False positives and staff shortages are inspiring a massive managed detection and response (MDR) services migration, research finds.

Organizations drowning in security tasks with too few analysts and resources to handle them are moving in droves away from legacy services from managed security service providers (MSSPs) to more automated managed detection and response options. 

According to a LogicHub survey of IT professionals out this week, 79% of respondents using MSSPs to aggregate alerts are planning an upgrade to MDR services. Nearly a third (30%) already use MDR, with another 42% actively planning an upgrade in the next 12 months, LogicHub said.   

The promise of MDR's ability to stretch strapped security teams and resources with automated response, better threat detection, cloud support, and around-the-clock operations is supercharging the surge, according to the survey's respondents. In fact, 60% of respondents told LogicHub they had false-positive rates above 25%, creating mountains of unnecessary work for analysts. 

"This study has found a significant change in how organizations plan to address today's security challenges," Michael Sampson, senior analyst at Osterman Research, said in a statement about the new MDR service research. "The perfect storm of too many security tools creating too many alerts for overstretched security teams has created an urgent need for many organizations to move to more advanced managed security services."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

80% of Legacy MSSP Users Planning MDR Upgrade

The credential-phishing attack leverages social engineering and brand impersonation techniques to lead users to a spoofed MetaMask verification page.

Researchers have uncovered an email-based credential-phishing attack targeting users of MetaMask, a cryptocurrency wallet used to interact with the Ethereum blockchain.

The campaign is directed at Microsoft 365 (formerly Microsoft Office 365) users and has targeted multiple organizations across the financial industry. It starts with a socially engineered email that looks like a MetaMask verification email, according to the Armorblox research team, containing a link.

Upon clicking the link, users are taken to a spoofed MetaMask verification page, where they are asked to verify their wallet, claiming that non-compliance would result in limited access to their wallets.

The fake landing page uses MetaMask logos and branding to closely resemble the real log-in page, and it deploys a language of urgency to encourage compliance with the Know Your Customer (KYC) verification request.

"In order to get the victim to comply with the request and exfiltrate sensitive data, attackers included language within both the body of the email and the fake landing page that denoted a sense of urgency, making it known that time was of the essence," the Armorblox post notes.

The research team also pointed out that the attack leverages the curiosity effect, a cognitive bias that can be used to exploit the user's inherent urge to resolve doubt.

"Each further engagement through the attack flow further aimed to increase this trust through legitimate logo inclusions, branding, and key attributes that are only affiliated with the spoofed brand," the post continues.

**Attack Skates Past Microsoft Security**

Even though the email came from an invalid domain, the attackers were still able to slip through Microsoft's security controls, using a "gamut of techniques" to bypass secure email gateway (SEG) filters.

Armorblox CSO Brian Johnson notes while the company's research team does not have access to Microsoft threat detection details, they have seen a large amount of modern attacks spawn zero-day malicious links that are ephemeral in nature.

"With the advent of cloud services, it is easy to spin up and spin down malicious links in minutes," he explains. "These attacks can only be detected when you combine natural language understanding with artificial intelligence to go beyond static checks on known malicious links."

To protect against these types of attacks, Johnson says the basic steps include ensuring multifactor authentication (MFA) across all the organization's accounts — specifically, the ones that provide access to financial accounts.

The Armorblox post also recommends keeping an eye out for social-engineering cues, for example any logical inconsistencies within the email, and to augment native email security with additional controls.

**Cryptocurrency Attacks Evolving, Targeting Startups**

Johnson adds that crypto-wallet phishing has become more targeted and mainstream.

"As the use of cryptocurrency gains traction in both personal and business environments, it opens up another vector for malicious actors," Johnson warns.

Hackers' approaches to compromising cryptocurrency and digital asset exchanges continue to evolve, as a series of attacks against small and midsize businesses has led to major cryptocurrency losses for the victims.

Among these malicious actors is BlueNoroff, an advanced persistent threat (APT) group that's part of the larger Lazarus Group associated with North Korea, which carried out the SnatchCrypto campaign in January.

Meanwhile, cryptocurrency mixing — a technique that uses pools of cryptocurrency to complicate the tracking of electronic transactions — is set to grow, as ransomware and other cybercriminal enterprises increasingly lean into cryptocurrency, a November 2021 report from Intel 471 warned.

