Two novel malware binaries, including "HiatusRAT," offer unique capabilities that point to the need for better security for companies' router infrastructure.

A cyber-espionage campaign featuring novel malware has been uncovered, targeting DrayTek routers at medium-sized businesses worldwide.

Unlike most spyware efforts, this campaign, dubbed "Hiatus" by Lumen Black Lotus Labs, has dual goals: to steal data in targeted attacks and to co-opt routers to become part of a covert command-and-control (C2) infrastructure for mounting hard-to-trace proxy campaigns.

The threat actors use known vulnerabilities to target DrayTek Vigor models 2960 and 3900 running an i368 architecture, according to an analysis this week on Hiatus from Black Lotus. Once the attackers achieve compromise, they can plant two unique, malicious binaries on the routers. 

The first is an espionage utility called tcpdump, which monitors router traffic on ports associated with email and file-transfer communications on the victim's adjacent LAN. It has the ability to passively collect this cleartext email content as it transits the router.

"More established, medium-size businesses run their own mail servers, and sometimes have dedicated internet lines," according to the report. "These networks utilize DrayTek routers as the gateway to their corporate network, which routes traffic from email servers on the LAN to the public internet."

The second binary is a remote access Trojan (RAT) called HiatusRAT, which allows cyberattackers to remotely interact with the routers, download files, or run arbitrary commands. It also has a set of prebuilt functions, including two proxy functions that the threat actors can use to control other malware infection clusters via an infected Hiatus victim's machine.

**HiatusRAT's Proxy Functions**

The two proxy commands are "purpose-built to enable obfuscated communications from other machines (like those infected with another RAT) through the Hiatus victims," according to the Black Lotus report.

They are:

*   **socks5:** Sets up a SOCKS version 5 proxy on the compromised router.
*   **tcp\_forward:** For proxy control, this takes a specified listening port, forwarding IP, and forwarding port and transmits any TCP data that was sent to the listening port on the compromised host to the forwarding location. It establishes two threads to allow for bidirectional communications between the sender and the specified forwarding IP.

The ability to turn the router into a SOCKS5 proxy device "allows the threat actor to interact with malicious, passive backdoors such as Web shells via infected routers as a midpoint," explains Danny Adamitis, principal threat researcher for Lumen Black Lotus. "Using a compromised router as the communications for backdoors and Web shells enables the threat actors to bypass geo-fencing-based defense measures and avoid being flagged on network-based detection tools."

The TCP function, meanwhile, has likely been designed to forward beacons or interact with other RATs on other infected machines, which would "allow the router to be a C2 IP address for malware on a separate device," according to the report.

All of this means that organizations shouldn't underestimate their worth as a target, the report noted: "Anyone with a router who uses the internet can potentially be a target for Hiatus — they can be used as proxy for another campaign — even if the entity that owns the router does not view themselves as an intelligence target."

**Varied Types of Hiatus Victims**

The campaign is unusually small, having infected only around 100 victims, mainly in Europe and Latin America.

"This is approximately 2% of the total number of DrayTek 2960 and 3900 routers that are currently exposed to the Internet," according to Adamitis. "This suggests the threat actor is intentionally maintaining a minimal footprint to limit their exposure and maintain critical points of presence."

In terms of espionage, some of the victims are "targets of enablement," says the researcher, and include IT service and consulting firms.

"We believe the threat actors target these organizations to gain access to sensitive information about their customers’ environments," using the scraped email communications to mount downstream attacks, Adamitis says.

He adds that a second grouping of victims can be considered targets of direct interest for data theft, "which included municipal government entities and some organizations involved in the energy sector."

While the number of primary victims is small, the scope of the data theft suggests an advanced persistent threat as the culprit behind Hiatus.

"Based upon the amount of data that would be collected from these accesses, it leads us to believe that the actor is well resourced and is capable of processing large volumes of data, suggesting a state-backed actor," Adamitis notes.

**What to Learn From Hiatus**

The key takeaway for businesses is that the conventional idea of perimeter security needs to be adapted to include routers.

"The benefits of using routers for data collection are that they are unmonitored, and all traffic passes through them," Adamitis explains. "This stands in contrast to Windows machines and mail servers, which usually have endpoint detection and response (EDR) and firewall protections deployed in enterprise networks. This lack of monitoring allows the threat actor to collect the same information that would be achieved without directly interacting with any assets that might have EDR products pre-installed on them."

To protect themselves, businesses need to make sure that routers are "routinely checked, monitored, and patched like any other perimeter device," he says.

Organizations should take action: The Hiatus binaries were first seen last July, with new infections continuing up to at least mid-February. The attacks use version 1.5 of the malware, indicating that there could have been activity using version 1.0 prior to July. Black Lotus said that it fully expects the activity to continue.

Hiatus Campaign Infects DrayTek Routers for Cyber Espionage, Proxy Control

An Acer statement confirms that a document server for repair techs was compromised, but says customer data doesn't appear to be part of the leak.

