CDK Global, which makes software for car dealers, experienced a cyber incident that halted vehicle sales and service across the US.

Source: Joe Hendrickson via Alamy Stock Photo

A supply chain cyberattack on software provider CDK Global forced thousands of car dealerships to shut down Wednesday, a traditionally busy day for sales with the Juneteenth holiday.

Reports said the first dealerships started getting booted offline around 2 a.m. Eastern Time on Wednesday, June 19. Some shut down altogether, unable to access critical information, while others maintained some services by relying on paper records.

On Thursday morning, CDK said that there had been a second cyber incident.

"Late in the evening of June 19, we experienced an additional cyber incident and proactively shut down most of our systems," CDK said in a statement provided to Dark Reading. "In partnership with third party experts, we are assessing the impact and providing regular updates to our customers."

CDK's statement added that it took systems offline as a precaution.

"We are continuing to conduct extensive tests on all other applications, and we will provide updates as we bring those applications back online," CDK said in its statement. "Our first priority is always the security of our customers, and our actions reflect our obligation to them as a trusted partner."

**Looking for Answers**

The specific nature of the supply chain cyber incident and whether systems have been restored remains unclear. However, Roger Grimes, data-driven defense evangelist with KnownBe4, said he suspects ransomware.

"It hasn't been released what type of 'cyber incident' this is, but there's a good chance it's related to ransomware," Grimes said in a statement. "When more details are released, I hope part of the details include how the cyber threat made its way into CDK's systems (e.g., social engineering, unpatched software or firmware, etc.). Because in order to mitigate future occurrences you need to start with how the current incident was caused."

According to Andrew Costis, chapter lead on the adversary research team at AttackIQ, the cyber incident is far from over for dealerships that rely on CDK software.

"CDK is suffering from not one, but two cyberattacks that have caused the SaaS provider to shut down IT systems," he told Dark Reading in a statement. "Given the extensive reliance on this third-party vendor, the fallout from this attack reverberates throughout the entire automotive industry."

Thousands of Car Dealerships Stalled Out After Software Provider Cyberattack

The notorious cyber espionage group has been harrying French interests for years, and isn't flagging now as the Paris Olympics approach.

Source: Paul Ward via Alamy Stock Photo

Midnight Blizzard, the Russia-backed advanced persistent threat (APT) behind the 2016 US elections interference and the 2020 SolarWinds attacks, has been taking aim at French diplomatic entities since at least 2021 — and it remains an active threat, according to French CERT.

Russia, which not coincidentally is banned from the upcoming Summer Olympics in Paris, shows no sign of easing off of its cyberattack activities, particularly against Ukraine and European friends of Ukraine, IT companies, and US critical infrastructure.

Now, CERT-FR has warned in a recent alert that Midnight Blizzard (aka Nobelium, APT29, Cozy Bear, and The Dukes) has been consistently attempting to exfiltrate strategic intelligence from embassies and diplomats, in an activity cluster it calls "Diplomatic Orbiter." The targets have included the French Ministry of Culture, the National Agency for Territorial Cohesion, the French Ministry of Foreign Affairs, the country's embassy in Ukraine, and others.

"Most of Nobelium campaigns against diplomatic entities use compromised legitimate email accounts belonging to diplomatic staff, and conduct phishing campaigns against diplomatic institutions, embassies, and consulates," according to the CERT-FR alert (PDF). "These activities are also publicly described as a campaign called 'Diplomatic Orbiter.' The lure documents used in these attacks are typically forged to target diplomatic staff."

Once gaining initial access, the operators attempt to deliver custom, first-stage loaders to execute public tools such as Cobalt Strike or Brute Ratel C4. The ultimate goal is to access the victim's network, ensure persistence, and exfiltrate data. Many of the attacks have been unsuccessful, the organization stressed.

**About the Author(s)**

Russia's Midnight Blizzard Seeks to Snow French Diplomats

The old, but newly disclosed, vulnerability is buried deep inside personal computers, servers, and mobile devices, and their supply chains, making remediation a headache.

Source: Alexander Cimbal via Alamy Stock Photo

A vast swath of computers is likely to be affected by a newly published vulnerability in Intel processors.

CVE-2024-0762, unfortunately nicknamed "UEFIcanhazbufferoverflow," is a buffer overflow issue affecting multiple versions of Phoenix Technologies' SecureCore Unified Extensible Firmware Interface (UEFI) firmware. First disclosed by the vendor in May, it has now been described in detail by Eclypsium researchers in a blog post.

