The number of DDoS-related incidents targeting APIs have jumped by 30x compared with traditional Web assets, suggesting that attackers see the growing API landscape as the more attractive target.

Source: Ketut Agus Suardika via Shutterstock

Cyberattacks targeting India-based organizations continue to double year-over-year, a rate far higher than the global average, highlighting the rapidly rising risk facing companies and government agencies in South Asia.

Overall, organizations in India encountered nearly 1.2 billion attacks in the third quarter of 2024, up from about 600 million in the same quarter in 2023, according to a quarterly report published by Indusface, a managed application security provider. Some 377 million denial-of-service (DoS) events and 215 million bot-based requests targeted API services and Web servers utilizing the firm's Web application and API protection (WAAP) service.

While attackers typically have used denial-of-service (DoS) attacks powered by bots against businesses, they are evolving, Ashish Tandon, founder and CEO of Indusface, said in a statement to Dark Reading.

Attackers are now focusing "on exploiting websites and APIs using diverse attack vectors," he said. "The rise of large language models (LLMs) has significantly lowered the barrier for executing vulnerability attacks, as reflected in our data, which shows triple-digit growth in such incidents."

The third-largest economy in Asia, India saw 5.4% growth overall in the third quarter, which is driving attackers to more often target Indian organizations — 44% of businesses have suffered a data breach costing at least $500,000 in the past three years, PricewaterhouseCoopers (PwC) stated in its "2025 Global Digital Trust Insights" (India edition). The attacks have resulted in Indian executives prioritizing cybersecurity over other risks, with 61% designating it one of their top three priorities.

Related:African Reliance on Foreign Suppliers Boosts Insecurity Concerns

"Top cyber-risks, including cloud-related threats, attacks on connected products, social engineering and software supply chain compromises, are areas where security executives feel particularly underprepared," PwC India stated in the report.

**Cyberattacks in India Accelerating**

In the second quarter of 2024, cyberattacks doubled both globally and against India-based organizations, rising 105% and 115%, respectively, Indusface stated. While the number of cyberattacks continued to balloon in the third quarter, the expansion decelerated globally, growing only 26% in the third quarter of 2024, compared with a year earlier.

In India, however, attacks continued to skyrocket, jumping 92% compared to the same quarter the previous year, the company stated in its "State of Application Security" report for Q3 2024. In August, the Reserve Bank of India (RBI) issued a warning to companies that their increasing use of digitization comes with increased risks.

Related:Middle East Cybersecurity Efforts Catch Up After Late Start

"While the DDoS attacks in India \[were\] similar to the last year, there was a huge growth in the bot and vulnerability attacks in India," the company stated, adding that attacks in general were on the rise because of attackers' use of AI tools.

"A big part of \[the increase\] could be because of the widespread use of LLM tools such as ChatGPT, which enable novice hackers to easily find and deploy scripts that could exploit open vulnerabilities," the company said. "This accessibility has lowered the barrier to entry for cybercriminals, resulting in an unprecedented rise in vulnerability exploitation."

**Cyber-Risks Heightened for Banks, Utilities**

Cyberattackers have tended to target specific industries in India, with the banking, financial services, and insurance industries collectively seeing twice as many attacks compared with the global average, while power and energy saw four times as many attacks per website, Indusface stated in its report.

"We believe that these industries are targeted for geopolitical reasons, as this will lead to disruption in all essential services," says Phani Deepak Akella, vice president of marketing for Indusface. He adds, "Last year, we saw more DDoS attacks, but this year we are seeing more growth in attacks targeting vulnerabilities. This could be because of LLM adoption, where hackers can get ready made scripts to exploit vulnerabilities such as SQL injection, for example."

Related:Southeast Asian Cybercrime Profits Fuel Shadow Economy

Companies in India suffer from many of the same issues as businesses worldwide, especially around managing vulnerabilities in their attack surface area. Only 19% of companies use an automated scanner to manage their API security, with 45% using manual penetration testing and more than a third (36%) not testing their APIs, according to Indusface.

In addition, companies are slow to patch vulnerabilities in the software used to serve APIs, with more than 30% of critical and high-severity CVSS vulnerabilities remaining unpatched more than six months after discovery. Some 5 million attacks targeted the vulnerable API services, the firm noted.