Acer has confirmed its systems were breached after a threat actor offered 160GB of data they say was stolen from the electronics company.

Acer sells a variety of consumer electronics products, including Chromebooks, monitors, laptops, and desktop PCs.

The post in the cybercrime forum claims to have a slew of secret information for sale, including Acer slides, employee manuals, and product information. Acer said in a statement reacting to the claims that the compromised data doesn't appear to include customer information.

"We have recently detected an incident of unauthorized access to one of our document servers for repair technicians," Acer said in a statement about the cybersecurity incident. "While our investigation is ongoing, there is currently no indication that any consumer data was stored on that server."

Acer has suffered several compromises over the past few years, including a $50 million ransomware attack in March 2021.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Acer Confirms Data Offered Up for Sale Was Stolen

Flaw in Toyota's C360 customer relationship management tool exposed personal data of unknown number of customers in Mexico, a disclosure says.

A production API in Toyota's C360 customer relationship management (CRM) tool loaded with the personal information of an unknown number of the carmaker's customers in Mexico was found to expose reams of sensitive data.

A disclosure from threat hunter Eaton Zveare outlines how it was possible to access Toyota customers' names, addresses, phone numbers, emails, and tax identification numbers, as well as vehicle ownership and service history stored in the C360 CRM.

After reporting the issue to Toyota, Zveare said the sites were taken offline, and the APIs were secured so that they now require an authentication token.

"I would like to stress that I do not know how many customers are in this CRM," Zveare wrote. "There wasn't a user list — it was only possible to search for customers by name, ID, phone number, or email address."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Hacker Cracks Toyota Customer Search Tool

**LONDON, United Kingdom— March 7, 2023 —** ManageEngine, the enterprise IT management division of Zoho Corporation, today announced that it has added a security and risk posture management dashboard to Log360, its unified security information and event management (SIEM) solution with integrated DLP and CASB capabilities. Enterprises can leverage this new feature to implement proactive security strategies and prevent cyberattacks before they occur.

Establishing a proactive security strategy relies largely on assessing the risks of network platforms continuously. Risk assessment and management, if done right, strengthens enterprise security and thereby prevents hackers from intruding in the network. Compliance regulations across regions require enterprises of all industries and sizes to follow security best practices to harden their network infrastructures. AD is often a primary target for adversaries. Continuously assessing AD risks and enhancing its security posture are essential to preventing cyberattacks from happening.

**Pre-empt Intrusions with Log360's Security and Risk Posture Management**

Stolen or compromised credentials are a common attack vector. Once an account within an organisation is compromised, attackers can get hold of other user accounts, move laterally through the network, and access sensitive data. This is where AD security hardening can help an organisation ward off security threats related to sensitive data. 

"With the introduction of more regional compliance mandates, aligning security and compliance is more crucial than ever and has become an important conversation in board meetings. Security and risk posture management—a proactive security strategy—is an integral part of many compliance requirements," said Manikandan Thangaraj, vice president of ManageEngine.

"ManageEngine has augmented its unified SIEM solution with security and risk posture management that allows enterprises to gain visibility into the current risk posture of their network resources. This helps identify critical loopholes and vulnerabilities that, if exploited, can cause significant damage. Furthermore, the feature helps curb account compromise and misconfigurations, two of the most commonly used techniques for launching an attack," Thangaraj said.

**Highlights of ManageEngine** **Log360's Security and Risk Posture Management**

*   Visibility into AD infrastructure compliance with Microsoft security baselines
*   Accurate detection of weak and risky AD infrastructure configurations and comprehensive security and risk posture calculations
*   Continuous assessments along with AD security posture recommendations to fix loopholes and reduce the risk of being attacked
*   A continuous risk assessment and management dashboard that helps you meet stringent compliance requirements with ease

Log360 also has extensive machine learning-based user and entity behaviour analytics that actively monitor user behaviour and identity compromise. By combining all these features, Log360 offers comprehensive protection against account compromise and identity theft and facilitates quick action against potential breaches.

**About Log360**

Log360 is a unified SIEM solution with integrated DLP and CASB capabilities that detects, prioritizes, investigates, and responds to security threats. It combines threat intelligence, machine learning-based anomaly detection, and rule-based attack detection techniques to detect sophisticated attacks and offers an incident management console for effectively remediating detected threats. Log360 provides holistic security visibility across on-premises, cloud, and hybrid networks with its intuitive and advanced security analytics and monitoring capabilities. For more information about Log360, visit manageengine.com/log-management/.

**About ManageEngine**

ManageEngine is the enterprise IT management division of Zoho Corporation. Established and emerging enterprises—including 9 of every 10 Fortune 100 organisations—rely on ManageEngine's real-time IT management tools to ensure optimal performance of their IT infrastructure, including networks, servers, applications, endpoints and more. ManageEngine has offices worldwide, including the United States, the United Arab Emirates, the Netherlands, India, Colombia, Mexico, Brazil, Singapore, Japan, China and Australia, as well as 200+ global partners to help organisations tightly align their business and IT. For more information, please visit manageengine.com, follow the company blog and get connected on LinkedIn, Facebook and Twitter.

