Scans of the Internet find that millions of computers, virtual machines, and containers are vulnerable to one or more of the hundreds of cyberattacks currently used in the wild, despite being patchable.

More than 15 million instances of Internet-connected applications, services, and devices are vulnerable to software flaws that the US government has confirmed are being exploited by attackers in the wild.

More than 190,000 systems, for example, appear to still be vulnerable to the 8-year-old Heartbleed vulnerability (CVE-2014-0160), while nearly 6.5 million devices are vulnerable to a medium-severity flaw (CVE-2021-40438) that could be used to redirect traffic to another server. In all, millions of applications, services, and operating systems are exposed to more than 200 remotely detectable vulnerabilities from the Known Exploitable Vulnerabilities (KEV) Catalog, researchers from cybersecurity firm Rezilion stated in a report published on March 30.

The takeaway? There is a concerning lack of patching of systems known to be vulnerable to in-the-wild attacks, says Yotam Perkal, director of vulnerability research at Rezilion.

"While only a fraction of the vulnerabilities discovered end up being exploited, the vulnerabilities on the KEV Catalog _are_ being exploited, continuously, by sophisticated threat actors as well as advanced persistent threat (APT) groups," he says. "Not taking action is an invitation to get hit."

He adds, "Companies should do whatever they can to prioritize patching these vulnerabilities."

To boot, those estimates of just how many things are vulnerable out there are conservative, Perkal says, as the services affected by more than one vulnerability were counted only once.

"Given this conservative calculation approach, added to the fact that there are many CISA KEV vulnerabilities that can’t be identified with a high level of certainty (if at all) using Shodan, it is safe to assume that the actual number of vulnerable instances is much higher," he says.  

    

Vulnerabilities exploited by year of disclosure. Source: Rezilion

Typically, only a small fraction of vulnerabilities are exploited every year. In 2022, for example, more than 25,100 vulnerabilities were disclosed and assigned a Common Vulnerabilities and Exposures (CVE) identifier, according to the National Vulnerability Database. Yet only 107 of those issues are known to have been exploited, according to the Known Exploited Vulnerabilities Catalog, a list of more than 900 vulnerabilities maintained by the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA).

However, many of the KEV bugs are highly dangerous, such as the recently added vulnerability in IBM's popular Aspera Faspex file transfer stack and a bug in the ZK Java Web Framework.

**The Long Tail of Exploitation**

Using data gleaned from the KEV and information about the vulnerabilities contained in entries in the CVE databases, Rezilion researchers scanned the Internet using Shodan. They found 15 million services vulnerable to at least one exploit on the list.

Nearly 6.5 million instances of Apache HTTP Server were running a version still vulnerable to a critical sever-side request forgery (CVE-2021-40438) flaw. Another 2.1 million versions of the server were vulnerable to a separate flaw (CVE-2019-0211) that allows an attacker to escalate their privileges on the system. Despite its age, the Heartbleed flaw (CVE-2014-0160) ranked fifth on the list of most common vulnerabilities from the KEV Catalog, and the BlueKeep vulnerability from 2019 ranked ninth, with almost 52,000 instances discovered through the researchers' scans of the Internet. BlueKeep (CVE-2019-0708) is a critical remote code execution bug in the Remote Desktop Services Protocol in older and legacy versions of Windows.

Using data from threat intelligence service GreyNoise, the researchers discovered hundreds of scans on the part of threat actors searching for KEV vulnerabilities every day, making the threat very real, the company stated in its advisory.

"Failing to address these actively exploitable vulnerabilities poses a significant risk," the advisory stated. "While patching a vulnerability you know about, which is actively exploited in the wild and has a publicly available patch should be the easy part, the reality is that millions of systems remain exposed to these vulnerabilities — some even years after the vulnerability was discovered and a patch was made available."

**More Vulnerable Under the Surface**

In addition, companies are more vulnerable once an attacker gets past the perimeter. Shodan scans are limited to Internet-facing systems. Many of the flaws on the KEV list are generally only exploitable from inside a network, Perkal says.

"Some of the vulnerabilities on the CISA KEV Catalog are not vulnerabilities that exist in internet-facing applications," he says. "For example, local privilege escalation vulnerabilities are not vulnerabilities that Shodan will be able to identify."

Companies should first find which software components are affected entries on the KEV list and validate that the actual vulnerable code is part of running software. Since applications often do not use every function in an imported software library, the vulnerable code may never run. Rezilion security researcher Ofri Ouzan estimates that 85% of code with vulnerabilities is never actually run.

After that, companies can use the CISA KEV list to prioritize patching of issues. Beyond using the KEV list, other efforts are aiming to predict the likelihood of exploitation, which could help companies prioritize their effort.

15M+ Services & Apps Remain Sitting Ducks for Known Exploits

When runtime application self-protection is held to a higher standard, it can secure thousands of applications and prevent burnout in security teams.

