A new version of the infamous browser extension is spreading through files on websites offering pirated wares and leverages unique persistence mechanisms.

Fake websites advertising pirated video games, films, and other wares are spreading a new variant of the ChromeLoader malware dubbed "Shampoo," that is anything but clean: It steals sensitive data, redirects searches, and injects ads into a victim's browser session.

Researchers from HP Wolf Security have been tracking the new campaign, which appears to have been active since March and distributes malware similar to the original ChromeLoader — first discovered in May 2022 — but that's noticeably harder to wash out of the proverbial IT hair thanks to multiple persistence mechanisms, they said.

The goal of the first version of ChromeLoader was to install a malicious Chrome extension for advertising, a process that includes "a particularly complex infection chain" that begins with victims downloading malicious ISO files from websites hosting illegal content that hijack browsers, wrote Jack Royer, an HP malware analyst intern, in a post on the HP Threat Research Blog published this week.

"ChromeLoader used in the Shampoo campaign is very similar; it tricks victims into downloading and running malicious VBScript files from websites, eventually leading to the installation of a malicious Chrome browser extension," he explained. "This campaign is very similar to ChromeLoader, in terms of its infection chain, distribution, and objective," with the two sharing code similarities and the ad-monetization feature.

One notable feature of Shampoo that's different than the original ChromeLoader is how it uses the browser's Task Scheduler to achieve persistence, by setting up a scheduled task to re-launch itself every 50 minutes, they said.

The script runs a PowerShell script that sets up the scheduled task, running a looping script every 50 minutes that downloads and runs another PowerShell script, the researchers said. This script downloads and installs the malicious ChromeLoader Shampoo extension that, once attached to a Chrome session, starts sending sensitive information back to a command and control (C2) server.

"This persistence mechanism allows the malware to remain active despite reboots or the script being killed by a security tool or user," Royer wrote.

**Inside the Shampoo ChromeLoader Infection Chain**

Users who encountered Shampoo did so by downloading illegal content from the Internet, such as movies, video games, or other files, from websites that offer pirated files, the researchers said. Victims are tricked into running malicious VBScripts that they think are pirated wares — for example, Cocaine Bear.vbs or Your download is ready.vbs — which triggers the infection chain, the researchers noted.

"The extension is heavily obfuscated and contains many anti-debugging and anti-analysis traps," with its author appearing to have used a free online JavaScript obfuscator to make the malware harder to detect, Royer wrote.

Other malicious activities that ChromeLoader Shampoo carries out on a victim's machine include disabling search suggestions in the address bar; redirecting Google, Yahoo, and Bing searches to the C2; logging the victim's last search query in Chrome's local storage; and logging the last search query in Chrome's local storage and preventing victims from accessing chrome://extensions by redirecting them to chrome://settings, likely to stop them from removing the extension, the researchers said.

The persistence mechanism that sets up the scheduled looping task also unregisters a list of tasks prefixed with "chrome\_" — such as "chrome engine," "chrome policy," and "chrome about," the researchers noted. "This is likely done to remove any previous or competing version of the same malware," Royer wrote.

**Be Wary of Illegal Downloads**

Though the first version of ChromeLoader was similar to Shampoo in that it was mainly aimed at hijacking browser sessions and stealing victim data, it has since evolved into a more dangerous threat, with attackers now using it to drop ransomware, steal data, and crash systems at enterprises.

It's unclear if the Shampoo variant also will be leveraged in this way in the future. However, the researchers advised that people shouldn't take chances, and provided tips for how to avoid infection as well as a list of indicators of compromise in the post.

One obvious way to avoid compromise by the Shampoo variant is not to download pirated material from the Internet, and to avoid downloading any files from untrusted websites in general, they said. This is particularly true for employees using Chrome in a corporate environment, who should be particularly wary of downloading anything from the Internet via a corporate network (or onto a shared work/personal device), lest it spread throughout an organization.

Organizations should also configure email gateway and security tool policies to block files from unknown external sources as added protection, advised Patrick Schläpfer, malware analyst at the HP Wolf Security threat research team, in a press statement.

'Shampoo' ChromeLoader Variant Difficult to Wash Out

Organizations that remain compliant with data-sovereignty regulations while enabling cross-border data sharing gain significant competitive advantage because they can make quick, agile, and informed decisions.

Since the dawn of the digital age, businesses have worked under the assumption that data is like water. It is the source of nourishment for business operations. It's been free-flowing – with little to no limitations on how it's collected, stored, processed, and moved. But today, that tap has been turned off, rivers rerouted, and dams created by privacy regulations blocking an essential business element.

Companies have built global businesses by sharing data, and decades of globalization are being reversed by privacy regulations. In the wake of data privacy's growing momentum through data sovereignty laws, they must now learn how to deliver the same level of customer service, meet delivery deadlines, and communicate across supply chains while remaining compliant. This leaves organizations needing to balance seemingly opposing goals: advancing business with data sharing, artificial intelligence (AI), and machine learning, while maintaining compliance.

