The stealthy crypter, active since 2015, has been used to deliver a wide range of information stealers and RATs at a rapid, widespread clip.

Researchers this week warned of a sophisticated, evasive crypter that several threat actors are using to distribute a range of information stealers and remote-access Trojans (RATs).

The crypter, dubbed "DarkTortilla," is pervasive and persistent, and it packs multiple features designed to help it avoid anti-malware and forensics tools. The .NET-based crypter can be configured to deliver numerous malicious payloads, and can potentially be used to plant illegal content on a victim's system. It's also capable of tricking both users and sandboxes into believing it is benign.

Researchers from Secureworks, who first spotted DarkTortilla last October, believe it has been active since at least August 2015. Rob Pantazopoulos, senior security researcher at Secureworks' Counter Threat Unit (CTU), says threat actors have used DarkTortilla in the past to deliver a wide range of other malware, including Remcos, BitRat, FormBook, WarzoneRat, Snake Keylogger, LokiBot, QuasarRat, NetWire, and DCRat. On a few occasions, the crypter has also been used in targeted attacks to deliver payloads such as Metaspolit and Cobalt Strike.

Most recently, it's been used mainly to deliver malware such as the RATs AgentTesla, NanoCore, and AsyncRat, as well as the information-stealer RedLine.

Somewhat unusually for such a widely used malware distributor, there have been just nine instances where a threat actor used DarkTortilla to distribute ransomware — and seven of those involved the Babuk ransomware family.

**Pervasive and Versatile**

"DarkTortilla first came into focus for Secureworks in October 2021 when we detected a threat actor leveraging a Microsoft Exchange remote code execution vulnerability (CVE-2021-34473) to execute malicious PowerShell within customer environments," Pantazopoulos says. "The attack chain eventually led to the download and execution of the .NET malware that we now call DarkTortilla."

Secureworks researchers said that between January 2021 through May, they spotted an average of 93 unique DarkTortilla samples being uploaded to VirusTotal every week. The security vendor says it has counted more than 10,000 unique DarkTortilla samples since it began tracking the malware. Like many malware tools, attackers have been using spam emails with file attachments such as .ISO, .ZIP, and .IMG to distribute DarkTortilla. In some instances, they have also used malicious documents to deliver the malware.

**Highly Configurable**

What makes DarkTortilla dangerous is its high degree of configurability and the various anti-analysis and anti-tampering controls it packs to make detection and analysis highly challenging. The malware, for instance, uses open source tools such as DeepSea and ConfuserEX to obfuscate its code, and its main payload gets executed entirely in memory, Pantazopoulos says.

Also, DarkTortilla's initial loader, which is the only component of the malware that touches the file system, contains minimal functionality, making it hard to spot.

"Its only job is to retrieve, decode, and load the core processor, which is typically stored as encrypted data within the initial loader's resources," he notes. The code itself is generic in nature and tends to vary between samples depending on the obfuscation tools that have been applied. As a result, Secureworks has only been able to identify a handful of consistent markers for the malware — which too are likely to change soon, the researcher says.

The security vendor's analysis of DarkTortilla showed that it migrates execution to the Windows %TEMP% directory during initial execution, a feature that Pantazopoulos says is troublesome for defenders. One benefit in doing this — from the attacker's perspective — is that it allows DarkTortilla to hide on an infected system.

"Second, if the %Delay% configuration element is defined within the DarkTortilla configuration, the amount of time from when DarkTortilla is run to when the main payload gets executed increases exponentially," he says. For instance, with just a few configuration changes, attackers can set the malware to execute its main payload several minutes after the DarkTortilla executable is run.

"The impact here is that, when defenders submit the sample to most popular sandboxes, the sample will likely timeout without doing anything malicious and the sandbox may report that the sample was benign."

**Bag of Tricks**

DarkTortilla's bag of tricks includes a message box that attackers can use to display customizable, fake messages about the malware being a legitimate application, about the execution failing, or about the software being corrupted. The goal here, again, is to trick users into believing the malware that is executing on their system is benign.

"From a features perspective, we find DarkTortilla's ability to deliver numerous additional payloads in the form of 'addons' to be very interesting," Pantazopoulos notes. In one instance, the configured addon was a benign decoy Excel spreadsheet that opened as the malware was executing in the background. In another instance, Secureworks discovered the configured addon was a legitimate application installer that ran when the malware was executing. Thus the victim assumed they were installing a legitimate application.

In a handful of instances, Secureworks observed threat actors using DarkTortilla to drop addons to disk that were then not run later. Of the more than 600 DarkTortilla addons that Secureworks has observed so far, only seven were dropped to disk and not executed.

The file types ranged from executables and configuration files to PDF documents and were typically dropped to the victim's My Documents folder. "Though we've yet to see it used this way, it is very possible that a threat actor could leverage DarkTortilla to plant illegal content on a victim's file system without their knowledge," Pantazopoulos says.

