The FTK 7.6 portfolio promises better integration with other security and network resources, as well as unified analysis of mobile and computer evidence.

Digital forensics – the discipline of finding the traces that applications and processes leave behind in order to piece together events – has become vital to law enforcement agencies, lawyers, and researchers. Granted, combing through and analyzing even a single cell phone can be daunting in its sheer volume of data, but the knowledge gleaned can create a priceless "Perry Mason moment." 

Originating in 1984 with the US FBI's Computer Analysis and Response Team, the practice of digital forensics has expanded past government walls to create a marketplace of private service providers. Indeed, the worldwide digital forensics market is expected to grow from $10 billion in 2022 to almost $24 billion in 2030, according to Future Market Insights.

Digital forensics companies aim to make scanning for, collecting, and analyzing data easier and quicker. Toward that end, legal GRC software provider Exterro today announced an update to its FTK 7.6 set of products that the company says can make parsing mobile phone evidence from Android or iOS 10 times faster than previous generations of its products. Mobile evidence can be stored in the same database as computer evidence for unified analysis.

In addition, FTK Connect helps clients connect FTK tools with existing systems, including SIEM and SOAR/XSOAR, case management, e-discovery, and in-house applications. Besides allowing FTK users to collect and process data more quickly, the integration reduces the risk that moving data between systems creates, Exterro said.

While the company emphasized that its latest release is geared mainly for forensics for judicial use, it also improves incident response. Exterro pointed out that the FTK tool set allows enterprise cybersecurity staff to investigate potentially compromised endpoints, examining and collecting folders and files even when the endpoint is not connected to the corporate VPN.

Exterro counts among its customers dot-com businesses like DoorDash and Pinterest, big corporations like American Express and Nestle, and government entities such as the cities of Denver, Colorado and Sparks, Nevada; state offices in California, Massachusetts, and Maryland; and agencies such as the US General Services Administration and the Los Alamos National Lab.

New Exterro FTK Update Accelerates Mobile Digital Forensics

The US Cybersecurity and Infrastructure Security Agency had wanted federal agencies to implement the fix for the RCE flaw in Hikvision cameras by Jan. 24, 2022.

Some 2,300 organizations worldwide — many of them in the United States — remain at risk of major compromise via a known critical remote code execution (RCE) vulnerability in Hikvision IP video cameras that was disclosed last year.

The bug (CVE-2021-36260) is a command injection vulnerability that is present in the Web server of several Hikvision cameras. Attackers can exploit the vulnerability to launch commands that allow them to gain complete root-shell access to an affected device — something that even the owners don't have, according to the researcher that discovered the flaw.

The organizations using the unpatched devices are at risk of network compromise, and potentially even physical attack; attackers could use the zero-click vulnerability to take complete control of affected Hikvision cameras. From there, they could disable them ahead of a physical breach, or use them to breach connected enterprise networks, launch denial-of-service attacks on them, add them to a botnet, steal data, and carry out other malicious actions. 

"This is the highest level of critical vulnerability — a zero click unauthenticated remote code execution (RCE) vulnerability affecting a high number of Hikvision cameras. Connected internal networks at risk," according to the bug report.

The firmware vulnerability was discovered in June 2021 and reported to the hardware vendor, which then issued a patch for it last September. However, close to a year later, tens of thousands of affected devices — whose users include at least some federal civilian agencies — remain unpatched against the vulnerability.

**Hikvision Camera Analysis**

Researchers from Cyfirma recently analyzed a sample of 285,000 Internet-facing Hikvision cameras and found some 80,000 of them that are still open to exploit via the vulnerability. 

The countries with the greatest number of vulnerable devices were China (12,690), the US (10,611), and Vietnam (7,394). Other countries with a sizeable number of vulnerable Hikvision cameras included the United Kingdom, Ukraine, Thailand, and South Africa. The cameras belong to more than 2,300 organizations scattered across these and other countries.

In its vulnerability disclosure last September, Hikvision listed dozens of its products as being impacted by the vulnerability — some going as far back as 2016. The company had urged organizations using affected Hikvision cameras to install updated firmware to patch the flaw and guard against potential attacks targeting the flaw. 