ManageEngine Launches Security and Risk Posture Management in its SIEM Solution

More than 4% of employees have put sensitive corporate data into the large language model, raising concerns that its popularity may result in massive leaks of proprietary information.

Employees are submitting sensitive business data and privacy-protected information to large language models (LLMs) such as ChatGPT, raising concerns that artificial intelligence (AI) services could be incorporating the data into their models, and that information could be retrieved at a later date if proper data security isn't in place for the service.

In a recent report, data security service Cyberhaven detected and blocked requests to input data into ChatGPT from 4.2% of the 1.6 million workers at its client companies because of the risk of leaking confidential information, client data, source code, or regulated information to the LLM. 

In one case, an executive cut and pasted the firm's 2023 strategy document into ChatGPT and asked it to create a PowerPoint deck. In another case, a doctor input his patient's name and their medical condition and asked ChatGPT to craft a letter to the patient's insurance company.

And as more employees use ChatGPT and other AI-based services as productivity tools, the risk will grow, says Howard Ting, CEO of Cyberhaven.

"There was this big migration of data from on-prem to cloud, and the next big shift is going to be the migration of data into these generative apps," he says. "And how that plays out \[remains to be seen\] — I think, we're in pregame; we're not even in the first inning."

With the surging popularity of OpenAI's ChatGPT and its foundational AI model — the Generative Pre-trained Transformer or GPT-3 — as well as other LLMs, companies and security professionals have begun to worry that sensitive data ingested as training data into the models could resurface when prompted by the right queries. Some are taking action: JPMorgan restricted workers' use of ChatGPT, for example, and Amazon, Microsoft, and Wal-Mart have all issued warnings to employees to take care in using generative AI services.

    

More users are submitting sensitive data to ChatGPT. Source: Cyberhaven

And as more software firms connect their applications to ChatGPT, the LLM may be collecting far more information than users — or their companies — are aware of, putting them at legal risk, Karla Grossenbacher, a partner at law firm Seyfarth Shaw, warned in a Bloomberg Law column.

"Prudent employers will include — in employee confidentiality agreements and policies — prohibitions on employees referring to or entering confidential, proprietary, or trade secret information into AI chatbots or language models, such as ChatGPT," she wrote. "On the flip side, since ChatGPT was trained on wide swaths of online information, employees might receive and use information from the tool that is trademarked, copyrighted, or the intellectual property of another person or entity, creating legal risk for employers."

The risk is not theoretical. In a June 2021 paper, a dozen researchers from a Who's Who list of companies and universities — including Apple, Google, Harvard University, and Stanford University — found that so-called "training data extraction attacks" could successfully recover verbatim text sequences, personally identifiable information (PII), and other information in training documents from the LLM known as GPT-2. In fact, only a single document was necessary for an LLM to memorize verbatim data, the researchers stated in the paper.

**Picking the Brain of GPT**

Indeed, these training data extraction attacks are one of the key adversarial concerns among machine learning researchers. Also known as "exfiltration via machine learning inference," the attacks could gather sensitive information or steal intellectual property, according to MITRE's Adversarial Threat Landscape for Artificial-Intelligence Systems (Atlas) knowledge base.

It works like this: By querying a generative AI system in a way that it recalls specific items, an adversary could trigger the model to recall a specific piece of information, rather than generate synthetic data. A number of real-world examples exists for GPT-3, the successor to GPT-2, including an instance where GitHub's Copilot recalled a specific developer's username and coding priorities.

Beyond GPT-based offerings, other AI-based services have raised questions as to whether they pose a risk. Automated transcription service Otter.ai, for instance, transcribes audio files into text, automatically identifying speakers and allowing important words to be tagged and phrases to be highlighted. The company's housing of that information in its cloud has caused concern for journalists.

The company says it has committed to keeping user data private and put in place strong compliance controls, according to Julie Wu, senior compliance manager at Otter.ai.

"Otter has completed its SOC2 Type 2 audit and reports, and we employ technical and organizational measures to safeguard personal data," she tells Dark Reading. "Speaker identification is account bound. Adding a speaker’s name will train Otter to recognize the speaker for future conversations you record or import in your account," but not allow speakers to be identified across accounts.  

**APIs Allow Fast GPT Adoption**

The popularity of ChatGPT has caught many companies by surprise. More than 300 developers, according to the last published numbers from a year ago, are using GPT-3 to power their applications. For example, social media firm Snap and shopping platforms Instacart and Shopify are all using ChatGPT through the API to add chat functionality to their mobile applications.

Based on conversations with his company's clients, Cyberhaven's Ting expects the move to generative AI apps will only accelerate, to be used for everything from generating memos and presentations to triaging security incidents and interacting with patients.

As he says his clients have told him: "Look, right now, as a stopgap measure, I'm just blocking this app, but my board has already told me we cannot do that. Because these tools will help our users be more productive — there is a competitive advantage — and if my competitors are using these generative AI apps, and I'm not allowing my users to use it, that puts us at a disadvantage."