May 2023 marked the fifth anniversary of the first (and arguably most comprehensive) data privacy law — the European Union General Data Protection Regulation (GDPR). Over 130 similar laws have passed since, with many more on the horizon. For example, Canada's Digital Charter Implementation Act, India's Digital Personal Data Protection (DPDP) bill, the Colorado Privacy Act (CPA), and the Utah Consumer Privacy Act (UCPA) go into effect this year. While consumers hail the laws' protections, organizations accustomed to collecting, using, and sharing data across borders struggle to balance compliance with meeting business needs.

**Compliance Challenges**

Businesses have long understood that data sharing has limits (or borders). Legal separations keep data from various subsidiaries distinct or limit sharing between partners to specific data types. Multi-tenant software applications often require logical partitions to keep customer data private. What is rapidly changing are new data sovereignty laws, often cloaked as "data privacy" regulations, that enforce geographic boundaries on where data is processed and stored. Businesses must comply with the laws of each country where they operate, and data sovereignty presents a clear compliance challenge as companies hurry to rethink how and where they safely acquire personal data to share and protect.

Countries enacting regulations keeping personal data inside their borders may deem their citizens' data of strategic national importance. More commonly, it's an enforcement mechanism that acknowledges personal data as an asset owned by individuals that businesses must use and share according to that country's laws. Recent data sovereignty requirements cannot be easily bypassed or pushed to the consumer's consent. They must be followed, making adhering to those policies while conducting business a significant challenge. Companies operating on a global scale need to move and process sensitive data across complex legal, corporate, geopolitical, and regulatory boundaries. Data localization puts their cloud strategies at risk.

**The Cost of Doing Business Across Borders**

Organizations face significant costs due to operating under data sovereignty laws. The most expensive is duplication of technology, people, or resources to meet sovereignty requirements. To comply with regulations, businesses often duplicate internal resources across regions or countries, ensuring data remains within its original jurisdiction. However, failing to take active measures to protect personal data can result in hefty fines.

Recently, the European Court of Justice imposed a $1.3 billion fine on US-based Meta for not adequately protecting EU citizens' personal data. Meta used "standard contractual clauses," a common technique that relies on contract language as an obligation rather than technical controls. However, the court found this approach to be insufficient for GDPR compliance. Therefore, robust data protection mechanisms are essential for companies to avoid costly fines and safeguard customer data.

Using expensive third-party data processors for localization requirements is another issue. While this diminishes compliance risks, it increases security risks due to sharing data with another party. Legacy technologies, including dynamic data masking, access control lists, and file-based protection methods, were not built to tackle today's compliance requirements.

Community and national leaders may argue that the extra costs to comply with sovereignty laws are the price of doing business. But for many, those costs could be too high.

**Solutions for Reintegrating Borderless Data**

As the Information Technology and Innovation Foundation states, "Data is the lifeblood of the modern global economy….Businesses use data to create value, and many can only maximize that value when data can flow freely across borders." However, for borderless data and data sovereignty to coexist, businesses must find compliant ways to enable cross-border data sharing. That's where tokenization comes in.

By tokenizing data, businesses can secure it while allowing different users and companies to access it, all while maintaining compliance with local regulations. An important ruling by the General Court of the European Union in April highlights the relevance of this issue. In GCEU Court Case T-557/20, SRB v EDPS, the court held that pseudonymized data transmitted to a data recipient would not be considered personal data if the data recipient does not possess the legal means to reidentify the data subject. This ruling has significant implications for companies with transborder data flows, making finding compliant ways to enable cross-border data sharing even more critical.

In a broader sense, for companies to achieve efficient global compliance, they need centralized data policy, logging, auditing, and monitoring that deliver efficiencies at scale to meet data sovereignty requirements for applications. Automated systems that offer centralized, continuous protection, audit, and compliance for personally identifiable information (PII) will reduce compliance costs and open new opportunities for businesses to compete on data. By federating the implementation of data security and privacy to more abundant resources, organizations can reduce costs.

**Policy and Commerce Can Co-Exist**

Data sovereignty laws constantly change as technology and digital trends evolve. Therefore, organizations can't fall back on a "one-and-done" approach to compliance. It's essential to continually monitor and adjust to changing laws. Organizations that remain compliant while enabling borderless data gain a significant competitive advantage because they can make quick, agile, and informed decisions about customers and products in existing markets. In addition, the ability to share data across new regions opens new markets worldwide.

Ultimately, by complying with privacy and security regulations, organizations can protect customer data, build trust, and enhance their reputation, leading to increased customer loyalty. Loyalty equals revenue, and revenue equals long-term success.

Borderless Data vs. Data Sovereignty: Can They Co-Exist?

NetSecOpen recently released a new draft of its testing and benchmarking guide, which could be adopted later this year.

Despite slow progress, NetSecOpen — a group of network security companies and hardware testing organizations — aims to have its testing and benchmark standards in place by later this year.

