The high-severity CVE-2024-5806 allows cyberattackers to authenticate to the file-transfer platform as any valid user, with accompanying privileges.

A high-severity security vulnerability in Progress Software's MOVEit Transfer software could allow cyberattackers to get around the platform's authentication mechanisms — and it's being actively exploited in the wild just hours after it was made public.

MOVEit Transfer is an application for file sharing and collaboration in large-scale enterprises; it was infamously targeted last year in a rash of Cl0p ransomware attacks that affected at least 160 victims, including British Airways, the state of Maine, Siemens, UCLA, and more. The level of mass exploitation was such that it materially affected the results of this year's "Data Breach Investigations Report" (DBIR) from Verizon.

The new bug (CVE-2024-5806, CVSS: 7.4) is an improper authentication vulnerability in MOVEit's SFTP module that "can lead to authentication bypass in limited scenarios," according to Progress' security advisory on the issue today, which also includes patching information. It affects versions from 2023.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6, and from 2024.0.0 before 2024.0.2 of MOVEit Transfer.

Admins should patch the issue immediately — not only is MOVEit on cybercriminals' radar screens after the events of last year, but the ability to access internal files at Fortune 1000 companies is a juicy plum for any espionage-minded advanced persistent threat (APT). And, according to a short note from the nonprofit Shadowserver Foundation, "very shortly after vulnerability details were published today we started observing Progress MOVEit Transfer CVE-2024-5806 POST /guestaccess.aspx exploit attempts." It also reported that there are at least 1,800 exposed instances online (though not all of them are vulnerable).

Progress didn't provide any details on the bug, but researchers at watchTowr, who called the vulnerability "truly bizarre," have been able to determine two attack scenarios. In one case, an attacker could perform "forced authentication" using a malicious SMB server and a valid username (enabled by a dictionary-attack approach).

In another, more dangerous attack, a threat actor could impersonate any user on the system. "\[We can\] upload our SSH public key to the server without even logging in, and then use that key material to allow us to authenticate as anyone we want," according to watchTowr's post. "From here, we can do anything the user can do — including reading, modifying, and deleting previously protected and likely sensitive data."

**About the Author(s)**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Fresh MOVEit Bug Under Attack Mere Hours After Disclosure

More than 200 regional and national government agencies have been impacted by the ransomware attack, and few of them are once again operational.

Source: Peter Treanor via Alamy Stock Photo

A cybercrime group is demanding $8 million after compromising Indonesia's national data center — an amount the government is refusing to pay.

More than 200 government agencies have been disrupted by the cyberattack since June 20, according to Samuel Abrijani Pangerapan, director general of informatics applications with the Communications and Informatics Ministry. He told the Associated Press that these agencies are at both the regional and national levels, and though some of them have returned to operations (such as immigration at airports), others are still not yet operational. 

According to Herlan Wijanarko, Indonesia's director of network and IT solutions, the threat actors are holding data hostage and offering a key to access the information in exchange for the $8 million ransom.

Communication and Informatics Minister Budi Arie Setiadi, however, told the AP that the government will not pay the ransom. Instead the National Cyber and Crypto Agency is carrying out forensics as the center does its best to recover from the attack.

The head of the crypto agency also noted that it detected a sample of LockBit 3.0 ransomware.

"The disruption to the national data center and days-long needed to recover the system means this ransomware attack was extraordinary," said Pratama Persadha, Indonesia's Cybersecurity Research Institute chairman. "It shows that our cyber infrastructure and its server systems were not being handled well."

This is the most severe cyberattack on the country's government agencies and companies since 2017.

**About the Author(s)**

Indonesia Refuses to Pay $8M Ransom After Cyberattack

An unknown adversary compromised a CISA app containing the data via a vulnerability in the Ivanti Connect Secure appliance this January.

Source: SeventyFour via Shutterstock

An unknown threat actor may have accessed critical information on US chemical facilities by compromising the US Cybersecurity and Infrastructure Security Agency's (CISA) Chemical Security Assessment Tool (CSAT) earlier this year, by way of known Ivanti flaws.

Data the adversary may have accessed includes the types and quantities of chemicals stored at different facilities, facility-specific security vulnerability assessments, site security plans, and personnel identity information of individuals who might have sought access to restricted areas at high-risk facilities.

**Anti-Terror Related Data**

CISA required chemical facilities around the country to provide this information as part of the Department of Homeland Security's Chemical Facility Anti-Terrorism Standards (CFATS) program to enhance security at high-risk chemical facilities in the US. CFATS expired in July 2023.

