The notorious APT15 used common malware tools and a third-generation custom "Graphican" backdoor to continue its information gathering exploits, this time against foreign ministries.

From late 2022 to early 2023, a Chinese state-level threat actor used a novel malware to conduct espionage against foreign ministries in North and South America.

The group in question, APT15 (aka Flea, Nickel, Vixen Panda, KE3CHANG, Royal APT, and Playful Dragon) already "has a track record of honing in on government targets, diplomatic missions, and embassies, likely for intelligence-gathering purposes," Symantec researchers explained in a June 21 blog post. In recent years it has targeted diplomatic organizations, government organizations, and NGOs.

This latest campaign primarily focused on ministries of foreign affairs, but also included a government finance department and a corporation. All the targets were based in the Americas, a region which "does appear to have become more of a focus for the group in recent times," the researchers wrote.

To carry out their espionage, APT15 employed well over a dozen tools, malicious and otherwise. Among its arsenal: Mimikatz and two of its variants, four Web shells including AntSword and China Chopper, and CVE-2020-1472, a three-year-old but CVSS 10.0 "Critical" privilege escalation vulnerability in the Windows server process Netlogon.

The attackers' only unique tool was Graphican, a new variant of its old Trojan backdoor used to run commands and download files from victim machines. "This backdoor has evolved some of its anti-detection mechanisms," acknowledges Avishai Avivi, CISO at SafeBreach. "That said, the fact that threat actors often use the same techniques allows companies to test their defenses proactively."

**What Is Graphican?**

Graphican is an iteration on APT15's other Trojan backdoor, Ketrican, itself an evolution of their earlier model, BS2005.

Graphican mostly distinguishes itself by foregoing a typical, hardcoded command-and-control (C2) server. Instead, it uses Microsoft Graph — an API for Microsoft 365 services — to retrieve an encrypted server address from a OneDrive folder.

Once the connection is made and the machine compromised, however, Graphican possesses the same basic functionalities as its predecessor — creating an attacker-controlled command line on the victim machine, creating new processes and files, and downloading files. "The similarities in functionality between Graphican and the known Ketrican backdoor may indicate that the group is not very concerned about having activity attributed to it," the researchers speculate.

Avivi sees it differently. "The reality is that APT groups are really looking for efficiency," he says. "Suppose a tool is proven effective for launching attacks or opening backdoors. In that case, they'll keep using it until it loses its efficacy or is stopped. R&D costs time and money for adversaries just like it does for companies."

**Who Is APT15?**

According to Symantec, APT15 has been around for nearly two decades. The group has made its biggest waves in recent years, however, so much so that in 2021 Microsoft's Digital Crimes Unit performed a coordinated seizure of its known infrastructure. Even that coordinated action from Microsoft wasn't enough to stop APT15, which returned a year later with a spyware campaign targeting Uyghur populations en masse.

Organizations interested in hardening against APT15 may not want to start with infection vectors. The group has been known to use phishing emails, "but there have also been reports of it exploiting public-facing applications, as well as using VPNs, to gain initial access to victim networks," Symantec explained.

On the other hand, the relative consistency in APT15's malware can be of benefit to defenders.

"Adversaries will use proven techniques to accomplish their goals," Avivi says, pointing to APT15's rehashing of largely similar malicious backdoors. "That is one, among many reasons, why validating security controls against known patterns and cycles can help companies better defend against these threat actors."

20-Year-Old Chinese APT15 Finds New Life in Foreign Ministry Attacks

The US Department of Justice adds litigators under its National Security Division to take on sophisticated cyber threats from adversarial nation-states.

The US Department of Justice has created a new National Security Cyber Section, also known as NatSec Cyber, to respond to increasing cybersecurity threats from nation-state actors.

The new NatSec Cyber division will work in coordination with the DoJ Criminal Division's Computer Crimes and Intellectual Property Section (CCIPS) and the FBI's Cyber Division, to quickly respond and prosecute cyberattacks from state-backed cybercriminals, according to the agency's announcement.

The naming of a dedicated team of DoJ cybercrime lawyers comes in the wake of major cyberattack campaigns targeting US interests including the Russian group Cl0P's ongoing ransomware attacks on the MOVEit file transfer zero-day flaw, and ramped-up cyber espionage attacks out of China including the recent Volt Typhoon cyberattacks.

