New federal cybersecurity rules will set timelines for critical infrastructure sector organizations — those in chemical, manufacturing, healthcare, defense contracting, energy, financial, nuclear, or transportation — to report ransomware payments and cyberattacks to CISA. All parties have to comply for it to work and help protect assets.

The Cyber Incident Reporting Act, which was signed into law on March 15, is federal legislation aimed at bolstering the ability to prevent and more rapidly respond to cybersecurity attacks. While it won’t take effect until final rules are determined, it’s one of three parts of the Strengthening American Cybersecurity Act that is aimed at bolstering the cybersecurity of critical infrastructure and the federal government. The need for such an act has become intensified by the situation in Eastern Europe, as cyber warfare has proven to be a key and effective attack tactic for Russian nation-states.

Under the Cyber Incident Reporting Act specifically, critical infrastructure operators and federal agencies are required to report cyberattacks to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours, and ransomware payments within 24 hours.

The overarching Strengthening American Cybersecurity Act will update current federal government cybersecurity laws to improve coordination between federal agencies, ensure the government takes a risk-based approach to cybersecurity, and require all civilian agencies to report all cyberattacks to CISA.

Overall, the act demonstrates increased recognition of the need for better policy in place to prevent attacks on a larger scale, and highlights the impact the US government can have on cybersecurity efforts within organizations.

But to truly understand the magnitude of the act's potential impact, we must first gain insight into the current threat environment, while acknowledging the legislation's benefits and limitations. Let's explore.

**Cyber Threats Show No Signs of Slowing Down  
**The recent cyber threats against Ukraine have signaled the need for heightened protection measures, while also demonstrating the large-scale consequences of a cybersecurity attack on an entire country. For example, several Ukrainian government and bank websites were recently offline as a result of a massive distributed denial-of-service (DDoS) attack.

Shortly following these attacks, a new "wiper" malware targeting Ukrainian organizations was discovered on hundreds of machines. These security incidents are suspected to be carried out by Russian cybercriminals, creating a new digital warfare environment that has taken organizations by storm.

One cause for concern for countries that have imposed sanctions against Russia is the potential of cyberattack retaliation. In addition to the escalating geopolitical tension in Eastern Europe, security teams continue to face an overwhelming amount of ransomware attempts, with malicious actors – not just from Russia, but across the world. In fact, approximately 37% of global organizations said they were the victim of a ransomware attack in 2021 — and that figure is only expected to increase this year.

Through the Strengthening American Cybersecurity Act, a new foundation is created for both public and private sector organizations, enabling them to create larger-scale defenses against nation-state actors while better bolstering protection against the continuous cyber threats they grapple with each day.

**Need for Information Sharing and Ransomware Reporting  
**Upon reviewing the comprehensive piece of legislation, one aspect that stood out to me was a call for "the rapid centralized aggregation and dissemination of real-time attack data." Through the passing of the act, the government and security community at large publicly recognize that speed, collection, and sharing of real-time attack data is critical to properly protect private and public networks, especially as ransomware groups and attack methods mature and become more frequent. What is more important than ensuring the right people get the right information at the right time, especially when this type of information sharing is possibly the key to preventing the next cyberattack?

Another noteworthy aspect of the legislation is the process of ransomware attack reporting. Today, there are more than 250 ransomware families, and that figure only continues to grow. This, coupled with the rise in more sophisticated and targeted ransomware, exposes organizations to increased risk.

As such, it's essential to have the proper reporting tools and systems in place. The Cyber Incident Reporting Act, which is an act within the larger legislation, will ensure that all critical infrastructure attacks are reported in a timely manner. Traditionally, these types of events go unreported or underreported; through these new reporting protocols, security teams can better gauge the size and scope of the attacks potentially facing their own organization, and society at large.

**Too Good to Be True? Recognizing Potential Pitfalls  
**While the act brings immense benefits, it's also important to acknowledge several potential limitations exist within the legislation. For instance, while increased transparency is crucial to help prevent damaging attacks, many security teams may be hesitant to report attacks so openly. Increased attack reporting could potentially cause companies to face litigation, which could trigger significant reputational and financial losses as attacks are made public.

To eliminate some of this worry, organizations may consider an increased investment in cyber insurance. While once a fairly new concept, the cyber insurance market is growing exponentially, forecast to become a $20 billion industry by 2025. In the boardroom, CFOs should prioritize conversations on cyber insurance during planning and budgetary meetings. After all, if an organization isn't proactive and instead takes a laggard approach to cybersecurity, they are leaving their companies at risk of attack and lost corporate funds.

Additionally, the act will only be effective if all applicable parties work to ensure that the quality and timeliness of information collected, and the corresponding reporting processes, are taken seriously and done properly. This is not a one-time process; data sharing and incident reporting must be done continuously. The success of the new legislation is dependent on the cooperation of security teams within the public and private sectors it reaches. Simply put, a lax approach will equate to an ineffective bill.