According to CISA, a threat actor may have accessed data in its CSAT application after chaining together several zero-day vulnerabilities Ivanti disclosed earlier this year in its Connect Secure appliance. In a notification letter to stakeholders, DHS associate director Kelly Murray said the intrusion happened during a two-day period, sometime between Jan. 23 and Jan. 26, 2024.

After gaining access to the Ivanti appliance, the threat actor deployed a web shell on it that enabled remote command execution and arbitrary file writes to the underlying system, Murray said. The attacker accessed the web shell several times during the two-day period but there is no evidence of any data exfiltration or lateral movement beyond the Ivanti device, she said.

"While CISA's investigation found no evidence of exfiltration of data, this may have resulted in the potential unauthorized access of Top-Screen surveys, Security Vulnerability Assessments, Site Security Plans, Personnel Surety Program submissions, and CSAT user accounts," Murray said. "All information in CSAT was encrypted using AES 256 encryption and information from each application had additional security controls limiting the likelihood of lateral access," she noted.

Even so, David Brumley, CEO of ForAllSecure, says the CVEs that CISA pointed to in its advisory would allow an attacker to go from a remote and unprivileged status over the network to having full access. And at least one of the vulnerabilities already has a public exploit, Brumley says.  
"CISA is saying for users to rotate their passwords, but I'm sure internally they're doing an internal investigation as well," he notes. "The vulnerabilities listed would have given attackers access to key parts of the network potentially."    
Brumley says its somewhat ironic that the very entity that notified other organizations about these vulnerabilities became a victim itself.

"If CISA can't patch fast enough, what does that say about the rest of us?", Brumley says. "We need to be investing in quicker turnarounds from time-of-vulnerability-disclosure to having all systems patched."

**Potential Safety Implications**

Howard Goodman, technical director at Skybox Security, says the breach has potential security implications given the nature of the CSAT tool and the sensitive data it contains. "The exposure of chemical inventories and security plans could potentially be exploited by malicious actors to target facilities, posing risks to public safety and the environment," Goodman says.

Affected organizations should conduct a thorough review of their existing cybersecurity measures and, if needed, update them. They should also consider enhancing physical and cybersecurity measures, especially in areas identified in their CSAT submission. In addition, they should "increase monitoring and threat detection capabilities to identify any suspicious activities that may indicate targeted attacks," Goodman says. "Engage in information sharing with industry peers and relevant government agencies to stay informed about potential threats and best practices."

**Ivanti Zero-Days**

The DHS breach notification did not identify the specific Ivanti vulnerability or vulnerabilities that the threat actor exploited to gain access to the CSAT application. However, it directed stakeholders to a CISA advisory on Feb. 29, 2024, that warned about exploit activity targeting three vulnerabilities in Ivanti Connect and Policy Secure Gateways: CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893. The flaws affect all supported versions of Ivanti Connect Secure and Ivanti Policy Secure gateways. Attackers can exploit the vulnerabilities in a chained fashion to bypass authentication mechanisms, craft malicious requests, and execute arbitrary commands with admin level privileges on affected systems.

The flaws were among several critical vulnerabilities Ivanti disclosed earlier this year, prompting a complete overhaul of its security practices.

In an emailed comment, Roger Grimes, data-driven defense evangelist at KnowBe4, expressed some dissatisfaction with CISA's decision not to mention whether the agency had patched the flaws. 

"If they were exploited by a known vulnerability where a patch was available...why wasn't the patch installed?" Grimes said. "Was it simply due to the fact that the exploit happened faster than the patch could be applied \[or\] was the patch missed?"

CISA itself has recommended that all affected chemical facilities maintain their current cybersecurity and physical security postures and address vulnerabilities as they would normally.

"While the investigation found no evidence of credentials being stolen," CISA added, "CISA encourages individuals who had CSAT accounts to reset the passwords for any account, business or personal, which used the same password."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Threat Actor May Have Accessed Sensitive Info on CISA Chemical App

Injected malicious JavaScript code gives attackers administrator rights on websites, and fills sites with SEO spam.

Source: Primakov via Shutterstock

A threat actor or actors has compromised multiple plug-ins on the WordPress.org site with code aimed at giving attackers administrative privileges as well as conducting further malicious activity.

WordPress.org's Plug-in Review team warned users on Monday that a plug-in called Social Warfare was infected by malicious code, according to a forum post. After noticing the post, Wordfence researchers did some follow-up and discovered that there were several more WordPress.org plug-ins injected with the same code, according to a blog post published by Wordfence on June 24.

