For the first time, CyberCatch's SMBVR detected significant vulnerability to 'session riding' attacks among North American SMBs.

CyberCatch today announced the publication of its quarterly Small and Medium-Sized Businesses Vulnerabilities Report (SMBVR) for Q1 2022 to alert small and medium-sized businesses (SMBs) to an alarming rise in vulnerabilities detected in Internet-facing websites, servers and applications. Of greatest concern,

CyberCatch's SMBVR has detected - for the first time in the report's history — substantial levels of vulnerability among both U.S. and Canadian SMBs to "session riding" attacks, an insidious tactic that forces authenticated users to unknowingly submit malicious requests that can have drastic consequences.

The high levels of vulnerabilities detected - across all ten segments both in the U.S. and Canada - is very concerning.

The SMBVR is a quarterly research study focused on SMBs in North America to detect vulnerabilities that a cyber attacker can identify and exploit to break into a business, steal data and or infect its systems with ransomware. The Q1 2022 SMBVR was comprised of scans of a random sample of 12,050 SMBs (10,878 in U.S. and 1,172 in Canada) in ten high-value target segments. Key findings of the Q1 2022 study include:

\-- 82% of U.S. and 78% of Canadian SMBs have spoofing vulnerabilities that attackers can easily exploit.

  
\-- CyberCatch's report detected significant levels of session riding vulnerability among SMBs, with 50% of such businesses in the U.S. demonstrating this vulnerability and 49% in Canada. This is the first time this vulnerability has reached such critical levels in the research report.

  
\-- Spoofing, clickjacking, session riding and sniffing are the four key vulnerabilities that SMBs are susceptible to in the U.S. and Canada.

  
\-- Spoofing, clickjacking and sniffing vulnerabilities levels more than doubled in the U.S. when compared to Q4 2021.

\-- Defense contractors, manufacturers, managed service providers (MSPs), technology companies, colleges and universities, legal and accounting firms and medical practices have significantly higher rates of vulnerabilities both in the U.S. and Canada.

"The Q1 2022 SMBVR should be a wake-up call for all types of SMBs. The high levels of vulnerabilities detected - across all ten segments both in the U.S. and Canada - is very concerning. It indicates that large numbers of SMBs have security holes that can be easily exploited remotely to steal data and install  
ransomware. This is an existential threat to SMBs - and to the overall economies of the U.S. and Canada," said Sai Huda, founder, chairman and CEO, CyberCatch. Mr. Huda is a globally recognized risk and cybersecurity expert and author of the best-selling book, "Next Level Cybersecurity."

"Given its size, limited knowledge about cybersecurity and resources, an SMB may never be able to recover from a cyberattack. Foreign adversaries and criminal gangs view SMBs as the weakest link in the chain and are increasingly targeting SMBs for the initial payout but also to get to the eventual larger target who the SMB may be a supplier to (upstream risk), or to the SMB's customers (downstream risk) and in the process, they don't care a bit about any collateral damage caused or if the SMB survives or not," continued Mr. Huda.

"In fact, two Joint Advisories issued in May 2022 from International Cyber Authorities, confirm the risk identified by CyberCatch. The May 11 Joint Advisory from the U.S. CISA, NSA, FBI and International Cyber Authorities (Canada, UK, Australia and New Zealand)warns of expected increased attacks targeting MSPs focusing on their customers (downstream risk). The majority of MSPs are themselves SMBs and CyberCatch's SMBVR identified MSPs as one of ten segments with significant vulnerabilities that could be exploited. The May 17 Joint Advisory from U.S. CISA, NSA, FBI and International Cyber Authorities (Canada, UK, New Zealand and Netherlands) warns of missing or ineffective cybersecurity controls that are commonly exploited by attackers, which includes failing to scan for vulnerabilities and failing to perform ongoing testing of controls, so SMBs need to take enhanced risk mitigation action as recommended in the Joint Advisories and in the SMBVR," said Mr. Huda.

To download a copy of the SMBVR, please visit CyberCatch's website.

**About CyberCatch**

CyberCatch is a unique cybersecurity Software-as-a-Service (SaaS) company that protects small and medium-sized businesses (SMBs) from cyberattacks by focusing on the root cause why SMBs fall victim: security holes. It provides an innovative cloud-based SaaS platform coupled with deep subject matter expertise to help SMBs implement just the right type and amount of cybersecurity controls. The platform then performs automated testing of controls from three dimensions: outside-in, inside-out and social engineering. It generates the Cyber Breach Score to continuously measure cyber risk, and finds security holes and guides the SMB to fix them promptly, so attackers can't exploit any missing or broken controls to break in and steal data or infect ransomware. CyberCatch's continuous value proposition: Test. Fix. Secure.

Learn more at: https://www.cybercatch.com

New CyberCatch Research Discovers Alarming Increase in Cyber Vulnerabilities for Small and Medium Sized Businesses in US and Canada

Digital supply chains are more vulnerable than ever; here's what you need to do to secure them.