MetaMask Crypto-Wallet Theft Skates Past Microsoft 365 Security

Organizations may not frequently encounter malware targeting cloud systems or networking equipment, but the array of malware they do encounter just occasionally is no less disruptive or damaging. That is where the focus needs to be.

Enterprise defenders contend with a dizzying variety of threats as attackers regularly evolve their arsenals of attack tools. But a recent survey suggests that in many cases, tried-and-tested attacks remain more prevalent than more sophisticated ones.

According to Dark Reading's "The State of Malware Threats" report, security professionals encounter common viruses and phishing attacks delivering malware more than any other type of malware threat.

When asked which types of online attacks their organizations detected frequently or very frequently, half of IT security professionals pointed to common viruses, followed by 47% for phishing attacks delivering malware and 30% for malware designed to steal credentials. These statistics highlight just how big a security headache phishing and credential theft are for organizations.

**Not Yet Frequent, Thank Goodness**

Nowadays, the focus is on ransomware because of its destructiveness: Business operations are disrupted, technical remediation is difficult, organizations often have to shut down temporarily as they attempt to recover, and attacks are costly (regardless of whether the ransom has been paid). And recent research from Cybereason suggests that paying the ransom doesn’t protect organizations from being hit again, with many reporting a second ransomware attack within a month of the first.

Assuredly, just under a quarter of respondents in our survey said their organizations detect ransomware attacks frequently or very frequently.

That’s not to say defenders don’t have to worry about ransomware attacks – attackers are increasingly opting for ransomware over other attack methods. As the "2022 Verizon Data Breach Investigations Report" notes, a quarter of breaches last year involved ransomware. And ransomware is top of mind for IT security professionals: When asked which types of attacks worried them most, 61% cited ransomware, followed by 54% for phishing.

**Occasional/Rare Still Induces Headaches**

Even so, IT security teams can’t only pay attention to frequent attacks. Many threats – such as malware designed to infect routers or other networking equipment, or malware compromises that are the result of a security breach with a supplier – may occur less frequently, but they are no less calamitous when they hit. A quarter of respondents said they’ve occasionally detected malware targeting cloud systems, 24% occasionally detected malware targeting networking equipment, and 21% occasionally encountered malware that was triggered by a security incident or compromise on supplier networks and systems.

Many of the sophisticated malware attacks remain rare. Multivector malware that behaves differently depending on the system it infects is frequently used in targeted attacks, which explains why 28% of IT security professionals said their organizations have never detected this threat. Similarly, despite the lack of basic security controls in the Internet of Things (IoT), more than half of IT security professionals said their organizations rarely, or never, detected attacks targeting IoT and other non-traditional systems. Also rarely detected are fileless malware that resides in memory (44%) and cross-platform malware designed to target more than one platform or operating system (50%).

There is a lot of rumbling right now about how automation can help with security defense. That is particularly true in this case, as automating malware detection and remediation for the more commonly seen threats could free up defenders to focus on the “occasional” and “rare” attacks that can be just as problematic for the organization, if not more.

Organizations Battling Phishing Malware, Viruses the Most

A voicemail-themed phishing campaign is hitting specific industry verticals across the country, bent on scavenging credentials that can be used for a range of nefarious purposes.

Microsoft 365 and Outlook customers in the US are in the crosshairs of a successful credential-stealing campaign that uses voicemail-themed emails as phishing lures. The flood of malicious emails anchoring the threat is emblematic of the larger problem of securing Microsoft 365 environments, researchers say.

According to an analysis from Zscaler's ThreatLabz, a highly targeted offensive has been ongoing since May, aiming at specific verticals, including software security, the US military, security-solution providers, healthcare/pharmaceuticals, and the manufacturing supply chain.

The campaign has been successful in compromising swaths of credentials, which can be used for a variety of cybercrime endgames. These include taking over accounts in order to access documents and steal information, eavesdropping on correspondence, sending believable business email compromise (BEC) emails, implanting malware, and burrowing deeper into corporate networks. The user ID/password combos can also be added to credential-stuffing lists in hopes that victims have made the mistake of reusing passwords for other types of accounts (such as online banking).