The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2021-36260 to its catalog of known exploited vulnerabilities on Jan. 10 this year, and it required federal agencies using Hikvision cameras to install the firmware updates by Jan. 24.

According to Cyfirma, nearly a year after the flaw was disclosed, attacker interest in it remains high. The security vendor said it had observed multiple instances where threat actors sought to collaborate with each other to exploit the flaw.

"Specifically in the Russian forums, we have observed leaked credentials of Hikvision camera products available for sale," Cyfirma said. "These can be leveraged by hackers to gain access to the devices and exploit further the path of attack to target an organization's environment." Cyfirma noted it has reason to believe that a few Chinese threats actors, including APT41 and APT10, are also looking to exploit the vulnerability to breach target networks where possible.

In a blog post this week, security vendor Malwarebytes noted that adversaries have few obstacles to exploitation given several proofs-of-concept that have been published. These include a potential exploit for it that was published on Packet Storm last October; a Metasploit module based on CVE-2021-36260 that Packet Storm published this February; and reports of a Mira botnet variant called Moobot that was spreading via the Hikvision vulnerability. 

"Given the amount of available information, it is trivial even for a 'copy and paste criminal' to make use of the unpatched cameras," Malwarebytes warned.

The researcher who discovered the flaw — who goes by the handle "Watchful\_IP" — described the vulnerability as trivial to exploit, giving attackers the ability to take complete remote control of Hikvision cameras simply by accessing the camera's http(s) server port, which usually is 80/443.

"No username or password \[is\] needed, nor any actions need to be initiated by the camera owner," the security researcher observed in his initial vulnerability disclosure last year. "It will not be detectable by any logging on the camera itself."

Vulnerabilities in IoT devices — which can be anything from video cameras and building management systems to critical Internet-connected systems in medical, industrial control systems (ICS), and operational technology (OT) networks — present a growing challenge for enterprise organizations. A new report from Claroty this week noted a 57% year-over-year increase in vulnerability disclosures involving IoT products. 

The security vendor's study showed that for the first time the percentage of disclosed firmware vulnerabilities, like the one in Hikvision cameras, was nearly the same as the percentage of software vulnerabilities — 46% vs. 48%. In addition, the combined number of IoT vulnerabilities and vulnerabilities in medical IoT devices exceeded IT vulnerabilities for the first time as well. Claroty noted: "This indicates enhanced understanding on the part of vendors and researchers to secure these connected devices as they can be a gateway to deeper network penetration."

Thousands of Organizations Remain at Risk From Critical Zero-Click IP Camera Bug

The bug tracked as CVE-2022-0028 allows attackers to hijack firewalls without authentication, in order to mount DDoS hits on their targets of choice.

The US Cybersecurity and Infrastructure Security Agency (CISA) is warning that a high-severity security vulnerability in Palo Alto Networks firewalls is being actively exploited in the wild.

The bug (CVE-2022-0028, CVSS severity score of 8.6), exists in the PAN-OS operating system that runs the firewalls, and could allow a remote threat actor to abuse them to deploy distributed denial-of-service (DDoS) attacks against targets of their choice — without having to authenticate.

Two weeks since its disclosure, CISA said that it has now seen the bug being adopted by cyber adversaries in the wild, and it's added it to its Known Exploited Vulnerabilities (KEV) catalogue. Attackers can exploit the flaw to deploy both reflected and amplified versions of DDoS floods.

Exploitation of the issue can help attackers to cover their tracks and location, according to the original Palo Alto Networks advisory issued earlier this month.

"The DoS attack would appear to originate from a Palo Alto Networks PA-Series (hardware), VM-Series (virtual) and CN-Series (container) firewall against an attacker-specified target," according to the firm.

"The good news is that this vulnerability does not provide attackers with access to the victim's internal network," says Phil Neray, vice president of cyber-defense strategy at CardinalOps. "The bad news is that it can halt business-critical operations \[at other targets\] such as taking orders and handling customer service requests."

He notes that DDoS attacks aren't just mounted by small-time nuisance actors, as is often assumed: "DDoS has been used in the past by adversary groups like APT28 against the World Anti-Doping Agency."

