The Royal Ransomware Group has emerged as a threat to companies in 2022 and they have carried out dozens of successful attacks on global companies. Cybereason suggests that companies raise their awareness of this potential pending threat.

The Royal Ransomware Group has emerged as a threat to companies in 2022 and they have carried out dozens of successful attacks on global companies. Cybereason suggests that companies raise their awareness of this potential pending threat.

**BOSTON****,** **Dec. 14, 2022** **/PRNewswire-PRWeb/** -- Cybereason, the XDR company, today issued a new global threat alert warning public and private sector organizations about the emergence of the Royal Ransomware Group and the unique tactics, techniques and procedures they are deploying in attacks to evade detection. Companies should be on high alert for ransomware attacks during the holiday season and on weekends, as a recent Cybereason study shows attackers preying on vulnerable organizations.

The Royal Ransomware Group first emerged earlier this year, and so far has victimized dozens of companies around the world. The group appears to be operating under the supervision of other well known ransomware gangs, including Conti Group. The threat level from Royal attacks is HIGH and organizations should have precautionary steps to avoid falling victim.

Key Report Findings

*   Unique approach to evade anti-ransomware defenses: Royal ransomware expands the concept of partial encryption, which means it has the ability to encrypt a predetermined portion of the file content and base its partial encryption on a flexible percentage encryption, which makes detection more challenging for anti-ransomware solutions.
*   Multi-threaded ransomware: Royal ransomware employs multiple threads in order to accelerate the encryption process.
*   Global ransomware operation: Royal ransomware operates around the world, and reportedly on its own. The group doesn't appear to use ransomware-as-a-service or to target a specific sector or country.
*   High Severity: Cybereason assesses the threat level from Royal Ransomware to be HIGH given the rapid increase in attacks coming from this group over the past 60-90 days.

Ransomware attacks can be stopped. Cybereason offers the following recommendations to organizations to reduce their risk:

*   Practice good security hygiene: For example, implement a security awareness program for employees and ensure operating systems and other software are regularly updated and patched.
*   Confirm key players can be reached at any time of day: Critical response actions can be delayed when attacks occur over holidays and weekends.
*   Conduct periodic table-top exercises and drills: Include key stakeholders from other functions beyondsecurity, such as Legal, Human Resources, IT, and top executives, so everyone knows their roles and responsibilities to ensure as smooth a response as possible.
*   Implement clear isolation practices: This will stop any further ingress on the network and prevent ransomware from spreading to other devices. Security teams should be proficient at things like disconnecting a host, locking down a compromised account, and blocking a malicious domain.
*   Consider locking down critical accounts when possible: The path attackers often take in propagating ransomware across a network is to escalate privileges to the admin domain-level and then deploy the ransomware. Teams should create highly secured, emergency-only accounts in the active directory that are only used when other operational accounts are temporarily disabled as a precaution or inaccessible during a ransomware attack.
*   Deploy EDR on all endpoints: Endpoint detection and response (EDR) remains the quickest way for public and private sector businesses to address the ransomware scourge.

About Cybereason 

Cybereason is the XDR company, partnering with Defenders to end attacks at the endpoint, in the cloud and across the entire enterprise ecosystem. Only the AI-driven Cybereason Defense Platform provides planetary-scale data ingestion, operation-centric MalOp™ detection, and predictive response that is undefeated against modern ransomware and advanced attack techniques. Cybereason is a privately held international company headquartered in Boston with customers in more than 40 countries.

Learn more: https://www.cybereason.com/

Follow us: Blog | Twitter | Facebook

SOURCE Cybereason

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

More Insights

Webinars

*   Network Segmentation and Microsegmentation: Keys to the Next Generation of Enterprise Defense
*   Zero Trust Security 101: What You Need to Know Before Getting Started

Reports

*   How Machine Learning, AI & Deep Learning Improve Cybersecurity
*   Implementing Zero Trust In Your Enterprise: How to Get Started

Editors' Choice

Tyler Farrar, CISO, Exabeam

Jai Vijayan, Contributing Writer, Dark Reading

Elizabeth Montalbano, Contributor, Dark Reading

Jai Vijayan, Contributing Writer, Dark Reading

Webinars

*   Network Segmentation and Microsegmentation: Keys to the Next Generation of Enterprise Defense
*   Zero Trust Security 101: What You Need to Know Before Getting Started
*   A Roadmap to Zero Trust: Steps for Meaningful Progress Amongst the Hype