'DarkTortilla' Malware Wraps in Sophistication for High-Volume RAT Infections

The increased sophistication of cyberattacks makes them more widely damaging and difficult to prevent.

The Russian-supported Conti group's recent attack against Costa Rica led the country to declare a national emergency. The attack impacted the country's Ministry of Finance and many other government institutions, affecting — at minimum — payroll schedules and the nation's foreign trade. Conti not only doubled its ransom demand but also stated its intention to overthrow the government by means of a cyberattack.

This incident has demonstrated the massive implications that attacking an entire nation can have. It's a stark example of the risks affecting critical infrastructure — and it must be a reminder of how essential it is to strengthen cybersecurity postures. But it also further underscores the importance of public-private partnership. When entire countries are affected by cyberattacks, it's a clear sign that no person (or nation) is an island — we must work together.

**Growth of Attacks Against Critical Infrastructure**

That is just the latest example of attacks against critical infrastructure. There have been a number of attacks — for example, against Ukraine and oil loading facilities in Europe. The US has also suffered, with the targeting of the Colonial Pipeline being just one prominent example. That's not to mention the countless hospitals, water treatment plants, and other critical infrastructure that have been hit by ransomware in the past year. Satellite communications, wind turbines, and even medical institutions have been targeted.

These attacks are being made possible by the increased sophistication of criminal technologies. In the public sector, there's a convergence of advanced persistent threats (APT) and cybercrime. Cybercriminals are investing more in the reconnaissance and weaponization phases of an attack.

Another worry for the public sector in 2022 is aggressive attack code. Ransomware is one example, and another is wiper malware, which is being added to ransomware campaigns. These attack strategies previously affected IT, but now they're also starting to affect OT and the public sector.

With today's IT/OT convergence, there's no longer an air gap between IT and OT — areas that were once inaccessible are now open to risk. Government organizations may think they don't have OT, but they need to consider devices like security cameras, sensors linked to the HVAC system, smart buildings, and other OT with an IoT footprint.

Cybercriminals also are going after critical infrastructure directly these days — more so than we've seen before — and we're seeing cybercriminals adopting the playbooks of nation-state actors, which means more sophisticated and destructive attacks.

**The Need for Public-Private Partnership**

Cybercrime is playing an increasing role in geopolitical conflict, and as attacks proliferate against critical infrastructure, it can put lives at risk. We cannot afford to wait and see.

Fighting cybercrime is a team effort, with law enforcement, cybersecurity specialists, and legislators collaborating with businesses and the general public to combat cybercrime using cyber threat intelligence.

Threat intelligence includes dynamic technology that uses data collection and analysis gathered from threat history to block and remediate cyberattacks. Threat intelligence is based on cybercriminals' tactics to develop crucial procedures for an organization's overall security architecture.

Working together is the only way to stay ahead of today's cyber threats, which are becoming more complex and aggressive — for example, ransomware attacks migrating to an affiliate-based, as-a-service model. Furthermore, the cybercrime supply chain has mushroomed, and there are so many moving parts and actors at each step that tracking them down and stopping them requires serious, worldwide, joint efforts.

One example is the World Economic Forum's Partnership against Cybercrime. This international, multistakeholder collaboration has united many leading organizations from numerous sectors, both private and public, to address the growing challenge of cybercrime.

**Signs of Success**

We've seen some great successes come from these collaborative efforts. The Department of Justice led a coordinated international law enforcement action to disrupt NetWalker ransomware, resulting in the arrest of a NetWalker affiliate who received a seven-year jail sentence. The DoJ also arrested two people for conspiring to launder at least $3.6 billion worth of cryptocurrency stolen from a virtual currency exchange.

Collaboration led to the takedown of Emotet, one of the most prolific malware operations in recent history. And Interpol's partnership with private sector companies led to the recent takedown of a business email compromise (BEC) scam ring in Nigeria that attacked thousands of companies around the world. These examples are just the beginning. More work and constant vigilance and innovation are needed.

**Act Together, Act Now**

In today's threat environment, where whole countries can be hamstrung by well-constructed cyberattacks, security cannot succeed if each entity hoards its cybersecurity information. Recent examples demonstrate the need for global threat intelligence — and that there's no time to waste. Shared data and partnership can lead to more effective responses and help partners more accurately predict future techniques to deter criminals' efforts. Now is the time to join with law enforcement and other entities to present a united defense to protect critical infrastructure against cybercrime.

When Countries Are Attacked:  Making the Case for More Private-Public Cooperation

A suspected Iranian threat actor known as UNC3890 is gathering intel that could be used for kinetic strikes against global shipping targets.

A Persian-speaking threat group has been discovered targeting industries ranging from healthcare to energy, with a particular focus on the shipping sector.  

