISO adviser), Hollie Hennessy (senior analyst, Omdia), Maria Markstedter (founder and CEO, Azeria Labs), Lucas Nelson (founding partner, Lytical Ventures), Robert J Stratton III (venture partner, NextGen Venture Partners), and Rik Turner (principal analyst, Omdia). The "Shark Tank"-style competition involves each finalist making a presentation and then answering questions from the panel.

Finalists have the opportunity to demonstrate their technology on the show floor at Black Hat. Visitors to Knostic's booth will be able to see how the solution "provides visibility into what is being overshared, capture need-to-know, and control and curate access to knowledge based on a user’s need-to-know," Yu says.

**Startup Brief**

If the company were a band, what would its band name be?

Guardians of Gnosis (thrash metal).

If your company had a mascot, what would the mascot look like?

A barn owl, because an owl is known for its knowledge and wisdom.

Source

DARKReading