The router specialist says the attacker's claims to have heisted millions and millions of records are significantly overblown. But an incident did happen, stemming from a successful phish.

Taiwan-based network equipment vendor D-Link this week confirmed that it was the victim of a recent data breach, but dismissed the seeming perpetrator's claims about the severity of the incident as inaccurate and exaggerated.

On Oct. 1, an individual using the handle "succumb" claimed on the BreachForums online community for cybercriminals about having breached the internal network of D-Link in Taiwan. The individual claimed to have exfiltrated some 3 million lines of customer information and source code pertaining to D-Link's D-View network management software.

The self-proclaimed hacker's post identified the stolen data as including names, emails and physical addresses, phone number, and company information on D-Link's customers. 

"This does include the information of MANY government officials in Taiwan, as well as the CEOs and employees of the company," the hacker's BreachForum post went on to add.

**Nowhere Near in Scale As Hacker's Claims?**

According to D-Link, an investigation of the incident that it conducted with its internal team and with experts from Trend Micro showed that while a breach happened, it was nowhere near the scale the hacker portrayed on BreachForums.

For one thing, D-Link said the data that the hacker obtained was outdated, and did not contain any personally identifiable information (PII) or financial data. The number of records that the attacker appeared to have accessed was also just 700 or so — not remotely near the 3 million records the hacker claimed.

Available evidence suggests that the intruder most likely exfiltrated "archaic" registration related data from a D-View system that reached end of life in 2015, D-Link claimed. None of the records that the hacker obtained appear to be currently active. "However, some low-sensitivity and semi-public information, such as contact names or office email addresses, were indicated," D-Link said.

D-Link said it believes the attacker gained access to the "long-unused and outdated data" via a successful phishing attack on one of its employees." 

Following the incident D-Link noted that it has reviewed its access control mechanisms and will implement additional controls as necessary to mitigate against similar threats. "D-Link believes current customers are unlikely to be affected by this incident. However, please get in touch with local customer service for more information if anyone has concerns," the company advised.

**Signal Breach Claims: A Similar Incident in Recent Days**

The incident is the second in recent days where a company has been forced to initiate a review of its security measures, after a breach claim that turned out to be false of exaggerated. 

Earlier this week, the security team at Signal had to respond to rumors about an alleged zero-day vulnerability in the secure messaging service that allowed for full device takeover. After what the company described as a "responsible investigation" of the claims, it determined the claim was just a viral rumor. 

"We have no evidence that suggests this vulnerability is real nor has any additional info been shared via our official reporting channels," Signal said on X (formerly known as Twitter). As part of its verification efforts, Signal said it checked with people across the US government to see if anyone had encountered issues with the service.

In D-Link's case, the hacker's claims prompted an immediate shut down of servers that its security team thought might be relevant. 

"We blocked user accounts on the live systems, retaining only two maintenance accounts to investigate any signs of intrusion further," the company said. The company also scoured its software test lab systems to determine if any sensitive data had leaked into the environment. During the process, D-Link's security team disconnected the test lab from the company's corporate network.

D-Link Confirms Breach, Rebuts Hacker's Claims About Scope

The sensitive nature of medical records, combined with providers' focus on patient care, make small doctor's offices ideal targets for  cyber extortion.

Cybercriminals are stealing medical records from plastic surgery offices to extort doctors and patients.

On Oct. 17, the FBI published a rather bespoke public service announcement aimed at plastic surgery providers, indicating that hackers have been targeting their industry specifically. Their idea, it seems, is to capitalize on the sensitive nature of these procedures, threatening to publish personal information and explicit photographs in order to get both providers and their patients to pay up.

In the last several months, plastic surgery providers have reported data breaches in California and South Dakota. The trend extends beyond US borders, as plastic surgeons in Brazil and the UK have been hit in recent years with ransomware extortion as well.

It's only the latest evidence of a much broader, deeper issue in healthcare cybersecurity.

"There was a time when malicious actors would 'take it easy' on healthcare providers," says Shawn Surber, senior director of technical account management at Tanium. "However, in the last couple of years, that type of behavior has changed and more healthcare accounts are coming under full attack."

**Plastic Surgery Cyberattacks**

As Surber points out, "targeting plastic surgeons and their patients makes a lot of financial sense. Plastic surgery is a lucrative and largely pay upfront business. This means that both the surgeon and patients generally have significant disposable income and are interested in protecting their privacy more against embarrassment than concerns about identity theft."