They first spotted it back in November, while analyzing UEFI images in Lenovo ThinkPad X1 Carbon 7th Gen and X1 Yoga 4th Gen laptops. The problem lies in an unsafe call to the GetVariable() runtime service, used for reading the contents of a UEFI variable. A lack of adequate checks could allow an attacker to feed it too much data, thereby causing an overflow. From there, the attacker could take advantage by escalating privileges and executing code in a targeted machine during runtime.

Even worse than the severity of the bug, though, is its spread. Intel supplies the majority of PC processors sold around the world, and SecureCore firmware runs on 10 different generations of Intel chips. Eclypsium estimates it could affect hundreds of PC models across a wide spectrum of vendors.

**The Rub With UEFI**

There are few areas of a machine where malicious attacks are so effective, and so difficult to excise, as UEFI and its predecessor, BIOS. As the firmware interface that controls how a system boots, it is the first and most privileged code that runs once a user hits the power button on their device.

Its special status has attracted attackers far and wide in recent years, allowing them to nab root-level privileges, establish persistence through reboots, bypass security programs that might otherwise catch more traditional malware, and more.

"It's not not really the greatest place to hack into, but it is a really good place to set up shop," explains Nate Warfield, director of threat research and intelligence with Eclypsium.

"If you have code execution during that stage of a computer booting, you can drop something into the boot sector. Or you can use this vector to inject malware into Windows before it starts." He points to the recent CosmicStrand UEFI rootkit as a case in point. It's also what makes UEFIcanhazbufferoverflow so dangerous.

Still, it was only assigned a "high" 7.5 out of 10 in the CVSS scoring system. That, Warfield says, comes down to a couple of factors.

First, it requires that an attacker already have access to their targeted machine. 

Additionally, unlike your typical headline vulnerability, exploits in this case may need to be customized to a certain degree depending on the targeted computer model's configuration, and the permissions assigned to the problematic variable, adding a certain degree of complexity to the whole affair.

**The Good News and (More) Bad**

Unfortunately, this same complexity extends to vendors developing patches.

"The vulnerability we found affected a whole bunch of different versions of \[Phoenix's\] UEFI code. So they had to patch all of those for their customers, and now everyone has to go and pull those and package them up for all the versions of their BIOS," Warfield explains. "They may end up having to fix 10, 15, or 20 different tiny differences \[in architecture\] because this one supports this many GPUs, this one supports different hardware configurations for the motherboard. It's impossible to know."

Lenovo — which coordinated with the researchers in recent months — started releasing fixes last month, though some computers will remain exposed until later in the summer. Other, more recently informed original equipment and design manufacturers will surely take even longer. Organizations using Intel-powered computers can do little more than twiddle their thumbs in the meantime.

"This is the whole supply chain problem in a nutshell," Warfield says. "We informed the vendor. We have to wait for them to tell their customers' OEMs, who have to package their fixes and deliver it to their customers, who are the end users."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

High-Risk Overflow Bug in Intel Chips Likely Impacts 100s of PC Models

The stream was briefly knocked offline, preventing millions of fans from accessing the game. Poland's head of digital services says "all leads lead to the Russian Federation."

Source: Fifg via Alamy Stock Photo

The UEFA Euro 2024 soccer championship tournament kicked off last weekend, but fans of European national teams aren't the only ones paying attention. Cyberattackers took aim at Polish public television, TVP, disrupting its online broadcast of Poland's Group D opening match against the Netherlands.

The broadcaster determined that the attack was a distributed denial-of-service (DDoS) effort that was timed for the start of the match.

"At about 3 p.m., Polish Television recorded a DDoS attack carried out from IP addresses located in Poland," TVP said in a statement on social platform X (via Google Translate). "After less than a minute, we took action in collaboration with national operators, which led to a mitigation of the attack. The IT teams have restored the service."

**An Accidental Crash, or Russian Harrying?**

Bartłomiej Wypartowicz, editor at Eastern European cybersecurity outlet Defence 24, quickly raised the possibility that the incident might not have been malicious; more than half of the population in Poland reportedly tried to access the stream, and the group responsible for the majority of the traffic appears to be a legitimate community called "fans of the Polish national team on Sunday after lunch."

He posted on X, "Millions of IP addresses want to visit the site" (via Google Translate).

