At Next '22, Google Cloud announces updates to its trusted cloud ecosystem with new Sovereign Solutions initiative and partnerships spanning critical areas of cybersecurity.

SUNNYVALE, Calif., Oct. 11, 2022 /PRNewswire/ -- Google Cloud today announced a significant expansion of its trusted cloud ecosystem, highlighting new integrations and offerings with more than twenty partners focused on enabling greater data sovereignty controls, supporting Zero Trust models, unifying identity management, and improving endpoint security for global businesses.

Global businesses face growing challenges in cybersecurity and data protection, as cyber threats become increasingly sophisticated, hybrid work becomes the norm, and governments adopt new requirements for data sovereignty and control. Google Cloud provides businesses with industry-leading, end-to-end security capabilities to support customers across their cloud and on-premises environments—and today it is announcing a series of partnerships that extend its leadership as an open and trusted cloud.

By embracing its ecosystem of partners, Google Cloud is ensuring that global businesses have choice and flexibility to work with leading cybersecurity vendors and to deliver diverse sets of applications on infrastructure compliant with growing data protection requirements.

"Providing businesses with extensible cybersecurity solutions in the cloud, and a collaborative ecosystem of partners, is the only practical approach to addressing enterprises' greatest cybersecurity challenges," said Sunil Potti, VP, Cloud Security at Google Cloud. "Our partners play a critical role in keeping customers secure and compliant, whether enabling secure hybrid work, safeguarding critical infrastructure, or meeting stringent data residency requirements."

"Success with today's digital business platforms requires a connected and trusted ecosystem of partners to help ensure better security outcomes for customers," said Prem Iyer, VP, GSI and CSP Ecosystems at Palo Alto Networks. "We remain committed to continuing our momentum with Google Cloud, delivering best-in-class solutions that simplify cloud security for our joint customers while improving their security posture."

"The Symantec Enterprise Division and Google Cloud are committed to addressing critical requirements of governments and highly regulated industries to establish sovereignty over data at rest, in use, and in transit," said Rob Greer, VP and GM at Symantec Enterprise Division, Broadcom. "The Google Cloud Ready–Sovereign Solutions program provides Symantec customers with a transparent and flexible approach to meet local data security and privacy laws, across our cybersecurity solutions."

**Bringing partner applications to European sovereign clouds**  
Google Cloud is announcing a new Google Cloud Ready–Sovereign Solutions program to help customers identify partner applications validated to be compatible with Google Cloud's portfolio of Sovereign Solutions, including partner offerings from T-Systems in Germany and S3NS in France. This program will give customers the confidence to continue using applications that are critical to their business while meeting their digital sovereignty objectives.

Today, a diverse group of software partners are committing to validate their platforms for this program, including Aiven, Broadcom (Symantec), Cloud Software Group (Citrix), Climate Engine, Commvault, Confluent, Datadog, DataIKU, Dell Technologies, Elastic, Fortinet, Gitlab, Iron Mountain, LumApps, MongoDB, NetApp, OpenText, Palo Alto Networks, Pega Systems, Siemens, SUSE, Thales, Thought Machine, Veeam, and VMware.

**Expanding Zero Trust architecture with partners**  
Businesses around the world utilize Google Cloud's BeyondCorp Enterprise Zero Trust solution to enable secure access to applications and resources and to safeguard data. In 2020, Google Cloud announced the BeyondCorp Alliance, creating an ecosystem of partners to help enable customers to integrate products and utilize information from leading security vendors including CrowdStrike, Palo Alto Networks, VMware, and more.

Today, Google Cloud is taking a significant step forward in the extensibility of its Zero Trust offerings by partnering with Palo Alto Networks to ensure customers can embrace a ZTNA 2.0 strategy, protecting all users and applications on devices connected across any network.

**Simplifying identity management across platforms**  
Unified identity management is another critical component to secure hybrid work, because it safely eliminates the need to maintain separate user identities across multiple platforms. Alongside its own Identity and Access Management products, Google Cloud is announcing new integrations with ForgeRock, JumpCloud, Okta, and Ping Identity that will automatically extend identity management capabilities and policies to joint customers, adding significant value to investments customers have already made, and helping further secure commonly-used applications.

**Improving endpoint security and operations**  
These partnerships build on Google Cloud's existing ecosystem of endpoint and security operations partners. Strong endpoint protection helps businesses maintain data security while giving their workforces the flexibility to access key applications and information seamlessly across devices, including mobile phones, desktops, laptops, and more. Through its Chronicle Security Operations platform, Google Cloud offers a modern, cloud-first suite that better enables cybersecurity teams to detect, investigate, and respond to threats.