Then, there are the issues that plague any independent practice. "They're small offices with limited, usually contracted IT support, and they often partner with private surgery centers who have similar limitations. This means that the physician and the surgery center are also potentially communicating outside of traditionally secure channels — like using personal or Web-based email, for example — creating further opportunities for malicious actors to intercept data, credentials, and intelligence."

Hackers are taking advantage of all of these security shortcomings, with what the FBI is characterizing as three-phase attacks.

First, the attackers conduct phishing attacks, deploying malware for the purposes of harvesting sensitive patient information and photos.

Next, they "enhance" the data they've collected by pulling more information about patients from social media, or via further social engineering.

With everything they need in-hand, the attackers contact both patients and their providers, requesting payment in exchange for not sharing the harvested data online. This is where the data "enhancement" comes into play. Beyond publishing the data to a public-facing website to exert extra pressure on victims, the attackers share some of the data with family, friends, and colleagues, promising to stop only once they've been paid.

**How Doctors and Patients Can Defend Themselves**

In its advisory, the FBI offered a few security tips for patients, including practicing good password hygiene, monitoring for suspicious bank account activity, and applying strict privacy settings on social media accounts, to prevent unknown individuals from learning more about you or even posting to your page.

For providers, on the other hand, a few helpful tips won't be sufficient.

"Unfortunately, their infrastructure remains weaker and less cohesive than that of other industries. Add to that the accelerating mergers and acquisitions process in order to keep health systems afloat, and it's become the perfect hunting ground for malicious attackers," Surber laments.

And as bad as extortion is, cyberattackers with the same kind of access to health systems can also do far worse, putting lives at risk by infecting critical devices or otherwise shutting down entire systems.

In lieu of better protections, more stringent regulations, or more funding, Surber offers one potential direction for the industry to pursue.

"I'm of the opinion that healthcare providers need to be more organized into a critical infrastructure working group, with standards of security and group pricing available to them in a managed service model," he suggests. "It certainly won't be a cheap solution, as there are tens of thousands of providers in the US alone. But perhaps if they were all working together effectively, we could see our way to a future where they're not alone and vulnerable. A future where their systems are maintained and updated continuously, and they're alerted as things happen rather than when they get an extortion demand."

FBI: Hackers Are Extorting Plastic Surgery Providers, Patients

Analysis of more than 1.8 million admin portals reveals IT leaders, with the highest privileges, are just as lazy about passwords as everyone else.

After sifting through more than 1.8 million pages identified as admin portals, researchers made a disheartening discovery — 40,000 of them used "admin" as its password, making it the most popular credential used by IT administrators.

The research was conducted on 2023 passwords between January and September by a team with Outpost24, which also found an increased reliance on default passwords.

The top 10 passwords discovered by the analysis included common defaults and easy-to-guess options:

1.  admin
2.  123456
3.  12345678
4.  1234
5.  Password
6.  123
7.  12345
8.  admin123
9.  123456789
10.  adminisp

"While our top 20 findings are limited to known and predictable passwords, the fact that they were associated with admin portals also tells us that bad actors are well equipped to target privileged users," the Outpost24 team explained.

The researchers highlighted the continuing efforts of "traffers," organized groups of cybercriminals that use malware to target admins and steal their credentials.

"To secure passwords and consequently business data, there are two key takeaways," the report added. "One is securing passwords through standard best practices, and the second is avoiding malware infection."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

The Most Popular IT Admin Password Is Totally Depressing

Under the Security Appraisal Framework and Enablement (SAFE) program, device manufacturers will be able to work with approved auditors to verify firmware.

In a bid to improve data center hardware and firmware security, the Open Compute Project announced the Security Appraisal Framework and Enablement (SAFE) program at OCP Summit event this week.

The program would provide an open source, standardized audit checklist and criteria for selecting third-party auditors to review device firmware. The idea is twofold: have the OCP community develop a device-specific audit checklist and criteria for auditor selection, and then have customers use the criteria to select auditors who use the checklist to verify firmware. The framework is intended to reduce costs and redundancy around device security reviews, according to the OCP.

"The OCP S.A.F.E Program defines and enforces a consistent framework for testing, validating, and assuring the security and integrity of devices at the very heart of today's cloud," said Gunter Ollmann, CTO at IOActive, one of the organizations currently enrolled as a security review provider for the program, in a statement. "Data center owners that have struggled to maintain and enforce their unique security requirements for hardware and firmware, and device vendors that have had to piece together a costly jigsaw of overlapping and inconsistent requirements across their many data center customers, can now align against a single consistent and stringent methodology delivered by an accredited and mutually trusted pool of security auditors."