The group published the latest version of its network security testing standard for next-generation firewall technology in May to gather feedback as the group moves toward a final version. The end result will be a consensus method for testing and benchmarking network security appliances that allows comparisons of different vendors' devices, even if they are evaluated by different third parties, says Brian Monkman, executive director of NetSecOpen.

"What we're working on accomplishing here is something that's never been done — setting up standard test requirements that can be executed by multiple labs using different test tools and getting comparable results," he says. "It's something analogous to when the miles per gallon ... had different approaches and ... they tested things differently and so they forced the creation of a standard. That's kind of what we're doing here."

Established in 2017, NetSecOpen aims to ease the tension between product makers and test labs, which have occasionally become rancorous. Members include large network security firms — including Cisco Systems, Fortinet, Palo Alto Networks, and WatchGuard — as well as testing equipment makers, such as Spirent and Ixia, and evaluators, such as the European Advanced Networking Test Center (EANTC) and the University of New Hampshire InterOperability Laboratory (UNH-IOL).

While the latest standards document is published as part of the Internet Engineering Task Force (IETF) process, the eventual guidelines will not be an Internet standard to which equipment makers must adhere, but a common approach to testing methodology and configurations that improve the reproducibility and transparency of resulting tests.

The current testing standards for firewalls published by the IETF (RFC3511) are 20 years old, and the technology has changed dramatically, NetSecOpen stated in its draft (RFC9411).

"Security function implementations have evolved and diversified into intrusion detection and prevention, threat management, analysis of encrypted traffic, and more," the draft states. "In an industry of growing importance, well-defined and reproducible key performance indicators (KPIs) are increasingly needed to enable fair and reasonable comparisons of network security functions."

**Real-World Test Cases**

The NetSecOpen tests aim to use real-world data to pit the latest network security appliances against realistic network loads and security threats. The attack traffic test set, for example, brings together common vulnerabilities that have been used by attackers in the past decade.

The NetSecOpen draft recommends specific test architectures, traffic mixes between IPv4 and IPv6, and enabled security features. However, other aspects of testing include required elements, such as the capabilities of emulated browsers, attack traffic that targets a specific subset of known exploitable vulnerabilities, and tests of a variety of throughput performances, such as application traffic, HTTPS requests, and quick UDP Internet connections (QUIC) protocol requests.

Network security firm Palo Alto Network, a founding member of NetSecOpen, actively collaborates with NetSecOpen to "create the tests and actively participate in testing our firewalls using those tests," says Samaresh Nair, director of product line management at Palo Alto Networks.

"The testing process is ... standardized with accredited test houses," he says. "Customers can use it to evaluate various products with standardized results tested similarly."

The vulnerabilities test sets are in the process of being updated because the Cybersecurity and Infrastructure Security Agency (CISA) demonstrated that smaller, noncritical vulnerabilities can be strung together into effective attacks. The organizations had previously dismissed many of those vulnerabilities as a lesser threat, but attack chain data CISA collected show that attackers will adapt.

"There's definitely a class of CVEs out there that we, in the past, would have ignored, and we need to pay attention to those simply because vulnerabilities are being strung together," NetSecOpen's Monkman says. "That's going to be really the biggest challenge that we have because the CISA KEV vulnerability list might grow."

**Cloud Up Next**

In addition to new mixes of vulnerabilities — such as those that are currently targeting the education and healthcare sectors — NetSecOpen is looking to include detection of command-and-control channels used by attackers, as well as ways of preventing infection and lateral movement.

Testing the security of cloud environments — such as distributed cloud firewalls and Web application firewalls — is also on the future blueprint, says Chris Brown, technical manager at UNH-IOL, which joined NetSecOpen in 2019.

"Cloud would not change NetSecOPEN’s mission for well-defined, open, and transparent standards, but rather expand the products currently tested," Brown says. "In the foreseeable future, network perimeter defense will still be necessary despite the many benefits of cloud computing."

Network-Security Testing Standard Nears Prime Time

Attackers continue to attempt to steal Bitcoin and other virtual coins, with a 40% increase in phishing attacks and fourfold increase in incidents.

Cryptocurrency continues to be a favorite target of attackers, with attacks targeting Bitcoin and other currencies growing at a robust pace.

In the recently released "2023 Data Breach Investigations Report" (DBIR), Verizon noted that attacks in its dataset that specifically target cryptocurrency data grew 300%, to 48 incidents reported, up from 12 in 2022. Whether the trend continues this year remains to be seen, says David Hylender, senior manager of threat intelligence for Verizon.

"The crypto boom presented many opportunities for attackers to gain access to many valuable crypto assets," Hylender says. "However, the circumstances have changed somewhat over the past year, and they may result in corresponding changes in the degree that attackers will be targeting this type of data."

Of the attacks submitted to the Verizon DBIR, about half used an exploit, more than 40% used stolen credentials, and about a quarter incorporated a phishing attack, according to the report. While some of the attacks — more than 10% — used email as a vector, most compromised the user's account through the Web application or an application programming interface, the report stated.

