As the threat landscape increases, public cloud security needs to evolve.

Multicloud services have become the norm rather than the exception as organizations shift to accommodate increasingly dynamic workloads. IDC has predicted that by the end of 2022, more than 90% of enterprises worldwide will rely on a mix of on-premises, dedicated private clouds, multiple public clouds, and legacy platforms to meet their infrastructure needs. As these changes continue to take root, the threat landscape has increased, and security approaches developed for the public cloud also need to evolve.

This is particularly true for government agencies. Cloud infrastructure delivers benefits including agility, mobility, cost control, and performance, but government agencies manage significant volumes of sensitive information. The stakes are higher when they move to the cloud and network traffic patterns change. As the Internet now serves as the network, firewalls, virtual private networks (VPNs), and the concept of perimeter security is obsolete. This dynamic requires a new security model, one that leverages the power and scale of the cloud.

**New Challenges**

Multicloud models enable new services for citizens and improve efficiency across the federal government; however, they also introduce new security challenges, including:

*   **Understanding and prioritizing cloud risk:** Gartner predicts that by 2025, 99% of cloud security incidents will be an enterprise's own fault, as cloud processes are managed by well-intentioned employees with little knowledge of secure cloud configuration or understanding of highly dynamic cloud environments.
*   **Applying security policies across multicloud environments:** Agencies must ensure security across infrastructure, applications, and data in multiple clouds. But managing a multicloud architecture is extremely complex, as cloud providers can be very different in terms of access and resource management.
*   **Gaining workload visibility and understanding risk exposure:** The whirlwind pace of cloud adoption creates new opportunities for threats as the attack surface expands. Security teams may find it difficult to keep pace with agile development methodologies and, in the process, lose visibility into infrastructure and risk.
*   **Ensuring misconfiguration does not expose private services or data:** Continuous development, testing, and deployment improves efficiency, but can also allow misconfigurations to slip through the cracks and introduce security vulnerabilities.
*   **Achieving workload segmentation:** IP-based network segments are typically configured to be open whether they need to be or not, which increases the attack surface. Workload segmentation, on the other hand, uses machine learning and cryptographic identity to segment application workloads and automatically update security policies.
*   **Routing traffic among multicloud environments:** Multiple environments can mean fragmented security solutions across the various cloud and data center environments. Fragmented security creates points of weakness that can make agencies vulnerable to attack.

The federal community is working to improve multicloud security. The National Institute of Standards and Technology's (NIST) Multi-Cloud Security Public Working Group explores best practices for securing complex cloud solutions involving multiple service providers and clouds. NIST has recreated a resource hub that includes free assessment tools (many developed by industry partners) to help agencies understand their cyber-risks. And, the General Service Administration Data Center and Cloud Optimization Initiative's Program Management Office has released a Multi-Cloud and Hybrid Cloud Guide for agencies migrating and deploying various cloud services.

**Multicloud Best Practices**

You can reduce multicloud security risks with best practices including:  

*   **Implement zero trust:** Protecting government data in a cloud-based, mobile-enabled world demands a “trust nothing, inspect everything” approach as mandated by the May 2021 cybersecurity executive order. A recent survey of federal cybersecurity decision-makers found that 82% agree allocating staff and budget to zero trust is vital to national security.
*   **Securely connect** **users, devices, and workloads using business policies over any network:** A cloud-delivered approach to providing fast, seamless, and policy-based access to external and internal applications can ensure employees work securely and productively from anywhere.
*   **Reduce risk of lateral threat movement**: Identity-based workload protection prevents lateral movement of malware and ransomware across servers, cloud workloads, and desktops.
*   **Simplify cloud communications:** Once lateral threat movement has been reduced, the next step is to secure workload communications to the Internet, other clouds, and data centers. Agencies need zero-trust connectivity across multicloud and hybrid cloud infrastructure, securing workload-to-Internet, workload-to-workload, and workload-to-data-center communications without the need for hubs, virtual firewalls, VPNs, or network-based policies.

