APT42 is posing as a friend to people considered threats to the government, using a raft of different tools to steal relevant info and perform surveillance.

A well-resourced advanced persistent threat (APT) group aligned with Iran's Revolutionary Guard Corps Intelligence Organization (IRGC-IO) and active since 2015 is targeting perceived threats to the Iranian government with sophisticated cybercriminal and surveillance operations, based on social engineering and fraudulent trust relationships.  

APT42, believed to be a subset of APT35/Charming Kitten/Phosphorus, uses highly targeted spear-phishing and social-engineering techniques in which they get victims to trust them, according to a blog post and detailed report (PDF) by Mandiant released Wednesday.

The goal is to exploit those relationships to steal personal info and credentials, after which the group then moves deeper into corporate networks, or targets colleagues or family of the victim to steal yet more data and perform other nefarious activities.

APT42 also engages in surveillance by installing Android spyware on mobile devices to keep a constant eye on targets. This is to ensure "regime stability by monitoring, and subsequently even arresting, those they deem to be a threat to the regime," Mandiant researchers told Dark Reading.

Threat actors also sometimes use Windows malware to complement these primary methods of attack, researchers said. Indeed, APT42 is capable of conducting multiple types of operations at any given time, Mandiant researchers told Dark Reading, which is somewhat unique. The group has already been identified as the perpetrator in about 30 known campaigns — a number that Mandiant suspects is a low estimate.

"Not only does APT42 conduct 'traditional' cyber-espionage activity targeting organizations in order to obtain information of strategic relevance to the Iranian government, the group also conducts targeted surveillance operations against individuals," researchers said in an email interview.

In terms of threats to the private sector, "APT42 has a propensity to target both personal and corporate email accounts of individuals and organizations of interest," they told Dark Reading. "They also change their targeting patterns over time as Iranian government priorities change."

Here at home, current and former US government officials and researchers at think tanks and in academia involved in Iran-relevant policy-making or research already have been targets of APT42, and this activity is not likely to cease, researchers said. In fact, the group may even cast a wider net and extended its activities to government contractors working on the same Iran-related issues, researchers told Dark Reading.

**3 Stages of Threat Activity**

APT42 has three main areas of threat activity. Initial compromise is done via credential harvesting, using targeted spear-phishing campaigns that emphasize developing trust with the victim beforehand. This is done by impersonating journalists or other professionals that a victim might trust or want to connect with.

The group then uses this entry method to collect multifactor authentication (MFA) codes so they can bypass security protections and pursue deeper access to the networks, devices, and the accounts of employers, colleagues, and relatives to steal information that might be relevant to the government.

The second key activity of the group is to conduct surveillance operations through Android mobile malware that tracks locations, monitors communications, and keeps track of the activities of dissidents and other people of interest to the government.

Finally, the group also has in its arsenal a raft of malware, including custom backdoors and other "lightweight" tools that it uses for operations that go beyond credential harvesting, researchers said.

**Connections to Other Threat Groups**

The state-backed APT has been on the radar screen for security researchers since it commenced operations in 2015. It's tracked via a number of nomenclatures by different companies, including TA453 (Proofpoint), Yellow Garuda (PricewaterhouseCoopers), and ITG18 (IBM).

APT42 also has connections to and is likely a subset of APT35, the prolific group better known as Charming Kitten, but it has a different set of goals, researchers said.

Charming Kitten focuses more on long-term, malware-intensive operations targeting organizations and companies in the United States and Middle East to steal data to support the Iranian military and government operations. APT42, in contrast, targets specific individuals and organizations that the regime has its eye on for the purpose of domestic politics, foreign policy, and regime stability, researchers said.

**Specific, Agile State-Sponsored Cyber Campaigns**

Over the years, researchers have identified specific campaigns linked to APT42 and occasionally attributed to APT35/Charming Kitten/Phosphorus, due to the complexity of tracking the group's numerous operations, and the differences in how threat actors are identified.

