Fourteen states, including Arizona, Iowa, and Pennsylvania, have called in the Guard to help with election network risk assessments and threat mitigation.

The National Guard has offered its 38 cyber units and 2,200 personnel to state and local election officials in an effort to help shore up cybersecurity during the 2022 US midterm elections.

Politico reported that during the midterm elections, the National Guard will have a Joint Cyber Mission Center staffed with personnel from the National Guard, Cybersecurity and Infrastructure Agency (CISA), and Department of Homeland Security to help coordinate detection and response efforts and thwart cyber threats to the election.

"We will surge during the election to ensure that we have 24 hour coverage throughout this whole process," Maj. Gen. Todd Hunt, adjutant general of the North Carolina National Guard, told Politico. "We are citizen soldiers, we live in this state, and we do have a vested interest in our state elections as well as our federal elections."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

National Guard Cyber Forces 'Surging' to Help States Protect Midterm Elections

One attack used 400 mule accounts to steal money by making fraudulent withdrawals, researchers say.

At least 16 African banks, financial services, and telecommunication companies have been identified as victims of the French-speaking threat group OPERA1ER, which has stolen at least $11 million since 2018. 

A new report from Group-IB explains it has been tracking OPERA1ER's activities since 2019; however, they waited to publish its findings until the group resurfaced after a 2021 break. Now the gang is back in action, the analysts explain, allowing Group-IB to document their OPERA1ER TTPs from 2019 through 2021, as well as the latest iteration in 2022. 

The researchers reported OPERA1ER has successfully breached the targets' systems at least 30 times since 2018. As an example of the group's sophistication and coordination, the report added, one of the of the group's attacks used more than 400 mule accounts to make fraudulent money withdrawals.

The group doesn't use exotic malware, in fact, the researchers said in the report that OPERA1ER's hallmark is easily accessible open source malware and everyday red-team frameworks like Metasploit and Cobalt Strike. OPERA1ER delivers remote access Trojans (RATs) through French-language email phishing lures and takes its time gathering intelligence about its victims before "cashing out," the report added. 

"Detailed analysis of the gang’s recent attacks revealed an interesting pattern in their modus operandi: OPERA1ER conducts attacks mainly during the weekends or public holidays," Rustam Mirkasymov, head of cyber-threat research at Group-IB Europe, said in a statement. "It correlates with the fact that they spend from three to 12 months from the initial access to money theft." 

Mirkasymov added the gang could be based out of Africa and the total number of OPERA1ER group members is unknown. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Cybercrime Group OPERA1ER Stole $11M From 16 African Businesses

An analysis by RSA Conference's security operations center found 20% of data over its network was unencrypted and more than 55,000 passwords were sent in the clear.

Even cybersecurity professionals need to improve their security posture.

That's the lesson from the RSA Conference in February, where the security operations center (SOC) run by Cisco and NetWitness captured 55,525 cleartext passwords from 2,210 unique accounts, the companies stated in a report released last week. In one case investigated by the SOC, a chief information security officer had a misconfigured email client that sent passwords and text in the clear, including sensitive documents such as their payment for a professional certification.

While the number of cleartext passwords is an improvement compared with the 96,361 passwords exposed in 2020 and the more than 100,000 sent in the clear in 2019, there is still room for improvement, says Jessica Bair Oppenheimer, director of technical alliances at Cisco Secure.

"As the RSA Conference is mostly attended by cybersecurity professionals and supporting roles within the security industry, we generally consider the demographic to represent more of a 'best-case' level of security awareness," she says. "Somewhat shockingly, unencrypted email is still being used in 2022."

The annual report presents a view into network usage among a security-focused group of users. Cisco and NetWitness emphasized that the wireless network at the RSA Conference is not configured in the most secure way, but configured to be monitored for educational purposes. For that reason, the network has a flat architecture, allowing any device to contact any other device on the network. Host isolation, which allow devices a route to the internet but not to other devices on the network, would be more secure but less interesting.

**User Credentials at Risk**

At approximately 19,900 attendees, the 2022 RSA Conference only had about half the number of people as the previous conference in 2020, but about the same number of users on the network, the report stated.

The major issue was failure to use encryption for the authentication step when using email and other popular applications. Nearly 20% of all data passed through the network in the clear, the report stated.