Security misconfiguration and identification and authentication failures were the top classes of vulnerabilities discovered in production API servers, according to the firm's report. Web applications typically had blind SQL injection, server-side request forgery, and HTML injection issues.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

India Sees Surge in API Attacks, Especially in Banking, Utilities

The agency asks the cybersecurity community to adopt "romance baiting" in place of dehumanizing language.

Source: Olga Yastremska via Alamy Stock Photo

NEWS BRIEF

Victims of online scams are being deterred from coming forward for fear of being associated with language like "pig butchering," a phrase used to describe long-con romance fraud schemes, according to Interpol, which has released an awareness campaign advocating for the use of "romance baiting" in its place.

Romance-baiting cybercrimes start with a fake relationship, in which the target "pig" is "fattened up" before they are scammed into sending money, then "butchered" and subsequently ghosted once they've handed over the "whole hog" of their assets. Once victims realize they've been manipulated and scammed, they're left heartbroken and embarrassed, and further labeling them as a pig isn't helpful, Interpol argues as part of its wider "Think Twice" campaign.

Run by sprawling international cybercrime operations, pig butchering scams cost victims billions every year. One large pig butchering operation was discovered to be running full-fledged call centers staffed by forced labor in Cambodia, Laos, and Myanmar, raking in more than $60 billion over the past three years. The pig butchering tactic has likewise been used in the war between Russia and Ukraine.

"Academic research clearly shows the links between the tactics of fraudsters and of perpetrators of domestic abuse and coercive control," Dr. Elisabeth Carter, associate professor of criminology and forensic linguist at Kingston University London, said in a statement from Interpol. "It is imperative that we do not adopt the terminology of these criminals but instead use terms that assist public protection and support victim reporting."

**About the Author**

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

Interpol: Can We Drop the Term 'Pig Butchering'?

The threat intelligence business, which is set to be acquired by Mastercard for billions, is officially vendor non grata in Putin's regime.

Source: JHG via Alamy Stock Photo

NEWS BRIEF

The Russian government has set a new precedent for itself by officially designating Recorded Future, the cyber threat intelligence (CTI) company, as "undesirable." It's a development that the company's CEO sees as a badge of honor.

The term is the country's official parlance for sanctioning, and it means that Recorded Future won't be able to operate within Russia or interact with any Russian companies or individuals. It's a status that was first introduced in 2015 as a way to cut off Russian citizens from the influence of nongovernmental organizations (NGO), media organizations, and other members of civil society that call out human rights abuses and other concerns about Vladimir Putin's regime, which is widely characterized as repressive and authoritarian.

Recorded Future is the first infosec organization and one of very few businesses to "earn" the designation, though the Russia Federation's Office of the Prosecutor General incorrectly labeled it as an NGO in its Dec. 18 announcement about the "undesirable" labeling.

Among the company's supposed crimes against the state: being funded by American businesses; providing services for searching, processing, and analyzing data including on the Dark Web; "specializing in cyber threats"; and actively interacting with the CIA and other foreign intelligence forces.

The Prosecutor General also called out the company, which incidentally is being acquired by Mastercard for $2.65 billion, for spreading "propaganda" and engaging in "offensive information campaigns" regarding its war with Ukraine, tracking Russian Army activities, and feeding intelligence to the Ukrainian authorities.

For his part, Recorded Future CEO Christopher Ahlberg took the news better than in stride, posting on X, "Some things in life are rare compliments. This being one."

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Recorded Future: Russia's 'Undesirable' Designation Is a Compliment

Attackers are using links to the popular Google scheduling app to lead users to pages that steal credentials, with the ultimate goal of committing financial fraud.

Source: Anatolii Babii via Alamy Stock Photo

Attackers are spoofing Google Calendar invites in a fast-spreading phishing campaign that can bypass email protections and aims to steal credentials, ultimately to defraud users for financial gain.

The campaign, discovered by researchers at Check Point Software, relies on modified "sender" headings to make emails appear as if they were sent via Google Calendar on behalf of a legitimate entity, such as a trusted brand or individual, they revealed in a blog post published Dec. 17.