Verizon's Hylender cautioned that the company had received only dozens of reports, much smaller than the hundreds or thousands of other types of compromises the company analyzed from other sources.

"We caveat in the report that although it has seen a fourfold increase, it is still a relatively small number compared to all other data types," he says.

**Volatile Markets, Stable Cybercrime**

Over the past decade, cryptocurrency has become an integral part of the cybercriminal ecosystem, allowing would-be attackers to pay for a variety of offensive-security services and receive payments from ransomware victims. Increasingly, the potential for quick and substantial financial gains has attracted speculative investors, who are, in return, targeted by scammers aiming to exploit this enthusiasm for their own benefit, says Kurt Baumgartner, a principal security researcher with Kaspersky.

"Cryptocurrency enables cybercrime in multiple ways," Baumgartner says. "We've seen cryptocurrency exchanges pilfered, cryptocurrency trading apps Trojanized and their related websites compromised for use as command-and-control, cryptocurrency used by cybercrime individuals and groups for employment and services payments, ... and cryptocurrency used as an easily laundered method of sometimes massive payment by victims in the millions for ransomware and other extortion crimes."

Even as the value of cryptocurrency fluctuates wildly in the market, it remains a popular financial instrument for cybercriminals to use _and_ abuse. Last year, the number of cryptocurrency-related phishing attacks targeting Kaspersky customers grew 40% to 5 million, up from 3.6 million in 2021, the company stated.

One campaign used a Trojanized Tor browser to steal cryptocurrency from more than 15,000 users in 52 countries, valuing at least $400,000, according to Kaspersky's research. In another campaign, cyber thieves used a loader dubbed DoubleFinger to install a Trojan — dubbed GreetingGhoul — that replaces the login window of common cryptocurrency wallets with an information-collecting duplicate.

"DoubleFinger, coupled with GreetingGhoul, is an advancement for crime elements both in terms of stealth technology and targeting when it comes to cryptocurrency theft," Kaspersky's Baumgartner says. "As cryptocurrency continues to be a highly valued object of online theft efforts, with individuals protecting themselves with cold wallets and the like, malware like these demonstrate serious advancement both in malicious technologies and techniques."

Cryptocurrency Attacks Quadrupled as Cybercriminals Cash In

Microsoft says Cadet Blizzard wielded a custom wiper malware in the weeks leading up to Russia's invasion of Ukraine, and it remains capable of wanton destruction.

A threat actor that played a key role in the leadup to the Russian invasion of Ukraine was identified on June 14. Activity from the "Cadet Blizzard" advanced persistent threat (APT) peaked from January to June of last year, helping to pave the way for military invasion.

Microsoft detailed the activity in a blog post. Most notable among the APT's actions were a campaign to deface Ukrainian government websites, and a wiper known as "WhisperGate" that was designed to render computer systems completely inoperable.

These attacks "prefaced multiple waves of attacks by Seashell Blizzard" — another Russian group — "that followed when the Russian military began their ground offensive a month later," Microsoft explained.

Microsoft connected Cadet Blizzard with Russia's military intelligence agency, the GRU.

Identifying the APT is a step towards fighting Russian state-sponsored cybercrime, says Timothy Morris, chief security advisor at Tanium, "however, it is always more important to focus on the behaviors and tactics, techniques, and procedures (TTPs) and not solely upon who is doing the attacking."

**Cadet Blizzard's Behaviors & TTPs**

Generally, Cadet Blizzard gains initial access to targets through commonly known vulnerabilities in Internet-facing Web servers like Microsoft Exchange and Atlassian Confluence. After compromising a network, it moves laterally, harvesting credentials and escalating privileges, and using Web shells to establish persistence before stealing sensitive organizational data or deploying extirpative malware.

The group doesn't discriminate in its end goals, aiming for "disruption, destruction, and information collection, using whatever means are available and sometimes acting in a haphazard fashion," Microsoft explained.

But rather than being a jack of all trades, Cadet is more like a master of none. "What's perhaps most interesting about this actor," Microsoft wrote of the APT, "is its relatively low success rate compared with other GRU-affiliated actors like Seashell Blizzard \[Iridium, Sandworm\] and Forrest Blizzard (APT28, Fancy Bear, Sofacy, Strontium\]."

For example, compared to wiper attacks attributed to Seashell Blizzard, Cadet's WhisperGate "affected an order of magnitude fewer systems and delivered comparatively modest impact, despite being trained to destroy the networks of their opponents in Ukraine," Microsoft explained. "The more recent Cadet Blizzard cyber operations, although occasionally successful, similarly failed to achieve the impact of those conducted by its GRU counterparts."

All this considered, it's no surprise that the hackers also "appear to operate with a lower degree of operational security than that of longstanding and advanced Russian groups," Microsoft found.

**What to Expect From the Cadet Blizzard APT**

Though centered on matters related to Ukraine, Cadet Blizzard operations aren't particularly focused.