A phishing campaign tied to APT42 and dubbed "Operation SpoofedScholars" occurred last year, with the group impersonating scholars with the University of London's School of Oriental and African Studies (SOAS). The operation targeted individuals focused on Middle East affairs in the United States and the United Kingdom to gain access to personal email inboxes.

Earlier this year, APT42 impersonated a legitimate British news organization in a February campaign targeting professors in Belgium and the United Arab Emirates that had ties to local governments or relatives holding dual citizenship in Iran, according to Mandiant. The activity obtained the personal email credentials of its targets, luring them by using a customized PDF document that invited them to an online interview, but instead linking them to a Gmail credential-harvesting page.

In addition to targeting scholars and journalists, APT42 also shows versatility and agility in its operations, researchers said. It was among threat groups that jumped on the bandwagon of targeting researchers in the pharmaceutical sector during the COVID-19 pandemic, with a campaign that occurred in its initial phase in March 2020, according to Mandiant.

"This indicates that APT42 is trusted by the Iranian government to quickly react to geopolitical changes by adjusting their flexible operations to targets of operational interest to Tehran," researchers said.

**Who's at Risk?**

Iran, like China and Russia, has a raft of threat actors at its service to conduct malicious cyber activity against organizations and individuals that the government has identified are threats. Its current offensive stance and rising cyber conflict with the United States is due to the unique position in geopolitics that the country currently occupies, Mandiant researchers told Dark Reading.

"The combination of regional tensions, the nuclear deal's negotiations, and domestic unrest about economic and social issues create an environment in which a group such as APT42 thrives," researchers said.

The group’s ability to pivot depending on the intentions of the government will continue to pose an immediate threat to both individuals and organizations globally, with global events and local politics continuing to drive operations and targeting priorities, Mandiant researchers said.

Iran-Linked APT Cozies Up to 'Enemies' in Trust-Based Spy Game

Here are a few measures your organization can implement to minimize fraudulent behavior and losses.

Since the Great Resignation in 2021, millions of employees across the nation have left their roles with current employers in search of better ones. According to Microsoft, 40% of employees reported they are considering leaving their current roles by the end of 2022. With many still working in remote or hybrid positions due to the pandemic, larger businesses have started implementing measures to gain a better understanding of employee morale and sentiment to prevent turnover.

While most employees leave companies on good terms, some may become extremely unhappy or disgruntled prior to their departure and are more likely to defraud the company either before leaving or on their way out the door. The unfortunate reality is that no business is immune to fraud, but luckily, there are several steps you can take to prevent it from happening.

**Understand Contributors to Fraudulent Behavior**

According to the Cressey Fraud Triangle, fraudulent behavior often occurs due to three contributing factors. These include pressure or motive to commit a fraud (usually a personal financial problem), perceived opportunity within the organization to commit a fraud (poor oversight or internal controls), and rationalization (the ability to justify the crime to make it seem acceptable).

Very often, a fraudster needs all three sides of the triangle to successfully commit a crime. Therefore, it is extremely important for organizations to do their best to create controls and understand the risk associated with each of these areas. For example, an employee may be disgruntled and also have personal financial issues. However, if internal controls are robust and the employee doesn't have access to financial instruments, valuable assets or software systems, their ability to defraud the company is extremely limited or will get identified immediately.

Additionally, there are actions an organization can take that may significantly mitigate the risk that an employee would find themselves in a situation where they could justify stealing from their employer, even if internal controls are limited or the employee is in a position of a high level of trust or authority. These including offering strong employee assistance programs, investing in the employee experience, exploring employee enrichment opportunities, surveying employees, monitoring morale, performing adequate exit interviews, and completing frequent anti-fraud training.