In recent years, the application security world has seen the rise of runtime application self-protection (RASP) technology. As described by Gartner, RASP is a security technology that is integrated into an application or its runtime environment, capable of controlling and preventing real-time attacks. Unfortunately, many Web application firewall (WAF) companies saw an opportunity to leverage the term. They introduced "RASP-like" agents at the network layer, which isn't fully embracing the definition of RASP technology.

In contrast, genuine RASP technology operates at the application layer, where it has full context of the user, application logic, and domain information. This context allows a RASP to make informed decisions about the application's security and to prevent exploits before they can cause harm. As a result, a true RASP should have zero false positives and reduced latency, providing an immediate boost in performance. True RASP requires a list of immutable rules that use context to understand when a new vulnerability is introduced and act accordingly. This immutability is possible when rules are baked into the code base at the application layer and does not require any changes once deployed.

**Three Areas Where RASP Went Wrong**

**1\. The Barking Dog Problem: Most Alerts Are False Positives**

The issue with WAFs is that they work at the network layer, a lagging indicator of application execution. The resulting lack of context leads to high false-positive rates, long wait times, and poor performance, as WAFs can only guess about the nature of a vulnerability based on what they previously have been exposed to.

Imagine a guard dog in the yard barking whenever it hears a noise beyond the fence. These noises may be the approach of an intruder, but they could also be cars passing by. The guard dog cannot accurately gauge the difference, so the severity of any given noise is lost, making it impossible for the people inside the house to know which alerts are genuine and which are false positives. This scenario is essentially the capability of the standard RASP offering.

**2\. The 999 Bad Guys Problem: Only Capable of Testing a Sample**

Believe it or not, some vendors tell you to only run their security solution in production environments if you protect only a sample size. That means it pulls a sample — perhaps one in every 1,000 requests — and tests that sample while catching what happens for the next 999. Meaning, if you're a good actor, your signature will check out. But regardless of whether or not the following 999 actors have bad intentions, they will get through. This lack of consistency is all because WAF-based RASPs can't handle the performance requirements of having to test every request.

**3\. The "It Takes Too Long" Problem: Latency Affects Performance**

Any time you have a WAF-based RASP, you experience increased latency, since it cannot influence the application's code base in any way. Meanwhile, widely available RASPs have to send entire text payloads to their Web analyzer and then wait for it to be sent back, which can take a long time. And if your customers are waiting on payments to go through, they might give up and seek out your competitors instead.

Improving this process is similar to code optimization. When creating a list, developers set it up to add new items to the beginning of a list instead of the end. This optimization prevents the VM from rebuilding the entire list each time a new item is added, preventing increasing latency as the list grows. Compiler engineers addressed these issues by implementing just-in-time (JIT) compiling in the early 2000s, which automatically optimizes code based on the nuances of the given language.

**Why Has the Definition of RASP Been So Watered Down?**

Developing RASP technology requires a combination of security engineering and software engineering skills. To be effective, the RASP developer must deeply understand the application's architecture and the nuances of the programming language being used. This requires domain expertise that is rare among security professionals.

**True RASP Optimizes Code for Performance as Well as Security**

Because most RASP platforms behave like WAFs, there's a massive overhead involved, which requires running them in sample mode. In contrast, a genuine RASP performs the actual protection in the runtime.

These operations exist in memory, which is very efficient, and because this exists in the same space as your applications, they're very performant. By performing the protection in the runtime, there's no need to rate limit or perform protection in sample sizes because the actual operation takes just a few milliseconds.

Regardless of any changes made to the application, high-performance security remains constant. This philosophy aligns with the philosophy of infrastructure-as-code, in which you define the desired state of your infrastructure, and no matter what happens in the environment, the state of the infrastructure remains the same.

RASP, by definition, parallels many principles of infrastructure-as-code. This parallel is possible due to the deep contextual awareness of the application and the language in which it's built. Like infrastructure-as-code, a genuine approach to RASP can and should make use of immutability to ensure that rules are applied regardless of changes to the codebase.

Immutability is possible by performing a check on the output of a function the first time it's called and switching out any unhealthy functionality with protected functionality, ensuring that the application is always healthy as it runs.

This approach allows security to be deployment agnostic and doesn't require code changes to the application code, tuning, or waiting for deployment windows.

By performing protection in the runtime, patching results with immediate protection on all running instances of the application, one eliminates the need for constant false positives and removes the risk of future exploits.

**RASP Can and Should Be Held to a Higher Standard**

In short, RASP should be held to a higher standard. When done so, it's possible to secure thousands of applications, lowering the total cost of ownership of your WAFs and helping prevent burnout in your security teams.

What RASP Should Have Been

Cybersecurity startups face pressure during this economic uncertainty, but strategic investors can help them succeed in providing tech that defends against cyberattacks.

Economic uncertainty puts enormous pressure on cybersecurity startups already struggling to break into a crowded market. It's bad news for both these nascent companies and their potential customers: As cyberattacks grow more prevalent, the need for innovative solutions from startups is greater than ever.