The digital supply chain is under attack like never before. Listed among the top seven security concerns for 2022 by Gartner, digital supply chain security is now top of mind for cybersecurity teams, CISOs, and the entire C-suite. For the first time, digital supply chain attacks are threatening business continuity for large-scale enterprises.

**Why the Digital Supply Chain and Why Now?**

Digital supply chains are connected to almost every mission-critical service in an organization. All Internet-facing services are built on a tiered ecosystem of third-party services and infrastructures. In turn, every third party has its own third parties, which have their own third parties, and so on down the line. This means that the vulnerabilities of your vendors and your vendors' vendors (and so on) often become _your_ vulnerabilities.

There are several reasons why digital supply chains are especially vulnerable now, including:

*   **Digital supply chain attacks are worth the investment for hackers.** Owing to the nature of the digital supply chain, replicating a single exploit can cast a very wide attack net. This exponentially increases the potential attack payoff and the ROI of exploit development.

*   **Developers of Web-based applications and services accelerate development with external code packages**. These development paradigms carry their own inherent vulnerabilities, the dangers of which are passed up the digital supply chain.

*   **Cloud service security often falls into a digital no-man's-land.** SaaS or PaaS managed cloud services operate in a shared responsibility model. This creates a gray area among vendors, making it hard for traditional cybersecurity solutions to identify if a third-party component has been tampered with.

Threat actors know that it's easier to exploit a vulnerability deep within the digital supply chain than to attack an enterprise head-on. This is why digital supply chains are now the fastest-growing attack surface for most enterprises: By our estimates, 50% to 60% of all cyberattacks are perpetrated via third parties.

**The Action Items**

To mitigate the risk of attack via digital supply chain vectors, enterprises need to adopt a proactive threat prevention strategy and remediate vulnerabilities before they become catastrophic breaches. Here's a list of how that breaks down and what needs to happen _yesterday_:

*   **Automate asset discovery:** You can't protect what you don't see, so proactively discover what's out there. Find and map known, unknown, and orphaned externally facing assets, including those introduced through shadow IT implementations. Take into consideration the uncontrolled assets that form your digital supply chain, no matter how far downstream they may be.  
    
*   **Assess vulnerability:** Once you know what you have, you still need to understand which (if any) external assets are vulnerable, how they can be exploited, and the severity of the risk they pose. In addition, "follow the connections" by conducting an in-depth and extensive connection-oriented assessment — discovering how assets downstream are vulnerable, and how that vulnerability may be propagated back up the digital supply chain and become a security risk.  
    
*   **Continuously monitor:** What was secure yesterday may not be secure tomorrow. Make sure you’re continuously scanning to identify new assets in your external attack surface or supply chain (for example, a new third-party vendor or a change in third-party cloud storage providers). Then, reassess each third-party asset, externally facing Internet asset, and distributed cloud infrastructure. Check closely for signs of digital supply chain misconfigurations and vulnerabilities.  
    
*   **Prioritize risk and plan remediation:** What should your team mitigate first? Do you have an actionable, timely mitigation and remediation plan and workflow based on vulnerability prioritization — for both your external attack surface and digital supply chain?

It's important to apply these strategies not only to your direct Internet-facing assets, but also to key areas including:

*   **Cloud-based services:** The keys to your castle are literally in the cloud. Their security is crucial to business continuity. Yet cloud misconfigurations are the leading cause of vulnerabilities. Create an end-to-end inventory of cloud assets across all cloud providers. Use this dynamic inventory as the basis for ongoing monitoring and risk management planning.

*   **Subsidiaries:** Digital assets that belong to your subsidiaries but are connected to your primary business may pose risk. It's important to assess and remediate that risk.

*   **M&As:** Even after mergers, acquisitions, and divestitures, networks may still contain connected assets. It's critical to get a handle on the risk signature of newly acquired or newly relinquished digital assets as part of any merger, acquisition, or divestiture.

**The Bottom Line**

Recent attacks have crystalized what hackers have understood for years — a breach anywhere along the digital supply chain can easily lead to a compromise of services, users, customers, and your brand reputation. To beat digital supply chain attacks, companies need to take a proactive approach to resolving the vulnerabilities within _their entire external attack surface_ — including third parties and beyond.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

How to Keep Your Enterprise Safe From Digital Supply Chain Attacks

To minimize the impact of cyber incidents, organizations must be pragmatic and develop a strategy of resilience for dealing with break-ins, advanced malware, and data theft.

The frequency and severity of cyber threats are escalating and will continue to get stronger as cybercriminals pivot from one target to the next to maximize profit potential. Sooner or later, an attack will be successful. This presents a huge risk for businesses that lack sufficient cyber-resiliency preparation to stop the spread and recover quickly.

Cybercriminals are becoming experts in deception, which makes them increasingly difficult to detect. When they infiltrate an organization’s system, the door remains open for them to recode and encrypt a business's data. Once this happens, cybercriminals gain control (of data and systems) and can hold a business's information for ransom.