The bug arises thanks to a URL-filtering policy misconfiguration, so instances that use a non-standard configuration are at risk. To be exploited, the firewall configuration "must have a URL filtering profile with one or more blocked categories assigned to a security rule with a source zone that has an external facing network interface," the advisory read.

**Exploited in the Wild**

Bud Broomhead, CEO at Viakoo, says bugs that can be marshaled into service to support DDoS attacks are in more and more demand by cybercriminals -- and are increasingly exploited.  

"The ability to use a Palo Alto Networks firewall to perform reflected and amplified attacks is part of an overall trend to use amplification to create massive DDoS attacks," he says. "Google's recent announcement of an attack which peaked at 46 million requests per second, and other record-breaking DDoS attacks will put more focus on systems that can be exploited to enable that level of amplification."

The speed of weaponization also fits the trend of cyberattackers taking increasingly less time to put newly disclosed vulnerabilities to work — but this also points to an increased interest in lesser-severity bugs on the part of threat actors.

"Too often, our researchers see organizations move to patch the highest-severity vulnerabilities first based on the CVSS," Terry Olaes, director of sales engineering at Skybox Security, wrote in an emailed statement. "Cybercriminals know this is how many companies handle their cybersecurity, so they've learned to take advantage of vulnerabilities seen as less critical to carry out their attacks."

But patch prioritization continues to be a challenge for organizations of all stripes and sizes thanks to the sheer number of patches that are disclosed in a given month — it totals hundreds of vulnerabilities that IT teams need to triage and assess, often without much guidance to go on. And furthermore Skybox Research Lab recently found that new vulnerabilities that went on to be exploited in the wild rose by 24% in 2022.

That said, "any vulnerability that CISA warns you about, if you have in your environment, you need to patch now," Roger Grimes, data-driven defense evangelist at KnowBe4, tells Dark Reading. "The \[KEV\] lists all the vulnerabilities that were used by any real-world attacker to attack any real-world target. Great service."

He notes that the list is exhaustive: "It isn't just full of Windows or Google Chrome exploits. I think the average computer security person would be surprised about what's on the list. It's full of devices, firmware patches, VPNs, DVRs, and a ton of stuff that isn't traditionally thought of as being highly targeted by hackers."

**Time to Patch & Monitor for Compromise**

For the newly exploited PAN-OS bug, patches are available in the following versions:

*   PAN-OS 8.1.23-h1
*   PAN-OS 9.0.16-h3
*   PAN-OS 9.1.14-h4
*   PAN-OS 10.0.11-h1
*   PAN-OS 10.1.6-h6
*   PAN-OS 10.2.2-h2
*   And all later PAN-OS versions for PA-Series, VM-Series and CN-Series firewalls.

To determine if the damage is already done, "organizations should ensure they have solutions in place capable of quantifying the business impact of cyber-risks into economic impact," Olaes wrote.

He added, "This will also help them identify and prioritize the most critical threats based on the size of financial impact, among other risk analyses such as exposure-based risk scores. They must also enhance the maturity of their vulnerability management programs to ensure they can quickly discover whether or not a vulnerability impacts them and how urgent it is to remediate."

Grimes notes that it's a good idea to subscribe to CISA's KEV emails as well.

"If you subscribe, you'll get at least an email a week, if not more, telling what the latest exploited vulnerabilities are," he says. "It isn't just a Palo Alto Networks problem. Not by any stretch of the imagination."

CISA: Just-Disclosed Palo Alto Networks Firewall Bug Under Active Exploit

The Russia-backed Nobelium APT has pioneered a post-exploitation tool allowing attackers to authenticate as any user.

The attackers responsible for the SolarWinds supply chain attack have added a new arrow to their quiver of misery: A post-compromise capability dubbed MagicWeb, which is used to maintain persistent access to compromised environments and move laterally.

Researchers at Microsoft observed the Russia-backed Nobelium APT using the backdoor after gaining administrative privileges to an Active Directory Federated Services (AD FS) server. With that privileged access, the attackers replace a legitimate DLL with the MagicWeb malicious DLL, so that the malware is loaded by AD FS as if it were legitimate.