Besides deploying its signature wiper and defacing government websites, the group also operates a hack-and-leak forum called "Free Civilian." Outside of Ukraine, it has attacked targets elsewhere in Europe, Central Asia, and even Latin America. And besides government agencies, it often targeted IT service providers and software supply chain manufacturers, as well as NGOs, emergency services, and law enforcement.

But while they may have a messier operation in certain ways, Sherrod DeGrippo, director of threat intelligence strategy at Microsoft, warns that Cadet Blizzard is still a fearsome APT.

"Their goal is destruction, so organizations absolutely need to be equally worried about them, as they would other actors, and take proactive measures like turning on cloud protections, reviewing authentication activity and enabling multifactor authentication (MFA) to protect against them," she says.

For his part, Morris recommends that organizations "start with the basics: strong authentication — MFA,

FIDO keys where necessary — implement principle of least privilege; patch, patch, patch; ensure your security controls and tools are present and working; and train users frequently."

Russian APT 'Cadet Blizzard' Behind Ukraine Wiper Attacks

St. Margaret's Health is shutting down due to a 2021 ransomware attack and other factors. It's an object lesson for how small and rural healthcare facilities face grave cyber-risk when extortionists come calling.

An Illinois hospital's decision to cease operations later this week at least partly because of a 2021 ransomware attack that crippled operations for months is a stark reminder of the sometimes-existential threat that online extortion campaigns can pose.

That's especially true for resource-strapped small and rural hospitals.

St. Margaret's Health (SMH) will permanently close its hospitals, clinics, and other facilities at Spring Valley and Peru, Ill. this Friday, June 16, after serving the community for 120 years. Multiple factors led to the decision, including unprecedented expenses tied to the COVID-19 pandemic, low patient volumes tied to social-distancing mandates, and staff shortages that forced the health system to have to rely on temporary staffing agencies.

But the February 2021 ransomware attack on its systems at Spring Valley had a big part to play; they  catastrophically impacted the hospital's ability to collect payments from insurers for services rendered, and the attack forced a shutdown of the hospital's IT network, email systems, its electronic medical records (EMR) portal, and other Web operations.

**A Contributing Factor**

SMH vice president of quality and community services Linda Burt says the attack lasted four months, during which employees had no access to the IT system, including email and the EMR system. 

"We had to resort to paper for medical records. It took many months, and in some service lines, almost a year to get back online and able to enter any charges or send out claims," Burt says. "Many of the insurance plans have timely filing clauses which, if not done, they will not pay. So, no claims were being sent out and no payment was coming in."

SMH is the latest to make the list that security analyst and researcher Adrian Sanabria maintains of organizations that were forced out of business because of a cyberattack over the past two decades. The list currently comprises 24 organizations — many of them small — across multiple sectors. Among the names in the list is payment processing firm CardSystems, which closed in 2005 following a data breach that exposed sensitive data associated with some 40 million credit cards; security firm HBGary which went kaput in 2011 after hackers broke into its systems and leaked information about the company; and Brookside ENT and Hearing Center which shut down in 2019 following a ransomware attack. Significantly, 10 of the cyberattacks on Sanabria's list are ransomware-related and all of those happened after 2014, when ransomware really started ramping up.

**St. Margaret's Won't be the Last Ransomware Casualty**

Joshua Corman, former CISA chief strategist and current vice president of cyber safety strategy at Claroty, expects what happened at SMH will happen to other hospitals, especially smaller ones and those located in rural areas. Corman, who was part of a CISA COVID-19 task force that looked into the potential correlation between excess hospital deaths and ransomware, says the hospitals most expected to close are those that are situated the farthest away from other hospitals and alternative care options.

"Small and rural hospitals already face significant financial strains from the last few years of \[the\] pandemic and very few have much cash-on-hand reserves for unplanned disruptions," Corman says. "Ransomware attacks can disrupt operations for weeks and months and can, therefore, represent the straw that breaks the camel's back."

A couple of factors might be exacerbating the situation. Often many small, midsized, and rural hospitals lack a full-time security staff. They also have a harder time getting cyber insurance, and when they do, it can cost more for less coverage. 

"Congress and the White House are exploring relief, and it's long overdue," Corman says. 

In the meantime, policy-makers and industry stakeholders need to find a way to raise the bar on cyber-hygiene in material ways, and provide financial assistance for smaller, target-rich, but cyber-poor entities. "Ransomware attacks represent a new, man-made, but material hazard deserving of Board-level attention," Corman says. "This hazard could drive smaller and rural hospitals into closure."

Mike Hamilton, former CISO for the City of Seattle and currently in the same role at healthcare cybersecurity firm Critical Insight, says it's unclear if the attack on SMH was opportunistic or targeted in nature. However, even healthcare entities like SMH, which likely don't have the ability to pay a ransom even if they wanted to, can become a target if the threat actor knows it carries cyber insurance, Hamilton says. "Knowing that organizations have cyber insurance allows threat actors to set the extortion demand just under the threshold for the cost of rebuild and recovery," he notes.