Initially, messages included malicious Google Calendar .ics files that would lead to a phishing attack, the threat hunters wrote. However, "after observing that security products could flag malicious Calendar invites," attackers began aligning those files with links to Google Drawings and Google Forms to better disguise their activity.

**Mass-Scale Financial Scamming Is the Goal**

Given that Google Calendar is used by more than 500 million people and is available in 41 different languages, the campaign provides a massive attack surface, so "it is no wonder it has become a target for cybercriminals" seeking to compromise online accounts for financial gain, the team noted.

"After an individual unwittingly discloses sensitive data, the details are then applied to financial scams, where cybercriminals may engage in credit card fraud, unauthorized transactions or similar, illicit activities," the researchers wrote in the post. Stolen data also can be used to bypass security measures on other victim accounts to lead to further compromise, they added.

Related:Interpol: Can We Drop the Term 'Pig Butchering'?

Attackers also are moving fast with the campaign, with researchers observing more than 4,000 emails associated it in a four-week period. In those messages, attackers used references to about 300 brands in their fake invites to make them appear authentic, they wrote.

**What a Google Calendar Phish Looks Like**

A message associated with the campaign looks like a typical invite from Google Calendar in which someone known to or trusted by the individual targeted shares a calendar invite with them. The appearances of the messages vary, with some that really look almost identical to typical Google Calendar notifications, "while others use a custom format," the team wrote.

As noted previously, the emails include a calendar link or file (.ics) that includes a link to Google Forms or Google Drawings in an attempt to bypass email-scanning tools. Once a user takes the bait, they are then asked to click on another link, "which is often disguised as a fake reCAPTCHA or support button," that forwards them to a page "that looks like a cryptocurrency mining landing page or bitcoin support page," according to the post.

Related:Wallarm Releases API Honeypot Report Highlighting API Attack Trends

"These pages are actually intended to perpetrate financial scams," the team wrote. "Once users reach said page, they are asked to complete a fake authentication process, enter personal information, and eventually provide payment details."

**How to Avoid Becoming a "Google" Phishing Cyber Victim**

Check Point contacted Google about the campaign, which recommended that Google Calendar users enable the "known senders" setting in the app to help defend against this type of phishing. This setting will alert a user when they receive an invitation from someone not in their contact list or someone with whom they have not interacted with from their email address in the past, the company said.

Corporate defenders can used advanced email security solutions that can identify and block phishing attacks that manipulate trusted platforms with the inclusion of attachment scanning, URL reputation checks, and AI-driven anomaly detection, the Check Point team wrote.

Organizations also should monitor the use of third-party Google Apps and use cybersecurity tools that can specifically detect and warn its security teams about suspicious activity on third-party apps.

Related:Texas Tech Fumbles Medical Data in Massive Breach

Finally, two often-cited pieces advice for organizations when recommending phishing defense — the use of multifactor authentication (MFA) across business accounts and employee training on sophisticated phishing tactics — also can work in cases like this to shore up security.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Phishers Spoof Google Calendar Invites in Fast-Spreading, Global Campaign

Cyberattackers used fake DocuSign links and HubSpot forms to try to solicit Azure cloud logins from hundreds of thousands of employees across Europe.

Source: Ascannio via Alamy Stock Photo

A full 20,000 employees of European manufacturing companies have been targeted by a phishing campaign.

According to Palo Alto Networks' Unit 42, the activity peaked in June and survived until at least September. The cyberattackers targeted automotive, chemical, and industrial compound manufacturing companies, primarily in Western European countries like the UK, France, and Germany.

The attackers' goal was to lure employees into divulging credentials to their Microsoft accounts, particularly in order to gain access to their enterprise Azure cloud environments.

**DocuSign, HubSpot & Outlook Phishing**

The infection chain began either with an embedded HTML link or a DocuSign-enabled PDF file named after the targeted company (e.g., darkreading.pdf). In either case, the lure funneled victims to one of 17 HubSpot Free Forms. Free Forms are HubSpot's customizable online forms for gathering information from website visitors.

The forms were not actually used to gather any information from victims. They were bare, and clearly written by a non-native speaker. "Are your \[sic\] Authorized to view and download sensitive Company Document sent to Your Work Email?" they asked, with a button to view the purportedly sensitive document in "Microsoft Secured Cloud."