At the moment, independent third-party audits of firmware are complicated because only a subset of customers ever see audit results. SAFE's objective is to allow device and system manufacturers to commission an OCP-approved security review provider to audit their firmware and then share the results with customers. With this framework, cloud providers and data center operators could increase the pace at which they receive, trust, and deploy critical firmware updates in their environments, according to the OCP.

While the program is a step in the right direction because it draws more attention to underserved areas in cybersecurity, such as firmware security, it might not be enough to impact the ecosystem because the focus is still on costly and slow audits, according to Alex Matrosov, founder and CEO of Binarly.

"I see a combination of the approaches we tried before, but unfortunately, it doesn't change much," he says.

It is not clear how the results of the SAFE audits will be visible in the long term and what type of impact it will create on the ecosystem.

"Relying heavily on manual code reviews is inherently limited in scalability and is deeply influenced by human factors," Matrosov says. "While introducing such workflows might guarantee steady work for code audit shops, I remain skeptical about their efficacy without the support of proper tooling and automation."

Binarly has disclosed more than 400 "high-impact vulnerabilities" during the year, and the timeline for fixing them remains very slow. For example, even after Binarly's joint disclosure with Qualcomm last January, Microsoft has not finished patching its ARM devices.

For things to change, the industry needs to emphasize "automation in vulnerability discovery, risk assessment, and prioritization," Matrosov says.

OCP Launches SAFE to Standardize Firmware Audits

The latest threat to Citrix NetScaler, CVE-2023-4966, was exploited as a zero-day bug for months before a patch was issued. Researchers expect exploitation efforts to surge.

A critical security vulnerability in Citrix NetScaler patched last week is under active attack — and has been since at least August.

Making matters worse, the bug (CVE-2023-4966, CVSS score 9.4), can't be fully remediated by simply applying the patch, Mandiant warns.

To that point, "organizations should ... terminate all active sessions," Mandiant CTO Charles Carmakal explained in a LinkedIn post on the active Citrix exploitation this week. "These authenticated sessions will persist after the update to mitigate CVE-2023-4966 has been deployed. Therefore, even after the patch is applied, a threat actor could use stolen session data to authenticate to resources until the sessions are terminated."

Technically an information-disclosure vulnerability, the flaw allows cyberattackers to hijack existing authenticated sessions and potentially bypass multifactor authentication (MFA). The result is full control over NetScaler environments, which control and manage application delivery within enterprises.

**Zero-Day Exploitation Since August**

Mandiant has traced attacks exploiting the bug back to late summer, carried out by an unknown threat actor. Carmakal said that the ongoing exploitation appears focused on cyberespionage, with professional services, technology, and government organizations so far in the unknown attackers' sights.

"We anticipate other threat actors with financial motivations will exploit this over time," he added.

That's a likely prediction given that organizations have a poor track record when it comes to mitigating known threats against Citrix gear. For instance, earlier in the month it came to light that legions of attackers are still targeting CVE-2023-3519 (CVSS score of 9.8), a critical pre-authentication remote code-execution (RCE) vulnerability in Citrix NetScaler gateways that was addressed in July (but exploited as a zero-day for a month before that).

Thousands of credential-theft attacks ensued after the disclosure, cresting in August as patching lagged. As of early October, according to the Shadowserver Foundation, more than 1,300 backdoored NetScaler instances were still appearing in scans.

As far as the latest critical security bug goes, customer-managed Citrix NetScaler ADC and NetScaler Gateway installations are affected; cloud instances are not, as outlined in the Citrix bug advisory, which also includes information about patched versions. Mandiant on Wednesday also offered updated, detailed remediation guidance for CVE-2023-4966.

Critical Citrix Bug Exploited as a Zero-Day, 'Patching Is Not Enough'

Endpoint management based on open source agents, such as osquery, could simplify IT management and security while giving larger firms more customization options.

A smattering of security startups are building ecosystems around the open source security agent osquery as a way to allow companies to reduce their reliance on proprietary software and to customize the IT monitoring and security tool to their needs.

On Oct. 17, endpoint management firm Fleet updated its lightweight osquery agent with the capability to execute scripts on managed hosts, allowing the agents to not only monitor systems, but to manage them and respond to incidents as well. Enterprises have seen a proliferation of agents over time, with separate agents to manage antivirus, firewalls, logging, data security, and configuration now common, to name a few.