In addition to Social Warfare, versions 4.4.6.4 and 4.4.7.1, the affected plug-ins include: Blaze Widget v2.2.5 to 2.5.2; Wrapper Link Element v1.0.2 to 1.0.3; Contact Form 7 Multi-Step Addon v1.0.4 to 1.0.5; and Simply Show Hooks v1.2.1.

Of the plug-ins, Social Warfare (a social-media-themed offering) has the most installations, with more than 30,000; the rest reached no more than hundreds at the most. Still, the presence of the same malicious code across all of them should raise alarm bells, as it suggests attempts at a larger supply chain attack, according to Wordfence.

Social Warfare has been patched in version 4.4.7.3; however, it and all of the affected plug-ins have been delisted and are unavailable for download, at least temporarily, though WordPress.org did not respond when Wordfence reached out about its discovery.

None of the other plug-ins currently have a patched version; however, someone has removed the malicious code from Wrapper Link Element in a current version that's been tagged as 1.0.0, which is lower than the infected versions and thus may make it difficult for users to update, according to Wordfence.

**Malicious Behavior**

The malicious code injected in the plug-ins "attempts to create a new administrative user account and then sends those details back to the attacker-controlled server" located at 94.156.79.8, Wordfence threat intelligence lead Chloe Chamberland wrote in the post. The campaign also uses the plug-ins to inject malicious JavaScript into the footer of websites and to add SEO spam throughout it, she said.

"The injected malicious code is not very sophisticated or heavily obfuscated and contains comments throughout making it easy to follow," Chamberland added.

The origin of the attack was likely June 21, and attackers were still updating plug-ins about five hours before WordFence published its post on the attack on June 24. The researchers still don't know exactly how the infection began, and is performing a deeper analysis with updates to follow, she said.

**Mitigating Attacks Via WordPress Plug-Ins**

Due to its widespread use as a foundation for websites, the WordPress platform and its plug-ins especially are a notoriously popular target for threat actors, giving them easy access to a broad attack surface. Typically, attackers target singular plug-ins with large install bases; however, the new attack suggests that attackers now may be eyeing more ambitious supply chain attacks across multiple plug-ins to broaden the impact of malicious campaigns, according to Wordfence.

As such an attack demands greater vigilance, Wordfence — which focuses on the security of the WordPress platform — is actively working on a set of malware signatures to provide detection for these compromised plug-ins. In the meantime, anyone using any of the plug-ins should remove them from any websites immediately and "go into incident-response mode," Chamberland said.

"We recommend checking your WordPress administrative user accounts and deleting any that are unauthorized, along with running a complete malware scan" to remove any malicious code, she said.

Wordfence also included in the post various indicators of compromise (IoCs) — including known usernames associated with attacker-controlled admin accounts — that WordPress administrators can use to identify evidence of the campaign. Also included is a link to a guide that provides advice on how to clean WordPress-based websites of malicious code.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

WordPress Supply Chain Attack Spreads Across Multiple Plug-ins

Knowledge institutions with legacy infrastructure, limited resources, and digitized intellectual property must protect themselves from sophisticated and destructive cyberattacks.

Source: Ianni Dimitrov Pictures via Alamy Stock Photo

COMMENTARY

In October 2023, the British Library underwent a crippling cyberattack that took down its website, a majority of its online services, including card transitions, reader registrations, and ticket sales, along with access to its digital library catalog. The attack cost the library £7 million (US$8.9 million) in recovery costs, or about 40% of its reserve budget. Although the online catalogue was restored in January, full recovery is not expected before the end of the year. 

Analyzing the British Library's initial response reveals that it effectively executed a carefully planned response strategy. With its vast store of 170 million items, the national library of Great Britain acknowledged a critical oversight in not having a security team on retainer and readily available, resulting in overreliance on an external team unfamiliar with the environment and scrambling in the eleventh hour. 

Welcoming transparency, the institution issued its report outlining details of the attack and sharing valuable lessons of benefit to other organizations in their cyber preparedness and mitigation efforts. 

**How Did Attackers Breach the British Library?**

While the exact method of entry is unknown due to the extensive damage caused by the attackers, investigators were able to trace unauthorized access at the Terminal Services server, which was installed in 2020 — COVID era — to facilitate remote access for external partners and internal IT administrators. 