Like domain controllers, AD FS servers can authenticate users. MagicWeb facilitates this on the part of the threat actors by allowing manipulation of the claims passed in authentication tokens generated by an AD FS server; thus, they can authenticate as any user on the network.

According to Microsoft, MagicWeb is a better iteration of the previously used specialized FoggyWeb tool, which also establishes a difficult-to-shake foothold inside victim networks.

"MagicWeb goes beyond the collection capabilities of FoggyWeb by facilitating covert access directly," Microsoft researchers explained. "It manipulates the user authentication certificates used for authentication, not the signing certificates used in attacks like Golden SAML."

For now, MagicWeb use appears to be highly targeted, according to Microsoft's advisory.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Efficient 'MagicWeb' Malware Subverts AD FS Authentication, Microsoft Warns

Center Hospitalier Sud Francilien (CHSF), a hospital outside of Paris, has redirected incoming patients to other medical facilities in the wake of a ransomware attack that began on Aug. 21.

Ransomware has disrupted operations at the Center Hospitalier Sud Francilien (CHSF), a 1,000-bed hospital outside Paris, locking down the facility's main systems including patient admissions and medical imaging. CHSF was forced to redirect incoming patients to other medical facilities, and hospital staff reverted to pen and paper. 

According to a report in Le Monde, the attackers demanded $10 million to decrypt the systems; it's unclear though whether the hospital paid the attackers any of the ransom. French authorities are investigating the ongoing incident and the threat actors behind the attack, which began on Aug. 21. 

"This attack does not impact the operation and security of the hospital building" and its telecommunications system, CHSF said in a statement, which was translated from French. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Ransomware Gang Demands $10M in Attack on French Hospital

An insider threat or remote attacker with initial access could exploit CVE-2022-31676 to steal sensitive data and scoop up user credentials for follow-on attacks.

An important-rated security vulnerability in VMware Tools could pave the way for local privilege escalation (LPE) and complete takeover of virtual machines that house important corporate data, user info and credentials, and applications.

VMware Tools is a set of services and modules that enable several features in VMware products used to manage user interactions with guest operating systems (Guest OS). Guest OS is the engine that powers a virtual machine.

"A malicious actor with local non-administrative access to the Guest OS can escalate privileges as a root user in the virtual machine," according to VMware's security advisory, issued this week, which noted that the bug, tracked as CVE-2022-31676, carries a rating of 7.0 out of 10 on the CVSS vulnerability-severity scale.

Exploitation paths could take many forms, according to Mike Parkin, senior technical engineer at Vulcan Cyber.

"It is unclear from the release whether it requires access through the VMware virtual console interface or whether a user with some form of remote access to the Guest OS, such as RDP on Windows or shell access for Linux, could exploit the vulnerability," he tells Dark Reading. "Access to Guest OS should be limited, but there are many use cases that require logging into a virtual machine as a local user."

The virtualization virtuoso has patched the issue, with patched-version details available in the security alert. There are no workarounds for the flaw, so admins should apply the update to avoid compromise.

The issue, while not critical, should still be patched as soon as practicable, Parkin warns: "Even with cloud migration, VMware remains a staple of virtualization in many enterprise environments, which makes any privilege escalation vulnerability problematic."

To monitor for compromise, John Bambenek, principal threat hunter at Netenrich, recommends deploying behavioral analytics to detect credential abuse, as well as an insider threat program to detect problem employees who may abuse their already legitimate access.

"VMWare (and related) systems manage the most privileged systems, and compromising them is a force multiplier for threat actors," he says.

The patch comes on the heels of the disclosure of a critical bug earlier this month that would allow authentication bypass for on-premises VMware implementations, to give attackers initial local access and the ability to exploit LPE vulnerabilities such as this one.

VMware LPE Bug Allows Cyberattackers to Feast on Virtual Machine Data

Organizations relying on multicloud or hybrid-cloud environments without ﻿a true understanding of their security vulnerabilities do so at their peril.