The good news is education could have a big impact on whether data leaks from a specific company because a small number of employees are responsible for most of the risky requests. Less than 1% of workers are responsible for 80% of the incidents of sending sensitive data to ChatGPT, says Cyberhaven's Ting.

"You know, there are two forms of education: There's the classroom education, like when you are onboarding an employee, and then there's the in-context education, when someone is actually trying to paste data," he says. "I think both are important, but I think the latter is way more effective from what we've seen."

In addition, OpenAI and other companies are working to limit the LLM's access to personal information and sensitive data: Asking for personal details or sensitive corporate information currently leads to canned statements from ChatGPT demurring from complying.

For example, when asked, "What is Apple's strategy for 2023?" ChatGPT responded: "As an AI language model, I do not have access to Apple's confidential information or future plans. Apple is a highly secretive company, and they typically do not disclose their strategies or future plans to the public until they are ready to release them."

Employees Are Feeding Sensitive Biz Data to ChatGPT, Raising Security Fears

By working together as an industry, we can develop the technologies needed to account for human error.

With more than 20 years of experience in security, I'm more attuned to the nuances of sophisticated phishing schemes than most people. But as cybercriminals adopt more advanced tactics to steal people's data, even the most seasoned security experts can fall victim. 

In 2021, there were more than 4,145 publicly disclosed breaches that exposed information across 22 billion records. And as phishing increased in 2022, 82% of breaches involved a "human element," meaning that individuals played a role in exposing their own or their companies' secrets. 

Fortunately, technology came to my rescue one recent morning (pre-coffee, I might add), after I was almost lured in. When I clicked the link in an email purporting to be from my credit card company, my password didn't automatically autofill — a telltale sign that the URL didn't match a website for which I'd input login information. I took a closer look: Sure enough, the URL was slightly off. 

I'm not the only one on my team who's been targeted. Here are a few examples of scams that security pros almost fell for, the aspects of human psychology that the threat actors leveraged, and strategies to ensure that you (and we) don't fall victim in the future.

**Exploiting "Confirmation Bias"**

On the morning in question, I was expecting an email from American Express. So when I appeared to receive one, confirmation bias kicked in. The email looked right: The grammar and spelling were perfect, the credit card depicted looked like my own card, and I immediately recognized the four digits of the card number that were included.

I clicked. Once I realized it was a scam (thank you, technology, for not auto-filling my password), I quickly noticed other discrepancies. The digits of my credit card number were the _first_ four digits, not the closely guarded last four. And while the color and design of my credit card were accurately depicted, thousands of customers no doubt have the same card.

Confirmation bias — defined as "the tendency to process information by looking for, or interpreting, information that is consistent with one's existing beliefs" — can help us process information efficiently. But it also has drawbacks, like hindering our ability to process critical information contradicting our assumptions. 

Being aware of our tendency toward confirmation bias is key. If you receive an email, call, or text that you're not 100% sure is legitimate, take a moment to pause and verify. 

**Preying on Our Deference to Authority**

Several members of our security team recently received a text purporting to come from 1Password's CEO, Jeff Shiner. In the text, "Shiner" explained that he was heading into a meeting and unreachable by phone, but needed this person to "run a quick task now for progress."

"Boss alerts" like this are increasingly common. They're a form of "pretexting" — a type of social engineering attack in which criminals create a story (or pretext) manipulating their target into sharing private information.

If you receive an email or text (known as "smishing" attacks, as they use SMS) from your boss or another executive, take a deep breath and ask yourself a few questions before responding. Can you confirm the phone number? What is it requesting (or demanding) of you? To verify the request, consider responding via another channel, like Slack or an email address you've used before. 

**Fabricating Urgency **

Another way scammers can throw us off guard is by creating a false sense of urgency. When we're overwhelmed, we may be tempted to put out a fire quickly so we can return to our regular workload.

Victims may be alerted that if they don't pay a bill immediately, their account will be shut down or they'll incur a late fee. They may be told that if they don't click a link to confirm, a package won't be delivered.

A colleague of mine almost responded to a legitimate-looking PayPal invoice saying they owed a large sum of money for their Norton Antivirus subscription. If this was a mistake, they were told, they should respond before being charged. While the request was sent via PayPal, my colleague noticed that the email address they were instructed to respond to was a Gmail account. 

Their suspicions were confirmed when they Googled "PayPal Norton invoice" and saw multiple references to this scam. To spare other victims, they alerted PayPal. 

**Technology Can Save the Day **

While phishing training and tests can raise awareness, they can't solve the root cause of the problem. And while security experts understand the value of practices like turning on two-factor or multifactor authentication (2FA/MFA) and of updating software regularly, many consumers don't. 

At the end of the day, we are and will remain human — even those who monitor security threats for a living. Technology is an essential backstop to human error, which is why it's ultimately the answer when it comes to cybersecurity. 

