Known threat groups Diamond Sleet and Onyx Sleet focus on cyber espionage, data theft, network sabotage, and other malicious actions, Microsoft says.

Two North Korean state-backed threat groups, whom Microsoft is tracking as Diamond Sleet and Onyx Sleet, are actively exploiting CVE-2023-42793, a critical remote code execution (RCE) bug in on-premises versions of JetBrains TeamCity continuous integration and delivery server.

The attackers are leveraging the bug to drop backdoors and other implants for carrying out a wide range of malicious activities, including cyber espionage, data theft, financially motivated attacks, and network sabotage, Microsoft said in a report this week. TeamCity is a platform that some 30,000 organizations — including several major brands like Citibank, Nike, and Ferrari — use to automate software build, test, and deployment processes.

**Critical Authentication Bypass Vulnerability**

Based on previous campaigns, Diamond Sleet presents a threat mainly to organizations in IT services, media, and defense-related sectors globally. Onyx Fleet has a somewhat narrower focus and has mostly targeted defense and IT services entities in the US, South Korea, and India. "While the two threat actors are exploiting the same vulnerability, Microsoft observed Diamond Sleet and Onyx Sleet utilizing unique sets of tools and techniques following successful exploitation," Microsoft said.

JetBrains disclosed CVE-2023-42793 on Sept. 30 and assigned it a near-maximum severity score of 9.8 out of 10 on the CVSS scale. The software vendor described the vulnerability as enabling an unauthenticated attack to perform a RCE attack and gain administrative privileges on an affected, Internet-exposed TeamCity server. The vulnerability is present in all on-premises versions of TeamCity.

**ForestTiger Backdoor and Other Payloads**

In Diamond Fleet's attacks targeting the flaw, the threat actor has been using PowerShell to download two malicious payloads from legitimate infrastructure that the threat actor appears to have compromised previously. One of the payloads is a backdoor dubbed ForestTiger that the attacker uses to run scheduled tasks on compromised systems and also to dump credentials. The other malicious payload is a configuration file for the malware that contains information on its command-and-control (C2) infrastructure and other parameters.

Microsoft said it also observed Diamond Sleet actors leveraging PowerShell to download a malicious dynamic link library (DLL), a technique that threat actors often use to execute unauthorized code on compromised systems.

Meanwhile, Onyx Sleet's tactic after exploiting CVE-2023-42793 has been to create a new user account on compromised systems with a name that appears designed to impersonate the legitimate Kerberos Ticket Granting Ticket Account, Microsoft said. The attacker has then been adding the account to the Local Administrators Group and using it to download and decrypt an embedded Portable Executable (PE) resource which is then loaded and launched in memory. "The inner payload is a proxy tool that helps establish a persistent connection between the compromised host and attacker-controlled infrastructure," Microsoft noted.

**Trivial to Find and Exploit**

Stefan Schiller, vulnerability researcher at Sonar, which discovered and reported CVE-2023-42793 to JetBrains, says the vulnerability is very easy for a threat actor to find and abuse. The version of a TeamCity instance can be determined by simply visiting the login page and determining whether the specific version is 2023.05.3 and below, which would mean it is vulnerable. "Once a vulnerable instance is identified, the exploitation is straightforward. Neither authentication nor any kind of user interaction is necessary to exploit the vulnerability," Schiller says.

Due to the nature of the vulnerability, its exploitation is also very reliable. "This makes it very likely that all publicly exposed, vulnerable instances are successfully exploited," he says.

The attacks are the latest manifestation of growing threat actor interest in software development pipelines as an initial access vector and avenue for stealing source code and secrets from companies and for potentially poisoning software and apps in SolarWinds-like fashion.

Vulnerabilities such as CVE-2023-42793 in a CI/CD platform enable supply chain attacks that can have far reaching consequences, says Henrik Plate, security researcher at application security company Endor Labs. It's often not just the organization using the affected software that feels the impact but also any downstream users that might download and execute software built on the system. "The worst-case scenario is probably one where attackers silently manipulate the software created by TeamCity, as this would affect all the users running such infected software," he says. "Such attacks are comparable to the SolarWinds incident, where compromised versions of SolarWinds were downloaded and run by numerous organizations."