**Advocating for State & Federal Assistance**

Like Corman, Hamilton too views a cyberattack that disrupts operations as existential for healthcare providers that are already operating on thin margins.

Corman advises administrators and top management at smaller and rural healthcare systems to advocate for assistance from state and federal authorities. "To aid in minimizing risk, these systems should engage their regional CISA and HHS resources along with the FBI," Corman notes. They can also focus on prioritizing patching of CISA's Known Exploited Vulnerabilities and take advantage of some of the free cybersecurity tools that CISA offers such as Cyber Hygiene Scanning (CyHy) and Cyber Essentials.

Hamilton says healthcare IT teams need to limit employee access to the Internet from a healthcare environment as much as possible. "Use the analogy of a control room that operates a dam that generates power — no Internet access, period," he says. "Most attacks start with user action and limiting that access can have an outsized effect on prevention."

Illinois Hospital Closure Showcases Ransomware's Existential Threat

Microsoft quickly issued patches for the two security issues, which could allow unauthorized access to cloud sessions.

Two cloud security vulnerabilities — in Azure Bastion and Azure Container Registry — were found in Microsoft Azure's services, which "allowed an attacker to achieve cross-site scripting (XSS) by using iframe-postMessages \[and\] allowed unauthorized access to the victim's session within the compromised Azure service iframe," according to Orca Security.

Orca notified the Microsoft Security Response Center (MSRC) immediately upon discovery of the bugs. MSRC was able to reproduce the issues after it was notified of the vulnerabilities' existence in order to patch and verify them.

Cross-site scripting (XSS) is an event in which a threat actor injects malicious scripts into a credible website, ultimately executed by users' browsers unknowingly. At that point, this can lead to severe consequences, noted Orca Security, as threat actors can gain unauthorized access, compromise network systems, or even steal data.

However, "these vulnerabilities require a victim to be lured into visiting a compromised endpoint that the malicious actor controls," commented David Lindner, CISO at Contrast Security, in an emailed statement. "Should Microsoft fix this? Most likely, but I would not call these severe by any means. If anyone gets lured into an attacker-controlled endpoint, all bets are off anyway."

The fixes were automatic, so no further action is required from Azure users, but they may want to look for signs of compromise.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

XSS Vulnerabilities Found in Microsoft Azure Cloud Services

CISOs need to be better equipped with strategic metrics and proof points to better align their organization for defense against the ever-changing threat landscape.

As someone who has been in the cybersecurity industry for nearly two decades, I find it refreshing to see federal entities are putting more focus on the changes that need to happen to keep organizations secure. With the Department of Defense (DoD), Cybersecurity and Infrastructure Security Agency (CISA), and White House all releasing updated cyber guidelines and policies, a newfound — and much-deserved — sense of urgency and importance has been placed around cyber defenses, preparedness, and skilled talent.

Similarly, the long-anticipated proposed new cybersecurity requirements from the US Securities and Exchange Commission (SEC) allude to an impending incident disclosure rule and proof of cybersecurity expertise on company boards. While we await the final language, I believe these requirements are a step in the right direction for up-leveling transparency and communication, ultimately emphasizing how cybersecurity is a business imperative across all industries.

But with one important caveat.

As much as the added pressure from the SEC and other government agencies on timely reporting and disclosure is a needed force for change, many organizations aren't equipped to handle this level of oversight and reporting. Many security leaders currently lack the means to gather evidence to share with boards and executive leadership, resulting in fewer than 60% flagging breach readiness and incident response results. What's more, more than half of security leaders (55%) agree their cybersecurity team doesn't have the data needed to demonstrate readiness to properly respond to cyber threats.

**The Search for Better Approaches**

To comply with government guidelines, organizations must invest in more effective ways of building and proving cyber capabilities across teams through practical exercises. Organizations must make a paradigm shift in their approach to cybersecurity that comprises the following actions:

**1\. Provide specific metrics to prove resilience and capabilities.** Despite proof points and actionable metrics laying the foundation of nearly every other business function, measurement is practically nonexistent when it comes to identifying faults and strengths of organizations' cybersecurity postures. To advance an organization's cyber resilience, cybersecurity teams need better methods to assess and prove their capabilities and resilience, especially when you consider most cybersecurity leaders can agree their organization's board is placing more pressure on their cybersecurity team to prove cyber resilience.

Without metrics to gauge efficacy, how do leaders know whether costly training investments in training are worthwhile? So while teams have the right risk management tools and conduct breach readiness assessments, they aren't sufficiently assessing or training for resilience.

**2\. Move away from technological "spot solutions."** As the threat landscape continues to evolve, most security leaders are turning to more tech tools to add to their ever-growing tech stacks to prove their cybersecurity strength to key stakeholders. Implementing "spot solutions" is likely to leave holes in an organization, making it vulnerable to attackers. There are tools available that combat nearly every security challenge these days, but a plug-and-play approach isn't the most effective system.

