Today, the processing of mountain-high stacks of alarms is considered "security." That system is failing customers and the cybersecurity workforce.

In one of my first jobs, I worked as a file clerk. I would arrive early in the morning to be greeted by a mountain-high stack of manila folders to process. I would spend the day knocking down the pile, only to be greeted by a new one the next day. It was clear that I was never going get ahead in that job.

Recently, I read a cybersecurity provider's infographic that depicts the logs from 350,000 machines feeding a security information and event management (SIEM) system, resulting in a data lake consisting of 1.1 billion security events. An artificial intelligence detection layer, employing thousands of algorithms, processes those billions of events into an investigation layer and visualization platform.

My first thought was, it's that clerk job all over again! How can a security operations center (SOC) team possibly get ahead in this environment? At a time when SOCs are more critical than ever, SOC analysts have never been stretched so thin from the relentless, reactive, and "always on" mode their job demands. As a result, the cybersecurity industry is in danger of losing a generation of talented analysts because of low morale, crushing workloads, and new security products that are built upon outdated approaches.

There is already a well-documented shortage of qualified security personnel today. According to the "(ISC)2 Cybersecurity Workforce Study," the shortage is estimated to reach 2.72 million globally. Increased workloads are a major contributor to burnout in our industry. In a survey conducted last fall, 51% of professionals surveyed were kept up at night by the stress of their jobs, and nearly half were working more than full-time hours.

Security teams are drowning in a sea of alert fatigue, incident response workload, and false positives. In today's cybersecurity ecosystem, the processing of mountain-high stacks of alarms is considered "security." That system is simultaneously failing customers and the cybersecurity workforce. Indeed, a recent study shows 45% of all daily security alerts are false positives, and 75% of organizations spend an equal amount — or more — on false positives than on legitimate attacks. In a multicontinent survey of security experts, 74% claimed their volume of false positives was steady or rising and 26% shared they "turn off alerts because they are too noisy." It comes as no surprise, therefore, that in 2022, many IT professionals are leaving their jobs — and the industry entirely.

Cybersecurity professionals are charged with protecting vital business as well as personal and national interests. With the average cost of a data breach now at an all-time high of $4.35 million and 83% of organizations having experienced more than one breach, the impact these professionals bring to the business is clear. A dearth of qualified people will only make the challenges of maintaining our vital interests more difficult, creating a terrible cycle. Providing the best work environment possible to retain and attract highly skilled professionals must become our highest priority as it is essential for long-term business success.

**Better Tools**

The problem cannot be solved by raising a few salaries. Instead, a transformative new approach is needed in which cybersecurity professionals have access to better tools and technologies so they can apply their talents and energies to address their actual priorities instead of chasing seemingly endless false positives and security alerts that lead nowhere and do not result in better organizational security. Not only will such a cybersecurity workforce be more fulfilled, but they will also be able to maintain a realistic work-life balance as well as deliver tangible value to business. Without this twofold approach to industry reform, we will continue to see the best and the brightest reconsider their chosen field and look elsewhere for opportunity, resulting in a massive destabilization of infrastructure.

We must immediately embrace new approaches that focus on prevention at scale and offer technologies that dramatically reduce incident response and false alerts. As singer-songwriter John Mayer describes gravity, "Twice as much ain't twice as good." Reducing the flood of alerts will make room for much-needed focus. Embracing a preventative approach will free up cybersecurity professionals to address their real priorities: protecting their clients, defeating malicious attackers, maintaining secure business continuity, and delivering more business value.

Cybersecurity professionals should be outthinking and outmaneuvering adversaries rather than being mired in alerts. The resulting security and protection will provide even more benefit to their organizations. It is possible to create a future for the cybersecurity industry that allows professionals to lead balanced lives while maintaining fulfilling careers without sacrificing the safety of critical networks.

Even though cyber threats continue to evolve and increase, forward-leaning organizations that embrace new, preventive approaches are benefiting from superior security, better business results, and meaningful, impactful work for their talented cybersecurity professionals. Employ a new preventative approach. Reduce the noise. Create better outcomes. Retain your best talent.