"NatSec Cyber will give us the horsepower and organizational structure we need to carry out key roles of the Department in this arena," Assistant Attorney General Matthew G. Olsen of the Justice Department's National Security Division said in a statement announcing the new team. "This new section will allow NSD to increase the scale and speed of disruption campaigns and prosecutions of nation-state threat actors, state-sponsored cybercriminals, associated money launderers, and other cyber-enabled threats to national security."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

New DoJ Cyber Prosecution Team Will Go After Nation-State Threat Actors

Gen Digital, the parent company of the security companies, is the latest victim in a rash of Cl0p attacks on the bug in the MOVEit transfer software, leading to employee data being revealed.

Gen Digital, the parent company of cybersecurity subsidiaries such as Avast and Norton, confirmed on June 20 that the personal information of its employees was compromised in yet another a MOVEit attack by the Cl0p ransomware gang.

The company stated that it was affected by a cyberattack in response to inquiries, confirming that personal information such as names, addresses, employee IDs, and email addresses were revealed. 

"We use MOVEit for file transfers and have remediated all of the known vulnerabilities in the system. When we learned of this matter, we acted immediately to protect our environment and investigate the potential impact. We have confirmed that there was no impact to our core IT systems and our services and that no customer or partner data has been exposed," according to Gen Digital's public notice, which further confirmed that it informed all parties that may have been affected, as well as data protection regulators. 

The bug, a critical-severity SQL injection tracked as CVE-2023-34362, started out as a zero-day vulnerability that has been part of an exploitation campaign at the hands of Cl0p ransomware gang. The attacks are ongoing even post-patch, and has targeted more than 100 companies and organizations so far.

"As a general best practice, we advise never to directly allow for apps like MOVEit Transfer to be directly exposed to the Internet in cloud environments," said Amitai Cohen, attack vector intel lead at Wiz, in an emailed statement. "Instead, place the app behind a VPN, a reverse proxy or a single sign-on (SSO) landing page. This strategy will help to mitigate the effect of potential attacks exploiting vulnerable or misconfigured application endpoints and other attacks that are similar in nature."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Avast, Norton Parent Latest Victim of MOVEit Data Breach Attacks

It's time to update what we think we understand about ransomware, including new defensive measures and how fast the attack response should be.

INFOSEC23 – London – With a threat as persistently pervasive as ransomware, myths and misconceptions are bound to emerge in tandem. Richard de la Torre, technical marketing manager at Bitdefender, used his time at the podium during this week's Infosecurity Europe conference to enumerate — and dispel — some of the more common ones.

While some of the items on de la Torre's list are likely very familiar to most security practitioners, he cites a ransomware misperception that there's no capability to fight this all too common hostage taking of business data. Not true — proactive organizations are increasingly using decryptors and also making more strategic use of threat intelligence to prevent or disrupt attacks, he adds. 

And despite all the worry and attention devoted to ransomware-as-a-service and more leading edge ransomware incidents, de la Torre claims ransomware attack vectors remain relatively basic. "The threat process has not changed and access starts through phishing attacks," he says.

**Ransomware Is Big Business**

All that being said, most organizations still haven't grasped that ransomware has mushroomed into big business, turbocharged by its RaaS business model with an operator who's sometimes state-sponsored. The operator variously buys, develops, and resells the ransomware code and hires affiliates, usually hackers, who infiltrate networks. They then plant malware, establish a command and control (C&C) server, detonate the ransomware, and collect ransom.

"These are multi-billion dollar organizations, who hire access brokers and data miners and HR teams and recruit on the dark and deep Web," he says.

Another misconception is that organizations must have a speedy response to a ransomware infection, and that time is of the essence to prevent encryption and loss of business data. While that may have been true a few years ago, times have changed, de la Torre notes. Most attackers now focus more on data exfiltration, and the "actual ransomware is used as a distraction while \[attackers\] exfiltrate data." 

More commonly, attackers will move laterally inside a network, for days or even months, doing reconnaissance to see if an organization has cyber insurance, identify key customers, and pinpoint where the richest datasets are.

De la Torre also says it's a misconception that attackers only go after large targets. Most ransomware attacks typically target small organizations, as larger organizations have SOC teams and more resources dedicated to cybersecurity. But the smaller targets aren't the prize, just a steppingstone. More often, ransomware attackers "target smaller organizations who have affiliations with larger organizations via a supply chain as a backdoor," he explains.

In terms of defense, he recommended having good defense in depth, with email security to stop phishing emails and good detection and response to "detect when there has been a change to Azure, for example," de la Torre says. "You want something tamper proof and that you are able to recover from."