Google Cloud's ecosystem of partners like CrowdStrike, Cybereason, and Fortinet integrate their platforms with Chronicle, ensuring customers have the flexibility and choice to modernize their endpoint security operations.

With the addition of Mandiant to Google Cloud, endpoint partners will also have opportunities to deepen their integrations with Google Cloud's end-to-end security operations suite, with even greater capabilities to support customers across their cloud and on-premises environments.

**Delivering implementation and managed services through systems integrators**  
Google Cloud's top systems integrators including Deloitte will provide implementation customization and managed services for customers, bringing together Google Cloud's capabilities in security analytics, threat intelligence, automation, and SecOps with those of its ecosystem to help customers more quickly prevent and respond to cyber threats.

Learn more about Google Cloud's ecosystem of security partners here.

**About Google Cloud**  
Google Cloud accelerates every organization's ability to digitally transform its business. We deliver enterprise-grade solutions that leverage Google's cutting-edge technology – all on the cleanest cloud in the industry. Customers in more than 200 countries and territories turn to Google Cloud as their trusted partner to enable growth and solve their most critical business problems.

SOURCE Google Cloud

Google Cloud Advances Partnerships with 20-Plus Software Companies Focused on Digital Sovereignty and Cybersecurity

Silent Eight announced an extension to its existing partnership with HSBC to tackle financial crime.

LONDON, Oct. 11, 2022 /PRNewswire/ -- The new service will cover the deployment of Negative News Screening that leverages machine learning to identify individuals who pose a greater risk for money laundering, fraud or terrorist financing. As financial crime continues to present a challenge, banks need to pivot to an increased use of Machine Learning within compliance, and move away from manual processes or alert scoring.

Silent Eights' solution provides a more effective approach to address true matches and resolve the issue of false identifications. With this expansion, Silent Eight will be solving name screening matches across every risk type within HSBC.

"HSBC is dedicated to drive AI innovation in the financial services field, and with Silent Eight's capabilities, we continue our focus on tackling financial crime more effectively and make the industry safer. We are excited to see the value that they will create by integrating Negative News screening into our platforms," said Mark Turkington, Group Head of Financial Crime Detection.

Silent Eight CRO, Matt Leaney, said, "Working with a technology leader like HSBC who is embracing machine learning within compliance is a pleasure for us. It is a true partnership of shared goals and interests, we look forward to deepening our relationship and supporting their goals for many years to come."

**About Silent Eight:**

Silent Eight makes crime bad business and with its banking, insurance and payment partners is responsible for stopping bad actors accessing the financial system Silent Eight leads the world in Artificial Intelligence solutions for the compliance challenges of today and tomorrow. Spanning customers and transactions, covering Sanctions, Adverse News, PePs and monitoring Silent Eight ensures all potential risks are investigated and decided quickly, accurately and consistently.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

HSBC and Silent Eight Expand Machine Learning Partnership

Nexusguard DDoS Statistical Report reveals key attack observations and analysis from the first half of 2022.

SAN FRANCISCO--(BUSINESS WIRE)--In the first half of 2022, the amount of DDoS (distributed denial of service) attacks increased by 75.6% compared to the second half of 2021, according to new Nexusguard research revealed in the company’s DDoS Statistical Report for 1HY 2022. While the total number of attacks did grow, the average (0.59 Gbps) and maximum (232.0 Gbps) attack sizes each decreased by 56% and 66.8%, respectively, during the same period. Notably, application attacks increased a whopping 330% compared to the second half of 2021, and amplification attacks increased by 106.7%.

Single-vector attacks represented 85% of all attacks globally in H1 2022. UDP (User Datagram Protocol) attacks, which quickly overwhelm the target defenses, and HTTPS Flood, which exhaust servers with valid HTTPS requests, were the two most predominant vectors. Nearly four out of 10 (39.6%) attacks were UDP, an increase of 77.5% from H2 2021, and the two groups combined accounted for more than half (55.5%) of DDoS attacks globally. UDP attacks frequently serve as a smokescreen to mask other malicious activities such as efforts to compromise personal identifiable information (PII) or the execution of malware or remote codes.

New to Nexusguard DDoS reports are statistics describing top reflected attack destinations. Reflection attacks spoof the IP address of the target, tricking it to believe it has received an authentic request, typically via UDP, to which the target responds. Nearly three-quarters (74.6%) of all reflected attacks targeted organizations in Brazil and South Korea. Within Europe, the United Kingdom received almost a quarter (24.6%) of all reflected attacks in that region and in the Middle East and Africa, the Seychelles and Saudi Arabia combined received more than half (55.5%).