How can these up-and-coming businesses navigate the storm?

**Doing More With Less**

Tough economic times force nearly all organizations to tighten budgets and do more with less, and cybersecurity isn't immune to these pressures. However, with pressure comes opportunity — the opportunity to partner with strategic investors, which can build value that will serve as the foundation for your startup's future success. A strategic investor, usually a larger company in the same industry, will choose a partnership because of their strategic interest in that business. Beyond capital, they provide guidance on how the startup can grow and evolve in the cybersecurity market.

This guidance comes from subject matter experts who have been through their own business challenges and downturns in the security space, and can share advice based on their experiences in unfavorable market conditions. Strategic investors may also provide go-to-market enablement and/or validate a security startup's capabilities at a time when customers are generally more risk-averse. Cybersecurity startups with low-friction deployment models can capitalize on the real estate of strategic investors to expand their sales pipeline, as direct sales opportunities become sparser in a tough economic climate.

**Seeking the Right Strategic Investor**

The capital and guidance of a strategic investor can make a substantial difference in growing a cybersecurity startup. However, it's imperative you choose the right strategic investor that aligns with your company's values and goals. Where does your business need help? Which strategic investors have the resources and expertise to provide it? What vision do you have for your technology and how it will help solve customers' problems in today's evolving threat landscape?

Education is the first step in this process. Strategic investors have a wealth of public information available that can help startups develop their pitch. You should evaluate the materials provided across investor relations pages, security product briefs, conference presentations, partnership and marketplace pages, and security industry analyst coverage. These resources can help ascertain whether a strategic investor will be a good fit.

**Questions to Evaluate Best Fit**

To help evaluate candidates, ask yourself the following questions:

*   Is this strategic investor a cybersecurity market leader?
*   Do they have the customer base, mindshare within the ideal buyer persona, and technology to warrant investment in a deep partnership?
*   Where is this strategic investor going? Does my startup's product complement theirs, or is it likely to be competitive in the near term?
*   Who else are they working with? Are they strategically aligned with my company's competitors in the security space?
*   Do they have any experience working or partnering with other cybersecurity companies?
*   Does this strategic investor have a gap in their security platform that my company's product is uniquely positioned to help them solve?
*   How is their platform built? Do they have the right architecture to enable seamless integration?
*   Does my company have shared customers that could validate the impact of an integration in the near future?
*   Who has this company invested in previously? Is there a healthy cadence of partnerships or are they more "one-off" in nature? Is there market evidence indicating value that goes beyond a press release?

**Is a Good Strategic Investor Also a Good Strategic Partner?**

Partnering with a strategic investor is different from working with a venture capital firm or angel investor. It's important you not only find the right strategic investor but the right technology partner for your cybersecurity business.

With the information you've collected and your answers to the above questions, you're well-prepared for a conversation with a potential strategic investor to review the technical aspects of your partnership. During this time, you can discuss integration hypotheses and seek feedback. Consider asking these questions:

*   How long does an integration typically take to build and go live?
*   How can we announce the partnership and maximize market impact?
*   What resources do you have in place to help accelerate go-to-market?

If their feedback is positive and there is a clear strategic fit, most strategic investors can provide non-production access to their platform with prepopulated data and documentation to scope potential integration anchor points. From here, you can evolve the partnership pitch and ask to be connected with the company's product management team to get buy-in from the correct stakeholders.

As part of this process, you may consider providing incentives to drive go-to-market prioritization. Determine the typical revenue share structure within your partnership agreements, and see if there's an opportunity to provide a more competitive revenue share based on your gross margin structure and the number of potential customers through the strategic investor.

**Strive for Mutually Beneficial Goals**

The value of your strategic partnership will depend on efforts from both your company and the strategic investor. Bi-directional effort fuels long-term stability. You should work with your partner to create 6-to-12-month, integration, and go-to-market plans, and establish mutually beneficial goals at the outset of the investment. Prioritize your relationship, meet regularly, and monitor your progress toward these goals.

Economic uncertainty is tough for cybersecurity startups, but you don't have to weather the storm alone. Strategic investors are invaluable for helping these startups succeed and provide much-needed technology to organizations defending against cyberattacks.

How Strategic Investors Can Help Cybersecurity Startups

Have you ever wondered how they design blue team exercises? One ransomware and cyber extortion simulation demonstrates the best practices.

It's Monday morning, 8 a.m. You walk into the office and, on your computer screen, you witness something you've only ever experienced in your nightmares.

"Boom! Your organization is hit with a ransomware attack," Sherri Davidoff, CEO of LMG Security, says in a first-look for Dark Reading of a planned tabletop exercise at the upcoming RSA Conference 2023. "All systems are down. What do you do?"

Hopefully, you know what to do thanks to practice runs for such scenarios, in the form of tabletop exercises that workshop incident response for various scenarios.

