Although organizations should perform proper risk analysis and patch as soon as practical after there's a fix for this vulnerability, defenders still have options before that's released.

On May 27, 2022, researchers from Japan-based nao\_sec identified a malicious document in a commercial malware repository, dubbed "Follina," that revealed the document employed a novel technique to achieve code execution. \[Note: Read Dark Reading's earlier coverage on Follina.\] While referencing a remote object, similar to techniques like template injection, the document retrieves the following URL:

_hXXps://www.xmlformats\[.\]com/office/word/2022/wordprocessingDrawing/RDF842l.html!_

When still active, the URL hosted content that included follow-on code to execute PowerShell via an explicit call to the application "ms-msdt":

    

MSDT is a diagnostic tool included in Windows. As shown above, MSDT can be used to parse and execute code, such as PowerShell, and can be called through parsing a malicious resource. Abuse of MSDT isn't new, as the technique previously has been documented among known "living off the land" binary (LOLBins) abuse. However, its use via a URL redirection called from Microsoft Office was previously unknown, expanding scope of potential MSDT abuse to remote mechanisms.

Since initial reporting, Microsoft issued CVE-2022-30190 to cover this remote code execution (RCE) possibility within MSDT when called through another application. While a patch for this vulnerability has not yet been released, several mitigation strategies exist (covered in greater detail below).

As of this writing, actual abuse of this technique appears to be limited, but with examples dating back to as early as April 2022. Public disclosure and researcher notes identify only a few instances of malicious use of MSDT via Microsoft Office applications. However, since public identification, multiple proofs of concept for this technique emerged, and Gigamon Applied Threat Research (ATR) anticipates that multiple threat actors will soon incorporate this technique into operations.

**Impact**

At present, the impact of CVE-2022-30190 is largely notional given lack of identified widespread use by threat actors. Once this technique is absorbed into existing actor toolkits, however, circumstances will change, with the potential for use by multiple threat actors. On initial discovery, endpoint detection and response (EDR) solutions appeared largely blind to this execution mechanism, but as of this writing that is rapidly changing across multiple vendors and products. Furthermore, as explained in guidance from Microsoft, MSDT's capability to launch items as links can be disabled via changes to the Windows Registry, removing this intrusion vector (with the potential for unforeseen or undesired consequences) until a true patch is available.

More importantly, while much initial discussion focused on the Office mechanism for triggering this issue, CVE-2022-30190 is application-agnostic in functionality, which centers on passing code to MSDT for execution. While Office represents an obvious mechanism to reach this application through delivery of a document via phishing or malicious link, any mechanism of launching MSDT will work to enable follow-on RCE such as a malicious LNK file or via the implementation of "wget" in Windows. The Office route presents just one of many potential avenues for exploitation, with other possibilities of MSDT abuse publicly documented.

For defenders and end users, the risk is therefore not just a new malicious Office delivery vector but, rather, abuse of an internal Windows component (MSDT) for code execution via multiple potential vectors. As such, certain mitigations (such as stopping all child processes from Office applications) represent only partial fixes to one aspect of the problem. To appropriately determine the scope and risk of this scenario, defenders must orient how MSDT abuse, irrespective of vector, applies to adversary operations.

**Orienting to Adversary Operations**

As documented thus far, MSDT is leveraged in early phases of adversary operations as an initial access mechanism to victim machines. As noted by other researchers, MSDT abuse via Office results in follow-on execution with the same privileges as the active user. This is helpful if victims are running as unprivileged users, but given the wealth of mechanisms available to elevate privileges in Windows environments, this limitation would appear to be easily overcome by most adversaries.

However, even if an adversary can access and elevate privileges to a victim device, this specific action represents only one, relatively early step in the overall adversary life cycle, or "kill chain." Appropriately leveraging this vulnerability still requires follow-on actions, including command and control (C2) and lateral movement activity, that present options to defenders for identifying adversary operations. Furthermore, there are precursor actions to code execution via MSDT that defenders can leverage to identify suspicious behaviors leading to exploitation.

Overall, CVE-2022-30190 represents a concern, but only one of many potential avenues available to adversaries to achieve initial code execution in victim environments. By properly understanding how adversaries employ this technique and what are necessary pre- and post-exploit actions to achieve adversary objectives, defenders can begin identifying detection, response, and hunting strategies that work against multiple potential intrusion vectors.