"Microsoft 365 accounts are often a treasure trove of data, which can be downloaded en masse," says Robin Bell, CISO of Egress. "Furthermore, hackers can use compromised Microsoft 365 accounts to send phishing emails to the victim’s contacts, maximizing the effectiveness of their attacks.”

**Voicemail Phishing Attack Chain**

From a technical perspective, the attacks follow a classic phishing flow — with a couple of quirks that make them more successful.

The attacks start out with purported missed-voicemail notifications being sent via email, which contain HTML attachments.

HTML attachments often get past email gateway filters because they aren't in and of themselves malicious. They also don't tend to raise red flags for users in a voicemail notification setting, since that's how legitimate Office notifications are sent. And for added verisimilitude, the "From" fields in the emails are crafted specifically to align with the targeted organization's name, according to a recent Zscaler blog post.

If a target clicks on the attachment, JavaScript code will redirect the victim to an attacker-controlled credential-harvesting website. Each of these URLs are custom-created to match the targeted company, according to the researchers.

"For instance, when an individual in Zscaler was targeted, the URL used the following format: zscaler.zscaler.briccorp\[.\]com/<base64\_encoded\_email>," they noted in the blog post, which detailed the attacks. "It is important to note that if the URL does not contain the base64-encoded email at the end; it instead redirects the user to the Wikipedia page of MS Office or to office.com."

Before the mark can access the page however, a Google reCAPTCHA check pops up — an increasingly popular technique for evading automated URL analysis tools.

CAPTCHAs are familiar to most Internet users as the challenges that are used to confirm that they're human. The Turing test-ish puzzles usually involve clicking all photos in a grid that contain a certain object, or typing in a word presented as blurred or distorted text. The idea is to weed out bots on e-commerce and online account sites — and they serve the same purpose for crooks.

Once the targets solve the CAPTCHAs successfully, they're sent onto the phishing page, where they're asked to enter their Microsoft 365 credentials — which, of course, are promptly captured by the bad guys on the other end of the URL.

"When faced with a login prompt that looks like a typical O365 login, the person is likely to feel comfortable entering their information without looking at the browser's URL bar to ensure they are at the real login website," Erich Kron, security awareness advocate with KnowBe4, tells Dark Reading. "This familiarity, and the high odds that an intended victim regularly uses O365 for something in their workday, makes this a great lure for attackers."

Using voicemail as a lure isn't a new technique — but it's a successful one. The current campaign is actually a resurgence of earlier activity seen in July 2020, the researchers noted, given significant overlap in the tactics, techniques, and procedures (TTPs) between the two phishing waves.

"These attacks target human nature, manipulating their victims using techniques that play on our psychology," Egress' Bell tells Dark Reading. "That's why, despite investing in security awareness training, many organizations still fall victim to phishing. In addition to this, threat actors are crafting increasingly sophisticated, highly convincing attacks that many people simply can’t distinguish from the 'real thing.' This is exacerbated by the increasing use of mobile devices, as users often can’t see details like the sender’s real information."

**Microsoft 365 Continues to Be a Popular Target**

The cloud version of Microsoft's productivity suite, formerly known as Office365 or O365 and renamed Microsoft 365 by the company, is used by more than 1 million companies and more than 250 million users. As such, it acts as a siren song to cybercrooks.

According to a 2022 Egress report, "Fighting Phishing: The IT Leader’s View," 85% of organizations using Microsoft 365 reported being victims of phishing during the last 12 months, with 40% of organizations falling victim to credential theft.

"Microsoft O365 and Outlook are used by an estimated 1 million companies, so there’s a good chance that their victim, and the victim's organization, use these services," Bell says. "With such a high volume of accounts, the hackers have a better chance of reaching targets with a low level of tech awareness, who are more likely to fall for an attack."

Microsoft 365 phishes also are popular attack vectors because the blend in with normal workday activities, Kron notes.

"We spend a lot of our workday in a near autopilot mode, doing repeated tasks almost automatically, as long as the tasks are expected," he explains. "It’s only when something unexpected occurs that people tend to take notice and apply critical thinking. For many of us, the action of logging in to an O365 portal is not unusual enough to raise our suspicions. Many times, when people log in to these fake portals, the credential stealing software invisibly forwards the information to the legitimate login portal resulting in a successful login, and the victim is never aware that they were tricked.”