The result has been complexity creeping into IT management and security operations, says Mike McNeil, co-founder and CEO of Fleet.

"On one hand, you've got people that are buying these giant monolithic things, and then on the other hand, you've got the people that are stringing together a bunch of open source tools, and you end up with these architectural diagrams that are a big — frankly, kind of a big mess," he says. "I think that people are looking for a consistent interface to everything, something that's a little bit more modular."

Many companies are fighting back against the creep of complexity by using osquery as the universal endpoint agent, says Santiago Bassett, founder and CEO of Wazuh. Facebook originally developed osquery for internal use and then open-sourced it in 2014. The osquery agent monitors the operating system's state, saves it in an SQL database, and allows administrators to query the agent to receive information about the system, such as log analysis, compliance state, configuration management, and results of security checks.

"That's the trend, where users are consolidating different agents that have very specific purposes, and now they have \[fewer\] agents that are more comprehensive, more horizontal, that deliver more capabilities," he says. "I wouldn't be surprised if there are more initiatives to say — this specific capability that everybody is actually using relies on the same source code, which is open source, so let’' all agree on using that same \[agent\]."

**Osquery, the Universal Endpoint Agent?**

The idea of using osquery as a universal endpoint monitoring agent is one at least as old as the open source agent itself. Other open source tools, such as Sysdig and OSSec, have some overlap in functionality with osquery but different focuses. Sysdig allows the low-level instrumentation of the kernel, which makes it a popular way to monitor containerized applications in the cloud, while OSSec is focused on host-based intrusion detection (HID) and compliance on Linux and Windows systems.

A variety of companies have based their technology on osquery, which works on Windows, MacOS, and Linux systems. In addition to Fleet, open security platform Wazuh, zero-trust solution provider Kolide, open source Apple device manager Zentral, and cloud and endpoint management firm Uptycs all use osquery or integrate with systems already running the agent.

Security and IT management vendors have differentiated their offerings, but much of that differentiation can be accomplished in how the information provided by osquery is operationalized. The basic functionality of instrumenting the endpoint should not be that point of differentiation, says Wazuh's Santiago.

"Vendors are always going to have some interest in differentiating, of course, from other vendors that say, 'Oh, we add value here, we have value there,' but there are things that are already solved in the industry that we all do," he says. "There's really no way to add value to how I collect logs from a Windows system — I just read those logs."

**From Passive Monitoring to Active Response**

But companies do not just want visibility and monitoring, which is why Fleet added the ability to execute scripts using the osquery agent. Using the capabilities, which other providers have as well, helps turn the agent into a tool for managing endpoints as well. Companies can now push patches to remote devices and shut down specific features, such as USB ports, to better secure systems and reduce their attack surface area, says Fleet's McNeil.

The goal is not to replace endpoint detection and response, but to give companies the ability to have greater visibility and, if they detect something odd, to do something about it, he says.

"The idea of self remediation — being able to detect malware with Yara and automatically you'll run a script to remove it or isolate the computer on the network — now you can kind of own all those tools and build that yourself any way you want," he says. "So the more we can simplify this and open it up, the better."

Open Source Security Agents Promise Greater Simplicity, Flexibility

Facing a potential cascade of legal challenges from industry groups and state attorneys general, the EPA has rescinded its cyber-rules. But where does that leave local water safety?

_**TL;DR: Facing legal challenges from state AGs and water associations, the EPA decided to give up its fight to mandate cyber-risk assessments for water utilities — for now. Experts warn that the sector is woefully at risk for escalating cyberattacks, and they explain why and offer insights for what utilities should do next.**_

The Environmental Protection Agency last week withdrew rules governing cybersecurity standards for the public water sector, after industry groups and Republican lawmakers brought litigation on the issue. But cybersecurity experts warn that public safety and health is at risk without cyber improvements in the sector, as cyberattacks threaten to flow freely.

The now-defanged rules were established in a March 3 interpretive memorandum (PDF), and they would have required water systems to include a cybersecurity evaluation for operational technology (OT) and industrial control systems (ICS) during any sanitary survey.

The Sanitary Survey Program requires periodic, mandated onsite reviews of the water source, facilities, equipment, operation, and maintenance of a system to make sure that it can produce and distribute safe drinking water. The cyber dimension is an augmentation of the existing rule that the EPA added, thus circumventing the usual, politically charged rulemaking process for introducing new regulation.