The Strengthening American Cybersecurity Act's passing is a true acknowledgment from the public sector that the frequency and severity of cyberattacks cannot go unresolved. The onus is on both public and private organizations to uphold its principles as these incidents take place – regardless of the size or scale of the attack. Overall, the public sector should continue prioritizing security-related legislation, and the private sector must follow the guidelines provided to them. A concentrated effort from both parties is the best way to protect the nation's most sensitive assets.

Breaking Down the Strengthening American Cybersecurity Act

NYC-area cybersecurity expert shares the anatomy of a Quantum Ransomware attack and how to prevent, detect and recover from a ransomware attack, in a new article from eMazzanti Technologies.

HOBOKEN, N.J., May 11, 2022 /PRNewswire-PRWeb/ -- A NYC area cyber security consultant breaks down the recent cyber security threat, quantum ransomware, in a new article on the eMazzanti Technologies website. The informative article first relates how the threat first surfaced two years ago as MountLocker.

The author then explains the anatomy of a typical Quantum ransomware attack. He offers four strategies for preventing and detecting attacks followed by ransomware recovery tips, including having a well-documented incident response plan in place.

"In one of the fastest ransomware attacks yet reported, attackers moved from initial attack to ransomware deployment in under four hours," stated Almi Dumi, CISO, eMazzanti Technologies.

"Understanding attack patterns can help organizations mount more effective cyber defenses."

Below are a few excerpts from the article, "Quantum Ransomware Strikes Quickly, How to Prepare and Recover."

**Familiar Ransomware Rebranded...With a Twist**

"While Quantum has made headlines in recent days, the ransomware actually surfaced two years ago. Known initially as MountLocker, it was rebranded as Quantum in August 2021 when the encryptor began adding .quantum file extensions. Like other ransomware operations, it takes over networks, compromising servers, encrypting files, and bringing work to a halt."

**Anatomy of a Typical Quantum Ransomware Attack**

"While Quantum attacks leave scant time to react, knowing how typical attacks occur helps organizations with both prevention and mitigation. For instance, in recent Quantum ransomware attacks, infection occurred through a phishing email. While seemingly from a legitimate source, the email included IcedID malware embedded into an attached ISO file."

**Strategies for Preventing and Detecting Attacks**

"Implement 24/7 security monitoring - Successful defense depends on catching suspicious activity immediately. Implement continuous, automated monitoring to identify anomalies and take appropriate action."

**Quantum Ransomware Recovery Tips**

"Another critical component of a recovery plan involves data backups. Without solid backups, organizations may have to choose between losing critical data and cooperating with threat actors. Implement automated backups, test them regularly and store a copy offline to keep it safe from attack."

**Ransomware Experts**

To successfully recover from ransomware, business leaders must involve the right players. Partner with security personnel who are well-versed in ransomware recovery and have the right tools at hand. They may also need to involve the FBI, cyber breach lawyers, communications personnel, and insurance providers.

The cyber security experts at eMazzanti provide the tools and experience needed to implement a comprehensive security strategy. From monitoring to email filtering and end user training, they help business leaders stop malware earlier and recover quickly in the event of infection.

**Have you read?**

Useful Microsoft Teams Features You Need to Know

Are Cyber Insurance Policies Part of our new Normal?

**About eMazzanti Technologies**

eMazzanti's team of trained, certified IT experts rapidly deliver increased revenue growth, data security and productivity for clients ranging from law firms to high-end global retailers, expertly providing advanced retail and payment technology, digital marketing services, cloud and mobile solutions, multi site implementations, 24×7 outsourced network management, remote monitoring, and support.

eMazzanti has made the Inc. 5000 list 9X, is a 4X Microsoft Partner of the Year, the #1 ranked NYC area MSP, NJ Business of the Year and 5X WatchGuard Partner of the Year! Contact: 1-866-362-9926, \[email protected\] or http://www.emazzanti.net Twitter: @emazzanti Facebook: Facebook.com/emazzantitechnologies.

Quantum Ransomware Strikes Quickly, How to Prepare and Recover

Founders Fund leads $100 million Series-C financing, gaining the email security startup unicorn status two years after its launch.

Redwood City, Calif., May 11, 2022 – Material Security, a company that can protect email accounts even after they have been compromised, today announced it has secured $100 million in Series-C funding at a valuation of $1.1 billion. The round is led by Founders Fund, with participation from previous backers Andreesen Horowitz, Silicon Valley solo capitalist Elad Gil and other high-profile individual tech investors, gaining the company unicorn status just two years after the official launch of its product suite. Material Security is also announcing new referenceable customers including Chubb, Compass, Roblox and Brex, to add to leading brands like Lyft, Mars, Databricks and DoorDash.