**Addressing Supply Chain Risks**

At a high-level, software organizations should try and establish a traceable and verifiable link between the source code and the final build artifact that will be distributed to consumers, Plate says. They need to be able to answers questions like what version of the source code was used as input, which tools were used to compile and transform the various inputs, and what were their configurations. Resources such as the SLSA project and NIST's Strategies for the Integration of Software Supply Chain Security in DevSecOps CI/CD Pipeline offer actionable advice on the steps software teams can take to address CI/CD security, Plate notes.

In addition, implementing practices such as Reproducible builds can help in post-compromise situations, because they produce bit-identical software artifacts, as long as the same inputs and environment are used. "However, making builds reproducible can take a considerable effort and must have been put in place before the incident," Plate says.

JetBrains released a fixed version of TeamCity (version 2023.05.4) at time of vulnerability disclosure and strongly urged organizations to upgrade to it, to mitigate exposure to the threat. The company also released a security patch that organizations — which cannot update to the new version immediately — can plug in to their existing TeamCity version to address the RCE.

North Korean State Actors Attack Critical Bug in TeamCity Server

Several countries in Europe as well as the United States and Japan were involved in the operation, which is aimed at defanging one of the bigger names in ransomware.

In an ongoing operation conducted by law enforcement, Ragnar Locker's Tor negotiation and data leak sites were taken down and replaced with a notice stating that the websites had been seized in a "coordinated international law enforcement action."

Europol is involved in taking action against the ransomware group, as well as law enforcement officials from the United States, and Japan. According to a Europol spokesperson, a press release will be announced on Oct. 20 when "all actions have been finalized."

"While on the surface, this feels like a win, ultimately it may be no more than an inconvenience for the Ragnar group if they are able to quickly set up other servers to replace these," stated Erick Kron, security awareness advocate at KnowBe4. "In addition, this could cause problems for people whose organizations have been impacted by a ransomware attack but have now lost a method to negotiate with the bad actors. Unless the websites that were seized contain information or decryption keys for these people, it could significantly delay their ability to recover."

It is still unclear as to whether or not any arrests have been made or if any stolen funds were recovered. 

According to Dragos, the group is known for focusing on the energy sector. In the past, Ragnar Locker has been tied to various attacks, including when it hit the Mayanei Hayeshua Medical Center in Bnei Brak just this past summer, and when it targeted TAP Air Portugal's systems and claimed to have stolen data. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Europol Strike Wounds Ragnar Locker Ransomware Group

Dark Reading's special report on SecOps data analytics looks at the elements needed to set up a proper data foundation — because getting the data right when collecting, aggregating, and analyzing it is essential.

If there's something all security operations (SecOps) teams need, but few get right, it is the ability to use security data analytics effectively. After all, an effective SecOps data analytics program enables SecOps teams to continuously monitor their environments for signs of compromise and stop potential attacks before they can cause serious damage. Also, good data makes collaboration among SecOps teams and IT more effective.

"There are a lot of different ways to do aggregation and analysis. But there's no way to answer the question, 'Tell me the biggest threat to the business' if you're not doing systematic aggregation and analysis of your data," says Mike Rothman, general manager at Techstrong Research. "In many cases, you'll have a hard time answering it anyway. But if you're not even doing the basics, you have no shot."

Dark Reading's special report "The Secrets of Successful SecOps Data Analytics" digs into important decisions enterprises must make to effectively collect, analyze, and manage their security data so that SecOps teams can make the best decisions possible.

Paradoxically, security teams don't suffer from too little security data or too few security data sources — rather, they have too many data sources and too much data to sift through. This overabundance can make finding the most pressing threats daunting.

"SecOps teams are drowning under the weight of multiple security tools, alert fatigue, and manual operations," says Anton Chuvakin, security adviser at the office of the CISO, Google Cloud. "Analyzing large — the meaning of 'large,' of course, changing dramatically in 20 years — amounts of data at scale and speed have never been more important, but it remains tricky when this data is coming from so many disparate sources."

Getting the data right, however, when it comes to collecting, aggregating, and analyzing is essential. SecOps teams need data to be effective, and security teams can be only as effective as the information they've based their decisions and actions on. The better-quality data SecOps teams get, and the better they can analyze that data for swift decisions, the more effectively they can respond to the actions of the threat actors targeting them.

Read Dark Reading's "The Secrets of Successful SecOps Data Analytics" to understand how to keep and manage data connections across on-premises and cloud systems and help SecOps teams make decisions about how best to disrupt attacks before the threat actors manage to succeed in inflicting damage to the organization.