**Detection and Mitigation Possibilities**

1.  **Focus on patching and host-based responses.** The initial security community focus for MSDT abuse mitigation focused on patching (or the inability to do so) and host-based responses. As a host-focused exploitation mechanism, such an approach appears reasonable, and patching will be the most effective way of addressing this specific security issue. Additionally, process parent-child relationship monitoring (or outright blocking) can significantly reduce attack surface by preventing entire categories of intrusion, such as Office or MSDT spawning child processes. Specifically unregistering the URI handler for MSDT in the Windows Registry, as outlined by Microsoft and security researchers, may also temporarily address the issue.
2.  **Look for pre- and post-exploitation activity.** As noted in the previous section though, defenders should strive for detections and mitigations that can apply irrespective of specific exploits by looking at required adversary actions pre- and post-exploitation. For example, in the case of CVE-2022-30190, current delivery mechanisms focus on Office implementations. Likely future implementations will probably expand to other file formats commonly distributed via email or malicious websites, such as LNK files, self-extracting archives, and optical disk images. Identifying and increasing visibility over these distribution pathways, limiting exposure to unknown or untrusted vectors, and similar actions may thus reduce attack surface against multiple types of delivery mechanisms that can be used for payloads beyond MSDT exploitation.
3.  **Identify potential C2 or lateral movement mechanisms**. Post-exploitation, various opportunities exist for identifying C2 or lateral movement mechanisms even if initial exploitation is missed. Following initial access, threat actors will in most cases need to migrate to other areas of the network: repositories of intellectual property or sensitive information, or critical network infrastructure such as domain controllers. The actions required to do so — such as enumerating Active Directory or remote process execution — present opportunities even without host monitoring to identify adversary operations.
4.  **Identify and classify network assets.** Further actions, such as identifying and (if possible) classifying newly observed network items (IP addresses and domain names) may allow for disclosure of unique C2 items. Where appropriate asset identification is enabled, identifying odd network traffic to new, unusual remote resources can further enable defenders to catch and categorize potentially malicious activity. Identifying unusual traffic based on User Agent strings when visible — such as a PowerShell-based User Agent string retrieving an executable file based on file MIME type or extension, as seen in the initial CVE-2022-30190 example — can further enhance visibility into insecure or undesirable network behaviors.

Overall, a variety of options remain available to network defenders even if the actual exploitation of a new, potentially unknown (or "zero-day") vulnerability takes place. Understanding one's own network and its characteristics combined with sufficient visibility into network and host behaviors allows defenders to ask (and answer) questions concerning activities of interest to flag the necessary preconditions and follow-on actions adhering to vulnerability exploitation. While not necessarily easy in all cases, proper investment in resources and people will allow organizations to achieve a redundant security posture capable of catching zero-day exploitation, supply chain intrusions, or state-sponsored attacks.

**Conclusion**

Software and application vulnerabilities are a continuous and ongoing problem in the information security space. CVE-2022-30190 represents just another example of such vulnerabilities that have the potential to facilitate adversary operations. While organizations should perform proper risk analysis and patch as soon as practical once there's a fix for this vulnerability, defenders are not lost prior to release.

Instead, by understanding how adversaries leverage exploits as part of the intrusion life cycle, defenders and network owners can structure detections and defense so that they are agnostic to specific vulnerabilities. Rather than continuously chasing specific weaknesses as they appear over time, such as specific defenses around CVE-2022-30190 weaponization, defenders can structure operations to look for necessary precursors to exploit development (reconnaissance, delivery) or required follow-on actions to achieve objectives (C2, lateral movement).

In building defense and response this way — focused on core behaviors and adversary dependencies — defenders can build a more sustainable security posture that can adapt to future, yet-to-be-discovered vulnerabilities along with current, known tradecraft. Through layering behavior-based detections along with patching, signatures, and other items, defenders can achieve the requisite defense-in-depth necessary to adapt to a dynamic threat environment, without relying on single-point-of-failure defenses easily evaded by capable adversaries.

Fighting Follina: Application Vulnerabilities and Detection Possibilities

Artificial intelligence technology can detect the latest wave of Trickbot ransomware and block the attack before it causes damage.

When malware strains disappear, it is often by choice of their creators and threat actors, rather than as a result of outside efforts to shut them down. The actions governments and organizations take to combat these threats directly have often proved short-term and limited in scope — a pattern that the resurrection of Trickbot last year unfortunately demonstrated.

An effort led by Microsoft and its partners to shut down Trickbot malware was conducted in the lead-up to the 2020 US election in an attempt to reduce the risk of election tampering. In the end, 94% of Trickbot's infrastructure was effectively eliminated, massively reducing its influence in late 2020.