**Create a Web of Fraud Detectors**

There are typically eight key warning signs which may indicate an employee is more likely to commit fraud in an organization. According to the ACFE Global Fraud Survey, the top three are living beyond one's means, financial difficulties, and an unusually close association with a vendor/customer. Businesses must stay vigilant and identify potentially fraudulent behavior as soon as possible; monitoring for red flags among employees is often a helpful step.

Educating all employees about how to identify warning signs and report fraudulent activity is a beneficial practice for any business. According to that same ACFE Global Fraud Survey, organizations that implement fraud awareness training and other anti-fraud controls have seen quicker fraud detection and lower fraud losses as a result of their efforts. In fact, 42% of fraud is discovered by a tip, and 55% of all fraud is reported by employees of the company. Utilizing company employees to monitor for fraudulent behavior within the organization and creating a culture in which fraud is unacceptable under all circumstances are helpful in creating a team of full-time fraud detectors.

**Create and Maintain Strong Internal Controls**

There are many aspects about an employee's personal life that an employer can't control. And no matter how hard you try, an employer cannot always keep all employees engaged, satisfied and ultimately happy. But employers can control the opportunity side of the fraud triangle.

Establishing and maintaining strong and effective internal controls can greatly improve the chances that an organization either prevents fraudulent behavior or detects it before it can damage the company. Specifically, adequate fraud prevention controls over bank account activity, cash handling, purchasing and vendor management, credit card use, expense reimbursements, payroll, and inventory are crucial in protecting the company against a rogue employee who uses their position to misappropriate company assets.

When employers create enriching work environments where their employees feel supported and can convey internal or external stressors, they're boosting employee morale and minimizing the risk of fraudulent behavior. Unfortunately, you can't control all employee behavior no matter how hard you try, so it is crucial to also invest in adequate anti-fraud controls and trainings to protect your company even further. Very often, the cost of anti-fraud activities is far less than the cost of an actual fraud. Unfortunately, many companies don't discover this fact until it's too late.

Some Employees Aren't Just Leaving Companies — They're Defrauding Them

A relative newcomer to the ransomware scene, the BlackCat group quickly gained notoriety and may be associated with other APT groups like Conti and DarkSide.

Did you know that the BlackCat ransomware group has successfully breached more than 60 organizations in a couple of months? Government, healthcare, or public utilities — the group has made it abundantly clear that everyone is a target and will demand ransoms that can reach into the millions. Our own research shows that the BlackCat cybergroup favors exploiting vulnerabilities found in Windows operating systems, Exchange servers, and Secure Mobile Access products. Let's break down their tactics and ways to defend against their attacks. 

**Who is BlackCat?**

BlackCat (also known as AlphaV, AlphaVM, ALPHV, ALPHV-ng, or Noberus) is a relative newcomer to the ransomware scene but quickly gained notoriety during its first active months. Discovered in November 2021, the group was feared for its sophistication. Experts and researchers believe the group may be associated with other advanced-persistent threat (APT) groups like Conti, DarkSide, Revil, and BlackMatter.

**BlackCat: The Brief**

BlackCat has been observed to have the knowledge to exploit these five vulnerabilities: CVE-2016-0099 (High), CVE-2019-7481 (High), CVE-2021-31207 (High), CVE-2021-34473 (Critical), and CVE-2021-34523 (Critical).  
\[1\]CVE-2021-34473 and CVE-2021-34523, are both critical vulnerabilities found in Microsoft Exchange Server and require immediate remediation.

Although CVE-2021-31207, CVE-2021-34473, and CVE-2021-34523 have high severity scores, they should still take priority in patching efforts for their potential use in vulnerability chaining attacks and have multiple known threat actor associations.

CVE-2019-7481 is an SQL injection vulnerability that impacted SonicWall SMA100 version 9.0.0.3 and earlier. As this version is longer supported by the vendor, an immediate version upgrade is advised.

**How BlackCat Operates**

BlackCat's entry into an organization's network begins by leveraging stolen access credentials. At the pace security breaches occur, it is difficult to gauge how many credentials are stolen or leaked to the public every year, but about 20,000 (or 50%) of security incidents in 2021 were initiated by stolen credentials. 