Chief information security officers (CISOs) should consider consolidating their tools to mitigate complexity. Even so, a streamlined solution can't be the sole line of defense. One of Gartner's predictions for 2023 is that challenges confronting CISOs will evolve beyond technology, cybersecurity, and controls — and instead anticipates there will be a focus on the human element. Security tech solutions must be coupled with a battle-tested and capable workforce to be effective in responding to cyber threats if — and when — they do happen.

**3\. Put your people first in your approach to effective cybersecurity.** Adopting a people-centric, proactive cybersecurity approach puts organizations in a better position to combat cyber threats and prove resilience to boards and company leadership. While organizations may be investing in traditional cybersecurity training methods like certifications, table-top exercises, and classroom work, these tactics are largely insufficient to combat current cyberattacks, particularly with the recent surges in ransomware and generative AI technologies. I'm not alone in thinking this — despite the increase in training investments, 80% of cyber leaders don't believe their teams have the capabilities to respond to future attacks.

To address the ongoing staffing challenges and talent gap, cyber leaders should reevaluate hiring practices. HR and hiring managers are over-relying and overemphasizing certifications, rejecting qualified applicants or creating a costly barrier to entry for early career and diverse security talent.

To meet these new expectations, CISOs must be better equipped with strategic metrics and proof points to better align their organization for defense against the ever-changing threat landscape. Our current approach to cyber readiness and resilience needs some work — but it's promising to see that cybersecurity and its leaders are finally getting its seat at the head of the table. The sheer concept of multiple federal entities making a concerted effort to emphasize the need for communication and proof is promising momentum in the right direction.

Moving the Cyber Industry Forward Requires a Novel Approach

As business email compromise attacks continue to grow and become increasingly sophisticated, is your secure email gateway providing sufficient protection?

Email has always been an attractive target for cybercriminals in search of a money grab. Over the years, we’ve seen email attacks of all flavors — from basic spam and virus attacks, to mass phishing emails containing malware, to today’s attack du jour: business email compromise (BEC).

These attacks have evolved far beyond the Nigerian prince or CEO gift card scams typically associated with BEC. Now, cybercriminals are implementing increasingly sophisticated tactics — including vendor impersonation, spoofed domains, and local translations — to secure their payday.

And the rise of generative AI tools like ChatGPT has added even more power to attackers' arsenals, upleveling their ability to write more convincing emails at even greater scale. By inputting specific information about their targets, or snippets of previous conversation history, generative AI can help threat actors become better at engaging in highly realistic conversations with their victims.

Whether their endgame is convincing a target to pay a fake invoice, reroute payments to a different bank account, or share access to sensitive information, BEC attacks are confronting organizations of all sizes and across all industries, and costing billions of dollars. And even though employees are more aware of these scams, losses from BEC are continuing to increase year over year — costing $2.7 billion in 2022 alone.

Why? Because cybercriminals are getting smarter, and the tools put in place to stop them simply aren’t working like they should.

**The SEG Challenge**

Despite the rate at which BEC tactics are evolving, traditional secure email gateways (SEGs) have been slow to keep up. That’s because they’re designed to block attacks based on detection of known threat signatures, like malicious attachments or links and bad sender domains. This worked well when high-volume malware campaigns were common, but as savvy cybercriminals discovered how the SEG worked, they quickly learned how to outwit it.

Today, even inexperienced, non-technical hackers can bypass SEG detection, simply by sending text-based, socially engineered emails that omit traditional indicators of compromise — blending right in with ordinary inbox content. And not only does SEG miss sophisticated attacks, it also requires manual management that can drain the productivity of security teams that need to be focused on managing the most critical cybersecurity incidents.

So, how do you stop these BEC attacks, without requiring more time and resources from your team? One strategy to consider is replacing the SEG entirely.

**Behavioral AI to Better Secure Inboxes**

But if you’re going to sunset your SEG, what do you replace it with?

The problem with the SEG model is that it looks for known-bad indicators of compromise, which are constantly changing. What if you flipped this approach on its head — instead, learning what known-normal activity looks like to spot deviations that might indicate a potential attack?

This is how behavioral AI-based email security works. By ingesting behavioral signals across the email environment — like each user’s typical sign-in times and locations, the colleagues and vendors they ordinarily interact with, and the tone and language they tend to use in their emails among thousands of other signals — behavioral AI creates a system that learns and dynamically monitors baseline behaviors.

Any variation from the norm, no matter how subtle or novel, may indicate a social engineering attack — and can be remediated automatically before it reaches the target’s inbox.

**SEG Displacement in Action**

The benefits of swapping a SEG for a behavioral AI approach have been proven, too. Let's take a look at a couple examples.

Healthcare providers are appealing targets for cybercriminals that are after patient data, and the resulting data breaches are the costliest of any industry, especially given their hefty regulatory penalties.

Elara Caring, one of the largest home healthcare providers in the US, experienced this threat firsthand, when advanced phishing emails were bypassing its SEG, leaving employees struggling to decipher whether emails were authentic or attacks. Upon transitioning to a behavioral AI-based model, Elara Caring’s security team stopped hundreds of attacks in the first 90 days alone, including credential phishing attacks, attempts to trick the payroll team into directing paychecks to fraudulent accounts, and executive impersonation attacks.