Stealthy Bit-and-Piece attacks continue to plague ASN-level Communications Service Providers (CSPs) globally, especially internet service providers (ISPs). While 81% of attacks globally were less than a single Gbps, Bit-and-Piece attacks by /24 networks registered minimum sizes of 0.0637 Gbps and a maximum of 123.7 Gbps. By drip-feeding doses of junk traffic into a large IP pool, the traffic remains small enough to evade traditional threshold-based detection, but accumulates to be enough to clog and disable the target.

“Attackers came out of winter hibernation with never-before-seen levels of intent, showing an incredible increase of attacks in Q2 2022 alone and by June, reaching the highest first-half levels since 2018,” said Juniman Kasman, chief technology officer of Nexusguard. “We’ve expanded our DDoS reports to include data on reflected attack destinations and have separated Europe from the Middle East and Africa regions to provide organizations with even more information on DDoS attacks. The wide variability in attack types shown by our latest report demonstrates that companies must remain vigilant in protecting themselves against the risk of DDoS attacks.”

Read Nexusguard’s DDoS Statistical Report 1HY 2022 for more information on attack vectors, stats and trends based on data gathered from CSPs, honeypots, botnet scanning and research on traffic moving between attackers and their targets.

**About Nexusguard**

Founded in 2008, Nexusguard is a leading cloud-based distributed denial of service (DDoS) security solution provider fighting malicious internet attacks. Nexusguard ensures uninterrupted internet service, visibility, optimization and performance. Nexusguard is focused on developing and providing the best cybersecurity solution for every client across a range of industries with specific business and technical requirements. Nexusguard also enables communications service providers to deliver DDoS protection solutions as a service. Nexusguard delivers on its promise to provide you with peace of mind by countering threats and ensuring maximum uptime. Visit www.nexusguard.com for more information.

Nexusguard Research Shows Total Number of DDoS Attacks Increased during First Half of 2022 While Maximum Attack Size Decreased Compared to Second Half of 2021

Resistant AI and ComplyAdvantage launch AI transaction monitoring solution to combat fraud and money laundering.

LONDON, Oct. 11, 2022 /PRNewswire-PRWeb/ -- Holvi, the digital banking service for small businesses, is among the initial group of customers to implement the AI-driven solution to manage their financial crime risk.

Resistant AI, the AI and machine learning financial crime prevention specialists, and ComplyAdvantage, the financial industry's leading source of AI-driven financial crime risk data and detection technology, today announced the general availability of their solution for fighting financial crime across  
the U.S. and Europe.

Financial crime is a multi-trillion-dollar problem. According to the \[United Nations, the estimated amount of money laundered globally in one year is 2 - 5% of global GDP, or 800 billion - 2 trillion US dollars. While the cost of fraud and money laundering to financial organizations and other businesses is significant, the cost and damage to economies and society as a whole is immeasurable.

Adding Resistant AI's capabilities to ComplyAdvantage's transaction risk monitoring platform extends anti-money laundering (AML) and anti-fraud protections offered to financial institutions and other businesses by:

\-- Enabling them to detect previously unknown patterns of behavior and identify new risks faster.  
\-- Delivering alert prioritization so organizations can focus on the highest-risk areas and make the best use of their investigative resources.

With these capabilities, organizations can transition to a more dynamic approach to financial crime that uncovers novel behavior as it happens.

"Effectiveness and efficacy are key to scaling," comments Valentina Butera, Head of AML and AFC Operations at Holvi. "Integrating an AI-driven transaction monitoring solution means we can grow our customer base without growing our headcount at the same rate. With Resistant AI and ComplyAdvantage, we can manage our known risks more efficiently while also identifying and adapting to previously unknown risks."

Martin Rehak, founder, and CEO at Resistant AI, commented, "We are delighted that our joint solution is now available to drive game-changing efficiency gains. Alert prioritization, the ability to make systems more effective and identify previously unknown risks enables the most effective use of investigative resources and ensures a true risk-based approach."

"In a complex, rapidly shifting world, criminals continue to find new ways to exploit financial services to launder the proceeds of their crimes. At ComplyAdvantage, we are passionate about giving our clients the best tools to protect themselves - and their customers - from these bad actors and fight back.

The addition of Resistant AI's capabilities will allow our clients to do just that," said Charles Delingpole, founder, and CEO at ComplyAdvantage.