In addition to the ransom cost, additional costs are incurred following a ransom attack. Of those companies falling victim, 74% report business disruption lasting more than a day, with 28% taking a week or longer to recover from a ransom attack. For many, especially small and midsize companies, the financial and reputational repercussions of recovering from the occurrence can be devastating.

**Cyber-Resilience Framework**

To minimize the impact of cyber incidents, organizations must become pragmatic and develop a cyber-resilience strategy for dealing with the ramifications of cyber incidents. While reducing cyber-risk doesn’t guarantee there will never be a creaky backdoor for cybercriminals to slip in, it decreases the opportunities for attack and can accelerate an organization's recovery rate.

A cyber-resilience framework must include numerous elements of prevention and the ability to recover (if an attack is successful). There are six steps organizations can leverage when creating a multipronged cyber framework to achieve cyber resiliency.

**1\. Identify**

Organizations cannot protect what they have not identified. IT teams must regularly scan the organization's entire IT footprint including endpoints, servers, and cloud applications. This ensures assets as well as potential vulnerabilities are identified before cybercriminals can exploit them.

**2\. Protect**

With the hybrid work model here to stay, employees' remote devices are often the first target for cybercriminals. To mitigate this risk, organizations must ensure employee devices have endpoint protection solutions enabled to ensure cyber intrusions are automatically blocked while still allowing their work routines to be left undisturbed.

**3\. Detect**

While prevention is key to reducing cyber-risks, one thing can be said about cybercriminals: They are persistent. If they meet a closed door, they will try another. Threat intelligence and experience-based detection are essential to prevent a cyberattack attempt from evolving into a major cybersecurity breach.

**4\. Respond**

If a threat is detected in the third step, organizations can find themselves in a harmful spot when considering business continuity. To lessen the impact of a cyber breach, organizations should have a predefined playbook in times of crisis. This step can reduce the period of panic and allow for IT teams and the entire organization to act timely and efficiently when a breach is detected.

**5\. Recover**

In many cases, a cybercriminal will create their own backdoor as they infiltrate an organization's system. This allows cybercriminals to return and continue to collect the information needed to hold a business for ransom. To enable an easy return, organizations need to back up critical servers and endpoints. This allows organizations to recover damaged devices and use their backup file recovery as a lifeline.

**6\. Educate**

This step comes back to cyber protection being only as strong as each remote employee. Cyber awareness is essential when establishing cyber resilience so IT teams need to take the time to educate employees about cybercrime tactics such as phishing and business email compromise. By consistently implementing periodic, easy-to-understand awareness and response training, organizations are one step closer to ensuring cyber resilience and mitigating human risk.

**From Framework to Action**

Unless implemented, a framework is just a blueprint. Organizations must convert a cyber-resilience plan into their cybersecurity infrastructure to ensure effectiveness. Furthermore, leveraging a cyber-resilience framework can act as a confidence assessment guide. Business leaders and IT teams alike must revaluate their action plans to achieve practical cyber-prevention methods for the next time cybercriminals knock at the backdoor.

6 Steps to Ensure Cyber Resilience

The most serious flaw gives attackers a way to remotely execute code on systems that many organizations use to move data in critical ICS environments, security vendor says.

A pair of critical flaws in industrial Internet of Things data platform vendor Open Automation Software (OAS) are threatening industrial control systems (ICS), according to Cisco Talos.

They're part of a group of eight vulnerabilities in OAS software that the vendor patched this week.  

Among the flaws is one (CVE-2022-26082) that gives attackers the ability to remotely execute malicious code on a targeted machine to disrupt or alter its functioning; another (CVE-2022-26833) enables unauthenticated use of a REST application programming interface (API) for configuration and viewing data on systems. 

In its advisory, Cisco Talos described the remote code execution (RCE) vulnerability as having a severity score of 9.1 on a 10-point scale and the API-related flaw as having a score of 9.4.

The remaining flaws exist in different components of OAS Platform V16.00.0112. They were assessed as being less severe (with vulnerability-severity ratings that range from 4.9 to 7.5), and included information disclosure issues, a denial-of-service flaw, and vulnerabilities that allow attackers to make unauthorized configuration changes and other modifications on vulnerable systems.   

"Cisco Talos worked with Open Automation Software to ensure that these issues are resolved, and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy," its advisory noted. The company recommended that organizations using the vulnerable software ensure that proper network segmentation is in place to minimize the access that an attacker, who exploited the vulnerabilities, would have on the compromised network.

OAS's Open Automation Software Platform is primarily designed to let organizations in industrial IoT environments move data between different platforms — for instance, from an Allen Bradley programmable logic controller (PLC) to a Siemens PLC. Central to the platform is a technology the company calls Universal Data Connect that enables data to flow from and between IoT devices, PLCs, applications, and databases. OAS describes its technology as also being useful for logging data in ICS environments and putting then in open formats, and for aggregating data from disparate sources. OAS has customers from across multiple industry verticals including power and utilities, chemical, construction, transportation, and oil and gas.