We Can Save Security Teams From Crushing Workloads. Will We?

Some 400 mobile apps have posed as legitimate software on Google Play and the Apple App Store over the past year, and were designed to steal Facebook user credentials.

Facebook is contacting about 1 million users of its platform about their account details potentially being compromised by malicious Android or iOS applications.

In a blog post on Oct. 7, Facebook's parent company Meta said its researchers had detected 400 malicious Android and iOS apps over the past year that were designed to steal usernames and passwords belonging to Facebook users and to compromise their accounts. The poisoned apps were uploaded to Google's and Apple's app stores and masqueraded as legitimate games, VPN services, photo applications, and other utilities.

When users downloaded and attempted to use one of the malicious apps, it would prompt them to enter the user's Facebook username and password. If a user entered their credentials, attackers would gain full access to the individual's account, private information, and their friends on the social media platform, Meta said.

"This is a highly adversarial space, and while our industry peers work to detect and remove malicious software, some of these apps evade detection and make it onto legitimate app stores," David Agranovich, Meta's director of threat disruption, and Ryan Victory, malware discovery and detection and engineer, wrote in the blog post. 

Meta reported the apps to Apple and Google, and the researchers noted, "We are also alerting people who may have unknowingly self-compromised their accounts by downloading these apps and sharing their credentials and are helping them to secure their accounts."

**Posed as Legitimate Apps**

Many of the iOS and Android apps that Meta detected on Apple and Google's mobile stores purported to have some fun or useful functionality, like music players and cartoon image editors. A plurality (42%) posed as photo editors, some of which claimed they could turn a user's photo into a cartoon. 

About 15% purported to be business utilities, such as VPNs that claimed to help users access blocked content and websites or to boost their Internet browsing speeds; 14% were phone utilities, such as flashlight apps that purportedly helped brighten the phone's flashlight. 

Mobile games accounted for about 11% of the 400 or so malicious apps that Meta's researchers discovered. Fake reviews might have helped boost the reputation of some of these apps and helped hide potential negative reviews of these apps, Meta said.

Facebook did not say how many of the 400 apps were Android-based. But Apple said that out of the 400 total apps mentioned in Meta's blog post, 45 were on iOS — leaving 355 for Android. 

A Google spokesman says all the apps identified in the Meta report are no longer available on Google Play. "Users are also protected by Google Play Protect, which blocks these apps on Android," he said.

Apple also confirmed that the apps were removed from the App Store.

**An Ongoing Issue

The issue of malicious apps finding their way into Google and Apple's official mobile stores is by no means new. Both companies have been dealing with the problem for years and have implemented numerous mechanisms for vetting third-party applications published to their stores. 

However, malware authors have consistently been able to sneak their apps in anyway. One tactic that attackers have commonly used to bypass Google and Apple's testing processes has been to separate the malicious capabilities of the software from the benign and using a dropper to install the malicious code later once the testing is complete.

Over the years, numerous vendors have reported discovering malicious apps disguised as legitimate software on both stores. One of the more recent examples is BitDefender's discovery of 35 malicious apps on Google Play that together had some 2 million downloads. The security vendor found some of the apps, which were designed to serve ads, renamed themselves after installation to make detection and removal harder. 

In July, Dr. Web reported discovering and reporting to Google nearly 30 adware Trojans on Google Play with combined downloads of more than 9.8 million.

While attackers have tended to target Play more heavily, there have been numerous similar instances on the Apple App Store as well. In September, Human Security's Satori research team reported on a massive ad-serving operation that involved dozens of malicious apps on Google Play and at least nine on the Apple App Store. Together, the apps were downloaded about 13 million times since at least 2019.

**

Meta Flags Malicious Android, iOS Apps Affecting 1M Facebook Users

Test methodologies published today, and their scope includes security effectiveness, performance, stability and reliability, and total cost of ownership.