Creating such an exercise is an undertaking, but it's worthwhile to prepare security professionals for the challenges they'll one day inevitably face. "It's just like Red Cross CPR classes," Davidoff says. "Training your first responders matters."

On April 24, from 8:30 to 10:30 a.m. PT, Davidoff and Matt Durrin, director of training and research for LMG Security, will be hosting a tabletop exercise on ransomware and cyber extortion at RSA Conference 2023. The event will throw participants into a maelstrom inspired by real-life ransomware attacks and challenge them to evade the traps endemic to enterprise incident response.

**Designing a Tabletop Exercise**

"The big thing that we want to shoot for in these tabletops is as much realism as we can possibly get," Durrin says.

But realism is difficult to simulate. Davidoff jokes about how "we tried using ChatGPT to run a tabletop exercise," and it didn't turn out so well. "It's like: 'I am the facilitator,' and starts walking you through the steps. But it's very boring. It doesn't give you any curveballs."

Simulating realism, ironically, requires a good deal of showmanship: storytelling, audio and visual materials, and a certain creativity to generate the chaos and unpredictability you'd find in a cyberattack in real life. But little of this theater is completely made-up.

"We try to leverage the experience that we've gained over the years of actually dealing with these attacks in the wild," Durrin notes, "so we have elements that are in line with what a modern ransomware attack would look like."

For RSAC 2023, they chose to model their simulation after a classic LockBit attack. "First thing in the morning on a Monday morning you walk in and your network is completely offline," Durrin explains. "There are ransom notes on your desktop. They're telling you that your files have been encrypted. They might have broken into your printer and exhausted every piece of paper that you have, printing off copies of the ransom note."

All local data is encrypted and internal systems unrecoverable. The price to recover is $2.5 million, which will double after 48 hours.

Source: Trend Micro

Panic sets in. "How do we identify where we need to look for additional malware?" Durrin continues. "How do we figure out how long they've been in the network? And then what kind of changes do we need to make to our plan?" Participants perform triage, distribute tasks among group members, and gather evidence, in a scramble to contain the damage.

Any sense of control is erased, though, when more bad news arrives: The hackers have already exfiltrated data. A double extortion, one of a few curveballs the hackers will lob over the fence by the end of the campaign.

"This is where things get kind of scary, especially for the more executive audiences," Durrin says. "When we start talking about public exposure and reputational damage, that really gets them on the hook, and it leads to a good discussion between the technical and nontechnical people. There's so much interplay between those two groups during an attack."

**Do Tabletop Exercises Actually Help IRL Security?**

Multiple extortions may be a lot to fit into a two-hour event. But Davidoff and Durrin emphasize how a full 80% of ransomware victims experience double dipping, 68% within a month of their first breach.

Remarkably, 40% of ransomware victims pay two times, 10% pay _three_ times, and 1% actually pay _four ransoms_ to their attackers.

"That's part of why a tabletop is so important," Davidoff says. "You're actually walking through these issues, and everyone from frontline responders to executives are learning. Because a lot of times your frontline responders will be getting pressure from executives to restore as soon as possible, so they skip steps, and then the attackers get back in, and you have a worse problem. And they usually charge a higher amount the second time."

Enterprises that run these kinds of simulations tend to avoid those mistakes. "We've actually been able to see how those changes that we've made and tested inside of an incident response plan have benefited organizations in a very tangible and real sense," Durrin says, "in the speed of recovery, the quality of recovery and how the organization is actually able to get back on their feet after suffering from an incident."

The difference can be found in the bottom line. According to the IBM Cost of a Data Breach Report 2022, organizations with rigorously tested incident response plans save an average of more than $2.5 million over those without plans. So tabletop exercises aren't just a fun team-building activity.

"Those first few minutes and hours after an incident are absolutely critical," Davidoff says. "Everyone should make sure they're prepared."

Designing Tabletop Exercises That Actually Thwart Attacks

Proxyjacking is an emerging, low-effort and high-reward attack for threat actors, with the potential for far-reaching implications.

Threat actors have found a lucrative new attack vector that hijacks legitimate proxyware services, which allow people to sell portions of their Internet bandwidth to third parties. In large-scale attacks that exploit cloud-based systems, cybercriminals can use this vector — dubbed "proxyjacking" — to earn potentially hundreds of thousands of dollars per month in passive income, researchers from Sysdig Threat Research Team (TRT) have found.

In a February blog post, Kaspersky researchers described proxyware services like this: "\[Users install a client that creates a\] proxy server. Installed on a desktop computer or smartphone, it makes the device's Internet connection accessible to an outside party." That outside party — the proxyware service — then resells an agreed-upon portion of the user's bandwidth to other people. 

"Depending on how long the program remains enabled and how much bandwidth it is permitted to use, the client accumulates points \[for the user\] that can eventually be converted into currency and transferred to a bank account," according to researchers at Kaspersky.