Although implementing multicloud security can be a heavy lift for the government, agencies are making progress. The Technology Modernization Fund has invested in a total of 29 projects to secure and modernize IT across 17 federal agencies. And 91% of federal cybersecurity decision-makers believe the 2021 cybersecurity executive order has made US data and critical infrastructure safer.

To keep on this trajectory, government agencies need to apply lessons learned from each other, while also utilizing the expertise industry can offer.

Evolving Security for Government Multiclouds

Only 30% of respondents from other industries are as concerned about the risks associated with their IT staff.

**FRISCO, Texas, Nov. 15, 2022 /PRNewswire/ —** Netwrix, a cybersecurity vendor that makes data security easy, today announced additional findings for the financial and banking sector from its global 2022 Cloud Security Report.

Compared to other industries surveyed, financial institutions are much more concerned about users who have legitimate access to their cloud infrastructure. Indeed, 44% of respondents in this sector say their own IT staff poses the biggest risk to data security in the cloud and 47% worry about contractors and partners, compared to 30% and 36% respectively in other verticals surveyed.

"Financial organizations experience accidental data leakage more often than companies in other verticals: 32% of them reported this type of security incident within the last 12 months, compared to the average of 25%. This is a good reason for them to be concerned about users who might unintentionally expose sensitive information. To address this threat, organizations need to implement a zero-standing privilege approach in which elevated access rights are granted only when they are needed and only for as long as needed," comments Dirk Schrader, VP of Security Research at Netwrix. "Cloud misconfigurations are another common reason for accidental data leakage. Therefore, security teams must continually monitor the integrity of their cloud configurations, ideally with a dedicated solution that automates the process."

All sectors say phishing is the most common type of attack they experience. However, 91% of financial institutions say they can spot phishing within minutes or hours, compared to 82% of respondents in other verticals.

"Even though financial organizations detect phishing quickly, it is still crucial for them to keep educating their personnel on this threat because attacks are becoming more sophisticated," adds Schrader. "To increase the likelihood of a user clicking a malicious link, attackers are crafting custom spear phishing messages that are directed at the person responsible for a certain task in the organization and that appear to come from an authority figure. Regular staff training, along with continuous activity monitoring, will help reduce the risk of infiltration".

**About Netwrix**

Netwrix makes data security easy, thereby simplifying how professionals can control sensitive, regulated and business-critical data, regardless of where it resides. More than 11,500 organizations worldwide rely on Netwrix solutions to secure sensitive data, realize the full business value of enterprise content, pass compliance audits with less effort and expense, and increase the productivity of IT teams and knowledge workers.

Founded in 2006, Netwrix has earned more than 150 industry awards and been named to both the Inc. 5000 and Deloitte Technology Fast 500 lists of the fastest growing companies in the U.S.

For more information, visit www.netwrix.com.

44% of Financial Institutions Believe Their Own IT Teams Are the Main Risk to Cloud Security

**TEL AVIV, Israel, Nov. 15, 2022 /PRNewswire/ —** Cloud Identity and Access Security provider Authomize today announced the launch of its Identity Threat Detection and Response (ITDR) Platform, enabling customers to eliminate identity threats across all their cloud environments.

ITDR is the new category defined by Gartner for closing the security gap between Identity and Access Management (IAM) and infrastructure security controls, enabling them to protect against insider threats, account takeovers, privilege escalation, lateral movement, and other dangers to their identity and access layer.

It recognizes that just as every infrastructure surface, whether it be endpoint, network, or cloud requires a protective layer to monitor and secure it from exploitation, identity is the new perimeter and it needs security in the face of increased attacks seen over the past few years.

"From SolarWinds to Colonial Pipeline to Uber, adversaries are stepping up their focus on identities and the IAM infrastructure tools we use to manage those identities' associated access as their path to a successful breach," says Authomize's CEO and Co-founder Dotan Bar Noy. "With the launch of Authomize's ITDR Platform, we will give our customers the single point of visibility and control they need to reduce risk of an identity-based breach, detect active threats targeting the identity layer, and enable faster, more efficient responses through automation with security operations."