Today's announcement coincides with the launch of a new thesis paper on AI in transaction monitoring. Co-authored by ComplyAdvantage and Resistant AI, it explores how customers like Holvi can increase the speed and accuracy with which they monitor transactions for fraud and other financial crime risks.

**About Resistant AI**

Founded in 2019, Resistant AI uses AI and machine learning to provide identity forensic solutions that protect automated financial services from fraud and manipulation, including customer onboarding, AML and existing fraud detection systems. The Resistant AI founding team has a deep background in machine learning, artificial intelligence and computer security with more than 15 years of experience applying AI in the computer security domain. Backed by GV (formerly Google Ventures), Index Ventures, Credo Ventures, Seedcamp, and several angel investors specializing in financial technology and security, Resistant AI is headquartered in Prague with offices in London and New York.

Visit resistant.ai to learn more.

**About ComplyAdvantage**

ComplyAdvantage is the financial industry's leading source of AI-driven financial crime risk data and detection technology. ComplyAdvantage's mission is to neutralize the risk of money laundering, terrorist financing, corruption, and other financial crime. More than 500 enterprises in 75 countries rely on ComplyAdvantage to understand the risk of who they're doing business with through the world's only global, real-time database of people and companies. The company identifies thousands of risk events daily from millions of structured and unstructured data points.

ComplyAdvantage has four global hubs in New York, London, Singapore, and Cluj-Napoca and is backed by Goldman Sachs, Ontario Teachers', Index Ventures, and Balderton Capital. Learn more at https://complyadvantage.com/.

Resistant AI and ComplyAdvantage Launch AI Transaction Monitoring Solution To Combat Fraud and Money Laundering

HackerOne Assets combines ASM with insights from security experts to protect known and unknown digital assets.

SAN FRANCISCO, October 13, 2022: HackerOne, the leader in Attack Resistance Management, today announced the general availability of its HackerOne Assets product. Assets combines the core capabilities of Attack Surface Management (ASM) with the expertise and reconnaissance skills of ethical hackers to bring visibility, tracking, and risk prioritization to an organization's digital asset landscape. Research from ESG revealed that 69% of organizations have experienced a cyberattack through the exploit of an unknown, unmanaged, or poorly managed internet-facing asset. Assets form a key part of HackerOne’s Attack Resistance Management portfolio that aims to discover unknown assets and vulnerabilities and close organizations’ security gaps.

With Assets, customers can manage both the discovery and testing of assets in a single platform. The solution blends security expertise with asset discovery, continuous assessment, and process improvements to reduce risk. HackerOne’s community of ethical hackers enrich the asset and scan data and analyze it themselves, ensuring that newly found assets are tested for risk and mapped according to their metadata. Once the assets have been identified and ranked for risk, security teams can use these insights to initiate pentests on newly discovered assets and add assets to their bug bounty scope.

“HackerOne Assets solves for the inefficiencies in traditional ASM scanning” explained Ashish Warty, SVP of Engineering at HackerOne. “It’s impossible for security teams to see their entire attack surface, while cloud transformation, agile product cycles, and mergers and acquisitions keep the threat landscape growing. By combining attack surface management with the creative power of the ethical hacking community, Assets reduces manual work, increases the accuracy of scanning results, and speeds up time to remediation by prioritizing based on real world risk.”

“Having in-depth visibility of our attack surface is a core part of our security strategy,” said Roy Davis, Lead Security Engineer at Zoom. “With HackerOne Assets and the insights it brings from the hacking community, our security team has been able to effectively prioritize those areas of our attack surface that need the most attention, helping us address security gaps faster.”

HackerOne has already been running an early access program with selected enterprise customers, helping to gain critical insights into customers’ ASM drivers and investigating how to leverage the hacking community as an ASM force multiplier. With this general launch, HackerOne continues to augment its Attack Resistance Management Platform, which includes Asset Inventory, OpenASM and Assets API, Automated and Hacker-led Discovery, Continuous Scanning and Monitoring, Risk Ranking, and Attack Surface Coverage.

To learn more about how the Attack Management approach can close security gaps, visit: HackerOne.com

ABOUT HACKERONE

HackerOne closes the security gap between what organizations own and what they can protect. HackerOne's Attack Resistance Management blends the security expertise of ethical hackers with asset discovery, continuous assessment, and process enhancement to find and close gaps in the ever-evolving digital attack surface. This approach enables organizations to transform their business while staying ahead of threats. Customers include The U.S. Department of Defense, General Motors, GitHub, Goldman Sachs, Google, Hyatt, Lufthansa, Microsoft, MINDEF Singapore, Nintendo, PayPal, Slack, Twitter, and Yahoo. In 2021, HackerOne was named as a ‘brand that matters’ by Fast Company.