Behavioral AI also helps organizations recoup inefficiencies caused by the SEG. At Saskatoon Public Schools, the largest school division in Saskatchewan, Canada, the security team was spending half a day or more on manually remediating attacks. After implementing behavioral AI-based security, in three months, the team detected and auto-remediated more than 25,000 attacks, saving the team hundreds of hours each month.

SEGs have served their purpose well, but as email attacks become more sophisticated by the day, it’s time for a new approach. The organizations that can modernize their email security accordingly will be in the best position to protect against the threats of today and what’s to come.

Sixty-five percent of Abnormal customers no longer use an SEG. Visit this page for more information about companies that have displaced their SEGs.

**Author the Author**

    

Mike Britton is the CISO of Abnormal Security, where he leads information security and privacy programs. Prior to Abnormal Security, Mike spent six years as the CSO and Chief Privacy Officer for Alliance Data. He brings 25 years of information security, privacy, compliance, and IT experience from a variety of Fortune 500 global companies. He holds an MBA with a concentration in Information Assurance from the University of Dallas.

Why Your SEG Could Be Your Email Security Achilles' Heel

Users urged to apply updates to FortiOS SSL-VPN after attackers may have leveraged a recently discovered vulnerability in attacks against government, manufacturing, and critical infrastructure organizations.

Attackers may have exploited a flaw in Fortinet's FortiOS SSL-VPN in "a limited number of cases" that affected users in government, manufacturing, and critical infrastructure sectors.

Fortinet issued a fix for the vulnerability, tracked as CVE-2023-27997/FG-IR-23-097) and rated as critical, that it's urging customers to apply as they "monitor the situation," the company said in a blog post published this week.

Exploitation of the flaw can produce "data loss and OS and file corruption" for victims, which is why it's imperative for customers affected to update systems, according to Fortinet.

"If the customer has SSL-VPN enabled, Fortinet is advising customers to take immediate action to upgrade to the most recent firmware release," Carl Windsor, Fortinet's senior vice president, product technology, wrote in the post. "If the customer is not operating SSL-VPN the risk of this issue is mitigated — however, Fortinet still recommends upgrading."

The heap-based buffer overflow, pre-authentication vulnerability affects FortiOS and FortiProxy SSL-VPN and can allow unauthenticated attackers to gain remote code execution (RCE) via maliciously crafted requests, according to Fortinet. FortiOS firmware versions 6.0.17, 6.2.15, 6.4.13, 7.0.12, and 7.2.5 — released by the vendor on Friday — patch the vulnerability.

Fortinet found the flaw in an audit of its SSL-VPN platform after the rampant exploitation of another vulnerability, CVE-2022-42475 — which upon discovery was a zero-day bug — in January.

"This audit, together with a responsible disclosure from a third-party researcher, led to the identification of certain issues that have been remediated in the current firmware releases," Windsor wrote.

**Potential Links to Volt Typhoon**

Though attackers used a previously identified Fortinet vulnerability — FG-IR-22-377/CVE-2022-40684 — in the recently discovered Volt Typhoon campaign against US criticial infrastructure targets, Fortinet so far is not conclusively linking CVE-2023-27997 to this series of attacks, the company said in the post.

However, Fortinet claimed this does not preclude its use in the campaign, whether it's currently being exploited, or if attackers will leverage it in the future.

"Fortinet expects all threat actors, including those behind the Volt Typhoon campaign, to continue to exploit unpatched vulnerabilities in widely used software and devices," Windsor wrote.

Discovered by Microsoft, Volt Typhoon is a series of attacks in which China-sponsored threat actors established persistent access within telecom networks and other critical infrastructure targets in the US.

Volt Typhoon attackers used CVE-2022-40684 — an authentication bypass vulnerability found in Fortinet FortiOS and FortiProxy — for initial access, Fortinet confirmed. Indeed, Internet-facing Fortinet devices are a popular target for various threat actors as a way to gain a foothold into enterprise networks.

Specifically, Fortinet researchers discovered admin accounts named "fortinet-tech-support" and "fortigate-tech-support" in customer devices related to the Volt Typhoon campaign, the company said.

"Our own research, conducted in collaboration with our customers, has identified that the Volt Typhoon campaign uses a variety of tactics, techniques, and procedures (TTPs) to gain access to networks, including a widely used technique known as 'living off the land' to evade detection," Windsor wrote.

**Mitigations Beyond Patching**

While applying product updates is the key way to avoid compromise, Fortinet made other suggestions to help affected organizations resolve the issue. One is to review systems for evidence of exploitation of previous Fortinet vulnerabilities, such as the one exploited by Volt Typhoon, the company said.

Minimizing the attack surface by disabling unused features and managing devices via an out-of-band method wherever possible can also help companies avoid being targeted in attacks that exploit existing vulnerabilities, according to Fortinet.

Source

DARKReading