The firmware threat offers ultimate stealth and persistence — and may be distributed via tainted firmware components in a supply chain play, researchers theorize.

A Windows firmware rootkit known as "CosmicStrand" has appeared in the cyberthreat firmament, targeting the Unified Extensible Firmware Interface (UEFI) to achieve stealth and persistence.

UEFI firmware is tasked with booting up Windows computers, including the loading of the operating system. As such, if the firmware is tainted with malicious code, that code will launch before the OS does — making it invisible to most security measures and OS-level defenses.

"This, along the fact that the firmware resides on a chip separate from the hard drive, makes attacks against UEFI firmware exceptionally evasive and persistent," researchers from Kaspersky explained in a posting on Monday. "Regardless of how many times the operating system is reinstalled, the malware will stay on the device."

Once triggered, the code deploys a malicious component inside the Windows OS, after a long execution chain. This component connects to a command-and-control server (C2) and waits for instructions to download additional malicious code snippets, which the malware maps into kernel space and assembles into a shellcode.

One shellcode sample obtained by Kaspersky was used to create a new user on the victim's machine and add it to the local administrators group.

"We can infer from this that shellcodes received from the C2 server might be stagers for attacker-supplied PE executables, and it is very likely that many more exist," according to the writeup.

As the US Department of Homeland Security (DHS) and Department of Commerce said in a March report on firmware threats, rootkits present a tremendous amount of risk.

“Attackers can subvert OS and hypervisor visibility and bypass most security systems, hide, and persist in networks and devices for extended periods of time while conducting attack operations, and inflict irrevocable damage,” the government agencies noted in a joint draft report (PDF).

This particular campaign appears highly targeted to specific individuals in China, with some cases seen in Iran and Vietnam, researchers noted. It's unclear what the ultimate endgame for Cosmic Strand is, but it's likely an espionage play; Kaspersky attributed the campaign to an as-yet-unknown Chinese-speaking advanced persistent threat (APT) with overlaps with the MyKings botnet gang.

**Supply Chain, 'Evil Maid' Concerns**

The researchers know very little about how the rootkit is making it onto peoples' machines. That said, supply chain weakness is a possibility, according to Kaspersky, with "unconfirmed accounts discovered online indicating that some users have received compromised devices while ordering hardware components online."

The modifications were specifically introduced to a specific driver by patching it to redirect to malicious code executed during system startup.

"We assess that the modifications \[to the driver\] may have been performed with an automated patcher," the Kaspersky researchers noted. "If so, it would follow that the attackers had prior access to the victim's computer in order to extract, modify and overwrite the motherboard's firmware. This could be achieved through a precursor malware implant already deployed on the computer or physical access (i.e., an evil maid attack scenario)."

They added that in the attacks, the implant burrowed into Gigabyte and ASUS motherboards specifically, which share the H81 chipset. This offers up another possibility for initial compromise.

"This suggests that a common vulnerability may exist that allowed the attackers to inject their rootkit into the firmware's image," according to the report.

**Circa 2016**

Very notably, CosmicStrand appears to have been used in the wild since the end of 2016, long before UEFI attacks were known to be a thing.

"Despite being recently discovered, the CosmicStrand UEFI firmware rootkit seems to have been being deployed for quite a long time," says Ivan Kwiatkowski, senior security researcher at Global Research and Analysis Team (GReAT) at Kaspersky. "This indicates that some threat actors have had very advanced capabilities that they've managed to keep under the radar since 2017. We are left to wonder what new tools they have created in the meantime that we have yet to discover."

UEFI rootkits are still rarely seen in the wild, thanks to how complex and difficult they are to develop — but they're not mythical, either. The first one ever officially spotted was observed by Qihoo 360 to be used by a China-backed APT in 2017; Kaspersky believes CosmicStrand to be related to that threat, which was called the Spy Shadow Trojan.