Founded by former Dropbox technologists in the wake of the 2016 Election Hack, Material Security is a pioneer of using “zero trust” security techniques to protect email. Its patented security technology is trusted by government agencies, media and manufacturing conglomerates, leading financial institutions, the most targeted companies in Silicon Valley, and high-profile personalities including billionaires and celebrities.

“The fundamental idea behind ‘zero trust’ is that it assumes a bad actor is going to find a way past the perimeter into your systems. But historically, email security has just focused on blocking suspicious messages,” said Ryan Noon, co-founder and CEO of Material Security. “Whether it’s a large global organization like News Corp. or a local health care provider, we are still seeing an overwhelming number of email and data security breaches occur on a regular basis. At Material, we begin with the assumption that a hacker is already in your email and limit the damage they can do.”

Material’s Leak Prevention feature, for example, automatically redacts sensitive content in email, keeping it safe in the event of a breach. Users can still access original messages via identity-protection apps that their company already uses. “Not all emails are created equal,” said Abhishek Agrawal, co-founder and CTO of Material Security. "Some messages are so critical that they deserve an extra layer of verification. But the way email works today is that it treats every message identically."

Bringing Material Security’s total investment to $166 million since its founding, this latest round of funding will be used to scale the company’s sales and marketing teams, extend the product into new areas (including a larger footprint in government) and expand internationally.

“As the U.S. government doubles down on ‘zero trust’ and organizations are increasingly vulnerable to cyber threats given geopolitical crises, Material Security is poised to minimize the risks associated with email hacks,” said Trae Stephens, partner at Founders Fund. “We are excited to partner with this innovative team at such a critical point in their growth trajectory.”

###

**About Material Security**

Material Security is taking a fresh approach to solving one of the most fundamental problems in security: protecting the data sitting in email. Material Security protects accounts even after they're compromised or harmful messages get through. It is entirely cloud-based, deploys in 30 minutes, and can be exclusively managed by the customer. Material Security was founded in 2017 and is headquartered in Redwood City. For more information visit www.material.security.

**About Founders Fund**

Founders Fund invests in the world’s most important and valuable companies across all geographies, sectors and stages. The firm’s partners have been founders and early funders of companies including PayPal, SpaceX, Palantir, Anduril, Airbnb, Stripe and Facebook. Founders Fund pursues a founder-friendly investment strategy, providing maximum support with minimum interference. More information is available at www.foundersfund.com.

Material Security Reaches $1.1 Billion Valuation for ‘Zero Trust’ Security on Microsoft and Google Email

Analysis finds 687 million exposed credentials and personally identifiable information (PII) among Fortune 1000 employees, and a 64% password reuse rate.

AUSTIN, Texas – May 10, 2022 – SpyCloud, the leader in account takeover and fraud prevention, today published its 2022 SpyCloud Fortune 1000 Identity Exposure Report, an annual analysis of identity exposure among employees of Fortune 1000 companies in key sectors such as technology, finance, retail and telecommunications.

Drawing on SpyCloud’s database of over 200 billion recaptured assets, researchers identified over 687 million exposed credentials and PII tied to Fortune 1000 employees, a 26% increase from last year’s analysis.

Analysis of this data showed a 64% password reuse rate, widespread use of easy-to-guess passwords, and a spike in malware-infected devices –– all sources of cyber risk for both employers and consumers who rely on businesses to safeguard their personal data. With remote work blurring the lines between work and personal device use, a larger attack surface compounds the risk of cyberattacks proliferating beyond compromised employee and consumer identities to penetrate corporate networks.

“In the last two years, most companies’ attack surfaces have expanded due to the new reality of a hybrid workforce.” said David Endler, co-founder and Chief Product Officer of SpyCloud. “Combined with facing a barrage of threats from malicious actors and the state of global affairs, there’s an urgent need for Fortune 1000 companies to shore up all threat vectors, starting with identifying and remediating compromised employee credentials and malware-infected devices.”

SpyCloud researchers identified credentials, PII and infected device data of 70,000 Fortune 1000 employees in recaptured botnet logs containing information siphoned using infostealer malware. An employee working from a malware-infected personal device creates risk for the enterprise, even with the use of complex passphrases and MFA. These high-severity exposures give criminals all the data they need to bypass authentication measures and impersonate employees, including passwords, system information, browser fingerprints, and web session cookies. Further, nearly 29 million malware-infected consumer devices were used to log into the consumer-facing sites of Fortune 1000 companies, exposing their credentials and PII to fraudsters.

“Malware infections on personal devices are the riskiest source of exposure because they are so difficult to detect and can drastically increase the attack surface for ransomware,” Endler said. “These attacks could not only lead to disastrous consequences for a company’s bottom line but could also significantly impact sectors such as critical infrastructure.”

**Critical Infrastructure and Technology Sectors Lag Behind**

The report showed that critical infrastructure companies were the worst offenders for bad password hygiene. Across four industries – aerospace and defense, chemical, industrial, and energy – elementary password hygiene issues were found, including the use of company names in the top three to five most used passwords.