However, Pawel Olszewski, Poland's deputy minister of digital affairs, said in an interview with local media yesterday that the crash was certainly malicious, and likely backed by Russia, which wanted to "prevent Polish citizens from watching the match online."

Cybercriminals have a long history of attacking major world sporting events — from the now-infamous Russia-led Olympic Destroyer attacks against the 2018 Winter Olympics in Pyeongchang, to attempted disruptions to the 2022 UEFA World Cup in Qatar, to threats against the upcoming Summer Games in Paris.

In this case, "all leads lead to the Russian Federation," Olszewski told Radio RMF24 (via Google Translate). "It was a DDoS attack aimed at disabling the service. … This attack was repelled very quickly."

**About the Author(s)**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

DDoS Attack Targets Poland's UEFA Euro Opening Match

Had the bill become a law, it would have given consumers the right to sue companies that violate their privacy.

Source: Wangkun Jia via Alamy Stock Photo

The Vermont General Assembly this week failed to override Gov. Phil Scott's veto of H.121, a bill that would have given the state one of the strongest data privacy protection laws in the US. While the Vermont House voted 128-17 to override, the state Senate voted 14 yeas to 15 nays, leaving the governor's veto standing and killing the bill.

The bill, officially named "An act relating to enhancing consumer privacy and the age-appropriate design code," notably contained a right-of-action provision that would allow consumers to sue companies that misused their sensitive data. The other half of the bill, dubbed "Kids Code," would have required online services targeted at people under 18 years old to account for privacy and to ensure that all content kids could access was appropriate for children.

In his June 13 letter to the General Assembly, Gov. Scott said he was vetoing the bill because the data privacy component would create a hostile business environment in the Green Mountain State. Scott also noted that the Kids Code part of the bills brought up First Amendment issues that California was already dealing with in courts. He recommended that Vermont adopt Connecticut's less litigious data privacy law to address the first half and wait for California to straighten out legal challenges to the second.

Companies might breathe a sigh of relief to avoid having to meet yet another set of data privacy requirements. If an organization conducts business in the European Union, for example, it has to comply with the General Data Protection Regulation (GDPR). As many as 19 US states have passed data privacy laws of their own, according to an industry interest group. And while federal data privacy legislation is still under development, US President Joe Biden issued an executive order at the end of February to firm up policies about how user data is handled nationally and internationally.

**About the Author(s)**

Dark Reading

The Edge is Dark Reading's home for features, threat data and in-depth perspectives on cybersecurity.

Consumer Privacy Bill Fails in Vermont

The "Markopolo" threat actors built a convincing brand and Web presence for fake software to deliver the dangerous Atomic macOS stealer, among other malware, to carry out cryptocurrency heists.

Source: Klaus Ohlenschlaeger via Alamy Stock Photo

A widespread campaign aimed at stealing cryptocurrency is spreading a wave of infostealers through fake virtual meeting software for both macOS and Windows platforms, particularly targeting the former with the dangerous Atomic stealer.

Discovered by Recorded Future's Insikt Group, the campaign attributed to a threat actor dubbed "Markopolo" is responsible for an elaborate Web and social media presence for a fake app called Vortax, according to a report (PDF) published this week.

Vortax is purported to be virtual meeting software for various platforms but actually is a delivery mechanism for three infostealers: Rhadamanthys, Stealc, and Atomic, the researchers found. Attackers target cryptocurrency users in the campaign through social media and Telegram channels for the purpose of stealing credentials, so they can in turn steal crypto from them, according to Insikt.

The campaign is connected to a previously reported attack by Markopolo, identified then only as a Russian-speaking threat group, that previously targeted the Web3 gaming community. The group is known for using shared hosting and command-and-control (C2) infrastructure in order to be able to pivot agilely to new scams when detected, according to Insikt.

"The campaign indicates a widespread credential-harvesting operation, potentially positioning Markopolo as an initial access broker or 'log vendor' on Dark Web shops like Russian Market or 2easy Shop," Insikt Group wrote in a blog post associated with the report.

The activity also demonstrates an uptick in infostealers that target macOS, which traditionally have been less prevalent than their Windows counterparts, Insikt Group noted in its report. Reports of Atomic stealer in particular have been on the rise based on recent research.

"The high volume of \[Atomic\] activity observed in this campaign builds on previous Insikt Group reporting, which found that mentions of macOS malware and exploit kits increased by 79% year-on-year from 2022 to 2023," according to the report. This "may indicate" a link between the overall number of references to macOS malware and the increased frequency of Atomic stealer campaigns observed in the wild, the researchers noted.