Despite taking such substantial losses, however, Trickbot soon saw a resurrection of incredible proportions. Rather than dying off as some hoped it might, the strain grew back at such a rate that by June 2021 it had again become the most prevalent malware in the world.

One of the numerous businesses that Trickbot targeted that month was a European public administration organization. Unaware that one of its internal domain controllers had been compromised by Trickbot, the organization happened to begin a trial of Darktrace's artificial intelligence (AI)-driven cybersecurity technology, which shined a light on the malicious attack taking place within their network.

**AI Catches an Emerging Trickbot Ransomware Attack**

Darktrace employs AI-powered behavior-based detection, which can differentiate between benign and malicious activity within an organization. When the compromised domain controller began uploading DLL files to other devices, Darktrace's technology immediately detected the activity and suggested an appropriate response. However, it was configured in "human confirmation" mode — meaning it required a human operator to confirm the action.

As it waited for the human team to approve its actions, Darktrace continued to monitor the progression of the threat. It detected the compromised domain controller uploading Trickbot over SMB to almost 300 devices across the organization, and then utilizing Windows Management Instrumentation (WMI) to execute it.

Trickbot may be old and well-documented malware, but its modular nature makes it endlessly adaptable and therefore difficult for security tools to pin down. At this stage in the attack, traditional tools within the organization's network had still failed to spot the threat. When the nature of the attack changes with every new instance and modular configuration, intelligence-based security systems will always struggle to keep up.

The difficulty of relying on OSINT to address Trickbot was demonstrated in this attack when 160 of the 280 compromised devices were detected connecting to new C2 endpoints. Microsoft and its partners had specifically targeted C2 servers in 2020, but Trickbot's turnaround in the aftermath of that action showed how quickly new servers and endpoints can be established. In this case, OSINT did not associate any of the endpoints the 160 company devices connected to with malicious activity; however, Darktrace recognized the behavior as unusual nonetheless, and issued a high-severity threat notification to the organization.

For over a month, the attackers laid low. Darktrace then detected compromised devices scanning the network and downloading suspicious executable files — most likely Ryuk ransomware payloads. With several stages of the attack now months apart, it would have been hard for a human team to piece together its full scope.

**Targeted Action Before Encryption**

With AI constantly investigating threats across the entire digital environment, however, Darktrace pieced together this attack into a distinct lifecycle and presented it to the security team. It was at this stage that the organization took notice of the threat and turned Darktrace to "autonomous" mode, enabling the AI to take action.

While the automated tool can often stop ransomware attacks at the first signs of a compromise, it can engage at any stage of an attack. Thus, when it was activated at a very late stage by this organization, it still calculated a precise and effective response.

Several malicious actions were blocked by the AI, including SMB enumeration, network scanning, and suspicious outbound connections. Because it targeted these actions rather than the overall devices, the 280 compromised devices were able to continue with their normal business operations as the attack was brought to a halt.

Now that they could no longer complete command-and-control (C2) communications or move laterally, the attackers were unable to execute Ryuk and the attack came to an end. And not a moment too soon. If the attackers had been allowed to execute the ransomware, they likely would have exfiltrated and then encrypted data from across the company. Even if a ransom is paid, ransomware victims often incur numerous other costs, including network shutdowns and remediation, as well as PR fallout.

**Staying Ahead of Malware Trends**

It's clear that Trickbot is as strong and evasive as it ever was and that relying on rules or intelligence-based tools alone is no longer an option for organizations trying to avoid falling victim. Rather than waiting for companies and governments to launch offensives against the endlessly regenerating infrastructure of attackers, organizations should take matters into their own hands and bolster their own infrastructures with AI.

By recognizing how the business usually behaves, rather than worrying about identifying the attacker, Darktrace's AI can stop completely novel threats without rules or OSINT and won't be fooled by reconfigurations and rebrands. Protecting organizations against novel attacks in this way is the surefire way to start hitting Trickbot and other threat actors where it hurts.

Neutralizing Novel Trickbot Attacks With AI

In this Tech Talk, Darktrace's Brianna Leddy and Dark Reading's Terry Sweeney discuss ways ransomware groups adapt their activities as enterprise security teams evolve their defenses and controls.

Ransomware groups are difficult to shut down because they are constantly adapting their techniques to evade newer security defenses and controls. In this Tech Talk, Brianna Leddy, director of analysis at Darktrace, says that just because an attack group ceases operations doesn't mean they won't re-emerge in a different form.