Reports

*   How Machine Learning, AI & Deep Learning Improve Cybersecurity
*   Implementing Zero Trust In Your Enterprise: How to Get Started
*   Enterprise Cybersecurity Plans in a Post-Pandemic World
*   Forrester Total Economic Impact Study: Team Cymru Pure Signal Recon
*   SANS 2021 Cloud Security Survey

White Papers

*   How Machine Learning, AI & Deep Learning Improve Cybersecurity
*   State of Email Security
*   Ransomware Resilience and Response: The Next-Generation
*   State of Ransomware Readiness: Facing the Reality Gap
*   How Hybrid Work Fuels Ransomware Attacks

Events

*   Black Hat USA - August 5-10 - Learn More
*   Black Hat Asia - May 9-12 - Learn More
*   \[FREE Virtual Event\] The Identity Crisis

More Insights

Webinars

*   Network Segmentation and Microsegmentation: Keys to the Next Generation of Enterprise Defense
*   Zero Trust Security 101: What You Need to Know Before Getting Started

Reports

*   How Machine Learning, AI & Deep Learning Improve Cybersecurity
*   Implementing Zero Trust In Your Enterprise: How to Get Started

Cybereason Warns Global Organizations Against Destructive Ransomware Attacks From Black Basta Gang

**SANTA ROSA, Calif.--**(BUSINESS WIRE)--Keysight Technologies, Inc. (NYSE: KEYS), a leading technology company that delivers advanced design and validation solutions to help accelerate innovation to connect and secure the world, announced the new APS-M8400 Modular Network Cybersecurity Test Platform, which provides data center network equipment manufacturers (NEM) and operators with the industry’s highest density 8-port 400GE Quad Small Form Factor Pluggable Double Density (QSFP-DD) network security test platform.

Data center operators and service providers are facing exponential growth in encrypted traffic volumes and security threats driven by increases in video streaming, cloud computing, artificial intelligence (AI), machine learning (ML), and internet of things (IoT) devices. In addition, with the introduction of 400GE, critical infrastructure is placed under even greater demand as these growing volumes of encrypted traffic are being delivered at unprecedented speed. To meet these requirements, data center NEMs and operators need tools that can validate that their products and services support hyperscale loads without compromising security and usability.

Keysight’s APS-M8400 addresses this challenge by delivering a modular, 400GE network security test platform that aggregates compute and field programmable gate array (FPGA) resources to deliver hyperscale application and cybersecurity test and validation.

The APS-M8400 test platform offers the following benefits:

*   **Industry leading 400GE port density:** The APS-M8400 offers the ability to test 8 x 400GE QSFP-DD, supporting industry moves from 100GE to 400GE without the need for additional switches or infrastructure.
*   **Ease of management:** The APS-M8400 provides a centralized, “single pane of glass” management of up to 16 compute nodes reducing the management learning curve and simplifying system upgrades and maintenance.
*   **Flexible testing options:** The APS-M800 offers flexible aggregation of compute and FPGA resources to optimize the performance and scalability requirements for any simulated workload, using one or multiple 400GE test interfaces.
*   **Hyperscale performance:** The APS-M8400 can drive hyperscale application and cybersecurity test performance, including encrypted traffic loads, to effectively emulate the rigorous demands put upon data center and service provider infrastructure. This platform can generate up to 3+ Tbps of Layer 4-7 traffic, 5+ billion concurrent connections, 2.4 Tbps of transport layer security (TLS) traffic, and 2.4 million TLS connections per second.
*   **Scalable solution:** The APS-M8400 is designed as a “pay-as-you-grow" solution, allowing users to build out a system that supports today’s test needs and spending constraints, with the flexibility to add capacity as requirements change and budgets allow.

**John Maddison, Executive Vice President of Products and Chief Marketing Officer at Fortinet, said:** “The world’s fastest NGFWs need an equally nimble testing platform to validate their capabilities. Fortinet is the only vendor delivering 400GE interface speeds on a hyperscale firewall via the FortiGate 7121F, 4800F, and 3700F. Keysight’s groundbreaking 8x400GE APS-M8400 cybersecurity test platform delivers the port density, multi-terabit application and TLS throughput rates, and session scalability that help Fortinet test and validate the performance and real-time threat protection our customers expect.”