Ransomware Misconceptions Abound, to the Benefit of Attackers

From fake job listings that ding your reputation to fake job applicants who hack your network, job scams are a major threat.

Job scamming is a pandemic within a pandemic. These operations can grow to multimillion-dollar businesses, operating in countries all over the world. In one survey, 32% of job seekers reported applying and even interviewing for a fake job, 15% had their personal information stolen, and 9% said they'd lost money to the scammers. Financial losses topped $367 million last year in the United States alone.

Gabriel Friedlander, founder and CEO of Wizer Training, says these scammers operate just like any other business. But instead of marketing products or services, their goal is to commit crimes.

"They have marketing, where they send out their scams," Friedlander says. "They try to capture leads, convert them to opportunities, and close the deal by scamming the person or hacking the company. They're using a lot of the tools that marketers are using. The thing is, they have a better mousetrap because they can offer anything."

**Risks to Companies and Brands**

Job scams not only hurt job seekers, but they also wreak havoc on company brands and expose sensitive data to exploiters. Roger Grimes, the data-driven defense evangelist at KnowBe4, says he's surprised by the sheer creativity of job scammers, who steal the credentials of real people and then apply to jobs using legitimate-looking emails or portfolio URLs. Often these emails will hide malware within resume attachments or links, according to a report by Trellix.

Fred House, senior director of detection research and operations at Trellix Advanced Research Center, gives one example: Qakbot malware in emails can be exposed, rooted out, and addressed. Then within a few days, Qakbot evolved into a new threat.

The scamming company is "an organization that's very well-funded, that's very agile," House says. "And that's the cat-and-mouse game."

Companies sometimes receive a huge volume of job applications through social media applications like LinkedIn or software-as-a-service apps like Workday, and making sure each applicant is legitimate can be a monumental task. Even if an application appears safe, these threat actors are also prepared for interviews.

Grimes says he has spoken with employers who think they've found the "perfect candidate" — someone who has answered all of their interview questions correctly. However, once the person is hired, they disappear or are unable to do the job.

"They're very rehearsed," Grimes says. "When you're trying to verify the legitimacy, they've heard \[it\] 100 times, and they know how to respond. They know what documents to send you. That can be very convincing."

Vulnerable companies include those without a cybersecurity team or software in place to monitor potential job applicants. While this implies smaller firms are at risk, it's often the Fortune 500 brands that are targeted.

"The bigger they are, the harder it is for them to verify that this headhunting firm is the one that's working on behalf of them," Grimes says. "It's not as easy as people make it out to be."

Adds AJ Nash, vice president of ZeroFox: "If you're a company that's desirable, that's a bigger brand, that's a bigger opportunity to lure people in. That dream is an opportunity. That's going to be enticing."

**How to Guard Against Scams**

The most important protections against scams for human resources and security departments are awareness, education, and training. Companies that lack knowledge about these kinds of job scams are more prone to attacks.

If you can't meet the applicant in person, conduct a thorough background check, says Wizer Training's Friedlander. Background checks, he adds, are no longer "nice-to-haves" but a must to keep companies safe. He also suggests reaching out to that applicant in multiple ways to make sure this is a legitimate person being hired for the role.

Having a tight security posture is fundamental to staying safe.

"It comes down to the protections they have in place," Trellix's House says. "How sophisticated is their email security? Do they have a Web proxy where once the user clicks on the link, it goes through their Web proxy, and it has a chance to analyze it?"

Companies should aggressively look to root out these scams and put pressure on job sites, like Indeed, and social media channels, like LinkedIn, to make sure these cybercriminals are defeated, according to KnowBe4's Grimes.

In a statement, LinkedIn acknowledged the "rise in fraudulent activity across the internet over the last several months, and we have the technology, including artificial intelligence systems, and teams of experts to stop the majority of detected fraudulent activity before you ever see it. In addition, we've introduced new tools to ensure a safe experience, including the ability to see if an account has a verified phone number or email." A LinkedIn report states that 57.9 million fake accounts were removed between July and December in 2022.

Listing specific do's and don'ts on the company's career page and social media platforms is one step to assisting potential job seekers on avoiding scams. This includes phrases such as "We will never ask you for money" and "We will never ask for your Social Security number or identifying information," says ZeroFox's Nash.

Outsourcing may be the best solution to combat these scams, based on the size of the company and the number of employees dedicated to cybersecurity. Nash says this includes setting up social media monitoring and brand protection. The potential damage to a company may be significant and requires investment in security.