**Vortax: Threats Hiding Behind a Convincing Brand**

The foundation of the campaign is in Vortax, a fake "self-proclaimed" virtual meeting software marketed as cross-platform and AI-enhanced for which attackers built a convincing online brand. All major search engines index Vortax, which has a presence (@VortaxSpace) on social media platforms and even maintains a Medium blog using what are likely AI-generated articles.

The company behind the software claims to operate out of an address in Toronto that is actually an apartment building, and even boasts online about bogus awards from respected publications such as Forbes. However, closer inspection revealed that Vortax is a fraud, particularly shown by related website domains, vortax.io and vortax.space — the latter of which has since been suspended — that are rife with spelling and grammatical errors, according to Insikt.

Vortax advertises applications for Windows, Linux, macOS, iOS, and Android on its sites, though users cannot actually download the applications without a “Room ID," which functions as a meeting invitation.

Accounts associated with Vortax have four primary methods for sharing Room IDs — the most common of which are R12307012, R39264552, R87103129, and R71231209. These methods include: replies to the Vortax account on social media; direct messages on social media; posting in cryptocurrency-related Telegram channels; and posting in cryptocurrency-themed Discord channels.

These IDs ultimately lead to an installer for downloading Vortax, which as described just a front for delivering infostealing malware. On Windows platforms, the fake software delivers Rhadamanthys and Stealc, while it loads the Atomic stealer on macOS platforms.

To the user, it appears that Vortax is never actually installed, with the installation process "claiming that it encounters critical errors that impede it from running," while the software is actually "running many malicious processes" in the background, according to the report.

**Mitigation Against Malware-Hiding Software**

Insikt made a number of suggestions for mitigating the campaign, particularly across the macOS platform — which increasingly is being targeted and thus demands new vigilance and "robust defense strategies," according to the report.

Indeed, the distribution of Atomic stealer, previously distributed via fake software updates, demonstrates a pivot by by infostealing threat actors to macOS. One mitigation for the campaign, then, is to ensure that detection systems for Atomic infostealer are regularly updated to prevent infections, according to Insikt.

Organizations also should educate users on the risks of downloading unapproved software, especially from social media or search engines, and implement strict security controls to prevent employees from doing so. They also should encourage corporate network users to report suspicious activities encountered on social media and other platforms.

According to Insikt Group, using intelligence and monitoring platforms that scan for malicious domains and IP addresses associated with Atomic stealer and other macOS malware also can help prevent infection.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

'Vortax' Meeting Software Builds Elaborate Branding, Spreads Infostealers

The updated framework is an equalizer for smaller organizations to meet the industry at its breakneck pace of innovation.

Jamie Moles, Senior Technical Manager, ExtraHop

June 20, 2024

4 Min Read

Source: Skorzewiak via Alamy Stock Photo

COMMENTARY

The National Institute of Standards and Technology's Cybersecurity Framework 2.0 (NIST CSF 2.0) could not have come at a better time. Ransomware attacks have already built up a devastating track record on businesses and institutions across all industries in the past year: 58% of respondents to a recent survey experienced six or more ransomware attacks in the past 12 months. This comes among other concerns, including data breaches, generative AI threats, insider threats, and more, proving that cybersecurity needs to be more accessible than ever.

Historically, industry guidance to prevent these attacks was aimed at critical infrastructure or larger enterprises in high-risk industries. But cybersecurity is an "everyone" problem, and many organizations are beginning to catch on to the idea that cyber-risks are just as important as all other business risks. The same survey found that the average incident downtime is 56 hours, and considering that a survey conducted by ABB in 2023 puts the median cost of downtime at nearly $125,000 per hour, this downtime would cost $7 million — per incident. 

NIST's CSF 2.0, released this February, provides an important resource for organizations of all sizes to avoid these far-reaching costs by reexamining their security initiatives, fending off evolving threats, and preparing to meet today's innovations with a more guided approach. While just a framework, it can be used to inform three critical changes all organizations should make in the year ahead.

**Three Critical Changes Everyone Should Make in the Coming Year****1\. Building a New Approach to Securing Infrastructure**

The path to securing infrastructure may seem like an obvious route: Get the right tools to detect, defend, and respond to security incidents. But one area organizations often miss, and one of the most significant additions to NIST CSF 2.0, is governance. 

A strong governance strategy establishes all people, process, and organizational concerns for cybersecurity. This includes the development of a cybersecurity strategy and policies, oversight for the strategy and policies, controls for supply chain, and more. 

This is especially important for smaller companies with plans to continue scaling. Having a set plan in place to quickly and efficiently react to a potential security breach can alleviate the capital losses that come with the territory: Net income, quarterly earnings, and stock prices all drop significantly after data breaches. An effective plan can possibly reduce those effects.

**2\. Investing to Fit Specific Business Needs**

An organization may choose to handle risk in one or more ways, and this all depends on its specific business needs. NIST CSF 2.0 can help determine areas and levels of risk, and from there, organizations can decide on the right solutions. This can feel overwhelming for many organizations, especially as solution providers are continuously innovating and developing new tools.

One universal truth in the industry is that security operations center (SOC) analysts are overwhelmed and resource strapped. AI- and ML-based solutions have arisen as a helpful bridge in combating this industry burnout to effectively manage risk and build business resilience against threats. Additionally, tools that enhance visibility are essential in further securing the attack surface. Despite investments in vulnerability management, endpoint detection and response (EDR), and security information and event management (SIEM) tools, there are many blind spots in the network, cloud, and more that organizations need to address as well.

**3\. Developing an Organizationwide Approach to Security Hygiene**

While the right tools are essential, a critical part of NIST CSF 2.0's "Protect" focuses on awareness, training, and identity and access management as critical safeguards to managing risk. While the framework calls out a great number of risk factors, overall cyber hygiene is a critically undervalued part of cybersecurity.

This is an age-old method that works for attackers time and time again, and the costs add up. Luckily, for smaller organizations, they typically perform best on the cyber hygiene bell curve, with midsize organizations lagging behind. But one successful attack can be all it takes to financially destabilize a small organization, as respondents paid an average of nearly $2.5 million in ransom in 2023, and generative AI has only made social engineering attacks easier. 

**Taking Advantage of Industry Resources**

Though it provides essential guidelines, keep in mind that NIST's CSF 2.0 is meant to be used in conjunction with other frameworks and guidance, and is not a catch-all solution. It's also designed to be customized as an organization grows and evolves.

However, the framework is an equalizer for smaller organizations to meet the industry at its breakneck pace of innovation now that it is designed for organizations of all sizes. This includes understanding how threat actors are advancing and the new tools to defend against them, both of which are essential to building business resilience in the long run.

**About the Author(s)**

Senior Technical Manager, ExtraHop

Jamie Moles is senior technical manager at ExtraHop. He brings more than 30 years of cybersecurity experience helping customers understand and mitigate the risk contemporary threats pose to their business.

Catching Up on Innovation With NIST CSF 2.0

By integrating environmental initiatives, social responsibility, and governance into their strategies, security helps advance ESG goals.

John Donegan, Enterprise Analyst at ManageEngine

June 19, 2024

4 Min Read

Source: Aleksandr Davydov via Alamy Stock Photo

COMMENTARY

Inadequate cybersecurity architecture can cause irreparable damage to an organization, which is why boards and C-suite executives are heeding recommendations to implement policies and procedures to mitigate risk. In addition, boardrooms are also paying attention to other hot topics, including diversity, equity, and inclusion (DEI) and sustainability. So it's worth asking what cybersecurity personnel can do to support these initiatives.

Security leaders are in a unique position to not only protect the organization, but also to help direct it toward a more sustainable future. There are several ways they can support the three pillars of ESG: environmental initiatives, social responsibility, and corporate governance.

**Cybersecurity & Environmental Initiatives**

By "environmental initiatives," we're talking about how organizations affect the environment, such as carbon emissions, resource consumption, and waste output. Security personnel can make a palpable, positive impact on their organization's environmental initiatives with a few key implementations.

Endpoint management solutions. At the beginning of the hardware and software life cycle, cybersecurity personnel should make judicious purchases. Endpoint management software, for example, can be helpful, as such tools save energy by automatically installing patches and putting endpoints into sleep mode when devices are idle or threatened. \[Editor's note: The author's company is one of many that sell endpoint management software.\]

E-waste management. Cybersecurity teams already monitor corporate devices to maintain compliance and robust network security; they should collaborate with IT personnel to prolong these devices' lifespans via patching and software updates. By reusing and refurbishing hardware, security personnel and IT folks can work together to lower operational costs and reduce their company's environmental footprint.