**How CISOs Can Defend Against Social Engineering**

There are significant challenges for CISOs in shutting down this type of threat vector, researchers say, mainly due to the fact that it's impossible to patch human nature. That said, user training to encourage employees to perform basic protections, like checking the URL before logging in, can go a long way.

"We have to face the fact that social-engineering attacks, which include phishing, vishing, and smishing, are here to stay," says Kron. "Phishing has been prevalent almost since email began, and the damage done and losses sustained are simply too high to ignore, while hoping for the best. CISOs need to understand these risks, and employees need to understand that in our modern world where everyone uses computers and processes information in some way, cybersecurity is a part of everyone’s job, and will be for the foreseeable future.”

Beyond this basic best practice, CISOs should also take back-end technology steps to fill in for when people make mistakes, as they inevitably will. And this should go beyond standard secure email gateway filters, according to Bell.

"To truly mitigate the risk, organizations need the right technology," he advises. "CISOs need to evaluate their security stack, ensuring that they are augmenting their email platforms with additional layers of protection to ensure that their people and data are protected. Technology should partner with employees to help them to identify even the most sophisticated attacks, ensuring that credentials and email accounts cannot be compromised by threat actors.”

Kron recommends a commonsense defense approach that combines both technology and training.

"For CISOs that do not recognize this and attempt to counter these attacks with purely technical tools, the odds of success are quite low," he says. "For CISOs that understand that these attacks are exploiting human vulnerabilities and deploy a mix of technical controls as well as tackling the human issue through education and training, the results are often much better."

Microsoft 365 Users in US Face Raging Spate of Attacks

Addition of WhiteHat Security provides Synopsys with SaaS capabilities and dynamic application security testing (DAST) technology.

MOUNTAIN VIEW, Calif., June 22, 2022 /PRNewswire/ -- Synopsys, Inc. (NASDAQ: SNPS) today announced that it has completed the acquisition of WhiteHat Security, a leading provider of application security Software-as-a-Service (SaaS). The addition of WhiteHat Security provides Synopsys with significant SaaS capabilities and market-segment-leading dynamic application security testing (DAST) technology to strengthen what is considered one of the industry's broadest application security testing portfolios. Synopsys and WhiteHat Security, which was acquired by NTT Security Corporation in 2019, share a vision for delivering SaaS-based security testing solutions and building security into the software development lifecycle.

Synopsys paid $330 million in cash and expects the acquisition to be roughly neutral to FY2022 non-GAAP earnings per share.

"WhiteHat Security helped pioneer SaaS delivery of application security testing and brings powerful technology and expertise into our application security portfolio," said Jason Schmitt, general manager of the Synopsys Software Integrity Group. "WhiteHat Security's DAST capabilities complement our strengths in static analysis, interactive analysis and software composition analysis, while their expertise in SaaS will accelerate our security testing SaaS capabilities. We are excited about the value this will create for our customers and welcome the WhiteHat Security team as they join us in our mission to build trust in the software that businesses depend on."

**About the Synopsys Software Integrity Group**

Synopsys Software Integrity Group provides integrated solutions that transform the way development teams build and deliver software, accelerating innovation while addressing business risk. Our portfolio of software security products and services is the most comprehensive in the world and interoperates with third-party and open source tools, allowing organizations to leverage existing investments to build the security program that's best for them. Only Synopsys offers everything you need to build trust in your software. Learn more at www.synopsys.com/software.

**About Synopsys**

Synopsys, Inc. (Nasdaq: SNPS) is the Silicon to Software™ partner for innovative companies developing the electronic products and software applications we rely on every day. As an S&P 500 company, Synopsys has a long history of being a global leader in electronic design automation (EDA) and semiconductor IP and offers the industry's broadest portfolio of application security testing tools and services. Whether you're a system-on-chip (SoC) designer creating advanced semiconductors, or a software developer writing more secure, high-quality code, Synopsys has the solutions needed to deliver innovative products. Learn more at www.synopsys.com

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Synopsys Completes Acquisition of WhiteHat Security

In addition, Aqua Security unveiled a new open source tool, Chain-Bench, for auditing the software supply chain to ensure compliance with the new CIS guidelines.