"Encrypting traffic does not necessarily make one more secure, but it does stop individuals from giving away their credentials, and organizations from giving away corporate asset information in the clear," the report stated.

Yet the situation isn't as bad as it could be. Because the wireless network includes traffic from the show floor, many of the usernames and passwords are likely from demo systems and environments, the report stated. Moreover, most of the cleartext usernames and passwords — almost 80% — were actually leaked by devices using the older version of the Simple Network Management Protocol (SNMP). Versions 1 and 2 of the protocol are considered insecure, while SNMP v3 adds significant security capabilities.

"This is not necessarily a high-fidelity threat," the report stated. "\[H\]owever, it does leak information about the device as well as the organization it's trying to communicate with."

In addition to the continued use of plaintext usernames and passwords, the SOC found that the number of online applications continues to grow rapidly, suggesting that the attendees are increasingly relying on mobile devices to get work done. The SOC, for example, captured unencrypted video camera traffic connecting to home security systems on port 80 and the unencrypted data used for setting up voice-over-IP calls.

**CISO Mistake**

For the most part, the unencrypted traffic is likely from small-business users, the companies stated in the report. "It is difficult to send email in cleartext these days, and analyzing these incidents found similarities," the report stated. "Most of this traffic was to and from hosted domains. This means email services on domains that are family names or small businesses."

Yet in one case, a chief information security officer had misconfigured their email client and ultimately exposed their email username and password by sending the data in the clear. The SOC discovered the issue when it found a receipt for a CISSP payment sent in the clear from an Android-based email client.

"The discovery sparked an investigation that confirmed dozens of emails from and to the person were downloaded across the open network in the unsecure protocol," the report stated.

Companies should verify that the technologies used by employees have created end-to-end encrypted connections and should apply zero-trust principles to check — at appropriate times — that the encryption is still being applied.

"We've found applications and websites that authenticate encrypted and then pass the data without encryption across the open networks," Cisco Secure's Oppenheimer says. "Alternatively, some will pass unencrypted credentials across open networks and then encrypt the data. Both scenarios are less than ideal."

Virtual private networks are not a panacea but can strengthen the security of unencrypted applications. Finally, organizations should use cybersecurity and awareness training to educate their hybrid workers in how to be secure when working from remote locations.

Unencrypted Traffic Still Undermining Wi-Fi Security

SMBs concerned about tightening security budgets despite increased risks.

**WATERLOO, ON, Nov. 7, 2022 /PRNewswire/** — OpenText™ _(_NASDAQ: OTEX), (TSX: OTEX), today released results of the OpenText Security Solutions 2022 Global Small-Medium Business (SMB) Ransomware Survey. Findings show growing concern about ransomware attacks, the impact of geopolitical tensions, and rising inflation rates. Eighty-eight percent of respondents noted they are concerned or extremely concerned about an attack impacting their business.

"SMBs are a sweet spot for hackers to exploit because they often lack cybersecurity resources, both technology and security expertise," said Prentiss Donohue, Executive Vice President, OpenText Security Solutions. "Today's complex threat landscape presents a huge risk to SMBs that don't have sufficient cyber resiliency preparation to stop the spread and recover quickly from an attack. With adversaries becoming increasingly sophisticated and relentless, a multi-layered protection strategy is no longer a nice to have, it is a necessity."

**Spotlight findings:**

**SMBs fear tightening security budgets amid growing concern of increased ransomware risks due to heightened geopolitical** **tensions.**

*   More than half (57%) of SMBs are worried about their cybersecurity budget shrinking amid rising inflation rates.
*   Fifty-two percent of respondents feel more at risk of suffering a ransomware attack because of heightened geopolitical tensions.
*   Eighty-four percent are concerned about a ransomware attack impacting their business.

**There's a concerning lack of awareness among SMBs when it comes to knowing if they've suffered a ransomware attack. Meanwhile, budgets to protect against these risks are low.**

*   Nearly half (46%) of SMBs have experienced a ransomware attack, yet 67% still don't think or aren't sure they are a ransomware target.
*   The majority (60%) of respondents are not confident or only somewhat confident that they can fend off a ransomware attack.
*   Despite many having experienced an attack before, security budgets are minimal to protect against ransomware and other threats:

*   60% spend less than $50,000 per year.
*   50% spend less than $20,000 per year.
*   Only 10% spend more than $50,000 per year.