**Critical Flaws**

The RCE execution vulnerability (CVE-2022-26082) that Cisco Talos discovered exists in a secure file transfer functionality in the OAS Platform V16.00.0112. An attacker can exploit the vulnerability by sending a sequence of properly formatted configuration messages to the OAS Platform to upload an arbitrary file. Cisco said the issue had to do with missing authentication for a critical function. 

"The easiest way to mitigate attempts to exploit this vulnerability is to prevent access to the configuration port (TCP/58727 by default) when not actively configuring the OAS Platform," Cisco Talos said.

The REST API-related vulnerability (CVE-2022-26833) that Cisco discovered and reported to OAS also stems from improper authentication. The flaw exists in OAS Platform V16.00.0121 and gives unauthenticated attackers a way to use the REST API to make malicious changes to the platform. Attackers can trigger the flaw by sending a series of specially crafted HTTP requests to the software. 

To mitigate the risk from this flaw, Cisco recommended that organizations create custom security groups and user accounts with only the needed permissions and then restrict access to these accounts.   

Researchers have been discovering a steadily growing number of vulnerabilities in ICS and operational technology (OT) environments in recent years. A study that industrial cybersecurity vendor Claroty released earlier this year showed vulnerabilities impacting these environments increased 52% in 2021 to 1,439, compared to 942 in 2020. About 63% of the flaws were remotely exploitable. 

The number of vulnerabilities reported last year was some 110% more than the 683 flaws reported in ICS technologies in 2018. Vulnerabilities were reported for the first time in products from 21 of the 82 ICS vendors that were affected by flaws last year.

Critical OAS Bugs Open Industrial Systems to Takeover

Organizations must ensure their kubelets and related APIs aren’t inadvertently exposed or lack proper access control, offering an easy access point for malicious actors.

Kubernetes clusters provide a scalable and resilient backbone to many modern Internet-facing applications. However, if adversaries can access the nodes in those clusters, they essentially take over your infrastructure. They can compromise the integrity of your systems and hijack the infrastructure and use it for their own purposes.

Recent data from Shodan shows 243,469 Kubernetes clusters that are publicly exposed. These clusters also exposed port 10250, used by the kubelet (the agent that runs on each node and ensures that all containers are running in a pod) as a default setting. Attackers could potentially use the kubelet API as an entry point in targeting Kubernetes clusters to mine for cryptocurrency.

Trend Micro researcher Magno Logan looked at how cybercriminals could abuse these clusters and exposed kubelet ports.

First, there is the problem of sensitive information leakage by returning data on the running pods on the node.

In addition, since the kubelet API is exposed, there is another endpoint _/run_ that would allow an attacker to execute commands inside the running pods of the cluster just by sending a _POST_ request to the specific pods and using the parameter _cmd_ to execute the desired shell commands. Trend Micro says threat actor TeamTNT performed multiple _/run_ commands in just this manner to compromise multiple clusters last year. This technique can make things easier for attackers to take over clusters, Logan says in the report.

Logan called it "very concerning" that hackers could use the kubelet API as an entry point when targeting Kubernetes clusters.

"Those 600 kubelets we've found to be completely exposed and without authentication or authorization could easily be compromised via simple API requests," he said. "That would allow an attacker to execute commands on the pods running inside that node, most of the time to mine cryptocurrencies."

**Exposed Kubelets Leave Door Open to Malicious Actors**

According to Michael Isbitski, director of cybersecurity strategy for Sysdig, when Kubernetes clusters or kubelets are improperly exposed or don't enforce proper access control, it leaves the door open for a wide range of malicious activity.

"Attackers can potentially harvest sensitive data being transmitted within the cluster, spin-up new workloads, reconfigure elements of a node, disable access controls, erase audit trails, add vulnerable dependencies, bootstrap malicious cryptominers, and more," he says.

Isbitski notes that many Kubernetes configurations are secure by default with current platform offerings, but some organizations may be sitting on old or misconfigured deployments.

He points out organizations also sometimes inadvertently override secure defaults to get a cluster to an operational state without understanding the potential security risks.

"We've seen issues with vulnerabilities in runtime components, which can result in container escapes and lateral movement within networks if attackers are successful in their exploitation attempts," he says.

**Practice Defense In-Depth, Zero Trust**

Matt Dupre, director of software engineering at Tigera, a provider of security and observability for containers, Kubernetes, and cloud, points out that sufficiently privileged access to the kubelet amounts to a complete compromise of that host and potentially any other workloads running on it.

Access to the Kubernetes API has the same potential impact: Admin access essentially provides complete control of the cluster and everything in it.

He notes that while the security risk is significant, an overwhelming majority of the clusters that accepted connections from the Internet rejected the requests due to lack of authentication or authorization.

"Given that, there are two concerns: firstly, that you fall in that misconfigured 613 clusters, or that a new critical vulnerability that bypasses authn or authz is found, and this would be a very significant vulnerability," Dupre says. "Organizations' internal APIs are probably a bigger worry in practice."