ITDR platform builds on Authomize's expansive Cloud Infrastructure Entitlement Management (CIEM) solutions that give it the deep, cross cloud visibility across IaaS, SaaS, and other cloud environments for the fullest spectrum of coverage over customers' identities, assets, access privileges, and activities. Their Machine Learning-driven Smart Groups engine connects to all of the environments, collecting, normalizing, and analyzing the data to create a comprehensive picture of access to the organization's cloud that is used for providing actionable recommendations for mitigating risk.

This unparalleled visibility answers the question of who has access to what, and how they are using their privileges, allowing the organization to take effective action in securing it.

"Organizations depend on valuable IAM infrastructure to help them manage their declared access, but are left blind to the state of their actual de facto access as it exists in their cloud environments," says Authomize's CTO and Co-founder Gal Diskin. "Only with Authomize can they fully understand and take control of their identity layer, proactively protecting their IAM infrastructure from malicious manipulation."

Authomize's ITDR Platform enables organizations to:

*   Harden security posture by reducing threat surface risks like stale access, over-privilege, cloud and IAM misconfigurations, and privilege escalation paths that can all lead to potential exploitation, helping them to achieve continuous Least Privilege
*   Detect active threats like creation of new admins, user impersonation, and malicious activity
*   Accelerate investigations and responses with clear visibility over identities' access in an easy to digest Access Explorer graph, along with webhooks and integrations with SIEMS, SOARs, ITSMS, and XDRs for more efficient remediation with security operations

As part of the launch of the new ITDR capabilities available on the platform, Authomize is now offering a free assessment report for interested organizations to uncover potential risks, misconfigurations, and threats to their IAM infrastructure. No agents or commitments are required to benefit from the FREE assessment.

For more information on the FREE Assessment, use the link provided here.

Authomize Launches Identity Threat Detection and Response Platform to Protect Against Identity-Based Attacks

API discovery and threat-monitoring solution tokenizes API data at its source for secure behavioral analytics, storage, compliance, and investigations.

**PALO ALTO, Calif., Nov. 15, 2022 /PRNewswire/ —** Neosec, the pioneer in discovering and identifying API threats using behavioral analytics, today announced that it now tokenizes API activity data to enable organizations to fully see and store API data, removing the possibility of keeping sensitive data at-rest.

Today, many organizations are blind to the threats lurking within their API traffic. Even worse, organizations are forced to implement basic logging of its API traffic that doesn't contain the meaningful information about who accessed, what records were accessed or manipulated and how. There exists a justified fear of logging sensitive data or being out of compliance, and with the lack of technology that can perform it at scale, they prefer to log with low fidelity. Those logs tell you that "somebody modified or accessed a record" but typically don't disclose who accessed it, which record, or what action was performed.

This decision also results in a downstream issue of "insufficient logging", which is noted by the Open Web Application Security Project as one of the top security problems in its 2021 OWASP API Top 10. "Insufficient logging" is poor for incident forensics and, in practice, means that you can't detect abuse or investigate a case, even if you know it happened.

Tokenization is the process of substituting a sensitive data element, like a credit card number, for a non-sensitive equivalent that has no intrinsic or exploitable value or meaning. Neosec's automated tokenization is part of its 'privacy by design' philosophy and is already deployed successfully at customers around the world in financial services, insurance and hospitality companies among others.

The process allows retaining tokenized API activity data for the purposes of performing true behavioral analytics over time, ensures that sensitive data is never stored at rest, and enables only the customer to de-tokenize, based on the strictest data privacy practices.

"Solving API security starts with basic visibility and the ability to see how the APIs are used. The problem is that virtually every company logs API activity with low fidelity that doesn't enable this basic visibility" said Giora Engel, co-founder and chief executive officer, Neosec. "In order to perform true behavioral analytics and investigate cases you must store and examine historical data. But if this analysis is performed on un-tokenized data you risk storing PII and creating compliance issues. Neosec successfully retains all API activity data, in the highest fidelity, and ensures it meets data privacy standards."