**AUSTIN, Texas, Oct. 6, 2022 / PRNewswire/** — CyberRatings.org, the nonprofit entity dedicated to providing transparency on cybersecurity product efficacy, will begin testing Enterprise Firewalls and Data Center Firewalls this fall with group test scores and ratings to be released in 2023. Test methodologies have been published at CyberRatings.org and are provided at no charge.

CyberRatings invites all leading vendors to submit their offerings to be tested for free. Products with significant market share, as well as challengers with innovative technologies, will be included at CyberRatings' discretion. The scope of the methodologies includes security effectiveness, performance, stability and reliability, and total cost of ownership.

Enterprise Firewalls (also known as Next Generation Firewalls) are one of the largest and most mature markets in the industry, projected to grow 10% year over year. A firewall is the first line of defense that monitors incoming and outgoing network traffic. Its purpose is to protect the network by allowing or blocking data packets based on a set of security rules. Without a firewall, networks and data can be vulnerable to thousands of attacks.

"While Cloud Firewalls and SASE are new categories that garner a lot of attention, the Enterprise Firewall market is vast, and while mature, is still growing. Most firewalls remain at the enterprise perimeter or data center," said Vikram Phatak, CEO of CyberRatings.org. "Our test methodologies are designed to address the challenges faced by enterprise security and IT professionals in selecting and managing security products. We welcome feedback from the community about which firewalls should be tested."

CyberRatings.org test reports are primarily reserved for members with a paid subscription. In observance of Cybersecurity Awareness Month and courtesy of Keysight CyPerf, CyberRatings.org is making its recent Cloud Network Firewall test reports for Fortinet, Forcepoint and Juniper Networks available for free. Additional products are currently being tested with ratings and a comparative report to be published in the coming weeks.

If you would like to see an Enterprise Firewall or Data Center Firewall product tested, please contact us at \[email protected\].

**Additional Resources**

*   Follow CyberRatings.org on Twitter
*   Follow CyberRatings.org on LinkedIn

**About CyberRatings.org**

CyberRatings.org is a nonprofit 501(c)6 entity dedicated to quantifying cyber-risk and providing transparency on cybersecurity product efficacy through testing and ratings programs. To become a member, visit www.cyberratings.org.

**SOURCE:**  CyberRatings.org

CyberRatings.org Invites Industry Participation in Forthcoming Enterprise Firewall and Data Center Firewall Tests

The infosec conference named after the UK's calling code returned this year with a focus on building a healthy community.

44CON -- London — After a two-year break, information security conference 44CON returned to London, where passionate security evangelists were joined by architects and managers from leading technology companies to enjoy a two-day festival of cybersecurity research from global headliners. From Sept. 15 to 16, people came to meet, do business, talk, and learn, with the 44CON crew providing fun, great food, and cybersecurity-themed entertainment.

It was a bit like the Babylon 5 of the UK infosec community.

I asked Adrian Mahieu, the founder of 44CON and the driving force behind the conference's resurrection, what motivated him to start up again post-COVID. 

"I wanted to make a conference that I'd like to go to, with some serious, in-depth technical talks \[and\] a few interesting sponsors that are not the usual suspects you'll see at other technical security conferences," he said. "But most interesting for me is getting people talking and learning from each other."  

This focus was apparent even in simple aspects, such as the way conference organizers devoted a large communal area to tabled seating, allowing attendees to share coffee, enjoy some excellent food, or just have impromptu birds-of-a-feather sessions. People at all stages of their cybersecurity careers were present, from eager recent graduates making connections to industry leaders talent-spotting and team-building, as well as a good number of people who justify the descriptor "expert."

Multiple industry sectors were represented, including broadcast entertainment and cloud service providers. "I tell vendors that all they need to bring is a backdrop for their exhibitors table," Mahieu explained. "I don't want those big palatial booths taking up the communal space. I want everyone to feel free to talk together!"

The evening's entertainment included a security communications wargame designed and hosted by innovative game developers Stone Paper Scissors. Threat Condition simulated the problems and issues that ensue after a reputationally damaging cyberattack and highlighted the consequential organizational and communication challenges. SPS designed what I think may be the best tabletop disaster-recovery scenario wargame I have ever seen.