**Ram Periakaruppan, Vice President and General Manager, Keysight's Network Test and Security Solutions, said:** “Data center NEMs and operators face conflicting demands to produce solutions that support ever increasing data volumes and traffic speeds driven by new standards like 400GE, while protecting systems against a growing, dynamic cybersecurity threat landscape - all without breaking the bank. Keysight’s APS-8400 meets these teams where they are, delivering hyperscale application and cybersecurity test loads via an industry leading 8 x 400GE of test port density in a flexible solution that allows users to add test capacity as demands and budgets change."

**Resources**

*   APS-M8400 Network Cybersecurity Test Platform

**About Keysight Technologies**

Keysight delivers advanced design and validation solutions that help accelerate innovation to connect and secure the world. Keysight’s dedication to speed and precision extends to software-driven insights and analytics that bring tomorrow’s technology products to market faster across the development lifecycle, in design simulation, prototype validation, automated software testing, manufacturing analysis, and network performance optimization and visibility in enterprise, service provider and cloud environments. Our customers span the worldwide communications and industrial ecosystems, aerospace and defense, automotive, energy, semiconductor and general electronics markets. Keysight generated revenues of $5.4B in fiscal year 2022. For more information about Keysight Technologies (NYSE: KEYS), visit us at www.keysight.com.

Additional information about Keysight Technologies is available in the newsroom at https://www.keysight.com/go/news and on Facebook, LinkedIn, Twitter and YouTube.

Keysight Announces 400GE Network Cybersecurity Test Platform

**BOILING SPRINGS, S.C.****,** **Dec. 14, 2022** **/PRNewswire/ --** Epic Management LLC ("Epic"), a healthcare management company, has learned of a data security incident that may have impacted data belonging to certain patients.

On September 2, 2021, Epic discovered unusual activity in its digital environment. Upon discovering this activity, Epic immediately took steps to secure the environment. Epic also engaged independent cybersecurity experts to conduct an investigation. As a result of this investigation, Epic learned that an unauthorized actor accessed certain files and data stored within its email tenant. Upon learning of the unauthorized access, Epic undertook a complex and time-consuming review of the potentially affected data. On December 9, 2022, Epic determined that personal information may have been affected.

While Epic has no evidence that any information potentially involved in this incident has been misused, out of an abundance of caution, Epic is informing affected individuals about the steps they can take to help protect their information. Epic is also providing credit and identity protection services to individuals whose Social Security numbers were impacted. The potentially affected information varies by individual, may have included the individuals' first and last names, dates of birth, Social Security numbers, health insurance information, medical information, drivers' licenses, passport numbers, financial account numbers and routing numbers, biometric data, usernames and passwords, and/or payment card numbers alongside its associated expiration date and/or security code.

Epic has taken steps in response to this incident and has made alterations to its cyber environment to help prevent similar incidents from occurring in the future. 

Epic has established a toll-free call center to answer questions about the incident and to address related concerns.  Call center representatives are available Monday through Friday between 8am to 8pm CST and can be reached at 1-833-896-7338.

Epic is located at PO Box 160038, Boiling Springs, SC 29316.

SOURCE Epic Management LLC

Epic Management Provides Notice of Data Security Incident

Malicious Windows drivers signed as legit by Microsoft have been spotted as part of a toolkit used to kill off security processes in post-exploitation cyber activity.

Malicious drivers certified by Microsoft's Windows Hardware Developer Program have been used to juice post-exploitation efforts by cybercriminals, Redmond warned this week — including being used as part of a small toolkit aimed at terminating security software in target networks.

"Several developer accounts for the Microsoft Partner Center were engaged in submitting malicious drivers to obtain a Microsoft signature," Microsoft explained in an advisory issued on Dec. 13. "A new attempt at submitting a malicious driver for signing on September 29, 2022, led to the suspension of the sellers' accounts in early October."

Code signing is used to provide a level of trust between the software and the operating system; as such, legitimately signed drivers can skate past normal software security checks, helping cybercriminals move laterally from device to device through a corporate network.

**SIM-Swap, Ransomware Attacks**

In this case, the drivers were likely used in a variety of post-exploitation activity, including deploying ransomware, the computing giant acknowledged. And Mandiant and SentinelOne, which along with Sophos jointly alerted Microsoft to the issue in October, have detailed the drivers' use in specific campaigns.

According to their findings, also issued on Dec. 13, the drivers have been used by the threat actor known as UNC3944 in "active intrusions into telecommunication, BPO \[business process optimization\], MSSP \[managed security service provider\], and financial services businesses," resulting in a variety of outcomes.

UNC3844 is a financially motivated threat group active since May that usually gains initial access to targets with phished credentials from SMS operations, according to Mandiant researchers.