**BOSTON— June 22, 2022 —** Aqua Security, the leading pure-play cloud native security provider, and the Center for Internet Security (CIS), an independent, nonprofit organization with a mission to create confidence in the connected world, today released the industry’s first formal guidelines for software supply chain security. Developed through collaboration between the two organizations, the _CIS Software Supply Chain Security Guide_ provides more than 100 foundational recommendations that can be applied across a variety of commonly used technologies and platforms. In addition, Aqua Security unveiled a new open source tool, Chain-Bench, which is the first and only tool for auditing the software supply chain to ensure compliance with the new CIS guidelines.

**Establishing Best Practices for Software Supply Chain Security**

Although threats to the software supply chain continue to increase, studies show that security across development environments remains low. The new guidelines establish general best practices that support key emerging standards like Supply Chain Levels for Software Artifacts (SLSA) and The Update Framework (TUF) while adding foundational recommendations for setting and auditing configurations on the Benchmark-supported platforms.

Within the guide, recommendations span five categories of the software supply chain, including Source Code, Build Pipelines, Dependencies, Artifacts, and Deployment (link to blog with overview).

CIS intends to expand this guidance into more specific CIS Benchmarks to create consistent security recommendations across platforms. As with all CIS guidance, the guide will be published and reviewed globally. Feedback will help ensure that future platform-specific guidance is accurate and relevant.

“By publishing the CIS Software Supply Chain Security Guide, CIS and Aqua Security hope to build a

vibrant community interested in developing the platform-specific Benchmark guidance to come,” said Phil White, Benchmarks Development Team Manager for CIS. “Any subject matter experts that develop or work with the technologies and platforms that make up the software supply chain are encouraged to join the effort in building out additional benchmarks. Their expertise will be valuable to establishing critical best practices to advance software supply chain security for all.”

To date, the guide has been reviewed by experts at CIS, Aqua Security, Axonius, PayPal, CyberArk, Red Hat, and other leading technology firms.

Ofir Shapira, Cyber Security Product Manager, Axonius: “The work Aqua is doing around software supply chain security, not only as a company but for the wider community, is paving the way for more secure software releases.”

Erez Dasa, Cyber & Application Security Architect, leading digital payment organization: “Implementing these guidelines over development processes gives us much more confidence in the security of releases.”

**The Industry’s First Open Source Tool for Software Supply Chain Security**

To support organizations adopting the CIS guidance, Aqua released Chain-Bench. Chain-Bench scans the DevOps stack from source code to deployment and simplifies compliance with security regulations, standards, and internal policies to ensure teams can consistently implement software security controls and best practices.

“Building software at scale requires strong governance of the software supply chain, and strong governance requires effective tools. This is where we saw an opportunity to add value,” said Eylam Milner, Director Argon Technology, Aqua Security. “We wanted to leverage our expertise in software supply chain security to help build critical guidance for one of industry’s most pressing challenges, as well as a free, accessible tool to help other organizations adhere to it. The work doesn’t stop here. We will continue working with CIS to refine this guidance, so that organizations worldwide can benefit from stronger security practices.”

To learn more about the CIS Software Supply Chain Security Guide, visit the CIS WorkBench. To download Chain-Bench, visit GitHub.

**About Center for Internet Security, Inc. (CIS®)**

The Center for Internet Security, Inc. (CIS®) makes the connected world a safer place for people, businesses, and governments through our core competencies of collaboration and innovation. We are a community-driven nonprofit, responsible for the CIS Critical Security Controls® and CIS Benchmarks™, globally recognized best practices for securing IT systems and data. We lead a global community of IT professionals to continuously evolve these standards and provide products and services to proactively safeguard against emerging threats. Our CIS Hardened Images® provide secure, on- demand, scalable computing environments in the cloud. CIS is home to the Multi-State Information Sharing and Analysis Center® (MS-ISAC®), the trusted resource for cyber threat prevention, protection, response, and recovery for U.S. State, Local, Tribal, and Territorial (SLTT) government entities, and the Elections Infrastructure Information Sharing and Analysis Center® (EI-ISAC®), which supports the rapidly changing cybersecurity needs of U.S. election offices. To learn more, visit CISecurity.org or follow us on Twitter: @CISecurity.

**About Aqua Security**

Aqua Security stops cloud native attacks. As the pioneer and largest pure-play cloud native security company, Aqua helps customers unlock innovation and build the future of their business. The Aqua Platform is the industry's most integrated Cloud Native Application Protection Platform (CNAPP) securing the entire application lifecycle through prevention, detection and response. Founded in 2015, Aqua is headquartered in Boston, MA and Ramat Gan, IL with Fortune 1000 customers in over 40 countries. For more information, visit www.aquasec.com.

Aqua Security Collaborates With Center for Internet Security to Create Guide for Software Supply Chain Security

Open service generates free report detailing potential gaps in compliance, configuration, and security for a user’s multiple domain names.

**STERLING, Va. – June 22, 2022** – Neustar Security Services, a leading provider of cloud-oriented security services that enable global businesses to thrive online, has launched an open and abridged version of its UltraDNS Health Check site at ultradnshealthcheck.com. Until now, UltraDNS Health Check had been reserved for customers subscribing to the company’s UltraDNS line of products, which delivers an enterprise-grade, cloud-based authoritative DNS service to securely deliver fast and accurate query responses to websites and vital online assets. Making this public-facing version of UltraDNS Health Check generally available enables any organization to leverage a powerful tool in assessing the hygiene of their domains and keep them safe, secure, optimized and in compliance.

The external UltraDNS Health Check site was designed with hundreds of industry standards and best practices in mind to help identify potential configuration and security issues. It runs more than 20 validations, enabling users to ensure that their domains are RFC-compliant and adhere to best practices. On-demand checks include those for Domains to validate core configurations for appropriate routing and security as well as Name Servers (NS) to flag misconfigurations that could impact security, performance, or query resolution. Additional checks are run for mail exchanges (MX), start of authority (SOA) and DNS Security (DNSSEC).

“Securing your DNS is easy to overlook and difficult to stay on top of, and we are excited to make a resource that has been invaluable to UltraDNS customers available to all,” said Enrique Somoza, Director of Product Management for DNS at Neustar Security Services. “With this external DNS Health Check site, future customers can now see a subset of the full functionality that current customers benefit from every day to assess the hygiene of their DNS and take appropriate action to maintain performance. It is just one of Neustar Security Services’ comprehensive offerings that contribute to the 95% customer satisfaction ratings we have achieved in recent periods.”

Taking advantage of the external UltraDNS Health Check site is simple. Users provide their domain names for analysis, alongside contact information to receive their personalized health check reports. The reports offer immediate results and standards-based recommendations on the state of various zones, providing feedback on whether zones are in good standing, in error, may have an issue or do not conform to best practices. The site is free to use regardless of who your DNS providers are.

DNS is a mission critical service responsible for keeping businesses accessible and available, and because it is foundational, it has likely evolved over time along with a company’s strategies, staff and systems. It can be one of the simplest ways into an organization, and cybercriminals doing reconnaissance find DNS a rich source of information. With DNS, bad actors can gather a domain’s subdomains to accurately map a target, and easily available tools can find hidden servers and reveal a host of different prospective targets. With UltraDNS Health Check, users have an effective platform at their disposal for identifying misconfigurations and potential security issues, gleaning valuable information for taking action to restore DNS hygiene and integrity. Access and more information are available at ultradnshealthcheck.com.

Neustar Security Services Launches Public UltraDNS Health Check Site

Researchers have spotted the threat group, also known as Fancy Bear and Sofacy, using the Windows MSDT vulnerability to distribute information stealers to users in Ukraine.

Russia’s notorious advanced persistent threat group APT28 is the latest in a growing number of attackers trying to exploit the “Follina” vulnerability in the Microsoft Support Diagnostic Tool (MSDT) in Windows.

Researchers from Malwarebytes this week observed the threat actor — aka Fancy Bear and Sofacy — sending out a malicious document with an exploit for the now-patched flaw (CVE-2022-30190) via phishing emails to users in Ukraine. The document was titled “Nuclear Terrorism A Very Real Threat.rtf" and appeared designed to prey on fears about the war in Ukraine spiraling into a nuclear holocaust. 