This focus on data and the visibility it brings is what previously defined the creation of the EDR (Endpoint Detection & Response) security space. "Trying to implement API security without enabling basic visibility of activity is like going back to the antivirus age before the advent of EDR. Visibility into API activity allows you to detect threats, understand behavior, investigate and remediate" said Engel.

The Neosec API security solution discovers and maintains an up-to-date inventory of all APIs in use by an organization and then uses machine learning and behavioral analytics on tokenized data to find fraud and abuse by third parties and attackers. Neosec also enables proactive API threat hunting and investigations without storing any sensitive data.

The automated API data tokenization is now a capability of the Neosec platform and is fully available. There is no extra cost for use of this unique capability.

For more information about the Neosec platform or the use of tokenization:

*   Read more: Can behavioral analytics help secure APIs?
*   Read more: What does XDR have to do with API security?
*   Free Trial: Request a trial of the Neosec platform

**About Neosec**

Neosec is re-inventing application security with a powerful platform that unifies security and development teams to protect modern applications from threats. The foundation of the SaaS platform is built on data and analytics to manage security at scale. Neosec prevents threats from abusing the complex network of APIs that connect today's businesses. The platform helps organizations discover every API and audit risk. Neosec has pioneered the use of behavioral analytics to understand normal versus abnormal API usage and delivers powerful threat hunting capabilities together with a team of expert threat hunters. Neosec prevents threats and stops abuse hiding within APIs and brings new intelligence to application security. Neosec is based in Palo Alto, California with R&D in Tel Aviv, Israel. To learn more, visit Neosec.com.

Neosec Introduces Automated Tokenization to Enable Full API Visibility Without Exposure of Sensitive Data

Extends cyber asset attack surface management solution to multi-cloud environments,

**SAN JOSE, Calif., Nov. 15, 2022 /PRNewswire/ —** Balbix, provider of the world's leading platform for cybersecurity posture automation, announced today the general availability of support for Google Cloud Platform (GCP). Security teams can now use Balbix to easily quantify, prioritize and mitigate risks in their Google Cloud environments. With this announcement, Balbix has also extended its Cyber Asset Attack Surface Management (CAASM) solution to support multi-cloud environments that span both GCP and Amazon Web Services.

The rapid move to the cloud has made IT environments more complex to manage and secure. As a result, security teams struggle to get a consolidated view of risk. Yet, 63 percent of organizations say they look at security posture in the cloud separately from on-premises, according to Cybersecurity Insiders' 2002 State of Security Posture Report.

"Our customers' environments can include over 1 million assets, spread across multiple clouds and their own facilities. Managing an attack surface this large is no longer a human-scale problem," said Gaurav Banga, Founder and CEO of Balbix. "With Balbix's new support for GCP, our customers can use automation to manage cybersecurity posture across more of their environment."

**Cyber Security Posture Automation for Google Cloud Platform  
**Balbix now provides support for popular Google Cloud services, including Compute Engine, Cloud Storage, Cloud SQL, Google Kubernetes Engine (GKE) Cluster & Deployments, Cloud Functions, Cloud Key Management Service (KMS), Pub/Sub and Secret Manager. As a result, Balbix customers with Google Cloud environments can use automation and advanced analytics to:

*   Get comprehensive, near real-time visibility of their Google Cloud assets.
*   Combine data from Google Cloud with their other IT and security tools to gain security and business context for their assets.
*   Discover misconfigurations – the most exploited attack vector for the cloud – as well as unpatched software vulnerabilities, weak credentials and trust issues.
*   Measure risk in terms of breach likelihood and business impact in order to prioritize remediation.
*   Calculate and report on cyber risk quantified in dollars (or other currencies) instead of risk scores

**Cyber Asset Attack Surface Management for Multi-Cloud Environments  
**The addition of support for GCP extends Balbix's CAASM solution to multi-cloud environments. Security practitioners no longer need to use multiple tools or combine data manually from these tools in a custom spreadsheet to understand their security posture. They can see the relationships between assets, applications and users no matter where the assets are in the cloud or on-premises. They can also identify any gaps in coverage for security controls.