"In some cases, the group’s post-compromise objectives have focused on accessing credentials or systems used to enable SIM-swapping attacks, likely in support of secondary criminal operations occurring outside of victim environments," Mandiant detailed in a separate Dec. 13 blog post on the issue.

In service of those goals, the group was observed using the Microsoft-signed drivers as part of a toolkit designed to terminate antivirus and EDR processes. That toolkit consists of two pieces: Stonestop, a Windows userland utility that terminates processes by creating and loading a malicious driver, and Poortry, a malicious Windows driver that uses Stonestop to initiate process termination.

SentinelLabs also observed a separate threat actor using the same driver, "which resulted in the deployment of Hive ransomware against a target in the medical industry, indicating a broader use of this technique by various actors with access to similar tooling."

To combat the threat, Microsoft has released Windows Security Updates that revoke the certificate for affected files and suspended the partners' seller accounts.

"Additionally, Microsoft has implemented blocking detections (Microsoft Defender 1.377.987.0 and newer) to help protect customers from legitimately signed drivers that have been used maliciously in post-exploit activity," the company noted in the advisory.

Microsoft-Signed Malicious Drivers Usher In EDR-Killers, Ransomware

Version 2.0 of the Common Security Advisory Framework will enable organizations to automate vulnerability remediation.

Today, nearly every party that issues security advisories uses its own format and structure. Plus, most security advisories are only human-readable, not machine-readable.

System administrators have to read each advisory, determine if they use the products and versions listed, and evaluate the potential risk and existing mitigations. Based on their system's exposure and the business value, they make a decision about if and when to patch.

It’s a time-consuming process that delays vulnerability remediation and increases risk. Vendors and providers of software and hardware need to disclose security vulnerabilities in a way that accelerates this process and empowers customers to use automation.

**The New Standard for Security Advisories**

The Common Security Advisory Framework (CSAF) 2.0 supports the automation of vulnerability management by standardizing the creation and distribution of structured machine-readable security advisories.

CSAF is an official standard of OASIS Open. The technical committee that developed CSAF includes numerous public- and private-sector technology leaders, users, and influencers.

Manufacturers can use CSAF to standardize the format, content, distribution, and discovery of security advisories. These machine-readable JSON documents enable administrators to automate the comparison of advisories against a user’s asset database or even a supplier's software bill of materials (SBOM) database.

The automated system can filter vulnerabilities based on the products of interest and prioritize based on business value and exposure. This dramatically speeds up the evaluation process and enables administrators to focus on managing risk and fixing vulnerabilities.

**CSAF, VEX, and SBOMs**

Vulnerability Exploitability eXchange (VEX) is a profile in CSAF. VEX was developed in the SBOM community as a way for manufacturers to easily convey that a product is not affected by issuing a so-called negative security advisory. VEX is designed to work with SBOMs, although it is not necessary to have an SBOM to use VEX documents.

A VEX document must include information about the disposition of each vulnerability as it impacts each product. A product can be marked as under investigation, fixed, known affected, or known not affected. For those products that are marked as known not affected, VEX requires that the publisher include a justification for that status.

Being able to communicate the various statuses of a vulnerability — including under investigation and not affected — means customers can get that information without calling the vendors or manufacturers, which will be a relief to customer support. Moreover, it enables customers to better manage vulnerability risk.

When paired with an SBOM, VEX documents enable administrators to use asset management systems to quickly determine what vulnerabilities are not exploitable, which frees them to focus on any vulnerabilities that could put their businesses at risk.

**Other CSAF Profiles**VEX is one of five profiles in the CSAF schema. Each profile has certain required fields and is designed to address a specific need.

The CSAF base profile serves as the foundation for all of the other profiles. It defines the default required fields for any CSAF document — primarily information about the document itself, such as who published it, when it was published, and if it has been revised.

The security advisory profile includes information that we see in most security advisories today — details about the vulnerability, products affected, and remediations.

The informational advisory profile can be used to provide information about a security issue that is not a vulnerability, such as a misconfiguration.

Finally, the security incident response profile can be used to provide information about a security breach or incident that happened at the company, or about the impact that an incident involving another party (like a contractor or component manufacturer) had on the company.