Tips for a Successful SecOps Game Plan

The Israelis are building a cyber defense system that will use ChatGPT-like generative AI platforms to parse threat intelligence.

Israel is rapidly developing a cyber defense system to address emerging digital threats and protect its critical infrastructure.

Modeled on Israel's Iron Dome defense air defense system, the Cyber Dome has been developed to include generative AI platforms to help filter out genuine threats from the sea of threat intelligence and cyberattack claims that the country parses every day.

According to media reports, it will be staffed by practitioners from various governmental departments, including the Israel Defense Forces (IDF) intelligence Unit 8200, the J6 and Cyber Defense Directorate within the IDF, cyber units of Mossad and Shin Bet, and the Israeli Ministry of Defense.

Gaby Portnoy, director general of the Israel National Cyber Directorate, told The Week that the various departments will work with the Israel National Cyber Directorate, with the latter doing "the internal work." Private companies and research organizations will also participate.

Plans were originally announced in summer 2022, but Cyber Dome development is now being advanced in light of the Gaza conflict, Portnoy said. No specific details regarding the mechanisms and tools of the cyber defense system have yet been provided to the public.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

AI-Powered Israeli 'Cyber Dome' Defense Operation Comes to Life

Without the proper context, organizations waste time mitigating software flaws that won't likely affect their systems.

**Question: The CVSS severity rating seems to lack real-world context. How can a company prioritize fixes in such a situation?**

**Shachar Menashe, Senior Director, JFrog Security Research:** Security teams and developers are wasting their precious remediation resources by relying on an incomplete method to determine whether a vulnerability is exploitable.

One of the most popular resources organizations use today is the Common Vulnerability Scoring System (CVSS), a standard framework for assessing the severity of vulnerabilities. It assigns each CVE a vulnerability severity score, ranging from 0 (no severity) to 10 (most critical), which reflects how hard the vulnerability is to exploit and how much damage it can cause if exploited. Most developers and security teams use the CVSS score as a guide for their vulnerability remediation programs.

The problem is that the CVSS severity ratings of most CVEs today are overinflated, so continuing to rely solely on this rating scale is misguided.

That's because the current CVSS scoring system is based on a complex set of factors that don't adequately incorporate the real-world impact of each vulnerability. Earlier this year, JFrog undertook an analysis of the 10 most prevalent open source software vulnerabilities from 2022 and found that, when looking at real-world impact, most flaws were harder to exploit than reported, and their high severity rating was deceiving. Specifically, 64% of the top 50 CVEs received a lower JFrog Security Research severity rating compared with the CVSS.

In that study, many of the more critical CVEs required complex configuration scenarios or very specific conditions for an attack to be successful, which was not reflected in the CVSS score. Without the proper context, organizations waste valuable resources mitigating software flaws that are unlikely to have any impact on their systems.

**The Real Metric: Exploitability**

Analyzing the context of a CVE requires considering real-world factors, such as:

*   Whether the vulnerability is exploitable in a service's default configuration or only under very contrived configurations.
*   Whether a reachable path to the vulnerable code exists.
*   Whether the software library vulnerability has a code precondition (meaning someone must use the library in a vulnerable manner).
*   The likelihood that a vulnerable API will parse untrusted data.
*   How potentially vulnerable software is deployed.
*   The network environment and overall security mechanisms applied to the vulnerable software.

While CVSS scoring provides some context through its impact metrics (confidentiality, integrity and availability), these metrics are rated according to a theoretical "face value" without considering the actual impact the attack has on real-world systems. For example:

*   A denial-of-service (DoS) attack that crashes a forked client process is much less severe than a DoS that crashes an important daemon, but they will both receive a high availability impact CVSS rating.
*   A buffer overflow that doesn't overwrite any meaningful variable has no security impact, but it will still receive a high integrity impact CVSS rating.

A good example of the latter is the OpenSSL CVE-2022-3602, identified in November 2022. The vulnerability was widely feared at first, but technical details revealed the vulnerability had no real-world impact. Nevertheless, CVE-2022-3602 is still rated with a high impact rating.

**CVSS 4.0 Doesn't Solve This**

While CVSS 4.0 will include an "attack requirement" metric to reflect the conditions needed for an attack to succeed, it is still not detailed enough. (It can only be set to "none" or "present," which does not account for the rarity of the attack requirements.) For example, a remote code execution (RCE) vulnerability that is exploitable only under extremely rare configurations or conditions and might not even be fully exploitable in any real-world scenario would have "attack requirements" marked as "present" — which would change the score slightly from 9.3 to 9.2. Organizations will still continue to receive 9.2 (critical) scores for theoretical RCE remote vulnerabilities that are exceedingly unlikely to happen. This needs to change.