**Managed service providers (MSPs) are an appealing security option for SMBs to offset resource constraints.**

*   More SMBs outsource their security to an IT provider or MSP than not, with 58% using external security management support.
*   Concurrently, 65% of SMBs that don't currently use a MSP would consider doing so in the future.

**Survey Resources Now Available:**

To learn more about the findings of the OpenText Security Solutions 2022 Global SMB Ransomware Survey, view the infographic (PDF) or read the blog.

**Survey Methodology**

OpenText Security Solutions polled 1,332 security and IT professionals from small and medium-sized businesses (SMBs), up to 1,000 employees, in the United States, the United Kingdom, and Australia from September 24 to October 10, 2022. Respondents represented a range of roles from security and technical employees to the C-Suite, and across multiple industries including technology, retail, education, manufacturing, healthcare and more.

**About OpenText Security Solutions**

As attack surfaces expand, OpenText Security Solutions help organizations of every size achieve cyber resilience with Webroot Security, Carbonite Data Management, BrightCloud® Threat Intelligence, and EnCase Digital Forensics and Threat Response. With a united front of best practices paired with layered solutions, we prevent, detect, and restore small, mid-sized and enterprise business operations in the event of a cybersecurity attack.

**About OpenText**  
OpenText, The Information Company™, enables organizations to gain insight through market leading information management solutions, powered by OpenText Cloud Editions. For more information about OpenText (NASDAQ: OTEX, TSX: OTEX) visit opentext.com.

**Connect with us:**  
OpenText CEO Mark Barrenechea's blog  
Twitter | LinkedIn

Certain statements in this press release may contain words considered forward-looking statements or information under applicable securities laws. These statements are based on OpenText's current expectations, estimates, forecasts and projections about the operating environment, economies and markets in which the company operates. These statements are subject to important assumptions, risks and uncertainties that are difficult to predict, and the actual outcome may be materially different. OpenText's assumptions, although considered reasonable by the company at the date of this press release, may prove to be inaccurate and consequently its actual results could differ materially from the expectations set out herein. For additional information with respect to risks and other factors which could occur, see OpenText's Annual Report on Form 10-K, Quarterly Reports on Form 10-Q and other securities filings with the SEC and other securities regulators. Unless otherwise required by applicable securities laws, OpenText disclaims any intention or obligations to update or revise any forward-looking statements, whether as a result of new information, future events or otherwise.

Copyright © 2022 OpenText. All Rights Reserved. Trademarks owned by OpenText. One or more patents may cover this product(s). For more information, please visit https://www.opentext.com/patents.

**SOURCE:** Open Text Corporation

OpenText Security Solutions Global SMB Ransomware Survey Reveals Heightened Worry About Increased Cyberattacks Due to Geopolitical Tensions

Investment round led by 11.2 Capital, Okta Ventures, and Mango Capital.

**LONDON and SAN FRANCISCO, Nov. 7, 2022 /PRNewswire/** — The newly available SURF zero-trust, identity-first enterprise browser reinforces organizational security by providing the critical visibility necessary to prevent attacks while simultaneously ensuring every user's privacy. The platform streamlines collaboration and delivers easy, secure access to applications and data for managed and unmanaged (BYOD) devices.

"The browser has become the main productivity tool for employees, which has turned it into the largest attack surface as well," said Pramod Gosavi, 11.2 Capital. "We invested because SURF directly addresses companies' security needs without compromising on the productivity and privacy of the end users."

The platform leverages identity first and already has deep integration with Okta's market-leading identity platform and access management (IDP) technology.

"The secure enterprise browser is one of the fastest growing markets," said Austin Arensberg, Senior Director, Okta Ventures. "We wanted to make sure we backed the most comprehensive solution - SURF, which simultaneously delivers on companies' critical priorities of identity, security, and privacy."

Founders Moty Jacob and Ziv Yankowitz spent five years working together as CISO and CTO at London-based ICAP-NEX Group, which was acquired by CME Group (the world's leading derivatives marketplace) for $5.4 billion. They built Chromium-based applications to strengthen security and ease management of financial transactions.