**CSAF Tools and Guidance**

CSAF defines conformance targets that help consumers and producers to find the right tool for their requirements. The OASIS CSAF technical committee also developed a suite of tools for using CSAF, including:

*   Secvisogram is an online editor to create, update, and view CSAF documents. It also can produce a human-readable version of the document.
*   CSAF CMS back end is a work-in-progress implementation of a CSAF content management system. The system will support producers of CSAF documents by providing workflows and automation of metadata creation.
*   CSAF validator service is a REST-based service that implements the CSAF full validator target. It tests a given CSAF file according to the specification.
*   CSAF Provider is an implementation of the role CSAF Trusted Provider and offers a simple HTTPS-based management service. It acts as a static site generator to present CSAF files as required by the standard.
*   CSAF Checker is a tool for testing a CSAF Trusted Provider according to Section 7 of the CSAF standard. It checks requirements without considering the indicated role.
*   CSAF Downloader is a tool for downloading advisories from a CSAF provider.

To help issuing parties to write actionable CSAF documents, there is guidance for each field, which can be found here.

CSAF Is the Future of Vulnerability Management

Without many details, Apple patches a vulnerability that has been exploited in the wild to execute code.

The latest Apple security update includes a fix for an actively exploited security vulnerability that could allow arbitrary code execution on iPhone 8 and above. 

The bug, fixed with the iOS 16.1.2 update, is a type confusion issue in the WebKit browser engine. Type confusion occurs when a piece of code doesn't verify the type of object that is passed to it; in this case, it can be be triggered when processing specially crafted content, Apple noted in its advisory. 

As for the active exploitation, the mobile giant noted that it is "aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1."

Apple has been plagued by zero-day exploits over the past several months.  

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Apple Zero-Day Actively Exploited on iPhone 15

Former pure-play deception startup Illusive attracts Proofpoint with its repositioned platform focusing on identity threat detection and response (ITDR).

Less than year after a shift to the burgeoning identity threat detection and response (ITDR) market from its initial roots as a pure-play deception technology startup, Illusive reached the liquidity promised land this week. Proofpoint has announced plans to purchase the firm for an undisclosed amount, with the deal set to close in early 2023.

According to executives from Proofpoint, which specializes in email and cloud security, the pickup was spurred by a drive to reinforce its technology portfolio with identity-focused protections. The company said it was drawn to Illusive for its identity risk discovery and remediation capabilities, in addition to post-breach defenses that could build out Proofpoint's protections against ransomware​ and data theft.

"It's currently far too easy for an attacker to turn one compromised identity into an organizationwide ransomware incident or data breach," said Ryan Kalember, executive vice president of cybersecurity strategy for Proofpoint, in a statement.

**Deception Tech: Not Enough on Its Own**

Initially founded in 2014 by former Check Point Software Technologies veteran Ofer Israeli, Illusive touted itself for a long time for its deception technology capabilities, focusing primarily on breach detection through the use of decoy assets — including credentials — seeded on customer networks. 

The firm had raised more than $54 million in venture funds with that market positioning. However, pure-play deception increasingly has been subsumed as a narrow feature set within broader segments, like extended detection and response (XDR).

As Forrester's David Holmes put it in his analysis of the acquisition of deception player Attivo by XDR vendor SentinelOne in March, "Deception tech, while _super cool_, was never able to achieve escape velocity on its own, and some of its shining stars are disappearing into portfolios of larger vendors."

Amid that kind of market action, Illusive pivoted.

**Entering the ITDR Space**

Earlier this year, it repositioned itself as an identity risk management vendor, with the launch of its Illusive Spotlight ITDR platform in February. 

The platform is not that big of a departure from its deception roots — it works hand-in-hand with the deception technology the vendor had developed and sells through its Illusive Shadow product. But the launch of Spotlight gave Illusive leave to reposition itself as a major identity player and go after a market that industry analysts are increasingly promoting as an important component of security programs of the future. 

In March, Gartner named the rise of ITDR as one of the top security and risk management trends for 2022.

"Organizations have spent considerable effort improving \[identity access management\] IAM capabilities, but much of it has been focused on technology to improve user authentication, which actually increases the attack surface for a foundational part of the cybersecurity infrastructure," Peter Firstbrook, research vice president for Gartner, said in that prediction. "ITDR tools can help protect identity systems, detect when they are compromised, and enable efficient remediation."

In many ways, this deal by Proofpoint mirrors SentinelOne's purchase of Attivo. Forrester's Holmes said at the time that the company was attracted to Attivo's identity capabilities first, with the deception element coming second.

