UAE security leaders warn that people, tech, and process gaps are exposing their organizations to cybercrime.

Source: Chroma Craft Media Group via Alamy Stock Photo

A vast majority of security chiefs in the United Arab Emirates believe their organization must improve how their teams, processes, and tech function in order to mitigate future cyberattacks.

Research by Trellix recently found that 96% of CISOs — who have experienced security incidents — feel improvements are needed, while 52% of respondents say their organization doesn't possess the technical knowledge to handle complex security incidents.

**Reliance on Manual Processes**

Forty-eight percent of security leaders believe that their organization is too reliant on manual processes, which hampers the mean time to detect and repair cyber incidents.

In addition to this, 44% blame the failure to fight cybercrime on poorly documented and implemented processes, with another 44% warning that disconnected security controls caused a lack of context.

Jake Moore, global cybersecurity adviser at ESET, says continual investment in protection is crucial for companies as cyber threats are increasingly sophisticated and common.

"Furthermore, now with the introduction of AI threats we are seeing cyberattacks become even more relentless and powerful," he says. "Companies need to bear in mind that the cost of recovery from an attack usually outweighs the cost of preventive security measures."

**Mind the Gaps**

While gaps in technical resources make it difficult for organizations to spot and respond to cybersecurity incidents, stretched or ill-equipped security teams also make this difficult. More than half of respondents (52%) cited gaps in their security capabilities as contributors to a security incidents experienced by their organization. 

Meanwhile, 44% admitted that they hadn’t properly configured their IT stacks or enabled their detection policies. A further 40% said their IT and security tools don't offer “adequate visibility” of incidents. 

Moore says: "Neglecting cybersecurity in terms of the people and process can leave a business dangerously exposed to preventable or mitigable attacks with potentially severe consequences."

**About the Author(s)**

Technology Journalist

Nicholas Fearn is a freelance tech journalist from the Welsh valleys. He's written for major outlets like Forbes, Financial Times, The Guardian, The Independent, The Telegraph, HuffPost and Business Insider, as well as tech publications like Gizmodo, TechRadar, Laptop Mag, Computer Weekly, ITPro and many more. When Nicholas isn't geeking over the latest gadgets and tech trends, he's probably listening to Mariah Carey on repeat.

Emirates CISOs Flag Rampant Cybersecurity Gaps

Saudi companies are seeking extra help in droves, because of a lack of tools and personnel.

Source: Hakan Gider via Alamy Stock Photo

More than half of Saudi Arabian companies plan to outsource their cybersecurity measures in the next year, as a lack of resources continues to plague the region.

Up to 58% of respondents plan to invest in different forms of outsourcing cybersecurity in the next 12 to 18 months as a measure to strengthen their posture, according to research from Kaspersky. Reasons given include a lack of necessary tools for threat detection (22%), and a shortage of internal IT security staff (34%).

Also, 42% plan to outsource their cybersecurity to managed service providers (MSPs), while 10% want the help of external consulting specialists.

The push for outsourcing comes as 71% of Saudi companies reported a cyber incident over the last two years, and 74% said the incidents were "serious."

**About the Author(s)**

Saudi Companies Outsource Cybersecurity Amid 'Serious' Incidents

A more proactive approach to fighting cyberattacks for US companies and agencies is shaping up under the CISA's proposal to emphasize real-time attack detection and response.

Source: Wavebreakmedia Ltd IFE-210813 via Alamy Stock Photo

COMMENTARY

The United States faces an ever-growing threat of cyberattacks on its critical infrastructure, government agencies, and private sector companies.

These attacks can have severe consequences, from the theft of sensitive information to the disruption of essential services. To effectively combat these threats, the US needs to adopt a comprehensive and proactive approach to cybersecurity, similar to the one taken by Germany with its IT-SiG 2.0 mandate.

Where are we now, and are we on the right track to adopt a similar mandate on this side of the Atlantic?

**The IT-SiG Approach Compared With the US's Current Capabilities**

One of the key features of the IT-SiG 2.0 mandate is its emphasis on real-time attack detection and response. This approach recognizes that preventing all cyberattacks is impossible and focuses on quickly identifying and mitigating the effects of successful attacks. This mitigation is achieved through advanced security technologies, such as intrusion-detection systems, security information and event management (SIEM) systems, and security orchestration, automation, and response (SOAR) systems, which can detect and respond to potential threats in near real time.

In contrast, the US has traditionally relied on patching vulnerabilities and responding to attacks after they have occurred and, ideally, been resolved. While this approach can effectively mitigate the effects of individual attacks, more is needed to keep pace with the rapidly evolving cyber-threat landscape. The US has needed a more proactive approach, like the IT-SiG 2.0 mandate, emphasizing real-time attack detection and response to stay ahead of potential threats.