SURF Security was established to allow global enterprises to close security gaps – without affecting productivity -- by collapsing the security stack into one single powerful control point: the enterprise browser.

"Ziv and I have taken a pragmatic approach to building the browser, completely eliminating the trade-off between strengthening security at the expense of agility and productivity. We wanted to be business enablers," says Moty. "After many years of trying to stay one step ahead of threat actors with too many niche tools, we decided to integrate many security tools into a single solution, reinforced with zero trust and identity - while making everything easy for administrators and users."

Led by 11.2 Capital, Mango Capital, Okta Ventures, and security-focused Angel investors, the Seed round, combined with the already expanding customer base, allows the company the resources and support to grow significantly over the coming years.

"SURF has completely rethought browser endpoint security by natively designing the solution around Chromium and CDN/edge platforms, such as Cloudflare and Fastly," said Robin Vasan, Founder and Partner at Mango Capital. "They are also providing tight integration with key identity platforms like Okta and HashiCorp in user and machine identity security respectively, strengthening their market position."

The SURF browser observes every interaction between users and applications to discover policy breaches while enabling complete administrative visibility and control – without collecting individual personal data.

After quick and easy provisioning, enterprises can enforce security controls like DLP, content disarming and reconstruction, phishing prevention, session killswitch, on-the-fly file encryption, browser extension management, device posture checks, transactional MFA, watermarking, and more.

SURF replaces existing tools like VDI, VPN, RBI, DaaS, etc. Instead of adding overhead layers of virtualization, cost, and complexity and fracturing the user experience, the security and access controls are built directly within the browser. Users get full native experiences and streamlined performance, without any middle tiers, as if they were using the consumer version of any browser.

The platform delivers a complete end-to-end zero-trust experience for both on-prem and cloud applications, all built inside the browser. The comprehensive solution eliminates shadow IT, data leakage, social engineering, credential stuffing, unwanted extensions, browser-based attacks, and many other threats. Enterprises can streamline access to all software development tools and processes as well.

The SURF browser is available for Windows, Android, Apple, and Linux.

_Visit SURF at Oktane22 Nov. 8-10 at Moscone West in San Francisco._

**SOURCE:** SURF

Out of Stealth: New SURF Zero-Trust Enterprise Browser

Why are we still doing perfunctory penetration testing when we can be emulating realistic threats and stress-testing the systems most at risk?

I was on a call with a client the other day and she was in a great mood as she shared with me that her company's recent penetration test had come back with zero findings. There were only a few recommendations that were well in line with the goals that she had previously shared with the testing team.

She trusted this team as they had been used for a few years; they knew when she liked the testing performed, how she liked things documented, and could test faster (and cheaper). Certainly, the compliance box was being check with this annual pen test, but was the organization truly tested or protected against any of the most recent cyberattacks? No. If anything, the organization now had a false sense of security.

She also mentioned that their recent tabletop exercise (the portion of the penetration test where key stakeholders involved in the security of the organization discuss their roles, responsibilities and their related actions and responses to the mock cyber breach) for incident response was for ransomware. You _should_ be focused on ransomware if it hasn’t already been covered in previous testing, but what about human risk or insider threat? While, according to recent findings, three out of four cyber threats and attacks are coming from outside of organizations, and incidents involving partners tend to be much larger than those caused by external sources. According to those same studies, privileged parties can do more damage to the organization than outsiders.

So, why are we still doing perfunctory penetration testing when we can be emulating realistic threats and stress-testing the systems most at risk for maximum business damage? Why aren’t we looking at the most persistent threats to an organization using readily available insights from ISAC, CISA, and other threat reports to build realistic and impactful tabletops? We can then emulate that through penetration testing and increasingly realistic stress testing of systems to allow a sophisticated ethical hacking team to help, versus waiting for what is likely an inevitable breach at some point in the future.

Audit organizations and regulators expect companies to perform due diligence on their own tech and security stack, but they are still not requiring the level of rigor that's required today. Forward-looking organizations are becoming more sophisticated with their testing and incorporating their threat modeling tabletop exercises with their penetration testing and adversary simulations (also called red team testing). This helps ensure that they’re holistically modeling threat types, exercising their probability, and then testing the efficacy of their physical and technical controls. Ethical hacking teams should be able to progress from a noisy penetration test to a stealthier adversary simulation over time, working with the client to tailor the approach around touchy and off-limits equipment, such as financial services trading platforms or casino gaming systems.