For example, researchers believe that the DarkSide group behind the ransomware attack against Colonial Pipeline returned as Blackmatter, a ransomware-as-a-service group. DarkSide shut down its operations, presumably because of investigations by law enforcement and the US federal government clawing back the ransom payments.

This past year, several affiliate groups working with the group behind REvil ransomware were arrested. Even so, the fact that a site affiliated with REvil recently started redirecting to a new site seems like an indicator that the group is back in operation.

"I don't think it's the last that we've heard of this name," Leddy says.

Re-branding can also reflect a shift in tactics, Leddy says. As more organizations are scanning networks to look for malicious traffic, more attackers are beginning to "live off the land," Leddy says. Living off the land refers to abusing legitimate administrator tools and services to blend in their malicious activities among all other normal, day-to-day network traffic. Attackers are also increasingly targeting cloud services and backup servers to make it more difficult for organizations to recover their encrypted files from the attack group.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Darktrace's Brianna Leddy on How Ransomware Groups Adapt to New Defenses

Supply chain woes have dominated headlines, but there's another type of supply chain that's also increasingly at risk: the cloud supply chain.

Supply chain woes have dominated headlines, from raw material and labor shortages, to shipping delays and manufacturing problems. But there's another type of supply chain that's also increasingly at risk: the cloud supply chain.

Cloud supply chain risks have little to do with logistics in the literal sense of the word. Rather, they stem from vulnerabilities in cloud services and processes. Over the last 18 months, 79% of companies have experienced at least one cloud data breach, and 43% have reported 10 or more breaches in that time. And any company, in any industry, is vulnerable.

Though recent breaches have elevated awareness, cloud supply chain attacks are not going away. In fact, because cloud adoption has accelerated due to the COVID-19 pandemic, the threats may increase. So, what's at the root? Risks to the cloud supply chain primarily stem from ecosystem complexity, siloed operations, and lack of insight into software assets, all of which boil down to poor risk management.

But there's good news: gaining a clearer understanding of the supply chain as well as developing a standardized risk management protocol for the entire cloud software development life cycle can reduce the risks and challenges.

**Understanding Threats and Attack Types**

Recent studies into the supply chain have shown that at least 80% of a typical SaaS application is powered by multiple services and vendors, with each component representing a different level of risk. The complexity of this extended operating environment makes it extremely hard to manage, let alone pinpoint vulnerabilities and insecure configurations.

So, what does it look like when your cloud supply chain is under attack? Some attacks will compromise source code. In last year's PHP attack, an attacker compromised the self-hosted Git server and injected two malicious commits that were not detected by code maintainers. Organizations using the software language unknowingly downloaded the malicious code and used it in their operating environment. Dependency attacks, meanwhile, happen when attackers prey on vulnerable dependencies, also injecting them with malware.

Build pipeline threats are perhaps the most damaging types of attacks, since compromised code is turned into an executable format. During the SolarWinds attack, for example, a cybercriminal compromised the build process to insert corrupt Sunspot malware into update packages. SolarWinds did not detect the malware until much later. Though the nature of these attacks may differ, an overarching strategy can prevent them: a better understanding of what's under the hood of your cloud.

**Three Phases of Protection: Assessment, Standardization, and Partnership**

Organizations can reduce their cloud supply chain risks by developing a keen understanding of every piece of their cloud ecosystem. Yet today, just one in five organizations assesses their cloud supply chain in real time. The same number conduct weekly evaluations, and a concerning 58% evaluate their posture once a month or less frequently. This leaves the door open for bad actors.

To protect themselves, it's essential for organizations of all sizes to create a software bill of materials (SBOM), an inventory of all components in the tech stack. By doing so, companies can better understand the complexities of their environment and significantly reduce their vulnerability to cloud supply chain attack.

Once the assessment is complete and users are confident in the security of their cloud supply chains, the next step is to develop a strategy that maintains that level of security. The US National Institute of Standards and Technology's (NIST) framework for vetting cloud vendors can serve as a starting point, but companies should tailor the steps that NIST lays out to their development workflows and processes.

The right partner can also play a key role in risk management, especially for smaller businesses. While mega cloud vendors provide a solid foundation for developers to build secure products, alternative cloud providers can offer something additional: a concierge-style partnership that ensures companies aren't on their own when it comes to security.

For example, Akamai partners with the HackerOne bug bounty program, which has thousands of ethical hackers performing penetration testing against their operating environment and products. Additionally, Akamai offers security controls and protection against supply chain risk by scanning our tech stack.