He advises practicing defense in depth by following zero-trust principles and not allowing connections to your kubelets from unknown sources, such as the Internet.

"Additionally, you could port-scan your infrastructure and investigate any responses," he adds. "Keeping careful control of access tokens is always important — they should never be published, and you should have processes in place to ensure that they and other secrets are stored properly."

**Avoid Exposing the Kubelet Default Port**

As a basic kubelet security practice, Logan says organizations shouldn’t expose their kubelet port (10250 by default) to the Internet.

"If you need to do that, at least enable kubelet authentication and authorization on the kubelet API to avoid attackers being able to perform requests to the API and receive the 401 – Unauthorized response," he adds.

Mark Lambert, vice president of products at ArmorCode, an application security provider, says when deploying these types of systems, take a "zero-trust mindset" and remember that the default configurations are usually set up for ease of use, not security.

"This means you need to pay close attention to configuration files, disable features you are not using, change default ports, and minimize information leakage so that hackers cannot gain insight that could provide them another point of attack," he says.

Finally, all this needs to be operationalized as part of your application security program, and development teams must be engaged early, as they play a key role in building security into the design of the application from the start.

Besides enabling the kubelet authentication and authorization on the kubelet API, Logan advises restricting the kubelet permissions via the least privilege principle and periodically rotating the kubelet certificates to reduce the attack surface.

"Organizations should also investigate tools for runtime protection such as Falco to prevent and alert when there are suspicious execution happening inside their containers," he says.

**Constantly Analyze IaaC, Monitor Clusters in Runtime**

Isbitski says native capabilities and tooling from cloud providers and Kubernetes platform providers can provide a starting point for keeping kubelets protected.

He adds that security teams must continuously analyze the infrastructure-as-code used to configure and operate clusters, scan dependencies used by workloads, and monitor clusters in runtime to detect malicious activity, such as when an attacker attempts unauthorized access to the Kubernetes APIs.

"Appropriate access control should also be implemented at multiple points of a cluster," he says. "Native capabilities like Kubernetes network policy also help with restricting communication within a cluster and enforce zero trust principles."

Isbitski points out the Kubernetes control plane is also multilayered when working with managed Kubernetes.

In those scenarios, security teams should also continuously validate the cloud tenant configurations, along with IAM policies, for misconfigurations and excessive permissions.

Exposed Kubernetes Clusters, Kubelet Ports Can Be Abused in Cyberattacks

Space Force's Delta 6 cyber-defense group adds squadrons, updates legacy Satellite Control Network.

Space Force's Delta 6 mission, responsible for thy cyber defense of US military satellites, is adding four squadrons to boost cybersecurity throughout the military branch, as well as oversee the modernization of the aging Satellite Control Network.

Each operational mission within Space Force, from missile warning systems to navigations and communications, is organized into one of nine "Deltas," Breaking Defense explained in a report about the move. 

Delta 6 is the "cyber operations" group and will expand to embed a cyber-defense squadron of personnel called "Cyber Protection Teams" within other wings, Space Operations Command announced. 

Delta 6 will need also need additional help as it tackles upgrading the aging Satellite Control Network, which is a series of 19 antennas positioned around the world and relied upon by the military, NASA, the National Oceanic and Atmospheric Administration, and the National Reconnaissance Office, Breaking Defense reported. 

The system dates back to 1958, according to Delta 6 Commander Roy Rockwell. 

"Our scheduling system still operates on DOS — so, 1990s technology," Rockwell told Breaking Defense. “We are working through an upgrade that should be complete by the end of this year that’ll bring us up to a Windows-level type scheduling capability. So we're still far behind." 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Space Force Expands Cyber Defense Operations

The 14th defendant behind The Infraud Organization contraband marketplace has been sentenced, this time for one count of racketeering.

Stolen identities, compromised credit-card data, computer malware, and more were collected and sold by The Infraud Organization, a transnational cybercrime syndicate — and the Department of Justice estimates the activity cost victims more than $568 million. 

Now a member of the cybercrime group has been sentenced to four years in prison for his role in Infraud: a 37-year-old Brooklyn, NY, resident named John Telusma, who pleaded guilty to one count of racketeering. He's the 14th defendant sentenced in the case.

The DoJ said Telsuma joined the Infraud Organization in August 2011 and over the subsequent five-and-a-half years became one of the "most prolific and active members of the Infraud organization, purchasing and fraudulently using compromised credit-card numbers for his own personal gain," the DoJ announcement of the sentencing said. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Scammer Behind $568M International Cybercrime Syndicate Gets 4 Years

The Chaos ransomware-builder was known for creating destructor malware that overwrote files and made them unrecoverable -- but the new Yashma version finally generates binaries that can encrypt files of all sizes.

The Chaos malware-builder, which climbed up as a wiper from the underground murk nearly a year ago, has shape-shifted with a rebranded binary dubbed Yashma that incorporates fully fledged ransomware capabilities.

That's according to researchers at BlackBerry, who say that Chaos is on track to become a significant threat to businesses of every size.

Chaos began life last June purporting to be a builder for a .NET version of the Ryuk ransomware – a ruse its operators leaned into hard, even using Ryuk branding on its user interface. However, a Trend Micro analysis at the time showed that binaries created with this initial version shared very little heritage with the well-known ransomware baddie. Instead, the sample was “more akin to a destructive trojan than to traditional ransomware,” the firm noted – mainly overwriting files and rendering them unrecoverable.  

BlackBerry researchers noted the same. Rather than using Ryuk’s AES/RSA-256 encryption process, the "initial edition of Chaos overwrites the targeted file with a randomized Base64 string," according to BlackBerry's new report. "Because the original contents of the files are lost during this process, recovery is not possible, thus making Chaos a wiper rather than true ransomware."

After putting the builder out in underground forums and catching plenty of snark and flak by fellow Dark Web denizens for hijacking the Ryuk brand, the group consequently named itself Chaos. The malware also cycled rapidly through several different versions, each with incremental changes that gave it more and more true ransomware capabilities. However, the wiper functionality persisted through version four.

"Based on the forums, the original ransomware is believed to be developed by a solo author," Ismael Valenzuela, vice president of threat research & intelligence at BlackBerry’s Cybersecurity Business Unit, tells Dark Reading. "This author appears new to the ransomware scene, as they were requesting feedback, bug reports, and feature requests, and the early releases were missing basic features, such as multi-threading, which are common in other ransomware."

**Inside the Chaos**

Chaos targets more than 100 default file extensions for encryption and also has a list of files it avoids targeting, including .DLL, .EXE, .LNK, and .INI – presumably to prevent crashing a victim’s device by locking up system files.

In each folder affected by the malware, it drops the ransom note as “read\_it.txt.”

"This option is highly customizable within all iterations of the builder, giving malware operators the ability to include any text they want as the ransom note," according to BlackBerry's analysis. "In all versions of Chaos Ransomware Builder, the default note stays relatively unchanged, and it includes references to the Bitcoin wallet of the apparent creator of this threat."

Over time, the malware has added more sophisticated capabilities, such as the ability to:

*   Delete shadow copies
*   Delete backup catalogs
*   Disable Windows recovery mode
*   Change the victim’s desktop wallpaper
*   Customizable file-extension lists
*   Better encryption compatibility
*   Run on startup
*   Drop the malware as a different process
*   Sleep prior to execution
*   Disrupt recovery systems
*   Propagate the malware over network connections
*   Choose a custom encryption file-extension
*   Disable the Windows Task Manager

Actual encryption capabilities (using AES-256) have been included only since the third version of the malware; even then, the builder could only encrypt files smaller than 1MB. It was still acting as a destructor for large files (such as photos or videos).

"The code is written in such a way that the wiper function is certainly not accidental. It's unclear why the authors made this choice," Valenzuela says. "It's possible the malware authors made the decision for performance reasons. If the malware was working slowly through a directory of multi-GB videos or database files, there's a small chance the user might notice and be able to power off the device."

**Chaos, Version Four: 'Onyx' Ransomware, Still With Wiper**

Though version four of the Chaos builder was released late last year, it got a boost when a threat group named Onyx created its own ransomware with it last month. This version quickly became the most common Chaos edition directly observed in the wild today, according to the firm. Notably, while the ransomware was improved to be able to encrypt slightly larger files – up to 2.1MB in size – larger files are still overwritten and destroyed.

The latest attacks have been directed toward US-based services and industries, including emergency services, medical, finance, construction, and agriculture, according to BlackBerry.

"This particular threat group \[infiltrates\] a victim organization's network, \[steals\] any valuable data it found, then would unleash 'Onyx ransomware,' their own branded creation based on Chaos Builder v4.0," researchers said – something researchers were able to verify with sample tests that showed a 98% code match to a test sample generated via Chaos v4.0. The only changes were a customized ransom note and a refined list of file extensions.

Onyx has also implemented a leak site called “Onyx News” hosted on the Tor network, with information about its victims and publicly viewable stolen data. The site is also used to give victims more information on how to recover their data.

"The best advice we could offer companies \[targeted with the Onyx wiper\] is to maintain regular backups, which are stored separately, and to not pay the ransom as most of their files are not recoverable due to design," says Valenzuela. "Again, proper incident command is paramount, something that is always better planned in advance."

**Chaos Wiper Reined in With Yashma**

In early 2022, Chaos released a fifth version of its builder, which finally generated ransomware binaries capable of encrypting large files without irretrievably corrupting them.

"Though slower to complete its malicious tasks on the victim device than when it was simply destroying files, the malware finally operates as expected, with files of all sizes being properly encrypted by the malware and retaining the potential to be restored to their former unencrypted state," researchers noted.

A nearly identical sixth iteration soon followed in mid-2022 – renamed Yashma.