Supply chain audits. To reduce greenhouse gas emissions effectively, it is also necessary to conduct supply chain audits. Security personnel should periodically orchestrate environmental audits of all the vendors within their supply chain. This entails an assessment of vendors' energy consumption and waste management, among other things.

Energy-efficient data storage and processing. Security personnel should make data center cybersecurity a priority. Data centers use a ton of energy and often contain sensitive information. A successful cyberattack on a data center would likely result in fines, loss of trust, and a rise in energy consumption to get operations back on track.

**Cybersecurity & Social Responsibility**

This pillar is concerned with the relationships that one's company has with various people and communities. In addition to diversity and inclusion, we believe that companies should consider digital inclusion and the ability to contribute to economies in underdeveloped regions.

Eco-friendly product procurement. While procuring software and hardware, cybersecurity professionals are usually focused on robust security, compliance, and cost. However, they should also be cognizant of their potential vendors' sustainability practices. In addition to making sure that downstream vendors don't introduce any cyber-risks, security teams should assess the overall environmental and social impacts of their third-party products.

It's important to assess the average lifespan of third-party vendors' products, as well as any applicable energy efficiency ratings or environmental certifications. By choosing energy-efficient vendors that are committed to sustainable manufacturing practices, cyber personnel can bolster their own corporate reputation and attract environmentally conscious customers.

For organizations that sell cybersecurity tools, it's wise to consider digital inclusion. A component of social responsibility, digital inclusion is the idea that people of all socioeconomic backgrounds should have access to technologies. By keeping cybersecurity software prices affordable, security companies can provide more tools to more people.

Effective data management. Cybersecurity personnel are responsible for ensuring the confidentiality, integrity, and availability of their organization's data. Without adequate cybersecurity tools, such as endpoint management solutions, identity and access management tools, and security information and event management software, organizations cannot protect their customers' data, which, of course, they have a social responsibility to do.

**Cybersecurity & Governance**

Governance refers to an organization's internal procedures, its ability to comply with laws, and how well the company is managed. When it comes to governance, cybersecurity professionals' knowledge and guidance is indispensable.

Materiality assessments and regulatory compliance. Given that cybersecurity professionals are well-versed in dealing with compliance requirements, the executive branch should consult with them in their efforts to comply with regulations.

Besides helping establish cybersecurity compliance and data-handling protocols, security professionals can also ensure that the organization is in compliance with environmental legislation across the globe. To do so, they should help with their organization's ESG materiality assessments.

In addition to assessing sustainability from a financial angle, ESG assessments list how operations affect society and the environment. Organizations need to have cyber personnel on their steering committees to bring a risk management lens to the conversation. By sitting on these committees, cybersecurity team members remind upper management just how invaluable they are to the organization.

Adherence to data privacy laws. Again, organizations have a social — and legal — responsibility to adhere to all data privacy laws. By doing so, cybersecurity personnel help the organization properly manage customer data, while also mitigating threats from bad actors.

**Cybersecurity Is ESG**

As the examples above show, corporate sustainability initiatives cannot be successful without the active participation of cybersecurity personnel. Whether we are talking about environmental initiatives, social responsibility issues, or governance, cybersecurity professionals need to take their seats at the table.

**About the Author(s)**

Enterprise Analyst at ManageEngine

John Donegan is an enterprise analyst at ManageEngine. He covers infosec and cybersecurity, addressing technology-related issues and their impact on business. John holds several degrees, including a B.A. from New York University, an M.B.A. from Pepperdine University, an M.A. from the University of Texas at Austin, and an M.A. from Boston University.

How Cybersecurity Can Steer Organizations Toward Sustainability

The service, likely a rebrand of a previous operation called "Caffeine," mainly targets financial institutions in the Americas and EMEA and uses malicious QR codes and other advanced evasion tactics.

Source: ronstik via Alamy Stock Photo

A highly organized phishing-as-a-service operation (PhaaS) is targeting Microsoft 365 accounts across financial firms with business email compromise (BEC) attacks that leverage a two-factor authentication (2FA) bypass, QR codes, and other advanced evasion tactics to maximize success, researchers have found.

Security analysts from EclecticIQ in February discovered a broad phishing campaign targeting financial institutions, in which threat actors used embedded QR codes in PDF attachments to redirect victims to phishing URLs, according to a blog post published June 18. Specific organizations targeted included banks, private funding firms, and credit union service providers across the Americas and Europe, Middle East and Africa (EMEA) regions.