"Companies who aren't doing that — they're going to find out the hard way when bad things happen," Nash says.

**Protect Your Reputation**

A company's reputation can be damaged, even if a company isn't affected financially after reports of fake jobs. Even though the company isn't responsible, leadership should understand how their brand can be stolen and used for malicious purposes, Nash says.

"It's not their fault, but it is going to reflect on them," Nash says. "When someone is scammed out of a job, their company name will be associated with that scam. A job seeker will now have a lesser opinion on that organization."

Once the HR department or security team is notified that a job scam associated with the company has occurred, Nash recommends showing empathy toward that potential job applicant. He recommends using language such as, "I'm really sorry to hear this has happened to you. Thank you for reporting it to us. We will take it under advisement, talk to our intel team — whatever it might be."

**The Future of Job Scams**

Grimes notes that these scams have evolved in the past decade or so. Finding a job applicant wasn't always this complicated.

"This is something our parents didn't have to worry about," Grimes says. "If you're applying for a job to GE, it really was for GE, and GE was hiring somebody. They were dealing with a person that they met in person. But I don't think the problems we have with the employment industry are going away anytime soon. I think it's as much of a part of our fabric as social engineering and phishing."

Learning to protect ourselves from cybercrimes is an unfortunate part of the Internet age. It's the way of the world, according to Friedlander.

"Cyber-risk is not as clear as physical risk," Friedlander says. "It's not tangible. And people need to be educated. You just can't see it most of the time."

**SIDEBAR: Will Job Scamers Use Deepfakes?**

Remember when the reverse image search was a great way to determine if a photo was fake or stolen? Thanks to synthetic scams using artificial intelligence and deep fake technology, that service isn't quite as useful.

"You go on websites and in one click have a fake image of a human being that never existed in the history of humanity, and it's really convincing," said AJ Nash, vice president of ZeroFox. "Whether it's video, whether it's pictures, whether it's audio, whether it's sound effects, there's a lot of synthetic scams. And the technology is really coming along quite well." 

The speed of this kind of tech and the ways they can be used maliciously can be mind-boggling. Gabriel Friedlander, CEO of Wizer, said voice cloning has become increasingly simple to do. 

Wizer posts training videos on security awareness and one features how a job seeker's face and voice were used to land an IT job to hack into a company. The only reason the scam was revealed is when the company reached out to the real person wondering why she had disappeared. The video is a demonstration but the scammers are very real. 

"Deep fakes, AI will continue to get really good to the point where we just won't know the difference between an AI deep fake and a real person," said Roger Grimes, KnowBe4's data-driven defense evangelist. "I mean that's absolutely going to happen."

The good news is that the technology isn't flawless. Nash said it's difficult to impersonate human interactions and human movements. He recommended finding a way to see the hands of an individual in a photo or on camera. Apparently, the intricacies of fingers haven't been perfected yet.

Keep Job Scams From Hurting Your Organization

A slew of critical advisories this week showcase an exploding edge device attack surface for SMBs, which have limited cybersecurity protection, visibility, and maintenance available.

Small and midsized businesses (SMBs) have some security work ahead as two major edge device vendors (Asus and Zyxel) announce critical security vulnerabilities to patch — and another (Western Digital) cuts off unpatched devices from the cloud.

Asus released new firmware on June 19 to fix nine separate vulnerabilities in several of the company's router models, one of which could let a cyberattacker gain code execution ability. Two of the most serious flaws are a critical memory corruption weakness in the Asus router firmware, tracked under CVE-2022-26376, and the second could allow a threat actor to "achieve arbitrary code execution," according to NIST, and dates back to 2018, tracked under CVE-2018-1160.

The same day, Western Digital announced it has blocked devices running unpatched firmware from its cloud as of June 15.

A severe vulnerability impacting Western Digital's MyCloud Home and other cloud storage devices could lead to remote code execution, according to NIST. Despite the fact that the bug, tracked under CVE-2022-36327, received a CVSS vulnerability-severity score of 9.8 out of 10, the flaw was known to the public for a full month before affected devices were blocked from accessing the Western Digital cloud.

Also this week, Zyxel released patches against code-injection vulnerabilities in three versions of its network-attached storage devices. The firmware command injection vulnerability is tracked under CVE-2023-27992 and could let an unauthenticated user execute operating system commands.

**SMB Edge Cyberattack Surface Explodes **

This glut of edge-device patch warnings this week showcases the fact that SMBs are increasingly at risk thanks to the exploding number of edge devices being connected to their networks. For an idea of the scale of the endpoint attack surface, experts put the number of active Internet of things (IoT) and edge devices around the world at more than 12 billion. That number is expected to hit 27 billion by 2025.