Malwarebytes identified the contents of the document as a May 10 article from the Atlantic Council on the potential for Russian President Vladimir Putin to use nuclear weapons in Ukraine.

Users who opened the document ended up having a new version of a previously known .Net credential stealer loaded on their systems via the Follina exploit, which made headlines as a zero-day earlier this month. The malware is designed to steal usernames, passwords, and URLs from Chrome and Microsoft Edge browsers. It can also grab all stored cookies in Chrome, Malwarebytes researchers say.

Ukraine’s Computer Emergency Response Team (CERT-UA) separately warned of the same threat. In an advisory, it said it had spotted APT28 using the same malicious document that Malwarebytes reported to try and distribute the CredoMap credential-stealing malware to users in Ukraine. 

Available telemetry suggests that the adversary has been using the document since at least June 10, CERT-UA says.

“The target, and the involvement of APT28, (a division of Russian military intelligence), suggests that campaign is a part of the conflict in Ukraine, or at the very least linked to the foreign policy and military objectives of the Russian state,” states Malwarebytes in a report Tuesday on the new activity.

**The Follina Feeding Frenzy**

The Follina bug in MSDT exists in all current versions of Windows and can be exploited via malicious Microsoft Office documents. To trigger it, all an attacker needs to do is call MSDT from an Office app, such as Word, using the URL protocol. Attackers can exploit the flaw to gain remote control of vulnerable systems and take a variety of malicious actions on them, including executing malicious code, installing programs, modifying data, and creating new accounts. 

Microsoft disclosed the flaw in late May amid widespread zero-day exploit activity. The company finally issued a fix for the vulnerability in its Patch Tuesday set of monthly security updates for June.

Malwarebytes describes the Ukrainian campaign as the first time it had observed APT28 exploiting Follina. But numerous other groups, including other state-backed actors, have been actively exploiting the vulnerability in recent weeks.

Many of the attacks have targeted Ukrainian entities. Earlier this month, for instance, CERT-UA warned about a threat actor — likely Russia’s Sandworm APT group — using a Follina exploit in a “massive cyberattack” targeting media organizations in Ukraine. 

And just this week, CERT-UA warned about a threat group it is tracking as UAC-0098, which is targeting critical infrastructure facilities in Ukraine with a tax-themed document carrying a Follina exploit. According to the CERT-UA, the attackers in this campaign are exploiting Follina to drop the Cobalt Strike Beacon post-compromise attack tool on compromised systems.

Other reports of Follina-related activity have emerged as well, suggesting the flaw is of high interest to attackers and needs to be addressed quickly. Earlier this month, Proofpoint reported that it had blocked a likely stated-backed phishing campaign involving a Follina exploit that targeted a handful of its customers. The phishing email masqueraded as a document about a salary increase, which if opened would have resulted in a PowerShell script being downloaded to the system.

Symantec, too, has reported observing a variety of threat actors exploiting Follina to distribute different malicious payloads, including the AsyncRAT remote access Trojan and another unnamed malware for stealing cookies and save login data from browsers such as Chrome, Edge and Firefox.

Russia's APT28 Launches Nuke-Themed Follina Exploit Campaign

Don't sleep on Magecart attacks, which security teams could miss by relying solely on automated crawlers and sandboxes, experts warn.

Although observed Magecart skimmer attacks have been less frequently reported in recent months, analysts have discovered fresh infrastructure they were able to trace to malicious domains behind an ongoing campaign.

The Malwarebytes Labs team connected the skimmers to activity dating back to May 2020. 

The attackers hid the skimmer behind three JavaScript library themes, the report said: 

*   hal-data\[.\]org/gre/code.js (Angular JS)
*   hal-data\[.\]org/data/ (Logger)
*   js.g-livestatic\[.\]com/theme/main.js (Modernizr)

The team added that a recent drop in Magecart activity could be because many threat actors may be pivoting from stealing credit-card numbers to more profitable targets.

"Crypto wallets and similar digital assets are extremely valuable and there is no doubt that clever schemes to rob those are in place beyond phishing for them," the team wrote.

But worryingly, the disappearance of Magecart from the radar could also be because the attacks have moved server-side and become harder to detect with simple scanners, the analysts said. 

"Perhaps we have been too focused on the Magento CMS, or our crawlers and sandboxes are being detected because of various checks including at the network level," the team said about waning detections of Magecart skimmer attacks.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Fresh Magecart Skimmer Attack Infrastructure Flagged by Analysts

Treat identity management as a first-priority problem, not something to figure out later while you get your business up and running in the cloud.

Realizing the vast potential of the cloud enables organizations to innovate and undergo digital transformations. The last two years have demonstrated the importance of ensuring sound cybersecurity, especially as many enterprises have migrated to the cloud. A key part of the cloud, however, is ensuring that enterprises utilize proper identity management. Increased cloud adoption has resulted in a deluge of new human, and even non-human, identities that threat actors can compromise. Enterprises that don’t take this seriously can find themselves the latest victims of a breach.

One should look no further than Okta, a popular identity management platform used by many enterprises. Earlier this year, the Lapsus$ criminal organization claimed to be in possession of a super-user account at Okta. While the full extent of the breach isn't yet known, having these high-level credentials potentially means the criminal organization has the figurative "keys to the kingdom" regarding access, along with the ability to obtain the data of users who rely on the Okta platform. When an identity and access management (IAM) provider is the victim of an identity-based attack, you know that threat actors are playing hard.

That said, IAM isn't a new issue and will certainly become more important in the foreseeable future. A report from Cider Security ranked IAM as the second biggest problem in continuous integration/continuous delivery environments. These concerns relate to both the permissions granted to identities across an enterprise and ensuring that permissions are deprovisioned in a timely manner.

**Difficulties of Managing Identities in the Cloud**

Managing identities in the cloud is difficult due to a confluence of factors. Often the structure of a cloud provider's notions of projects and organizations don't map well to how an enterprise structures itself. This can lead to things like a single enterprise user trying to manage multiple "identities" within the cloud in order to do their job. Downstream, this results in few, if any, people having any real visibility into who has access to what within the cloud.

As problems like this grow, they're further exacerbated as the company hires employees and then experiences turnover. Also, moving from on-premises to the cloud can create similar challenges. Enterprises spend years operating in one way that works for them with their own hardware, and then as they move to the cloud, they need to adjust that older way of working to the cloud provider's structures.

**Consequences of Improperly Managed Identities**

From a security perspective, failure to properly manage IDs in the cloud opens up enterprises to a lack of command and control of who can do what within their infrastructure. It also makes it very difficult to recognize when something is askew with IDs or permissions for those identities.

From a non-security perspective, poorly managed identities can lead to friction in an enterprise's processes and then may lead to undesirable outcomes. These outcomes could include employees having to log in to cloud assets using multiple identities, or employees continually finding that they must request new permissions that they should have had from the outset. Ultimately, this slows down an enterprise's processes.

**Two Common IAM Missteps**

Customers regularly fail to build out cloud-based solutions where identity management is concerned. Ultimately, the cloud resources being accessed by identity holders don't care if you're a person, a machine, or a dog. If you have the right credentials, you're authenticated and authorized. Before they know it, a mission-critical service is running 24/7/365, and some key piece of that service is talking to other critical services via a human employee's identity. What happens when that employee leaves? Ensuring the continuity of services is imperative for enterprises and their identity and access management in the cloud.

Another potential pitfall comes with users sharing credentials. It doesn't take long for that key to get used without anyone having any capability to track down exactly who is really accessing the cloud resources. This lack of accountability can lead to big problems, including security concerns, for enterprises.

**How Organizations Can Mitigate Security Concerns**

First and foremost, treat identity management as a first-priority problem, not something to figure out later while you get your business up and running in the cloud. Create your own well defined policies on identity management with an eye toward ensuring the principle of least privilege, in which identities can only access what they need.

Don't let the tools from cloud providers determine how you run your business. A great way to ensure that your enterprise is in the driver's seat is to find people that know the cloud and know it well. Bringing in outside assistance from those who know it best not only puts it in the hands of those who are the most qualified to do so, but it can also help to mitigate common IAM problems that you may not even have on your radar. Additionally, it's important to gain organizationwide visibility into your cloud infrastructure. This valuable insight into your cloud infrastructure provides numerous benefits, not just for IAM but for compliance and financial management as well.

Source

DARKReading