EclecticIQ eventually tracked the origin of the campaign to a PhaaS platform called ONNX Store, "which operates through a user-friendly interface accessible via Telegram bots," Eclectic IQ threat intelligence analyst Arda Büyükkaya wrote in the post.

A key part of the ONNX service is a 2FA bypass mechanism that intercepts 2FA requests from victims using encrypted JavaScript code, to decrease the likelihood of detection and bolster the success rate of attacks, Büyükkaya noted. Moreover, the phishing pages delivered in the attacks use typosquatting to closely resemble Microsoft 365 login interfaces, making them more likely to trick targets into entering their authentication details.

**Snapshot of an ONNX Attack**

A typical email used in the attack shows a threat actor purporting to send the employee a human resources-related PDF document, such as an employee handbook or a salary remittance slip. The document impersonates Adobe or Microsoft 365 to try to trick a recipient into opening the attachment via a QR code that, once scanned, directs victims to a phishing landing page.

The use of QR codes is an increasingly common tactic for evading endpoint detection, Büyükkaya noted: "Since QR codes are typically scanned by mobile phones, many organizations lack detection or prevention capabilities on employees' mobile devices, making it challenging to monitor these threats."

The attacker-controlled landing page is designed to steal login credentials and 2FA authentication codes using the adversary-in-the-middle (AitM) method, analysts found.

"When victims enter their credentials, the phishing server collects the stolen information via WebSockets protocol, which allows real-time, two-way communication between the user's browser and the server," Büyükkaya wrote. In this way, attackers can quickly capture and transmit stolen data without the need for frequent HTTP requests, making the phishing operation more efficient and harder to detect, he noted.

Another PhaaS operator, Tycoon, also has used a similar AitM technique and a multifactor authentication (MFA) bypass involving a Cloudflare CAPTCHA, demonstrating how malicious actors are learning from each other and adapting strategies accordingly, Büyükkaya said.

ONNX also shares overlap in both Telegram infrastructure and advertising methods with a phishing kit called Caffeine (first discovered by researchers at Mandiant in 2022), the researchers found — so it could be a rebranding of that operation, according to ElecticIQ.

Another scenario is that the Arabic-speaking threat actor MRxC0DER, who is believed to have developed and maintained Caffeine, is providing client support to the ONNX Store, while the broader operation "is likely managed independently by a new entity without central management," Büyükkaya wrote.

**JavaScript Encryption Adds Level of Evasion**

Another anti-detection measure in the ONNX phishing kit is the use of encrypted JavaScript code that decrypts itself during page load, and includes a basic anti-JavaScript debugging feature. "This adds a layer of protection against anti-phishing scanners and complicates analysis," according to the analysis.

EclecticIQ researchers observed a functionality in the decrypted JavaScript code that's specifically designed to steal 2FA tokens entered by the victims and relay them to the attacker, who then uses the stolen credentials and tokens in real time to log in to Microsoft 365.

"This real-time relay of credentials allows the attacker to gain unauthorized access to the victim's account before the 2FA token expires, circumventing multifactor authentication," Büyükkaya wrote.

**Mitigating and Preventing ONNX Phishing Attacks**

ElecticIQ provided countermeasures for combatting specific tactics used by ONNX Store. To mitigate threats from embedded QR codes in PDF documents, organizations should block PDF or HTML attachments from unverified external sources in email server settings. They also can educate employees on the risks associated with scanning QR codes from unknown sources.

To combat the typosquatted domains used by the threat actor to impersonate Microsoft, organizations can implement domain name system security extensions (DNSSEC), which protects domains from multiple cyber threats, including typosquatting.

There are also measures that defenders can take to combat the theft of 2FA tokens, such as implementing FIDO2 hardware security keys for 2FA; setting a short expiration time for login tokens that limits a cyberattacker's window of opportunity to use them; and using security monitoring tools to detect and alert for any unusual behavior, such as multiple failed login attempts or logins from unusual locations.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

'ONNX' MFA Bypass Targets Microsoft 365 Accounts

By offering to buy Atos' big data and cybersecurity operations. Paris is trying to make sure key technologies do not fall under foreign control.

Source: Aleksandar Malivuk via Shutterstock

The government of France's recent bid to acquire the big data and cybersecurity division of Atos for some $750 million is an indication of the financially beleaguered company's vital importance to the country's defense interests.

It's a move that analysts say is about retaining domestic control over technology integrated into sensitive government, defense industrial base systems, supercomputers for simulating nuclear bomb tests, and a range of other critical infrastructure. Atos is also the primary cybersecurity provider to the upcoming Olympic Games in Paris.