At the same time, many of these organizations are largely woefully lacking in basic cybersecurity hygiene and monitoring. At first, edge devices can seem like an economic choice for building out an SMB infrastructure, but they are much tougher to secure, explains Melissa Bischoping, director, endpoint security research at Tanium.

"For small businesses, using small-office-home-office (SOHO) routers and devices is often a cost-effective solution," she says, "but the lack of monitoring and centralized management in many of these devices can result in vulnerabilities and insecure configurations that provide easy access to an adversary."

Meanwhile, never ones to miss an opportunity, threat actors are making the most of this sweet spot.

“Edge infrastructure is an incredibly attractive target for attackers because it generally lacks the depth of monitoring and visibility that endpoints have, and is always public facing by design, removing an initial hurdle for access,” Bischoping explains.

Making these devices an even softer mark, many are built with open source components, says John Gallagher, vice president of Viakoo Labs.

"Edge devices like routers, NAS drives, IP cameras, and other IoT/OT systems are the fastest growing part of an organization’s attack surface due to their use of open source software components and often being unmanaged and unmonitored," Gallagher explains. “Traditional IT security solutions that are agent-based don't work for IoT/OT devices which require agentless solutions."

**How SMBs Can Secure the Edge**

Securing the SMB edge starts with knowing what there is to protect, according to Gallagher.

"First, make sure you have a complete inventory of devices by using an agentless asset discovery solution," Gallagher says.

Once cybersecurity teams have visibility into what there is to defend, that information can be used to direct resources effectively, Bischoping adds.

"Prioritize visibility of the edge assets and leverage that information to address patching, credential management, and configuration hardening as part of your ongoing security hygiene and controls," she says. "Other quick wins include ensuring you’ve rotated default login credentials on these devices, employed secure authentication mechanisms, and enforced least-privilege access for any accounts that may log in to those devices."

And, to handle with firmware and password updates at the scale required for IoT and edge devices, Gallagher recommends an automated approach.

Commenting on how SMBs can manage the edge more effectively, organizations should also consider whether devices need to be connected to the Internet, or would be better suited for a more secure internal network connection, advises Matthew Morin, senior director of product management with NetRise.

"In the case of many vulnerabilities announced by Asus, Zyxel, and Western Digital, ensuring the affected devices were only accessible via internal networks would have dramatically reduced the impact of the vulnerabilities," Morin recommends. "SMBs must understand what is publicly disclosed from their networks and regularly review if what is exposed needs to be there."

Teams should also look for devices with no particular owner or purpose and pull the plug. "Lastly, ensure that devices have clear ownership and tracking of their lifecycle management, so that devices that go end of life or end of support can be replaced before they get exploited." Gallagher adds.

Once those processes are in place, Morin says the next step for more mature organizations is incorporating software bills of materials (SBOMs) for added visibility.

"For more mature organizations, a good next step is ensuring that they have component-level visibility, such as an SBOM for network-connected devices," Morin adds. "In this case, with an SBOM, an organization could have been aware of this risk well before the vendor decided to patch the issue."

SMB Edge Devices Walloped With Asus, Zyxel Patch Warnings

A threat you've never heard of is using double extortion attacks on mom-and-pop shops around the globe.

A ransomware group that operated under the radar for over a year has come to light in recent weeks, thanks to a series of business data leaks on the Dark Web.

Since at least April 2022, 8base — not to be confused with the Florida-based software company of the same name — has been conducting double-extortion attacks against small and midsized businesses (SMBs). It all came to a head in May, when the group dumped data belonging to 67 organizations on the cyber underground.

It didn't end there. "We've been keeping an eye on what they're doing, and this month they're busy again," says Matt Hull, global head of threat intelligence at NCC Group. 8base has already doxxed 29 new businesses this month.

Not much is known yet about the group's tactics, techniques, and procedures (TTPs), likely due to the low profile of their victims. According to data scraped from their leak site, those victims include a British cleaning company, a sanitation company in Egypt, a private school in a Boston suburb, and a CPA in New York, among others of a similar profile.

The victims span science and technology, manufacturing, retail, construction, healthcare, and more. They're wisely distributed geographically as well: a shipping company in India, a Peruvian gift basket company, and a corrugated cardboard manufacturer in Madagascar. The majority, however, are focused in North America — around a third of the total — and South America. A dozen victims in both May and June were based in Brazil, in line with a recent wave of Brazilian cyberattacks more generally.