While critical infrastructure employees exhibited the poorest password hygiene, the technology sector had the most severe exposure, with over 26 million breach records representing 139 million employee assets (credentials, PII, cookies, etc) –– comprising 21% of all exposed Fortune 1000 records (followed by financial services with 21 million records and nearly 120 million assets).

Technology companies also had the largest number of malware-infected devices across sectors, with nearly 70% of all infected consumer devices identified among the Fortune 1000 (20.6 million) and about 50% of all infected employee devices (approximately 34,000).

To defend against account takeover, malware, ransomware and other malicious cyberattacks, Fortune 1000 companies cannot bet solely on their employees to keep them safe and rather should think of users as consumers whose behavior expands the attack surface multi-fold.

To minimize exposure and safeguard data, enterprises need to enforce strong enterprise password policy with SSO where possible, create clear company policies on the use of business and personal devices, enforce multi factor authentication on critical accounts and mandate the use of password managers, as well as leverage continuous, actionable intelligence into their users’ exposure – especially in industries entrusted with a vast amount of sensitive consumer data such as technology, ecommerce, financial services, and critical infrastructure.

SpyCloud’s unique solutions, built on a foundation of recaptured data from breaches, malware-infected devices and other underground sources protect businesses and consumers from fraud and cyberattacks that stem from the use of stolen data by allowing companies to proactively monitor and remediate their exposures.

To download the full 2022 SpyCloud Fortune 1000 Breach Exposure Report, visit https://spycloud.com/resource/2022-fortune-1000-identity-exposure-report/.

To learn more about how SpyCloud helps organizations defend against fraudulent transactions, visit https://spycloud.com/.

**About SpyCloud**

SpyCloud transforms recaptured data to protect businesses from cyberattacks. Its products leverage a proprietary engine that collects, curates, enriches and analyzes data from the criminal underground, driving action so enterprises can proactively prevent account takeover and ransomware, and protect their business and consumers from online fraud. Its unique data from breaches, malware-infected devices, and other underground sources also powers many popular dark web monitoring and identity theft protection offerings. SpyCloud customers include half of the ten largest global enterprises, mid-size companies, and government agencies around the world. Headquartered in Austin, TX, SpyCloud is home to over 150 cybersecurity experts who aim to make the internet a safer place.

SpyCloud Report: Fortune 1000 Employees Pose Elevated Cyber Risk to Companies

IceApple's 18 separate modules include those for data exfiltration, credential harvesting, and file and directory deletion, CrowdStrike warns.

A likely China-based, state-sponsored threat actor has been deploying a sophisticated post-exploitation malware framework on Microsoft Exchange servers at organizations in the technology, academic, and government sectors across multiple regions since at least last fall.

The goal of the campaign appears to be intelligence gathering and is tied to a targeted state-sponsored campaign, according to researchers at CrowdStrike. The security vendor is tracking the framework as "IceApple" and described it in a report this week as made up of 18 separate modules with a range of functions that include credential harvesting, file and directory deletion, and data exfiltration.

CrowdStrike's analysis shows the modules are designed to run only in-memory to reduce the malware's footprint on an infected system — a tactic that adversaries often employ in long-running campaigns. The framework also has several other detection-evasion techniques that suggest the adversary has deep knowledge of Internet Information Services (IIS) Web applications. For instance, CrowdStrike observed one of the modules leveraging undocumented fields in IIS software that are not intended to be used by third-party developers.

Over the course of their investigation of the threat, CrowdStrike researchers saw evidence of the adversaries repeatedly returning to compromised systems and using IceApple to execute post-exploitation activities.

Param Singh, vice president of CrowdStrike's Falcon OverWatch threat-hunting services, says IceApple is different from other post-exploitation toolkits in that it is under constant ongoing development even as it is being actively deployed and used. "While IceApple has been observed being deployed on Microsoft Exchange Server instances, it is actually capable of running under any IIS Web application," Singh says.

**Microsoft .NET Link  
**CrowdStrike discovered IceApple while developing detections for malicious activity involving so-called reflective .NET assembly loads. MITRE defines reflective code loading as a technique that threat actors use to conceal malicious payloads. It involves allocating and executing payloads directly in the memory of a running process. Reflectively loaded payloads can include complied binaries, anonymous files, or just bits of fileless executables, according to MITRE. Reflective code loading is like process injection except that code is loaded into a process's own memory rather than that of another process, MITRE has noted.

**".**NET assemblies form the cornerstone of Microsoft’s .NET framework," Singh says. "An assembly can function as either a stand-alone application in the form of an EXE file or as a library for use in other applications as a DLL."

CrowdStrike discovered IceApple in late 2021 when a detection mechanism it was developing for reflective .NET assembly loads triggered on an Exchange Server at a customer location. The company's investigation of the alert showed anomalies in several .NET assembly files, which in turn led to the discovery of the IceApple framework on the system.