"What acquisitions like this one ultimately mean for security and risk decision-makers is that they can pivot from deploying a stand-alone deception tech product and start evaluating how deception gets paired with one or two key tactical domains such as identity," Holmes wrote at the time.

The Proofpoint purchase of Illusive solidifies that assessment.

Proofpoint Nabs Illusive, Signaling a Sunset for Deception Tech

The proliferation of automated cyberattacks against npm, NuGet, and PyPI underscores the growing sophistication of threat actors and the threats to open source software supply chains.

An automated attack within the NuGet open source ecosystem for .NET developers has resulted in a flood of malicious packages containing links to phishing campaigns.  

That's according to a joint report on Wednesday from Checkmarx and Illustria, which, upon digging deeper, found that automated attacks are taking aim on a broad level, against users of the npm, NuGet, and PyPI software developer ecosystems.

The attack vector in the NuGet ecosystem involves the use of automated processes to create a large number of packages with names and descriptions designed to lure those interested in hacking, cheats, and free resources. These contain links to phishing campaigns built to steal personal information or other sensitive data.

The scale of this attack is unique, according to the report, because it involves the creation of over 144,000 packages by the same threat actor — a significantly larger number of packages than is typically seen in such attacks, making it an especially large and significant event.

"The use of automated processes to create the packages and user accounts makes it difficult for security teams to identify and take down the packages," Jossef Harush, head of supply chain security engineering at Checkmarx, tells Dark Reading.

Harush adds, "This makes the attack more dangerous and harder to defend against. It also highlights the need for organizations to be vigilant and take steps to protect themselves against these types of attacks."

**Automation: Improving Efficiency, Reducing Risk to Hackers**

Harush explains the attackers likely invested in automation to poison the NuGet, PyPI, and npm ecosystems because it allows them to create a high volume of packages and user accounts in a short amount of time.

"This allows them to spam the open source ecosystem with many packages, potentially reaching a significant number of users and increasing the likelihood that they will fall victim to the phishing campaigns," he says.

Additionally, because the use of automation makes it difficult for security teams to identify and take down the packages, the attackers can continue their campaign for a longer period.

"Automation also reduces the risk of the attackers being caught and allows them to operate more efficiently and with less risk," Harush notes.

**Malicious Packages: Key Preventive Measures**

In addition to monitoring networks for signs of the phishing campaigns and other suspicious activity, and educating employees about the importance of being cautious when downloading packages from open source ecosystems, businesses should consider security tools and services to help identify and protect against such threats to their software supply chains.

"Security postures against software supply chain attackers need to evolve in several ways to better defend against these threats," Harush says. "First, the package managers need to improve their ability to detect and prevent the publication of malicious packages to open source ecosystems like NuGet, PyPI, and npm."

He explains this may involve the use of technology to monitor these ecosystems and identify suspicious activity, as well as the development of better security practices and processes for identifying and responding to threats.

Harush points out that overall security postures against software supply chain attackers need to be more proactive, adaptable, and collaborative to effectively defend against these threats.

"This may involve a combination of technology, processes, and people working together to identify and respond to these threats in a timely and effective manner," he says.

A recent report from Google also noted that security leaders should take a more holistic approach to addressing supply chain risks, and should work to implement the Supply Chain Levels for Software Artifacts (SLSA) framework when building software to ensure better software security and integrity.

Automated Cyber Campaign Creates Masses of Bogus Software Building Blocks

Learn to think three moves ahead of hackers so you're playing chess, not checkers. Instead of reacting to opponents' moves, be strategic, and disrupt expected patterns of vulnerability.

Many an article chronicles hacked passwords available in bulk on the evil "Dark Web." It's presented as evidence that the bad behavior of users is the root of all hacking. But as a former red teamer, the end user isn't the only one who is a prisoner to discernable behavioral patterns.

There is a "pattern of vulnerability" in human behavior extending far beyond end users into more complex IT functions. Finding evidence of these patterns can give hackers an upper hand and speed the timeline of compromise.

It's a reality I recognized earlier in my career in operational roles. I've physically helped rebuild and relocate data centers and rewire buildings from top to bottom. It gave me a great perspective of what it takes to build in security from scratch, and how unconscious behaviors and preferences can put it all at risk. In fact, understanding how to identify these patterns gave me a very reliable "superpower" when I moved into red teaming, which ultimately resulted in a patent grant. But more on that later.

**Fatal Recall**

Let's start by examining how our addiction to patterns betrays us — from credentials, to software operation, to asset naming.