Many of these outside parties had privileged access to specific servers and software. It is believed that the root cause behind the attack could have been the compromise of privileged account credentials, possibly via phishing, spear-phishing, or brute-forcing credentials. The library admitted to having an unusually diverse and complex technology estate comprising a stack of legacy tools and infrastructure that led to the severity of the incident. Although the Terminal Services server was protected by a firewall and antivirus software, it lacked standard multifactor authentication (MFA) protection — a gross oversight.

**What Did Hackers Steal?**

Like most ransomware attacks, these adversaries stole sensitive data that could be either monetized on underground marketplaces or used to demand a ransom payment. Threat actors are said to have copied 600GB of files. Attackers used three methods to identify sensitive data: 

*   Network drives were copied from finance, technology, and HR departments. 
    
*   Keyword attacks were launched to scan the network for sensitive words such as "passport" and "confidential." Files were also copied from the personal drives of staff members. 
    
*   Native utilities used to administer networks were hijacked, then used to create backup copies of 22 databases, including contact details of external users and customers.
    

**What Else Is Known About the Attackers?**

The infamous ransomware-as-a-service provider Rhysida claimed responsibility for the attack. This criminal group is also known for its attacks on the Chilean army, as well as attacks on schools, power plants, universities, and government institutions across Europe. Rhysida and its affiliates have an attack methodology that typically involves defense evasion, exfiltration of data for ransom, and destruction of servers to inhibit system recovery. It uses a host of anti-forensics tactics, covering its tracks by deleting log files, making it difficult to trace its activities. Rhysida demanded some 20 bitcoins from the British Library. UK government policy forbids the payment of ransom, so when the library refused to cooperate with the extortionists, the gang released images of employee passports and leaked most of the material to the Dark Web. 

**Takeaway Lessons Learned From the Library Attack**

*   Assess your technical debt: When a decision is made to use hardware and software beyond their supportable or useful life, it can leave gaping holes in the security posture. It is important that organizations know and evaluate this technical debt from a cyber perspective. Remember that recovery times and costs are far greater than building something new from scratch.
    
*   Maintain a holistic view of cyber-risk: Ensure that essential business stakeholders tasked with deciding on whether to accept, mitigate, or transfer cyber-risks have a thorough understanding of these risks. Such comprehension is crucial for effectively allocating resources, prioritizing necessary actions, and determining the order in which they should be conducted.
    
*   Practice good information governance: Contemporary threat actors often target specific assets for seizure. Lacking a solid grasp of your information governance can result in uncertainty regarding the location and significance of your most critical assets, leading to a protracted, arduous, and costly recovery process. That's why it's advisable to run simulation exercises frequently, just to understand where weaknesses reside. By urgently mobilizing needed resources within the first hour, organizations can significantly limit the blast radius.
    
*   Adopt a defense-in-depth approach: A defense-in-depth security approach is a type of layered security that can help curtail the blast radius and limit the damage even when an adversary infiltrates your environment. For example, had the British Library activated MFA on its servers, or had it segregated its network into multiple segments, it would have been in a superior position to detect the attacker’s presence early, limiting their progression to make lateral movements, and preventing data exfiltration.
    

The British Library attack is a wake-up call for all knowledge institutions, libraries, and government-funded organizations that have similar risks in terms of legacy infrastructure, limited resources, and a significant portion of their intellectual property and research existing in a digital format. Such organizations should follow the above best practices to help protect themselves from sophisticated and destructive cyberattacks.

**About the Author(s)**

CEO, Information Security Forum

Steve Durbin is CEO of the Information Security Forum, an independent, not-for-profit organization dedicated to investigating, clarifying, and resolving key issues in information security and risk management by developing best-practice methodologies, processes, and solutions that meet the business needs of its members. He is a frequent speaker on the board's role in cybersecurity and technology.

Key Takeaways From the British Library Cyberattack

For a while, the botnet spread but did essentially nothing. All the malicious payloads came well after.

Source: Phil Degginger via Alamy Stock Photo

A previously harmless Linux botnet has been updated to include a suite of malicious and exploitative components.

The unimaginatively named "P2PInfect" is a worm that leverages the Redis in-memory database application to spread across networks in a peer-to-peer, worm-like manner, creating a botnet along the way. By the time it was first discovered about a year ago, it had yet to cause anyone any real damage — a fact which it used to stealthy effect, by creating very little ruckus in newly infected networks.

This is not the case anymore. According to Cado Security, an update has been propagated across P2PInfect infections globally which includes a brand new rootkit, cryptominer, and even ransomware.