Red teams are not just the offensive group of professionals pen testing a company’s networks; these days, they are made up of some of the most sought after cyber experts that live and breathe the technology behind sophisticated cyberattacks.

Strong offensive security partners offer robust red teams; organizations should be looking to ensure they can protect and prepare for today’s dangerous cybercriminal or nation-state threat actor. When considering a cybersecurity partner, there are a few things to consider.

**Is This Partner Trying to Sell You Something or Is It Agnostic?**

A legitimate and robust cybersecurity program is built by a team looking to equip your organization with the technology that is right for your circumstances. Not all technologies are one-size-fits-all, and therefore, products shouldn’t be recommended upfront but should be suggested following a thorough review of your company's needs and unique requirements.

**Deriving R&D From Defensive Data**

Find out if their team researches and develops custom tools and malware based on the most recent endpoint detection and response and other advanced defenses. There is no cookie-cutter approach to cybersecurity, nor should there ever be. The tools used to both prepare and defend an organization against advanced cyberattacks are constantly being upgraded and nuanced to combat the criminals' increasing sophistication.

**Get the Best**

Are their offensive security engineers truly nation-state caliber to evade detection and maintain stealth, or are they compliance-based pen testers? Simply put, do you have the best, most experienced team working with you? If not, find another partner.

**Check the Mindset**

Does the team lead with a compliance mindset or one of threat readiness? While compliance checklists are important to ensure you have the basics in place, it is just that: a checklist. Organizations should understand what, beyond the checklist, they need to stay safe 24/7.

Ultimately, find a cyber partner that will ask the hard questions and identify the broadest scope of considerations when analyzing a program. It should offer an offensive solution that will keep your organization one step ahead of the cybercriminals that continues to raise the bar for maximum resilience. Go beyond the pen test!

Beyond the Pen Test: How to Protect Against Sophisticated Cybercriminals

Dark Reading's analysis suggests that Human Security's acquisition of clean.io will significantly expand the company's fraud prevention and anti-malvertising portfolio.

When dealing with a medium as flexible as the Web, it’s impossible for the site owner to fully control what a user sees. The user doesn't need the site's consent to change the user interface or experience through add-ons, custom browser properties, proxies, and firewall settings.

However, certain things are still within the site owner’s control, such as advertiser selection, security, pricing, and content policy. That's the idea behind _site integrity_, that the user or third parties can't try to force a change on the server or the site's backend operations without consent. If someone, or something, can violate site integrity, that is a threat with real business impact.

An example is malvertising, when cybercriminals abuse the programmatic advertising ecosystem to deliver malware to end users via online advertisements. Exposing users to malware is bad enough, but malvertising creates a significant brand reputation problem for the brands and platforms delivering the ads.

How does Human Security's acquisition of clean.io — announced on Thursday for an undisclosed amount — change the market for anti-malvertising technology? Dark Reading's analysis of the two companies suggests that by joining forces, Human Security and clean.io will be able to offer publishers, platforms, and brands a full range of anti-fraud and anti-abuse tools for the advertising ecosystem.

**What's So Great About Clean Humans?**

Safeguarding the advertising ecosystem means ensuring the industry's $500 billion annual ad spend reaches real humans rather than funding criminal schemes. Toward that goal, clean.io employs real-time behavioral protections on the page, as opposed to relying on static creative reviews and pre-scanning techniques offline, according to Human Security. Integrating clean.io's client-side JavaScript behavioral analysis and mitigation to Human Security's Human Defense Platform will make malvertising incredibly costly for bad actors, the company says.

"Human and clean.io have long been strategic partners to help combat two of the most important problems we face in programmatic advertising: malvertising and fraud," Ron Lissack, senior vice president and chief architect at Xandr, said in the release announcing the acquisition. "This type of consolidation in the ecosystem is welcome news and brings with it a true and holistic, 360-degree approach to fighting cybercrime."