**How 8base Conducts Its Business**

With little yet known about 8base (it's part of a wave of ransomware newbies entering the market), one aspect of the group that is very clear is their preferred mode of operation. In a terms-of-service section of their leak site (see graphic), the group laid out 13 rules for their victims and themselves, written in ersatz legalese: "Participation of police departments is prohibited," and "Personal data will not be shared with third parties by the team."

    

Source: Hackmanac

Whether the gang is as honest as it would like you to think is another matter. On the About Us page, the hackers perfidiously claim, "We are honest and simple pentesters," adding that "this list contains only those companies that have neglected the privacy and importance of the data of their employees and customers."

NCC's Hull says 8base is not the first group to operate like this. "I think it's a result of the successes that other groups are having with these types of tactics," he notes.

Though 8base isn't breaking any new ground, actually defending against their tried-and-true methods is another matter.

"Budgets are tight, particularly for the smaller organizations. These organizations aren't going to be able to pay for a SOC or other advanced detection capabilities," Hull notes. "The main thing that anyone can do, whether it's an individual or small business, is get the fundamentals right." He points to password hygiene, multifactor authentication, and social engineering awareness as three simple changes small businesses can make to better their security without breaking the bank.

"Getting a hold of the basics goes a long way," he adds.

Emerging Ransomware Group 8Base Doxxes SMBs Globally

The emerging cyber-threat group is unusually persistent and nimble, bypassing MFA, stealing data, and using compromised environments for downstream customer attacks.

A new, unusually dogged threat group dubbed "Muddled Libra" by threat researchers is targeting large outsourcing firms with multi-layered, persistent attacks that start with smishing and end with data theft. The group is also using the infrastructure that it compromises in downstream attacks on victims' customers.

The threat group has been attributed to more than half a dozen interrelated incidents from mid-2022 and early 2023, and makes use of the previously reported Oktapus phishing kit as initial entry into its attacks, researchers from Palo Alto Networks Unit 42 said in a report released today.

From there, the group — which has "an intimate knowledge of enterprise information technology" — maintains non-destructive persistence on a target organization's system until it achieves its goals, which typically are the exfiltration of data and the use of this data and the compromised system to conduct further attacks, Unit 42 researchers Kristopher Russo, Austin Dever, and Amer Elsad, said.

"Muddled Libra has shown a penchant for targeting a victim's downstream customers using stolen data and, if allowed, they will return repeatedly to the well to refresh their stolen data set," they wrote. "Using this stolen data, the threat actor has the ability to return to prior victims even after initial incident response."

Indeed, the group doesn't just capitalize on opportunistic access to targets but has clear goals for breaches, seeking out and then stealing information on an organization's clients that can then be used it to pivot into those environments, the researchers said.

**Muddled Libra: A Targeted & Tenacious Cyberthreat**

Researchers have observed the group targeting large outsourcing firms serving high-value cryptocurrency institutions and individuals but added that Muddled Libra also poses a substantial threat to organizations in the software automation, business process outsourcing, telecommunications, and technology industries.

Though it's not bringing "anything new to the table" in terms of malware or tactics, the group is particularly dangerous for a couple of key reasons, the researchers said. The threat actors are both methodical and flexible in their attack technique, able to pivot to another vector or even modify an environment to allow for their favored attack path.

Muddled Libra also shows proficiency in a range of security disciplines and can thrive and execute "devastating" attack chains rapidly, even in environments that organizations have adequately secured by most standards, the researchers noted.

Further, the group is unusually tenacious even after discovery, repeatedly demonstrating "a strong understanding of the modern incident response (IR) framework," that allows them to keep going even once they face attempted network expulsion, the researchers wrote. "Once established, this threat group is difficult to eradicate," they said.

**Oktapus Phishing, a Typical Cyberattack Vector**

The group's attacks typically start with reconnaissance to create profiles of targets, followed by the development of resources — such as setting up lookalike phishing domains and the deployment of the Oktapus phishing kit.

These resources eventually lead to a smishing attack that sends a lure message directly to the targeted employees' mobile phones. The message claims the need to update account information or re-authenticate to a corporate application and includes a link that emulates a familiar corporate log-in page.

One of the attackers then employs social engineering in conversation with the employee to gain access to the network, capturing credentials to be used for initial access and navigating multifactor authentication (MFA), either by asking for a code or generating an endless string of MFA prompts until the user accepts one out of fatigue or frustration, in a tactic known as MFA bombing.