"Last year we were sitting there, scratching our heads, going: 'Why?,'" Al Carchrie, R&D lead solutions engineer at Cado Security, recalls about seeing the innocuous botnet for the first time. "It wasn't until the last couple of weeks that we saw there had been changes — it seems to have grown arms and legs."

**How PRPInfect Started**

On first impression, researchers observed a few things about P2PInfect that they could explain, and a few they couldn't.

First, the known: P2PInfect targeted misconfigured Redis-integrated servers accessible from the Internet. With such an inroad into a network, the malware took advantage of Redis' leader-follower topology, in which a designated "leader" node handles the primary copy of some data, and spreads exact copies to a network of follower nodes. The program used this mechanism to spread itself between Redis nodes across networks.

This seemed to be a good way to establish command-and-control (C2) and potentially spread second-stage malware. At the time, though, this quasi botnet wasn't being used for much at all.

Researchers did note, though, that the word "miner" popped up in P2PInfect's code — a potential indication of what was to come, perhaps, but nothing more.

"Our best estimate was that they were trying to do an initial spread as a botnet, probably to get a significant mass, so that when their plan came into action, it would then be more effective because they'll have a significant number of hosts," Carchrie says.

That prediction has now come to fruition.

**How P2PInfect Is Going**

P2PInfect has been updated with a usermode rootkit, and its "miner" binary has been activated. In the time since, the malware has leveraged its victims to mine around 71 Monero coins, equivalent to around £10,000.

Interesting, too, is a new ransomware component targeting a variety of file types including .xls, .py, .sql, and more. Though scary in theory, this aspect of P2PInfect seems to have been thought through the least.

For one thing, the ransomware looks for specific file extensions, but Linux does not necessarily require that files have extensions to begin with.

More to the point: Redis doesn't save any data to disk by default—its whole value proposition surrounds storage in-memory. It can be configured to save data to files, but the extension for these files—.rdb—is not among those sought by the ransomware. "With that in mind," Cado wrote, "it's unclear what the ransomware is actually designed to ransom."

**What to Do**

From Carchrie's vantage point, P2PInfect infections appear to be most concentrated in East Asia.

Redis is commonly used in businesses across the globe, though. Its open source version has more than four billion Docker pulls, and nearly 10,000 organizations use its Enterprise product, including British Airways and MGM Resorts.

So, he warns, organizations have to watch that their servers are properly protected from outside threats — only exposed to trusted users, behind firewalls, properly configured, etc.

And while it's not so easy to spot totally dormant malware, now that P2PInfect is revved up, it should be leaving behind plenty of easily detectable artifacts. "The cryptomining is going to drain as much CPU as possible, and the ransomware will go after files on disks, so disk utilization then starts to spike as well. You'll be looking for indications of those," he says.

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

'P2PInfect' Worm Grows Teeth With Miner, Ransomware &amp; Rootkit

In the latest breaches, threat groups compromised telecommunications firms in at least two Asian nations, installing backdoors and possibly eavesdropping or pre-positioning for a future attack.

Source: kmls via Shutterstock

At least three cyber-espionage groups have compromised telecommunications operators in multiple countries in the Asia-Pacific region, placing backdoors inside the communications providers' networks, stealing credentials, and using custom malware to gain control and compromise other systems, according to analyses published by two cybersecurity firms in the past week.

Tools from a trio of China-linked groups — Fireant, Neeedleminer, and Firefly — were used to compromise telecommunications companies in at least two Asian nations, according to an analysis published by technology giant Broadcom's Symantec cybersecurity division. The groups — also known as Mustang Panda, Nomad Panda, and Naikon, respectively — previously have been associated with widespread attacks against a variety of countries in the Asia-Pacific region.

Attackers see telecommunications companies as a strong launchpad from which to compromise other systems, eavesdrop on communications, or cybercrime, says Dick O'Brien, principal threat intelligence analyst for Symantec's threat hunter team.

"There's the potential for eavesdropping and surveillance but also, because telecoms is critical infrastructure, you could create significant disruption in your target country," O'Brien says. "We think that there is a distinct possibility that the motive for these attacks was similar to what the US government has been repeatedly warning about."

In April, senior US officials warned that China-linked attackers had begun compromising critical infrastructure as a way to pre-position their offensive cyber operations for future conflicts. Japan and the Philippines created a trilateral alliance for sharing information on cyber threats, especially those from China. The alliance is similar to another trilateral information-sharing agreement between Japan and South Korea.