Balbix provides more than just visibility. Unlike other vendors, Balbix combines CAASM with Risk-Based Vulnerability Management (RBVM) and Cyber Risk Qualification (CRQ) solutions so security teams are able to immediately take action to reduce their cyber risk. They can continuously identify, prioritize and mitigate security issues as they emerge, while quantifying and tracking residual cyber risk in dollars. Daily cybersecurity decisions – operational as well as executive – can be made using a unified and up-to-date view of cyber risk.

"By adding support for Google Cloud, Balbix has broadened its risk model to be inclusive of multiple public cloud platforms and allowed organizations to better measure their overall cyber risk," said Ed Amoroso, Founder and CEO of research and advisory firm TAG Cyber. "Customers can leverage this unified risk model to quantify cyber risk by business unit, geography, site, asset type or business owner – and quickly remediate those risks."

The API-based Balbix Connector for Google Cloud Platform collects asset inventory and misconfiguration data and is available now. Visibility into other types of vulnerabilities is provided by optional Balbix sensors. These sensors also catalog the software bill of materials (SBOM) of applications running in GCP. Data collected by Balbix connectors and sensors is automatically deduplicated, correlated and inferenced to provide security teams with an accurate and unified view of risk.

To learn more about Balbix and its CAASM solution, visit https://www.balbix.com.

**About Balbix  
**Balbix enables businesses to reduce cyber risk by identifying and mitigating their riskiest cybersecurity issues faster. Our SaaS platform, the Balbix Security Cloud™, ingests data from businesses' security and IT tools so they can understand every aspect of their cybersecurity posture, build a unified cyber risk model and obtain actionable insights for risk reduction. With Balbix, businesses can automate inventory of their cloud and on-premise assets, conduct continuous risk-based vulnerability management and quantify cyber risk in dollars. Executives and operational teams can make cybersecurity decisions based on data not opinions.

A rapidly growing set of Fortune 500 companies trust Balbix as the "brain" of their infosec programs and are realizing the benefits of maximally automated workflows and reduced cyber risk. Balbix was recognized in CNBC's 2022 list of Top 25 Startups for the Enterprise and ranked #32 on the 2021 Deloitte Fast 500 North America.

Balbix Announces Cybersecurity Posture Automation Support for Google Cloud Platform

**SAN FRANCISCO, Nov. 15, 2022 /PRNewswire/ —** Bugcrowd, the leader in crowdsourced cybersecurity, today announced that CREST, the gold standard for quality assurance accreditation in the cybersecurity industry, has named the company as a CREST Accredited provider for penetration testing. The certification acknowledges that Bugcrowd meets the CREST standards for:

*   Company operating procedures and standards
*   Testing by trusted, reliable, qualified pentesters
*   Ethical and effective testing procedures
*   Protecting customer data

"CREST accreditation is widely considered a proof point for thorough, effective, reliable penetration testing, especially in regulated industries like Financial Services and Public Sector," said Casey Ellis, Founder, Chairperson and CTO, Bugcrowd. "We're proud to have earned this distinction for Bugcrowd Penetration Testing."

"We are pleased to welcome Bugcrowd as a CREST member company," said Rowland Johnson, president of CREST. "Bugcrowd's accreditation for providing penetration testing in the UK gives its customers added reassurance that its services meet the very highest standards because CREST accreditation requires rigorous assessment of business processes, data security and testing methodologies. This puts Bugcrowd in a strong position, along with other CREST members, to take advantage of the growing demand for high quality penetration testing services."