"Malware-as-a-service \[MaaS\] is a popular model these days; however, a unique selling point for Chaos is that up until the rebrand to Yashma, all releases have been free," Valenzuela notes. "That said, the Yashma versions are still only $17, making the ransomware widely accessible."

Yashma incorporates two advances over the fifth version: the ability to prevent the ransomware from running depending on the language set on the victim device, and the ability to stop various services.

Regarding the latter, Yashma terminates the following:

*   Antivirus (AV) solutions
*   Vault services
*   Backup services
*   Storage services
*   Remote Desktop services

Both of these versions have seen little action in the wild to date – meaning that Chaos ransomware attacks will most often incorporate a destructive wiper dimension. But it's likely that binaries based on all of the iterations of the builder will become more common over time.

"What makes Chaos/Yashma dangerous going forward is its flexibility and its widespread availability," researchers noted in the report. "As the malware is initially sold and distributed as a malware builder, any threat actor who purchases the malware can replicate the actions of the threat group behind Onyx, developing their own ransomware strains and targeting chosen victims."

**Every Business Is a Target**

Valenzuela points out that with Chaos, the level of technical expertise required to use it is relatively low, the builder is free, and the steps required to generate a binary of one's own are straightforward.

"No organization or industry is exempt from this risk," he said. "Every business needs to have a good defensive strategy – including a tested defensible architecture with a combination of technologies that provide prevention, visibility, and detection coverage, as well as continuous monitoring augmented with up-to-date threat intelligence – to respond early in the attack chain."

Valenzuela adds, "We have seen how many businesses have been compromised for days or weeks before the detonation of the ransomware payloads, so being able to respond to threats quickly is paramount to lessen the impact of these attacks."

New Chaos Malware Variant Ditches Wiper for Encryption

The malware’s abuse of PowerShell makes it more dangerous, allowing for more advanced attacks such as ransomware, fileless malware, and malicious code memory injections.

The browser-hijacking malware known as ChromeLoader is becoming increasingly widespread and growing in sophistication, according to two advisories released this week. It poses a big threat to business users.  

ChromeLoader is a sophisticated malware that uses PowerShell, an automation and configuration management framework, to inject itself into the browser and add a malicious extension. This kind of threat drastically increases the attack surface, as today’s enterprises rely more on software-as-a-service (SaaS) apps amid flexible working environments and diverse endpoints.

“The browser is the front door to the Internet, and therefore the user’s first line of defense when they access SaaS applications,” Ohad Bobrov, Talon Cyber Security's CTO and co-founder, tells Dark Reading. “Attackers have identified the browser as an opportunity to steal remote information from SaaS applications, as well as create malicious extensions they can easily manipulate.”  

In this case, the malware is using malicious optimal disc image (ISO) files — often hidden in cracked or pirated versions of software or games — to take over the browser and redirect it to display bogus search results in a malvertising scheme.  

Both a MalwarebytesLabs advisory and a Red Canary warning point out that ChromeLoader’s abuse of PowerShell, combined with the use of ISO files, make ChromeLoader particularly aggressive.

“PowerShell, like any other advanced shell, can be used as an administration tool to automate tasks,” explains Mike Parkin, senior technical engineer at Vulcan Cyber, a provider of SaaS for enterprise cyber-risk remediation. “Admins use benign shell scripts for myriad tasks because they can be versatile and easily accessible on almost every platform.”

He points out that the use of an ISO file to carry the script, which then drops a malicious extension, is not a new technique, but it remains effective because ISOs are still commonly used in business settings. While this campaign is relying on a ruse of pirated software, ISOs are also important in network and system management and are used for installing packages on servers and containers. Linux is installed via ISO, as are some Windows upgrades.

**Infecting the Browser Helps Bypass Security Measures**

Parkin adds that with so many applications being now browser-based, it’s a logical place for cybercriminal to put their malicious code.

In addition, the browser is an application that is not monitored by most security programs, and extensions are usually not scanned by most endpoint protection solutions to determine whether they are malicious.

“By infecting the browser, the attacker gets around a number of security measures, such as traffic encryption, that would otherwise impede their attack,” Parkin says. “It’s like adding a malicious hard drive to your system.”

Having access to a browser provides attackers access to victim data and could, in some cases, provide the opportunity to perform actions on the compromised person's behalf. With such easy access and high-value information inside browsers, malware operators can achieve big results for minimal effort.

To boot, ChromeLoader's capabilities do not end with installing malicious extensions — it could carry out more advanced attacks as well.

“Most security tools don't detect it,” says Talon's Bobrov. “The fact that ChromeLoader abuses PowerShell makes it incredibly dangerous, since this can allow for more advanced attacks, such as ransomware, fileless malware, and malicious code memory injections.”

He adds that ISO files can hold a lot of data, so there's plenty of room for malware to hide. In addition, these files are confusing for end users and have some automatic actions that the operating system might perform.

**Cyber Hygiene, User Education Needed to Stop Malicious ISO Files**

Bobrov says that to prevent exposure to malicious ISO files, the first step is related to basic cyber hygiene: You need to understand and trust the data you download and where you download it from.