Once establishing a network foothold, Muddled Libra moves quickly to elevate access using standard credential-stealing tools such as Mimikatz, ProcDump, DCSync, Raccoon Stealer, and LAPSToolkit. If the group can't quickly locate elevated credentials, it turns to Impacket, MIT Kerberos Ticket Manager, and NTLM Encoder/Decoder, the researchers said.

Muddled Libra also deploys at least a half dozen free or demo versions of remote monitoring and management (RMM) tools — which are legitimately used within organizations and thus won't arouse suspicion — once it gains access to an environment. This ensures that even if their activities are discovered, they can maintain a backdoor into the environment, the researchers said.

The group also engages in a series of evasive maneuvers, including disabling antivirus and host-based firewalls; attempting to delete firewall profiles; creating defender exclusions; and deactivating or uninstalling EDR and other monitoring products to ensure persistence on the network.

Finally, Muddled Libra eventually moves on to accessing and exfiltrating data, which appears to be its primary goal, as the researchers rarely saw the group engage in remote code execution, they said. To exfiltrate data, the group attempted to establish reverse proxy shells or secure shell (SSH) tunnels for command and control (C2), or used common file-transfer sites or the Cyberduck file-transfer agent, they said. In some cases, the group then uses the compromised infrastructure as a trusted organizational asset to engage in follow-on attacks on downstream customers, the researchers said.

**Mitigation & Protection Against Sophisticated Data Theft**

To defend against such a sophisticated threat actor, organizations "must combine cutting-edge technology and comprehensive security hygiene, as well as diligent monitoring of external threats and internal events," the researchers advised.

Unit 42 researchers made a number of recommendations to this end, including the implementation of MFA and single sign-on (SSO) wherever possible, noting that Muddled Libra has its most success when it has to convince employees to help the group bypass MFA. "When they were unable to do so, they appeared to move onto other targets," they noted.

Organizations should also implement comprehensive user-awareness training, as the group is highly skilled at social engineering both help desk and other employees via phone and SMS. Training can help employees identify suspicious non-email-based outreach and thus mitigate attacks, the researchers said.

Credential hygiene should also be kept up to date and organizations should grant access to employees only when and for as long as necessary, the researchers said. Defenders also should limit the connection of anonymization services to the network, which ideally should only be allowed at the firewall level by App-ID, they said.

Moreover, organizations should maintain robust network security and endpoint security, the researchers advised. The latter should be an extended detection and response (XDR) solution that can identify malicious code through the use of advanced machine learning and behavioral analytics, blocking threats in real time as they are identified, they said.

Finally, in case an organization is breached, administrators should assume that the attacker "knows the modern IR playbook" and consider setting up out-of-band response mechanisms, they said.

'Muddled Libra' Uses Oktapus-Related Smishing to Target Outsourcing Firms

Organizations need to start taking critical infrastructure threats seriously, as they could be a precursor to future, hybrid cyber-kinetic warfare attacks, experts warn.

INFOSEC23 – London – The concept of cyber warfare isn't new, but attacks on operational technology (OT) and industrial control system (ICS) environments could enable the development of kinetic weapons with physical effects, at least one expert is warning.

Speaking at Infosecurity Europe on "The Future of Cyberwarfare," Chris Dobrec, vice president of product marketing for Armis, looked at past examples of attacks that affected OT and ICS environments, such as Stuxnet, Havex, and Blackenergy, as well as the use of Ryuk ransomware on Colonial Pipeline. "Demonstrated attacks can have kinetic effect and can harm humans," he said.

**Are We Ready for Cyber Warfare?**

Pointing at the company's cyber-warfare research from last year, Dobrec showed results that found 24% of respondents were not prepared to handle the effect of these kinds of attacks — yet counterintuitively, three-quarters (76%) believe that they have appropriate controls in place. Also, the research found that after the Russian invasion of Ukraine, 74% of respondents agreed that response to OT attacks needs to be a board-level issue.

Pointing at the HSE attack last year, Dobrec predicted that there will be more attacks on healthcare organizations in particular in the future, as well as on utilities and transportation.

"It is bizarre that OT is now vulnerable and exposed, so widen that aperture in your overall organization and monitor for potential threats," he said. "Look for the potential vulnerabilities in these systems that you may have not been looking at previously, and then work to actually continuously monitor and remediate that."