**Creating a Culture of Security**

As an industry, we are currently in reaction mode. Attacks are on the rise, and organizations aren't taking enough proactive measures to prevent disaster. But as the dependency on cloud continues to grow, no company, big or small, can afford to take this gamble.

Security starts with understanding the stack, assessing the risks associated with each element, and committing to following established best practices. The software supply chain includes multiple departments — purchasing, IT, software engineering, development, release, change management, operations. It really is everyone's job to get it right.

**About the Author**

    

As senior director of information security, Joseph Zhou leads the cybersecurity program, architecture, and operations of Akamai's cloud compute operations. Zhou leads a team of security professionals spanning enterprise security architecture, network security, business continuity, security awareness training, and more. He brings a wealth of industry experience to the role, and previously served in CISO roles at Evive and Transworld Systems.

Managing Extended Software Supply Chain Risks

SeclarityIO's NetworkSage platform analyzes network traffic data to identify attacks before they become real problems.

The point of enterprise threat hunting is to give organizations a chance to find potential attacks and take corrective action before the attacks can cause damage and become a security crisis. But there is a lot of network data to scrutinize, a set number of hours in a day, and only so many analysts to do the work.

Enter NetworkSage, a cloud platform from SeclarityIO, which aims to analyze network traffic flow, focus triage alerts, and provide analysts with insights on potential problems that need to be addressed. With NetworkSage, managed service providers, security operations centers, and threat researchers can offload their entire triage workflow and get "expert analysis at machine speed," says David Pearson, co-founder and CEO of SeclarityIO.

Network data can be an "exceptionally strong source of truth," Pearson wrote in a blog post describing how threat hunters could use NetworkSage to identify phishing attacks. Threat hunters can look for traffic that could indicate a phishing attack, such as a user visiting sites and entering information, near an active email session. Or there might be sessions and communications that may indicate command-and-control activity.

In network security, anomaly detection depends on identifying "bad" activity in a network, but to do so requires establishing a meaningful baseline of "good" behavior. That is difficult in an enterprise environment because users are doing all kinds of different things and communicating with different people and systems on a daily basis. All of this contributes to high volumes of security alerts, because analysts have to track down every single deviation from so-called-normal activity. The problem is compounded by the fact that organizations are working with multiple security tools, Pearson says.

Alert fatigue is a major problem for enterprises as security practitioners receive hundreds of unprioritized alerts every day. Understanding which alerts are actually indicators of a problem is critical to security defense, but can be tedious and time-consuming. In a recent Orca Security study, 59% of respondents say they receive more than 500 public cloud security alerts per day. In the same survey, 55% said that critical alerts were being missed, often on a weekly and even daily basis.  

By using NetworkSage to automate the correlation and analysis, there is less likelihood of an analyst overlooking something or not getting to the real issues in a timely manner because they are distracted by less-important alerts.

**Finding Bad Patterns**

Pearson refers to NetworkSage as "network interpreter technology," as it analyzes network traffic to identify attack vectors, not specific payloads or individual URLs. The network flow is categorized across different categories. Analysts can find commonalities to identify traffic that is part of a malicious pattern. For example, the platform categorizes communications to any port on any site, which helps identify malicious activity associated with command-and-control servers, Pearson says.

Security analysts can load the organization's network flows into NetworkSage using an API and visualize who communicated with whom on the network, how a user interacted with a malicious site, and how many packets were sent and received, among other metrics. The platform also analyzes the flows and informs analysts if the interaction is actually problematic and requires remediation.

For example, security tools would raise an alert if the user (or multiple users) accessed a known phishing site, but they wouldn't say whether the user actually entered credentials. Without that knowledge, the analyst has to investigate and follow up with each user in order to find the ones who did fall for the phishing attack. NetworkSage looks at the organization's network data, so it can see how the user interacted with the site and identify which user entered credentials. The analyst now knows which of the potential issues resulted in an actual compromise and can respond accordingly.

In the past, security analysts would have to look at alerts and dig into the associated network logs to suss out whether a user accidentally entered the wrong credentials in a site, or if it was a malicious login attempt. NetworkSage automates that analysis to determine that the user did actually put their credentials in a phishing site, or opened a malicious executable.

**Common Use Cases**

Analysts can use NetworkSage in a number of ways, including as a tool to automatically triage alerts, review results from threat hunting exercises, and threat hunt using crowdsourced information, Pearson says. Automated triage is perhaps the most common. In that scenario, the platform captures the network activity that triggered an alert as well as activity just before and after. NetworkSage provides a high-level overview of what happened and whether it was interesting, as well as associated details that would be needing during the investigation.