Newly Introduced HackerOne Assets Goes Beyond Attack Surface Management To Close Security Gaps

Distrust and verify, because you can't protect what you can't see.

Even before the Biden administration announced US federal agencies and contractors must adopt new zero-trust cybersecurity standards, many enterprise-level companies had already begun their journeys toward zero-trust architecture (ZTA) adoption.

According to a recent survey conducted by Forrester, 78% of global security leaders said they plan to bolster zero-trust operations this year, though only 6% said they have fully implemented their zero-trust projects. These organizations recognize that networks today can be local, reach into the cloud, or extend anywhere remote workers are — which limits the effectiveness of traditional defenses.

In dealing with direct attacks such as the recent Log4j vulnerability, indirect attacks such as phishing with malware, and internal lateral movement, traditional perimeter-based network access control has proven insufficient in detecting, much less preventing, compromise. Zero trust — based on the concept that users must be authenticated and continuously validated to be granted access to applications and data — is much more effective because it protects resources rather than network segments.

But successful execution is more like a journey than a switch that can be flipped on. It requires various technologies working together — including multifactor authentication, endpoint security, and identity protection — with full zero-trust adoption becoming an ongoing process of enhancements, refinements, and policy adjustments.

There's an old adage that became well known during the Cold War: "Trust, but verify." More of each is needed in today's highly distributed world, where networked environments are dynamic and network infrastructure, services, users, and more can rapidly change. Organizations cannot blindly assume their zero-trust architecture (ZTA) is always functioning as intended. Organizations need to actively distrust _and_ verify as they refine their network infrastructure, services, and operational policies. Thankfully, continuous deep packet monitoring provides the independent intelligence necessary to improve policy enforcement decisions.

**The Role of Deep Packet Monitoring**

In the Zero Trust Maturity Model laid out by the Cybersecurity and Infrastructure Security Agency (CISA), five distinct pillars reflect how advanced an organization is in its zero-trust implementation. Cutting across these pillars are guidelines for visibility and analytics, automation and orchestration, and governance — suggesting the need for cross-pillar collaboration, integration, and management for more mature ZTAs.

In traditional, non-zero-trust deployments, packet monitoring at the perimeter and occasionally in sensitive areas of the internal network provides the foundation for network visibility and analytics. But as an organization's ZTA matures, traditional perimeters blur or even vanish altogether. North-south traffic will always need to be seen and controlled, but equally as importantly, east-west traffic must be seen and controlled to detect and prevent lateral or deeper compromise in the environment. To achieve zero-trust maturity, pervasive network visibility of the entire network through deep packet monitoring is required.

Packets are the best source of high-fidelity network data available, especially for organizations further along in their digital transformation journeys toward greater public or hybrid cloud use. In these environments, organizations often lose a degree of visibility compared with traditional data centers, and traditional cybersecurity safeguards like endpoint defenses may not even come into play. Packet data transcends the limitations of distributed infrastructure to help verify performance and policy compliance in near real time, offering a single source of truth that can be analyzed months or even years later.

While networking teams have traditionally used packet monitoring to analyze networks, manage traffic, and identify performance issues, the data that packets provide to security teams can be just as invaluable for threat detection and investigations. Packet data allows security teams to trace communications between interconnected devices and historical trends, for example, and can assist in orchestrating mitigation between management and enforcement tools through APIs. It also fills in visibility and data gaps left by other cybersecurity tools (e.g., security information, event management, and endpoint detection), making those tools and existing cybersecurity staff more effective. Finally, organizations can use packet monitoring to classify networks, servers, and services based on risk, allowing for very rapid and concise verification of ZTA.

In summary, enterprises just beginning their zero-trust journeys will require refinements to their architectures as they mature. Their solutions will increasingly rely on automated processes and systems, with greater integration across pillars and more dynamic policy enforcement decisions. For these systems to remain successful, continuous validation of zero-trust designs and enforcement boundaries is required, and deep packet monitoring offers the most comprehensive level of visibility available to verify their effectiveness.

At the end of the day, zero trust is a philosophy. To buy in completely, nothing can be taken for granted. Even organizations with more mature zero-trust implementations must continually verify their adherence with constant, pervasive network visibility. After all, you can't protect what you can't see, and what you can't see, you shouldn't trust.