According to Mike Hamilton, CISO of Critical Insight, the augmentation is "just a requirement to assess each environment and provide those results to the EPA," adding that the ask is "truly not hard or expensive to meet." The exercise would allow the federal government to determine the extent to which support (through grants, for example) should be allocated, he says, and "more importantly, the aggregate results would identify areas of systemic vulnerability that could be addressed as a priority." 

However, others in the political and policymaking world disagree on the need for the requirements as they were proposed — specifically three state attorneys general and a pair of industry groups.

**EPA Blowback From Industry, Conservatives**

The sanitary surveys aren't going away, but including cybersecurity checks within them is a bridge too far, argued Republican lawmakers, who quickly mounted a multistate legal challenge to the augmentation of the Sanitary Survey Program, arguing that the EPA has no right to simply amend existing rules without a public comment period or legislative approval.

They also argued that the cost of considering cybersecurity as part of sanitary checks would be prohibitive — although estimates as to the cost of the reviews have not been made public.

"Rather than cleaning up our water, the federal government is hurting Iowa's small towns," said Iowa Attorney General Brenna Bird, in a statement made in April after joining the litigation. "At a time of soaring inflation, where it's hard enough to make ends meet, the federal government insists on making Iowans' water bills more costly. We're going to hold the Biden Administration accountable and protect Iowans' pocketbooks."

The American Water Works Association (AWWA) and the National Rural Water Association (NRWA) meanwhile in July won a petition to the US Court of Appeals for the Eighth Circuit to stop the cybersecurity rules from going into effect until the litigation was complete.

"NRWA commends the court for issuing this stay preventing EPA from enforcing the Cybersecurity Rule until it is determined if it has been lawfully implemented," said NRWA CEO Matthew Holmes in a statement at the time. "While NRWA fully supports efforts to strengthen cybersecurity in small communities across the country, enforcing this regulation is not the best way to help small and rural systems, and could have costly and unnecessary consequences."

In absence of cybersecurity mandates, the EPA is hoping to work with states, drinking water systems, and wastewater systems to implement voluntary measures, including conducting cybersecurity risk assessments and providing user training.

"There are upwards of 150,000 water facilities in the US. Expecting a small, rural water board to be able to operate under the same requirements, cyber or otherwise, as New York City is presently unrealistic," says Stephen Mozia, OT cybersecurity practice leader at Optiv. "A combination of local, state, and federal regulations and voluntary measures, such as investing in cybersecurity best practices, can bridge the gap in the long term."

**Cyberattackers Look to Make Waves**

The developments come as threats to water utilities continue to lurk on the edges of the critical infrastructure landscape.

"Cybersecurity represents a serious and increasing threat to drinking water and wastewater utilities," according to the EPA's recent notice withdrawing the rules (PDF). In the March memo, it put a finer point on the problem: Cyberattacks have the "same or even greater potential to compromise the treatment and distribution of safe drinking water as a physical attack," it warned.

Indeed, Kaspersky's 2023 H1 incident overview report on ICS systems showed that water supply and sewage companies were among the most-attacked critical infrastructure industries, with four officially confirmed incidents. In one instance, Galil Sewage Corp. in Israel's Galilee region confirmed that an attack targeted its programmable logic controllers (PLCs), which led to a temporary halt of its irrigation operations.

Evgeny Goncharov, head of Kaspersky ICS CERT, notes that the water system attacks were carried out by low-skilled actors and hacktivists, demonstrating how easy it is to access and manipulate OT systems.

"As the time passes, we see that both the hacktivists evolve, and more and more attacking tools and knowledge becomes available for them," he warns.

APTs could get into the mix too, he adds: "The geopolitical tensions may change everything in a minute — should another state decide attacking critical infrastructure of a 'non-friendly country' is not a taboo anymore."

To boot, financially motivated actors could be another risk.

"Cybercriminals may decide that the current most common monetizing scheme (data lock and/or extortion for ransomware and resale) is not efficient anymore \[and\] they may switch to locking physical equipment … which would be way more devastating than the current \[ransomware attacks\]," he says.

Unwanted outcomes could include loss of water quality through compromise of chemical injection and filtration processes, complete loss of availability of control systems and the need to revert to manual processes (traveling to manually open valves, measuring water levels), and, importantly, "disruption to waste treatment processes (also part of the water sector) that can very rapidly devolve into a public health emergency," Critical Insight's Hamilton points out.

**Water System Cybersecurity Takes Long-Term Vision**

While security researchers note that the EPA's heart is in the right place, securing and hardening water infrastructure is an incredibly complex task that will require a mesh of different yet related courses of action, and a good amount of industry-sector education.