**Advice: Add Context**

While the CVSS system is improving, using other resources in tandem can help provide a more accurate assessment of CVE criticality. When looking at nvd.nist.gov, pay special attention to the CVSS rating of the CNA, not just NVD's CVSS rating. Distro-specific severity scores, such as the Ubuntu and Red Hat Linux distributions, and project-specific severity scores, such as Apache Web Server, Curl, and OpenSSL, will usually have a more accurate severity rating.

Also consider ways to integrate context into your remediation process. Research indicates few vulnerabilities are exploitable without highly specific preconditions. Combine real-world exploitability, CVE applicability, and contextual analysis to guide your prioritization and remediation efforts. Instead of asking developers to "fix everything," arm them with the information they need to address the vulnerabilities that matter most.

Why Do We Need Real-World Context to Prioritize CVEs?

Amid the burgeoning war, Israel's tech sector is focused on resilience. Ofer Schreiber, senior partner at YL Ventures, weighs in on the conflict, funding for cybersecurity startups, overblown valuations, and what the future holds.

Israel has a strong start-up legacy of incubating cybersecurity vendors who have gone on to expand to global success. Investors have invested billions of dollars into these companies, and Tel Aviv last year was named one of the world's best technology ecosystems.

One of the more active investment firms in the region is YL Ventures, which funds early-stage Israeli cybersecurity start-ups. Its senior partner and head of the Israeli office is Ofer Schreiber, who oversees the firm's investment processes and due diligence, portfolio companies management, and value-add initiatives — and he has seen companies emerge from some challenging times recent years.

Dark Reading sat down with Schreiber to discuss the current state of investment in Israel's tech community, and how the events of the Israel-Hamas war could affect the start-up sector's outlook.

_**Dark Reading: How has the Israeli cybersecurity market been in the past few years, and are new companies still emerging?**_

_**Ofer Schreiber:**_ Cybersecurity innovation coming out of Israel is not stopping, but I think it's much harder today to build a new cybersecurity company compared to the last few years. One of the positive

    

Ofer Schreiber, senior partner at YL Ventures. Source: YL Ventures

things here is that from our perspective, the amount of entrepreneurial theory in Tel Aviv and Israel who are passionate about starting a new company to disrupt some of the industry's categories is not decreasing. There are great teams working on interesting ideas and the entrepreneurial spirit is as strong as in the past few years, that's for sure.

_**DR: What do you think the increasing challenges have been in the past few years?**_

_**OS:**_ The environment has changed, and it's harder to raise capital with good valuations compared to the past couple of years. You still see quite a lot of security startups that found themselves with very high valuations, and raised a lot of capital, but with not a lot of market traction to show for it.

We will start seeing more and more M&A activity during the next six or 12 months. The consolidation wave has already begun, and there's increased pressure on the entire industry from customers who are more interested in consolidation; they're interested in working with fewer vendors. They're expecting their big players to have wider suite of products and services, but \[users\] are drawn more to young and innovative startups, so that adds more pressure on younger vendors.

_**DR: How is the current Israel-Hamas conflict affecting the technology scene?**_

_**OS:**_ What is certain is that Israel is probably experiencing its biggest crisis in its short history. There is an analogy that we use about the Israeli tech ecosystem and its resilience, agility, and innovation. You can just see it across the entire country: we have been hit hard, but we are coping and we are regrouping.

There are so many initiatives from both the government and private sectors to support civilians that got hurt, and support the troops. The tech ecosystem is no different, everybody's doing something. A lot of the entrepreneurs and employees of our portfolio companies are in reserve duties in the intelligence core, and the ones who have not been recruited are spending a lot of time in private civilian initiatives. Everybody's using their skills.

There's always this cliche about the Israeli people, that we're constantly fighting with each other. But whenever there's an adversary, or whenever there is a crisis, we all put all our differences aside and we unite.

_**DR: What about from an investment point of view, does the conflict change the way businesses operate?**_

_**OS:**_ It would be foolish to say that it has no effect, just for the basic fact that a lot of people are \[busy\] in reserve duty or other civilian initiatives. If you think about Israeli startups, some of them have non-Israeli operations as well. Many are actually headquartered in the US, or they have departments outside of Israel, so those departments are almost unaffected.

For almost 100% of Israeli tech companies, they are definitely affected to some degree. What I can stay for certain, as with any other crisis that has happened in Israel, is that I think it's a very short-term impact on our industry. Like with every other bad thing that happened in Israel, we got hurt, but we show a lot of resilience, and I'm pretty sure that like any other negative event that happened in Israel, we will come out of it even stronger and more united as a country, and as a business ecosystem.

If I try to be an optimist, I'll say that it will have even a positive impact as we will get out of it stronger and more resourceful, and more united.

_**DR: Back to the valuation conversation — Do you see a lot of companies who literally launched with the view to being acquired within three years**__?_

_**OS:**_ I don't think that's the original intent of the vast majority of entrepreneurs. Entrepreneurs are optimistic in nature, that's why they're entrepreneurs, so they always have to be extremely visionary, but you have to be quite pragmatic at one point \[in\] the journey.

Most entrepreneurs aim to become a category leader, in whatever category they choose, and to build a sustainable business. Most of them will not succeed in doing that because that's just the reality of the start-up world in general, and definitely in cybersecurity, which is just a very big market with a lot of problems to be solved.

_**DR: Was there more investment after the COVID-19 pandemic started to slow down?**_

_**OS:**_ There were companies that raised ridiculous amounts of capital with ridiculous valuations, and investors who paid massive premiums just to invest and be a shareholder of a hot startup, and this basically pushed the valuations up.

I used to say that we were partying for two years, and now we're in the hangover stage. During 2021, the party was massive, and now we don't feel so well. So we have a headache but it will go away, it's a temporary situation. We need to realize that.

If you focused on building sustainable companies \[with\] sustainable growth, and focused on solving real problems and growing your area responsibly, you'll be fine.

Q&A: The Outlook for Israeli Cyber Startups, As War Clouds Gather

State-sponsored cyber espionage actors from Russia and China continue to target WinRAR users with various info-stealing and backdoor malware, as a patching lag plagues the software's footprint.

State-sponsored threat actors from Russia and China continue to throttle the remote code execution (RCE) WinRAR vulnerability in unpatched systems to deliver malware to targets.

Researchers at Google's Threat Analysis Group (TAG) have been tracking attacks in recent weeks that exploit CVE-2023-38831 to deliver infostealers and backdoor malware, particularly to organizations in Ukraine and Papua New Guinea. The flaw is a known and patched vulnerability in RarLab's popular WinRAR file archiver tool for Windows, but systems that haven't been updated remain vulnerable.

"TAG has observed government-backed actors from a number of countries exploiting the WinRAR vulnerability as part of their operations," Kate Morgan from Google TAG wrote in a blog post.

Russia-backed advanced persistent threat (APT) groups are the primary perpetrators of the latest attacks on WinRAR, according to Google TAG. On Sept. 6, Sandworm launched an email campaign impersonating a Ukrainian drone warfare training school using an invitation to join the school as a lure.

The infamous APT28 (aka Frozenlake, Fancy Bear, Strontium, or Sednit), another Russia-backed group, also used the flaw to deliver malware, which was targeting energy infrastructure in Ukraine via a phishing campaign that used a decoy document inviting targets to an event hosted by Razumkov Center, a public policy think tank in Ukraine.

Meanwhile, a phishing campaign from China-backed group IslandDreams (APT40) delivered infostealers to users in Papua New Guinea.

RarLab issued a beta patch for the issue on July 20 and an updated version of WinRAR (version 6.23) on Aug. 2, but many systems remain vulnerable and thus ripe for exploitation, Morgan noted. "After a vulnerability has been patched, malicious actors will continue to rely on n-days and use slow patching rates to their advantage," she wrote.

**Exploiting the WinRAR Flaw**

Group-IB discovered CVE-2023-38831 — a logical vulnerability within WinRAR — in July. However, APT groups already had been exploiting the flaw as a zero-day bug since April — including one by the Russia-backed threat group Evilnum that used weaponized ZIP files to target cryptocurrency traders.

The potential to exploit the flaw comes when the temporary file expansion, during archive processing, is combined with a quirk in the implementation of Windows ShellExecute when attempting to open a file with an extension containing spaces, according to Google TAG.

"The vulnerability allows attackers to execute arbitrary code when a user attempts to view a benign file (such as an ordinary PNG file) within a ZIP archive," Morgan wrote.