“Do not launch ISO files that are not from trusted sources, and never run files inside ISO without verifying their safety,” he advises. “When browsing the Internet, make sure you have security controls in place to help monitor the websites you browse and help protect you from malicious content.”

From Parkin’s perspective, user education is a good first step to prevent exposure to malicious ISO files, which includes teaching users to be wary of downloading suspect files. (Any cracked software falls into this bucket.)

“Beyond user education, admins can deploy tools and enforce policies that restrict mounting ISO files, though that may be a challenge in \[bring-your-own-device\] BYOD environments,” he says.

A step beyond that is using remote desktop environments such as VNC, Citrix, or Windows Remote Desktop, which can shift policy enforcement back into the IT admin’s hands.

ChromeLoader Malware Hijacks Browsers With ISO Files

Here's how physical security teams can integrate with the business to identify better solutions to security problems.

The responsibilities of physical security teams have expanded well beyond traditional security roles. However, these security teams all too often are seen only as a cost center instead of being recognized as risk management professionals who can help move the business forward in areas far beyond "guns, guards, gates, and locks."

The same knowledge, skills, and abilities that help your security team excel when dealing with high-stress, high-anxiety physical security risks and threats can be focused to help confront other risks your business is facing. In fact, your team may already have significant knowledge and skills to handle risks that may not fall directly within the physical security realm, such as insider threats, third-party risks, cybersecurity risks, operational risks, and personnel issues.

Here are some tips to help security leaders reimagine how physical security teams can integrate with other business areas to find better solutions to the security problems their organizations are facing.

**Connect With the Business to See the Big Picture  
**Expanding collaboration with counterparts in other business divisions — specifically, HR, legal, information technology, compliance, and risk management — can help security teams connect their day-to-day contributions to the larger goals and successes of the organization. It's pretty clear that when we connect security to the organization’s larger risk management strategy, the organization will be able to leverage the unique perspective of physical security risk managers to find effective solutions to other problems. It starts, as with many major improvements, with conversations across the organization among multiple stakeholders.

Indeed, it’s crucial for the engagement between security and its counterparts to be a two-way dialogue. When there is mutual understanding between the physical security team and other counterparts in the organization, that knowledge can motivate all sides to find more common-sense solutions and compromises that everyone can get behind.

**Learn Something New  
**How much does your team know about other areas of the business or about the industry? In some cases, having additional knowledge and skills could be the difference between managing risks with a business-as-usual mindset and creating an innovative solution that could save your team time and resources. Encourage your teams to learn new skills, get training to accomplish a goal, or explore new tools helps keep everyone engaged and looking at their work with fresh eyes. Even a few hours spent learning a new skill in an online learning platform like LinkedIn Learning or Udemy can create enormous time and resource savings. Where possible, create opportunities for individuals to share their knowledge with others to reinforce their own learning and help motivate more growth throughout the team.

**Use Technology More Effectively  
**Physical security teams are investing more resources in technology solutions that help identify and monitor threats, streamline and automate workflows, and protect personnel and resources. These solutions should ultimately make your team more efficient and effective, but that's possible only if team members understand a tool's features and know how to use them correctly. The right technology can provide a tactical advantage and instill greater confidence in times of uncertainty.

Encourage your team to spend time learning about the technology products they use, as well as the most efficient and effective ways to use them. In addition, use these opportunities to consider how the information and data your team is collecting could assist others within the organization. Many security-focused tools and platforms contain useful data and features that other departments would find valuable as they work to manage similar threats or investigate emerging problems. Ensuring that data and tools are shared with the appropriate stakeholders could save your organization money and your team time.

**Demonstrate Value  
**As security teams have taken on more responsibility and managed a more comprehensive threat landscape, they have increasingly sought a seat at the executive decision-making table. While those in executive protection may naturally have greater access and be received more readily by those at the top, at too many organizations, the physical security team is still viewed through the antiquated lens of a cost center, solely focused on physical safety and security threats.

While upskilling the staff and integrating the security team into broader risk management functions will help the security team get its seat at the table, It's critical for security teams to create metrics that measure their activities, develop baselines, and document improvements over time. This can be challenging for physical security teams that successfully prevent problems — after all, it’s difficult to prove your team is effective and valuable if nothing happens — but it is possible.

I'll give you an example that came up in a recent discussion of security professionals hosted by Ontic. A security team initiated a conversation with its real estate and risk management team and found that they tracked metrics on the financial impact to the organization when and if specific buildings saw their operations disrupted. What’s more, a few buildings suffered from a disproportionate number of false fire alarms that disrupted operations. The security team worked with others to swap smoke detectors for heat sensors, resulting in a drastic reduction in false alarms. This resulted in a documentable reduction in costs to the organization.

**Conclusion**  
Physical security teams can (and should) be much more than a cost center. By focusing efforts on training, collaboration, and value demonstration, physical security teams' reach and impact will help move the organization forward.

Source

DARKReading