Related:CISA Directs Federal Agencies to Secure Cloud Environments

Those who fell for this step were redirected to another page, mimicking a Microsoft Outlook Web App (OWA) login page. These pages — hosted on robust, anonymous bulletproof virtual private servers (VPS) — incorporated their targets' brand names, with the top-level domain (TLD) ".buzz" (as in www.darkreading.buzz). Victims' Microsoft credentials were harvested here.

With stolen accounts in hand, the threat actor set about burrowing into targets' enterprise cloud environments. The next important step to that end involved registering their own device to victims' accounts. Doing so allowed them to log in thereafter as an authenticated user, and thus avoid triggering security alerts. They enhanced their disguise further by connecting through VPN proxies located in the same country as their target.

Registering a device also provided a point of persistence against any attempts to unseat the attacker. In one case Unit 42 observed, for example, an IT team was stymied as soon as they tried to regain control of a stolen account. Seeing that they might be booted, the attacker initiated a password reset, knowing that the link to do so would be sent to them. A "tug-of-war scenario" ensued, Unit 42 reported, triggering several more security alerts along the way until the matter was resolved.

Related:Azure Data Factory Bugs Expose Cloud Infrastructure

**Cyberattackers Broaden their Horizons to the Cloud**

The volume of compromised users and organizations in this campaign is unknown, though likely low. As Nathaniel Quist, senior threat researcher at Unit 42, points out, "since this operation equates to a double breach event, as the phishing email must be opened, then an additional operation of successfully requesting Azure credentials needed to occur. We suspect that an even smaller number of victims would have also provided the cloud credentials. For example, not every victim would also be using Azure infrastructure for their cloud operations."

What's clearer is what would have happened to those organizations that were breached. With account credentials and a point of persistence, the attackers would have embedded themselves deeper into enterprise cloud environments, "by either escalating their access to create, modify, or delete cloud resources by attaching more privileged \[identity and access management\] policies, or they would have moved laterally within the cloud environment toward storage containers that the victim IAM account may have had access to," Quist says.

Though at first glance it might appear a fairly standard phishing operation, Quist says, it also reflects something broader about cyberattack trends lately — a gradual move toward broader, more ambitious cloud attacks.

Related:Zerto Introduces Cloud Vault Solution for Enhanced Cyber Resilience Through MSPs

"From my view, we are starting to see a growing trend of phishing operations that are not establishing a malware-focused beachhead on the victim system, but instead are targeting the user's access credentials to either cloud platforms, like Azure in this case, or SaaS platforms," he says. "The victim endpoint is only the initial access into the larger cloud platform it is connected to."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Manufacturers Lose Azure Creds to HubSpot Phishing Attack

PRESS RELEASE

SAN FRANCISCO--(BUSINESS WIRE)--Wallarm, the leader in real-time blocking of API attacks, on Dec. 17 unveiled a comprehensive security research report based on data collected from the world's first globally distributed API honeypot network. The findings reveal critical insights into the growing threat landscape for APIs, showcasing their increasing vulnerability to rapid discovery and exploitation.

APIs have surpassed web applications as the primary targets of attackers, underscoring the urgency for businesses to implement robust API security measures. Organizations are plagued by uncontrolled API sprawl and lack of API governance, leading to significant breaches from exposed APIs. Wallarm’s study highlights several alarming trends that demand immediate attention from organizations deploying APIs.

Key Findings from the Report:

*   APIs Are the Prime Target: APIs now attract more attacks than traditional web applications.
    
*   Rapid Discovery: Newly deployed APIs are discovered by attackers in as little as 29 seconds.
    
*   Immediate Exploitation: Unprotected APIs are exploited within one minute of discovery.
    
*   High Velocity Data Theft: Attackers using batched API requests can exfiltrate millions of user records in seconds.
    
*   Targeting Well-Known Products: Recognizable and widely used API products face heightened targeting by attackers.
    

Related:Interpol: Can We Drop the Term 'Pig Butchering'?

Wallarm’s globally distributed honeypot, spanning 14 locations, captures data from diverse geographies and providers, revealing critical trends. The honeypot provides targeted responses to API requests across multiple protocols, including REST, XML-RPC, GraphQL, and others. Over half (54%) of observed request types were API-specific, demonstrating that APIs are the preferred vector for attackers. Among these, 40% of requests targeted known vulnerabilities (CVEs). While port 80 emerged as the most commonly discovered entry point, interactions were distributed across many ports, demonstrating that protecting only common ports is insufficient.