After initial access is made, BlackCat or similar ransomware groups silently collect information, mapping the entire network and manipulating accounts for deeper access. Vendor-specific ransomware is then created based on the intelligence gathered during the initial phase of the attack, and security/backup systems are disabled or made to appear to be functioning as expected. The final step is to execute the ransomware and drop ransom notes on their unsuspecting victims.

**Notable Characteristics**What sets BlackCat apart from other ransomware groups is its ability to create highly tailored executables for their intended target that contribute to its reputation for sophisticated attack patterns across environments.

BlackCat develops its tools with the Rust programming language which brings greater stability and integration possibilities. By taking advantage of command-line-driven and human-operated code, BlackCat brings a higher level of configuration.

Its ransomware can then encrypt victims' data with four types of encryption methods. The code can be deployed across different platforms, including Linux and Windows-based systems.

BlackCat also engages in the practice of selling its services to others, or more commonly known as ransomware-as-a-service. Although BlackCat is the first known group to develop its ransomware with the Rust programming language, its use is now becoming common in threat circles. The group is further known for its speedy data encryption, which gives victims a smaller window and fewer chances of preventing prolonged damage and disruption to their services. The group's public leak site makes it simple for users to search their database of stolen information by victim name, password, and document type.

**How Organizations Can Prevent a BlackCat Attack**The ransomware group is quickly becoming the preferred ransomware-as-a-service provider for many threat actors today. Although the true extent of BlackCat's havoc may never fully be known, more than 60 incidents involving the group have pushed the FBI to release an advisory warning of the group's potential danger.

Keeping this information in mind, here are some actions businesses and organizations can take to protect themselves from a ransomware attack.

Patch vulnerabilities that are known to be exploited by the group, like the ones listed at the top of this article. Make sure unused network ports are properly protected.

Deploy multi-factor authentication for all users, require consistent identity verification, and routinely refresh passwords.

Regularly perform attack surface management scans to identify exposures within organization assets like servers, applications, and cloud-connected deployments.

Consider a professional penetration test of company networks to find unknown exposures.

Maintain separate backup data to avoid contamination in the event of a ransomware attack.

Although the threat landscape evolves and BlackCat's methods adapt over time, organizations have a responsibility to consistently monitor their networks and patch vulnerabilities accordingly. Many vulnerabilities, like CVE-2016-0099 found in Microsoft Windows, have been known for years and yet are exploited today. When it comes to ransomware groups, give them an inch, and they will take a mile.

Everything You Need To Know About BlackCat (AlphaV)

The threat actor — whose techniques and procedures do not match known groups — has created custom attack tools, including a program that hides scripts in .PNG images.

A relatively new cyber-espionage group is using an intriguing custom arsenal of tools and techniques to compromise companies and governments in Southeast Asia, the Middle East, and southern Africa, with attacks aimed at collecting intelligence from targeted organizations.

According to an analysis published on Tuesday by cybersecurity firm ESET, the hallmark of the group, which is dubbed Worok, is its use of custom tools not seen in other attacks, a focus on targets in Southeast Asia, and operational similarities to the China-linked TA428 group.

In 2020, the group attacked telecommunications companies, government agencies, and maritime firms in the region before taking a months-long break. It restarted operations at the beginning of 2022.

ESET issued the advisory on the group because the company's researchers have not seen many of the tools used by any other group, says Thibaut Passilly, a malware researcher with ESET and author of the analysis.

"Worok is a group that uses exclusive and new tools to steal data — their targets are worldwide and include private companies, public entities, as well as governmental institutions," he says. "Their usage of various obfuscation techniques, especially steganography, makes them really unique."