Comprehensive Network Visibility Is Imperative for Zero-Trust Maturity

A timing attack helps cyberattackers lob malicious code-bombs at corporate targets by cloning private package names.

A novel timing attack has emerged for targeting private corporate software packages hosted in the npm code repository. The goal is to uncover the legitimate offerings and then create malicious public packages using the same names in order to trick employees into downloading the doppelganger blocks.

Internal developer projects typically use standard, trusted code dependencies that are housed in private repositories on npm and elsewhere. The idea is to avoid software supply chain attacks and other code dependency issues, and to protect sensitive internal developer code. As such, if they can be hijacked or weaponized, they provide an attractive avenue for cybercriminals looking to crack corporate networks and exfiltrating sensitive information.

**Code Dependency Confusion Rides Again**

Last year, researcher Alex Birsan pioneered what's known as the code dependency confusion attack, using benign proof-of-concept (PoC) code blocks to target internal apps at Amazon, Lyft, Slack, and Zillow, among others. He created "copycat" packages to be housed instead in public repositories like npm, with the same names as the private legitimate code dependencies. What ensued was that internal projects began defaulting to importing the new public packages instead of the private ones.

The PoC demonstrated how outside code can be imported and propagated through a targeted company’s internal applications and systems, with relative ease — including at Apple, Microsoft, Netflix, PayPal, Shopify, Tesla, and Uber. Unsurprisingly, it didn't take long for malicious actors to replicate the attack pattern.

One way to defend against these kinds of attacks is to keep the package names secret so they can't be cloned. But according to Aqua Security’s Nautilus research team, it's possible to reveal private packages names by using a glitch in npm's registry API.

**A New Type of Timing Attack**

Npm's registry API allows users to check for the existence of packages, download them, and receive information about them. If a user searches for a private package or one that doesn't exist, the website throws a 404 HTTP error message in both cases. However, there's a difference in the amount of time it takes to return that error page: The average response time to 404 a private package is 648 milliseconds, while the average time when a package doesn't exist at all is just 101 milliseconds.

"If a threat actor sends around five consecutive requests for information about a private package and then analyzes the time taken for npm to reply, it is possible for them to determine whether the private package in fact exists," Nautilus researchers said in an Oct. 13 blog post.

There are a few methods that could be used to create a list of private package names to test with the timing attack, according to the research. These include:

*   Guess the names of the private packages by performing a dictionary attack using the patterns found in the nomenclature of the organizations' public packages.
*   Use online public data sets (such as libraries.io) access historic information about public packages that were deleted — these may have been converted to private packages.

The researchers reported the issue to npm owner GitHub's bug bounty program, getting this response: “Because of these architectural limitations, we cannot prevent timing attacks from determining whether a specific private package exists on npm.”

To protect themselves, the researchers said, corporations should be actively looking for typosquatting, lookalikes, or copycat packages, and verifying that there are no other packages with the same name as internal private packages being hosted in repositories.

Novel npm Timing Attack Allows Corporate Targeting

The comprehensive, multiplatform framework comes loaded with weapons, and it is likely another effort by a China-based threat group to develop an alternative to Cobalt Strike and Sliver.

Researchers have uncovered a potentially dangerous cyberattack framework targeting Windows, Linux, and Mac systems that they assess is likely already being used in the wild.

The framework consists of a new, stand-alone, command-and-control (C2) tool dubbed "Alchimist," a previously unseen remote access Trojan (RAT) called "Insekt," and several bespoke tools like a custom backdoor and malware for exploiting vulnerabilities in macOS. It also includes reverse proxies and several dual-use tools such as netcat, psexec, and an intranet-scanning tool called fscan.

"Alchimist is a new C2 framework that can be rapidly deployed and operated with relatively low technical expertise by a threat actor," says Nick Biasini, head of outreach at Cisco Talos.

**A Cobalt Strike Alternative?**

Researchers from Cisco Talos who discovered the attack framework described Alchimist as another example of threat actors trying to develop alternatives to popular post-exploit tools such as Cobalt Strike and, more recently, Sliver. 

"The emergence of such frameworks in the wild suggests that threat actors are actively trying to develop alternative solutions to popular attack frameworks ... whose increasing popularity has led to rigorous detection efforts," Biasini says. 

In a blog post on Oct. 13, Cisco Talos described Alchimist as a 64-bit Linux executable written in GoLang with a Web interface written in Simplified Chinese, the official written script for mainland China. The Insekt RAT, Alchimist's primary implant, is also implemented in GoLang. The malware features several remotely accessible capabilities that allow it to be customized via the C2 server.

"\[Alchimist\] can generate a configured payload, establish remote sessions, deploy payloads to the remote machines, capture screenshots, perform remote shellcode execution and run arbitrary commands," the report noted. Giving it those capabilities are a variety of malware tools, including a Mach-0 backdoor for macOS and a separate macOS malware dropper that exploits a known vulnerability in a root program associated with major Linux distributions (CVE-2021-4034).

Of note, the Insekt RAT implants that Alchimist generates features a wide range of capabilities that essentially makes it a Swiss Army knife for the attackers on the infected system, Biasini says.

A campaign utilizing the attack framework has been active since at least January. 

"Although Talos does not have information on the precise targeting intended in this campaign, the intention of the attacks is to compromise and establish long-term access into victim environments," Biasini says.

**Stand-Alone Frameworks**

Cisco Talos has compared the Alchimist framework with another attack framework it discovered recently, dubbed Manjusaka. In a report in August, the company described Manjusaka as a Chinese sibling of Cobalt Strike and Sliver that a threat actor was actively using in a campaign involving COVID-19 and China-themed lure documents.

Both Alchimist and Manjusaka are stand-alone, single-file-based C2 frameworks with similar design philosophies but different implementations. Both come ready to use with no installation required, and both can patch and generate implants such as the Insekt RAT on the fly, Cisco Talos said.

One feature of the new C2 that the company highlighted as being notable is its ability to generate PowerShell and wget code snippets for Windows and Linux.

The snippets give threat actors the ability to create an infection vector for Insekt RAT without having to author custom code or utilize additional tools, Biasini says. Attackers can simply add the PowerShell/wget code to a delivery vector such as a malicious document's VBA Macro or to a malicious shortcut file and then distribute it to victims for infection. 

"This offering may be an attempt by the authors to provide bonus features in the C2 framework and make it more enticing to threat actors," he notes.

Feature-Rich 'Alchimist' Cyberattack Framework Targets Windows, Mac, Linux Environments

Company enables organizations to mark endpoint performance and take immediate action to mitigate risk.

KIRKLAND, Wash., Oct. 13, 2022 – Tanium, the industry’s only provider of converged endpoint management (XEM), today announced the launch of Tanium Benchmark, an industry-first solution that delivers real-time, holistic assessments of the security and operational risks associated with connected endpoints, empowering teams to prioritize efforts, collaborate effectively, and take risk-mitigation action while reducing IT costs and complexity.

Benchmark, powered by the Tanium XEM platform, determines real-time risk scores by analyzing up-to-date, comprehensive data from millions of endpoints across Tanium’s global customer base. Benchmark compares a customer’s endpoint metrics against their industry peers to establish a baseline for ongoing measurement and evaluation. Benchmark also enables IT operations, risk, and security teams to provide corporate board members and executive leadership with just-in-time data to make more informed decisions.

“A near-real-time risk score with comprehensive visibility into the state of endpoints enables executives to better understand the impact of cyberattacks on business outcomes,” said Phil Harris, research director in the Cybersecurity Risk Management Services practice at IDC. “Decision makers can prioritize severe vulnerabilities and response to breaches much nor quickly to reduce the attack surface radically.”

Customer IT and operations teams can utilize Tanium Benchmark findings to manage and track the current state of endpoints and mitigate risk proactively based on more than 20 different metrics including vulnerability, outstanding patches, and lateral movement risk.

“Without accurate real-time data, you are flying blind and unable to make the best decisions from a security and risk perspective,” said Tanium Chief Product Officer Nic Surpatanu. “Tanium Benchmark is a game-changer with its unprecedented insight that instantly assesses the very heart of your most important functions—IT, Risk, and Compliance—and delivers the ability to compare and contrast scores with similar organizations, bringing unique clarity to what is working and where there are areas for improvement. Benchmark enables you to make accurate and effective decisions on where to invest to improve your risk posture.”

Get your no-cost risk assessment now to experience the peace of mind that Tanium Benchmark delivers and make the most of your technology investments.

About Tanium  
Tanium, the industry’s only provider of converged endpoint management (XEM), leads the paradigm shift in legacy approaches to managing complex security and technology environments. Only Tanium protects every team, endpoint, and workflow from cyber threats by integrating IT, Compliance, Security, and Risk into a single platform that delivers comprehensive visibility across devices, a unified set of controls, and a common taxonomy for a single shared purpose: to protect critical information and infrastructure at scale. Tanium has been named to the Forbes Cloud 100 list for seven consecutive years and ranks on Fortune’s list of the Best Large Workplaces in Technology. In fact, more than half of the Fortune 100 and the U.S. armed forces trust Tanium to protect people; defend data; secure systems; and see and control every endpoint, team, and workflow everywhere. That’s the power of certainty. Visit www.tanium.com and follow us on LinkedIn and Twitter.