Uploading the results from threat hunts to NetworkSage provides teams with an understanding of whether the activity is something that requires remediation. This could be useful if the threat hunt uncovers activity that could indicate a widespread phishing attack, for example.

There is also a community aspect, as well, Pearson says. NetworkSage can display the labelled information to all users without exposing sensitive details for each organization. This makes crowdsource threat hunting possible because everyone can see different parts of the threat landscape, and not just their own personal network view. Analysts can add details about what they are seeing and the platform shows metadata such as how long a particular flow to a specific destination has been in NetworkSage's data set. The broader perspective provides threat hunting teams with more information about places they should be looking for potential attacker activity. 

Pearson says NetworkSage is attempting to do for threat hunting and network traffic data what GreyNoiseIO does for analyzing Internet traffic to identify malicious traffic.

Hunting for Threats Using Network Traffic Flows

Security researchers have described the malware as among the fastest-spreading mobile threats in recent years.

An international team of law-enforcement officials has successfully disrupted infrastructure associated with FluBot, an especially pernicious malware tool that threat actors have been using since at least December 2020 to steal passwords, bank account details, and other sensitive data from Android users.

Europol announced the takedown Wednesday, noting that FluBot's infrastructure was now under the control of law enforcement.

"An international law enforcement operation involving 11 countries has resulted in the takedown of one of the fastest-spreading mobile malware to date," Europol noted. "The investigation is ongoing to identify the individuals behind this global malware campaign."

Researchers first spotted FluBot (at that time referred to as Cabassous) targeting Android users in Spain in December 2020. Over the course of the next year, the malware spread like wildfire to what Europol described as a "huge number" of Android devices in multiple countries, including Germany, the UK, France, Finland, Australia, and New Zealand.

**A Fast-Spreading Viral Threat**

FluBot spreads via SMS phishing messages (smishing) that use various pretexts to try and get recipients to click on a link for downloading the malware to their smartphones. In the early days of the malware, the SMS messages purported to be from delivery companies such as FedEx and DHL attempting to drop off a package. Users who were tricked into clicking on the link — ostensibly to reschedule delivery — ended up with the malware, disguised as a mobile app from the delivery company, downloaded to their Android devices.

Once installed, the malware seeks specific access privileges on the device that, if granted, it would use to steal payment-card data, bank account information, and other sensitive data. The malware was also designed to intercept and read text messages, open pages, disable Google Play Protect, and uninstall various apps from an infected device.

In addition, FluBot copies the infected device owner's contact list and sent SMS messages with infected links to all the numbers — a factor that likely contributed to its rapid spread, according to security vendor Bitdefender. The authors of the malware likely sold it as a service to different threat actors, too, contributing to its viral spread.

Over the course of 2021, threat actors used different SMS messages to try and trick users to click on the malicious link, including one that purported to be from a friend wanting to share a photo and another that tried to get users to listen to a fake voicemail message. Researchers from Bitdefender even observed attackers sending SMS phishing messages that ironically enough warned recipients about their devices being infected with FluBot and to take remedial action by clicking on the message link. In a report this January, Bitdefender identified Australia as the country most hit by FluBot, followed by Germany, Poland, Spain, and Austria.

Researchers from Proofpoint who tracked FluBot last year reported observing FluBot SMS messages in both English and German. The vendor said it had identified more than 700 unique domains that FluBot actors used for the English-language campaign alone.

**Android Threats Continue to Surge**

The FluBot takedown eliminates — temporarily — one of the biggest threats to Android device users in recent years. However, numerous other similar malware tools in the wild continue to present a serious threat. A recent report from ThreatFabric identified a continued increase in Android malware families such as Joker that enable fraudulent transactions being initiated from an infected device. Other examples include Alien, Cerberus, Hydra, and Octo.

The increase in Android malware families has also been accompanied by an increase in the number of malware droppers disguised as legitimate apps on Google's official Play mobile app store, ThreatFabric said. Among them is an app called NanoCleaner, which has been downloaded more than 10,000 times. In actuality, NanoCleaner is a dropper for Hydra.

Similarly, another app called Pocket Screencaster, with more than 10,000 installs, is a dropper for Octo, and another called Fast Cleaner, with more than 50,000 installs, is really a dropper for Alien and Octo.

"Threat actors continue to consider droppers on Google Play as one of the most effective ways to deliver malware to victims," ThreatFabric said.