In one attack that the Sysdig researchers observed, threat actors compromised a container in a cloud environment using the Log4j vulnerability, and then installed a proxyware agent that turned the system into a proxy server without the container-owner's knowledge, the researchers revealed in a blog post on April 4.

This allowed the attacker to "sell the IP to a proxyware service and collect the profit," in an unusual type of Log4j exploit. Usually, Log4j attacks involve an actor dropping a backdoor or cryptojacking payload on the device, Crystal Morin, Sysdig threat research engineer, wrote in the post. "While Log4j attacks are common, the payload used in this case was uncommon," she wrote.

Proxyjacking shares characteristics of cryptojacking in that both profit off the bandwidth of a victim — and both are about equally profitable for the attacker, Morin said. However, these attacks differ in that attackers typically install CPU-based miners to extract maximum value from compromised systems, while proxyjacking mainly uses network resources — leaving a minimal CPU footprint, she wrote.

"Nearly every piece of monitoring software will have CPU usage as one of the first (and rightfully most important) metrics," she wrote. "Proxyjacking's effect on the system is marginal: 1 GB of network traffic spread out over a month is tens of megabytes per day — very likely to go unnoticed."

**How Proxyjacking Works**

Proxyjacking is a relatively new phenomenon spurred by the growth and use of proxyware services in the last couple of years, the researchers said. As mentioned, these services, such as IPRoyal, Honeygain, and Peer2Profit, are installed as apps or software on Internet-connected devices that, when running, allow someone to share Internet bandwidth by paying to use the IP address of the app users.

Proxyware comes in handy for people who want to use someone else's IP address for activity such as watching a YouTube video that isn't available in their region, conducting unrestricted Web scraping and surfing, or browsing dubious websites without attributing the activity to their own IP, the researchers said. According to the service, people pay for each IP address that someone shares via proxyware based on the number of hours they run the application.

In the attack investigated by Sysdig researchers, attackers targeted an unpatched Apache Solr service running in Kubernetes infrastructure to take control of a container in the environment, and then downloaded a malicious script from a command-and-control server (C2), which they placed in the /tmp folder to have privileges to perform their activity.

"The attacker's first execution was downloading an ELF file renamed /tmp/p32, which was then executed with some parameters, including the email address \[email protected\]\[.\]com and the associated password for their pawns.app account," Morin wrote in the post.

Pawns.app is a proxyware service that has been seen sharing IPs from IPRoyal's proxy network. Indeed, Sysdig TRT correlated the binary downloaded and executed in the malicious script to the command-line interface version of the IPRoyal Pawns application from GitHub, which uses the same parameters, researchers said. In this way, attackers began using the compromised pod to earn money on the service, they said.

Attackers covered their tracks by cleaning the compromised system of their activity, clearing the history, and removing the file they dropped in the containers and the temp files, the researchers added.

**Impact & Mitigation for Proxyjacking Attacks**

While the list of proxyware services reported as being used for proxyjacking is small right now, Sysdig researchers believe that this attack vector will continue to grow and eventually "defenders will uncover more nefarious activities," Morin wrote. "This is a low-effort and high-reward attack for threat actors, with the potential for far-reaching implications."

Researchers estimate that in 24 hours of activity for one proxyjacked IP address, an attacker can earn $9.60 per month. In a modest compromise of, say, 100 IP addresses then, a cybercriminal could net passive income of nearly $1,000 per month from this activity, they said.

When exploiting Log4j on unpatched systems, this figure can climb even higher, as millions of servers are still running vulnerable versions of the logging tool, and more than 23,000 of them can be reached from the Internet, according to Censys, the researchers said. "This vulnerability alone could theoretically provide more than $220,000 in profit per month" for an attacker, Morin wrote.

To avoid "receiving potentially shocking usage bills" due to proxyjacking activity, organizations need to take actions to mitigate potential attacks, the researchers said. They recommended that organizations set up billing limits and alerts with their respective cloud service provers, which can be an early indicator that something is amiss, Morin wrote.

Morin advised that organizations should also have threat-detection rules in place to receive alerts on any initial access and payload activity preceding the installation of a proxyware service application on your network.

'Proxyjacking' Cybercriminals Exploit Log4j in Emerging, Lucrative Cloud Attacks

Authorities claw back funds from six crypto accounts they say were linked to a "pig-butchering" cybercrime ring.

Half a dozen cryptocurrency accounts, allegedly used to launder romance scam proceeds, have been seized by the Department of Justice.

The DoJ said in a statement that, in total, it seized more than $112 million in cryptocurrency that was being laundered through the accounts.

"Transnational criminal organizations are combining confidence scams with technological savvy to swindle Americans out of their hard-earned funds," Assistant Attorney General Kenneth A. Polite Jr. of the Justice Department's Criminal Division said about the seizure. "Now that we have seized this virtual currency, we will seek to swiftly return it to victims."