The attacks come as other Asian nations continue to struggle with increasing cyberattacks. On June 24, Indonesia's government acknowledged that cybercriminals had compromised its National Data Center and demanded an $8 million ransom. Rather than pay, the government is trying to recover, but the attack has disrupted services for more than 200 agencies.

Taiwan is currently dealing with a spate of attacks by a Chinese state-sponsored group, dubbed RedJuliett, which has attacked 24 different government agencies, educational institutions, and technology firms, threat-intelligence firm Recorded Future stated in an analysis published on June 24.

**Cyberattackers Reach Out and Call**

The focus on telecommunications companies is unsurprising: The infrastructure operators are the hub for most traffic on the Internet, making compromising their infrastructure extremely valuable, says Sergey Shykevich, threat intelligence group manager at cybersecurity firm Check Point Software.

"The ultimate jackpot for an attacker with access to telecom networks is the CRM database of telco clients, allowing real-time access to SMS messages, locations, and other sensitive information," he says. "Disruption of telecommunications companies can definitely be devastating for countries and users, as it happened just several month ago in Ukraine. However, in most instances, I believe the primary objective of targeting telecommunication companies is espionage and the valuable data they possess."

In October 2023, Check Point Research released details of an Iran-linked espionage campaign that had primarily targeted government agencies and telecommunications providers.

Another example: Pakistan has become a focus of communications-based attacks, as the quickly digitalization of the country and its geopolitical environment has made it the leading target of reflection-based distributed denial-of-service (DDoS) attacks by a significant margin last year, says Donny Chong, director at Nexusguard, a Singapore-based firm focused on defenses against denial-of-service attacks.

"The risk surrounding telecoms is that if you disrupt telecoms infrastructure, you also disrupt a lot of other critical infrastructure," he says. "There are other sectors, too, which we frequently see targeted by application and multivector attacks — the tech, finance, banking, and insurance sectors in particular have had a hard time with these attacks."

**Multiple Threat Groups**

The attack on the unnamed Asian telecommunications firm included three custom attack tools, executing code in memory to avoid detection, and using legitimate software to load in malicious code — a technique known as sideloading. (Symantec would not name the targeted firms nor the two countries where they were investigating attacks.)

The threat group, or groups, are relatively sophisticated, says Symantec's O'Brien.

"The fact that most of the payloads run in memory means that they can be difficult to detect," he says. "The technique of sideloading using legitimate executables is favored by APT actors, presumably because the legitimate files they leverage are less likely to raise red flags."

The analysis suggested that, while the threat groups could be collaborating with one another — say, different arms of the Chinese government working together — other connections are possible, such as different groups using the same tools or a single group using all three tools.

The connections between actors are often complicated. In 2021, a campaign of espionage attacks — dubbed "Stayin' Alive" — targeted the telecommunications industry and governments of Vietnam, Uzbekistan, and Kazakhstan, using a simple downloader known as CurKeep. The attackers used the same infrastructure as a group known as ToddyCat by cybersecurity firm Kaspersky, which considers the threat actor fairly sophisticated.

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

China-Linked Cyber-Espionage Teams Target Asian Telecoms

Daily operations at some 15,000 automotive dealers remain impacted as CDK works to restore its dealer management system, following what appears to be a ransomware attack last week.

Source: Jonathan Weiss via Shutterstock

The nationwide impact of a cyberattack on CDK Global last week has focused attention on the need for organizations to have robust contingency plans when they rely heavily on SaaS providers for critical business functions.

The attack disrupted operations at some 15,000 automotive dealers around the country, forcing many to go back to using paper forms and manual processes for their daily operations. In forms filed with the Securities and Exchange Commission (SEC), some companies affected by the attack said CDK had informed them about requiring several days — but likely not weeks — to restore its systems. Companies that notified the SEC about being impacted by the CDK breach included Penske, Group I Automotive, and Lithia Motors.

**Ransomware Attack?**

CDK, which provides a suite of cloud software and services for the automotive retail industry, has not yet publicly disclosed the nature of the attack that crippled its systems. But some media outlets have attributed the attack to an East European ransomware group called BlackSuit. They have described the threat actor as demanding millions of dollars in ransom from CDK to unlock the company's systems.

CDK did not respond immediately to a Dark Reading request seeking an update on the status of the company's systems restoration efforts and whether it had been able to attribute the attack to the BlackSuit ransomware group.

Attacks like these underscore the critical need for organizations to extend their cybersecurity protections to their entire network of vendors and partners, says Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance. "For organizations in sectors heavily reliant on a limited number of software vendors or SaaS providers, mitigating exposure and containing disruptions via the software supply chain requires a multifaceted approach," he says. "Firstly, diversifying vendor relationships where possible can distribute risk and reduce dependency on single providers."

**Contingency Planning for SaaS Apps**

Organizations that use SaaS services should implement formal risk management frameworks that include stringent security assessments and contractual obligations for cybersecurity standards, Steinhauer says. Collaborative initiatives within industry sectors to share threat intelligence and best practices can also help strengthen collective defenses against evolving cyber threats, he notes.

Mark Ostrowski, head of engineering at Check Point Software, says the broader takeaway from attacks like this is for organizations to assume their infrastructure is a target wherever the resources — applications, servers, and users — might reside.

It's a good idea to determine the service providers and vendors that are most crucial to your business and identify what their measures are for protecting against an attack, and for mitigating and responding to one, if needed.

Ostrowski advises that organizations keep on top of what's going on in the immediate aftermath of a disruptive cyberattack. For instance, following the attack on CDK, threat actors have been calling customers, apparently with information related to the breach, in what would seem to be phishing attempts.

**The Rush to Repair**

There are lessons in CDK's apparent recovery struggles as well. Soon after the company began recovery efforts last week, it experienced a second attack, right in the midst of its recovery efforts. CDK has not disclosed much about the second attack beyond saying it forced the company to shut down most systems and take them offline.

Pieter Arntz, malware analyst at Malwarebytes, perceives that as an indication of CDK attempting to restore its systems too quickly.

"Many companies will set systems back to a restore from an earlier date, but attackers can afford to linger on a system for long periods of time," Arntz said in an emailed comment. "Restoring systems from, say, a week ago is often not far enough."

The CDK attack also highlights the continued — and growing — exposure that organizations in all sectors face via the software supply chain. According to a study by Data Theorem, 91% of organizations have experienced some kind of security incident tied to their software suppliers and service providers over the past 12 months.

Attacks targeting major players like CDK reveal significant vulnerabilities in critical infrastructure sectors and key industries that rely heavily on software supply chains, Steinhauer says.

"These incidents expose the potential for widespread disruption and economic impact when essential services and operations are compromised," he notes. "They highlight the need for stringent regulatory oversight, enhanced cybersecurity standards, and proactive defense measures to safeguard against targeted attacks on software supply chain leaders."

Strengthening cybersecurity resilience through continuous assessment, response readiness, and collaborative risk management efforts are also critical to mitigating the growing threat landscape posed by sophisticated cyber adversaries, he says.

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

CDK Attack: Why Contingency Planning Is Critical for SaaS Customers

AppSec is hard for traditional software development, let alone citizen developers. So how did two people resolve 70,000 vulnerabilities in three months?

Source: David Grossman / Alamy Stock Photo

Application security (AppSec) programs are difficult to use and filled with vulnerabilities. Overloaded staff face an inadequate budget. Communication with developers is challenging. These sayings are so true, so ubiquitous, that they've become tropes. This is why meeting a team of two who managed to resolve 70,000 security vulnerabilities in three months made me gasp.

**70,000 Vulnerabilities? Really?**

Actually, they found 80,000, 70,000 of which they were able to fix within 90 days. These numbers do not indicate particularly vulnerable applications. They indicate taking a real look in the mirror, beyond the usual lines drawn in the sand between professional development and citizen development, which we sometimes call shadow IT.

Citizen developers are now embedded in every part of large enterprises. Yes, that includes yours. Last year, Microsoft announced that Power Platform, its popular low-code/no-code platform built into M365, had surpassed 33 million users, growing 50% year over year. These users work for the enterprise — your enterprise. They build critical applications, from finance to risk and customer care. It's a real boost to digital transformation, for the business and by the business (user).

**Citizen Development Security Challenges**

A few aspects of citizen development make building an AppSec program around it particularly challenging:

*   The scale of citizen development is between 10x and 100x that of professional development, whether you measure it in terms of numbers of developers, number of applications, or any other metric.
    
*   The variance of business units can be so big that it is easier to think of some business units as separate entities. Indeed, in a large enough corporation, some business units fall under different laws and regulation and have a different risk appetite.
    
*   Citizen developers, as business users, are not security-savvy. If you try to explain injection attacks to a business user, it would probably not be a fruitful conversation or a good use of anyone's time. Citizen developers should do what they do best: move the business forward.
    