**Worok's Custom Toolset**

Worok bucks the more recent trend of attackers using cybercriminal services and commodity attack tools as these offerings have blossomed on the Dark Web. The proxy-as-a-service offering EvilProxy, for example, allows phishing attacks to bypass two-factor authentication methods by capturing and modifying content on the fly. Other groups have specialized in specific services such as initial access brokers, which allow state-sponsored groups and cybercriminals to deliver payloads to already-compromised systems.

Worok's toolset instead consists of an in-house kit. It includes the CLRLoad C++ loader; the PowHeartBeat PowerShell backdoor; and a second-stage C# loader, PNGLoad, that hides code in image files using steganography (although researchers have not yet captured an encoded image).

For command and control, PowHeartBeat currently uses ICMP packets to issue commands to compromised systems, including running commands, saving files, and uploading data.

While the targeting of the malware and the use of some common exploits — such as the ProxyShell exploit, which has been actively used for more than a year — are similar to existing groups, other aspects of the attack are unique, Passilly says.

"We have not seen any code similarity with already known malware for now," he says. "This means they have exclusivity over malicious software, either because they make it themselves or they buy it from a closed source; hence, they have the ability to change and improve their tools. Considering their appetite for stealthiness and their targeting, their activity must be tracked."

**Few Links to Other Groups**

While the Worok group has aspects that resemble TA428, a Chinese group that has run cyber-operations against nations in the Asia-Pacific region, the evidence is not strong enough to attribute the attacks to the same group, ESET says. The two groups may share tools and have common goals, but they are distinct enough that their operators are likely different, Passilly says.

"\[W\]e have observed a few common points with TA428, especially the usage of ShadowPad, similarities in the targeting, and their activity times," he says. "These similarities are not that significant; therefore we link the two groups with low confidence."

For companies, the advisory is a warning that attackers continue to innovate, Passilly says. Companies should track the behavior of cyber-espionage groups to understand when their industry might be targeted by attackers.

"The first and most important rule to protect against cyberattacks is to keep software updated in order to reduce the attack surface, and use multiple layers of protections to prevent intrusions," Passilly says.

Mysterious 'Worok' Group Launches Spy Effort With Obfuscated Code, Private Tools

What under-the-hood details of newly discovered attack control panel tells us about how the Evil Corp threat group manages its ServHelper backdoor malware campaigns.

A newly discovered cyberattack panel dubbed TeslaGun has been discovered, used by Evil Corp to run ServHelper backdoor campaigns.  

Data gleaned from an analysis by the Prodraft Threat Intelligence (PTI) team shows the Evil Corp ransomware gang (aka TA505 or UNC2165, along with half a dozen other colorful tracking names) has used TeslaGun to carry out mass phishing campaigns and targeted campaigns against more than 8,000 different organizations and individuals. The majority of targets have been in the US, which accounted for more than 3,600 of the victims, with a scattered international distribution outside of that.

There has been a continued expansion of the ServHelper backdoor malware, a long-running and constantly updated package that's been kicking around since at least 2019. It began picking up steam once again in the second half of 2021, according to a report from Cisco Talos, spurred by mechanisms like fake installers and associated installer malware like Raccoon and Amadey. 

Most recently, threat intelligence from Trellix last month reported that the ServHelper backdoor has recently been found dropping hidden cryptominers on systems.

The PTI report, issued Tuesday, delves into the technical specifics behind TeslaGun, and offers some details and tips that can help enterprises move forward with important countermeasures to some of the prevailing backdoor cyberattack trends today.

Backdoor attacks that circumvent authentication mechanisms and quietly establish persistence on enterprise systems are some of the most disconcerting for cybersecurity defenders. That's because these attacks are notoriously difficult to detect or prevent with standard security controls. 

**Backdoor Attackers Diversify Their Attack Assets**

PTI researchers said they observed a wide range of different victim profiles and campaigns during their investigations, supporting previous research that showed ServHelper attacks are trawling for victims in a variety of simultaneous campaigns. This is a trademark attack pattern of casting a wide net for opportunistic hits.

"A single instance of the TeslaGun control panel contains multiple campaign records representing different delivery methods and attack data," the report explained. "Newer versions of the malware encode these different campaigns as campaign IDs."

**But Cyberattackers Will Actively Profile Victims**

At the same time, TeslaGun contains plenty of evidence that attackers are profiling victims, taking copious notes at some points, and conducting targeted backdoor attacks.

"The PTI team observed that the main dashboard of the TeslaGun panel includes comments attached to victim records. These records show victim device data such as CPU, GPU, RAM size and internet connection speed," the report said, explaining this indicates targeting for cryptomining opportunities. "On the other hand, according to victim comments, it is clear that TA505 is actively looking for online banking or retail users, including crypto-wallets and e-commerce accounts."

The report said that most victims appear to operate in the financial sector but that this targeting is not exclusive.

**Resale Is an Important Part of Backdoor Monetization**

The way that the control panel's user options are set up offered researchers a lot of information about the group's "workflow and commercial strategy," the report said. For example, some filtering options were labeled "Sell" and "Sell 2" with victims in these groups having remote desktop protocols (RDP) temporarily disabled through the panel.

"This probably means that TA505 can not immediately earn a profit from exploiting those particular victims," according to the report. "Instead of letting them go, the group has tagged those victim’s RDP connections for the resale to other cybercriminals."

The PTI report said that based on the researchers' observations, the group's internal structure was "surprisingly disorganized" but that its members still "carefully monitor their victims and can demonstrate remarkable patience, especially with high-value victims in the finance sector."

The analysis further notes that the strength of the group is its agility, which makes it hard to predict activity and detect over time.

Nevertheless, the backdoor attackers aren't perfect, and this can offer some clues for cybersecurity pros looking to thwart their efforts.

"The group does exhibit some telltale weaknesses, however. While TA505 can maintain hidden connections on victims’ devices for months, its members are often unusually noisy," the report said. "After installing ServHelper, TA505 threat actors may manually connect to victim devices through RDP tunneling. Security technologies capable of detecting these tunnels may prove vital for catching and mitigating TA505's backdoor attacks."

The Russian-linked (and sanctioned) Evil Corp has been one of the most prolific groups of the last five years. According to the US government, the group is the brain trust behind the financial Trojan Dridex and has associations with campaigns using ransomware variants like WastedLocker. It continues to hone a raft of weapons for its arsenal as well; last week, it came to light that it's associated with Raspberry Robin infections.

TeslaGun Primed to Blast a New Wave of Backdoor Cyberattacks

Hours after Los Angeles Unified School District hit with ransomware attack, CISA issued an alert that threat actors are actively targeting the education sector.

As the school year kicks off across the country, the US Cybersecurity and Infrastructure Security Agency (CISA) issued a warning to districts that threat actor group Vice Society is targeting their systems.

The notice comes just hours after the Los Angeles Unified School District confirmed it was the target of a successful ransomware attack over the weekend. The K-12 school district, the second-largest in the US, has not yet recovered its systems fully, with its main student portal login page out of service, according to local parents speaking to Dark Reading. A district voicemail instructed parents to reset their students' passwords in person or via calling a telephone line, which was seeing hold times of greater than half an hour this morning, parents reported.

"Since the identification of the incident, which is likely criminal in nature, we continue to assess the situation with law enforcement agencies," the LAUSD said in a statement.

CISA explained school districts are attractive targets for ransomware operators because of their vast troves of personal student data stored in their systems.

The advisory added that Vice Society activity can be traced back to summer 2021, and that the group uses a variety of ransomware variants including Hello Kitty/Five Hands, Zeppelin, and others.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

As LA Unified Battles Ransomware, CISA Warns About Back-to-School Attacks

Come up with a clever caption, and our panel of experts will reward the winner with a $25 Amazon gift card.