“This report sheds light on a rapidly evolving attack surface and represents a groundbreaking effort in API security research,” said Ivan Novikov, CEO and founder at Wallarm. “APIs are the foundation of modern applications, but their widespread deployment and inadequate protection make them an attractive target for attackers. We hope this research helps organizations invest in strong protection for their APIs.”

Wallarm’s full report offers actionable insights and recommendations to safeguard APIs. To access the full research report and learn more about securing your APIs, visit http://www.wallarm.com/resources/api-honeypot-report.

Related:Phishers Spoof Google Calendar Invites in Fast-Spreading, Global Campaign

Wallarm Releases API Honeypot Report Highlighting API Attack Trends

Working closely with CISOs, chief financial officers can become key players in protecting their organizations' critical assets and ensuring long-term financial stability.

Shai Gabay, Co-Founder & CEO, Trustmi

December 18, 2024

4 Min Read

Source: Dzmitry Skazau via Alamy Stock Photo

COMMENTARY

Cybersecurity has spurred many changes in the past five years, from the technology and tools needed to protect an organization from cyberattackers to the skill sets required by IT professionals. The consistent and ongoing ripple effect has also influenced organizational roles and responsibilities. Arguably, one of the most dramatic shifts has been the role of the chief financial officer (CFO).

Today's CFOs must be collaborative leaders, willing to embrace an expanding role that includes protecting critical assets and securing the bottom line. To do this, CFOs must work closely with chief information security officers (CISOs), due to the sophistication and financial impact of cyberattacks. Financial professionals understand data flows and financial processes, while security professionals know the latest cyber threats and best practices to combat those threats. Combining this expertise results in more informed technical investments, faster detection of anomalies, and stronger overall cybersecurity measures.

This enhanced approach is critical as we see payments and unsuspecting financial professionals increasingly become the targets of cyberattacks. Both are prime targets because of the volume of money and transactions they process, often manually leaving organizations even more vulnerable to phishing schemes that can go undetected for months. Collaboration between finance and security departments is crucial to threat detection, maintaining compliance, addressing third-party risks, and providing companywide cybersecurity education and training.

**The Impact of a Security Breach**

The increasing financial impact of a cyberattack alone mandates CFO involvement in cybersecurity matters. According to IBM's "Cost of a Data Breach Report 2024," the global average cost of a data breach reached $4.88 million in 2024, a 10% increase over last year. This substantial financial risk underscores why CFOs must now consider cybersecurity a primary concern for an organization's economic health.

CFOs are uniquely positioned to understand the potential financial devastation from cyber incidents. The costs associated with a breach extend beyond immediate financial losses, encompassing longer-term repercussions, such as reputational damage, legal liabilities, and regulatory fines. CFOs must measure and consider these potential financial impacts when participating in incident response planning.

**Compliance Requires Protection**

The regulatory landscape for CFOs has evolved significantly beyond Sarbanes-Oxley. The Securities and Exchange Commission's (SEC's) rules on cybersecurity risk management, strategy, governance, and incident disclosure have become a primary concern for CFOs and reflect the growing recognition of cybersecurity as a critical financial and operational risk.

The SEC's cybersecurity rules require public companies to disclose material cybersecurity incidents within four business days and provide periodic updates on their cybersecurity risk management, strategy, and governance. This places significant responsibilities on CFOs, who must ensure timely disclosure of cyber incidents and help to develop and implement risk management strategies. As a result, CFOs must work closely with CISOs, board members, and executives to establish effective cybersecurity governance and provide detailed reporting on the company's cybersecurity posture and incident response capabilities.

CFOs must also navigate other cybersecurity regulations, such as the General Data Protection Regulation (GDPR) in the European Union, the California Consumer Privacy Act (CCPA), and similar state-level regulations, and adhere to industry-specific regulations like the Health Insurance Portability and Accountability Act (HIPAA). These regulations carry significant financial penalties for noncompliance, further emphasizing the critical role CFOs play in managing cyber-risks. As a result, CFOs must now be well-versed in cybersecurity best practices, incident response protocols, and the evolving regulatory landscape to protect their organizations' financial interests and maintain compliance effectively.

**Collaboration and Allocation**

Adding to the complexity, the CFO is now a cross-functional collaborator who must work closely with IT, legal, and other departments to prioritize cyber initiatives and investments. They must also work with the CISO and chief information officer (CIO) to educate the CEO and the board on cybersecurity matters and communicate broadly, at times, with employees, customers, partners, and investors.

CFOs needs to consider the corporate strategy and broader business decisions as they help determine the company's approach and investment in cybersecurity tools and technologies. This level of decision-making requires CFOs to understand the cyber landscape, threats and trends, and viable investment strategies. This expanded role requires CFOs to help their organizations build resilience against cyber threats while ensuring that security measures are cost-effective and aligned with overall business strategy.

**How CFOs Can Succeed**

Working closely with CISOs, CFOs can become key players in protecting their organizations' critical assets and ensuring long-term financial stability. To succeed in this new landscape, CFOs must foster strong partnerships with CIOs and CISOs, develop a deep understanding of cybersecurity risks and technologies, and integrate cybersecurity considerations into all aspects of financial planning and risk management. Doing so can help organizations build resilience against cyber threats while supporting broader business objectives and growth strategies.

**About the Author**

Co-Founder & CEO, Trustmi

Shai Gabay is the co-founder and CEO of Trustmi, a leading end-to-end payment security platform founded in Israel in 2021. Before Trustmi, he was General Manager at Opera and Vice President of Product and Services at Cynet. He also served as the CIO at Cyberbit and the CISO at Discount Bank, among other roles in cybersecurity and risk management. Shai holds a bachelor’s degree in software engineering from Shenkar College and a master’s in business administration and management from Tel Aviv University. Additionally, Shai was selected for the prestigious full scholarship executive excellence program at the Hoffman Kofman Foundation, a program tailored to outstanding alumni of the Israeli Defense Force's Elite Units. Through this program, he studied with prominent co-founders and leaders at renowned global tech companies and professors at elite universities.

The Importance of Empowering CFOs Against Cyber Threats

The Russian-based attack group uses legitimate red-team tools, 200 domain names, and 34 back-end RDP servers, making it harder to identify and block malicious activity.

Source: Funtap via Shutterstock

An ongoing cyber-espionage campaign by Russia's Midnight Blizzard threat group may be much larger in scope than generally assumed, targeting international entities in government, armed forces, and academic institutions, Trend Micro said in recently released research.

At its peak in October, Trend Micro researchers observed Midnight Blizzard — which they track as Earth Koshchei — hitting as many as 200 entities a day with phishing emails containing a malicious Remote Desktop Protocol (RDP) file and red-team testing tools to take control of victim systems and steal data or plant malware on them. That volume is roughly what other groups with similar capabilities to — such as Pawn Storm — typically target over multiple weeks, Trend Micro said in a report this week.

In these attacks, intended victims received tailored spear-phishing emails containing a malicious or rogue RDP configuration file that, if used, would direct the victim's system to a remote attacker-controlled system. RDP configuration files simplify and automate remote access to enterprise systems by storing settings — such as a target computer's address and connection preferences — to enable remote desktop connections.

Trend Micro found the threat actor using the open source PyRDP tool as a sort of adversart-in-the-middle proxy to redirect connection requests from victim systems to attacker-controlled domains and servers. "The attack technique is called 'rogue RDP,' which involves an RDP relay, a rogue RDP server, and a malicious RDP configuration file," the researchers explained. "A victim of this technique would give partial control of their machine to the attacker, potentially leading to data leakage and malware installation."

**Careful Planning**

In August, Midnight Blizzard began setting up what would eventually be more than 200 domain names to direct victims to as part of the attack chain. Trend Micro also observed the attacker using 34 rogue RDP backend servers as part of its sprawling infrastructure.

The domain names that the threat actor used suggested government and military targets in the US, Europe, Japan, Australia, and Ukraine. Intended victims included ministries of foreign affairs, academic researchers, and military entities.  "The scale of the RDP campaign was huge," Trend Micro found.