**About CREST**

CREST is an international not-for-profit accreditation and certification body that represents and supports the technical information security market. CREST provides internationally recognised accreditations for organisations and professional level certifications for individuals providing vulnerability assessment, penetration testing, cyber incident response, threat intelligence services and Security Operations Centre (SOC) services. All CREST member companies undergo regular and stringent assessment; while CREST-qualified individuals have to pass rigorous examinations to demonstrate knowledge, skill and competence. CREST is governed by elected Councils of experienced security professionals who also promote, develop and support awareness, ethics and standards within the cyber security marketplace.

**About Bugcrowd**

Today's organizations demand a proactive approach to cybersecurity that uncovers hidden vulnerabilities in the attack surface, before malicious hackers find them. Bugcrowd offers the only multi-solution platform for crowdsourced security that orchestrates data, technology, and human intelligence to find risks that other approaches commonly miss. With that unique approach, the Bugcrowd Security Knowledge Platform™ enables businesses to do everything proactively possible to protect their organization, reputation, and customers from being blind-sided by cyberattacks through Bug Bounty, Vulnerability Disclosure Programs, Penetration Testing, and Attack Surface Management. Based in San Francisco, Bugcrowd is backed by Blackbird Ventures, Costanoa Ventures, Industry Ventures, Paladin Capital Group, Rally Ventures, Salesforce Ventures and Triangle Peak Partners. Learn more at www.bugcrowd.com.

Bugcrowd Earns CREST Accreditation for Pen Testing

Automating security for OT infrastructure can help organizations combat a rising volume of cyber threats in an era when security professionals are in short supply.

Security teams are tasked with the challenge of processing large amounts of operational technology (OT) and IT security telemetry. To make this easier, Swimlane announced a low-code security automation platform to create a centralized system of record and control point.

The platform integrates with other OT security providers, including Nozomi Networks, Dataminr and 1898 & Co, Swimlane says. This allows OT security teams to unify threat detection and response by providing access to intelligence and telemetry from both the OT and IT environments.

"This cyber-physical threat response saves organizations crucial minutes when connecting with staff members who might be affected by a natural disaster, accident, or social unrest, or other types of physical risk," explains Cody Cornell, co-founder and chief strategy officer of Swimlane. 

For example, integrating automation with Nozomi Networks will allow industrial and critical infrastructure security operations teams to maintain continuous asset compliance and mitigate the risks of attacks from combined OT and IT entry points. The Dataminr integration provides automated processes to mitigate physical risks and warn at-risk employees as soon as possible to ensure their safety. And the integration with 1898 & Co allows industrial and critical infrastructure entities to add managed threat detection services that are specifically designed to address OT-specific challenges, Cornell says. That includes detecting both OT and IT-born threats, machine-speed threat validation and scoring, and rapid remediation of threats using OT response methods.

**Turning to Automation as Threats Pile Up**

"Cyber threats have increased in frequency and severity, which will only worsen with time," Cornell notes. "SecOps teams in industrial organizations are regular targets for cyberattacks due to the importance of their systems and infrastructure."

With the limited resources at their disposal, security teams working in organizations that rely on OT struggle to keep up with new threats. The industrial cybersecurity sector has also been attempting to address the OT security skills gap over the past few years.

"The need for security professionals to understand and safeguard cybersecurity and deal with the issues posed by antiquated and unsupported legacy processes and control systems makes the talent shortage in the OT security sector particularly more severe," Cornell adds.

The combination of factors - a cybersecurity skills shortage in OT and an overwhelming amount of OT and IT data and telemetry to analyze - creates a situation that could benefit from automation. In the OT sector, automation could play a critical role in defending against rising cyber threats in a more effective and efficient manner.

Automation has become a must-have technology for security operations: The US Executive Order on Improving the Nation's Cybersecurity from May 2021 highlighted multiple areas where automation should be adopted to manage the ever-increasing volume of threats and talent shortage.

**Going Low-Code to Transcend SOAR**

Legacy security orchestration, automation, and response (SOAR) products have earned a reputation of being rigid and unapproachable for the average security professional, Cornell notes. With security automation at the center, organizations could maximize the productivity of their existing security investments and staff while gaining greater visibility into critical assets, accelerating their response to incidents targeting their critical infrastructure, and improving overall team efficiency.