According to a report from Mandiant, which named the group UNC3890, the campaign uses email-borne social-engineering lures and a watering hole hosted on a login page of a legitimate Israeli shipping company to disguise the activity. While it targets mainly Israeli victims, the report advised that targets also include multinational companies, suggesting that the threat could have a global impact.

Credential-stealing could allow the threat actor to gain initial access to a targeted organization for espionage purposes, according to the firm. For example, the credentials may allow the actor to connect to a victim’s Office 365 mailbox and steal all the victim’s email correspondence, thus gaining valuable insights about the victim and their organization’s activity.

"We observed the C2 servers communicating with multiple targets, as well as with a watering hole that we believe was targeting the Israeli shipping sector, in particular entities that handle and ship sensitive components," the report notes.

Mandiant senior analyst Ofir Rozmann says the interest this actor shows in the shipping sector is most concerning, since the intelligence it gathers may be leveraged for more aggressive efforts, like kinetic warfare operations.

"While we don’t what exact data the attackers gained access to, compromising a shipping company’s website and gathering intel on its users may have provided the attackers with data about cargo’s contents, when it’s being sent and its location over time," he explains. "This sort of data is important if Iran wishes to conduct kinetic operations targeting these shipments."

Furthermore, this type of access may also be used to send phishing emails from within the organization, bolstering legitimacy and compromising more mailboxes and/or computers, or affecting downstream customers.

**A Taste for Custom Malware**

The group, which operates an interconnected network of command-and-control (C2) servers, spoofs legitimate services including Office 365, and social networks LinkedIn and Facebook, with phishing lures that include fake job offers and fake commercials for AI-based robotic dolls.

Once a victim is compromised, the group delivers two proprietary pieces of malware, which Mandiant dubbed Sugarush and Sugardump.

Sugarush is a backdoor that establishes a reverse shell over TCP to a hardcoded C2 address, according to the new analysis.

Sugardump meanwhile is used for harvesting credentials from Chrome, Opera, and Edge Chromium browsers, which can also exfiltrate stolen data via Gmail, Yahoo, and Yandex email services.

According to the report, several versions of Sugardump have been observed, with the first dating back to 2021, which stored credentials without exfiltrating them. Later versions use either SMTP or HTTP for C2 communications, and they have more advanced credential-harvesting functionality.

Other tools used by UNC3890 include Unicorn for PowerShell-type attacks, the Metasploit framework, and NorthStar C2, which is a publicly available open source C2 framework developed for penetration testing and red teaming.

"In addition, we identified an UNC3890 server that hosted several .ZIP files containing scraped contents of Facebook and Instagram accounts of legitimate individuals," the report says. "It is possible they were targeted by UNC3890, or used as lures in a social-engineering effort."

The group has been in operation since at least late 2020 and is currently perceived as an active threat.

**Espionage for Many Outcomes**

Rozmann adds intelligence collection is a key component of any state-sponsored activity since it can help keep the leadership and Iranian intelligence agencies informed when strategizing/making plans against their targets.

"While we believe this actor is focused on intelligence collection, the collected data may be leveraged to support various activities, from hack-and-leak to enabling kinetic warfare attacks like those that have plagued the shipping industry in recent years," according to Mandiant's analysis.

Whether it remains covert or is leveraged for more overt operations, the intel opens up options for a threat actor. For example, targeting the government sector may provide access to sensitive strategic, political, or defense-related data that can be beneficial for future negotiations, exposed/sold, or leveraged against the victims.

**Attribution to Iran's Government?**

While UNC3890 is almost certainly based in Iran, "we don’t have enough evidence to determine whether this is a state-backed threat," Rozmann notes. "However, it is plausible, based on the actor’s geographical focus, the targeted sectors and the focus on intelligence collection."

He adds that a typical cybercrime gang that's financially motivated would probably be interested in other information, such as bank accounts, and use other methods, such as ransomware attacks.

"Furthermore, it would target a broader spectrum of sectors and geographies in an effort to maximize potential profit," he says.

The United States, United Kingdom, and Australia have all recently warned that attacks from Iran-linked cyberattack groups have been ramping up operations.

The Iranian state has been blamed for many prior efforts targeting civilians in Israel, including attacks on water infrastructure and on an insurance company.

In June, Microsoft disabled the Iran-linked Lebanese hacking group Polonium after it discovered the threat actors abusing its OneDrive personal storage service. Among the targeted organizations were those involved in critical manufacturing, transportation systems, financial services, IT, and Israel’s defense industry, the software giant says — all of which offered an avenue to carry out downstream supply chain attacks.

'Operation Sugarush' Mounts Concerning Spy Effort on Shipping, Healthcare Industries

The state-sponsored group particularly targets organizations working on behalf of the Uyghurs, Tibet, and Taiwan, looking to gather intel that could lead to human-rights abuses, researchers say.

The RedAlpha advanced persistent threat (APT) group, thought to be linked to the Chinese state, has been spying on global humanitarian, think tank, and government organizations thanks to a massive phishing campaign that's been active for years.

That's the word from Recorded Future's the Insikt Group, which also found that the intelligence collection is likely used to support human rights abuses orchestrated by the Chinese Communist Party (CCP).

RedAlpha (aka Deepcliff or Red Dev 3) specializes in mass credential-harvesting, which it accomplishes via convincing phishing emails with attached PDFs that lead to purported login pages. The group has been operational at a "high tempo" since at least 2015, Insikt researchers note, though it didn't spark the notice of security researchers until 2018. And since 2019, the activity has ramped up even further, analysts say.

"Over the past three years, we have observed RedAlpha registering and weaponizing hundreds of domains spoofing organizations such as the International Federation for Human Rights (FIDH), Amnesty International, the Mercator Institute for China Studies (MERICS), Radio Free Asia (RFA), the American Institute in Taiwan (AIT), and other … organizations," according to a blog post on Tuesday from Insikt.

Last year, RedAlpha stood up at least 350 domains overall, representing a big spike in its activity, analysts said. In many cases, the observed phishing pages mimicked legitimate email login portals for these specific targets, suggesting the attackers intended to target individuals directly affiliated with the organizations, as opposed to using the branding of the entities to target other third parties.

In particular, the APT has been observed directly targeting ethnic and religious minorities such as the Tibetan and Uyghur communities and protesters such as Falun Gong members, and it has been particularly interested in anything Taiwan-related. In short, the targets align closely with Chinese interests. Thus, the idea is to gain access to email accounts and other online communications of victims, in order to eavesdrop and gather political intel on the targets, researchers surmise.

Casey Ellis, founder and CTO at Bugcrowd, says that the intel gleaned can be weaponized not just for guiding kinetic or physical strikes against the persons of interest but also for counter-messaging meant to undermine their activities.  

"China has an enormous population of very astute technologists, a vast security research and hacking community, and a large government-sponsored team with offensive capability ranging from information warfare to targeted exploit development and R&D," he says. "Data stolen for nation-state espionage isn't, for example, likely to be used for fraud if the threat actor is Chinese. The main threat, as is true for most nation-state threat actors, is dis/misinformation, weaponized memes, and subversive propaganda through social networks and traditional media."

The spoofing also has included impersonating well-known email service providers in an effort to look legitimate, including Yahoo (135 typosquatted domains), Google (91 typosquatted domains), and Microsoft (70 typosquatted domains).

"Chinese state-sponsored groups continue to aggressively target dissident and minority groups and individuals, both domestically through state surveillance and internationally through cyber-enabled intrusion activity," the researchers note. "This targeting of sensitive and vulnerable communities, many of which have security budget and resources constraints, is particularly concerning.  

**Sprawling Phishing Infrastructure**

According to Insikt's analysis, the group maintains large clusters of operational infrastructure, beyond the hundreds of phishing domains that imitate and spoof specific organizations.

The researchers say that other consistent characteristics of the group's efforts include the use of \*resellerclub\[.\]com nameservers; using the virtual private server (VPS) hosting provider Virtual Machine Solutions (VirMach); similar domain-naming conventions, such as the use of “mydrive-”, “accounts-”, “mail-”, “drive-”, and “files-” strings across hundreds of domains; overlapping WHOIS registrant names, email addresses, phone numbers, and organizations; and the use of specific server-side technology components and fake HTTP 404 Not Found errors.  

Phil Neray, vice president of cyber-defense strategy at CardinalOps, says that this kind of large footprint allows for significant espionage outcomes, which is one of the hallmarks of Chinese APTs.

"China has been a top nation-state threat for many years, given their strategic use of cyber-espionage to obtain expertise in key technologies such as biotech, semiconductors, defense, and energy, by stealing proprietary intellectual property from the West," he says. "They've also targeted PII in attacks against government organizations such as the Office of Personnel Management (OPM) and large health insurance organizations like Anthem, which were two of the largest data breaches in history."   

**Phishing Is Phishing Is Phishing**

The tactics in this case are tried and true, even if the perpetrators occupy "top-tier" status in the cybercrime pantheon.

"When it comes to phishing, threat actors at all levels generally rely on conventional aesthetic-based tactics to lure in their victims," Darren Guccione, CEO and co-founder at Keeper Security, tells Dark Reading. "Innocent people who are not trained on phishing prevention generally focus on the 'pinstripes' of the email. This means that the aesthetics they are familiar with, such as the logo and colors of a humanitarian, think tank, or government site, are used to lure them into a malicious link or form field."

It's important, however, not to underestimate the fallout from this familiar social-engineering approach. 

"Cybersecurity threats which ultimately result in breaches due to weak passwords, stolen credentials, or phishing emails are pervasive," Guccione says. "They can have devastating and long-term adverse consequences, particularly when a broad-scope espionage campaign is used to support human rights abuses."

Any organization should bolster user awareness and employ basic defenses to avoid being on the hook from phishing, Guccione adds.

"We tend to believe what we see, which is why aesthetics and a compelling user interface often trump awareness of a nefarious and incorrect URL," he notes. "The key to training is to ensure users are checking that the URL matches the authentic website. A password manager that can automatically identify when a site's URL doesn't match is a critical tool for preventing the most common password-related attacks, including phishing and credential stuffing."

CardinalOps' Neray adds that when it comes to civil-society targets specifically, "Organizations of all sizes must protect themselves by deploying continuous monitoring at all levels of their infrastructures — endpoints, network, cloud, identity — and ensuring they have SOC detection policies in place that match the latest adversary techniques employed by Chinese attackers, as documented in the MITRE ATT&CK framework."

China-Backed RedAlpha APT Builds Sprawling Cyber-Espionage Infrastructure

All-cash transaction deal that was first announced in April means SailPoint is no longer a publicly traded company.

Private equity giant Thoma Bravo has now completed its purchase of enterprise identity security vendor SailPoint in an all-cash deal estimated at $6.9 billion that was initially announced on April 11 of this year.

Thoma Bravo struck a similar deal earlier this month with another identity security provider, Ping Identity, which it acquired for $2.8 billion in cash. Ping went from a publicly traded company to a privately held firm under the Thoma Bravo umbrella.

SailPoint, which offers a software-as-a-service (SaaS) identity-security platform called IdentityNow, also now goes from publicly listed on the New York Stock Exchange to a privately held entity under Thoma Bravo. SailPoint stockholders are eligible for $65.25 in cash per share of SailPoint common stock now that the company has been delisted.

"SailPoint is at the forefront of the growing identity-security market and is well-positioned to further capitalize on the increasing demand from enterprises for innovative and trusted solutions," Seth Boro, a managing partner at Thoma Bravo, said in a statement about the deal.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Thoma Bravo Closes $6.9B Acquisition of Identity-Security Vendor SailPoint

Funds will support product development and market expansion for ThreatX, which delivers real-time protection for APIs and Web apps against complex botnets, DDoS, and multimode attacks.

**Boston – August 17, 2022** - ThreatX, the leading API protection platform, today announced it has raised $30 million in Series B funding led by Harbert Growth Partners, with participation from Vistara Growth. Existing ThreatX investors .406 Ventures, Grotech Ventures and Access Venture Partners also participated in the round. With these funds, ThreatX will accelerate investments in platform development and scale their global sales and marketing initiatives as companies seek to block complex attacks targeting APIs and web applications.

As organizations undergo digital transformation efforts and deliver new capabilities to connect with customers and partners, APIs have emerged as a strategic priority. Coupled with growth in web applications, the enterprise attack surface has exploded and is under constant threat from botnets, DDoS attacks and complex, multi-mode offensive attack campaigns. In this context, customers need API and web application protection capabilities that can identify and respond to attacks in real time, even as perpetrators evolve their techniques.

ThreatX stands in stark contrast to other API security solutions by providing organizations the ability to discover and visualize their attack surface; block attacks in real-time; and have access to 24/7 managed services to support resource-constrained security teams.

Recently, ThreatX announced the company has been acknowledged twice as a Sample Vendor in the Gartner® Hype CycleTM for Application Security, 2022 report. ThreatX was listed within the API Threat Protection and Cloud WAAP categories.

“While APIs bring rich opportunities to companies across nearly every market, they can also quickly devolve into business threats if not secured,” said Gene Fay, CEO, ThreatX. “The ThreatX platform delivers the one-two punch that modern organizations seek in API and web application protection by incorporating behavioral analytics and multiple detection methods within a single analytics engine. This funding will enable us to accelerate development of our platform’s capabilities and expand our global go-to-market strategy.”

In addition to the Series B funding, ThreatX also announced that Tom Roberts, General Partner at Harbert Growth Partners, will join the company’s Board of Directors.

“The rapidly growing API security market is on the cusp of making an aggressive pivot,” said Roberts. “When we met with the ThreatX team and saw the technology in action, we knew they were positioned to lead the shift toward real-time attack protection across both APIs and web applications. We are pleased to partner with Gene and the ThreatX team to build upon their already leading platform and run fast at the API protection opportunity.”

“As CISOs and their teams prioritize API security, the opportunity to think more broadly about API and web application protection is growing. A consolidated approach makes sense given the fact that DDoS attacks and botnets are often targeting both types of assets at the same time,” said John O’Donoghue, Principal at Vistara Growth. “We see huge potential in ThreatX to deliver an integrated platform that protects both APIs and web apps against complex attacks in real time and look forward to supporting the company’s growth in the coming years.”

**About ThreatX**

ThreatX’s API protection platform makes the world safer by protecting APIs from all threats, including DDoS attempts, bot attacks, API abuse, exploitations of known vulnerabilities, and zero-day attacks. Its multi-layered detection capabilities accurately identify malicious actors and dynamically initiate appropriate action. ThreatX effectively and efficiently protects APIs for companies in every industry across the globe. For more information, visit: https://www.threatx.com/.

ThreatX Raises $30 Million in Series B Funding to Accelerate Growth in Global API Protection Market

Solution streamlines the assessment, monitoring, and remediation of third-party risk for information security, compliance, and risk teams.

**LOS ANGELES, CA — August 16, 2022 —** AuditBoard, the leading cloud-based platform transforming audit, risk, and compliance management, today announced the availability of its Third-Party Risk Management solution. This powerful new extension of AuditBoard’s connected risk platform breaks down silos and engages relevant stakeholders inside and outside the organization, enabling third-party risk management programs to scale more efficiently and meet the growing needs of their business.

Managing the downstream risks posed by a large network of third parties, including cloud vendors, has become increasingly challenging as the COVID-19 pandemic has accelerated the global economy’s digital transformation and companies have come to rely more heavily on IT-related vendors. In this new era of dynamic digital risk, third-party breaches are now estimated to cost U.S. companies an average of $9.5 million per incident.

Information security, risk management, and compliance teams need the right solution to efficiently evaluate and mitigate third-party risk while managing ever-expanding cybersecurity and compliance obligations. Working in conjunction with AuditBoard’s innovative and award-winning CrossComply solution, which allows organizations to manage their information security compliance programs at scale, AuditBoard’s Third-Party Risk Management solution empowers teams to manage their overall IT risk and compliance posture more effectively.

“A wave of digital risk is rising as the global economy becomes ever more interconnected,” said Rajiv Makhijani, SVP of Emerging Products at AuditBoard. “We’ve created this purpose-built solution to empower our customers to get ahead of this wave by more efficiently and comprehensively managing the expanding third-party risk landscape.”

AuditBoard’s Third-Party Risk Management solution enables teams to save time, be better partners to the business, and scale through automated and collaborative workflows that enable more effective management of third-party risk. This purpose-built solution supports customizable assessments, automated risk scoring, issue management, ongoing monitoring, and centralized reporting and tracking.

To learn more about this new solution, visit AuditBoard.com.

**About AuditBoard**

AuditBoard is the leading cloud-based platform transforming audit, risk, and compliance management. More than 35% of the Fortune 500 leverage AuditBoard to move their businesses forward with greater clarity and agility. AuditBoard is top-rated by customers on G2, Capterra, and Gartner Peer Insights, and was recently ranked for the third year in a row as one of the fastest-growing technology companies in North America by Deloitte. To learn more, visit AuditBoard.com.

AuditBoard Launches Third-Party Risk Management Solution, Empowering Enterprises to Tackle IT Vendor Risk at Scale

Especially if your e-commerce and CMS platforms are integrated, you risk multiple potential sources of intrusion, and the integration points themselves may be vulnerable to attack.

Chances are your business has both an e-commerce platform and a content management system. Perhaps they're one and the same. Together, these technologies drive your business, empowering customers, sales staff, and partners. The content management system (CMS) gives them information; the e-commerce platform handles transactions. Easy.

However, these technologies can also be a target, providing everything that a bad actor wants, from trade secrets (such as inventories and price discount sheets), lists of partners and suppliers, discount codes, and even sensitive information about customers.

Whether your e-commerce platforms and CMSes are combined in an all-in-one comprehensive suite, or are disparate systems integrated together, the risks and potential weak spots are mainly the same. If you have integrated e-commerce and CMS platforms, not only does your tech now have multiple potential sources of intrusion, but the integration points themselves may be vulnerable to attack, or at least to snooping. If you have an all-in-one system, a single exploited vulnerability or phishing-enabled breach could give cybercriminals everything in one fell swoop.

For this discussion, let's assume that your company follows well-established cybersecurity best practices, such as applying patches and fixes to operating systems, applications, drivers, and libraries. Failure to make these updates in a timely fashion is a leading cause of breaches. Also, let's assume you employ state-of-the-art encryption for data in transit, and change all default access and admin passwords for your servers, routers, and services.

With that as a baseline, let's talk about seven specific steps that are particularly well-suited to CMS and e-commerce platforms.

**Gather the Least Amount of Customer Information Possible**

Then be careful where (and how) you store that data. If you steal customer credit card numbers or medical information, the market impact, civil lawsuit penalties, and adverse publicity could put you out of business. Oh, don't forget HIPAA and GDPR fines, depending on what and where your data is stolen.

**Careful What You Store On Internet-Facing Servers**

Yes, your e-commerce platform needs to be aware of inventory levels and pricing discounts in order to facilitate e-commerce. What if competitors can retrieve that information in a tidy bundle? They might be able to use your business data against you.

**Monitor Lists of Zero-Day Threats and Other Vulnerabilities**

You can start with the one published by organizations like the Cybersecurity & Infrastructure Security Agency. It's not enough to receive threat-assessment reports, of course. They need to be read and acted upon. An issue with a very large impact appeared, for example, in the popular Log4j library not long ago. Every organization that uses Log4j needed to update to version 2.16 or later immediately. Is there someone in your organization responsible for knowing about that sort of incident? If not, there's a vulnerability right there.

**Use Penetration Testing Tools and Services**

No matter whether your software is off the shelf, tailored by consultants, or homegrown, you don't know how secure it is unless you test, test, test. Conduct pen tests regularly and thoroughly; not only do systems become less secure if not maintained properly (see the first point), also your service landscape changes and attackers are becoming more sophisticated as well. If you haven't pen tested recently, or used a white-hat firm to assess your defenses, you don't know what you don't know.

**Vet Software Suppliers, and Insist They Follow Secure Coding Practices**

If you are using cloud services, examine those carefully. Consider everything. For example, the CMS company I work for is certified at the highest level for its security practices, conforming to ISO 27001 security protocols. These protocols include regular code reviews, strict access control, anomaly detection and rigorous security testing. You should expect nothing less from every supplier.

**Check With Banks, Payment Processors to Ensure You're Doing It Right**

There are many practices for working with ACH transfers and credit-card payments. Some of these appear obvious, such as using CVV values on credit cards, and verifying that shipping addresses match the bank account's address — but e-commerce platforms may not enable those extra levels of validation by default. I would also highly suggest using a service that specializes in payment transactions. These services will be certified according to PCI DSS requirements and you can focus on your core competencies.

**Log Everything and Analyze Those Logs for Anomalies, Attack Patterns**

Every transaction, every privileged login to the CMS or e-commerce platform, every error caused by someone entering a bad password, should be logged. Don't trust humans to be able to understand those logs, by the way; modern-day attacks can be both fast and subtle, and there's too much data to correlate for patterns. Use machine-learning tools to monitor events and logs, and as in the fourth point above, make sure someone is responsible for receiving, reading, and following up on those reports.

Follow these seven steps, and your CMS and e-commerce platforms will be more secure and more trustworthy than ever before. Are these steps reasonable? Yes. Are they easy? Once systems are in place to work safely and run securely, yes. Your customers, suppliers, and partners want your systems to be safe. Let's get to work.

7 Smart Ways to Secure Your E-Commerce Site

The new feature detects attempts to modify files and processes for Microsoft Defender for Endpoints on macOS.

Microsoft has announced general availability of tamper protection in Microsoft Defender for Endpoint on macOS. The feature, which has been in public preview since May, will be rolling out over the next few days.

Tamper protection allows administrators who deal with Apple hardware in their environments to block the unauthorized removal of Microsoft Defender for Endpoint on macOS systems, as well as prevent any attempts to tamper with Microsoft Defender for Endpoint files, processes, and configuration settings. The feature elevates the organization’s endpoint security posture, Microsoft said in a post on the Microsoft Tech Community.

“Enhanced tamper resilience across prevalent platforms is a great advantage for organizations seeking to continuously enhance their endpoint security,” the company said.

Tamper protection is a device-level setting, which means the protection will apply to all users on the device. Available settings are “disabled,” “audit,” and “block.” By default, Microsoft Defender for Endpoint on macOS will have Tamper protection set to “audit,” so actions to uninstall the agent, modify Microsoft Defender files, or creating new files in the location where Microsoft Defender is installed will be logged automatically. However, administrators will not see any alerts in the Security Center – they will need to check either on-device logs or under the Advanced Hunting feature.

Tamper protection needs to be switched to “block” in order for administrators to see alerts and for tampering activities to be blocked. The company says a future rollout will automatically switch settings so that “block” becomes the default setting.

Administrators can enable the feature using a mobile device management platform, such as Endpoint Manager or Jamf. Tamper protection is available only for Microsoft Defender for Endpoint version 101.70.19 or above and on macOS versions Monterey, Big Sur, and Catalina.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Microsoft Rolls Out Tamper Protection for Macs

"Seaborgium" is a highly persistent threat actor that has been targeting organizations and individuals of likely interest to the Russian government since at least 2017, company says.