Then, ESET discovered one in 2018 being used by Russian state-sponsored actor APT28 (aka Fancy Bear, Sednit, or Sofacy). It was dubbed LoJax because of its underlying code, which was a modified version of Absolute Software’s LoJack recovery software for laptops.

Since then, others have infrequently come to light, such as MosaicRegressor and MoonBounce, which Kaspersky found in 2020 and 2022, respectively.

Kaspersky researchers warned that these types of rootkits continue to provide mysteries and raise questions, and deserve more attention from the analyst community.

"CosmicStrand is a sophisticated UEFI firmware rootkit \[that\] appears to have been used in operation for several years, and yet many mysteries remain," they noted. "How many more implants and C2 servers could still be eluding us? What last-stage payloads are being delivered to the victims? But also, is it really possible that CosmicStrand has reached some of its victims through package 'interdiction'? In any case, the multiple rootkits discovered so far evidence a blind spot in our industry that needs to be addressed sooner rather than later."

The feds agree. The aforementioned DHS-led joint draft report noted that firmware presented "a large and ever-expanding attack surface." They added that firmware security is often overlooked, even though it's one of the stealthiest methods by which an attacker can compromise devices at scale.

Rare 'CosmicStrand' UEFI Rootkit Swings into Cybercrime Orbit

Several threat actors used Amadey Bot previously to steal information and distribute malware such as the GandCrab ransomware and the FlawedAmmy RAT.

A dangerous malware variant called "Amadey Bot" that has been largely dormant for the past two years has surfaced again with new features that make it stealthier, more persistent, and much more dangerous than previous versions — including antivirus bypasses.

Amadey Bot first appeared in 2018 and is primarily designed to steal data from infected systems. However, various threat actors — such as Russia's infamous TA505 advanced persistent threat (APT) group — have also used it to distribute other malicious payloads, including GandCrab ransomware and the FlawedAmmy remote access Trojan (RAT), making it a threat for enterprise organizations.

Previously, threat actors used the Fallout and RIG exploit kits, as well as the AZORult infostealer, to distribute Amadey. But researchers at South Korea's AhnLab recently spotted the new variant being installed on systems via SmokeLoader, a malware dropper that attackers have been using since at least 2011.

**Smoke & Mirrors**

Researchers at AhnLab found that the operators of the new Amadey variant have disguised SmokeLoader in software cracks and fake keys for commercial software that people often use to try and activate pirated software. When users download the malware assuming it is a cracked (pirated) version or a key generator, SmokeLoader injects its malicious payload into the currently running Windows Explorer process (explorer.exe) and then proceeds to download Amadey on the infected system, the researchers at AhnLab discovered.

Once the malware is executed, Amadey lodges itself in the TEMP folder as a startup folder, ensuring the malware will persist even after a system reboot. As an additional persistence measure, Amadey also registers itself as a scheduled task in Task Scheduler, according to AhnLab.

After the malware completes its initial setup processes, it contacts a remote, attacker-controlled command-and-control server (C2) and downloads a plug-in to collect environment information. This includes details such as the computer and username, operating system information, a list of applications on the system, and a list of all anti-malware tools on it. 

The sample of the new Amadey variant that researchers at AhnLab analyzed was also designed to take periodic screenshots of the current screen and send them back in a .JPG format to the attacker controlled C2 server.

**Bypassing AV Protections**

AhnLab found that the malware is configured to look for and bypass antivirus tools from 14 vendors, including Avast, Avira, BitDefender, Kaspersky, Sophos, and Microsoft's Windows Defender.

"The new and improved version of the malware flaunts even more features compared to its predecessor," security vendor Heimdal said in a blog post. This includes features "such as scheduled tasks for persistence, advanced reconnaissance, UAC bypassing, and defense evasion strategies tailored for 14 known antivirus products," it noted.

Once Amadey relays system information to the C2 server, the threat actor knows exactly how to bypass protection for the specific AV tools that might be present on the system. "On top of that, once Amadey gets ahold of your AV’s profile, all future payloads or DLLs will be executed with elevated privileges," Heimdal warned in the blog post. 