*   Finally, the lack of process can be tricky — citizen development is all about moving fast. You edit right in production, adapt quickly, and move forward.
    

Fortunately, some standards have emerged that document and categorize the security vulnerabilities in low-code/no-code apps built by citizen developers.

**AppSec for Citizen Development**

The good news is that the unique challenges of citizen development force us to think outside of the box. Any manual review or process goes out the window. Blocking business users from developing software is never a real option, even when we pretend it is.

Building a successful AppSec program for citizen developers requires heavy reliance on automation and self-service. We need to design a process, think about the edge cases, and automate it completely. For example, when a developer says they have fixed an issue, can you retest to confirm? Is there a clear route for escalation and asking for exemptions? What happens when service-level agreements (SLAs) aren't met? We have answers to all of these questions for traditional AppSec, relying on the software development life cycle and years of working with developers. Though none of the established processes work as is with citizen development, we can use our learnings from pro developers to design a solution that does.

To build your program, start with the basics:

1.  Inventory. Know what you have, but don't stop there. Ask: Who is the owner for each app?
    
2.  Policy. Clarify your risk appetite. Which applications are outside of your accepted use cases? Which should never have been built?
    
3.  Security assessment and retesting. Know your risk, and have a way to automatically test whether this risk has been mitigated.
    
4.  Self-service. Provide clear documentation. Create a self-service portal where citizen developers can learn about issues and how to fix them, where they can ask for clarification or exemptions.
    
5.  Enforce SLAs. What happens if a vulnerability isn't fixed under an SLA? Take preventive action where possible.
    
6.  Track and report. Ensure you get and maintain executive tailwinds by keeping everything informed on progress.
    

The team I mentioned at the beginning of this article followed all of these points and more. They invested time in designing the process, down to its nooks and crannies. This gave them the confidence to hit "play" on the campaign and drastically reduce the security risk in their environment.

It's an incredible success — two employees, three months, 70,000 vulnerabilities, no business disruption. Those results may be exceptional, but you can achieve incredible results at your business as well.

**About the Author(s)**

CTO & Co-Founder, Zenity

Michael Bargury is an industry expert in cybersecurity focused on cloud security, SaaS security, and AppSec. Michael is the CTO and co-founder of Zenity.io, a startup that enables security governance for low-code/no-code enterprise applications without disrupting business. Prior to Zenity, Michael was a senior architect at Microsoft Cloud Security CTO Office, where he founded and headed security product efforts for IoT, APIs, IaC, Dynamics, and confidential computing. Michael holds 15 patents in the field of cybersecurity and a BSc in Mathematics and Computer Science from Tel Aviv University. Michael is leading the OWASP community effort on low-code/no-code security.

What Building Application Security Into Shadow IT Looks Like

In an incident with direct parallels to the recent Ticketmaster compromise, an Aussie live events giant says it was breached via a third-party cloud provider, as ShinyHunters takes credit.

Source: Jon Arnold Images Ltd via Alamy Stock Photo

The ShinyHunters cybercrime gang has claimed another victim, this time in Australia. The group recently posted information on a Dark Web forum that it says is for about 30 million users of Ticketek, Down Under's top live events ticketing organization.

Ticketek Entertainment Group (TEG) had already disclosed the breach in late May. According to a statement on its website, it noted that information had been heisted via an unnamed third-party cloud provider, with hackers making off with customer names, dates of birth, and email addresses. No user accounts were compromised, and payment information wasn't caught up in the incident, TEG stressed.

The circumstances are eerily similar to the Ticketmaster breach, which came to light at the beginning of June after ShinyHunters posted information impacting 560 million customers on the BreachForums underground market. That breach was also due to the compromise of a third-party cloud account, which was quickly revealed by researchers to be Snowflake.

Researchers subsequently determined that the Ticketmaster incident was part of a much broader cyber campaign against poorly secured Snowflake accounts that hit as many as 165 organizations, including Advanced Auto Parts and (most likely) Santander Bank. The attackers targeted low-hanging fruit: cloud accounts that lacked multifactor authentication (MFA), using credentials from previous breaches. Some of the passwords hadn't been rotated for three years, according to a recent analysis from Mandiant.

Despite researcher speculation, TEG has not confirmed a Snowflake connection nor ShinyHunters as the culprit for the cyberincident, though a 2022 case study (PDF) names the cloud provider as a technology partner for the ticketing giant. Neither company immediately returned a request for comment from Dark Reading.

**About the Author(s)**

Source

DARKReading