**A Solution to the Cart Problem**

Many merchants and retailers rely on coupons to help boost sales (more than 90% of online consumers say they search for and use coupon codes while shopping online), but when those coupons are abused, they have to deal with lost revenue and damaged brand reputation. Between taking the hit on the coupons themselves, having to pay affiliate fees to the coupon app folks, and getting false impressions about the success of certain ad campaigns, coupon fraud is no joke.

Fraud prevention is Human's bread and butter, and Dark Reading's analysis suggests that cart protection is one of the areas that will benefit from the clean.io acquisition. Human Security can expand its concept of site integrity to include fighting checkout fraud and automated coupon and affiliate code replication. By integrating clean.io's cleanCart technology into its BotGuard product, Human Security can expand coverage beyond the detection and elimination of fake leads from the first-party marketing pool.

This combination will eliminate fake affiliates from the pool in some cases, and in others drastically reign in affiliate payouts for out-of-scope automated coupon redemptions.

It's a potent combination; cleanCart was already boasting a 3% conversion rate boost, while claiming to pay for itself entirely within 90 days of purchase. Add BotGuard's improvement to lead quality and conversion rates, and the percentage of fraudulently sourced clients making it through the checkout process should be low.

**Final Analysis**

Human Security is creating a significant pattern of scalable growth through innovation and acquisition. While the recent merger with PerimeterX took them deep into the enterprise e-commerce checkout process, the clean.io acquisition will help stop fraud at its source through its anti-malvertising leadership and bridge the gap, making potential tech partnerships with e-commerce solutions as a whole (Shopify, WooCommerce, et al.) and cart-specific solutions (X-Cart, OpenCart, etc.) even more attractive.

The acquisition of clean.io by Human Security should give a significant boost to the company's real-time fraud detection capabilities and increase its ability to catch novel threats in the wild. The sheer amount of threat intelligence the combined company will have visibility into is another significant product advantage.

"With the clean.io acquisition, the Satori team will gain invaluable talent and threat intelligence. This will help us defend our customers from future attacks and support disruption efforts like 3ve, Methbot, PARETO, and most recently, Scylla," Gavin Reid, vice president of threat intelligence and research at Human Security, said in a statement. "We're looking forward to expanding our investigative power and strengthening our takedown mechanisms to continue safeguarding all of our clients and the industry as a whole."

Human Security Tackles Malvertising With Clean.io Buy

The software giant also recorded an increase in attacks on IT services companies as state-backed threat actors have adapted to better enterprise defenses and cast a wider net, Microsoft says.

Enterprise security executives that perceive nation-state-backed cyber groups as a distant threat might want to revisit that assumption, and in a hurry.

Several recent geopolitical events around the world over the past year have spurred a sharp increase in nation-state activity against critical targets, such as port authorities, IT companies, government agencies, news organizations, cryptocurrency firms, and religious groups.

A Microsoft analysis of the global threat landscape over the last year, released Nov. 4, showed that cyberattacks targeting critical infrastructure doubled, from accounting for 20% of all nation-state attacks to 40% of all attacks that the company's researchers detected.

Furthermore, their tactics are shifting — most notably, Microsoft recorded an uptick in the use of zero-day exploits.

**Multiple Factors Drove Increased Nation-State Threat Activity**

Unsurprisingly, Microsoft attributed much of the spike to attacks by Russia-backed threat groups related to and in support of the country's war in Ukraine. Some of the attacks were focused on damaging Ukrainian infrastructure, while others were more espionage-related and included targets in the US and other NATO member countries. Ninety percent of Russia-backed cyberattacks that Microsoft detected over the past year targeted NATO countries; 48% of them were directed at IT service providers in these countries.

While the war in Ukraine drove most of the activity by Russian threat groups, other factors fueled an increase in attacks by groups sponsored by China, North Korea, and Iran. Attacks by Iranian groups, for instance, escalated following a presidential change in the country. 

Microsoft said it observed Iranian groups launching destructive, disk-wiping attacks in Israel as well as what it described as hack-and-leak operations against targets in the US and EU. One attack in Israel set off emergency rocket signals in the country while another sought to erase data from a victim's systems.

The increase in attacks by North Korean groups coincided with a surge in missile testing in the country. Many of the attacks were focused on stealing technology from aerospace companies and researchers.

Groups in China, meanwhile, increased espionage and data-stealing attacks to support the country's efforts to exert more influence in the region, Microsoft said. Many of their targets included organizations that were privy to information that China considered to be of strategic importance to achieving its goals.

**From Software Supply Chain to IT Service Provider Chain**

Nation-state actors targeted IT companies more heavily than other sectors in the period. IT companies, such as cloud services providers and managed services providers, accounted for 22% of the organizations that these groups targeted this year. Other heavily targeted sectors included the more traditional think tank and nongovernmental organization victims (17%), education (14%), and government agencies (10%).

In targeting IT service providers, the attacks were designed to compromise hundreds of organizations at once by breaching a single trusted vendor, Microsoft said. The attack last year on Kaseya, which resulted in ransomware ultimately being distributed to thousands of downstream customers, was an early example. 

There were several others this year, including one in January in which a Iran-backed actor compromised an Israeli cloud services provider to try and infiltrate that company’s downstream customers. In another, a Lebanon-based group called Polonium gained access to several Israeli defense and legal organizations via their cloud services providers. 

The growing attacks on the IT services supply chain represented a shift away from the usual focus that nation-state groups have had on the software supply chain, Microsoft noted.

Microsoft's recommended measures for mitigating exposure to these threats include reviewing and auditing upstream and downstream service provider relationships, delegating privileged access management responsible, and enforcing least privileged access as needed. The company also recommends that companies review access for partner relationships that are unfamiliar or have not been audited, enable logging, review all authentication activity for VPNs and remote access infrastructure, and enable MFA for all accounts

**An Uptick in Zero-Days**

One notable trend that Microsoft observed is that nation-state groups are spending significant resources to evade the security protections that organizations have implemented to defend against sophisticated threats. 

"Much like enterprise organizations, adversaries began using advancements in automation, cloud infrastructure, and remote access technologies to extend their attacks against a wider set of targets," Microsoft said.

The adjustments included new ways to rapidly exploit unpatched vulnerabilities, expanded techniques for breaching corporations, and increased use of legitimate tools and open source software to obfuscate malicious activity. 

One of the most troubling manifestations of the trend is the increasing use among nation-state actors of zero-day vulnerability exploits in their attack chain. Microsoft's research showed that patches were released for 41 zero-day vulnerabilities between July 2021 and June 2022.

According to Microsoft, China-backed threat actors have been especially proficient at finding and discovering zero-day exploits recently. The company attributed the trend to a new China regulation that went into effect in September 2021; it requires organizations in the country to report any vulnerabilities they discover to a Chinese government authority for review before disclosing the information with anyone else.

Examples of zero-day threats that fall into this category include CVE-2021-35211, a remote code execution flaw in SolarWinds Serv-U software that was widely exploited before being patched in July 2021; CVE-2021-40539, a critical authentication bypass vulnerability in Zoho ManageEngine ADSelfService Plus, patched last September; and CVE-2022-26134, a vulnerability in Atlassian Confluence Workspaces that a Chinese threat actor was actively exploiting before a patch become available in June.

"This new regulation might enable elements in the Chinese government to stockpile reported vulnerabilities toward weaponizing them," Microsoft warned, adding that this should be viewed as a major step in the use of zero-day exploits as a state priority.

.

Microsoft Warns on Zero-Day Spike as Nation-State Groups Shift Tactics

An analysis of the RomCom APT shows the group is expanding its efforts beyond the Ukrainian military into the UK and other English-speaking countries.

The RomCom threat group is actively using trojanized versions of popular software products, including SolarWinds Network Performance Monitor, KeePass Open-Source Password Manager, and PDF Reader Pro, to target various English-speaking countries — especially the UK — with a remote access Trojan (RAT). It's a departure in tactics, techniques, and procedures for the advanced persistent threat (APT).

During an analysis of a previous RomCom RAT campaign against the Ukraine military that used fake Advanced IP Scanner software to deliver malware, the threat research and intelligence team at BlackBerry discovered additional, more widespread campaigns being waged in other geolocations. The researchers determined the UK and other English-speaking countries were new RomCom targets based on the analysis of the terms of service and the SSL certificates of a new command-and-control server, which was registered in the UK.

Dmitry Bestuzhev, distinguished threat researcher with BlackBerry, tells Dark Reading that the UK is now actually one of the biggest RomCom targets, based on Blackberry's analysis.