FluBot Android Malware Operation Disrupted, Infrastructure Seized

Organizations leverage the platform-driven, human-delivered service to measure and continuously improve the efficacy of detective controls and MSSP coverage.

MINNEAPOLIS, June 1, 2022 /PRNewswire/ -- NetSPI, the leader in penetration testing and attack surface management, today announced new Breach and Attack Simulation (BAS) enhancements to meet increased market demand for improved threat detection. With the combination of the AttackSim cloud-native technology platform _and_ hands-on counsel from NetSPI's expert penetration testing team, organizations can continuously test their detective controls against real-world attack tactics, techniques, and procedures (TTPs).

According to NetSPI data, only 20% of common attack behaviors are caught by out-of-the-box detective controls (EDR, SIEM, MSSPs) – leaving organizations with a false sense of security. The updates to NetSPI's Breach and Attack Simulation allow detection engineers to measure their ability to detect common adversary behaviors and ultimately prioritize detection development as well as investments.

Following the initial collaborative assessment with NetSPI's experts, the AttackSim technology platform is provided to organizations for continuous testing and improvement. The platform features many new updates including:

*   **Seamless use, regardless of skill level:** An enhanced user experience (UX) and a refined user interface (UI) can be used by experts and novices alike.
*   **New automated plays and playbooks:** Detailed manual procedures for reproducing attacker behavior, as well as consistently updated security playbooks, allow organizations to better strengthen their security posture. With the latest updates, NetSPI has nearly 300 attack plays that can be used to test detective controls.
*   **Enhanced reporting:** Security teams now have additional data and metrics to work with, such as peer comparison, year-over-year reporting, and telemetry flow analysis. New reports that support programmatic, tactic, technique, and procedure (TTP) summary metrics are also now available.

"Indicators of Compromise have become less useful as the threat landscape evolves at a breakneck speed," said Cody Chamberlain, Head of Product at NetSPI. "To stay ahead of malicious actors, organizations must shift their gaze to detect attackers _before_ something bad happens. The NetSPI AttackSim platform, combined with the power of our skilled team of penetration testers, lets organizations continuously simulate real attack behavior, providing better insight into the efficacy of their detective controls."

"Small and medium-sized organizations with limited personnel often rely on MSSPs to implement detections and operate similarly to a security operations center (SOC)," said Scott Sutherland, Senior Director, Adversary Simulation and Infrastructure Testing at NetSPI. "We built Breach and Attack Simulation not only to improve detections, but also to enable organizations to validate MSSP coverage and better understand the scope of their agreements."

NetSPI will be demoing the AttackSim platform and its new capabilities during RSA Conference 2022 at booth #4605 in the North Expo Exhibit Hall. Schedule a meeting with the team.

To learn more about Breach and Attack Simulation, email \[email protected\] or visit https://www.netspi.com/security-testing/breach-and-attack-simulation/.

**About NetSPI**

NetSPI is the leader in penetration testing and attack surface management, partnering with nine of the top 10 U.S. banks, three of the world's five largest healthcare companies, the largest global cloud providers, and many of the Fortune® 500. NetSPI offers Penetration Testing as a Service (PTaaS) through its Resolve™ penetration testing and vulnerability management platform. Its experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces, historically testing over 1 million assets to find 4 million unique vulnerabilities. NetSPI is headquartered in Minneapolis, MN and is a portfolio company of private equity firms Sunstone Partners, KKR, and Ten Eleven Ventures. Follow us on Facebook, Twitter, and LinkedIn.

NetSPI's New Breach and Attack Simulation Enhancements Help Organizations Achieve Behavior-Based Threat Detection

New operational analytics and AI/ML platform drives contextual intelligence and prioritized actions to anticipate risky behaviors, disrupt threats and insure business resilience.

SAN JOSE, Calif. , June 1, 2022 /PRNewswire/ -- Netenrich, a leading security and operations analytics SaaS company, today announced that the company will showcase its new Resolution Intelligence platform® at the 2022 RSA Conference on June 6-9 at the Moscone Center in San Francisco. Netenrich will feature product demos and present platform details in the Google Cloud Security Booth #1943, South Expo Hall.

**Netenrich at RSA 2022  
**Netenrich invites security professionals and conference attendees to learn how they can optimize their security operations with analytics leveraging Google Chronicle. Managed service providers (MSSPs, MSPs, GSIs) benefit by plugging into the data analytics platform to quickly build innovative services and transform their business at service-provider scale.