Microsoft's Threat Intelligence Center (MSTIC) has taken steps to disrupt the operations of "Seaborgium," a Russia-based threat actor that has been involved in persistent spear-phishing and credential-theft campaigns aimed at organizations and individuals in NATO countries since at least 2017.

The threat actor's primary motivation appears to be cyber espionage. Its victims include numerous organizations in the defense and intelligence communities, nongovernmental organizations, think tanks, higher-education institutions, and intergovernmental organizations, mainly in the US and UK. Microsoft said it has identified some 30 organizations that have been targeted in Seaborgium campaigns so far this year alone.

"Seaborgium has a high interest in targeting individuals as well, with 30% of Microsoft’s nation-state notifications related to Seaborgium activity being delivered to Microsoft consumer email accounts," Microsoft said in a blog post this week. Targeted individuals have included former intelligence officials, Russian experts, and Russian citizens outside the country that are of interest to Moscow. Available telemetry and tactics suggest overlaps between Seaborgium and threat groups that others are variously tracking as the Callisto Group, ColdRiver, and TA446, Microsoft said.

Seaborgium is just one of multiple Russia-based groups that are targeting US firms in cyber-espionage campaigns currently. Earlier this year, the US Cybersecurity and Infrastructure Security Agency (CISA) warned about Russian actors systematically stealing sensitive, but not classified, data on US weapons development and technologies used by the US military and government. The warning followed one from January about the potential for more Russian attacks on US targets in retaliation for US-led sanctions over the war in Ukraine.

**Sophisticated Impersonation**

In its blog post, Microsoft described Seaborgium actors as using mostly the same social-engineering tactics over the years to try and gain an initial foothold in a target organization. Before launching a campaign, the threat actor has typically tended to conduct extensive research on targeted individuals to identify their social and business contacts. The research has often involved the threat actor using social media platforms — including fraudulent profiles on LinkedIn — and publicly available information gather intel on individuals of interest.

They then have used the information to impersonate individuals known to the target and contacted them using new email accounts with email addresses or aliases configured to match the names or aliases of the impersonated individuals, Microsoft said. The tone of the initial contact is usually different depending on whether an individual is a personal/consumer target or someone working in a targeted organization. In the case of the former, Seaborgium actors have typically started with a benign email that exchanges pleasantries on topics of interest to the target and references a nonexistent attachment. Microsoft surmised that the goal of taking this approach is likely to establish a rapport with a target. If the phishing email recipient replies, the threat actor responds with an email containing a link to their credential-stealing infrastructure.

Seaborgium's phishing emails have a more businesslike and organizational tone to them for individuals within a target organization. In these situations, the threat actors have shown a tendency to take a more authoritative approach in directing email recipients to the credential-stealing site — for example, by taking cybersecurity-themed lures. In most campaigns, Seaborgium actors have embedded the URL to their credential-stealing site directly in the email body itself, Microsoft said. But of late, the threat actor has also been using PDF files and attachments spoofing a document or file-hosting service — often OneDrive — to distribute the link.

**Using Stolen Credentials to Steal Emails and Attachments**

Microsoft said its researchers have observed Seaborgium using stolen credentials to directly log in to victims' email accounts and steal their emails and attachments. In a few instances, the threat actor has also been observed configuring victim email accounts to forward emails to attacker-controlled addresses. 

"There have been several cases where Seaborgium has been observed using their impersonation accounts to facilitate dialogue with specific people of interest and, as a result, were included in conversations, sometimes unwittingly, involving multiple parties," Microsoft said, adding that often these conversations have involved potentially sensitive information.

**Under Scrutiny**

As far as the disruption goes, the computing giant has now disabled accounts that Seaborgium actors have been using for victim reconnaissance, phishing, and other malicious activities. This includes multiple LinkedIn accounts. It has also developed detections for phishing domains associated with Seaborgium.

F-Secure, which refers to the threat actor as the Callisto Group, has been tracking its activities since 2015. In a 2017 report, the security vendor had described Callisto Group as a sophisticated actor targeting governments, journalists, and think tanks in the EU and parts of eastern Europe. F-Secure had described the group's campaigns as involving highly convincing spear-phishing emails often sent from legitimate email accounts to which the threat actor had previously gained access, using stolen credentials.

More recently, Google warned about the threat actor in a broader update on malicious cyber activity in eastern Europe since the start of the Ukraine war in February. The company said it had observed ColdRiver — its name for Seaborgium — continuing to use Gmail accounts to send credential-phishing emails to Google and non-Google email accounts belonging to politicians, defense and government officials, journalists, and think tanks. "The group's tactics, techniques and procedures (TTPs) for these campaigns have shifted slightly from including phishing links directly in the email, to also linking to PDFs and/or DOCs hosted on Google Drive and Microsoft One Drive," Google said. The files have contained a link to a credential-phishing domain, according to Google.

Source

DARKReading