"Traditionally, OT systems were completely segregated from internet-facing technology," Cornell says.

However, as critical infrastructure operators increasingly seek to carry out digital transformation initiatives, these systems are being modernized and connected to IT systems. The result is an expanded attack surface as previously isolated OT systems, once relatively immune to cyberattacks, are now internet-accessible and high-value targets for threat actors.

"Mission success depends on secure operations, but IT, OT, and IoT assets all have different characteristics, communications, behaviors -- and unique security challenges," Cornell says. "We created this ecosystem to help critical infrastructure operators take defense up a notch and reduce cyber risk with a proactive approach designed to secure their complex ecosystem of IT, OT, and IoT assets."

**Vendors Stepping up Automation Offerings**

Swimlane isn't the only company using automation to ease security pain points while managing security telemetry. Security operations platform ThreatQuotient recently released ThreatQ TDR Orchestrator, which is designed to address industry needs for simpler implementation and more efficient operations.

In June, Snowflake released a tool to help underpin cybersecurity capabilities including SIEM, compliance automation, and vulnerability management. The workload offers customers access to cybersecurity capabilities including SOAR, compliance automation, and vulnerability management through connected applications that run on top of their existing Snowflake environments.

Earlier in the year, Sophos acquired SOC.OS, a spinoff company of BAE Systems Digital Intelligence with a software-as-a-service (SaaS) solution for automating the monitoring and triaging the growing volume of data and alerts across organizations.

Swimlane Introduces Low-Code, Automation Approach to OT Security

BatLoader has spread rapidly to roost in systems globally, tailoring payloads to its victims.

A dangerous new malware loader with features for determining whether it's on a business system or a personal computer has begun rapidly infecting systems worldwide over the past few months.

Researchers at VMware Carbon Black are tracking the threat, dubbed BatLoader, and say its operators are using the dropper to distribute a variety of malware tools including a banking Trojan, an information stealer, and the Cobalt Strike post-exploit toolkit on victim systems. The threat actor's tactic has been to host the malware on compromised websites and lure users to those sites using search engine optimization (SEO) poisoning methods.

**Living Off the Land**

BatLoader relies heavily on batch and PowerShell scripts to gain an initial foothold on a victim machine and to download other malware onto it. This has made the campaign hard to detect and block, especially in the early stages, analysts from VMware Carbon Black's managed detection and response (MDR) team said in a report released on Nov. 14.

VMware said its Carbon Black MDR team had observed 43 successful infections in the last 90 days, in addition to numerous other unsuccessful attempts where a victim downloaded the initial infection file but did not execute it. Nine of the victims were organizations in the business services sector, seven were financial services companies, and five were in manufacturing. Other victims included organizations in the education, retail, IT, and healthcare sectors.

On Nov. 9, eSentire said its threat-hunting team had observed BatLoader's operator luring victims to websites masquerading as download pages for popular business software such as LogMeIn, Zoom, TeamViewer, and AnyDesk. The threat actor distributed links to these websites via ads that showed up prominently in search engine results when users searched for any of these software products.

The security vendor said that in one late October incident, an eSentire customer arrived at a fake LogMeIn download page and downloaded a Windows installer that, among other things, profiles the system and uses the information to retrieve a second-stage payload.

"What makes BatLoader interesting is that it has logic built into it that determines if the victim computer is a personal computer or a corporate computer," says Keegan Keplinger, research and reporting lead with eSentire’s TRU research team. "It then drops the type of malware appropriate for the situation."

**Selective Payload Delivery**

For example, if BatLoader hits a personal computer, it downloads Ursnif banking malware and the Vidar information stealer. If it hits a domain-joined or corporate computer, it downloads Cobalt Strike and the Syncro remote monitoring and management tool, in addition to the banking Trojan and information stealer.