He added, "Also engage the entire organization: it's not just the IT and security folks, but the operational folks that are involved in keeping those systems up and running."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Cyberattacks on OT, ICS Lay Groundwork for Kinetic Warfare

While it's impossible for an organization to be completely secure, there's no reason to be defenseless.

The cyber landscape continues to evolve as its economy grows. Ransomware attacks already account for trillions of dollars in damages to enterprises each year and standardized and sophisticated offerings such as ransomware-as-a-service and phishing-as-a service will soon become commonplace. While it's impossible for an organization to be completely secure, we're not defenseless.

Research shows that up to 95% of cyber incidents are a result of human error. Many of these breaches stem from oversights that include system misconfigurations or employee phishing campaigns, yet I would argue that an underreported component is the way threat actors target and manipulate human emotions. For example, when looking at the social engineering of phishing emails, you can see how nefarious actors use greed, curiosity, urgency, and the inherent need to help as means to hack the employee's behavior. Anyone can become a victim in these situations, which is why the key to establishing a sound cybersecurity culture within your workforce is placing people and realism at the center of your cyber strategy.

**Mitigate Human Biases**

Organizations must focus on human nature, including a person's innate soft skills and behaviors, when developing and implementing their cybersecurity strategy because attackers will use perception blindness and human biases to their advantage. One of the strongest is confirmation bias, where a person obtains a single piece of information, it prevents them from seeing any other possible options, and it causes them to draw incorrect conclusions and burn cycles in the wrong area. Job bias is another key human bias that hinders crisis response, as key stakeholders are unsure of the role they play and what their responsibilities are in certain situations.

It's critical to identify opportunities to emulate real-world use cases rather than best-case scenarios to understand how biases will impact remediation efforts. The most substantiated efforts leverage ideation, immersion, and gamification rather than passive information or lectures. Conducting tabletops and wargame exercises are effective ways of revealing multiple human biases that arise when your teams are under immense amounts of pressure. These allow you to integrate best practices into your organizational training and playbooks, which ultimately flips the attacker's script on human nature and enables you to use it _your_ advantage.

**Unify Technical, Business, and Risk-Oriented Frameworks**

Enterprises that undertake these tabletops and wargames feel prepared to face and mitigate a potential attack. However, it is imperative for leaders to understand that these immersive exercises are conducted in a controlled environment. Planned actions can easily be lost in the chaos during a real cyberattack, especially when employees attempt to address the "fog of war" caused by stress. Security culture starts with how the employees feel, act, and behave, and deploying a cohesive, holistic, and unified approach to incident response within the first couple of hours are critical for success.

A cyberattack response that unifies technical, business, and risk-oriented frameworks empowers enterprises to create a seamless detection and remediation strategy. This prepares the entire organization — from the board of directors down — for when a real attack hits. The response plan should be underpinned by a common cybersecurity and risk language within the workplace. Instituting this, and ensuring each person becomes fluent, should be a priority along with clearly defining key roles across the enterprise.

**Weave Cybersecurity into the Fabric of an Organization**

Cyber readiness is _everyone's_ job across the enterprise. Weaving cybersecurity into the fabric of your company and making it an everyday topic can reduce human-error-initiated cyberattacks at the source. After Equifax's 2017 data breach, it reinvented its security culture by starting with what it called "shared fate." This strategic pillar focused on how everyone in the company is responsible for protecting the organization with each micro-decision they make. It's proven to be highly successful, because when every individual feels personally responsible for keeping the workplace safe, it makes cybersecurity ubiquitous.

Highly mature organizations understand the importance of cyber-crisis preparedness. To further ingrain a strong culture of cybersecurity within an organization, leaders should suggest certain components of security training be conducted at home. If you can make individuals feel safe at a time when their role shifts from employee to parent, partner, or simply off duty, their sense of cybersecurity responsibility will extend beyond the workplace and become part of life itself. That takes your cybersecurity plan a step further and embraces widespread cyber readiness.

As the industry prepares for the next wave of attack methods and attempts to cohabitate with a new generation of cybercriminals, it's more important than ever for enterprises to reassess their cybersecurity posture. Successful cybersecurity policies keep the end user, the employee, the human in mind. In doing so, these policies are frictionless, making it is easy for employees to do the right thing, and they enable organizations to provide an explanation behind the "why" to mitigate resistance to change. While deploying technical resources and training are crucial steps in keeping the workplace and its assets safe, the cybersecurity battlefield is increasingly human. To win the war, leaders should acknowledge this and exercise their people as their best defense.

Source

DARKReading