While technology has afforded us so many benefits, the complexity of managing it — and the cumbersome controls intended to protect — drives people to repeatable patterns and the comfort of familiarity. The more regular the task or function becomes, the more complacent we get with the pattern and what it telegraphs. For a red teamer, the ability to watch routines, from the physical to the logical, can offer a wealth of intelligence. Repeatability offers opportunity and time to discern patterns, and then to find the vulnerability in those patterns that can be exploited.

Internal naming schemes in particular — be they asset names, system names, or credential groupings — lend themselves to picking common words for descriptive categorization. I saw one organization that used the names of mountains. And while you may not know which system K2 versus Denali is, it acts as a filter for an attacker as they explore an environment. It's also an excellent social engineering tool, allowing an attacker to "speak the internal IT lingo." You may ask, OK, but "what's in a name?"

**Brutal Reality**

I'm sure you've heard of brute-force attacks where attackers throw guesses in volume at a target to find the right combination that leads to access. It's a numbers game and a blunt instrument. However, if you can discern the use of naming conventions, it sharpens the ability to focus on a range of accounts or systems, and then understand their potential attributes. It speeds up the clock for an attacker.

But, you ask, "if these are _internal_ conventions, how does an _external_ attacker even find this type of information"?

**Patently True**

Enter my aforementioned superpower. As any experienced red teamer knows, information leaks out of organizations in many ways, you just need to know where to look, and how to find the signals in the noise.

Internal naming groups and conventions become exposed to the outside world in a variety of ways. They're buried in website code, detailed in technical documentation or as part of APIs, or just simply published in public system information.

Admittedly, this is a very large haystack, but finding the needles is exactly what the patent I was involved in (US Patent 10,515,219) endeavors to do. Site-scanning tools collect a range of information, and unsurprisingly, an overload of information. My approach strips out all the technical programming information (such as markup, JavaScript, etc.), and leaves just words. It then compares results with lists of English words. The algorithm then identifies groupings of words or abbreviations _not_ present in the selected language that, presumably, _may_ signify an internal naming convention or credentials. As is common with brute-force campaigns, it may not, but as the axiom goes, the attacker only needs to be right _once,_ so the ability to generate context-sensitive word lists may make or break your next campaign. This is when the picture may start to become clearer and the shape of things such as user groups, system names, etc., manifest.

**Actions Speak Louder**

So, we've established how our deeply rooted behaviors can betray our security literally with "writing on the wall." How do we change, or at least be more aware of, our very nature?

There's the old joke summed up in the punch line that you don't need to outrun a tiger — you just need to outrun your companions. In this way, **first use the basic "sneaker" technologies**. Password managers, multifactor authentication (MFA), and the like at least allow you to outrun your peers so attackers can focus on the laggards in the herd.

**Second, elect for regular change.** Change is uncomfortable, but that discomfort triggers better situational awareness. If you know yourself and your environment better, and force change, that helps prevent an attacker's ability to get to know you too well.

**Next, trust your gut**. If something doesn't seem right, it probably isn't. If you focus on failure and not the familiarity of the behavior around failure, you're better equipped to see the bad guys coming and make sure a small anomaly doesn't become a big problem.

**Finally, play chess, not checkers**. Too many organizations think they're playing chess, and may be employing more complex pieces and roles, but if, ultimately, you're playing in reaction to your opponents' moves, it's checkers in disguise.

It's a lesson I am teaching my own son while he's interested in learning chess. He's learning the _strategy_ behind the game. He understands using the pieces and their characteristics to manipulate the game, and is quickly catching on to the fact that he also needs to focus on manipulating _me_. I'm teaching him to think three moves ahead, think about what is possible, and lure his opponent into doing what he wants them to do, not what they want to do — and, most importantly, to trust the gambit.

How Our Behavioral Bad Habits Are a Community Trait and Security Problem

An emerging cybercriminal group linked with Conti has expanded its partial encryption strategy and demonstrates other evasive maneuvers, as it takes aim at healthcare and other sectors.

The Royal ransomware gang has quickly risen to the top of the ransomware food chain, demonstrating sophisticated tactics — including partial and rapid encryption — that researchers believe may reflect the years of experience its members honed as leaders of the now-defunct Conti Group.

Royal ransomware operates around the world, and reportedly on its own; it does not appear that the group uses affiliates through ransomware-as-a-service (RaaS) or to target a specific sector or country. The group is known to make ransom demands of up to $2 million and claims to have published 100% of the data it extracts from its victims.