We need technologies that reduce risks from phishing — whether by erecting barriers to scammers, limiting the number of phishing attempts that reach consumers, or clearly marking scams as suspicious. Passkeys, which are both extremely secure and extremely easy to use, are one of the most promising solutions. Several leading tech and security companies are now collaborating on an effort to make it easier to use passkeys across multiple systems and devices. We need to work together as an industry to develop technologies like these that account for human error. It's incumbent on us to build systems that remain secure when an insider is compromised — wittingly or unwittingly, by phishing, smishing, or whatever strategy tomorrow brings.

Scams Security Pros Almost Fell For

**LONDON, UK / March 7, 2023** - Egress, a cybersecurity company that provides intelligent email security, today released its **Email Security Risk Report 2023**. The report uncovers findings that demonstrate the prevalence of inbound and outbound email security incidents in Microsoft 365, with 92% of organizations falling victim to successful phishing attacks in the last 12 months, while 91% of organizations admit they have experienced email data loss. Not surprisingly, 99% of cybersecurity leaders confess to being stressed about email security. Specifically, 98% are frustrated with their Secure Email Gateway (SEG), with 53% conceding that too many phishing attacks bypass it.  

“The growing sophistication of phishing emails is a major threat to organizations and needs to be urgently addressed,” said Jack Chapman, VP of Threat Intelligence, Egress. “The signature-based detection used by Microsoft 365 and secure email gateways (SEGs) can filter out many phishing emails with known malicious attachments and links, but cybercriminals want to stay one step ahead. They are evolving their payloads and increasingly turning to text-based attacks that utilize social engineering tactics and attacks from a known or trusted source, such as a compromised supply chain email address.”

“Unfortunately, phishing attacks will only become more advanced in the future, as cybercriminals use AI-powered technologies, such as chatbots, to automate and improve their attacks, such as adding video and voice capabilities to text-based phishing.”

**Email Security Risks Report 2023: Key findings**

The report investigates both inbound phishing attacks and outbound data loss and exfiltration, highlighting the importance of a holistic approach to email security. Interestingly, 71% of surveyed cybersecurity leaders view inbound and outbound email security as a unified issue to tackle, recognizing their interconnected nature. The survey goes on to examine the technical controls and security awareness and training (SA&T) programs in place to reduce email security risk.

**Organizations continue to fall victim to phishing attacks**

Customer and employee churn were top of the list of negative impacts following an inbound email security incident.

*   86% of surveyed organizations were negatively impacted by phishing emails.
*   54% of organizations suffered financial losses from customer churn following a successful phishing attack.
*   40% of incidents resulted in employees exiting the organization.
*   85% of cybersecurity leaders say a successful account takeover (ATO) attack started with a phishing email. 
*   The top three types of phishing attacks that organizations fell victim to:

*   Phishing involving malicious URL or malware attachment.
*   Social engineering.
*   Supply chain compromise.

**Risky behavior and mistakes lead to costly data loss**

People making mistakes or taking risks in the name of getting the job done are far more common than malicious insiders, the survey found:

*   91% of the cybersecurity leaders surveyed said data has been leaked externally by email, with the three top causes for these incidents:

*   Reckless or risky employee behavior, such as transferring data to personal accounts for remote work.
*   Human error, including employees emailing confidential information to incorrect recipients.
*   Malicious or self-serving data exfiltration, such as taking data to a new job.

*   49% suffered financial losses from customer churn following a data loss incident.
*   48% of incidents resulted in employees exiting the organization.

**Cybersecurity leaders confess a dissatisfaction with SEG technologies**

The survey found dissatisfaction with many of the traditional SEG technologies in place to stop email security threats, with 98% of cybersecurity leaders frustrated with their SEG:

*   58% - It isn’t effective in stopping employees from accidentally emailing the wrong person or with the wrong attachment.
*   53% - Too many phishing emails end up in employees’ inboxes.
*   50% - It takes a lot of administrative time to manage.

**Is traditional security awareness and training (SA&T) effective at changing behavior?**

While 98% of the surveyed organizations carry out some kind of security awareness and training (SA&T), 96% aired a concern or limitation with their SA&T programs:

*   59% say it’s necessary for compliance with regulations or cyber insurance.
*   46% say employees skip through it as fast as possible.
*   37% admit they are not confident people remember what they’re taught.
*   29% say employees find training annoying.

**How to defend against inbound and outbound email security threats**

The report highlights that people need real-time teachable moments thatalertthem to threats and engage them at the point of risk to tangibly reduce the number of security incidents that occur.

Data throughout the report highlights that advanced email security is a necessity for everyday business. Despite investments in traditional email security and SA&T, surveyed organizations remain highly vulnerable to phishing attacks, human error, and data exfiltration. Egress recommends the only way to change the situation is to use intelligent email security solutions that augment traditional SEGs and Microsoft 365, offering the defense-in-depth required with a layered security approach. New integrated cloud email security solutions (ICES) use intelligent technology to deliver behavior-based security and are proven to provide additional security and controls that stop advanced phishing threats and detect the anomalies in human behavior that lead to data loss and data exfiltration within Microsoft 365.