Midnight Blizzard is a cyber-espionage group that the US government has identified as working for on or behalf of Russia's foreign intelligence service. The group is tied to numerous well known breach incidents, including ones at Microsoft, SolarWinds, HPE, and multiple US federal government agencies. Its campaigns typically involve sophisticated spear-phishing emails, stolen credentials, and supply chain attacks to gain initial access to target systems. It is also known to target vulnerabilities in widely used networking and collaboration tools from vendors such as Pulse Secure Citrix, Zimbra, and Fortinet.

The group has also has a penchant for using legitimate pen testing and red-team tools to evade detection by endpoint security controls. In the current campaign. Midnight Blizzard's use of legitimate tools like RDP and PyRDP has allowed the threat actor to operate largely under the radar on compromised networks. In addition, the threat actors often have a tendency to tap resident proxy services, Tor, and VPNs as anonymization layers while it operates in stealth on compromised networks.

"Notably no malware is installed on the victim's machines per se. Instead, a malicious configuration file with dangerous settings facilitates this attack, making it a stealthier living-off-the-land operation that is likely to evade detection," according to Trend Micro's report.

The security vendor wants organizations that don't block outbound RDP connection requests to begin doing so straight away. They also recommend blocking RDP configuration files in email.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Midnight Blizzard Taps Phishing Emails, Rogue RDP Nets

Hackers are abusing legitimate Windows utilities to target Thai law enforcement with a novel malware that is a mix of sophistication and amateurishness.

Source: CPA Media Pte Ltd via Alamy Stock Photo

Unknown hackers are targeting individuals associated with Thailand's government, using a new and unwieldy backdoor dubbed "Yokai," potentially named after a type of ghost found in the video game Phasmophobia, or after spirits in Japanese folklore.

Researchers from Netskope recently came across two shortcut (LNK) files disguised as .pdf and .docx files, unsubtly named as if they pertained to official US government business with Thailand. The attack chain tied to these fake documents cleverly used legitimate Windows binaries to deliver the previously unknown backdoor, which appears to be a hastily developed program designed to run shell commands. It carries a risk of unintended system crashes, the researchers noted.

**Ghost in the Machine: US-Themed Lures in Phishing Attack**

From Thai, the lure documents translate to "United States Department of Justice.pdf" and “Urgently, United States authorities ask for international cooperation in criminal matters.docx." Specifically, they made reference to Woravit "Kim" Mektrakarn, a former factory owner in California tied to the disappearance and suspected murder of an employee in 1996. Mektrakarn was never apprehended and is believed to have fled to Bangkok.

"The lures also suggest they are addressed to the Thai police," notes Nikhil Hegde, senior engineer for Netskope. "Considering the capabilities of the backdoor, we can speculate that the attacker's motive was to get access to the systems of the Thai police."

Related:Russian FSB Hackers Breach Pakistani APT Storm-0156

Like any other phishing attack, opening either of these documents would cause a victim to download malware. But the path from A to B wasn't so jejune as that might suggest.

**Abusing Legitimate Windows Utilities**

To begin their attack chain, the attackers made use of "esentutl," a legitimate Windows command line tool used to manage Extensible Storage Engine (ESE) databases. Specifically, they abused its ability to access and write to alternate data streams (ADS).

In Windows' New Technology File System (NTFS), files commonly contain more than just their primary content — their main "stream." An image or text document, for example, will also come packed with metadata — even hidden data — which won't be visible in the normal listing of the file, because it is not so pertinent to users. An unscrutinized channel for appending hidden data to a seemingly harmless file, however, is a luxury to a cyberattacker.

"ADS is often used by attackers to conceal malicious payloads within seemingly benign files," Hegde explains. "When data is hidden in an ADS, it does not alter the visible size or properties of the primary file. This allows attackers to evade basic file scanners that only inspect the primary stream of a file."

Related:Hamas Hackers Spy on Mideast Gov'ts, Disrupt Israel

Opening the shortcut files associated with this campaign would trigger a hidden process, during which Esentutl would be used to pull decoy government documents, and a malicious dropper, from two alternate data streams. The dropper would carry with it a legitimate copy of the iTop Data Recovery tool, used as a gateway for sideloading the Yokai backdoor.