According to the Cloud Security Alliance's 2021 report, "State of Cloud Security Concerns, Challenges and Incidents," 41% of participants were "unsure" whether they had experienced a cloud security incident in the recent year.

And that percentage doubled since 2019.

Cloud security threats are on the rise, and more organizations are using two or more public cloud providers to meet organizational needs. These cloud environments typically host sensitive business and customer data, critical applications, and other high-risk information.

But these organizations are relying more on multicloud or hybrid-cloud environments without a true understanding of their security vulnerabilities, threats, or if an incident had occurred at all.

**Data Protection and Privacy**

Consistent data protection and privacy is difficult to achieve in diverse environments with their own built-in security tools. Many organizations struggle to protect data properly in multicloud environments in compliance with policy and regulatory requirements.

Disjointed environments have different security controls and tools, which makes consistent, ironclad protection a major hurdle.

Cloud management platforms (CMPs) are a viable solution to cloud management and security. With a CMP, administrators don't need to understand the differences between public clouds, but may use a consistent interface to manage both effectively.

This has significant advantages for improving cloud security. IT teams can implement a common security layer within a multicloud environment and then apply the same identity and access

**Visibility and Control**

Achieving visibility and control is difficult under the shared responsibility model and vendor-controlled infrastructure. With this model, the security is divided between the cloud provider and the customer – the cloud provider is responsible for security of the cloud, while the customer is responsible for security of what's in the cloud.

For many companies, this is a considerable challenge for multicloud environments. They don't have visibility and control at the lower layers of their stack and can't deploy traditional solutions, leaving significant gaps in their visibility.

There are several solutions to this problem.

**Enforce policies and data governance:** Companies are responsible for putting policies in place for cloud data ownership and responsibility. Data must be classified to ensure the appropriate security measures are in place.

**Manage Identity and access controls**: Identity and access management in the cloud is more complex than closed environments. Providers typically offer best practices and managed services to help companies with IAM, but the responsibility to use them effectively falls entirely on the company.

**Leverage data security management tools**: These tools are essential to protecting the ever-growing cloud. Scaling increases the complexity and creates hurdles with visibility, and a data security management tool offers a centralized option to manage data and users.

**Prepare for Cloud Adoption**

Multicloud infrastructure comes with incredible benefits for an organization, including reduced costs, greater flexibility and scalability, and management from a cloud provider.

The rapid adoption of the cloud creates vulnerabilities along with opportunities, however. Mitigating threats and risk with innovative security approaches can help organizations achieve security and compliance in multicloud and hybrid-cloud environments.

Facing the New Security Challenges That Come With Cloud

Every organization is on a zero-trust journey. Learn about how critical identity is to your security evolution, and how your organization can move forward.

In the face of never-ending threats and continued technology evolution, zero trust has quickly progressed from an intriguing idea and buzzword to a critical business imperative. Regardless of how advanced or how early their implementations are, all organizations are on this journey.

At the core of this zero-trust journey is identity, which serves as the front door to every user interaction, the heart of the remote work security challenge, and the foundation to making zero trust a reality. Recent survey data from Okta backs up that belief, with 80% of all security leaders calling out identity as an important component to their overall zero trust security strategy, with an additional 19% going so far as to call identity "business critical."

**Understanding Zero-Trust Evolution**

The "Okta State of Zero Trust Security Report" introduces an identity adoption model that provides clarity and direction for security practitioners trying to understand where they are in their zero-trust journey. This five-phase model provides companies with a way to understand how their peers are prioritizing identity projects today, and which initiatives they plan to prioritize and focus on over the coming months.

**Phase One: Traditional**

Organizations in the first phase typically are at the beginning of their cloud transformation journey: They're either trying to anticipate the challenges of cloud adoption or they're already experiencing them. These are organizations seeking to add multiple layers of security to their authentication processes to ensure they're giving the right people access to the right resources, including multifactor authentication (MFA) for employees, or connecting the employee directory to business-critical cloud apps.

Okta's report highlights how almost every organization has either begun or is shortly planning to begin this critical step in their evolution, with 95% of respondents stating they plan to complete the first phase of their zero-trust initiatives over the next 12**–**18 months.