They added, "In addition to our tireless efforts to disrupt these schemes, we must also work to raise public awareness and help inform potential victims: be wary of people you meet online, seriously question investment advice, especially about cryptocurrency, from people you have not met in person, and remember, investments that seem too good to be true, usually are."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

DoJ Recovers $112M in Crypto Stolen With Romance Scams

"Gopuram" is a backdoor that North Korea's Lazarus Group has used in some campaigns dating back to 2020, some researchers say.

The threat actor — believed to be the Lazarus Group — that recently compromised 3CX's VoIP desktop application to distribute information-stealing software to the company's customers has also dropped a second-stage backdoor on systems belonging to a small number of them.

The backdoor, called "Gopuram," contains multiple modules that the threat actors can use to exfiltrate data; install additional malware; start, stop, and delete services; and interact directly with victim systems. Researchers from Kaspersky spotted the malware on a handful of systems running compromised versions of 3CX DesktopApp.

Meanwhile, some security researchers now say that their analysis shows the threat actors may have exploited a 10-year-old Windows vulnerability (CVE-2013-3900).

**Gopuram: Known Backdoor Linked to Lazarus**

Kaspersky identified Gopuram as a backdoor it has been tracking since at least 2020 when the company found it installed on a system belonging to a cryptocurrency company in Southeast Asia. The researchers at that time found the backdoor installed on a system alongside another backdoor called AppleJeus, attributed to North Korea's prolific Lazarus Group.

In a blog post on April 3, Kaspersky concluded that the attack on 3CX was, therefore, also very likely the work of the same outfit. "The discovery of the new Gopuram infections allowed us to attribute the 3CX campaign to the Lazarus threat actor with medium to high confidence," Kaspersky said.

Kaspersky researcher Georgy Kucherin says the purpose of the backdoor is to conduct cyber espionage. "Gopuram is a second-stage payload dropped by the attackers" to spy on target organizations, he says.

Kaspersky's discovery of second-stage malware adds another wrinkle to the attack on 3CX, a provider of videoconferencing, PBX, and business communication app for Windows, macOS, and Linux systems. The company has claimed that some 600,000 organizations worldwide — with more than 12 million daily users — currently use its 3CX DesktopApp.

**A Major Supply Chain Compromise**

On March 30, 3CX CEO Nick Galea and CISO Pierre Jourdan confirmed that attackers had compromised certain Windows and macOS versions of the software to distribute malware. The disclosure came after several security vendors reported observing suspicious activity associated with legitimate, signed updates of the 3CX DesktopApp binary.

Their investigations showed that a threat actor — now identified as the Lazarus Group — had compromised two dynamic link libraries (DLLs) in the application's installation package added malicious code to them. The weaponized apps ended on user systems via automatic updates from 3CX and also via manual updates.

Once on a system, the signed 3CX DesktopApp executes the malicious installer, which then initiates a series of steps that ends with an information-stealing malware getting installed on the compromised system. Multiple security researchers have noted that only an attacker with a high level of access to 3CX's development or build environment would have been able to introduce malicious code to the DLLs and get away unnoticed. 

3CX has hired Mandiant to investigate the incident and has said it will release more details of what exactly transpired once it has all the details.

**Attackers Exploited a 10-Year-Old Windows Flaw**

Lazarus Group also apparently used a 10-year-old bug to add malicious code to a Microsoft DLL without invalidating the signature. 

In its 2103 vulnerability disclosure, Microsoft had described the flaw as giving attackers a way to add malicious code to a signed executable without invalidating the signature. The company's update for the issue changed how binaries signed with Windows Authenticode are verified. Basically, the update ensured that if someone made changes to an already signed binary, Windows would no longer recognize the binary as signed.

In announcing the update back then, Microsoft also made it an opt-in update, meaning users didn't have to apply the update if they had concerns about the stricter signature verification causing problems in situations where they might have made custom changes to installers. 

"Microsoft was reluctant, for a time, to make this patch official," says Jon Clay, vice president of threat intelligence at Trend Micro. "What is being abused by this vulnerability, in essence, is a scratch-pad space at the end of the file. Think of it like a cookie flag that many applications have been allowed to use, like some Internet browsers."

Brigid O’Gorman, senior intelligence analyst with Symantec's Threat Hunter team, says the company's researchers did see the 3CX attackers appending data to the end of a signed Microsoft DLL. "It worth noting that what gets added to the file is encrypted data that needs something else to turn it into malicious code," O'Gorman says. In this case, the 3CX application sideloads the ffmpeg.dll file, which reads the data appended to the end of the file and then decrypts it into code that calls out to an external command-and-control (C2) server, she notes.

“I think the best advice for organizations at the moment would be to apply Microsoft's patch for CVE-2013-3900 if they have not already done so," O'Gorman says.

Notably, organizations that might have patched the vulnerability when Microsoft first issued an update for it would need to do so again if they have Windows 11. That's because the newer OS undid the effect of the patch, Kucherin and other researchers say.