To read **Egress Email Security Risk Report 2023:** _Inbound and outbound email security threats in Microsoft 365,_ including all its analysis and findings please visit https://egress.co/ufxkz.

**About Egress**

Egress makes digital communication safer for everyone. As advanced and persistent cybersecurity threats continue to evolve, we recognize that people get hacked, make mistakes, and break the rules. Egress's Intelligent Cloud Email Security suite uses patented self-learning technology to detect sophisticated inbound and outbound threats, and protect against data loss, resulting in the reduction of human activated risk. 

Used by the world’s biggest brands, Egress is private equity backed and has offices in London, New York, and Boston.

99% of Cybersecurity Leaders Are Stressed About Email Security

Third annual report identifies top security gaps and challenges for organizations operating in the cloud.

**SANTA** **CLARA,** **Calif.****,** **March** **7,** **2023** **/PRNewswire/** **\--** Palo Alto Networks (NASDAQ: PANW), the global cybersecurity leader, today published its 2023 State of Cloud-Native Security Report. The report surveyed more than 2,500 C-level executives around the world to better understand their cloud adoption strategies, and how those strategies are working.

With organizations of all sizes moving more of their operations to the cloud, a majority are struggling to automate cloud security and mitigate risks. It's one reason why many companies are trying to improve security earlier in the development process, and looking for fewer vendors that can offer more security capabilities.

**Cloud Use Has Grown, Along With Security Concerns -** The expansion of hybrid work during the pandemic drove organizations to expand their use of clouds by more than 25%. As a result, DevOps teams are being pressed to deliver production code at warp speed — making application security more complex, and putting pressure on security organizations to keep pace.

**Most Organizations are Slow to Detect and Respond to Threats** \- 90% of organizations we surveyed said they cannot detect, contain and resolve cyber threats within an hour. Bad actors are working just as fast as developers to take advantage of organizations' vulnerabilities. What could go wrong often does go wrong and any cloud asset that is inadvertently exposed to the internet can be compromised within minutes. Detecting threats in real-time represents the new frontier of cloud security.

**Teams Don't Understand Their Security Responsibilities** - When asked about the challenges of moving to the cloud, respondents' top concerns remained unchanged from our 2020 report: struggles with comprehensive security, compliance, and technical complexity. A large majority (78%) of organizations said they have distributed responsibility for cloud security to individual teams, but almost half (47%) said a majority of their workforce does not understand their security responsibilities.

**A Greater Need for Code-to-Cloud Security -** As more applications are being built in the cloud using off-the-shelf software, there's a risk that any vulnerability in the development process could compromise an entire application later on. That's why more companies are encouraging a deeper level of engagement between application developers and security tools and teams — with 81% of respondents saying they have embedded security professionals inside their DevOps teams.

"With three out of four organizations deploying new or updated code to production weekly, and almost 40% committing new code daily, no one can afford to overlook the security of cloud workloads," said Ankur Shah, senior vice president, Prisma Cloud, Palo Alto Networks. "As cloud adoption and expansion continues, organizations need to adopt a platform approach that secures applications from code to cloud across multicloud environments."

**Moving Towards Consolidation** \- Three quarters of the leaders we surveyed say they struggle to identify which security tools are necessary to achieve their objectives. This has led many of them to implement numerous single point solutions — with the average organization using more than 30 security tools, including six to 10 dedicated to cloud security.

The sheer number of security tools makes it difficult for leaders to have in-depth visibility into their entire cloud portfolio. 76% of survey respondents reported that using multiple security tools creates blind spots that affect their ability to prioritize risk and prevent threats. And 80% said they would benefit from a centralized security solution that sits across all of their cloud accounts and services.

**A Clear Path Forward -** Despite the upheaval caused by the pandemic, organizations have mostly been able to succeed in their cloud expansions — and organizations that made cloud infrastructure a strategic focus across the business were generally more successful. This makes cloud security a clear enabler of business outcomes.

Of course better security does not guarantee success. But having security under control — consolidating tools and vendors and using proven DevSecOps and security automation strategies — lets development teams do their jobs better and gives organizations the tools they need to succeed.

**About the Survey**

This survey was administered online by Palo Alto Networks, and data was gathered from November 21, 2022, to December 14, 2022. Respondents were surveyed from across the globe, spanning the U.S., Australia, Germany, the UK, Singapore and Japan. Over half are from enterprise-sized organizations (over $1B in annual revenue), and respondents were gathered from both ends of the organizational spectrum between executive leadership and more practitioner-level roles in order to understand sentiments broadly across companies.

**Additional Resources**

*   Read more about the 2023 State of Cloud-Native Security Report in this blog.
*   Watch the State of Cloud-Native Security Report Webinar on demand.
*   Find out more about Prisma Cloud here.
*   Follow Palo Alto Networks on Twitter, LinkedIn, Facebook and Instagram.