One thing that differentiates 44CON from other conferences is its COVID-19 precautions. 44CON installed high-powered air purifiers throughout the venue to provide clean, breathable air for attendees.

**Chatham House Chats**

Discussions were held under the Chatham House rule, allowing people to speak and share their research freely. In that capacity, I was able to have an in-depth conversation with one of the world's cloud security experts. We discussed the type of events he sees and which ones are the "fire-alarm" events.

"Identity is always first," he said. "Our CIRT responds in minutes to a credential leak on a public source-code repository." 

When considering identity-first security, the joiners, movers, and leavers problem gets writ large, as all the cloud service provider sees is a token. 

"We're faced with a choice when tuning the token lifetime — too short, and the user experience becomes sucky with overly frequent login challenges; too long, and the token becomes vulnerable in such cases as endpoint theft," he said. 

Risk-assessing every transaction from the endpoint is possible. But given the breadth of activity for any cloud service user, this quickly crashes into security's scalability barrier.

Always curious about how the insider problem is evolving, I took the opportunity to ask how leading cloud service providers are addressing traditionally tricky problems, such as data loss prevention, and how that migrates in a cloud environment. Many security practitioners still have trouble converting their legacy mindsets into a cloud-native one. 

My security expert was eager to illustrate: "We see a common problem where a business application user will exfiltrate information to personal AWS buckets. This means that the cloud log is in their personal bucket, and the business has no visibility of it. However, there is a simple answer — we advise business customers to create a service-aware policy that limits bucket access to corporation-owned buckets."

What this means is that many security practitioners are still limited to legacy thinking and architectural models, a key indicator of which is when practitioners try to filter based on IP address, basically trying to re-create their traditional data center in a cloud service environment. Cloud instances are ephemeral by nature, allowing savvy architects and devs to create and destroy instances on demand. IP addresses just don't matter in this context.

**Participating and Presenting**

Capture-the-flag (CTF) events are a staple for many cybersecurity conferences, but 44CON had its own spin. This year's CTF was organized by Trace Labs, a Canadian not-for-profit organization that partners with law enforcement agencies to leverage the power of crowdsourced OSINT collection to assist in ongoing missing persons investigations. Instead of hurling their exploit kits at a target, contestants were invited to "use their powers for good" and take real missing persons cases and hunt for missing pieces of open source intelligence, or flags. The more flags a team finds, the more points they get, all the while helping to make the missing-persons database more complete.

And saving the best for last — the talks! Headlined by James Forshaw of Google Project Zero, superb presentations allowed all of us to learn about the latest in vulnerabilities and exploitation, whether you are a red or blue teamer. Erlend Andreas Gjære, co-founder and CEO of security training adviser Secure Practice, talked about the need for a human touch in cybersecurity, and the mysterious stranger identified only as "cybergibbons" explained how he took control of cruise ships, oil rigs, and other merchant navy vessels in a talk called "I'm the captain now!"

Last but not least was an inspiring talk by Thinkst founder and CEO Haroon Meer, who closed the conference by exhorting attendees to unleash their innovation and create security products that the world needs. Meer observed how many of the products currently on the market are snake oil, peddled by people who you wouldn't leave alone in your home with your grandmother. He also pointed out that the path to a profitable software-as-a-security business is simply to find something that 1,000 people will want to use — possibly the best advice to budding entrepreneurs since Ron Gula's five-slide pitch deck.

Sharing Knowledge at 44CON

Exploit allows unsigned and unnotarized macOS applications to bypass Gatekeeper and other security, without notifying the user.

New details about a known vulnerability in the macOS Archive Utility have emerged, showing that a cyberattacker armed with just the right specialty archive could exploit it to execute a malicious application while bypassing security checks — without the user ever being notified. 

The vulnerability, discovered by Jamf Threat Labs and tracked as CVE-2022-32910, affects the Archive Utility, an Apple tool that allows users to easily create and send archives. The team said it discovered the flaw during research into general archiving feature security. 

"Although our testing was done with Apple Archives, the same bypass can be achieved with other archive formats such as .ZIP archives, in which case the .ZIP file could be created while within the app directory," the disclosure noted. 

The Jamf team reported the macOS bug to Apple on May 31 and said Apple issued a patch on July 20 — but it's just now releasing technical details. Out-of-date end users should update to the latest macOS version to avoid compromise.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

macOS Archive Utility Bug Lets Malicious Apps Bypass Security Checks

Russian-speaking cyberattackers boast they are behind disruption of Colorado, Kentucky, and Mississippi government websites.

A hacktvist group with ties to the Russian government has claimed credit for cyberattacks on the government websites of three US states: Colorado, Kentucky, and Mississippi. 

The sites for Mississippi and Kentucky were functioning Thursday, following the Russian cyberattacks, while the Colorado State Official Web Portal was displaying a message that the "homepage is currently offline," earlier in the day. By Thursday afternoon, the homepage appeared back online. 

Reports of the compromise of state government systems by the so-called Killnet hacktivist group is particularly alarming in light of upcoming November US midterm elections, which rely on individual states to administer voting. 

"In the case of these state government websites, the disruption of service, while inconvenient, is far less of a problem than a data breach involving the theft of personally identifiable information," Erich Kron, security awareness advocate with KnowBe4, said in an emailed statement in reaction to news of the cyberattack. "Whether it's the defacement of websites, or taking them offline with attacks such as distributed denial-of-service (DDoS) attacks, it does erode public trust in the organizations that these websites represent."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Russian Hackers Shut Down US State Government Websites

The trend, spotted by Consumer Reports, could mean good news for organizations struggling to contain remote work challenges.

A survey on US consumer attitudes toward online privacy and security holds some potentially good news for enterprise organizations in an era of work-from-home and hybrid work models.

The survey of 2,103 US adults, conducted by Consumer Reports (CR), showed substantial improvement in consumer cybersecurity and privacy practices over the past three years. Many more individuals appear aware of the security and privacy risks associated with their digital footprint, and have modified their behavior significantly to try and protect it better.

Some of the changes — such as a surge in the use of multifactor authentication (MFA) — appear tied to the fact that more and more organizations require it for accessing online accounts and services. That said, a lot of the behavioral changes are likely also being driven by a higher awareness of cyber-risks, several security experts say.

"The harsh reality is that the explosive growth in ransomware attacks and data breaches has raised awareness of cybersecurity to a level we’ve never seen before," says Darren Guccione, CEO and co-founder at Keeper Security. "When people are unable to get fuel at the gas pump or their bank data is leaked on the Dark Web, they immediately understand the tangible impact cyberattacks can have on their personal lives."

The trend has upside for enterprise organizations that are struggling to contain security challenges tied to the use of insecure home networks and devices by their work-from-home and remote employees. It could mean less of an uphill battle for them, says Brian Dunagan, vice president of engineering at Retrospect, a StorCentric company.

It suggests that people are taking communications regarding security directives seriously and are taking the time to read, learn, and ask questions if necessary — which is a notable shift. 

"Now is the time for security leaders to make the case for increased security budgets, whether it is added personnel or added security technology solutions," Dunagan says.

**Significant Security Improvements for Consumers**

When it comes to better consumer adoption of certain security practices, 88% of survey respondents, for instance, said they use what CR describes as strong passwords — eight characters or more, with upper and lowercase letters, numbers, and symbols — to protect access to their Wi-Fi networks. That's up from 74% in the last survey. Similarly, 85%, up from 69%, have implemented measures such as requiring a password, PIN, TouchID, or FaceID to unlock their smartphone.

The survey revealed a greater understanding among US consumers of the potential privacy and security implications of allowing mobile applications the unfettered ability to track their location and movements. Eighty-one percent of consumers now only allow an app to access their location when they are using the application. Eighty percent claimed they did not install applications that they perceived as collecting too much information about them, and 78% block apps from having access to the camera, location, or contacts if they think the app does not require that access.

The numbers in each instance were significantly higher compared with the 2019 survey. For example, just 60% blocked app access to their cameras and contacts three years ago, and 65% ensured a mobile app had access to their location only when the app was in use.

One of the most significant changes was in the use of multifactor authentication: 77% of survey respondents said they now use MFA, up from 50% in 2019. Security experts consider MFA to be a fundamental security best practice for protecting online accounts against takeover and compromise.

"Many products and companies have started to encourage consumers to enable better cyber hygiene," says Amira Dhalla, director of impact partnerships and programs at Consumer Reports. **"**It's common that when you log in to your bank or email account, they encourage or mandate \[that\] you have to use multifactor authentication."

**Consumers Are More in Control, but Work Needs to Be Done**

Dhalla says that CR's survey showed that consumers overall feel more in control of their personal data because of the steps they are taking to control and secure it. 

“As more security and privacy tools have become available and marketed to everyday consumers, they feel they have more at their disposal to combat the security of their data," she notes. "\[They\] are placing more responsibility on themselves to protect themselves.”

At the same time, they are less secure with how companies are handling and storing their data. At least 75% of the respondents in the CR survey expressed concern about the privacy of personal data that companies collected online. "We know consumers are holding themselves more accountable. They just need knowledge and tools to be able to protect themselves more."

Roger Grimes, data-driven defense evangelist at KnowBe4, perceives the improved consumer habits as the result of a trickle-down effect. "What's largely driving the change is businesses are now taking cybersecurity threats more seriously, which trickles down to consumers because they work for those businesses and are impacted as customers," he says. "If your employer is training you to be more cybersecurity aware on the job, those are also skills you can apply at home and teach to your family."

Grimes says while the trends in the CR survey are encouraging, it's also important to view them in the right perspective. He points to the survey's definition of what constitutes a strong password as one example. "Eight-character passwords, even with complexity, are no longer considered secure," he says. "For someone's password to be truly secure it must be 12 characters or longer and fully random or 20 characters or longer if made up out of someone's head."

Similarly, using MFA alone is not sufficient, if it is not also phishing resistant, he says. "Unfortunately, 90% to 95% of MFA is easily phish-able \[and\] no harder to steal or bypass than a password. Telling people to use any MFA is bad advice."

US Consumers Are Finally Becoming More Security & Privacy Conscious

Cybercriminals are focusing more and more on crafting special email attacks that evade Microsoft Defender and Office security.

Increasingly, cyberattackers are laser-focused on crafting attacks that are specialized to bypass Microsoft's default security, researchers say — which is going to require a shift in defense posture for organizations going forward.

"Many hackers think of email and Microsoft 365 as their initial points of compromise, \[so they\] will test and verify that they are able to bypass Microsoft’s default security," according to a new report from Avanan that flags an uptick in its customer telemetry of malicious emails landing in Microsoft-protected email boxes. "This does not mean that Microsoft's security got worse. It means that the hackers got better, faster, and learned more methods to obfuscate and bypass the default security."

Some of the eye-catching numbers in the report, gleaned from analyzing 3 million corporate emails in the past year, include:

*   About 19% of phishing emails observed by Avanan bypassed Microsoft Exchange Online Protection (EOP) and Defender.
*   Since 2020, Defender's missed phishing rates among Avanan's customers have increased by 74%.
*   On average, Defender sends only 7% of phishing messages received by Avanan customers to the Junk folder.
*   In good news: Microsoft flagged and blocked 93% of business email compromise attempts.
*   Microsoft catches 90% of emails booby-trapped with malware-laden attachments.

Again, the numbers speak to the evolution of phishing and the fact that attackers are increasingly using tactics like leveraging legitimate services to avoid including obviously malicious links in emails, using masking techniques like vanity URLs, and avoiding attachments altogether.

To defend themselves against these custom-built attacks, organizations can go to basic defense-in-depth approaches with four main prongs, according to Roger Grimes, data-driven defense evangelist at KnowBe4.

Those prongs include: A better focus on preventing social engineering, using a best defense-in-depth combination of policies, technical defenses, and education; patch software and firmware, especially any that are listed on CISA's Known Exploited Vulnerability Catalog; use phishing-resistant multifactor authentication (MFA); and using different, secure, passwords for every site and service where MFA cannot be used.