The French government has similar stakes in multiple other entities such as Air France, Airbus, Renault, and aviation, space, and defense giant Safran. So, the move to invest in Atos is not unprecedented.  Even so, it demonstrates the French government's keen interest in keeping information technology of strategic national security importance out of foreign hands.

**Atos: A Pivotal Govt. Player in France**

Atos is a pivotal entity in France, says Morgan Wright, chief security advisor at SentinelOne: "It has constructed the supercomputers for the nuclear-deterrent program, secured a 2019 contract to establish a big-data platform for the armed forces, and is a driving force in the development of the Scorpion combat-information system." Wright adds, "the French government's \[planned\] acquisition of these assets \[is\] a strategic move to maintain control and prevent potential competitors from developing technology that could be used against the country or its allies."

Atos last week disclosed that it had received what it described as a non-binding offer from the French government for its advanced computing, mission-critical systems and cybersecurity products businesses. Atos' board of directors and the company's top management will discuss the $750 million offer, but there is no guarantee that negotiations will lead to a definitive agreement between both parties, the company said in the statement.

The nearly $12 billion Atos provides a wide range of information technology products and services worldwide. In recent years the company has struggled financially and has accumulated a debt load that currently stands at over $5 billion. Airbus earlier this year offered between $1.65 billion and $2 billion to buy Atos' big data and cybersecurity business for between $1.65 billion and $2 billion — or more than twice what the French government has currently offered. But the aerospace giant abruptly walked out of the deal midway through discussions, tanking Atos' already degraded stock values in the process. Some European analysts had perceived Airbus as acting as sort of proxy for the French government when it made the offer.

**A Bid to Protect Self Interests**

The French government's subsequent direct bid to buy Atos' cybersecurity business is not entirely unsurprising in that context. Some in France had actually called for the government to nationalize Atos prompting a government denial.

"Atos delivers critical services to multiple departments within the French government, some of which are highly critical or require a specific skill set or authorization — \[like\] top secret security clearance," says Luigi Lenguito, founder and CEO, BforeAI. "Ensuring the know-how and workforce Atos has built, stays as consolidated as possible, is a primary concern," for the French government, he says.

In Europe, moves by the government to take a direct stake in companies deemed as providing critical value are not unusual, he says pointing to examples such as Air France and ITA (formerly Alitalia). Italy's Leonardo SpA — which like Atos provides a wide range of IT and security services — is an example even within the technology realm, he notes. The Italian government currently holds a 30% stake in Leonardo.

"This is not new; other large security organizations in Europe have some form of public 'golden share,'" as well, Lenguito says. "These arrangements have already been established in other critical sectors like telecommunication and utilities."

In other cases, governments have used legislation limiting who can tender specific services, he says.

**The US Approach to "PubSec"**

The chances of the US government stepping in to buy a stake in a critically important private sector IT or cybersecurity company are significantly lower. However, the government does have close oversight over foreign investments through the Committee of Foreign Investments in the United States (CFIUS), says SentinelOne's Wright.

"China has been blocked several times from acquiring certain US companies for national security reasons, because of the technology they are involved with," he says, i.e., Huawei's blocked bid to become a top 5G infrastructure provider for US telecoms. But for the federal government to buy a private cybersecurity company would be an exceptional circumstance, he notes.

"It could happen in the US, but I think the company would have to be so strategic that the transfer of ownership to an adversarial interest would harm the national security of the country," he says.

Dave Gerry, CEO at Bugcrowd, says that while the government buying a cybersecurity provider isn't exactly commonplace in the US, there is some precedent for it reviewing what technologies and companies can end up being owned by foreign buyers. He too points to the role by the CFIUS in reviewing transactions that could impact a national security interest.

"Recently, we've seen this play out in the non-cyber world when Japan's Nippon Steel attempted to acquire US Steel," he says. "In this case, it appears the French government has a strong reason to believe that Atos' acquisition by a foreign buyer would jeopardize France's national security interests."

Importantly, if the deal goes through, the French government will have a direct stake in a company that can help significantly bolster its technology and cybersecurity capabilities. "It makes sense for the French government to upgrade its defenses," says Mike Janke, co-founder of DataTribe. "For years, we have seen governments invest in critical companies through numerous means, but it has been rare for them to buy a company. We'll see if this emerges as a trend."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Source

DARKReading