**Active Cyberattack Campaign  
**IceApple's modular design gave the adversary a way to build each piece of functionality into its own .NET assembly and then reflectively load each function only as needed. "If not caught, this technique can leave security defenders completely blind to such attacks," Singh says. "For example, defenders will see a legitimate application like a Web server connecting out to a suspicious IP; however, they have no means of knowing what code is triggering that connection."

Singh says CrowdStrike found IceApple to be using a couple of unique tactics to evade detection. One of them is to use undocumented fields in IIS. The other is to blend into the environment by using assembly file names that appear to be normal IIS temporary files. "At closer inspection, the file names are not randomly generated, as would be expected, and the way the assemblies are loaded falls outside of what is normal for Microsoft Exchange and IIS," Singh says.

The IceApple framework is designed to exfiltrate data in several ways. For instance, one of the modules, known as the File Exfiltrator module, allows for a single file to be pilfered from the target host. Another module, called the multifile exfiltrator, allows for multiple files to be encrypted, compressed, and exfiltrated, according to Singh.

"This campaign is currently active and effective," he warns. "But it is unknown at the moment how many organizations may have been impacted by this campaign beyond where CrowdStrike has visibility and those that might have been indirectly impacted via supply chain or other methods."

Cyber-Espionage Attack Drops Post-Exploit Malware Framework on Microsoft Exchange Servers

Enterprises should consider online data brokers as part of their risk exposure analysis if they don't already do so.

A few weeks ago, HBO's _Last Week Tonight with John Oliver_ brought the dangers of online data brokers from out of the shadows and into the mainstream spotlight. Perhaps the best at exposing the seriousness of a problem through levity, Oliver addressed the reality of data brokers' "sprawling, unregulated ecosystem, which can get really creepy, really fast."

Oliver isn't the first to speak out against online data brokers. Last year, Wired contributing reporter Justin Turner wrote a scathing article in which he called online data brokers a "threat to democracy." While Turner's article might have had the unintended consequence of being dismissed as too hyperbolic, his point about online data brokers' being a threat to civil rights and national security is fair and accurate.

**Online Data Brokers Are the Holy Grail for Hackers  
**Today, the goals of cybercriminals, fraudsters, and identity thieves are made infinitely easier to attain thanks in large part to social media and data brokers.

The treasure trove of personal data available on social platforms provides significant ammunition for adversaries to commit cybercrime both on and off of social platforms. According to Fraud Watch, "many attackers have seen this \[social media\] as the perfect way to gather personal information to fuel cyberattacks like phishing or brand impersonation."

But if social media is a treasure trove of data, then online data brokers are the holy grail of information. These perfectly legal data aggregators can maintain up-to-date records on everything from personal emails, phone numbers, familial associations, geolocations, and home addresses to business records, browsing and search history, financial assets, social media posts, voting records, and more.

Virtually everything that's needed to deploy an online scam, fraud, account takeover, or digital theft is readily available on more than 200 data brokers' websites, sometimes free of charge, and always easily hackable by those with the means and motivations.

**Data Brokers' Impact on the Enterprise  
**It's no shock that cybercrime, fraud, and identity theft continue to increase when so much personal information is so readily available. Unfortunately, this has major consequences for the enterprise, too.

At present, cybercriminals are increasingly attacking the personal digital lives of company leaders, such as executives, board members, and other key personnel, using information gained from data brokers, as a means to bypass enterprise security controls and move laterally into the organization that is their ultimate target. In March, Bleeping Computer reported that Chinese hackers were targeting the personal Gmail accounts of government employees rather than the agency itself.

Recent research by BlackCloak examined how at risk executives, and by extension their companies, are from online data brokers. A study of more than 750 enterprise senior leaders found that an astounding 99% of executives have their personal information available on more than three dozen online data broker websites.

In addition, 70% of executive profiles found on data broker websites contained social media information and photos, most commonly from LinkedIn or Facebook, while 40% of online data brokers had the IP address of an executive's home network. With this IP address data, an executive's home is front and center for being targeted.

Further, 95% of executive profiles contained personal and confidential information about their family, relatives, and neighbors. Any of this personal information can be used to launch a social engineering attack, email spoofing, or even network hijacking, putting both the individual and their company at risk.

**Will a Renewed Focus on Privacy Put Online Data Brokers out of Business?  
**A bipartisan bill is floating around Congress that would create a national opt-out list for data brokers. But legislation can take a long time to become law, and an even longer time to begin making an impact.

Meanwhile, enterprises should begin to weigh online data brokers as part of their risk exposure analysis if they don't already do so. And while the online data broker removal process can be lengthy and burdensome, and often needs to be repeated, failing to opt out executives at a minimum could prove more harmful to your organization than not in the long run.

At the very least, organizations must recognize data brokers as the adversary that they are. They need to help empower executives to minimize their digital footprint to reduce the risk of their personal information falling into the wrong hands.

The Danger of Online Data Brokers

Attackers could abuse the vanity subdomains of popular cloud services such as Box.com, Google, and Zoom to mask attacks in phishing campaigns.

Vanity links created by companies to add their brand to well-known cloud services could become a useful vector for phishing attacks and a way to better fool victims, researchers warn.

Cloud services that don't check whether subdomains have been modified could allow links that appear to be from "varonis.box.com" or "apple.zoom.us" — two examples used in an advisory from data-protection firm Varonis on Wednesday. In the case of Box.com, that could lead to a malicious document; in the case of Zoom, that could mean a webinar that collects information and is unrelated to the cited brand. The problems occurs when a cloud service allows a vanity subdomain, but does not validate the subdomain or use the subdomain to provide services.

Varonis notified Box.com and Zoom of the issue — along with Google, whose links to Google Docs could be spoofed — more than six months ago, and the problems are mostly fixed, the company stated. However, the problem likely exists for other services, says Or Emanuel, director of research and security for Varonis.

"We think it is more than just those three SaaS services," he says, adding that attackers can also use the predictability of the subdomains to select potential victims. "Because of the vanity URLs, it makes it very easy for threat actors to scan all the subdomains of all the big Fortune companies with different cloud providers," he says.

Hiding malicious code and phishing sites behind what appears to be well-known brands is a key way for attackers to fool victims into trusting fraudulent e-mail messages and links to websites. In 2019, for example, three-quarters of companies discovered that lookalike domains had been established by a third party using a non-.COM top-level domain. Because of the expansion of top-level domains, phishers and fraudsters have a broader selection of potential domains, while companies have to consider purchasing a broad swath of domains to adequately protect their intellectual property and brand.

Varonis's research examines the problem from the other direction. Rather than looking at the top-level domains, the company's researchers investigated ways of abusing the subdomains that many cloud service providers allow their customers to use.

"Not only do vanity URLs feel more professional, but they also provide a sense of security for end-users," Varonis stated in the advisory. "Most people are likelier to trust a link at varonis.box.com than a generic app.box.com link. However, if someone can spoof that subdomain, then trusting the vanity URL can backfire."

**Social Engineering With Zoom**  
A software-as-a-service (SaaS) application is vulnerable to the attack when a customer is allowed to use their brand as the subdomain, such as varonis.zoom.us, but at the point where the link is sent to a third party — such as participants in a conference call or webinar — the subdomain is no longer checked. In the case of Zoom's service, attackers could create a webinar that asks registrants a variety of questions useful for social engineering, rebrand the webinar as a popular company, and then change the resulting URL to the targeted company's brand. The original domain — attacker.zoom.us, for example — could be changed to varonis.zoom.us without any impact on the functionality of the link.

A properly branded page could fool a victim into giving information, especially when the subdomain indicates the host is a well-known company. In the case of Box.com, a link such as _app.box.com/f/abcd1234_ could be changed to _varonis.app.box.com/f/abcd1234_ to appear to be an official form collecting information, but actually send the information to the attacker.

"The more interesting attacks from a data protection standpoint are when you have forms for registration or file-sharing requests," Emanuel says. "When the threat actor controls these pages, they can ask for any information they want, and it seems totally legit. It's really hard to determine that it's not a page that the company owns."

Such social engineering becomes useful in phishing attacks, as well as for convincing people to click on links or download untrusted files. In 2021, losses from cybercrime including phishing attacks reached nearly $7 billion, according to the FBI's annual Internet Crime Complaint Center (IC3) report. Phishing accounted for about 38% of the more than 847,000 crimes reported to the IC3.

Cloud providers should ensure that any customization of the URL is validated by the encoding in the link, Emanuel says. Box.com and Google have both fixed the issues, although the bugs still exist for Google Forms and Google Docs, when using the "Publish to the web" feature, according to Varonis. Zoom will warn users when the subdomain has been changed. “We have addressed this issue by warning users if they are being redirected to a different subdomain," a company spokesperson said.

In addition, users should always be skeptical of links, especially if the linked page requests too much information or leads to other links or files.

"We recommend educating your coworkers about the risk associated with clicking on such links and especially submitting PII and other sensitive information via forms, even if they appear to be hosted by your company’s sanctioned SaaS accounts," Varonis stated in the advisory.

Vanity URLs Could Be Spoofed for Social Engineering Attacks

In an effort to combat phishing, Google will allow Android phones and iPhones to be used as security keys.

Security is a continuous game of cat and mouse, with defenders improving their defenses against new attack methods and techniques. At Google I/O this week, the company announced anti-phishing efforts that will make it possible to use Android and iOS devices in the same way as physical security keys.

Security keys such as Google’s Titan Security Key work well to block phishing attempts and are easy to use. Users are prompted to plug the security key into the USB port (although some are NFC-capable) and tap it to authorize a login attempt. Google is bundling this capability into mobile devices, where Android and iOS devices use Bluetooth to verify they are in physical proximity to the device the user is trying to log into.

“Like physical security keys, this helps prevent a distant attacker from tricking you into approving a sign-in on _their_ browser, giving us an added layer of security against the kind of ‘person in the middle’ attacks that can still work against SMS or Google Prompt,” wrote Google engineer Daniel Margolis in a blog post.

Google is also expanding the types of Google Prompt challenges that users may experience if their login attempts look potentially fraudulent. “If we think an account is at a higher risk, or if we see abnormal behavior, we're more likely to use these additional security measures,” Margolis said. 

A new Google Prompt challenge will require users to connect their mobile devices to the same Wi-Fi network as the device they are attempting to log into. Similar to the security key functionality, this allows the user to prove that both mobile and computing devices are in the same location.

Google made several other security announcements at Google I/O, including plans to continue auto-enrolling Google account users into two-step verification, scaling phishing protections for Google Docs, Sheets, and Slides, as well as new security and privacy features in Android. These announcements are in addition to the recent pledge with the FIDO Alliance, Apple, and Microsoft to expand support for the FIDO Sign-in standards for passwordless authentication.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Google Will Use Mobile Devices to Thwart Phishing Attacks

Malicious emails with macro-enabled Word documents are spreading a never-before-seen remote-access Trojan, researchers say.

Phishing emails purporting to contain COVID-19 safety information from the World Health Organization (WHO) are instead phishing lures intended to spread a novel remote-access Trojan (RAT) called Nerbian.

A team of Proofpoint researchers have published a report noting that so far, the Nerbian RAT, first spotted on Apr. 26, has spread primarily throughout Italy, Spain, and the UK. Notably, Nerbian is written in the Go language, taking advantage of several open source libraries, the analysts added. 

The RAT leverages multiple anti-analysis components and has cyber espionage modules for keylogging and screen grabs, researchers said, in addition to typical backdooring functionality. 

Nerbian got its name directly from the malware code, the researchers explained, which references the name of a fictional place from the novel _Don Quixote_.

"Malware authors continue to operate at the intersection of open-source capability and criminal opportunity,” Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, told Dark Reading in an emailed statement.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Novel Nerbian RAT Lurks Behind Faked COVID Safety Emails

Microsoft's May 2022 Patch Tuesday contains several bugs in ubiquitous software that could affect millions of machines, researchers warn.

Microsoft squashed 74 security vulnerabilities with its May 2022 Patch Tuesday update, including an important-rated zero-day bug that's being actively exploited in the wild and several that are likely widely present across enterprises.

It also patched seven critical flaws, 65 other important-rated bugs, and one low-severity issue. The fixes run the gamut of the computing giant's portfolio, including: Windows and Windows Components, .NET and Visual Studio, Microsoft Edge (Chromium-based), Microsoft Exchange Server, Office and Office Components, Windows Hyper-V, Windows Authentication Methods, BitLocker, Windows Cluster Shared Volume (CSV), Remote Desktop Client, Windows Network File System, NTFS, and Windows Point-to-Point Tunneling Protocol.

**3 Zero-Days, 1 Actively Exploited**  
The actively exploited bug (CVE-2022-26925) is a Windows LSA-spoofing vulnerability that rates 8.1 out of 10 on the CVSS vulnerability-severity scale – however, Microsoft notes in its advisory that it should be bumped up to critical (CVSS 9.8) if used in Windows NT LAN Manager (NTLM) relay attacks.

"\[A\]n unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM," Microsoft warns in its advisory – a concerning situation considering that domain controllers provide high-level access to privileges.

Now deprecated, NTLM uses a weak authentication protocol that can easily reveal credentials and session keys. In a relay attack, bad actors can capture an authentication and relay it to another server – which they can then use to authenticate to the remote server with the compromised user's privileges.

That said, the bug is tougher to exploit than most, explains Trend Micro Zero Day Initiative (ZDI) researcher Dustin Childs in a Tuesday blog. "The threat actor would need to be in the logical network path between the target and the resource requested (e.g., man-in-the-middle), but since this is listed as under active attack, someone must have figured out how to make that happen."

Tyler Reguly, manager of security R&D at Tripwire, tells Dark Reading that the bug could be related to a previously seen threat known as PetitPotam, which emerged in July to allow attackers to force remote Windows systems to reveal easily crackable password hashes.

"Based on Microsoft’s provided links, this looks to be related to the previous PetitPotam patch," he notes, adding that researchers will be guessing about that. "This is a prime example of where detailed executive summaries that explain what is happening were useful in the past. It would be great if Microsoft could return to providing those on a regular basis," he says.

Microsoft also patched two other zero-days, including a critical bug (CVE-2022-29972, CVSS not available) in Insight Software's Magnitude Simba Amazon Redshift ODBC Driver – "a third-party ODBC data connector used to connect to Amazon Redshift, in Integration Runtime (IR) in Azure Synapse Pipelines, and Azure Data Factory," as ZDI's Childs explains.

He adds, "This update is complicated enough for Microsoft to blog about the bug and how it affects multiple Microsoft services."

The final zero-day (CVE-2022-22713, CVSS 5.6) is an important-rated bug in Windows Hyper-V that could allow denial-of-service (DoS).

**Leading Lights: Critical Microsoft Security Bugs to Patch Now**  
As far as other patches for admins to prioritize this month, some of the critical-rated issues are far-reaching across organizational infrastructure and could affect millions of companies, researchers warn.

"The big news is the critical vulnerabilities that need to be highlighted for immediate action," Chris Hass, director of security at Automox, tells Dark Reading. "This month features vulnerabilities in a number of applications that are prevalent in most enterprise organizations, including NSF, Remote Desktop Client, and Active Directory."

For instance, the critical bug affecting Windows Network File System, or NFS (CVE-2022-26937, CVSS 9.8) could allow unauthenticated remote code-execution (RCE) in the context of the highly privileged NFS service, according to Microsoft's advisory. To boot, its ubiquity is Log4j-like: It "is present in every Windows Server version from 2008 forward," Hass says, "which puts most organizations at risk if action isn't taken quickly."

Further, "these types of vulnerabilities will potentially appeal to ransomware operators as they could lead to the kind of exposure of critical data, often part of a ransom attempt," Kevin Breen, director of cyber threat research at Immersive Labs, tells Dark Reading.

In terms of who should especially prioritize the patch, "NFS isn't on by default, but it's prevalent in environment where Windows systems are mixed with other OSes such as Linux or Unix. If this describes your environment, you should definitely test and deploy this patch quickly," Childs warns.

As for other critical bugs to consider, Breen flags CVE-2022-22017 (CVSS 8.8), an RCE issue in the also-ubiquitous Remote Desktop (RDP) Client.

"With more remote workers than ever, enterprises need to put anything affecting RDP on the radar — especially given its popularity with ransomware actors and access brokers," he warns.

The Active Directory bug (CVE-2022-26923, CVSS 8.8) is found in Domain Services and could allow elevation of privilege thanks to an issue with the issuance of certificates. ZDI, which reported the bug, says that an attacker can gain access to a certificate to authenticate to a DC with a high level of privilege, allowing any domain-authenticated user to become a domain admin if Active Directory Certificate Services are running.

"This is a very common deployment," Childs says. "Considering the severity of this bug and the relative ease of exploit, it would not surprise me to see active attacks using this technique sooner rather than later."

Of less concern, Breen says, are a group of 10 RCE bugs in LDAP (the most severe, CVE-2022-22012, has a CVSS score of 9.8). These "appear particularly threatening; however, they have been marked by Microsoft as 'exploitation less likely' as they require a default configuration unlikely to exist in most environments," he notes. "It's not to say there is no need to patch these, rather a reminder that context is important when prioritizing patches."

**The Worst of the Rest**  
A handful of other vulnerabilities that also stood out to researchers are worth noting here, starting with Windows Print Spooler, which has long presented an attractive bull's-eye for cyberattackers.

"There were several Windows Print Spooler vulnerabilities patched this month, including two information disclosure flaws (CVE-2022-29114, CVE-2022-29140) and two elevation of privilege flaws (CVE-2022-29104, CVE-2022-29132)," Satnam Narang, staff research engineer at Tenable, tells Dark Reading. "All of the flaws are rated as important, and two of the three are considered more likely to be exploited. Windows Print Spooler continues to remain a valuable target for attackers since PrintNightmare was disclosed nearly a year ago. Elevation-of-privilege flaws in particular should be carefully prioritized, as we've seen ransomware groups like Conti favor them as part of its playbook."

Breen also highlighted two other important-rated bugs as patching priorities:

*   CVE-2022-29108, a remotely executable flaw in Sharepoint that could likely be abused by an attacker seeking to move laterally across an organization. "Requiring authenticated access to exploit, it could be used by a threat actor to steal confidential information or inject documents with malicious code or macros that could be part of a wider attack chain," Breen warns.
*   A bug in Azure Data Factory (no CVE assigned) is remotely exploitable and can expose an enterprise’s confidential data, according to Breen.

Virsec CTO and co-founder Satya Gupta says that overall, the broader context of Microsoft's patching trends is important to consider for defenders. Specifically, in the last year, more than a third of the patches (1,330, or 36%) are for RCE issues.

"This of course represents a massive opportunity for malicious actors to compromise nearly any customer," he says. "In total, several of May's vulnerabilities represent a Log4j level of exposure, particularly if you consider what it would take to patch millions of servers."

Source

DARKReading