Tanium Benchmark Sets New Standard for Tracking and Improving Security and Operational Metrics

The QAKBOT group has successfully ramped up its operations, infecting systems, installing attack frameworks, and selling access to other groups, including Black Basta.

The QAKBOT malware group resumed expanding its access-as-a-service network in early September, successfully compromising hundreds of companies with common second-stage payloads, including Emotet malware and two popular attack platforms, threat researchers said this week.

In the most recent incident, cybersecurity firm Trend Micro observed QAKBOT-infected systems deploying Brute Ratel, an "adversary emulation" platform used by penetration testers, but also — along with Cobalt Strike — used by cybercriminals for its sophisticated capabilities. Another group, known as Black Basta, is likely responsible for the subsequent attacker activity using the two platforms, Trend Micro said.

Black Basta's use of the QAKBOT, also known as QBot or Pinkslipbot, highlights how cybercriminal groups are specializing in particular attack-chain activities, says Jon Clay, vice president of threat intelligence for Trend Micro.

"QBot appears to have improved their offering as they have to compete with other groups selling similar services in the underground — BlackBasta is one such group that feels their tool set works for them," he says. "They continue to update their code and malware to enhance obfuscation and ability to successfully compromise victims."

After QAKBOT infects a system, the attack tools conducts automated reconnaissance and then downloads and installs Brute Ratel, which is then used by Black Basta to move laterally to other systems in the network and execute payloads, according to Trend Micro's report.

Other security firms have also noted that cybercriminal groups have increasingly focused on specific elements of the attack chain. While QAKBOT started out as a banking trojan, different groups have augmented its capabilities with additional modules, according to the NCC Group, a threat intelligence firm.

"QBot is considered a banking Trojan, but thanks to its modular design, it can also act as an infostealer, a backdoor — with its _backconnect_ module — and a downloader," the Global Threat Intelligence Team at NCC Group said in response to questions from Dark Reading, adding: "After the takedown attempt on Emotet and the recent pause of its operation, QBot and Bokbot had been sharing the market."

The approach has garnered success for the group. In a separate report, threat researchers at cybersecurity firm Kaspersky said that QAKBOT had infected at least 1,800 victims, at least half of which are business systems or workers' computers.

Black Basta is just one of the groups that have either use a QAKBOT service or distribute the malware themselves. The Black Basta group first appeared in April, conducting double extortion operations in which the attacker installs ransomware and steals data to put pressure on the business to pay the ransom. The group is likely made up of member of the Conti gang, which dissolved in May, but whose members continue to be a threat.

**Brute Ratel in the QAKBOT Mix**  
In May, a malicious file linked to the attack tool, Brute Ratel, was uploaded to VirusTotal, a common way to check whether current anti-malware scanners can detect a new variant. None of the 56 scanners detect that the file contained malicious code, Mike Harbison and Peter Renals, two threat researchers at network security firm Palo Alto Networks, wrote in an analysis of Brute Ratel in July.

The attack likely came from a Russian group known as APT29 and poses issues for companies, the researchers stated.

"While \[Brute Ratel C4\] has managed to stay out of the spotlight and remains less commonly known than its Cobalt Strike brethren, it is no less sophisticated," Harbison and Renals wrote. "Instead, this tool is uniquely dangerous in that it was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities."

Trend Micro concurred with Palo Alto Networks that, while Cobalt Strike is a well-known payload used by many cybercriminals, more attackers are starting to use Brute Ratel for extending their compromise and delivering payloads, especially after stolen code and leaked licenses have made pirated copies of the software available.

Obscurity helps the program be successful, Trend Micro stated in its analysis.

"This makes Brute Ratel and other less established C2 frameworks an increasingly more attractive option for malicious actors, whose activities may remain undetected for a longer period," the company stated.

Since the current QAKBOT group extensively uses spam, targeted emails, and compromising email threads as a way to distribute the initial links and malware, Trend Micro recommends that users follow email security best practices, such as verifying the email sender and content before downloading attachments and hovering over embedded links to see the actual target URL. Security-awareness training is important part of raising the level needed to infect a company.

Source

DARKReading