"There are no other defenses, besides these four, that would have the most impact on decreasing cybersecurity risk," Grimes says. "It is the world's lack of focus on these four defenses that has made hackers and malware so successful for so long."

Hackers Have It Out for Microsoft Email Defenses

The malware-as-a-service group Eternity is selling a one-stop shop for various malware modules it's been distributing individually via a subscription model on Telegram.

An emerging Russia-linked threat group is ramping up its malware-as-a-service operation by packaging several of its modules into a multifunctional malware offering, dubbed LilithBot, that it's peddling via Telegram.

The Eternity group — aka EternityTeam or Eternity Project — has been active since at least January and uses an "as-a-service" subscription model to distribute different Eternity-branded malware modules in underground forums. Its individual malicious offerings include a stealer, miner, botnet, ransomware, worm with a dropper, and distributed denial-of-service (DDoS) bot, researchers from Zscaler ThreatLabz revealed in a blog post published this week.

In a recently observed campaign, Eternity put a number of those modules together into "one-stop shopping for these various payloads," Zscaler security researcher Shatak Jain and senior program manager Aditya Sharma wrote in the post. The threat actor is distributing the multifunctional LilithBot malware through its dedicated Telegram group and a Tor link.

"In addition to its primary botnet functionality, it also had built-in stealer, clipper, and miner capabilities," the researchers wrote of the LilithBot campaign, which appears to have multiple variants.

**Who Is EternityTeam?**

The EternityTeam has links to the Russian Jester Group and offers a malware toolkit sold through a malware-as-a-service subscription service advertised via a dedicated Telegram channel, named @EternityDeveloper.

Other security companies have also studied the group. Security firm Cyberint in January identified the group and its various malware modules as an emerging force to be reckoned with on the underground cybercrime industry. In May, research from security firm Sekoia.IO identified the group as a new "prominent malware seller" and provided analysis on the various tools in its arsenal.

Typically, EternityTeam offers different services individually — including a stealer, miner, clipper, ransomware, worm plus dropper, and DDoS Bot — and accepts payment through various cryptocurrencies, including Bitcoin, Ethereum, Monero, and Tether/USDT, among others.

Eternity also offers customized viruses and will create viruses with add-on features upon customer request. The price of the various malware the group sells ranges from US$90 to $470, with its ransomware product priced the highest.

The cybercrime group runs a tight ship: Its business is extremely "user-friendly" for a number of reasons, the Zscaler researchers noted. It's easy for cybercriminals to purchase and operate via Tor, and the service accepts crypto as payment; it's customizable to fit clients' needs; and it's regularly updated at no additional charge, they said. The group also offers add-on discounts and referral rewards to its customers.

**LilithBot Campaign**

As legitimate businesses often see the value in bundling services together, so do cybercrime operators. LilithBot is an example of this practice, with Eternity selling the multifunctional malware as a subscription, similar to how it distributes its individual malware-as-a-service modules.

There are plenty of other examples of attackers distributing malware that relies not on one core competency but a combined range of malicious functionality in one package. The Chaos malware is one example of this, having evolved recently from its original ransomware builder into a DDoS and cryptomining tool.

Though LilithBot is different in that it is starting out as a combination of a threat group's existing services rather than evolving into a new type of malware, it's similar in that it packs a malicious, multifunctional punch.

LilithBot initiates its nefarious activity by registering as a botnet on an affected system and then decrypts itself step by step to drop its configuration file, the researchers said. It goes on to steal files and user information, which it then uploads via a zip file to a command-and-control (C2) server using the Tor network. LilithBot also uses fake certificates to bypass detections and deliver its various functionality as a stealer, cryptominer, and clipper.

Zscaler researchers observed two variants of LilithBot being distributed by Eternity, with slight differences in the main functions of each release, they said. Specifically, some commands that were present in earlier variants were absent from the newest variant that researchers analyzed.