**About Palo Alto Networks**

Palo Alto Networks is the world's cybersecurity leader. We innovate to outpace cyberthreats, so organizations can embrace technology with confidence. We provide next-gen cybersecurity to thousands of customers globally, across all sectors. Our best-in-class cybersecurity platforms and services are backed by industry-leading threat intelligence and strengthened by state-of-the-art automation. Whether deploying our products to enable the Zero Trust Enterprise, responding to a security incident, or partnering to deliver better security outcomes through a world-class partner ecosystem, we're committed to helping ensure each day is safer than the one before. It's what makes us the cybersecurity partner of choice.

At Palo Alto Networks, we're committed to bringing together the very best people in service of our mission, so we're also proud to be the cybersecurity workplace of choice, recognized among Newsweek's Most Loved Workplaces (2021 and 2022), Comparably Best Companies for Diversity (2021), and HRC Best Places for LGBTQ Equality (2022). For more information, visit www.paloaltonetworks.com.

_Palo Alto Networks, Prisma, and the Palo Alto Networks logo are registered trademarks of Palo Alto Networks, Inc. in_ the United States _and in jurisdictions throughout the world. All other trademarks, trade names, or service marks used or mentioned herein belong to their respective owners. Any unreleased services or features (and any services or features not generally available to customers) referenced in this or other press releases or public statements are not currently available (or are not yet generally available to customers) and may not be delivered when expected or at all. Customers who purchase Palo Alto Networks applications should make their purchase decisions based on services and features currently generally available._

SOURCE Palo Alto Networks, Inc.

Palo Alto Survey Reveals 90% of Organizations Cannot Resolve Cyberthreats Within an Hour

Attackers use phishing emails that appear to come from reputable organizations, dropping the payload using public cloud servers and an old Windows UAC bypass technique.

A phishing campaign targeting organizations in Eastern Europe is leveraging an old Windows User Account Control (UAC) bypass technique to drop the Remcos remote access Trojan (RAT), to perform cyber espionage across the region, researchers have found.

The campaign uses emails that appear to come from legitimate and highly regarded institutions in the targeted country to lure victims, researchers from SentinelOne revealed in a recent blog post. If successful in getting users to click on a malicious link, attackers leverage the DBatLoader malware loader, which abuses a technique identified more than two years ago to set up mock trusted folders to bypass Windows UAC and drop the RAT, the researchers said.

DBatLoader is known for using public cloud infrastructure to host its malware staging component, the SentinelOne researchers said. In the case of this campaign, they have observed download links to Microsoft OneDrive and Google Drive sites that have been used for this purpose, one of which was active for more than a month, they said.

"When a user decompresses the attachment and runs the executable within, DBatLoader downloads and executes an obfuscated second-stage payload data from a public cloud location," SentinelOne senior threat researcher Aleksandar Milenkoski wrote in the post.

The executable in this case is the Remcos RAT, a malware that threat actors with cybercriminal and espionage motivations widely use to take over computers and collect keystrokes, audio, video, screenshots, and system information as well as deliver other malware, the researchers noted.

Indeed, the campaign observed by SentinelOne is likely linked to reports by the Ukrainian CERT of "phishing campaigns targeting Ukrainian state institutions for espionage purposes using password-protected archives as email attachments," which also deliver the RAT, Milenkoski wrote.

**Reputation-Based Phishing Lures**

Rather than use socially engineered messages in the campaign, attackers rely solely on the reputations of the purported organizations from which the messages are sent to trick victims into taking the bait, the SentinelOne researchers said.

In fact, the messages generally contain no text at all but merely the malicious attachment, they said. In the cases that the messages do include text, it's written in the language of the target’s country, the researchers added. Further, attackers typically send the emails to the sales departments of the targets or publicly available contact email addresses for the organizations. The emails include attachments in the form of tar.lzarchives that typically masquerade as financial documents, such as invoices or tender documentation that appear to originate from institutions or business organizations related to the target. Some attachments purport to be Microsoft Office, LibreOffice, or PDF documents and use double extensions and/or application icons to fool victims.

"Many of the phishing emails we observed have been sent from email accounts with top-level domains of the same country as where the target is based," Milenkoski wrote.

"We observed emails sent from what seems to be compromised private email accounts and accounts from public email services that are also used by the targets and the legitimate institutions or organizations, which are supposedly sending the email," Milenkoski added.

**Abusing Windows UAC Bypass**

When a user decompresses the attachment and runs the executable within, DBatLoader downloads and executes an obfuscated second-stage payload data from an aforementioned public cloud location, which then creates and executes an initial Windows batch script in the %Public%\\Libraries directory, the researchers said.

This script abuses a previously identified method for bypassing Windows UAC that involves the creation of mock trusted directories, such as %SystemRoot%\\System32; this allows attackers to conduct activities with elevated privileges without alerting users, the researchers said. Security researcher Daniel Gebert discovered and subsequently revealed the UAC bypass in a July 2020 post on his security blog.

The bypass occurs through a combination of the mock trusted directories and DLL hijacking, which together cause Windows to automatically elevate the process without issuing an UAC prompt, Milenkoski wrote.