**With This Strategy, Visibility Is Key**

Another critical aspect of the IT-SiG 2.0 mandate is its focus on improving visibility into the cybersecurity posture of organizations. Visibility is achieved through regular security assessments and penetration testing, which help identify vulnerabilities and weaknesses in an organization's systems and networks. By comprehensively understanding an organization's cybersecurity posture, the IT-SiG 2.0 mandate encourages organizations to identify issues and take steps to remediate them, improving overall security.

The United States has taken steps toward improving visibility into the cybersecurity posture of federal agencies with the Cybersecurity & Infrastructure Security Agency's Binding Operational Directive 23-01 in October 2022. However, this directive only applies to federal agencies and not to private-sector companies; many organizations may not have the same level of visibility into their cybersecurity posture as federal agencies.

According to Statista's Research Department, in the fiscal year 2020 the number of cybersecurity incident reports by federal agencies in the United States was over 30,000, around an 8% increase from the previous year.

To effectively combat cyber threats, it's essential that all organizations, not just federal agencies, have the necessary visibility into their cybersecurity posture. Therefore, the US should consider expanding the reach of Directive 23-01, like the IT-SiG 2.0 mandate, to include private-sector companies. This expansion would ensure that all organizations have visibility into their cybersecurity protection.

**Recent US Steps**

In brighter news, we might be beginning on the path toward a more effective national cybersecurity strategy akin to IT-SiG 2.0. In March, the Biden administration announced its National Cybersecurity Strategy. Among the plan's emphases are defending critical infrastructure; disrupting the ability for cybercriminals to attack agencies, organizations, and individuals; encouraging market forces to lead the way to broader security and resilience; and fostering international collaboration between private and public sectors to stay ahead of bad actors.

It appears the plan emphasizes less the cybersecurity tools that will be used and more the means of making sure they're being adopted and used correctly, shoring up weak links in complex business and government affairs. While the White House laid out this plan, a significant amount of the burden will fall on the shoulders of those most capable of fighting back against waves of cyberthreats — namely, the business world alongside the government. A redefinition of the "social contract" of cybersecurity seems to be what they're after here, with smaller businesses and individuals able to benefit from the processes put in place by larger organizations.

Taking up this plan and running with it, in August the Cybersecurity & Infrastructure Security Agency (CISA) released its Cybersecurity Strategic Plan for the fiscal years 2024 through 2026. "It's up to all of us, government and private sector, domestic and international, to execute \[the cybersecurity plan\]," Eric Goldstein, Executive Assistant Director for Cybersecurity wrote on the CISA website.

How does CISA's plan compare with IT-SiG 2.0? If we're going by real-time attack detection and visibility as the main driving points, then CISA's plan directly lines up, at least in concept. CISA's plan outlines three major goals: address immediate threats, harden the terrain, and drive security at scale.

So, visibility into vulnerabilities, quick real-time responses, and proactive mitigation of weaknesses that could be exploited are the primary focus. While this is still in plan form, it does seem like CISA has homed in on the same key points the IT-SiG 2.0 is going after.

**Looking Toward a More Secure Future**

Statista's Research Department found that in the first half of 2022, the number of data compromises in the US came in at 817 cases. Over 53 million individuals were affected by those data compromises, which included data breaches, data leakage, and data exposure.

The US faces an ever-growing threat of cyberattacks on its critical infrastructure, government agencies, and private sector companies. To effectively combat these threats, the United States needs to adopt a comprehensive and mandated approach to cybersecurity, similar to the one taken by Germany with its IT-SiG 2.0 mandate. This approach forces real-time attack detection and response, improves visibility into organizations' cybersecurity approach, and offers a solid beginning to a more secure digital world.

There's work to be done — by both government agencies and businesses, as the shift in the social contract implores everyone to do what they can — but by taking these first steps, the United States can improve its overall cybersecurity posture for all companies and better protect digital assets against potential threats.

**About the Author(s)**

CTO & Co-Founder, SecurityBridge

Ivan Mans is a long time SAP technology consultant, having worked in the SAP space since 1997 — the early days of R/3. In 2012, Ivan co-founded SecurityBridge, and in his current role as CTO, he is a motivated driver, inspires people, and pushes technology that contributes to the continuous innovation of the SecurityBridge Platform. In recent years, Ivan has been a regular speaker at SAP events, evangelizing SAP security.

The US Needs to Follow Germany's Attack-Detection Mandate

Apparently all it takes to get a chatbot to start spilling its secrets is prompting it to repeat certain words like "poem" forever.

Source: Ascannio via Shutterstock

Can getting ChatGPT to repeat the same word over and over again cause it to regurgitate large amounts of its training data, including personally identifiable information and other data scraped from the Web?

The answer is an emphatic yes, according to a team of researchers at Google DeepMind, Cornell University, and four other universities who tested the hugely popular generative AI chatbot's susceptibility to leaking data when prompted in a specific way.

**'Poem' as a Trigger Word**

In a report this week, the researchers described how they got ChatGPT to spew out memorized portions of its training data merely by prompting it to repeat words like "poem," "company," "send," "make," and "part" forever.

For example, when the researchers prompted ChatGPT to repeat the word "poem" forever, the chatbot initially responded by repeating the word as instructed. But after a few hundred times, ChatGPT began generating "often nonsensical" output, a small fraction of which included memorized training data such as an individual's email signature and personal contact information.

The researchers discovered that some words were better at getting the generative AI model to spill memorized data than others. For instance, prompting the chatbot to repeat the word "company" caused it to emit training data 164 times more often than other words, such as "know."

Data that the researchers were able to extract from ChatGPT in this manner included personally identifiable information on dozens of individuals; explicit content (when the researchers used an NSFW word as a prompt); verbatim paragraphs from books and poems (when the prompts contained the word "book" or "poem"); and URLs, unique user identifiers, bitcoin addresses, and programming code.

**A Potentially Big Privacy Issue?**

"Using only $200 USD worth of queries to ChatGPT (gpt-3.5-turbo), we are able to extract over 10,000 unique verbatim memorized training examples," the researchers wrote in their paper titled "Scalable Extraction of Training Data from (Production) Language Models."

"Our extrapolation to larger budgets suggests that dedicated adversaries could extract far more data," they wrote. The researchers estimated an adversary could extract 10 times more data with more queries.

Dark Reading's attempts to use some of the prompts in the study did not generate the output the researchers mentioned in their report. It's unclear if that's because ChatGPT creator OpenAI has addressed the underlying issues after the researchers disclosed their findings to the company in late August. OpenAI did not immediately respond to a Dark Reading request for comment.

The new research is the latest attempt to understand the privacy implications of developers using massive datasets scraped from different — and often not fully disclosed — sources to train their AI models.

Previous research has shown that large language models (LLMs) such as ChatGPT often can inadvertently memorize verbatim patterns and phrases in their training datasets. The tendency for such memorization increases with the size of the training data.

Researchers have shown how such memorized data is often discoverable in a model's output. Other researchers have shown how adversaries can use so-called divergence attacks to extract training data from an LLM. A divergence attack is one in which an adversary uses intentionally crafted prompts or inputs to get an LLM to generate outputs that diverge significantly from what it would typically produce.

In many of these studies, researchers have used open source models — where the training datasets and algorithms are known — to test the susceptibility of LLM to data memorization and leaks. The studies have also typically involved base AI models that have not been aligned to operate in a manner like an AI chatbot such as ChatGPT.

**A Divergence Attack on ChatGPT**

The latest study is an attempt to show how a divergence attack can work on a sophisticated closed, generative AI chatbot whose training data and algorithms remain mostly unknown. The study involved the researchers developing a way to get ChatGPT "to 'escape' out of its alignment training" and getting it to "behave like a base language model, outputting text in a typical Internet-text style." The prompting strategy they discovered (of getting ChatGPT to repeat the same word incessantly) caused precisely such an outcome, resulting in the model spewing out memorized data.

To verify that the data the model was generating was indeed training data, the researchers first built an auxiliary dataset containing some 9 terabytes of data from four of the largest LLM pre-training datasets — The Pile, RefinedWeb, RedPajama, and Dolma. They then compared the output data from ChatGPT against the auxiliary dataset and found numerous matches.

The researchers figured they were likely underestimating the extent of data memorization in ChatGPT because they were comparing the outputs of their prompting only against the 9-terabyte auxiliary dataset. So they took some 494 of ChatGPT's outputs from their prompts and manually searched for verbatim matches on Google. The exercise yielded 150 exact matches, compared to just 70 against the auxiliary dataset.

"We detect nearly twice as many model outputs are memorized in our manual search analysis than were detected in our (comparatively small)" auxiliary dataset, the researchers noted. "Our paper suggests that training data can easily be extracted from the best language models of the past few years through simple techniques."

The attack that the researchers described in their report is specific to ChatGPT and does not work against other LLMs. But the paper should help "warn practitioners that they should not train and deploy LLMs for any privacy-sensitive applications without extreme safeguards," they noted.

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Simple Hacking Technique Can Extract ChatGPT Training Data

Early disclosures related to September compromise insisted less than 1% of Okta customers were impacted; now, the company says it was all of them.

Source: Ilnur Khisamutdinov via Alamy Stock Photo

Identity access management vendor Okta has released an update following an investigation into a hack this fall on its systems, revising the number of impacted customers up from less than 1% to a staggering 100%.

A blog post dated Nov. 29 from Okta chief security officer David Bradbury explained that an analysis of a breach from September revealed that an unauthorized user was able to run a report on Sept. 28 containing data on every user of Okta's customer support system, which leaked the following data: company name, contact information, user name, role description, and a "collection of other data." This type of information could be useful to threat actors in launching social engineering attacks, like the ones that leveraged Okta to breach MGM Resorts and Caesars Entertainment.

Thus, Okta is warning all of its customers to be prepared for similar phishing and social engineering cyber-scams.

"Given that names and email addresses were downloaded, we assess that there is an increased risk of phishing and social engineering attacks directed at these users," Bradbury wrote. "While 94% of Okta customers already require MFA \[multifactor authentication\] for their administrators, we recommend all Okta customers employ MFA and consider the use of phishing-resistant authenticators to further enhance their security."

The company added that it does not have any evidence the compromised Okta customer data is being actively exploited yet, however. Even so, cybersecurity experts advise Okta customers to focus on cybersecurity best practices, including user training.

"What is needed to secure Okta customers is a focus on best practices; for example, 6% of their users do not have multifactor authentication enabled," says Viakoo CEO Bud Broomhead. "Likewise, setting session timeouts or requiring reauthentication for sessions from a new IP address should be done across all Okta users."

**Okta Breach Brand & Financials Ramifications**

That bit of bad news for Okta customers was tempered by another piece of data out of Okta on Nov. 29. According to its latest quarterly financial report, the company announced that it has seen a more than 20% increase in revenues. The bottom-line growth increase is marked for the quarter ending Oct. 31, the same quarter Okta's systems were used in high-profile breaches of MGM and Caesars.

"Our Q3 performance was highlighted by solid top-line growth, record non-GAAP operating profit, and record free cash flow," Todd McKinnon, CEO and co-founder of Okta, said in a statement about the company's earnings. "We are particularly enthusiastic about the adoption of Okta Identity Governance and the general availability of Okta Privileged Access, which uniquely positions us as the only unified modern identity platform. Over 18,800 leading organizations around the world put their trust in Okta and we are thankful for their continued partnership."

The news of the leaked customer data did drive down Okta stock prices when it happened, but the investor fallout appears to be hovering in the single digits.

That said, the time lag for sales revenues to be impacted by major cyber incidents like the ones Okta has experienced should be taken into account when analyzing whether the breach impacted the brand, according to Jasson Casey, CEO of Beyond Identity.

"The sales cycle for midmarket customers is typically three to four months, while the enterprise sales cycle can be six-plus months," Casey tells Dark Reading. "Revenue numbers being reported today don't reflect the market's processing and intake of the latest news."

However, Casey tells Dark Reading that personally, he's seeing a market shift away from Okta.

"Anecdotally, we're seeing a large number of companies actively search for migration pathways from Okta to other SSO \[single sign-on\] platforms due to the continued string of news related to Okta security practices," he adds. "Okta has a hard road in front of them to convince the mid/enterprise market that security is a foundational principle given their continued missteps over the last two years."

Okta declined to comment on customer reactions to the compromise.

Okta Breach Widens to Affect 100% of Customer Base

Cybercriminals use legal search terms to ensnare unwitting victims, then launch ransomware or business email compromise attacks.

Source: The Lightwriter via Adobe Stock

Cyberattackers are doubling down on their attacks against law firms and corporate legal departments, moving beyond their historical activity of hacking and leaking secrets to targeting the sector with financial attacks, such as ransomware and business email compromise (BEC).

On Nov. 24, managed service provider CTS, which provides IT services to law firms, acknowledged that the firm had suffered a breach, but did not give details about the source of the attack. The incident has reportedly affected services to dozens of law firms, particularly in the real estate sector. The attack follows claims by the LockBit group that it compromised London-based law firm Allen & Overy, listing the firm among the victims on its data-leak site and demanding a ransom. The firm confirmed a breach, but did not acknowledge the ransomware attack.

The attacks are only the latest to target law firms and legal departments. At least one attack group has targeted law firms specifically, seeding compromised sites with legal jargon to make the sites rise in search rankings and then deliver a ransomware attack chain to visitors, says Keegan Keplinger, a senior security researcher with managed detection and response firm eSentire.

"When \[the targeting\] hasn't been a legal organization, it's often been the legal department or a legal user — a paralegal or the legal consultant — in an organization," he says. "We saw a hospital get hit once, but it was the legal user in that hospital that downloaded \[the malware\]."

GootLoader, which leads to Blackcat ransomware, has focused heavily on law firms. Source: eSentire

Hackers have long favored law firms as a way to steal secrets, absconding with Uber drivers' personal information from law firm Genova Burns LLC in January; hijacking data on the contracts and personal emails from 200 high-profile celebrities — including Lady Gaga, Madonna, and Rod Stewart — from New York law firm Grubman Shire Meiselas & Sacks in 2020; and allegedly leaking the "Panama Papers" — 11.5 million documents on wealthy tax evaders — from Panama-based law firm Mossack Fonseca.

Traditionally, the attraction for online attackers has not been money, says Ilia Kolochenko, chief architect at application security firm ImmuniWeb.

"Law firms are pretty far from being attractive victims for cybercriminals," he says. "However, their clients — namely, secrets of their clients — make law firms a magnet for all kind of cybercriminals."

**Clickbait Turns to SEO Poisoning**

That has changed, as cybercriminals increasingly focus on law firms as a way to cash in with ransomware and BEC attacks. More than a quarter of law firms (27%) suffered a security breach in 2022, up from 25% in 2021, according to the American Bar Association's annual cybersecurity report, which stresses that a security breach is not as severe a classification as a data breach. The legal sector is the fourth most targeted sector by cybercriminals — behind services, manufacturing, and financial firms, according to eSentire's data.

The most significant threat to law firms may be GootLoader, a browser-based threat that is delivered through search engine optimization (SEO) poisoning. The group behind GootLoader has seeded malicious content and malvertising linked to 3.5 million search terms, a high percentage of which are legal terms. As a result, a lawyer or paralegal who searches for specific content may find the top search result leading to a GootLoader-infected file. Downloading and opening the file will execute the program, which almost always leads to BlackCat ransomware, says Joe Stewart, a principal security researcher at eSentire.

"This \[is\] what I call a landmine approach," he says. "They're just mining the entire Web with these search keywords and just waiting for somebody in the legal profession, or somebody who needs this legal document, to just stumble on it and open it up, say, 'What's this? Oh, I will click on this JavaScript. No problem.'"

Ransomware is not the only worry for law firms. A number of threat groups are also targeting law firms with BEC scams. Law firms are the perfect victims for such schemes, says Dan Caplin, director of cybersecurity and incident response at S-RM, a cybersecurity consultancy.

"Firstly, they do a lot of business over and in emails, and secondly, law firms often occupy a privileged position in situations where payment instructions and details are exchanged — this, again, is mostly done over email," he says. "This makes email account takeover, intercepting a thread about a legitimate payment, and diverting funds to a fraudulent bank account a really effective approach."

**Will Get Worse Before It Gets Better**

Because law firms tend to be smaller, often just one or two people, cybersecurity knowledge is often lacking, says ImmuniWeb's Kolochenko.

"Solo practitioners and small law firms are usually poorly protected, having very modest budgets for cybersecurity," he says. "Large law firms, however, increasingly spend more on cybersecurity and cyber defense, \[but most firms\] have similar problems as all other industries including shadow IT, working from home, \[and\] underprotected third parties."

Unfortunately, law firms are often tasked as the custodian of extremely sensitive information, making any breach a problem and making the firm more likely to pay a ransom. It's little wonder that GootLoader has targeted the industry, says eSentire's Keplinger.

"For a variety of reasons, law firms are behind the curve a little bit on security," he says. "With ransomware — especially the double whammy (both stealing and encrypting the data) — legal firms are an obvious organization that would be vulnerable to that — especially, that would care about publishing their data."

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Law Firms & Legal Departments Singled Out for Cyberattacks

A decade and a half after Gh0st RAT first appeared, the "SugarGh0st RAT" variant aims to make life sweeter for cybercriminals.

Source: Niday Picture Library via Alamy Stock Photo

A new variant of the infamous "Gh0st RAT" malware has been identified in recent attacks targeting South Koreans and the Ministry of Foreign Affairs in Uzbekistan.

The Chinese group "C.Rufus Security Team" first released Gh0st RAT on the open Web in March 2008. Remarkably, it's still in use today, particularly in and around China, albeit in modified forms.

Since late August, for instance, a group with strong Chinese links has been distributing a modified Gh0st RAT deemed "SugarGh0st RAT." According to research from Cisco Talos, this threat actor drops the variant via JavaScript-laced Windows shortcuts, while distracting targets with customized decoy documents.

The malware itself is still largely the same, effective tool it's ever been, though it now sports some new decals to help sneak past antivirus software.

**SugarGh0st RAT's Traps**

The four samples of SugarGh0st, likely delivered via phishing, arrive on targeted machines as archives embedded with Windows LNK shortcut files. The LNKs hide malicious JavaScript which, upon opening, drops a decoy document — targeted for Korean or Uzbek government audiences — and the payload.

Like its progenitor — the Chinese origin remote access Trojan, first released to the public in March 2008 — SugarGh0st is a clean, multitooled espionage machine. A 32-bit dynamic link library (DLL) written in C++, it begins by collecting system data, then opens up the door to full remote access capabilities.

Attackers can use SugarGh0st to retrieve any information they might desire about their compromised machine, or start, terminate, or delete the processes it's running. They can use it to find, exfiltrate, and delete files, and erase any event logs to mask the resulting forensic evidence. The backdoor comes fitted with a keylogger, a screenshotter, a means of accessing the device's camera, and plenty of other useful functions for manipulating the mouse, performing native Windows operation, or simply running arbitrary commands.

"The thing that's most concerning to me is how it's specifically designed to evade previous detection methods," says Nick Biasini, Cisco Talos' head of outreach. With this new variant, specifically, "they took effort to do things that would change the way that core detection would work."

It isn't that SugarGh0st has any particularly novel evasion mechanisms. Rather, minor aesthetic changes make it appear different from prior variants, such as changing the command-and-control (C2) communication protocol such that instead of 5 bytes, the network packet headers reserve the first 8 bytes as magic bytes (a list of file signatures, used to confirm a file's contents). "It's just a very effective way to try and make sure that your existing security tooling isn't going to pick up on this right away," Biasini says.

**Gh0st RAT's Old Haunts**

Back in September 2008, the office of the Dalai Lama approached a security researcher (no, this isn't the beginning of a bad joke).

Its employees were being peppered with phishing emails. Microsoft applications were crashing, without explanation, across the organization. One monk recalled watching his computer open Microsoft Outlook all on its own, attach documents to an email, and send that email to an unrecognized address, all without his input.

A Gh0st RAT beta model's English-language UI. Source: Trend Micro EU via Wayback Machine

The Trojan used in that Chinese military-linked campaign against Tibetan monks has stood the test of time, Biasini says, for a few reasons.

"Open source malware families live long because actors get a fully functional piece of malware that they can manipulate as they see fit. It also allows people who don't know how to write malware to leverage this stuff for free," he explains.

Gh0st RAT, he adds, stands out in particular as "a very functional, very well-built RAT."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

A New, Spookier Gh0st RAT Malware Haunts Global Cyber Targets

Security updates are tedious and difficult, so users continue to use a weak version of a core protocol and remain exposed to major attacks on critical infrastructure.

Source: John Edwards via Alamy Stock Photo

Programmable logic controllers (PLCs) that were vulnerable to the Stuxnet attack are still in use globally and rarely have security controls deployed — meaning they're still at risk.

More than 10 years after Stuxnet, new research shows users rarely switch on security controls such as using passwords, and feel updates are too cumbersome to be applied.

Colin Finck, tech lead of reverse engineering and connectivity at Enlyze, says the Siemens proprietary protocol which is used to read and write data as well as to program the S7 PLC. However, this is only protected by obfuscation, which the researchers were able to bypass.

Finck and his colleague Tom Dohrmann, software engineer, reverse engineering and connectivity, will present their findings at Black Hat Europe in London next week, in a talk titled "A Decade After Stuxnet: How Siemens S7 Is Still an Attacker's Heaven."

**Still Feeling the Stuxnet Effects**

In the 2010 attack, the Stuxnet attackers exploited several zero-day vulnerabilities in Microsoft Windows to ultimately gain access to Siemens software and the PLCs. This was done to gain access to and effectively damage high-speed centrifuges at the Iranian Bushehr nuclear power plant.

The impact of Stuxnet was huge, as it remotely damaged around a thousand centrifuges, and the worm's controllers were also able to analyze communication protocols between the PLCs to exploit further technological weaknesses. It also paved the way for things to come: After Stuxnet, a number of industrial control-related attacks were detected over the years, including BlackEnergy and Colonial Pipeline.

Finck tells Dark Reading that after the Stuxnet attacks took place, Siemens developed a revised protocol for the PLCs that added "lots of obfuscation and cryptography layers." However, the researchers in recent probing were able to bypass that obfuscation to give them the ability to read and write instructions for the PLCs, and ultimately stop the controller working in a proof of concept.

A statement from Siemens sent to Dark Reading acknowledged that the levels of obfuscation do not offer enough security, and a Security Bulletin from October 2022 stated that two of the PLCs "use a built-in global private key which cannot be considered anymore as sufficiently protected."

The statement added: "Siemens has deprecated this previous version of the communication protocol and encourages everyone to migrate to V17 or later to enable the new TLS \[Transport Layer Security\]-based communication protocol."

**Improved Firmware**

That most recent Siemens firmware released in 2022 does include TLS, but Finck claims there is no "long-term service for cybersecurity issues" and calls for Siemens to provide better means to update firmware "because right now, it's wide open to anybody who could just access it over the Internet."

In its statement, Siemens said it is aware of the talk scheduled for Black Hat Europe and stated that the talk "will describe the details of the legacy PG/PC and HMI communication protocol as used between TIA Portal/HMIs and SIMATIC S7-1500 SW Controller in versions before V17."

The company stated that no previously unknown security vulnerabilities will be disclosed in this talk and that Siemens is in close coordination with the researchers. Siemens recommended users to apply mitigations, including:

*   Applying client authentication using strong and individual access level passwords.
    
*   Migrating to V17 or later to enable the new TLS-based communication protocol for all SIMATIC S7-1200/1500 PLCs including SW Controller (see Siemens Security Bulletin SSB-898115 \[2\]).
    
*   Implementing the defense-in-depth approach for plant operations and configure the environment according to Siemens operational guidelines for industrial security.
    

Though the researchers praised the response by Siemens, they noted that PLC firmware is rarely updated by users, "and there's not an established update process to quickly roll out \[updates\] to a fleet of machines."

Finck says doing updates is "probably a tedious manual process to walk to every machine, plug something in and update the firmware," and thus, Siemens needs to offer better update processes so customers have an incentive to deploy those updates.

In the meantime, he says, "you better not have a direct connection to all PLCs right now, due to the aforementioned security problems."

**About the Author(s)**

With more than 20 years experience of B2B journalism, including 12 years covering cybersecurity, Dan Raywood brings a wealth of experience and information security knowledge to the table. He has covered everything from the rise of APTs, nation-state hackers, and hacktivists, to data breaches and the increase in government regulation to better protect citizens and hold businesses to account. Dan is based in the U.K., and when not working, he spends his time stopping his cats from walking over his keyboard and worrying about the (Tottenham) Spurs’ next match.

Siemens PLCs Still Vulnerable to Stuxnet-like Cyberattacks

The prolific threat actor has laundered hundreds of millions of dollars in stolen virtual currency through the service.

Source: Yogesh More via Alamy Stock Photo

In its continued efforts to crack down on North Korea's most formidable state-sponsored threat group, the US government has seized a virtual currency mixer that has been serving as the principal way the group launders money stolen from its cybercriminal activity.

The US Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned Sinbad.io, or just Sinbad, a crypto-mixing service that the feds said has processed millions of dollars worth of virtual currency from crypto heists by the Lazarus Group, according to a press release from OFAC.

As a result of the action, all Sinbad property and interests in property in the US or controlled by anyone in the US must be blocked and reported to OFAC, and people in the US are prohibited from having any involvement with the service. Further, anyone who engages in transactions with the service also may be exposed to sanctions.  

Crypto mixing — a technique that uses pools of cryptocurrency to complicate the tracking of electronic transactions — is a popular service tapped by cybercriminals to obscure their illegal transactions. In the case of Lazarus, the group used Sinbad to launder crypto from various malicious incidents, including the Horizon Bridge and Axie Infinity heist, the government said.

The prolific threat actor is well known for conducting cyberattacks on behalf of the regime of North Korea's leader, Kim Jong Un, engaging in widespread crypto theft through various cyberattacks — including targeting crypto engineers or using compromised systems to mine crypto — to fund government activities, among other endeavors. The US government officially sanctioned Lazarus in 2019, effectively making it a crime to do any kind of business with the group or its associates.

**Crackdown on Crypto Mixing**

Other cybercriminal groups also use Sinbad to keep various illegal financial activities such as drug trafficking, buying child pornography, and other Dark Web transactions away from the prying eyes of law enforcement. However, global authorities have caught on to the use of crypto mixers and are now starting to monitor and block the activity.

In March, an international law enforcement effort led by the US Department of Justice (DoJ) led to the shuttering another known crypto-mixing service, ChipMixer. Then in May and earlier this month, respectively, the feds also seized one crypto mixer, Blender.io (Blender), and redesignated another, Tornado Cash — both known to be used by Lazarus, they said.

OFAC in April also sanctioned two over-the-counter virtual currency traders who facilitated the conversion of stolen virtual currency to fiat currency for North Korean actors associated with Lazarus.

“While we encourage responsible innovation in the digital asset ecosystem, we will not hesitate to take action against illicit actors," said Deputy Secretary of the Treasury Wally Adeyemo, in a statement. "Mixing services that enable criminal actors, such as the Lazarus Group, to launder stolen assets will face serious consequences.”

**Crypto Mixer of Choice**

All told, Lazarus, which has been active for more than 10 years, is believed to have stolen more than $2 billion worth of digital assets across multiple cryptocurrency heists, according to the US government.

Sinbad, which operates on the Bitcoin blockchain, has been one of the primary facilitators of the trafficking of these funds as the group's preferred mixing service. The service, which some security experts believe is the successor to Blender, aids cybercriminal transactions by obfuscating their origin, destination, and counterparties, so they are difficult to track.

Some of the larger sums that Lazarus has laundered through the crypto mixer include "a significant portion" of the following crypto heists: $100 million stolen in June from customers of Atomic Wallet; $620 million stolen from Axie Infinity in March 2022; and $100 million nabbed from Horizon Bridge in June 2022. 

Despite being sanctioned and constantly monitored by security researchers and global authorities alike, Lazarus remains undaunted and shows little sign of slowing down. Some of the group's most recent activity includes posing as Meta to deploy a complex backdoor at an aerospace organization, and aiming to lure crypto pros with fake job postings — the latter a common tactic of the group.

There are signs that the mounting pressure on the group has affected them, though. Lazarus recently aligned with other North Korean state-sponsored threat actors to make them collectively harder to track. However, this collaboration also sets the stage for more aggressive and complex cyberattacks that will demand strategic defense and response on the part of targets.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Feds Seize 'Sinbad' Crypto Mixer Used by North Korea's Lazarus

No Iranian bank customers are safe from financially motivated cybercriminals wielding convincing but fake mobile apps.

Source: Stephen Barnes/Finance via Alamy Stock Photo

A mammoth campaign targeting Iran's banking sector has grown in magnitude in recent months, with nearly 300 malicious Android apps targeting users for their account credentials, credit cards, and crypto wallets.

Four months ago, researchers from Sophos detailed a lengthy campaign involving 40 malicious banking apps designed to harvest credentials belonging to unwitting customers. By imitating four of the Islamic Republic's most significant financial institutions — Bank Mellat, Bank Saderat, Resalat Bank, and the Central Bank of Iran — hackers were able to install and hide their copycat apps on victims' phones, harvesting logins, intercepting SMS messages with one-time passcodes, and stealing sensitive financial information, including credit cards.

Apparently, that was just the opening salvo. A new blog post from Zimperium has revealed 245 more apps associated with the same, clearly ongoing campaign, 28 of which had not previously been recorded on VirusTotal.

And this new trove isn't just bigger — it's more diverse, and more sophisticated than the first 40 were, featuring new kinds of targets, and tactics for stealth and persistence.

**285 Fake Banking Apps**

The 245 new apps discovered since the summer extend beyond the bounds of the original 40 by actively targeting four new Iranian banks, with some evidence that they have another four more in their sights.

Besides banks, the attackers have also started probing for data relating to sixteen cryptocurrency platforms, including such popular ones as Metamask, KuCoin, and Coinbase.

To facilitate the targeting of a dozen banks and 16 crypto hubs, the attackers have also added some new tools to their arsenal. For example, one little trick they use to avoid infrastructure takedowns involves a command-and-control server with the lone purpose of distributing phishing links. As the researchers explained, this "allows for the server URL to be hardcoded on the application without the risk of being taken down."

The group's most notable new tactic, however, is how its apps abuse accessibility services. 

"While using the accessibility API, they get a way to programmatically access the UI's elements," explains Nico Chiaraviglio, chief scientist of Zimperium. He explains that attackers can invisibly interact with the device in some of the same ways a user can, to malicious effect. For example, "they can request for dangerous permissions (such as reading SMS) and when the user is prompted to accept the permission, they click on 'Accept' before the user even sees the notification. Or they prevent uninstallation by clicking on 'Cancel' when the user tries to uninstall the app."

Thus far the fake apps have been limited to Android devices. But among the attackers' belongings, the researchers did uncover phishing websites mimicking banking apps' Apple App Store pages, indicating that the campaign may expand to iPhones in the near future.

Long before that happens, the campaign will have touched thousands. "Based on the information obtained from one of their Telegram channels, we know that there are thousands of victims. But we could only access one of the channels used (since one of them is private) and there is no guarantee that they didn't use other channels in the past." 

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Source

DARKReading