"CVE-2013-3900 was used by the second-stage DLL in an attempt to hide from security applications that only check against a digital signature for validity," Clay says. Patching would help security products flag the file for analysis, he notes.

William Dormann, senior vulnerability analyst at Analygence says the attackers in the 3CX incident used CVE-2013-3900 to plant shellcode in a digitally signed binary and banked on the malware slipping past analysts because it was digitally signed. "Users who have applied the mitigation for CVE-2013-3900 would not have been protected in any way whatsoever against the 3CX malware on an otherwise default configuration of Windows," he says. No Windows platform includes a fix for CVE-2013-3900 at this point in time. It remains strictly optional. He also notes that with GitHub taking down the payload files attackers had stored on it, there's nothing more users can do to protect against the threat.

A Microsoft spokesman said an attacker would be able to add code to a signed DLL only if they had already compromised the code via a third-party. "As a best practice, we encourage customers to apply all the latest security updates for better protection," the spokesman said. 

"In addition, Defender for Endpoint and Microsoft Defender antivirus can detect and block the domains and files involved with this threat," the spokesman added. Microsoft did not directly address a Dark Reading question on why the company had decided to make the fix for CVE-2013-3900. Instead, the spokesman pointed to Microsoft's original security advisory on the bug. "Regarding CVE-2013-3900 updates specifically, we recommend customers assess their system environment and follow the steps and suggested actions outlined in the security advisory," the spokesman said.

_This story was updated on 04/04 to include comments from Microsoft and analyst Will Dormann._

3CX Breach Widens as Cyberattackers Drop Second-Stage Backdoor

They rake in millions, but now, as much as zero-days and ransoms, cybercriminals are dealing with management structures and overhead.

Today's foremost cybercrime gangs operate like large enterprises, with more than $50 million dollars in annual revenue and around 80% of operating expenses going to wage bills.

In a report published April 3, researchers David Sancho and Mayra Rosario Fuentes of Trend Micro mapped out the economics of running a cybercrime business in 2023. Using "observations and estimations," they explained, they aimed to show "the quarterly financial reports for typical criminal groups under small, medium, and large enterprise categories."

"Our hypothesis was that the bigger these organizations are going to be, the more they're going to resemble the structure of a corporation," Sancho tells Dark Reading. The most surprising thing, he says, is "when you put everything together, how consistent the picture is."

Small, medium, and especially large cybercrime gangs operate just like their legitimate counterparts, from their managerial structure all the way down to benefits for the lowest-level employees.

The inner workings of cybercrime operations don't just make for fun facts, though. "If you agree with our conclusion that the larger the organism, the more structured it becomes," Sancho says, "that presents an opportunity for anybody who is investigating or otherwise dealing with these organizations."

**The Cybercrime Economy of 2023**

In parallel with the corporate economy, the researchers mapped cybercrime organizations into three categories:

*   Small: 1-5 staff and affiliates, one management layer, under $500K annual revenue
*   Medium: 6-49 staff and affiliates, two management layers, up to $50M revenue
*   Large: 50+ staff and affiliates, a few management layers, and more than $50 million in revenue

The smallest hacker groups operate with a "move fast and break things" kind of mentality — funding operations out of their own pockets, making income however they can, and with everybody on the team doing a little of everything.

But "as revenue grows larger and larger, there's a bottleneck," Sancho explains. "If we can get this much money with five hackers. Let's see what we can get with six."

At this point gangs begin to bring on full-time staff — necessary for maintaining million-dollar annual profits — and a defined organizational structure.

"When you're more than five, six people, somebody needs to be in charge of something, otherwise if everybody does everything, it's kind of a mess," the researcher notes.

"The more they start growing, the more the complexity grows," he continues. "And when you're thinking about organizations of 20-plus, 50-plus, you definitely need people arranged in some sort of structure. Some people do finance, some do marketing, some do sales."

These groups have IT and even human resources divisions, operating with a pyramid-style management structure. As a humorous case in point: The Conti group used to have employees of the month.

**How Corporate Cybercrime Targets Can Benefit **

As Sun Tzu famously observed in _The Art of War_: "When you are ignorant of the enemy but know yourself, your chances of winning or losing are equal. Know thy enemy and know yourself; in a hundred battles, you will never be defeated."

Hackers have a reputation for working in the shadows — dark rooms, anonymous identities, and so on — by their own design. Once enterprises can recognize a bit of themselves in their adversaries, it makes the job of dealing with them less confusing.

For example, if you've been hit by a small group, you might reasonably assume that they act more like a startup. "Those groups can be more flexible and attack you differently," Sancho says, and so victims should react with more caution.

Conversely, for the biggest, baddest criminal outfits. "Once you realize that criminal organizations behave in an enterprise manner, then you realize their need to have a repository of documents," he explains. "They need to have rules for how to interact with one another. They're mostly working remotely."