**Phase Two: Emerging**

In phase two, organizations typically are leaning more heavily on the cloud while securing and simplifying user access to increase security and productivity. They may adopt new tooling such as MFA for external users, enable self-service factor resets to reduce help desk costs, or automate provisioning and deprovisioning for applications.

Zero-trust and identity-first strategies illustrate the critical need to extend authorization policies and standards throughout an organization's supply and partner ecosystem, and it's here that organizations showed the need for continued progress. The Okta research found that while nearly 80% of respondents have extended SSO for their employees, only 38% of respondents said their companies have extended MFA to external users.

**Phase Three: Maturing**

Maturing organizations experience more complex challenges such as increased compliance and regulatory requirements, a hybrid infrastructure, and the need to support a large, dynamic workforce.

Meeting these challenges means extending and expanding identity and access management (IAM) efforts beyond their employees and legacy network to accommodate a growing world of external users, as well as an expanding cloud or multicloud infrastructure. Organizations are recognizing the priority, with MFA and SSO for infrastructure set to make a significant leap in the next 12**–**18 months, jumping from 31% to 67%, by 2023.

**Phase Four: Elevated**

In the elevated phase, organizations are intelligently consolidating or deprecating any outdated tech and protecting key custom applications they find to be potential security weak points. In their bids to complete their digital transformation, they may add secure access to APIs, deploy proxy tools to modernize legacy technologies, or implement context-based access policies. Progress in this phase has become less streamlined as these projects are prioritized by companies at a disproportionate rate. For instance, roughly half of worldwide respondents already have implemented MFA across user groups (49%) and secured access to APIs (54%), but only 6% have implemented context-based access policies.

**Phase Five: Evolved**

By phase five, organizations have reached the stage where they can shift their focus away from implementing core zero-trust projects toward optimizing user life-cycle management, applying security access to servers, and implementing passwordless access.

Projects in this phase include deploying secure passwordless access across the board or making access decisions at the data layer based on user and device posture. Okta report data shows that nearly 22% of respondents from financial services companies plan to adopt passwordless access options within the coming 12**–**18 months, with 16% of healthcare and software companies not far behind. However, only 7% of government institutions either already have passwordless access in place or are planning to do so.

**The Future of Zero Trust**

The path to zero trust is both evolving and simultaneously continuous, and maturity models like the one details in the Okta report will themselves evolve. What's critical for security practitioners and leaders alike is to work across the IT and security landscape to take stock of business goals and context to prioritize the areas that not only minimizes risk, but drive productivity and efficiency for the organization.

**About the Author**

    

Amanda Rogerson is a change agent who wants to disrupt the way you think about digital security and identity. Having worked with organizations globally across industries in various roles throughout her 20-year career, she is mindful of the impact new security practices have across organizations. As a self-proclaimed nerd, she likes to weave pop-culture references into her discussions to make topics relatable.

New Zero-Trust Maturity Data: Charting Your Own Organization

In a widespread campaign, threat actors use a compromised Dynamics 365 Customer Voice business account and a link posing as a survey to steal Microsoft 365 credentials.

An elaborate and rather unusual phishing campaign is spoofing eFax notifications and using a compromised Dynamics 365 Customer Voice business account to lure victims into giving up their credentials via microsoft.com pages.  

Threat actors have hit dozens of companies through the broadly disseminated campaign, which is targeting Microsoft 365 users from a diverse range of sectors — including energy, financial services, commercial real estate, food, manufacturing, and even furniture-making, researchers from the Cofense Phishing Defense Center (PDC) revealed in a blog post published Wednesday.

The campaign uses a combination of common and unusual tactics to lure users into clicking on a page that appears to lead them to a customer feedback survey for an eFax service, but instead steals their credentials.

Attackers impersonate not only eFax but also Microsoft by using content hosted on multiple microsoft.com pages in several stages of the multistage effort. The scam is one of a number of phishing campaigns that Cofense has observed since spring that use a similar tactic, says Joseph Gallop, intelligence analysis manager at Cofense.

“In April of this year, we began to see a significant volume of phishing emails using embedded ncv\[.\]microsoft\[.\]com survey links of the sort used in this campaign,” he tells Dark Reading.

**Combination of Tactics**

The phishing emails use a conventional lure, claiming the recipient has received a 10-page corporate eFax that demands his or her attention. But things diverge from the beaten path after that, Cofense PDC's Nathaniel Sagibanda explained in the Wednesday post.

The recipient most likely will open the message expecting it's related to a document that needs a signature. "However, that isn't what we see as you read the message body," he wrote.

Instead, the email includes what seems like an attached, unnamed PDF file that's been delivered from a fax that does include an actual file — an unusual feature of a phishing email, according to Gallop.

"While a lot of credential phishing campaigns use links to hosted files, and some use attachments, it's less common to see an embedded link posing as an attachment," he wrote.

The plot thickens even further down in the message, which contains a footer indicating that it was a survey site — such as those used to provide customer feedback — that generated the message, according to the post.

**Mimicking a Customer Survey**

When users click the link, they are directed to a convincing imitation of an eFax solution page rendered by a Microsoft Dynamics 365 page that's been compromised by attackers, researchers said.

This page includes a link to another page, which appears to lead to a Microsoft Customer Voice survey to provide feedback on the eFax service, but instead takes victims to a Microsoft login page that exfiltrates their credentials.

To further enhance legitimacy on this page, the threat actor went so far as to embed a video of eFax solutions for spoofed service details, instructing the user to contact "@eFaxdynamic365" with any inquiries, researchers said.

The "Submit" button at the bottom of the page also serves as additional confirmation that the threat actor used a real Microsoft Customer Voice feedback form template in the scam, they added.

The attackers then modified the template with "spurious eFax information to entice the recipient into clicking the link," which leads to a faux Microsoft login page that sends their credentials to an external URL hosted by attackers, Sagibanda wrote.

**Fooling a Trained Eye**

While the original campaigns were much simpler — including only minimal information hosted on the Microsoft survey — the eFax spoofing campaign goes further to bolster the campaign’s legitimacy, Gallop says.

Its combination of multistage tactics and dual impersonation may allow messages to slip through secure email gateways as well as fool even the savviest of corporate users who’ve been trained to spot phishing scams, he notes.

"Only the users that continue to check the URL bar at each stage throughout the entire process would be certain to identify this as a phishing attempt," Gallop says.

Indeed, a survey by cybersecurity firm Vade also released Wednesday found that brand impersonation continues to be the top tool that phishers use to dupe victims into clicking on malicious emails.

In fact, attackers took on the persona of Microsoft most often in campaigns observed in the first half of 2022, researchers found, though Facebook remains the most impersonated brand in phishing campaigns observed so far this year.

**Phishing Game Remains Strong**

Researchers at this time have not identified who might be behind the scam, nor attackers' specific motives for stealing credentials, Gallop says.

Phishing overall remains one of the easiest and most oft-used ways for threat actors to compromise victims, not only to steal credentials but also spread malicious software, as email-borne malware is significantly easier to distribute than remote attacks, according to the Vade report.

Indeed, this type of attack saw month-over-month increases through the second quarter of the year and then another boost in June that pushed "emails back to the alarming volumes not seen since January 2022," when Vade saw upwards of 100-plus million phishing emails in distribution.

"The relative ease with which hackers can deliver punishing cyberattacks via email makes email one of the top vectors for attack and a constant menace for businesses and end users," Vade's Natalie Petitto wrote in the report. "Phishing emails impersonate the brands you trust the most, offering a wide net of potential victims and a cloak of legitimacy for the phishers masquerading as brands."

Unusual Microsoft 365 Phishing Campaign Spoofs eFax Via Compromised Dynamics Voice Account

SolarWinds CISO Tim Brown explains how organizations can prepare for eventualities like the nation-state attack on his company’s software.

On Dec. 8, 2020, FireEye announced the discovery of a breach in the SolarWinds Orion software while it investigated a nation-state attack on its Red Team toolkit. Five days later, on Dec. 13, 2020, SolarWinds posted on Twitter, asking "all customers to upgrade immediately to Orion Platform version 2020.2.1 HF 1 to address a security vulnerability." It was clear: SolarWinds — the Texas-based company that builds software for managing and protecting networks, systems, and IT infrastructure — had been hacked.