The latest version of LilithBot no longer checks for the presence of various DLLs related to virtual software like Sandboxie, 360 Total Security, Avast, and COMODO Avs, nor for the Win32\_PortConnector that represents physical connection ports such as DB-25 pin male, Centronics, or PS/2 to ensure the malware is running on a physical machine rather than a virtual one.

"It is likely that the group is still performing these functions," the researchers wrote, "but doing so in more sophisticated ways: such as performing it dynamically, encrypting the functions like other regions of code, or using other advanced tactics."

Russia-Linked Cybercrime Group Hawks Combo of Malicious Services With LilithBot

While organizations wait for an official patch for the two zero-day flaws in Microsoft Exchange, they should scan their networks for signs of exploitation and apply these mitigations.

Microsoft has confirmed two new zero-day vulnerabilities in Microsoft Exchange Server (CVE-2022-41040 and CVE-2022-41082) are being exploited in "limited, targeted attacks." In the absence of an official patch, organizations should check their environments for signs of exploitation and then apply the emergency mitigation steps.

*   CVE-2022-41040 — Server-side request forgery, allowing authenticated attackers to make requests posing as the affected machine
*   CVE-2022-41082 — Remote Code Execution, allowing authenticated attackers to execute arbitrary PowerShell.

"Currently, there are no known proof-of-concept scripts or exploitation tooling available in the wild," wrote John Hammond, a threat hunter with Huntress. However, that just means the clock is ticking. With renewed focus on the vulnerability it is just a matter of time before new exploits or proof-of-concept scripts become available.

**Steps to Detect Exploitation**

The first vulnerability — the server-side request forgery flaw — can be used to achieve the second — the remote code execution vulnerability — but the attack vector requires the adversary to already be authentication on the server.

Per GTSC, organizations can check if their Exchange Servers have already been exploited by running the following PowerShell command:

Get-ChildItem -Recurse -Path <Path\_IIS\_Logs> -Filter "\*.log" | Select-String -Pattern 'powershell.\*Autodiscover\\.json.\*\\@.\*200

GTSC has also developed a tool to search for signs of exploitation and released it on GitHub. _This list will be updated as other companies release their tools._

**Microsoft-Specific Tools**

*   According to Microsoft, there are queries in Microsoft Sentinel that could be used to hunt for this specific threat. One such query is the Exchange SSRF Autodiscover ProxyShell detection, which was created in response to ProxyShell. The new Exchange Server Suspicious File Downloads query specifically looks for suspicious downloads in IIS logs.
*   Alerts from Microsoft Defender for Endpoint regarding possible web shell installation, possible IIS web shell, suspicious Exchange Process Execution, possible exploitation of Exchange Server vulnerabilities, suspicious processes indicative of a web shell, and possible IIS compromise can also be signs the Exchange Server has been compromised via the two vulnerabilities.
*   Microsoft Defender will detect the post-exploitation attempts as _Backdoor:ASP/Webshell.Y_ and _Backdoor:Win32/RewriteHttp.A_.

Several security vendors have announced updates to their products to detect exploitation, as well.

Huntress said it monitors approximately 4,500 Exchange servers and is currently investigating those servers for potential signs of exploitation in these servers. "At the moment, Huntress has not seen any signs of exploitation or indicators of compromise on our partners' devices," Hammond wrote.

**Mitigation Steps to Take**

Microsoft promised that it is fast-tracking a fix. Until then, organizations should apply the following mitigations to Exchange Server to protect their networks.

Per Microsoft, on-premises Microsoft Exchange customers should apply new rules through the URL Rewrite Rule module on IIS server.

*   In IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions, select Request Blocking and add the following string to the URL Path:

.\*autodiscover\\.json.\*\\@.\*Powershell.\*

The condition input should be set to {REQUEST\_URI}

*   Block ports 5985 (HTTP) and 5986 (HTTPS) as they are used for Remote PowerShell.

_**If you are using Exchange Online:**_

Microsoft said Exchange Online customers are not affected and do not need to take any action. However, organizations using Exchange Online are likely to have hybrid Exchange environments, with a mix of on-prem and cloud systems. They should follow the above guidance to protect the on-prem servers.

Source

DARKReading