Actions speak louder than words, especially when you're dealing with a mime. So what's going on here? We offer four convenient ways for you to submit your security-related ideas before the contest closes on Wednesday, Sept. 28, 2022:

*   Email _\[email protected\]_ with the subject line "The Edge September 2022 Toon."
*   Via social media: Twitter, Facebook, and LinkedIn_._

**Last Month's Winner**

Congratulations, Rachel Rawlings, system administrator at Penn Medicine, for winning last month's "Up a Tree" cartoon contest. Rachel's clever caption appears below.  
    

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Name That Edge Toon: Mime's the Word

The founder of Let's Encrypt and an EFF technologist, Eckersley devoted his life's work to making the Internet safer and more secure.

Peter Eckersley, beloved technologist with the Electronic Frontier Foundation (EFF), was a groundbreaking cybersecurity force for online privacy and fairness; he passed Sept. 2 following a brief illness.

Notably, Eckersley founded Let's Encrypt, an organization responsible for the internet's shift from insecure HTTP connections to HTTPS to protect users from threats at the network level. The EFF estimates about 90% of total webpage visits currently use HTTPS.

Eckersley's contributions to the field also include building a tool called Switzerland, which alerts users when their ISP is interfering with Web traffic; net neutrality advocacy; and much more, the EFF announcement explained.

Most recently, he founded a firm called AI Objectives Institute to monitor the malicious use of artificial intelligence (AI) and machine learning (ML).

"The impact of Peter's work on encrypting the web cannot be understated," the EFF announcement said. "Peter's vision, audacity, and commitment made the web, and the world, a better place. We will miss him."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Internet Security & Encryption Pioneer Peter Eckersley Passes at 43

This is the fourth DeadBolt campaign this year against QNAP customers, but it differs from previous attacks in exploiting an unpatched bug instead of a known vulnerability.

A critical zero-day security vulnerability in QNAP's network-attached storage (NAS) devices has been actively exploited in the wild to deliver the DeadBolt ransomware variant.

The vendor warned that the exploitation was first spotted over the weekend, and that "the campaign appears to target QNAP NAS devices running Photo Station with internet exposure." Photo Station allows users to centrally store and manage full resolution photos across devices via QNAP NAS.

QNAP is keeping the details of the bug under wraps for now, but it did recommend in its advisory that users disable the port forwarding function on the router to help mitigate their risk (along with applying strong passwords and performing regular data backups).

The discovery also prompted the company to push out an emergency firmware fix. The updated versions are:

*   QTS 5.0.1: Photo Station 6.1.2 and later
*   QTS 5.0.0/4.5.x: Photo Station 6.0.22 and later
*   QTS 4.3.6: Photo Station 5.7.18 and later
*   QTS 4.3.3: Photo Station 5.4.15 and later
*   QTS 4.2.6: Photo Station 5.2.14 and later

The DeadBolt gang has been hammering QNAP NAS hard this year; this is only the latest campaign using bugs in the system to infect devices. Previous waves of exploitation were seen in May using known vulnerabilities, and twice in June.

DeadBolt stands apart from other NAS-focused ransomware families, researchers noted earlier this year, because it deploys a multitiered scheme aimed at both the vendors and their victims, and offering multiple cryptocurrency payment options.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Critical QNAP NAS Zero-Day Bug Exploited to Deliver DeadBolt Ransomware

The high stakes and unique priorities for Internet of Medical Things devices require specialized cybersecurity strategies.

The Internet of Medical Things (IoMT) arguably stands alone when it comes to the threshold of comprehensive IoT security that healthcare delivery organizations must continually meet. Hospitals, physician practices, and integrated delivery systems need to not only keep their own organizations' Web-connected devices and equipment always compliant and secure, but they also must ensure patient safety isn't at risk (and avoid the significant reputational harm that comes from a public breach).