Netenrich will share the latest advances in security operations, as well as the strategies and solutions security professionals need to secure their data against the most critical issues and behaviors. Visit booth #1943 during the times listed below:

*   Tuesday, June 7 from 10:00 AM – 12:00 PM PDT
*   Wednesday, June 8 from 4:00 PM – 6:00 PM PDT
*   Thursday, June 9 from 10:00 AM – 12:00 PM PDT

**Theater Presentation in booth**

*   Thursday, June 9 at 11:45 AM PDT

**Netenrich + Chronicle Happy Hour**

RSA attendees are invited to the Netenrich + Chronicle Happy Hour at the Monarch club on Wednesday, June 8, from 6 – 9 pm PDT. Come enjoy music, drinks, and live entertainment.

*   RSVP to secure your invite and bring your ID and RSA badge
*   **Monarch, 101 6th Street, San Francisco, CA 94114**

Follow Netenrich on Twitter , LinkedIn, and YouTube

SOURCE Netenrich

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Netenrich Debuts Resolution Intelligence Secure Digital Operations Platform at RSA 2022

The cloud instances were left open to the public Internet with no authentication, allowing attackers to wipe the data.

Cyberattackers are targeting misconfigured Elasticsearch cloud buckets exposed on the public Internet and stealing the wide-open data, then replacing it with a ransom note.

According to Secureworks Counter Threat Unit (CTU) researchers, more than 1,200 indexes have already been affected, with the attackers issuing 450 requests for Bitcoin payment in exchange for the return of the data. However, the ransom amounts are relatively low, researchers have pointed out: Taken together, all of the demands total just $280,000.

"The average ransom request was approximately $620 payable to one of two Bitcoin wallets," they noted in a Wednesday analysis. "As of this publication, both wallets are empty and do not appear to have been used to transact funds related to the ransoms."

Despite the lackluster follow-through on the part of attackers thus far, the situation highlights a serious issue: Misconfiguration of databases placed in the public cloud has reached epidemic proportions, with large numbers of enterprises mistakenly leaving storage buckets from Amazon Web Services, Google Cloud, and Microsoft Azure accessible with no authentication to read or write the data.

Often, these open instances are discovered by security researchers and locked down without incident — but system misconfigurations still drove an estimated 13% of overall malicious system breaches recorded in the recent Verizon's 2022 "Data Breach Investigations Report" (DBIR), with misconfigured cloud storage instances making up the bulk of those.

"Unsecured Elasticsearch instances are trivially easy to identify using the Shodan search engine," the CTU researchers noted. "The threat actor probably used an automated script to identify the vulnerable databases, wipe the data, and drop the ransom note."

They added, "the cost of storing data from 1,200 databases would be prohibitively expensive. It is therefore likely that the data was not backed up and that paying the ransom would not restore it."

In 2020, ESET researchers uncovered a similar attack that affected half of all exposed MongoDB instances, which were wiped and replaced with a ransom note.

12K Misconfigured Elasticsearch Buckets Ravaged by Extortionists

In this Tech Talk, Darktrace's David Masson and Dark Reading's Terry Sweeney discuss the rise of destructive attacks against critical infrastructure.

For years government regulators and security experts have been sounding the alarm about attacks that could cripple critical infrastructure — the assets and systems that support the functioning of a modern society and economy — but it took the attack against Colonial Pipeline for people to really pay attention, says David Masson, director of enterprise security with Darktrace.

That ransomware attack showed people firsthand how a cyber threat actually stopped gas from coming out of the pump, says Masson in this Tech Talk conversation with Dark Reading's Terry Sweeney. It doesn't even matter that the attackers behind Colonial Pipeline likely did not intend that outcome.

Since then, several other critical infrastructure organizations have been hit by ransomware and other attacks. There is also a worrisome trend toward more destructive attacks, Masson said. As an example, he points to the Russians trying to take down the telecommunications network in Ukraine to disrupt communications within the country. When their attempts failed, the Russians shot missiles directly at the cell towers and destroyed them, Masson notes.

About 85% of critical national infrastructure is under private control in North America, Masson says, which makes regulating critical infrastructure a bit of a challenge. The shift to public-private partnership, where infrastructure operators share threat information and intelligence with government agencies, is essential to understand the scale of the threat, he says.

President Dwight D. Eisenhower famously said that plans are worthless, but planning is indispensable. That mindset should drive security preparations: Deploy technology that gives visibility into the network, train people to recognize attacks, and maintain good backups so you can rebuild the infrastructure when needed.

"Start practicing and get ready so you don't end up being a rabbit stuck in the headlights," Masson says.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading