This scale of this month's encrypted DDoS attack over HTTPS suggests a well-resourced operation, analysts say.

A DDoS-over-HTTPS attack targeting an unnamed crypto launchpad company clocked in at a whopping 15.3 million requests-per-second (rps) earlier this month — turning heads at Cloudflare.

It lasted just 15 seconds, but the HTTPS DDoS attack was the largest of its kind the company has ever observed, two analysts from Cloudflare explained in a new blog post.

Cloudflare's researchers noted that HTTPS DDoS attacks require the use of a transport layer security (TLS) encrypted connection, which isn't cheap. That suggests a well-funded operation.

"We've seen very large attacks in the past over (unencrypted) HTTP, but this attack stands out because of the resources it required at its scale," according to the post.

Crypto launchpads are platforms where new cryptocurrencies and decentralized finance (DeFi) projects can launch and attract early investors.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Cloudflare Flags Largest HTTPS DDoS Attack It's Ever Recorded

Encryption will break, so it's important to mix and layer different encryption methods.

Quantum computers may one day break encryption. So might stochastic magnetic tunnel junction machines, also known as spintronics. But we don't need next-generation computing power to break encryption. It’s successfully happening right here and now.

**Why Does Encryption Fail?  
**There are many factors that contribute to encryption weaknesses and create vulnerabilities ready for exploitation by cybercriminals or state-sponsored actors. Chief among them is poorly implemented cryptography – in terms of both the crypto libraries themselves and the way they are used. Bugs such as Heartbleed or the recent implementation error of the Elliptic Curve Digital Signature (ECDS) algorithm in Java versions 15 and above, undermine all programs based on them. The incorrect use of a library, insufficient entropy, or use of weak ciphers is a daily occurrence that impacts specific applications, making bugs even harder to find. Other encryption failings include weak passwords and certificates taken from compromised machines. Combine these techniques with “harvest-now-decrypt-later” attacks, and encryption technology is no longer what it used to be.

**Mathematics, the Cornerstone of Encryption  
**Extremely difficult mathematics underlie our encryption. RSA, the gold standard for public key encryption, is based on the complexity of breaking down a large number into its constituent primes. The forward problem is easy and quick to solve: Take some primes and multiply. But the reverse problem is much harder: Given an integer, which primes were multiplied to make it? Attempts to solve the problem of prime factorization dates back centuries, with Euclid of Alexandria working on specific properties of prime numbers more than 2,000 years ago.

Although no solutions have been found that work on conventional binary computers, that does not mean none exist. After more than 2,000 years of work, most mathematicians agree a prime-factorization algorithm used by a classic computer won’t be here anytime soon. Peter Shor proposed an algorithm that could do composite number decomposition in polynomial time on a quantum computer – breaking RSA and Diffie-Hellman ciphers – but a quantum computer of this kind has not been publicly demonstrated at sufficient scale. Yet.

To prepare for the day when Shor’s algorithm is in play, the National Institute for Standards and Technology (NIST) has sponsored a post-quantum cryptography (PQC) competition. Now in its sixth year, the competition that began with 82 submissions is expected to announce its four finalists this year.

The remaining candidates are asymmetric-key algorithms (similar in concept to RSA) believed to be capable of withstanding the computational power of a stochastic algorithm that might run on a scalable quantum computer. The mathematical problems upon which these newer algorithms are based are much younger and have not been studied extensively.

In the field of complex mathematics _centuries_ are common time frames. For example, Fermat’s last theorem took 358 years to be proven. By that logic, it’s no wonder we have already seen a previously unknown or unforeseen weakness revealed in Rainbow – what had been the most peer-reviewed quantum-resistant algorithm now deemed unsuitable for use by NIST. It’s only a matter of time, then, before new encryption standards are weakened or outright broken. This is why NIST is encouraging organizations to embrace crypto agility in their post-quantum preparedness planning.

What complicates this matter further is that we don't — and won't — know which methods are bearing fruit and which techniques are being used, and by whom, to break the encryption we rely on to secure our digital universe. For all we know, large-scale quantum computers are already in use. If you were a nation state or criminal mastermind and had the ability to factor large numbers into their primes, would you tell the world? This is the fundamental problem with modern encryption: We often don’t know which, when, or how ciphers are compromised. However, we can say with certainty that encryption is being broken – and will be broken.

**Look to Wall Street and Diversify  
**To harden IT environments and digital assets in the face of such uncertainty, we can look to Wall Street for strategic advice. To combat the uncertainties and risks associated with loans and stocks go bad, financial institutions embrace diversification. By diversifying investments across multiple asset classes, geographies, and industries, the risks of an entire portfolio imploding are minimized.

This approach can, and should, be applied by enterprise IT and SOC teams when it comes to encryption. Using and mixing/stacking multiple encryption techniques helps to keep data traveling securely even if a flaw is uncovered in one of the encryption layers. We won’t always know which part of a crypto stack has been defeated and how, but it won’t matter if the cryptography is sufficiently diversified.

As an industry, we need to support the simultaneous use of multiple approaches, anticipating that new crypto methods will come and go. We must mix asymmetric key technology with symmetric key technology, and transmit keys through out-of-band channels. Most importantly, we must develop agreed-on metrics and industrywide benchmarks to measure exactly how diversified our crypto strategy is.

Take a Diversified Approach to Encryption

The AI startup releases new threat signatures to expand the computer vision platform’s ability to identify potential physical security incidents from camera feeds.

A comprehensive cybersecurity strategy should include physical security. Adversaries don't need to worry about compromising a corporate device or breaching the network if they can just walk into the office and connect directly into the network.

CISOs are increasingly including physical security as part of their strategic investments, says Stephanie McReynolds, head of marketing at Ambient.ai. Organizations are spending a lot of money and effort to lock down cybersecurity, but all of those security controls are useless if the adversary can just enter a restricted space and leave with equipment.

"The last mile of cybersecurity is physical location," McReynolds says.

Ambient.ai uses computer vision technology to solve physical security problems, such as monitoring who is entering the building or a restricted area and monitoring all the video feeds coming from the camera network. Computer vision is a subcategory of artificial intelligence dealing with how computers can process images and videos and derive an understanding of what they are seeing. The idea behind computer vision is to provide computers with eyes to see the same things humans see, and training the algorithm to think about what the eyes saw.

In the case of Ambient.ai, the company's computer vision intelligence platform serves as "the brain" behind physical access control systems, such as security cameras and physical sensors (such as door locks and entry pads). This week, the company expanded the catalog of behaviors the computer vision platform can recognize with 25 threat signatures.

**Computers Help Humans See**  
Traditionally, physical security involves staff in the security center monitoring alerts from the sensors and watching video feeds to try to detect when something untoward is happening. They may receive alerts that a door is open, or that a person swiped the access card to get into the building after-hours. There might be camera footage of someone loitering for quite some time in the building lobby, or a person entering a restricted area carrying an unauthorized laptop. Humans are expected to detect and respond to security incidents, but between fatigue and too much information to process, things can get missed.

"One individual is trying to watch 50 camera feeds at once. This doesn't work," McReynolds notes.

There have been three waves in computer vision, McReynolds says. The first wave was basic detection — that there was an object there, but no insight into what it was. The second wave added recognition, so it knew what it was looking at, such as whether it was a person or a dog. But it was a limited form of recognition, and there was a lot that was still unknown about the object it was looking at. The third wave, the current one, takes in context clues from the broader scene to understand what is happening. Just as a human would look at details around the object to understand what is happening, such as whether the person is sitting or if the person is outside, computer vision technology is now capable of collecting those details.

Ambient.ai breaks down the image or video into "primitives" — which refers to components such as interactions, locations, and objects seen — and constructs a signature to understand what is happening. A signature may be something like a person standing in the lobby for a long time not interacting with anyone, for example.

The new threat signatures expand the platform's ability to catalog over 100 behaviors, McReynolds says.

**Recognizing What Is an Incident**  
The Ambient.ai Context Graph assesses three risk factors to determine next steps: the context of the location, the movements that create behavior signatures, and the type of objects interacting in a scene. Based on these factors, the platform can dispatch security personnel to handle the incident, validate risks, or trigger proactive alerts. With the Context Graph, analysts can also tell which alerts are not security incidents, such as a door that didn't latch properly, and close the ones that don't require any action.

"A person holding a knife running in the kitchen isn't a security incident," McReynolds says. "A person holding a knife running in the lobby, on the other hand, is a security incident."

VMware, an Ambient.ai customer, claims that 93% of its alerts each year were false positives. By integrating Ambient.ai's platform with its physical access control systems, VMware's security teams didn't have to deal with those alerts and were able to focus their attention on dealing with the remaining 7% of alerts to stop security incidents on its campus.

McReynolds described a potential workplace violence scenario, where a former employee tried to use their badge to enter the building. The invalid badge in and of itself is not a security threat, but paired with security footage of the former employees sitting in the lobby and not interacting with anyone, there are enough reasons to be concerned. The alert would then be prioritized to send a guard to approach the individual.

"Sometimes it takes just a conversation and the person will stand down," McReynolds says.

All that is accomplished without resorting to facial recognition, which brings a host of privacy implications. Ambient.ai uses machine learning, pattern-matching, and computer vision to make decisions about what is important.

**Computer Vision in Security**  
Computer vision technology is useful in several security contexts because it can be used to detect manipulations that are less visible to the human eye, says Fernando Montenegro, senior principal analyst at Omdia. For example, the technology can be used to identify spoofed logos and websites used in account takeovers and ecommerce fraud. Another interesting use case is to represent binary samples as images, and then using imaging classification techniques to classify them as malicious or not, he says.

One aspect of computer vision is the capability to analyze "datasets that are not originally 'images' themselves, but can be encoded as such," Montenegro says.

Humans have the capacity to say something doesn't look right, even if they can't specifically point to something that is wrong, says Gunter Ollmann, CSO of Devo. An intriguing application of computer vision research is to train the algorithm to be able to detect something is wrong because of the way it looks, he says. By turning source code into an image, the machine can analyze the structure and other patterns to detect potential issues without having to analyze the code line by line. This kind of analysis can be used for malware analysis, by color-coding different categories of function and analyzing the image to get an understanding of what the application is doing.

There are several computer vision startups tackling cybersecurity issues. Hummingbirds AI uses facial biometrics to authenticate users and grant access to the device. When the computer "sees" a person who is not authorized that is close to the screen, the tool blocks access. Pixm relies on computer vision to identify and stop spear-phishing attacks. The platform runs in the browser window and is available from the moment the user clicks on a link until the campaign is disrupted.

"We are now in an exciting era where \[the machine\] can collaborate with the human," Ambient.ai's McReynolds says, regarding advancements in computer vision.

Ambient.ai Expands Computer Vision Capabilities for Better Building Security

Flaws gave attackers a way to access other cloud accounts and databases, security vendor says.

Microsoft has patched a dangerous pair of vulnerabilities in its Azure Database for PostgreSQL Flexible Server that gave attackers unauthorized cross-account access to databases in cloud hosted environments.

The first is a privilege escalation bug in a modification that Microsoft made to the PostgreSQL engine. The second is a bug that leverages the privilege escalation enabled by the former to give attackers cross-account access.

Threat actors could have used the flaws to bypass authentication mechanisms and gain full access to customer data across multiple databases in a region without leaving any trace of their presence, researchers from cloud security vendor Wiz Research recently discovered.

"An attacker could create a full copy of a target database in Azure PostgreSQL \[Flexible Server\], essentially exfiltrating all the information stored in the database," says Ami Luttwak, co-founder and CTO at Wiz. The vulnerabilities would have allowed attackers to bypass firewalls configured to protect the hosted databases unless an organization had configured it for private access only. "But this is not the default configuration," Luttwak says.

In an advisory Thursday, Microsoft described the security issue as impacting organizations that had deployed their PostgreSQL Flexible Server instances using the public access networking option. The company said it mitigated the issue on Jan. 13, 2022, less than 48 hours after Wiz had notified it of the issue. Microsoft said its analysis showed no evidence of attackers having exploited the vulnerabilities to access customer data. Though organizations using the service need not take any action, Microsoft recommended they enable private network access for their Flexible Server instances to minimize exposure to similar issues.

Luttwak says vulnerabilities like these highlight why organizations need to have a defense in depth security model when deploying and running cloud workloads. He says, "Here, a simple developer mistake — a wrong prefix validation — led to a potential ability for attackers to gain access to customer data." The only way to mitigate such risks is to have multiple layers of protection so a single bug does not allow for a compromise, Luttwak says.

The Wiz researchers found the bugs as part of a wider research effort to find cross-account access vulnerabilities in cloud services. These are a class of vulnerabilities that essentially give attackers a way to break through tenant isolation mechanisms in cloud environments to access other customer accounts and data. Wiz's effort follows the company's discovery in August 2021 of a critical vulnerability — dubbed ChaosDB — in Microsoft's Azure Cosmos DB that gave the company unrestricted access to databases and accounts belonging to thousands of customers of the Azure service, many of whom were Fortune 500 companies.

"Following the ChaosDB vulnerability we disclosed last year, we specifically focused on cloud-managed databases as they pose the most risk holding sensitive customer data," Luttwak notes.

**Cross-Account Access Flaws in the Cloud**  
Wiz decided to focus on Azure PostgreSQL Flexible Server because it is a widely used cloud managed database service, where the database instances run in an internal cloud environment owned by the service provider. The researchers began by trying to figure out a way to escalate privileges within their own PostgreSQL Flexible Server instance and discovered a vulnerability in some modifications that Microsoft had made to the engine ostensibly to harden its privilege model.

"The privilege escalation bug is not a PostgreSQL vulnerability, but rather is a result of modifications Azure introduced to the PostgreSQL engine on their end," Luttwak says. "It's likely these modifications were introduced to help Azure better manage customers' instances and reduce friction."

Once the researchers gained code execution privileges on their PostgreSQL Flexible Server instance, they found they had network access to other accounts within the subnet via their internal network interface. To test whether the access would work, the researchers created another PostgreSQL Flexible instance using a separate account and tried accessing it from their first database. When that worked, they looked for a way to similarly use their instance to access other accounts without authenticating to them. This led to the discovery of a vulnerability that allowed them to do just that, using a forged certificate.

Luttwak explains the exploit as leveraging an Azure high availability function that uses PostgreSQL's replication feature to replicate databases between servers.

"The replication service connects to the database instance and has the permissions to replicate it to other nodes" via a shared network, he says. Wiz researchers found they could get complete copies of other databases by authenticating as the replication service to other PostgreSQL instances using a certificate issued to an arbitrary domain rather than Azure's replication service certificate.

"We didn't actually achieve access to the replication service certificate," Luttwak says. "But we found a way to bypass \[it\] since the PostgreSQL was only looking for a private key with a certain prefix."

That allowed Wiz to simply create a legitimate-looking certificate that passed the authentication, Luttwak notes.

He says the two — now patched — vulnerabilities would have needed to be chained to have significant impact. That's because the first vulnerability only provides local access to a database instance. But without it, an attacker would not have the privileges required for cross-account access.

Microsoft Patches Pair of Dangerous Vulnerabilities in Azure PostgreSQL

Security, cost, and reliability top the list of concerns IT teams have about their cloud operations, according to a recent report.

Security, cost, and reliability top the list of concerns IT teams have about their cloud operations, according to a recent report.

Source: Dark Reading

When asked about their top cloud concerns, more than a quarter of IT decision-makers — 26% — said they are concerned about their staff's "skillset on dealing with cloud computing," according to new Dark Reading research.

The Dark Reading State of the Cloud report surveyed 339 IT employees of companies that use cloud computing. The respondents overwhelmingly (73%) identified security as their biggest worry, followed by cost (58%) and reliability (50%). Other top concerns included functionality limitations (10%), having too much core data on the cloud (10%), inadequate service agreements (6%), and vendors trying to sell them additional cloud services (6%).

These results reflect a current climate in which IT professionals are scrambling to find a way to secure entirely new cloud attack surfaces and make existential business decisions based on evolving technologies. They need something secure and cost-efficient, and they need it to actually work.

And having a team skilled up to manage it all would be nice, too.

Download the State of the Cloud: A Security Perspective for more details. The data used in the report comes from research jointly conducted with four other Informa Tech publications — InformationWeek, ITPro Today, Network Computing, and Data Center Knowledge.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

IT Teams Worry Staff Lack Cloud-Specific Skills

Blue-chip companies deepen commitment based on success of long-standing customer and partner relationships and conviction of Securonix’s vision and hypergrowth potential.

Capital One Ventures, Snowflake Ventures, Verizon Ventures, and Wipro Ventures Join Securonix $1B+ Growth Investment as Strategic Investors

Higher probabilities of attack, soaring ransoms, and less chance of getting data back — the ransomware plague gets worse, and cyber insurance fails to be a panacea.

When it comes to ransomware, more companies are seeing attacks and have had data encrypted, according to research out this week. And even though more companies are backing up or paying ransom demands, less data was recovered in 2021 compared with the previous year.

For instance, in its "State of Ransomware 2022" report, cybersecurity firm Sophos found that 66% of surveyed companies had encountered ransomware in 2021, with two-thirds of those firms — or 43% overall — suffering from an actual attack that encrypted data. In its previous report covering 2020, the frequency of successful attacks was much smaller, with about 20% overall resulting in encryption. 

The deteriorating cyberthreat landscape is largely due to the evolution of ransomware groups and their techniques, says Sean Gallagher, senior threat researcher with Sophos.

"Over the past couple of years, there has been a massive transition from ransomware to ransomware-as-a-service," he says. "There are very well-established \[groups\] that are doing these attacks, and as a result, the number of attacks companies are seeing has gone up."

Ransomware continues to plague companies with business-disrupting attacks and defy efforts by cybersecurity experts to rein in the operators behind the criminals campaigns. Not only did the portion of companies affected by ransomware more than double last year, but the mean ransomware payment more than quadrupled to $812,000, according to the Sophos report. 

Companies in the energy and manufacturing sectors each saw average ransoms of more than $2 million.

    

Two-thirds of companies saw ransomware attempts in 2021. Source: Sophos

The research team at Check Point Software Technologies saw an increase in ransomware attacks as well, noting that attempted attacks climbed 24% in 2021 compared with 2020. In an analysis of chat logs leaked from the Conti ransomware group, Check Point Research noted that the operators discussed how to set ransoms in some detail, but also stressed that ransoms often are not the most significant cost to businesses.

"\[T\]he extortion cost is marginal compared to other losses suffered by the victim," the researchers stated. "Most other losses, including response and restoration costs, legal fees, monitoring costs, etc., are applied whether the extortion demand was paid or not."

In 2021, the mean ransom paid to cybercriminals rose to $812,000, from $170,000 in 2020, but that still fell far short of the average $1.4 million bill for remediating an attack, according to Sophos. Recovery also took time, with the average company needing about a month to recover from a ransomware attack, according to the report.

**Don't Expect Your Data Back**  
In addition, while ransom demands have risen dramatically, increases that other surveys have seen hints of as well, paying them does not mean full data recovery. In fact, data-recovery statistics from Sophos highlight the fact that that paying ransoms has a terrible return on investment. 

While 99% of companies recovered some of their data, they could only recover 61% of encrypted data on average, according to Sophos. And while 46% of companies paid a ransom, only 4% of those that did got all their data back, down from 8% in 2020. Such statistics have caused some cybersecurity experts to question whether companies should ever pay the ransom.

While healthcare organizations and state and local governments were among top ransomware targets before and during the pandemic, they also earned ransomware groups some of the lowest payouts. The average infected healthcare organization paid $197,000, while the average compromised state or local government agency paid a ransom of $214,000, the Sophos survey found.

**Cyber insurance Doesn't Solve Ransomware, but It Helps  
**Cyber insurance has changed along with the ransomware landscape. In 2021, insurance companies already had experienced problems with the expense of cybersecurity policies as companies sought to recover damages from ransomware incidents. The vast majority of companies (94%) have found it harder in the past year to qualify for cyber insurance, while almost all (97%) have had to make changes to their defenses to improve their ability to garner coverage, according to Sophos' survey.

While 98% of companies affected by ransomware received a payout under their cyber-insurance policies, only 77% collected for clean-up costs, and only 40% of the policies paid the ransoms, the survey found.

"It’s interesting to note that the sectors with the lowest rate of ransom payment are also the ones able to recover fastest from an incident, emphasizing the importance of disaster-recovery planning and preparation," the report stated. "It's worth remembering that while cyber insurance will help get you back to your previous state, it doesn’t cover 'betterment' — when you need to invest in better technologies and services to address weaknesses that led to the attack."

The Ransomware Crisis Deepens, While Data Recovery Stalls

The sophisticated Bumblebee downloader is being used in ongoing email-borne attacks that could lead to ransomware infections.

At least three separate waves of cyberattacks are underway that feature a sophisticated new malware loader dubbed Bumblebee that fetches shell code and second-stage tools, such as Cobalt Strike, Sliver, and Meterpreter – possibly in a run-up to ransomware attacks.

As an initial-access tool – backdoor malware that infects a target before loading follow-on binaries – Bumblebee specializes in stealth, according to research from Proofpoint.

"Bumblebee is in active development and wields elaborate evasion techniques to include complex anti-virtualization," researchers explain in a report issued on Thursday. "Unlike most other malware that uses process hollowing or DLL injection, this loader utilizes an asynchronous procedure call (APC) injection to start the shellcode from the commands received from the command and control (C2)."

Further, Bumblebee appears to be a significantly upgraded replacement for the well-known BazaLoader tool that often presages ransomware attacks. 

"Threat actors using Bumblebee are associated with malware payloads that have been linked to follow-on ransomware campaigns," researchers note in the report. And "campaigns identified by Proofpoint overlap with activity detailed \[by Google\] as leading to Conti and Diavol ransomware."

**BazaLoader Replacement  
**Bumblebee first buzzed onto the scene in March, shortly after BazaLoader disappeared from Proofpoint’s telemetry, researchers said.

BazaLoader was up until then a common malware first seen in 2020, sharing the cybercrime spotlight with other favored initial-access baddies, such as Emotet, Trickbot, and IcedID. Notably, it was employed in several high-volume campaigns that led to Conti ransomware infections.

"BazaLoader's apparent disappearance from the cybercrime threat landscape coincides with the timing of Conti Leaks, when, at the end of February, a Ukrainian researcher with access to Conti's internal operations began leaking data from the cybercriminal organization. Infrastructure associated with BazaLoader was identified in the leaked files," researchers explain in the report.

Now Bumblebee is cropping up in campaigns run by the same crimeware groups previously observed delivering BazaLoader, the report notes. Proofpoint added that the groups are likely initial-access brokers (IABs), which dovetails with the previously mentioned Google TAG research. IABs infiltrate targets and sell specialized access to backdoored corporate networks on the Dark Web, and they often partner with ransomware operators as part of a thriving underground economy. They excel at finding unpatched machines, password-cracking and brute-forcing, social engineering and phishing, and other common avenues for infection.

"Several threat actors that typically use BazaLoader in malware campaigns have transitioned to Bumblebee," Proofpoint researchers say. "Proofpoint assesses with moderate confidence the actors using Bumblebee may be considered initial-access facilitators."

**Hive of Activity: Ongoing Cybercrime Campaigns**  
Starting in March, Proofpoint observed Bumblebee campaigns distributed via email campaigns by at least three tracked threat actors.

“While lures, delivery techniques, and file names are typically customized to the different threat actors distributing the campaigns, Proofpoint observed several commonalities across campaigns, such as the use of ISO files containing shortcut files and DLLs and a common DLL entry point used by multiple actors within the same week,” according to the report. ISO files are used to store images of optical disks, DVDs, CDs, and other media.

In one case, a DocuSign-branded email campaign was designed to trick targets into downloading a malicious, zipped ISO file purporting to be an unpaid invoice, hosted on OneDrive. The emails contained either a hyperlink asking recipients to “REVIEW THE DOCUMENT" in the body of the message, or they used HTML attachments.

“The embedded URL in the HTML attachment used a redirect service which Proofpoint refers to as Cookie Reloaded, a URL redirect service which uses Prometheus TDS to filter downloads based on the time zone and cookies of the potential victim,” explain the researchers. “The redirector in turn directed the user to a zipped ISO file, also hosted on OneDrive.”

The ISO file contained a shortcut file named "ATTACHME.LNK," which, when clicked, executed "Attachments.dat" with the correct parameters to run the Bumblebee downloader.

In another case, a campaign used thread jacking (i.e., when cybercriminals reply to existing email exchanges, inserting themselves into legitimate conversations) to deliver emails with malicious zipped ISO attachments.

And in yet another case, emails were generated by submitting a message to a contact form on the target's website, while leaving public comments regarding the topic on the target's site. As a lure, the attackers made claims about stolen images on the website. These "complaints" contained a link to a landing page that directed the user to the download of a malicious ISO file.

    

A bogus 'complaint' about the use of stolen images.

_Source: Proofpoint_

"The use of Bumblebee by multiple threat actors, the timing of its introduction in the landscape, and behaviors described in this report can be considered a notable shift in the cybercriminal threat landscape," researchers conclude. "Proofpoint assesses with high confidence based on malware artifacts all the tracked threat actors using Bumblebee are receiving it from the same source."  

To protect themselves, organizations should shore up basic security hygiene, such as timely patching and strong password/multifactor authentication use – and also work with employees to instill awareness of email-borne threats and common social-engineering trickery.

**Malware Analysis: This Is No Bumbler  
**Bumblebee is new and still under active development, but it’s already a sophisticated threat that organizations should watch out for, Proofpoint warned.

Once installed, the loader gathers system information and generates a "client ID." It then hooks up with the C2 (the address(es) are stored in plaintext) and checks in at randomized intervals of seconds to retrieve commands.

Bumblebee supports the following commands:  

*   Shi: shellcode injection
*   Dij: DLL injection
*   Dex: Download executable
*   Sdl: uninstall loader
*   Ins: enable persistence on the bot

Notably, it contains powerful anti-analysis and evasion tactics, including sandbox and virtual-machine awareness, the addition of an encryption layer to the network communications, and a check on current running processes against a hardcoded list of common tools used by malware analysts.

"The introduction of the Bumblebee loader to the crimeware threat landscape and its apparent replacement for BazaLoader demonstrates the flexibility threat actors have to quickly shift \[tactics, techniques, and procedures\] and adopt new malware," says Sherrod DeGrippo, vice president of threat research and detection at Proofpoint. "Additionally, the malware is quite sophisticated and demonstrates being in ongoing, active development, introducing new methods of evading detection."

Bumblebee Malware Buzzes Into Cyberattack Fray

Six Russian state-backed threat actors have lunched 237 cyberattacks on Ukraine's infrastructure, new research from MIcrosoft shows.

In apparent orchestrated coordination with military operations against Ukraine, six Russian state-supported threat actors have targeted civilian infrastructure inside the country with more than 237 individual cyber operations, according to Microsoft.

Microsoft's latest research found that of the nearly 40 separate attacks observed, 32% targeted the Ukrainian government at various levels and 40% could have negatively affected the government, military, economy, and civilian population.

Tom Burt, Microsoft's corporate vice president of customer security and trust, explained that the company wanted to reveal the extent that cyber activities play a role in Russia's invasion of Ukraine so the international community can mount an appropriate response. 

"Since the Russian invasion of Ukraine began, Russian cyberattacks have been deployed to support the military’s strategic and tactical objectives," Burt wrote in his blog post about the report's findings. "It’s likely the attacks we’ve observed are only a fraction of activity targeting Ukraine."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Microsoft: Russia Using Cyberattacks in Coordination With Military Invasion of Ukraine

As the use of AI- and ML-driven decision-making draws transparency concerns, the need increases for explainability, especially when machine learning models appear in high-risk environments.

Artificial intelligence has evolved rapidly during the last few years and is being applied across industries for endless use cases as a powerful and innovative tool. However, great responsibility comes with great power. Thanks to AI and machine learning (ML), fraud prevention is now more accurate and evolving faster than ever. Real-time scoring technology allows business leaders to detect fraud instantly; however, the use of AI- and ML-driven decision-making has also drawn transparency concerns. Further, the need for explainability arises when ML models appear in high-risk environments.

Explainability and interpretability are getting more important, as the number of crucial decisions made by machines is increasing. "Interpretability is the degree to which a human can understand the cause of a decision," said tech researcher Tim Miller. Thus, evolving interpretability of ML models is crucial and leads to well-trusted automated solutions.

Developers, consumers, and leaders should be aware of the meaning and process of fraud prevention decision-making. Any ML model that exceeds a handful of parameters is complex for most people to understand. However, the explainable AI research community has repeatedly stated that black-box models are not black box anymore due to the development of interpretation tools. With the help of such tools, users are able to understand, and trust ML models more that make important decisions.

**The SHAP of Things**  
SHAP (SHapley Additive exPlanations) is one of the most used model-agnostic explanation tools today. It computes Shapley values from coalitional game theory, which evenly shares the impact of features. When we are fighting fraud based on tabular data and using tree ensemble methods, SHAP’s TreeExplainer algorithm provides the opportunity to get exact local explanations in polynomial time. This is a vast improvement compared to neural network-based explanations because only approximations are feasible with such tools.

With the term "white box," we are referring to the rule engine that calculates the fraud score. By their nature, the black-box and white-box models will not give the same results because the black box gives us results according to what the machine learned from the data, and the white box gives scores according to the predefined rules. We can use such discrepancies to develop both sides. For example, we can tune the rules according to the fraud rings spotted with the black-box model.

Combining black-box models with SHAP lets us understand the model's global behavior and reveals the main features that the model uses to detect fraudulent activities. It will also reveal undesirable bias in the model. For example, it may uncover that a model may be discriminating against specific demographics. It is possible to detect such cases and prevent unfair predictions by global model interpretation.

Additionally, it helps us understand individual predictions made by the model. During the debugging process of ML models, data scientists can observe each prediction independently and interpret it from there. Its feature contribution gives us great intuition about what the model is doing, and we can take action from these inputs for further development. With SHAP, end users are not just getting essential features of the model, they also get information about how (in which direction) each feature is contributing to the model's output, which yields fraud probability.

**The Confidence Factor**  
Finally, confidence is gained from customers by gaining trust in a successful model with the help of SHAP. In general, the faith in a product is higher if we understand what it is doing. People don't like things that they don't understand. With the help of explaining tools, we can look into the black box, understand it better, and start trusting it. And by understanding the model, we can improve it continuously.

An alternative to gradient boosting ML models with SHAP could be Explainable Boosting Machine (EBM), the flagship of InterpretML (Microsoft's AI framework), which is a so-called "glass box" model. The name glass box comes from the fact that it is interpretable by its nature due to its structure. According to the original documentation, "EBMs are often as accurate as state-of-the-art black box models while remaining completely interpretable. Although EBMs are often slower to train than other modern algorithms, EBMs are extremely compact and fast at prediction time." Local Interpretable Model-Agnostic Explanations (LIME) is also a great tool that could be used for black-box explainability; however, it is more popular with models functioning on unstructured data.

With these tools and transparent data points, organizations can confidently make decisions. All stakeholders must know how their tools work to get the best results. Being aware of black-box ML and the various techniques that combine with it can help organizations better understand how they are getting results to reach their business goals.

Source

DARKReading