"Water utility infrastructure is something not that easy to secure because of its diverse and distributed nature," explains Goncharov. "Lots of small and midsize objects equipped with different OT systems by multiple vendors, normally outdated, with various type remote connections. The other problem would be lack of qualified cybersecurity specialists to manage all the infrastructure security and the general low cybersecurity culture of personnel."

To get arms around the problem, Hamilton recommends that utilities first take the EPA up on its offer to support voluntary risk assessments. While funding is there for some improvements — the Cybersecurity for Rural Water Systems Act of 2023 has earmarked $7.5 million for rural water systems security, for instance — operators need to determine how to spend it.

"Operators are fully capable of using the NIST Cybersecurity Framework (CSF) to self-assess, identify areas of risk, and develop a corrective action plan with budget estimates," he says. "This information could be brought to the utility commissions that manage rates and potentially address the costs through rate increases. This assessment is not difficult, can be performed over one or two days, and would help the operators understand more broadly how to manage risk in these environments."

In addition, security specialists and government resources should put effort into deep cybersecurity awareness programs.

"Operators of water utilities, and especially the small and rural utilities that raised the objection regarding costs of assessments, generally come from a background in the trades and not information technology and are not versed in cybersecurity," Hamilton says. "Risk management is typically aligned with physical security to the exclusion of IT and OT."

Kaspersky's Goncharov suggests that regulatory bodies also "should do the hard work of preparing answers and how-tos to all the most common questions, explaining to the organizations both things technical (such as how the state/central incident monitoring system is secured and why they should trust it, and how it would be supporting the sector); and organizational/financial."

EPA Turns Off Taps on Water Utility Cyber Regulations

The sophisticated APT employs various tactics to abuse Windows and other built-in protocols with both custom and public malware to take over victim systems.

North Korea's Kimsuky advanced persistent threat (APT) continues to evolve its attack methods and grow in sophistication, expanding its ability to control victims' systems with the use of legitimate system remote-desktop tools and novel custom malware in its latest attacks.

The threat group — one of several that work at the behest of North Korean Supreme Leader Kim Jong-Un — recently has been spotted abusing Remote Desktop Protocol (RDP) and other tools that allow it to remotely take over targeted systems, even installing open source software to an environment if RDP is not present, researchers from South Korea's AhnLab revealed in a blog post Oct. 18.

"The Kimsuky threat group is continuously abusing RDP to obtain control over infected systems and exfiltrate information," according to the post by the AhnLab Security Response Center. "RDP can also be used in the initial access process using brute force and dictionary attacks, or during lateral movement."

Kimsuky, active since 2013 to commit cyber espionage on the behalf of Jong-Un's regime, is also evolving tactics beyond this protocol to gain remote control of compromised desktop systems in recent attacks, according to the researchers.

In addition to RDP abuse, the group is wielding the open-source virtual network computing (VNC) tool TightVNC, which is similar to RDP in that it's a screen-sharing system for remote control of other computers. In some cases, the group even tapped Chrome Remote Desktop, which is supported by the Google Chrome browser, to control infected systems, the researchers said.

**Malware Mix**

Overall, recent attacks show Kimsuky continuing to use spear phishing as its initial method of access to compromise systems with BabyShark, its oft-used custom malware for persistence and the collection of system info, before attackers move on to installing other custom-built and open source malware.

The group also has added new post-compromise malware to its arsenal, leveraging RevClient to send commands from its command-and-control (C2) server to add user accounts to a victim's system, and public malware TinyNuke, a banking Trojan.

As is typical, the ultimate goal after gaining control of systems is to steal internal information and technology from its targets, which are typically research, defense, diplomatic, and academic sectors in South Korea but also other countries that demonstrate a political or strategic interest for the regime.

**Multiple-Session RDP**

One particularly interesting bit of novel RDP functionality that Kimsuky has been seen wielding recently is the ability to support multiple sessions of RDP on a Windows system — something that Windows desktop OS natively does not allow.

"Ordinarily in Windows desktop environments, only one session is supported when connecting via RDP, unlike servers," according to the post. "As only one session is supported for one system, even if the user accounts are different, when the threat actor remotely connects to a system, the existing user's session is terminated."

In previous attacks, Kimsuky used Mimikatz and other malware to patch the memory of the currently running RDP service process to bypass the single-session limit. However, in recent attacks, the group now is using malware named "multiple.exe" to support multiple-session RDP, as well as to add user accounts for further control.