Later, mere hours after Group-IB posted its blog post outlining its discovery and analysis of the flaw, proof-of-concept exploits (PoCs) — including fake ones — and exploit generators appeared on public GitHub repositories. These fueled further and ongoing attacks on vulnerable systems.

**Latest WinRAR Targeting**

In the Sandworm attack, the messages included a link to an anonymous file-sharing service, fex\[.\]net, which, in turn, delivered a benign decoy PDF document with a drone operator training curriculum and a malicious ZIP file exploiting CVE-2023-38831. The file's payload was Rhadamanthys, a commodity infostealer that can exfiltrate, among other things, browser credentials and session information. Google TAG noted that use of commodity malware is not typical of Sandworm.

Meanwhile, Google TAG observed APT28 using a free hosting provider to serve an initial page that redirected users to a mockbin site to perform browser checks, and then yet again to another stage, which would ensure the visitor was coming from an IPv4 address in Ukraine. At this point the user would be prompted to download a file containing a CVE-2023-38831 exploit.

In late July and early August, the researchers also observed an APT28 attack that dropped the PowerShell script IronJaw, which steals browser login data and local state directories. The attack vector — which drops a BAT file that opens a decoy PDF file and creates a reverse SSH shell to an attacker-controlled IP address — was a new addition to the APT's toolkit, according to Google TAG.

Google TAG has linked a fourth recent WinRAR attack to China-backed IslandDreams — which also is tracked as Bronze Mohawk, GreenCrash, Kryptonite Panda, Periscope, and Mudcarp — through a phishing campaign in late August that targeted users in Papua New Guinea. The phishing emails included a Dropbox link to a ZIP archive containing a CVE-2023-38831 exploit in the form of a password-protected decoy PDF and an LNK file, which led to a next-stage payload known as Islandstager.

The Islandstager payload executes and decodes several layers of shellcode, the last of which loads and executes the final payload, BOXRAT, a .NET backdoor that uses Dropbox API as a command-and-control mechanism.

**Problematic Patching Delays**

Google TAG included indicators of compromise (IOCs) for the various attack scenarios to help users identify if their system is being exploited.

In the meantime, WinRAR users are urged to update their systems if they haven't already, as the campaigns highlight yet again the importance of timely patching — something that still seems to be a global challenge for software users, Morgan noted.

"These recent campaigns exploiting the WinRAR bug underscore the importance of patching and that there is still work to be done to make it easy for users to keep their software secure and up-to-date," she wrote.

Patch Now: APTs Continue to Pummel WinRAR Bug

The state-sponsored threat actors (aka APT34, Crambus, Helix Kitten, or OilRig) spent months seemingly taking whatever government data they wished, using never-before-seen tools.

The Iranian state-aligned advanced persistent threat (APT) known as MuddyWater used an arsenal of new custom malware tools to spy on an unnamed Middle Eastern government for eight months, in just the latest of its many campaigns in the region.

That's according to Symantec, which describes a, at times, daily effort to steal sensitive government data by MuddyWater, which Symantec tracks as "Crambus." The group is also known variously as APT34, Helix Kitten, and OilRig. 

Despite penetrating a dozen computers, deploying half a dozen different hacking tools, and stealing passwords and files, the campaign managed to stay under the radar, lasting from February until September before being disrupted.

"They accessed quite a broad range of computers on the network, so it seems to be a more general attack, rather than going after anything specific," assesses Dick O'Brien, principal intelligence analyst for Symantec.

**MuddyWater's Malware Arsenal**

MuddyWater's latest campaign began on Feb. 1, when an unknown PowerShell script was executed from a suspicious directory on a targeted machine.

In the months that followed, the group deployed four custom malware tools, three previously unknown to the cybersecurity community.

First there's Backdoor.Tokel, for downloading files and executing arbitrary PowerShell commands. Trojan.Dirps is also used for PowerShell commands, and enumerating files in a directory. Infostealer.Clipog is, as the name would suggest, infostealer malware capable of keylogging, logging processes where keystrokes are entered, and copying clipboard data.

Finally there's Backdoor.PowerExchange, discovered but not specifically attributed to MuddyWater back in May. The PowerShell-based tool logs into Microsoft Exchange Servers with hardcoded credentials, using them for command-and-control (C2), and monitoring for emails sent by the attackers. Mail with "@@" in the subject line conceal instructions for writing and stealing files, or executing arbitrary PowerShell commands.