A deeper dive into how the Royal ransomware group works shows a surefooted and innovative group with varied ways to deploy ransomware and evade detection so it can do significant damage before victims have a chance to respond, researchers from the Cybereason Security Research & Global SOC Team revealed in a blog post published Dec. 14.

One key aspect of Royal's tactics is the concept of partial encryption, where it locks up only a predetermined portion of file content rather than all of it. While partial encryption is not a new tactic, it is key to Royal's strategy, with the group taking it to a new level not seen much before in ransomware activity, the researchers said.

Recently, for instance, Royal has expanded the idea by basing the tactic on flexible-percentage encryption that can be tailored to the target, thus making detection more challenging, the Cybereason researchers said.

The group also employs multiple threads to accelerate the encryption process, giving victims less time to stop it once it starts, and the encryption also initially starts and deploys in different ways, which also makes detection challenging, according to Cybereason.

**Taking the Crown as a Rapidly Evolving Threat**

The US Department of Health and Human Services sounded an alarm last week about Royal ransomware specifically targeting the healthcare sector; however, the group has been active since early this year and appears agnostic when it comes to its victims, the researchers noted.

"The group does not seem to focus on a specific sector, and its victims vary from industrial companies to insurance companies, and more," the Cybereason researchers wrote.

While Royal began its activity by deploying other types of ransomware, by September the rapidly evolving cybercriminal group had developed its own. And by November, Royal ransomware was reported to be the most prolific ransomware in the e-crime landscape, dethroning the dominant Lockbit for the first time in more than a year, the researchers said.

And even though Royal sets its sites on a diverse range of victims, its targeting of the healthcare sector demonstrates that the group is likely as ruthless as Conti was before it, noted one security expert.

"While some larger ransomware gangs have demonstrated scruples at either avoiding targeting healthcare institutions or providing decryption keys at no cost, it's clear that is not the case when it comes to Royal ransomware," says Shawn Surber, senior director of technical account management at Tanium, a converged endpoint management provider.

Targeting the healthcare industry could literally mean life or death for some of those affected by a ransomware attack, given that it can prevent clinicians from having access to key patient data, he says. This sector also tends to have a dearth of cybersecurity funds to defend itself against ransomware and other cyber threats, making it especially vulnerable, Surber says.

"This is especially concerning considering virtually any outage or disruption in operations will cause a financial — and often physical — impact in a patient care setting," he says.

**A New Twist on Partial Encryption**

While most ransomware bases partial encryption only on the file size, then encrypts a set percentage of the file the same way each time, Royal ransomware lets the operator choose a specific percentage and lower the amount of encrypted data even if the file size is large, the researchers said.

When a targeted file is being encrypted, the ransomware calculates the percentage to encrypt and divides the file content — encrypted and unencrypted — into equal segments, researchers explained in the post. The fragmentation — and thus the low percentage of encrypted file content that results — lowers the chance of being detected by anti-ransomware solutions.

"This ability to change the amount of the file to be encrypted gives Royal ransomware an advantage when it comes to evading detection by security products," the researchers noted.

The file size that Royal chooses for its partial encryption threshold — 5.24MB — also is the same as what Conti Group used in the past, encrypting 50% of a file in a divided manner if it was over this size, "much like Royal ransomware," the researchers wrote.

Though it's widely believed that Conti's former operators are behind Royal, this similarity is not strong enough evidence to confirm that link definitively, the researchers added.

Another technique unique to Royal is how it multithreads encryption, choosing the number of running threads by using the API call _GetNativeSystemInfo_ to collect the number of processors in a machine, the researchers divulged. It will then multiply the result by two and create the appropriate number of threads accordingly. This allows for rapid encryption, another show of sophistication by the group, the researchers said.

**Shielding the Enterprise From a Royal Threat**

To avoid rolling out the red carpet for Royal and other ransomware, researchers recommend that enterprises deploy a multilayer approach to malware protection that leverages threat intelligence, machine learning, anti-ransomware, next-generation antivirus, and variant payload-prevention capabilities.

For healthcare organizations with limited cybersecurity resources that may not have such tools in their arsenal, one security expert advised the adoption of low-code security automation to help detect and respond to threats in real time by allowing complete visibility into IT environments.

_"_Endpoint security tools that integrate low-code security automation give healthcare organizations a cohesive protection strategy that protects patients and employees from data theft and extortion," Daniel Selig, security automation architect at security automation provider Swimlane, tells Dark Reading.

Source

DARKReading