"It's predictable, since the US and UK have been the most active supporters of Ukraine in the war with Russia," Bestuzhev says.

Once dropped, the RomCom RAT is designed to exfiltrate any sensitive data or passwords.

"Information is valuable, and when it's strategic, it helps the attacker build better offensive strategies and take advantage in any domain," Bestuzhev adds. "Geopolitics will set new targets. Since RomCom has been widely exposed, it's reasonable to believe the group behind it might change their TTPs."

This isn't the first shift in strategy for the group. "When RomCom was discovered, it was publicly associated with ransomware," Bestuzhev says. "The most recent campaigns prove that the motivation of this threat actor is not money. There is a geopolitical agenda that defines the new targets."

**RomCom RAT's Wrap**

The trojanizing scheme isn't terribly complicated, the BlackBerry team explained in its report.

RomCom scrapes the code from the software vendor the APT wants to use, registers a malicious domain that's likely to trick the user with typosquatting or similar tactics, trojanizes the real application, and then uploads the malware to the spoofed site. It then sends a phishing lure to the intended target through various channels, and boom — target compromised.

The wrapping approach isn't new, Andrew Barratt, vice president with Coalfire, tells Dark Reading; other APTs and groups like FIN7 have used similar tactics.

"This attack looks like it's a direct copycat of some attacks we investigated during the pandemic, where we saw a number of vendor products support tools being mimicked or 'wrapped' with malware," Barratt says. "The 'wrapping' process means that the underlying legitimate tool is still deployed, but as part of that deployment, some malware is dropped into the target environment."

**RomCom Targeting Humans**

To defend against RomCom attacks, Mike Parkin, senior technical engineer with Vulcan Cyber, recommends forgetting about the state espionage aspect of the campaign and instead focusing on social engineering and the true targets — individuals.

"With the current geopolitical situation, it's quite likely there is a state-level involvement behind the scenes. At its core, though, this is an attack against human targets," Parkin explains to Dark Reading. "They are primarily relying on victims being social engineered through email to go to a malicious site disguised as a legitimate one. That makes the users the first line of defense, as well as the primary attack surface."

RomCom Malware Woos Victims With 'Wrapped' SolarWinds, KeePass Software

Operations at the world's most expensive ground-based telescope, high in the Atacama Desert, remain disrupted.

The Atacama Large Millimeter Array (ALMA) astronomical observatory in Chile became an unlikely target for a cyberattack this week when unknown assailants knocked its systems offline. The ALMA may not be a household name, but it has a marquee role on the international academic stage, which might explain why it was targeted.

The ALMA is a radio telescope, located 5,000 meters above sea level in the unpopulated, geoglyph-laden expanse of the Atacama Desert. There, the conditions are uniquely suited for its mission: imaging early star and planet formation, and offering clues to the origins of the universe. It's maintained in international partnership between Canada, Chile, the EU, Japan, South Korea, Taiwan, and the United States, and, built at the cost of $1.4 billion, is the most expensive terrestrial-based telescope in existence.

The attack, which happened last weekend, has forced "the suspension of astronomical observations and the public website," the observatory said in a statement on Wednesday. "There are limited email services at the observatory. ... The attack did not compromise the ALMA antennas or any scientific data. Given the nature of the episode, it is not yet possible to estimate a timeline for a return to regular activities."

At press time, portions of the website were functioning, but a banner on the site reads, "A number of ALMA online services are currently unavailable — work is in progress to remedy this situation," adding, "replying to tickets by email is currently unavailable."

While the nature of the malware used is unknown, motivations could be myriad. Scientific research is no stranger to targeting by nation-states looking for a competitive edge; and, of course, a victim of this caliber in astronomy circles is a good tool for a ransomware gang to use to burnish its Dark Web reputation.

Research telescopes have also been attacked in the past, seemingly for the lulz: In 2017, Australia's Zadko telescope was knocked offline, almost preventing it from capturing an anticipated, once-in-a-lifetime collision between two neutron stars in deep space.

Awareness that this academic sector is a target for cyberattackers is growing. Some telescopes have taken precautions, such as the National Radio Astronomy Observatory (NRAO) in Indiana, which has contracted the National Science Foundation's ResearchSOC to provide cybersecurity protection.

Source

DARKReading