Adding to this challenge is that healthcare organizations tend to deploy uniquely heterogeneous fleets of IoMT devices that contain higher volumes of particularly vulnerable legacy devices. No other industry harnessing IoT capabilities has stakes as high as healthcare, nor such challenging obstacles. As a result, healthcare security teams must carefully craft approaches to address and mitigate certain risks that simply don't exist in other modern IoT implementations.

There are three key points to understand when building an effective IoMT vulnerability management and security strategy. First, because they face thousands of new vulnerabilities every month, IoMT security teams must pick their battles. Second, managing high device churn means introducing security from the moment of adoption. And third, security leaders must form collaborative teams of experts to manage myriad high-risk devices.

**1\. Pick Your Battles**

On average, IoMT device manufacturers publish 2,000 to 3,000 vulnerabilities _every month_. However, they publish patches for only about one in 100 at best. Healthcare delivery organizations can't simply scan IoMT devices for vulnerabilities because doing so will cause many legacy devices to crash. Security teams may attempt to just segment every device for vulnerability remediation and mitigation, but doing this for every device is complex — and maintaining such a segmentation for IoT and IoMT is even more so. Teams cannot rely on scans, don't have nearly enough patches, and new devices are continually added. Soon enough, segmentation erodes and security teams end up with a flat network.

Here's the good news: Just 1% to 2% of IoMT vulnerabilities actually present a high risk in their given environment. An IoMT device's actual risk is very much a function of environmental specifics — a device's connections, nearby devices, its particular use case, and so on. By conducting an _environment-specific_ exploit analysis, security teams can identify a device's true risks and concentrate their finite resources accordingly. Segmentation and other techniques can then focus on fixing the top 1% to 2% of high-risk devices and vulnerabilities.

Security teams should also be aware that attackers are playing this same game — they're probing for vulnerabilities within environments that can serve as springboards for their attack chains. A simple IoMT monitoring device with no data or significant effect on patient outcomes can still become the first domino in a major security event.

**2\. Introduce Security at Adoption**

Security teams must grapple not only with entrenched legacy IoMT devices, but ever-changing device inventories that churn at a rate of 15% per year. To counter this difficulty, security leaders must demand a seat at the decision-making table when new devices are adopted — or at the very least, a heads-up to properly analyze and address vulnerabilities before devices enter active use. That level of consideration is standard across other industries and must be foundational for an effective IoMT security strategy.

In fact, in most other industries an IT department could veto the adoption of solutions that pose a security liability for the organization. Within healthcare delivery organizations, however, IoMT devices with security issues may nevertheless be essential to the higher-priority goal of providing exceptional patient care and patient experiences. That said, healthcare organizations that incorporate security into their IoMT device _acquisition_ processes enable better ongoing security and risk remediation outcomes.

**3\. Form Collaborative Teams of Experts**

Unlike in industries where CSOs might manage homogeneous arrays of inexpensive IoT sensors and have carte blanche to dismiss devices that present any risk they don't like, healthcare demands an entirely different, and holistic, decision-making process. Clinicians carry tremendous weight when it comes to technology decisions because an IoMT device with high risk from an IT security perspective might significantly reduce risks to a patient from a health perspective. IoMT devices that enhance the patient experience, such as vulnerable NICU cameras that nevertheless allow parents to view their newborns, may also justify putting security teams in a tough position.

While it is understandable to decide in favor of supporting health outcomes, security leaders must be prepared to introduce protections that facilitate those decisions. Maximizing IoMT security effectiveness in these challenging circumstances requires security leaders to build an expert team with substantial collected knowledge of current threats and a collaborative mindset enabling the preparation of optimal countermeasures.

**Make IoMT Security an Organizational Priority**

Healthcare security leaders must help their organizations to recognize the tremendous importance and value of IoMT security, even if patient outcomes and experiences come first. At the same time, security leaders should not be daunted by the difficulty of IoMT risk management. Every small step that reduces risk paves the road to a strong security posture.

Source

DARKReading