"If BatLoader lands on a personal computer, it will proceed with fraud, infostealing, and banking-based payloads like Ursnif," Keegan says. "If BatLoader detects that it's in an organizational environment, it will proceed with intrusion tools like Cobalt Strike and Syncro."

Keegan says eSentire has observed "a lot" of recent cyberattacks involving BatLoader. Most of the attacks are opportunistic and hit anyone looking for trusted and popular free software tools. 

"To get in front of organizations, BatLoader leverages poisoned ads so that when employees look for trusted free software, like LogMeIn and Zoom, they instead land on sites controlled by attackers, delivering BatLoader."

**Overlaps With Conti, ZLoader**

VMware Carbon Black said that while there are several aspects of the BatLoader campaign that are unique, there are also several attributes of the attack chain that have a resemblance with the Conti ransomware operation. 

The overlaps include an IP address that the Conti group used in a campaign leveraging the Log4j vulnerability, and the use of a remote management tool called Atera that Conti has used in previous operations. 

In addition to the similarities with Conti, BatLoader also has several overlaps with Zloader, a banking Trojan that appears derived from the Zeus banking Trojan of the early 2000s, the security vendor said. The biggest similarities there include the use of SEO poisoning to lure victims to malware-laden websites, the use of Windows Installer for establishing an initial foothold and the use of PowerShell, batch scripts, and other native OS binaries during the attack chain.

Mandiant was the first to report on BatLoader. In a blog post in February, the security vendor reported observing a threat actor using "free productivity apps installation" and "free software development tools installation" themes as SEO keywords to lure users to download sites. 

"This initial BatLoader compromise was the beginning of a multi-stage infection chain that provides the attackers with a foothold inside the target organization," Mandiant said. The attackers used every stage to set up the next phase of the attack chain using tools such as PowerShell, Msiexec.exe, and Mshta.exe to evade detection.

Researchers Sound Alarm on Dangerous BatLoader Malware Dropper

An international counter-ransomware task force has been announced by Australian authorities following the recent Optus and Medibank data breaches.

Australian authorities have announced a new offensive against cybercrime, standing up a a joint operation between the Australian Federal Police and the Australian Signals Directorate to disrupt cybercriminal operations. 

The move comes after two headline-making breaches against Australian companies Optus and Medibank. The task force will collect information about cyber threats and identify targets with the potential to inflict harm on Australian national interests, according to the announcement about the new offensive cybercrime strategy. 

"This operation will collect intelligence and identify ring-leaders, networks and infrastructure in order to disrupt and stop their operations — regardless of where they are," a statement from the Australian Attorney General explained about the new ransomware task force. "It sends an important message to criminals and hackers intending to do harm — Australia will fight back."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Australia Declares War on Cybercrime Syndicates

Attackers are targeting Zimbra systems in the public and private sectors, looking to exploit multiple vulnerabilities, CISA says.

Security teams running unpatched, Internet-connected Zimbra Collaboration Suites (ZCS) should just go ahead and assume compromise, and take immediate detection and response action.

That's according to a new alert issued by the Cybersecurity and Infrastructure Security Agency, which flagged active Zimbra exploits for CVE-2022-24682, CVE-2022-27924, CVE-2022-27925, which are being chained with CVE-2022-37042, and CVE-2022-30333. The attacks lead to remote code execution and access to the Zimbra platform.

The result could be quite risky when it comes to shielding sensitive information and preventing email-based follow-on threats: ZCS is a suite of business communications services that includes an email server and a Web client for accessing messages via the cloud.

CISA, along with the Multi-State Information Sharing and Analysis Center (MS-ISAC), provided detection details and indicators of compromise (IoCs) to help security teams.

"Cyber-threat actors may be targeting unpatched ZCS instances in both government and private sector networks," according to a Zimbra advisory.

CISA and the MS-ISAC strongly urged users and administrators to apply the guidance in the Recommendations section of this Cybersecurity Advisory to help secure their organization's systems against malicious cyberactivity.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading