The threat actor — whose techniques and procedures do not match known groups — has created custom attack tools, including a program that hides scripts in .PNG images.

A relatively new cyber-espionage group is using an intriguing custom arsenal of tools and techniques to compromise companies and governments in Southeast Asia, the Middle East, and southern Africa, with attacks aimed at collecting intelligence from targeted organizations.

According to an analysis published on Tuesday by cybersecurity firm ESET, the hallmark of the group, which is dubbed Worok, is its use of custom tools not seen in other attacks, a focus on targets in Southeast Asia, and operational similarities to the China-linked TA428 group.

In 2020, the group attacked telecommunications companies, government agencies, and maritime firms in the region before taking a months-long break. It restarted operations at the beginning of 2022.

ESET issued the advisory on the group because the company's researchers have not seen many of the tools used by any other group, says Thibaut Passilly, a malware researcher with ESET and author of the analysis.

"Worok is a group that uses exclusive and new tools to steal data — their targets are worldwide and include private companies, public entities, as well as governmental institutions," he says. "Their usage of various obfuscation techniques, especially steganography, makes them really unique."

**Worok's Custom Toolset**

Worok bucks the more recent trend of attackers using cybercriminal services and commodity attack tools as these offerings have blossomed on the Dark Web. The proxy-as-a-service offering EvilProxy, for example, allows phishing attacks to bypass two-factor authentication methods by capturing and modifying content on the fly. Other groups have specialized in specific services such as initial access brokers, which allow state-sponsored groups and cybercriminals to deliver payloads to already-compromised systems.

Worok's toolset instead consists of an in-house kit. It includes the CLRLoad C++ loader; the PowHeartBeat PowerShell backdoor; and a second-stage C# loader, PNGLoad, that hides code in image files using steganography (although researchers have not yet captured an encoded image).

For command and control, PowHeartBeat currently uses ICMP packets to issue commands to compromised systems, including running commands, saving files, and uploading data.

While the targeting of the malware and the use of some common exploits — such as the ProxyShell exploit, which has been actively used for more than a year — are similar to existing groups, other aspects of the attack are unique, Passilly says.

"We have not seen any code similarity with already known malware for now," he says. "This means they have exclusivity over malicious software, either because they make it themselves or they buy it from a closed source; hence, they have the ability to change and improve their tools. Considering their appetite for stealthiness and their targeting, their activity must be tracked."

**Few Links to Other Groups**

While the Worok group has aspects that resemble TA428, a Chinese group that has run cyber-operations against nations in the Asia-Pacific region, the evidence is not strong enough to attribute the attacks to the same group, ESET says. The two groups may share tools and have common goals, but they are distinct enough that their operators are likely different, Passilly says.

"\[W\]e have observed a few common points with TA428, especially the usage of ShadowPad, similarities in the targeting, and their activity times," he says. "These similarities are not that significant; therefore we link the two groups with low confidence."

For companies, the advisory is a warning that attackers continue to innovate, Passilly says. Companies should track the behavior of cyber-espionage groups to understand when their industry might be targeted by attackers.

"The first and most important rule to protect against cyberattacks is to keep software updated in order to reduce the attack surface, and use multiple layers of protections to prevent intrusions," Passilly says.

Mysterious 'Worok' Group Launches Spy Effort With Obfuscated Code, Private Tools

What under-the-hood details of newly discovered attack control panel tells us about how the Evil Corp threat group manages its ServHelper backdoor malware campaigns.

A newly discovered cyberattack panel dubbed TeslaGun has been discovered, used by Evil Corp to run ServHelper backdoor campaigns.  

Data gleaned from an analysis by the Prodraft Threat Intelligence (PTI) team shows the Evil Corp ransomware gang (aka TA505 or UNC2165, along with half a dozen other colorful tracking names) has used TeslaGun to carry out mass phishing campaigns and targeted campaigns against more than 8,000 different organizations and individuals. The majority of targets have been in the US, which accounted for more than 3,600 of the victims, with a scattered international distribution outside of that.

There has been a continued expansion of the ServHelper backdoor malware, a long-running and constantly updated package that's been kicking around since at least 2019. It began picking up steam once again in the second half of 2021, according to a report from Cisco Talos, spurred by mechanisms like fake installers and associated installer malware like Raccoon and Amadey. 

Most recently, threat intelligence from Trellix last month reported that the ServHelper backdoor has recently been found dropping hidden cryptominers on systems.

The PTI report, issued Tuesday, delves into the technical specifics behind TeslaGun, and offers some details and tips that can help enterprises move forward with important countermeasures to some of the prevailing backdoor cyberattack trends today.

Backdoor attacks that circumvent authentication mechanisms and quietly establish persistence on enterprise systems are some of the most disconcerting for cybersecurity defenders. That's because these attacks are notoriously difficult to detect or prevent with standard security controls. 

**Backdoor Attackers Diversify Their Attack Assets**

PTI researchers said they observed a wide range of different victim profiles and campaigns during their investigations, supporting previous research that showed ServHelper attacks are trawling for victims in a variety of simultaneous campaigns. This is a trademark attack pattern of casting a wide net for opportunistic hits.

"A single instance of the TeslaGun control panel contains multiple campaign records representing different delivery methods and attack data," the report explained. "Newer versions of the malware encode these different campaigns as campaign IDs."

**But Cyberattackers Will Actively Profile Victims**

At the same time, TeslaGun contains plenty of evidence that attackers are profiling victims, taking copious notes at some points, and conducting targeted backdoor attacks.

"The PTI team observed that the main dashboard of the TeslaGun panel includes comments attached to victim records. These records show victim device data such as CPU, GPU, RAM size and internet connection speed," the report said, explaining this indicates targeting for cryptomining opportunities. "On the other hand, according to victim comments, it is clear that TA505 is actively looking for online banking or retail users, including crypto-wallets and e-commerce accounts."

The report said that most victims appear to operate in the financial sector but that this targeting is not exclusive.

**Resale Is an Important Part of Backdoor Monetization**

The way that the control panel's user options are set up offered researchers a lot of information about the group's "workflow and commercial strategy," the report said. For example, some filtering options were labeled "Sell" and "Sell 2" with victims in these groups having remote desktop protocols (RDP) temporarily disabled through the panel.

"This probably means that TA505 can not immediately earn a profit from exploiting those particular victims," according to the report. "Instead of letting them go, the group has tagged those victim’s RDP connections for the resale to other cybercriminals."

The PTI report said that based on the researchers' observations, the group's internal structure was "surprisingly disorganized" but that its members still "carefully monitor their victims and can demonstrate remarkable patience, especially with high-value victims in the finance sector."

The analysis further notes that the strength of the group is its agility, which makes it hard to predict activity and detect over time.

Nevertheless, the backdoor attackers aren't perfect, and this can offer some clues for cybersecurity pros looking to thwart their efforts.

"The group does exhibit some telltale weaknesses, however. While TA505 can maintain hidden connections on victims’ devices for months, its members are often unusually noisy," the report said. "After installing ServHelper, TA505 threat actors may manually connect to victim devices through RDP tunneling. Security technologies capable of detecting these tunnels may prove vital for catching and mitigating TA505's backdoor attacks."

The Russian-linked (and sanctioned) Evil Corp has been one of the most prolific groups of the last five years. According to the US government, the group is the brain trust behind the financial Trojan Dridex and has associations with campaigns using ransomware variants like WastedLocker. It continues to hone a raft of weapons for its arsenal as well; last week, it came to light that it's associated with Raspberry Robin infections.

TeslaGun Primed to Blast a New Wave of Backdoor Cyberattacks

Hours after Los Angeles Unified School District hit with ransomware attack, CISA issued an alert that threat actors are actively targeting the education sector.

As the school year kicks off across the country, the US Cybersecurity and Infrastructure Security Agency (CISA) issued a warning to districts that threat actor group Vice Society is targeting their systems.

The notice comes just hours after the Los Angeles Unified School District confirmed it was the target of a successful ransomware attack over the weekend. The K-12 school district, the second-largest in the US, has not yet recovered its systems fully, with its main student portal login page out of service, according to local parents speaking to Dark Reading. A district voicemail instructed parents to reset their students' passwords in person or via calling a telephone line, which was seeing hold times of greater than half an hour this morning, parents reported.

"Since the identification of the incident, which is likely criminal in nature, we continue to assess the situation with law enforcement agencies," the LAUSD said in a statement.

CISA explained school districts are attractive targets for ransomware operators because of their vast troves of personal student data stored in their systems.

The advisory added that Vice Society activity can be traced back to summer 2021, and that the group uses a variety of ransomware variants including Hello Kitty/Five Hands, Zeppelin, and others.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

As LA Unified Battles Ransomware, CISA Warns About Back-to-School Attacks

Come up with a clever caption, and our panel of experts will reward the winner with a $25 Amazon gift card.

Actions speak louder than words, especially when you're dealing with a mime. So what's going on here? We offer four convenient ways for you to submit your security-related ideas before the contest closes on Wednesday, Sept. 28, 2022:

*   Email _\[email protected\]_ with the subject line "The Edge September 2022 Toon."
*   Via social media: Twitter, Facebook, and LinkedIn_._

**Last Month's Winner**

Congratulations, Rachel Rawlings, system administrator at Penn Medicine, for winning last month's "Up a Tree" cartoon contest. Rachel's clever caption appears below.  
    

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Name That Edge Toon: Mime's the Word

The founder of Let's Encrypt and an EFF technologist, Eckersley devoted his life's work to making the Internet safer and more secure.

Peter Eckersley, beloved technologist with the Electronic Frontier Foundation (EFF), was a groundbreaking cybersecurity force for online privacy and fairness; he passed Sept. 2 following a brief illness.

Notably, Eckersley founded Let's Encrypt, an organization responsible for the internet's shift from insecure HTTP connections to HTTPS to protect users from threats at the network level. The EFF estimates about 90% of total webpage visits currently use HTTPS.

Eckersley's contributions to the field also include building a tool called Switzerland, which alerts users when their ISP is interfering with Web traffic; net neutrality advocacy; and much more, the EFF announcement explained.

Most recently, he founded a firm called AI Objectives Institute to monitor the malicious use of artificial intelligence (AI) and machine learning (ML).

"The impact of Peter's work on encrypting the web cannot be understated," the EFF announcement said. "Peter's vision, audacity, and commitment made the web, and the world, a better place. We will miss him."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Internet Security & Encryption Pioneer Peter Eckersley Passes at 43

This is the fourth DeadBolt campaign this year against QNAP customers, but it differs from previous attacks in exploiting an unpatched bug instead of a known vulnerability.

A critical zero-day security vulnerability in QNAP's network-attached storage (NAS) devices has been actively exploited in the wild to deliver the DeadBolt ransomware variant.

The vendor warned that the exploitation was first spotted over the weekend, and that "the campaign appears to target QNAP NAS devices running Photo Station with internet exposure." Photo Station allows users to centrally store and manage full resolution photos across devices via QNAP NAS.

QNAP is keeping the details of the bug under wraps for now, but it did recommend in its advisory that users disable the port forwarding function on the router to help mitigate their risk (along with applying strong passwords and performing regular data backups).

The discovery also prompted the company to push out an emergency firmware fix. The updated versions are:

*   QTS 5.0.1: Photo Station 6.1.2 and later
*   QTS 5.0.0/4.5.x: Photo Station 6.0.22 and later
*   QTS 4.3.6: Photo Station 5.7.18 and later
*   QTS 4.3.3: Photo Station 5.4.15 and later
*   QTS 4.2.6: Photo Station 5.2.14 and later

The DeadBolt gang has been hammering QNAP NAS hard this year; this is only the latest campaign using bugs in the system to infect devices. Previous waves of exploitation were seen in May using known vulnerabilities, and twice in June.

DeadBolt stands apart from other NAS-focused ransomware families, researchers noted earlier this year, because it deploys a multitiered scheme aimed at both the vendors and their victims, and offering multiple cryptocurrency payment options.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Critical QNAP NAS Zero-Day Bug Exploited to Deliver DeadBolt Ransomware

The high stakes and unique priorities for Internet of Medical Things devices require specialized cybersecurity strategies.

The Internet of Medical Things (IoMT) arguably stands alone when it comes to the threshold of comprehensive IoT security that healthcare delivery organizations must continually meet. Hospitals, physician practices, and integrated delivery systems need to not only keep their own organizations' Web-connected devices and equipment always compliant and secure, but they also must ensure patient safety isn't at risk (and avoid the significant reputational harm that comes from a public breach).

Adding to this challenge is that healthcare organizations tend to deploy uniquely heterogeneous fleets of IoMT devices that contain higher volumes of particularly vulnerable legacy devices. No other industry harnessing IoT capabilities has stakes as high as healthcare, nor such challenging obstacles. As a result, healthcare security teams must carefully craft approaches to address and mitigate certain risks that simply don't exist in other modern IoT implementations.

There are three key points to understand when building an effective IoMT vulnerability management and security strategy. First, because they face thousands of new vulnerabilities every month, IoMT security teams must pick their battles. Second, managing high device churn means introducing security from the moment of adoption. And third, security leaders must form collaborative teams of experts to manage myriad high-risk devices.

**1\. Pick Your Battles**

On average, IoMT device manufacturers publish 2,000 to 3,000 vulnerabilities _every month_. However, they publish patches for only about one in 100 at best. Healthcare delivery organizations can't simply scan IoMT devices for vulnerabilities because doing so will cause many legacy devices to crash. Security teams may attempt to just segment every device for vulnerability remediation and mitigation, but doing this for every device is complex — and maintaining such a segmentation for IoT and IoMT is even more so. Teams cannot rely on scans, don't have nearly enough patches, and new devices are continually added. Soon enough, segmentation erodes and security teams end up with a flat network.

Here's the good news: Just 1% to 2% of IoMT vulnerabilities actually present a high risk in their given environment. An IoMT device's actual risk is very much a function of environmental specifics — a device's connections, nearby devices, its particular use case, and so on. By conducting an _environment-specific_ exploit analysis, security teams can identify a device's true risks and concentrate their finite resources accordingly. Segmentation and other techniques can then focus on fixing the top 1% to 2% of high-risk devices and vulnerabilities.

Security teams should also be aware that attackers are playing this same game — they're probing for vulnerabilities within environments that can serve as springboards for their attack chains. A simple IoMT monitoring device with no data or significant effect on patient outcomes can still become the first domino in a major security event.

**2\. Introduce Security at Adoption**

Security teams must grapple not only with entrenched legacy IoMT devices, but ever-changing device inventories that churn at a rate of 15% per year. To counter this difficulty, security leaders must demand a seat at the decision-making table when new devices are adopted — or at the very least, a heads-up to properly analyze and address vulnerabilities before devices enter active use. That level of consideration is standard across other industries and must be foundational for an effective IoMT security strategy.

In fact, in most other industries an IT department could veto the adoption of solutions that pose a security liability for the organization. Within healthcare delivery organizations, however, IoMT devices with security issues may nevertheless be essential to the higher-priority goal of providing exceptional patient care and patient experiences. That said, healthcare organizations that incorporate security into their IoMT device _acquisition_ processes enable better ongoing security and risk remediation outcomes.

**3\. Form Collaborative Teams of Experts**

Unlike in industries where CSOs might manage homogeneous arrays of inexpensive IoT sensors and have carte blanche to dismiss devices that present any risk they don't like, healthcare demands an entirely different, and holistic, decision-making process. Clinicians carry tremendous weight when it comes to technology decisions because an IoMT device with high risk from an IT security perspective might significantly reduce risks to a patient from a health perspective. IoMT devices that enhance the patient experience, such as vulnerable NICU cameras that nevertheless allow parents to view their newborns, may also justify putting security teams in a tough position.

While it is understandable to decide in favor of supporting health outcomes, security leaders must be prepared to introduce protections that facilitate those decisions. Maximizing IoMT security effectiveness in these challenging circumstances requires security leaders to build an expert team with substantial collected knowledge of current threats and a collaborative mindset enabling the preparation of optimal countermeasures.

**Make IoMT Security an Organizational Priority**

Healthcare security leaders must help their organizations to recognize the tremendous importance and value of IoMT security, even if patient outcomes and experiences come first. At the same time, security leaders should not be daunted by the difficulty of IoMT risk management. Every small step that reduces risk paves the road to a strong security posture.

The 3 Fundamentals of Building an Effective IoMT Security Strategy

Investor participation from prior round demonstrates confidence in the company's current and future performance.

**NEW YORK and TEL AVIV, Israel, Sept. 6, 2022 /PRNewswire** — Cymulate, the market leader in Extended Security Posture Management (XSPM), today announced a $70 million Series D investment led by existing investors One Peak, together with Susquehanna Growth Equity (SGE), Vertex Ventures Israel, Vertex Growth, and Dell Technologies Capital. Cymulate has raised $141M to date.

The latest investment, which is among the largest for continuous security testing vendors, doubles Cymulate's funding raised to date and accelerates the Company's global expansion and pace of innovation.

In a recent report on Continuous Threat Exposure Management (CTEM) GartnerⓇ analysts observed, "_Previous approaches to managing the attack surface are no longer keeping up with digital velocity — in an age where organizations can't fix everything, nor can they be completely sure what vulnerability remediation can be safely postponed. CTEM is a pragmatic and effective systemic approach to continuously refine priorities, walking the tightrope between those two impossible extremes._"\* The global shortage of 2.72 million cybersecurity professionals, and overstretched in-house security resources further exacerbates the need for Cymulate's real-world solutions which closes security gaps quickly and efficiently, rationalizes technology, helps upskill staff and improves processes.

"We are thrilled to lead this round of investment in Cymulate," said David Klein, Managing Partner of One Peak. "Cyber posture management and continuous security validation have dramatically increased in popularity in response to the onslaught of ransomware and cyber warfare for businesses across all size ranges. Cymulate is the clear leader in the sector, and we look forward to continuing to support the Company in further accelerating its already strong growth trajectory."

Cymulate sets the industry standard for organizations to use automation to continuously validate their threat exposure and cyber posture, by testing their cloud and on-premise networks against the latest threats in the wild. The Company's Extended Security Posture Management platform leverages its native offensive security technology and capabilities to widely support customers' security and business needs. XSPM incorporates four fundamental pillars tied together with analytics to provide actionable security posture insights: Attack Surface Management, Continuous Automated Red Teaming, Breach & Attack Simulation, and Advanced Purple Teaming. Cymulate's customers see their cyber risk reduced by nearly 50% during the first three months of use. Running daily risk assessments, the cyber risk of Cymulate's customers continues to decrease in the first year without any security drift.

The Series D funding will be used to extend Cymulate's technological capabilities and further accelerate its global growth. The Company more than doubled its ARR in 2021 and grew more than 200% in North America alone. Cymulate has more than 500 customers globally, including Fortune 500 companies and strategic partners such as Optiv and Wipro. By the end of this year, Cymulate plans to further expand its staff by 75% to continue supporting its go-to-market efforts.

"In a market where every business must be prepared to fight advanced threats, I am proud of our team's ability to innovate and respond quickly to the constant turbulence of cybersecurity," said Eyal Wachsman, CEO and Co-Founder of Cymulate. "Our funding from existing investors is a further testament to their confidence in our company, direction, and continued vision. We look forward to reaching our next innovation milestones and expanding into new markets across the globe."

Alongside their Series D funding, Cymulate also recently announced two C-level executive appointments to bolster the company's leadership, namely the appointment of Maria Mastakas as Chief Operating Officer and Carolyn Crandall as Chief Marketing Officer and Chief Security Advocate of Cymulate.

_\*Gartner, Implement a Continuous Threat Exposure Management (CTEM) Program, July 2022.  
__GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved_.

**About Cymulate**

Cymulate's SaaS-based Extended Security Posture Management (XSPM) provides security professionals with the ability to continuously challenge, validate and optimize their on-premises and cloud cyber-security posture with visualization end-to-end across the MITRE ATT&CK® framework. The platform provides automated, expert and threat intelligence led risk assessments that are simple to deploy and use for organizations of all cybersecurity maturity levels. It also provides an open framework to create and automate red and purple teaming by generating penetration scenarios and advanced attack campaigns tailored to their unique environments and security policies.

For more information, visit www.cymulate.com.

Register here for a free trial.

**About One Peak**

One Peak is a leading growth equity firm investing in technology companies in the scale-up phase. One Peak provides growth capital, operating expertise and access to its extensive network to exceptional entrepreneurs, with a view to help transform innovative and rapidly growing businesses into lasting, category-defining leaders. In addition to Cymulate, One Peak's investments include Neo4j, DocPlanner, Spryker Systems, PandaDoc, Keepit, Paysend, Ardoq, Quentic, HighQ, Coople, DataGuard, Brightflag and many more.

To learn more, visit www.onepeak.tech.

SOURCE: Cymulate

Cymulate Raises $70M Series D Funding for Continuous Security Posture Testing

Here are some strategies for protecting the business against botnets poised to take advantage of remote-work vulnerabilities.

Cyberattacks launched or controlled via botnet are nothing new, but they are on the rise and pose an ever-growing threat.

A recent Russian botnet masquerading as a proxy service compromised millions of devices across the globe, giving cybercriminals access to stolen online accounts until the Feds shut it down. Attacks that happen at a large scale in this manner can have devastating effects. Indeed, botnets represent one of the top techniques attackers use to gain access to networks and systems, which is why it's vital to take steps to mitigate botnet attacks from wherever your employees are working.

The economics of botnets have greatly affected the volume of attacks, as well. Large networks of compromised computers and devices across the Internet can be used to carry out multiple attacks against a broad range of targets. Our research shows that DDoS botnet attacks are on the rise, with a 14% increase in attacks since 2019. Overall, 69% of Comcast Business DDoS customers experienced attacks, a 41% increase over 2020, while 99% experienced repeat attacks.

Botnet attacks are a major threat because they deploy in large numbers and are constantly evolving. The underlying host computing systems are spread across thousands of different owners, and shutting down botnets requires careful coordination across law enforcement, hosting providers, and network carriers.

In addition, botnet resources can be repurposed, which has led to the creation of an indirect black marketplace. Cybercriminals trade botnet assets and use them for different cyberattack types based on where they can make the most money. Essentially, botnets have become a fungible asset for organized crime.

**Botnet DDoS Attacks Present a Challenge for Security Teams**

The rapid shift to remote work provided convenience and efficiency, but it also created new opportunities for threat actors to exploit. Corporate networks are more vulnerable when accessed using unsecured work-from-home environments; personal computing devices are not always protected; and the use of video-conferencing software by remote workers makes an easy target, according to the FBI's "Internet Crime Report 2021."

DDoS attacks are sudden and can penetrate business systems even when protected by firewalls. Endpoint defenses like antivirus cannot protect against DDoS attacks, which are tricky for security experts to identify even after a complete outage. On-premises DDoS prevention equipment is expensive and still leaves upstream connectivity vulnerable to network saturation.

Once these attacks happen, consequences include server crashes, unresponsive applications, and network outages that take businesses offline for legitimate users. Simply put, DDoS attacks cost victims significant time, money, and brand reputation.

**Mitigating and Defending Against Botnet Attacks**

Protecting against botnets requires a layered, defense-in-depth approach. The first line of defense involves network security controls that maintain a global IP reputation database of known malicious IPs and domains, as well as compromised systems belonging to botnets.

Ask your security vendors how they block network connections using IP reputation. On average, 10% to 15% of global malicious IPs change daily, so confirming that your vendor provides frequent updates is critical to ensuring effective botnet protection. Assess the size and reputation of your security vendors' threat intelligence research team, as well as the sources and size of their IP and domain reputation databases.

The second line of defense requires the detection of network traffic based on protocol behavior and session flow. Modern detection techniques use a combination of machine learning algorithms and threshold-based countermeasures.

The challenge for defenders is that botnets can launch multiple types of attacks. The network behavior shown by ransomware exploits is different from brute-force credential stuffing or the click fraud perpetuated against e-commerce Web servers. So, the layered defense required to prevent botnet attacks will vary based on the risks for each individual business.

For example, modern DDoS botnet attack patterns have multiple vectors, are short in duration, and high in intensity, as highlighted by the 2021 Comcast DDoS Threat Report. This makes DDoS extremely challenging to detect for security personnel who must identify issues in minutes but have only seconds to react before an outage occurs.

**Building a Layered Cybersecurity Plan**

Basic cybersecurity hygiene is critical to defending against the threat of botnets. Frequent and continuous vulnerability scanning, configuration hardening, and an organized patch management policy are basic steps in preventing your host systems from becoming botnet victims.

Next, organizations should implement network access controls, multifactor authentication, and a zero-trust policy for users, all of which make it harder for bad actors to access your network or host computers. Lastly, continually training employees on how to identify suspicious activity such as phishing attempts and what steps to take when compromised can mitigate botnet attacks.

Botnet attacks are here to stay, so it is important that users and businesses evaluate their systems, partner with the right vendors and service providers, and implement a cybersecurity program with executive sponsorship to protect themselves against attacks.

Botnets in the Age of Remote Work

The phishing-as-a-service offering targets accounts from tech giants, and also has connections to PyPI phishing and the Twilio supply chain attack.

A phishing-as-a-service offering being sold on the Dark Web uses a tactic that can turn a user session into a proxy to bypass two-factor authentication (2FA), researchers have found.  

The service, widely called EvilProxy, uses reverse proxy and cookie-injection methods to give threat actors a way around 2FA "on the largest scale, without the need to hack upstream services," researchers from Resecurity said in a report published Monday. The principle is actually fairly simple, they added: After victims are lured to a phishing page, threat actors use a reverse proxy to fetch all the legitimate content users expect to see — including login pages — and then sniff victims' traffic as it passes through the proxy.

"This way they can harvest valid session cookies and bypass the need to authenticate with usernames, passwords, and/or 2FA tokens," researchers wrote.

At the same time, the approach gives cybercriminals ways to attack developers to facilitate supply chain attacks that affect customers downstream, they said.

In recent attacks, EvilProxy is being used to target consumer accounts belonging to top tech power players such as Apple, Dropbox, Facebook, GoDaddy, Google, Instagram, Microsoft, Twitter, and Yahoo.

**EvilProxy: An Evolution**

EvilProxy represents an evolution in phishing strategies, according to the report, given that reverse-proxy approaches are most commonly seen in advanced persistent threat (APT) and cyber-espionage activity. Now, the service makes this capability widely available to the cybercriminal marketplace, researchers said.

Some sources refer to the EvilProxy service as "Moloch," which is connected to a previously developed phishing kit that targeted the financial institutions and e-commerce sector, researchers said.

However, EvilProxy has different victims in mind, according to a demonstration video its actors released in May. Google and Microsoft accounts, in particular, appear to be the primary targets of EvilProxy threat actors.

**Acquiring the Service**

Cybercriminals can buy EvilProxy on a subscription basis based on the online service they plan to target — such as Facebook or LinkedIn — after which it is activated for a specific period of time, depending on the plan description, researchers said. Plan options include 10, 20, or 31 days, according to listings for the service on multiple Dark Web hacker forums, they said.

One of EvilProxy's key actors goes by the handle "John\_Malkovich" and acts as an administrator to vet new customers on major underground communities, including XSS, Exploit, and Breached, researchers said.

Cybercriminals can pay for EvilProxy via an operator on Telegram in a manual arrangement that deposits the funds received to an account in a customer portal hosted in TOR. The service also is available on the Dark Web hosted on the TOR network, with a kit available for $400 per month.

The home portal of the EvilProxy service makes it easy for those who purchase it to get on with their phishing campaigns, providing multiple tutorials and interactive videos regarding the use of the service and configuration tips, researchers said.

"Being frank, the bad actors did a great job in terms of the service usability, and configurability of new campaigns, traffic flows, and data collection," they acknowledged.

Once the service is activated, an operator must provide SSH credentials to further deploy a Docker container and a set of scripts that, after successful activation, will forward the traffic from the victims via two gateways defined as "upstream."

As is common in phishing campaigns, attackers register domain names that appear similar in spelling to related online services to mask them for use used in phishing campaigns, researchers noted.

**Connections to Recent Supply Chain Cyberattacks**

EvilProxy is notable also for its connections to recent threat activity — the first known phishing attack on users of the Python Package Index (PyPI), the official repository for the Python language, and a supply chain attack related to a credential breach at Twilio, researchers said.

Regarding the former, EvilProxy supports attacks against PyPI with the inclusion of a payload called JuiceStealer to the service, researchers said. The info-stealing malware was used in the PyPI phishing attack, and suspiciously added to EvilProxy just before that attack happened, researchers said.

EvilProxy also supports attacks on GitHub and the widely used JavaScript package manager NPJMS. This enables the service to deliver advanced phishing campaigns for supply chain attacks by targeting software developers and IT engineers, who may inadvertently add compromised code to applications and widen the spread of the attack without end users suspecting a thing, researchers said.

Indeed, the Twilio attack was a reminder of what can happen when enterprises are caught unawares, noted one security professional. In that attack, threat actors used phished Okta credentials to gain access to internal systems, applications, and customer data, affecting about 25 downstream organizations that use Twilio's phone verification and other services.

"Too many organizations assume that strong authentication is enough to protect their internal assets and data," Ronen Slavin, co-founder and CTO of Cycode, a software supply chain security solution provider, tells Dark Reading. "As a result of this mindset, most organizations over-credential their developers and expose way too many hard-coded secrets in places like repos, build logs, containers, and more."

With phishing attacks getting more advanced in both their methods to bypass security protections and target developers, enterprises need to be more wary of who within the organization has advanced access to systems, he adds.

"The key learning from this attack is to assume that developer accounts are compromised and that insiders could be malicious," Slavin says.

Source

DARKReading