Alongside its own weaponry, MuddyWater also utilized two popular open source hacking tools: Mimikatz for credential dumping, and Plink for remote shell capabilities.

According to O'Brien, the group's months long staying power can be attributed to its choice of weaponry:

"If you introduce new tools, and if you're using legitimate tools, there are no automatic red flags. \[As an analyst\] you kind of have to wait until there's a notification of potentially malicious activity, and start pulling the threads from there."

**MuddyWater Is Back**

MuddyWater has been around since at least 2014, according to Mandiant. A few years back, though, it was written off. "Crambus was one of those groups that we thought might go away because they were heavily exposed in a leak, seemingly by a former contractor or team member," O'Brien points out.

Now, he adds, "they're definitely back."

Over the years, its spying campaigns have spread throughout most of the Middle East – Saudi Arabia, Israel, Turkey, Iraq, Jordan, Lebanon, Kuwait, Qatar, Albania, and the United Arab Emirates (as well as the United States) – touching the financial, energy, telecommunications, chemical, government, and critical infrastructure sectors. The APT has been the subject of US sanctions for its cyber espionage activity; and most recently, that activity has included cyberattacks on Saudi Arabia that featured another fresh malware, known as Menorah; and a supply chain attack on the UAE.

Iran-Linked 'MuddyWater' Spies on Mideast Gov't for 8 Months

It's time to build a culture of privacy, one that businesses uphold.

We live in an exposed world — particularly when dealing with our digital presence. People have become desensitized to the transactional nature of exchanging pieces of themselves for access.

Availability to new accounts, social media platforms, educational opportunities, professional forums, and nearly every need and want that exists on the Internet demands an exchange of personal data.

Big data has discovered the keys to the kingdom, and they come in the form of your personal information.

**A Sense of Powerlessness When It Comes to Preserving Privacy**

The data trade has grown into a multibillion-dollar industry. It's a juggernaut that is constantly hurtling toward new profit margins, often at the expense of personal privacy. And one of the most disconcerting aspects of this concept is the public's often lackadaisical response.

What we've discovered is that it's not that people don't care; it's simply that they're existing in a state of information overload that lends itself to decision paralysis. They know that their privacy is being violated, but feel powerless in the face of well-oiled data brokers. The ability to take back control of their information seems just out of reach, especially with new ways to harvest data taking shape with such frequency.

After conducting a 2,000-person consumer privacy survey, we discovered that 50% of respondents would take more privacy action if they had better tools and 44% if they had a better understanding of what happens to their data once it is shared. The survey also revealed the extreme responsibility individuals feel to maintain their privacy, with 81% saying that they hold themselves most accountable to protect their personal information even after it has been shared.

These insights help us understand that to change the privacy landscape as we currently know it, we must unite in aggressive consumer education and advocacy to support actions that can drive new approaches to privacy.

**Education Requires a Collaborative Effort**

As generations of people begin growing up with constant access to the Internet, we're seeing more of the consequences associated with data sharing. Much like new medications that often don't initially display side-effects, we're starting to clearly feel the side-effects of the public presence of our personal information.

Data breaches feel commonplace — because they are. Nearly 422 million (more than the population of the United States) people were impacted by some form of breach in 2022. Yet, the response within the US is usually to wait and see what happens, maybe put a freeze on credit, or sign up for an activity-monitoring program.

**Personal, Organizational, and Systemic Advocacy Is Needed**

There's a certain culture of reactiveness rather than proactiveness when it comes to a violation of our personal privacy.

To activate change, there must be a collaborative effort between consumers, government agencies, and companies. New legislation has been moving forward, and the public has seen companies like Meta being held accountable for data violations. However, the missing piece is a culture of privacy that is founded and upheld by both established and emerging businesses.

People can take control over what they share, but as long as it comes at the cost of access, they'll continue to feel pressured to provide personal information. With this system of exchange still in place, consumers will have a difficult time advocating for themselves in meaningful ways.

Privacy as a human right is a social movement that all entities need to embrace and support through action. Only in doing this can we truly empower people to take control of their data in a lasting and meaningful way.

The Trifecta of Consumer Data Privacy: Education, Advocacy & Accountability

Should CISOs include only known information in the SEC filings for a material security incident, or is there room to include details that may change during the investigation?