**Inside the Yokai Backdoor Malware**

Upon entering a new system, Yokai checks in with its command-and-control (C2) base, arranges an encrypted channel for communication, then waits for its orders. It can run any ordinary shell commands in order to steal data, download additional malware, etc.

“There are some sophisticated elements in Yokai," Hegde says. For example, "Its C2 communications, when decrypted, are very structured." In other ways, though, it proves rough around the edges.

If run using administrator privileges, Yokai creates a second copy of itself, and its copy creates a third copy, ad infinitum. On the other hand, to prevent itself from running multiple times on the same machine, it checks for the presence of a mutex file — if the file exists, it terminates itself, and if it doesn't, it creates it. This check occurs after the self-replication step, however, only after the malware has begun spawning out of control. "This leads to repetitive, rapid duplicate executions that immediately terminate upon finding the mutex. This behavior would be clearly visible to an EDR, diminishing the stealth aspect of the backdoor," Hegde says.

Related:China's Elite Cyber Corps Hone Skills on Virtual Battlefields

Even a regular user might notice the strange effects to their machine. "The rapid spawning creates a noticeable slowdown. If the system is already under heavy load, process creation and execution might already be slower due to resource contention, further exacerbating the system's performance issues," he says.

In all, Hegde adds, "This juxtaposition of sophistication and amateurism stands out the most to me, almost as if two different individuals were involved in its development. Given the version strings found in the backdoor and its variants, it is likely still being continuously developed."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Thai Police Systems Under Fire From 'Yokai' Backdoor

The cyberattack impacts at least 1.4 million patients, as tranches of highly sensitive personal, medical, and financial data fall into the hands of cyber crooks who have everything they need to carry out convincing social engineering and fraud attacks.

Source: Kirby Lee via Alamy Stock Photo

NEWS BRIEF

Texas Tech University's Health Sciences Centers (HSCs) in Lubbock and El Paso are the latest victims of a disruptive cyberattack. The incident impacted the data of 1.4 million patients, exposing a treasure trove of valuable information that could be used for convincing follow-up social engineering attacks, identity theft, and more.

The attackers had access to the university's medical environments between Sept. 17 and 29, during which time they made off with "certain files and folders from the HSCs' network," according to a website notice.

**Cyberattackers Steal Reams of Sensitive Patient Data**

The folders contained patient names, dates of birth, Social Security numbers, driver's license numbers, financial data, medical information, billing and insurance data, medical records numbers, and more.

"The health and social-care sector has always been a popular target for cybercriminals," Brian Higgins, security specialist at Comparitech, said via email. "The combination of plentiful data points along with the often very sensitive nature of some of the information serves not only to add increased pressure on breached organizations to settle any ransom demands, but also to render individual client-side victims more susceptible to follow-up attacks seeking password or logon access and other personal information."

Related:Microsoft Teams Vishing Spreads DarkGate RAT

In October, a ransomware group called Interlock claimed to be behind the hack, saying that it stole 3.2 terabytes of data from the Red Raiders.

"The group posted images of what it says are stolen documents on its leak site," Paul Bischoff, consumer privacy advocate at Comparitech, said via email. "TTHUSC hasn't verified that claim, but no other groups have claimed responsibility at this time. Interlock is a new ransomware gang that first started adding targets to its leak site in October. This was one of the biggest medical data breaches of 2024."

**Texas Tech's Block & Tackle Incident Response**

For its part, the school is offering somewhat boilerplate information: "The HSCs are in the process of notifying individuals whose information may be involved in this incident," according to the notice, which added that free credit monitoring is available. "To help prevent a recurrence, the HSCs are reviewing existing security policies and procedures as part of the investigation and are implementing additional safeguards to enhance system protection and monitoring."

It also noted that affected individuals should monitor their credit reports and bank accounts for evidence of identity theft and fraud, review account statements, and scrutinize health care and health insurance billing statements for suspicious activity or errors.

Related:'Dubai Police' Lures Anchor Wave of UAE Mobile Attacks

"One can only hope that Texas Tech will offer a decent level of security mitigation measures … to try to alleviate what is an incredibly stressful situation for all involved," Higgins noted. "It's reasonable, after so many documented attacks, that users should expect high-risk sectors to harden, but that doesn't seem to be happening with the force and frequency necessary to combat the threat."

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Source

DARKReading