The novel malware RevClient that the group deploys in recent attacks also has features similar to "multiple.exe" but executes multiple-session capability in a different way, according to the researchers. Kimsuky also is leveraging RevClient to receive commands from C2 to perform user account-related tasks as part of its overall control of a compromised system.

**Defending Against RDP Abuse**

With lines beginning to blur between Kimsuky and other North Korea-sponsored groups like Lazarus as they organize and align to share tools and tactics, it's important that organizations do what they can to protect themselves against these evolving threats, according to AhnLab.

RDP is an especially sensitive attack surface because it's one of the services that come pre-installed in Windows systems, demanding adequate management to detect or prevent such incidents of compromise.

To do this, users should refrain from opening attachments on suspicious emails or when installing external software and instead only purchase or download them from official websites, the researchers noted. Desktop users also should set complex passwords for their accounts and change them periodically to diminish chances that they can be brute-forced.

Updating to the latest and most secure versions of the Windows OS and employing endpoint security products as well as sandbox-based APT solutions can also help protect systems against cyberattacks.

North Korea's Kimsuky Doubles Down on Remote Desktop Control

Building a culture of cybersecurity is achievable by acknowledging its importance and consistently reinforcing that message.

Highly experienced information security team in place? Check.

Leading endpoint detection software and monitoring in place? Check.

Multifactor authentication enabled on all environment entry points? Check.

By all accounts, cutting-edge technology and skilled cybersecurity resources should be the end of the story for ensuring network integrity, right? If only it were that simple. With a recent survey indicating that 74% of cyber incidents include a human component to enable a threat actor, a company must do more to ensure a culture of cybersecurity and to protect its organization. 

So what does _more_ look like?

**A More Secure Organization**

More starts with understanding there is _always_ a cybersecurity risk and ultimately ends with an established culture across all levels of the organization committed to collectively mitigating that risk. Let's  run through a few approaches that can help establish that culture and, thus, a more secure organization.

*   **It starts at the top:** Building a culture from the top down is not a new concept, but its relevance to cybersecurity within organizations is gaining the traction it deserves. At a base level, in order to simply have the technical applications and experienced personnel in place to adequately protect an organization, you need the individuals with the purse strings to be onboard. The sell likely has become easier over the past several years as incidents are in the news, the visibility grows, and those in the C-suite see similarly situated organizations fall victim to cyberattacks. At the end of the day, the message needs to be loud and clear from an organization's leadership that: a) we understand and appreciate the evolving cybersecurity risk to our company; and b) we are willing to invest in the security of our environment (both from technical and non-technical standpoints) to protect our business.
*   **Demonstrate that cybersecurity matters:** It might seem like we're asking a lot of an organization's leadership when it comes to creating a culture of cybersecurity, and that might be true. But building a culture of any kind within an organization begins with leadership embracing an idea and then continuing to acknowledge and engage on the topic. In this context, it means making cybersecurity part of the lexicon of an organization and finding the right opportunities to continuously demonstrate its importance to the company. How an organization decides to do this might depend on how it communicates with its workforce generally on other important topics, but some simple options include: 1) Regularly re-engaging on the topics of cybersecurity via an email newsletter from the chief information security officer (CISO) — highlighting not just what the company is doing on the technical side, but what challenges all organizations are facing related to evolving threats (e.g., AI) and the CISO's take on how every employee can help; and 2) Discussing cybersecurity on CEO- or COO-led companywide calls and emphasizing the importance of a strong cybersecurity culture to the longevity and success of the business. The more leadership discusses the importance of a culture of cybersecurity, the more employees will acknowledge that risk and ultimately accept a level of responsibility for the organization's cybersecurity safety.
*   **Educate (and then test and test again):** Ben Franklin once said, "An investment in knowledge pays the best interest," and when the average cost of an incident globally is in excess of $4 million, that certainly rings true when it comes to cybersecurity. There can be no doubt, the investment in educating and building an employee base knowledgeable about cybersecurity has _real_ economic value to an organization. This training allows employees to act as the last line of defense against a range of cyber threats, but perhaps equally as important, it empowers every employee to be a cybersecurity advocate for the organization, reminding their colleagues the importance of vigilance in support of a culture of cybersecurity. So how do you educate your employees? It starts with implementing a robust cybersecurity training program (hopefully something both educational and fun) and it continues by keeping your employees on their toes — using test phishing emails (and even text messages). The training and testing are then followed up with subsequent "re-training," if needed, to keep cybersecurity top of mind. Organizations can then share the outcomes of these test phishing emails with all employees (on standing calls or in their CISO newsletter) to take advantage of another key opportunity to speak to and re-enforce the importance of cybersecurity with real data and then share ways to help everyone do better.