As enterprises continue to weigh which security incidents constitute something material enough to be reported under the Securities and Exchange Commission's (SEC) new rules, CISOs face the challenge of deciding which details to report and, far more critically, which ones to omit.

"This \[SEC\] rule puts CISOs in a very delicate position, and they are not being given a lot of guidance or direction," says Merritt Maxim, a Forrester VP and research director. "You know you've been compromised, but you don't have all the facts on day one."

In the case of a material incident, the CISO, along with the security operations center, would have to prepare a memo with all of the incident details and send it to investor relations and legal. Once those departments have reviewed it, the memo would be used to prepare the filing for the SEC.

Although the new SEC rules take effect Dec. 18, CISOs can already look at the disclosures from three enterprises — Caesars, MGM, and two filings from Clorox — to get an idea of how to comply.:

Since the filings deal with very different incidents, it makes sense that the details contained are also very different. However, the filings are consistent in that they focus on what is known and avoid speculations and predictions. The filings do not share any details that are likely to change either.

**Competing Obligations**

CISOs are simultaneously juggling three competing objectives:

*   **Report as much as you can.** Legally, the goal is to share as much information as possible with investors and potential investors.
*   **Report as little as you can.** From a cybersecurity perspective, the goal is to tell potential attackers as little about your threat landscape and your defenses as possible, especially when the attack has not yet been fully contained.
*   **Report only what you are confident about.** Most initial details are wrong, and reports are repeatedly updated as the days, weeks, and months go by. That raises a thorny question: Is the enterprise obligated to disclose information that they consider to be — initially, at least — of very low reliability?

"Only report what you know by 80% to 90% certainty," says Dirk Hodgson, CISO of NTT Australia. "A few days into an incident, you are simply not going to know a great deal. You still are likely not even close to the point of having surveyed your entire global environment."

Douglas Brush, a special master with the US federal courts and the chief visionary officer for Accel Consulting, stresses that choosing which security incident details are material can be challenging. It's one thing to conclude that the incident is material, he says, but selecting which specific details are relevant and meaningful for the investing public is quite different.

"Most enterprises have no idea what impact cyber operations will eventually have on their businesses," Brush says.

Clorox's SEC filings illustrate the "report what you are confident about" point well, says Phil Neray, vice president of cyber defense strategy at Gem Security. The organization "properly walked a fine line between saying what they knew and making basic estimates about how long it would take to restore operations," he says.

Disclosures should be kept simple and to the facts, agrees Rex Booth, CISO of SailPoint.

"Keep it at a super summary level \[to\] things that are tangible and measurable: which operations were interrupted, which systems were compromised," he says. "Talk about observed impact and not causation. And say that 'we will continue to investigate with outside entities.'"

**What You Don't Have to Say**

Another important element is whether the information is truly going to be of any actionable value to shareholders and potential investors. The value of revealing a specific vulnerability needs to be balanced with the potential of providing attackers with more information that they can use against you, Booth advises.

CISOs must also be aware of what details are already public. In the Caesars and MGM incidents, for example, more information was available via social media than from the filings, such as the fact that guests staying at the two casinos were unable to get into their rooms. That's the kind of detail you can't keep secret, even if you want to.

While it makes sense to report only confirmed details, that advice may not necessarily always be the right call. "On the one hand, you do have to make a judgment on the material of the information," says Naj Adib, a risk and financial principal for cyber and strategic risk at Deloitte. "But your obligation is to disclose."

CISOs should separate what happened from what the organization is going to do about it, Adib says. "There is no requirement to go out and discuss remediation," he adds.

**Higher Profile for Breaches**

From a practical perspective, nothing has changed regarding what has to be reported; the SEC has always required every publicly held company to report anything material to the SEC. The change is about timing — within four days — and the emphasis being placed on the disclosures. The fact that the SEC now has a document dedicated just to reporting cybersecurity incidents will bring incidents front and center with every board of directors and, therefore, with every CEO and CFO.

"This will lead to far more internal attention. This is no longer a line buried in hundreds of thousands of lines in a 10K," Booth says.

CISOs should also bring corporate counsel or outside legal advisers into the disclosure discussions and decisions, says Accel's Brush. This action brings necessary legal advice into the discussion and protects the conversations from being legally discoverable due to attorney-client privilege.

"The CISO's communications with the inside security team are all potentially discoverable," Brush says. With a lawyer present and thus protected, he adds, "As you are preparing your final statement, you can have open and frank discussions."

Source

DARKReading