More worrisome was the fact that the attackers, which US authorities have now linked to Russian intelligence, had found the backdoor through which they infiltrated the company's system about 14 months before the hack was announced. The SolarWinds hack is now almost 3 years old, but its aftereffects continue to reverberate across the security world.

Let's face it: The enterprise is constantly under threat — either from malicious actors who attack for financial gains or hardened cybercriminals who extract and weaponize data crown jewels in nation-state attacks. However, supply chain attacks are becoming more common today, as threat actors continue to exploit third-party systems and agents to target organizations and break through their security guardrails. Gartner predicts that by 2025, "45% of organizations worldwide will have experienced attacks on their software supply chains," a prediction that has created a ripple across the cybersecurity world and led more companies to start prioritizing digital supply chain risk management.

While this is the right direction for enterprises, the question still lingers: What lessons have organizations learned from a cyberattack that went across the aisle to take out large corporations and key government agencies with far-reaching consequences even in countries beyond the United States?

To better understand what happened with the attack and how organizations can prepare for eventualities like the SolarWinds hack, Dark Reading connected with SolarWinds CISO Tim Brown for a deeper dive into the incident and lessons learned three years on.

    

Tim Brown, CISO at SolarWinds

**1\. Collaboration Is Critical to Cybersecurity**

Brown admits that the very name SolarWinds serves as a reminder for others to do better, fix vulnerabilities, and strengthen their entire security architecture. Knowing that all systems are vulnerable, collaboration is an integral part of the cybersecurity effort.

"If you look at the supply chain conversations that have come up, they're now focusing on the regulations we should be putting in place and how public and private actors can better collaborate to stall adversaries," he says. "Our incident shows the research community could come together because there's so much going on there."

After standing at the frontlines of perhaps the biggest security breach in recent years, Brown understands that collaboration is critical to all cybersecurity efforts.

"A lot of conversations have been ongoing around trust between individuals, government, and others," he says. "Our adversaries share information — and we need to do the same."

**2\. Measure Risk and Invest in Controls**

No organization is 100% secure 100% of the time, as the SolarWinds incident demonstrated. To bolster security and defend their perimeters, Brown advises organizations to adopt a new approach that sees the CISO role move beyond being a business partner to becoming a risk officer. The CISO must measure risk in a way that's "honest, trustworthy, and open" and be able to talk about the risks they face and how they are compensating for them.

Organizations can become more proactive and defeat traps before they are sprung by using artificial intelligence (AI), machine learning (ML), and data mining, Brown explains. However, while organizations can leverage AI to automate detection, Brown warns there's a need to properly contextualize AI.

"Some of the projects out there are failing because they are trying to be too big," he says. "They're trying to go without context and aren't asking the right questions: What are we doing manually and how can we do it better? Rather, they're saying, 'Oh, we could do all of that with the data' — and it's not what you necessarily need."

Leaders must understand the details of the problem, what outcome they are hoping for, and see if they can prove it right, according to Brown.

"We just have to get to that point where we can utilize the models on the right day to get us somewhere we haven't been before," he says.

**3\. Remain Battle-Ready**

IT leaders must stay a step ahead of adversaries. However, it's not all doom and gloom. The SolarWinds hack was a catalyst for so much great work happening across the cybersecurity board, Brown says.

"There are many applications being built in the supply chain right now that can keep a catalog of all your assets so that if a vulnerability occurs in a part of the building block, you will know, enabling you to assess if you were impacted or not," he says.

This awareness, Brown adds, can help in building a system that tends toward perfection, where organizations can identify vulnerabilities faster and deal with them decisively before malicious actors can exploit them. It's also an important metric as enterprises edge closer to the zero-trust maturity model prescribed by the Cybersecurity and Infrastructure Security Agency (CISA).

Brown says he is hopeful these lessons from the SolarWinds hack will aid enterprise leaders in their quest to secure their pipelines and remain battle-ready in the ever-evolving cybersecurity war.

Source

DARKReading