At the end of the day, building a culture of cybersecurity is achievable by acknowledging its importance and consistently reinforcing that message. The goal is to have people thinking and talking about cybersecurity as part of their normal course of business and not simply in the context of "another training" or as something completely divorced from their role. When you find your teams are having a conversation about the latest phishing test email (for a free Thanksgiving turkey) or a recent cyber event impacting a competitor, you are witnessing the true reflection of a successful culture of cybersecurity. You should take a moment to applaud your team's success, and then, of course, plan for how to keep it going.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

The Need for a Cybersecurity-Centric Business Culture

The hacktivists known as SiegedSec identify ICS targets, but there's no evidence of attacks yet.

The hacktivist group SiegedSec has claimed responsibility for a series of attacks against Israeli infrastructure and industrial control systems (ICS), but there is no indication that the listed IP addresses have experienced any attacks.

The hacking group put together a list of what it claims are its Israeli ICS targets, which was recently uncovered by SecurityScorecard's Threat Research, Intelligence, Knowledge, and Engagement (STRIKE) Team. An image of the list — found via analysis of various dark Web groups — shows a series of IP addresses with the claim "we have unleashed mass attacks on Israeli infrastructure."

**Who Made the List**

According to a new report from STRIKE, SiegedSec claims it conducted a series of denial of service (DoS) attacks against a number of ICS devices and other Israeli infrastructure with the support of the pro-Iranian hacktivist group Anonymous Sudan. The purported targets included: global navigational satellite system receivers, building automation and control networks, and Modbus ICS — a communication protocol for communication between industrial electronic devices.

However, a sample of NetFlow data seen by SecurityScorecard does not indicate that the listed IP addresses had experienced volumes of traffic consistent with a DoS attack.

"In the absence of reported disruptions to Israeli infrastructure, the available NetFlow sample appears to support assessments that SiegedSec's attacks were either unsuccessful or have not yet begun in earnest," the report said.

Other researchers' assessments also determined that these attempts were likely to have been unsuccessful, and to conduct a DoS against these targets may be outside the attacker's capability.

That said, rather than just being a list of targets the SiegedSec planned to hit, Robert Ames, staff threat researcher at SecurityScorecard, says the document could be a "call to action" to other attackers who could potentially take advantage of the target identification.

He says: "This seems particularly likely given they also mentioned collaborating with Anonymous Sudan in the same post where they listed their targets. Groups like Anonymous Sudan and KillNet have, in the past, used their Telegram channels to name specific targets in hopes of enlisting further support from their channels' followers."

Ames adds, "SiegedSec is, in certain respects, comparable to Anonymous Sudan: Neither appears to possess the same sophistication or capabilities as a nation-state-backed advanced persistent threat group, but both appear to be motivated by publicity."

**Who Are SiegedSec?**

The SiegedSec group appeared shortly after the Russian invasion of Ukraine in 2022, and has conducted a series of attacks around that conflict, including an alleged data theft on the NATO Communities of Interest Cooperation Portal in July, followed by a second attack on multiple NATO portals earlier this month.

The group was also reportedly behind the attack on Atlassian in February, where a third-party app was breached, compromising employee data and floor plans of Atlassian offices located in San Francisco and Sydney, Australia.

To avoid compromise from this or any other attacker, SecurityScorecard recommended that organizations review the business necessity of exposing ICS devices to the wider Internet and place them behind a VPN or firewall when possible. Also, organizations should consider restricting access to ICS devices by adding dependent IPs to an allow list. 

The firm also recommended blocking the listed IPs in SecurityScorecard's KillNet Bot Blocklist, putting in DDoS mitigations, and configuring DNS resolvers and proxy servers to only accept requests from internal IP addresses and authorized users.

**A Week of Attack Claims**

At the start of last week, the US National Security Agency's director of cybersecurity Rob Joyce said US intelligence had not observed evidence indicating there had been any significant cyberattacks so far in the Israeli-Hamas conflict.

Yet a number of claims of attacks were made at the start of last week, with Anonymous Sudan naming the Israeli government in online discussions as a main target, and the AnonGhost hacktivist group said it had managed to breach the "RedAlert" airstrike warning app to send messages.

Also, information operations entered the discussion last week when pro-Iranian and pro-Chinese groups were detected as being involved in anti-Israel propaganda campaigns.

Source

DARKReading