Investigators can look for data one might not otherwise associate with cybercrime gangs — mergers and acquisitions information, shared calendars, and the like. And if nothing else, businesses may take some comfort in knowing that their attackers have predictable systems in place.

Professionalization can also prevent agility for cyberattackers. Cybercrime gangs are just like corporations now and as long as that's true, Sancho concludes, "they'll have the same headaches corporations have," like, for instance, sourcing good talent.

For Cybercrime Gangs, Professionalization Comes With 'Corporate' Headaches

The company behind digital storage brand SanDisk says its systems were compromised on March 26.

Business operations for Western Digital, a data storage hardware provider, have been disrupted due to a recent systems breach that the company said occurred on March 26.

Western Digital Corporation is behind the personal and professional-grade data storage brands SanDisk, WD, and WD\_Black, which collectively offer a range of devices, including external drives, internal hard drives, flash drives, and more.

Western Digital has released a statement announcing that an unauthorized third party was able to compromise its systems, that the incident is ongoing, and the internal investigations are being coordinated with law enforcement.

The company added that some system data was compromised, but assessments about exactly what was accessed are underway, the Western Digital breach disclosure statement explained.

"Western Digital is actively working to restore impacted infrastructure and services," the statement read. "Based on the investigation to date, the company believes the unauthorized party obtained certain data from its systems and is working to understand the nature and scope of that data."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Data Breach Strikes Western Digital

Whether protecting a financial institution or a hospital, everyone needs an effective strategy for fending off slippery threats like those that hide in memory.

Advanced threats are now more accessible than ever. On the Dark Web you can buy or rent zero-day attacks, fileless malware, supply chain compromises, and malware that targets device memory processes.

In 2021, memory compromise was the most common of the top five MITRE attack techniques, and the number of fileless attacks increased by over 900%. The number of zero-days seen in the wild more than doubled from 2020, according to Google's Project Zero. In 2022 data breaches were just 60 short of the all-time record of 1,862 breaches, set in 2021. There was a notable dip in data breach volumes during the first half of 2022, likely because Russia-based cybercriminals were too distracted or preoccupied by the invasion of Ukraine, along with volatility in the cryptocurrency market.

Advanced cyberattacks against well-defended networks have resulted in crippled oil pipelines, school systems, and even entire countries. And we will never know how many successful attacks on major enterprises occurred that never went public.

**Threats Hide in Memory to Avoid Detection**

Detection technologies are essential defenses in any IT environment. They include next-generation antivirus (NGAV), endpoint protection platform (EPP), endpoint detection and response/extended detection and response (EDR/XDR), and managed detection and response (MDR). But the most advanced threats and new variants of existing threats are specifically designed to evade these tools, usually by hiding in memory.

Scanners try to identify malware and malicious activity by looking at known signatures. But even if you have multiple layers of security technologies, these scanners cannot see threats that don't have recognizable signatures, are fileless, or exist in memory, which is impossible to scan effectively at runtime. After all, if you don't know what to look for and can't see your environment in real time, you can't find what you can't see.

Memory is a major vulnerability in modern cybersecurity because standard cybersecurity tools can't find stealthy, unknown, and evasive threats in memory — certainly not fast enough to stop attacks. As a result, security teams end up one step behind threat actors.

**The Memory Security Gap Is Growing**

Threat actors are targeting memory because it's the best place to persist on a device while remaining invisible. This is because runtime memory is such a big space that it's basically impossible to scan without massively degrading performance, leaving it mostly undefended by security controls.

To avoid compromising performance, detection-based solutions like EDR must look at memory selectively. They depend on picking specific times and spaces in memory to scan and looking for certain indicators, such as the recently released Cobalt Strike Yara rules.

Because threats can hide in a vast space and be reconfigured to avoid triggering rulesets, scanning solutions miss evasive threats almost all the time.

In a device's run-time memory environment, threats can steal credentials, hijack legitimate processes, and even turn a low-privileged user into a system administrator.

For example, malicious versions of the pen-testing framework Cobalt Strike enable threat actors to deploy a loader in the memory of a legitimate application, such as PowerShell. This means the threat exists purely in the memory environment while an application is running.

**Adding Memory Defenses**

The only way to reliably prevent compromise by advanced threats is to deploy a layered security posture that makes attackers' lives difficult. This means building secure networks, hardening systems, and deploying security technologies like EDR, EPP, and AV to spot malicious behavior and keep security teams informed about network activity. Security teams also need to consider solutions that protect memory by denying access to untrusted actors.

One way to protect memory is by using moving target defense technology to randomize the run-time memory environment so attackers can't find what they're looking for, breaking their attack chain. Instead of a static, known target environment, an attacker faces a dynamic memory environment containing decoy traps that capture unauthorized activity for forensic analysis.

As advanced threats become more common, layered security that incorporates memory defense is becoming essential. Without it, there is no effective way to stop threats targeting device memory.

Source

DARKReading