The resulting bypass allows DBatLoader to establish persistence across system reboots, by copying itself in the %Public%\\Libraries directory and creating an autorun registry key that points to an Internet Shortcut file, he explained in the post. This executes the DBatLoader executable in the mock directory, which in turn executes the Remcos RAT through process injection.

Researchers observed a wide variety of Remcos RAT configurations on victim systems, most of which were configured for keylogging and screenshot-theft capabilities, "as well as 'duckdns' dynamic DNS domains for command-and-control purposes," Milenkoski wrote.

**Reducing Cyber-Risk & Avoiding Compromise**

Researchers made a number of recommendations to security administrators to dodge the campaign, particularly given its use of DBatLoader coming through on the public cloud.

First and foremost, they advised vigilance against malicious network requests to public cloud instances, noting that attackers' use of public cloud infrastructure for hosting malware is an attempt to make network traffic for malware delivery look legitimate and thus harder for organizations to detect. "This tactic is popular amongst cybercriminals and espionage threat actors," Milenkoski observed.

Researchers also recommended that administrators monitor for suspicious file creation activities in the %Public%\\Library directory, and process-execution activities that involve filesystem paths with trailing spaces, especially \\Windows \\. "The latter is a reliable indicator of malware attempting to bypass Windows UAC by abusing mock trusted directories, such as %SystemRoot%\\System32," Milenkoski wrote.

Another tactic for avoiding compromise that administrators should consider is configuring Windows UAC to "always notify," which will always alert users when a program attempts to make changes to computers across a business network, he added.

Researchers also enforced general advice for avoiding phishing compromise in any form by ensuring that administrators and employees alike are aware of what malicious emails look like and how to avoid engaging with them.

Remcos RAT Spyware Scurries Into Machines via Cloud Servers

**REDWOOD CITY, Calif.****,** **March 7, 2023** **/PRNewswire/ --** Delinea, a leading provider of Privileged Access Management (PAM) solutions for seamless security, today announced new features for its Privilege Manager and DevOps Secrets Vault products. Updates to both products make it more seamless to implement the controls frequently required to secure or renew cyber insurance policies.

Enhancements to Privilege Manager, Delinea's solution for managing privileged access on workstations, focus on policies for Windows Store applications and updates for MacOS Ventura. The latest version of DevOps Secrets Vault, Delinea's high-speed vault for DevOps and DevSecOps teams, makes it easier for developers to install the Command Line Interface (CLI) in their favorite coding console while also providing their own encryption keys.

According to a recent Delinea survey, almost 80% of respondents indicate that they have already used their cyber insurance policies, and only 40% met PAM requirements when they applied for their policies. Credentials hard-coded in applications are a vulnerability that can be exploited, potentially leading to claims that may not be supported when less than 50% of survey respondents' policies cover data recovery. Furthermore, the survey revealed that ransomware attacks often start on workstations, and over 70% of policies will not cover ransomware payments.

**Stronger privilege controls on Windows and Macs**

The latest version of Privilege Manager allows administrators to build policies for applications installed from the Windows Store and other Universal Windows Platform applications, defining which applications are not allowed to run. Enhancements to the native MacOS agent ensure that users on MacOS Ventura have consistent application controls. Both updates make installing ransomware on Windows and Mac workstations more difficult, including those running the latest operating systems from Microsoft and Apple. Other updates include enhancements to the UI that highlight the number of workstations impacted by policy changes and management of certificate credentials.

**Streamlined credential management in the most popular coding consoles**

New CLI installers for DevOps Secrets Vault allow developers to run a native command in their environment to install and begin dynamically injecting credentials into their applications. CLI installers are supported for several of the most popular coding consoles – HomeBrew, PowerShell, Aqua, Curl, Snap, and Scoop. Enhancements to the Command Line Interface allow developers to configure and use their own encryption keys to provide even stronger security. Additional enhancements include new flags to the rest API and CLI for more easily searching objects, and an improved "break glass" security function.

"Our customers increasingly approach us with more stringent cyber insurance requirements, often necessitating more modern Privileged Access Management controls," said Phil Calvin, Chief Product Officer at Delinea. "We continuously focus on making it less complicated to implement privileged access policies, and these two product releases make PAM more seamless for both workstations and coded credentials."

Organizations can start a free trial of the latest versions of Privilege Manager at https://delinea.com/products/privilege-manager and DevOps Secrets Vault at https://delinea.com/products/devops-secrets-management-vault.

**About Delinea**

Delinea is a leading provider of privileged access management (PAM) solutions that make security seamless for the modern, hybrid enterprise. Our solutions empower organizations to secure critical data, devices, code, and cloud infrastructure to help reduce risk, ensure compliance, and simplify security. Delinea removes complexity and defines the boundaries of access for thousands of customers worldwide. Our customers range from small businesses to the world's largest financial institutions, intelligence agencies, and critical infrastructure companies. Learn more about Delinea on LinkedIn, Twitter, and YouTube.

Source

DARKReading