**A More Dangerous Version of Amadey**

The information that Amadey relays to the C2 server allows the attackers to take a variety of follow-up actions, including installing additional malware. The sample that AhnLab analyzed, for instance, downloaded a plug-in for stealing Outlook emails and information about FTPs and VPN clients on the infected system. 

It also installs an additional information stealer called RedLine on the victim system. RedLine is a prolific information stealer that first surfaced in 2020 and has been distributed via various mechanisms, including COVID-19 themed phishing emails, fake Google ads and in targeted campaigns. Researchers from Qualys recently observed the malware being distributed via fake cracked software on Discord.  

Researchers from BlackBerry Cylance who analyzed the earlier version of Amadey determined at the time that the malware does not install any additional payloads if it assesses the victim to be in Russia.

Dmitry Bestuzhev, threat researcher at BlackBerry says SmokeLoader has been actively tricking victims via cracked software and so-called “software activation” programs from the beginning of this year. 

"We saw several brands being abused by cybercriminals spreading malicious cracks for the most popular software houses," he says. 

Amadey's botnet too has been very active, impersonating popular private and secure email vendors to infect targets. "According to our telemetry, most of them are in the US, followed by Japan, Mexico and Brazil," Bestuzhev says.

Supercharged Version of Amadey Infostealer & Malware Dropper Bypasses AVs

After leaking 80 million US customer data records in a cyberattack last summer, T-Mobile offers to settle a wide-ranging class action suit for just $350 million.

Names, driver's licenses, and even Social Security numbers of more than 80 million T-Mobile customers in the US were compromised in a cyberattack last summer. Now T-Mobile is offering the victims a settlement in a class-action lawsuit stemming from the breach. It's cold comfort to victims, though — the compensation works out to just over $4 per person.

In a filing with the US Securities and Exchange Commission (SEC), the company said it would pay $350 million to fund customer claims, and pick up the attorneys' fees and administrative costs of handling the payouts. The mobile carrier also pledged to invest an additional $150 million in cybersecurity through 2023.

Altogether the company said the settlement offer would cost T-Mobile $400 million in the second quarter of 2022. To put that in perspective, T-Mobile's US revenue for the 12 months ending March 31 was $80.5 billion, a 4.46% increase year-over-year.

The T-Mobile SEC filing added that the settlement doesn't come with any admission of liability, wrongdoing, or responsibility on the part of the company, and added that T-Mobile expects to receive court approval of the settlement terms by as early as December.

The proposed penalty is in line with similar data breach settlements, like the $190 million settlement Capital One reached for leaking 100 million credit card applications from the US and another 6 million from Canada in a 2019 cyberattack — less than $2 per victim.

As a financial institution, Capital One was also ordered to pay an $80 million fine to Federal Reserve regulators. Both sums are a drop in the bucket for the corporate giant. Capital One's annual net income for 2021 was $12 billion, a 403.79% increase from 2020.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

T-Mobile Pitches $4-Per-Customer Settlement for Data Leak Impacting 80M People

To help discern legitimate traffic from fraud, it helps to understand user intent as shown through their behavior.

For many years, security monitoring relied on gathering data from layer 4 of the OSI model through such data types as NetFlow. Because layer 4 data dealt with the transport layer, it isn't the most informative — though for a period of time, it was what security teams could reliably get access to and efficiently query. Then, as technology improved, security teams found themselves with access to a much richer data set: layer 7 data. Proxy logs, DNS logs, packet capture (PCAP), and other layer 7 data sources became available, and it was a game-changer for security teams.

Layer 7 data allows us to interrogate the application layer. Specifically, as it relates to digital channels such as Web and mobile, layer 7 data lets us understand what is happening within the end-user application session. This gives us essential context around the end user's activity. Unfortunately, layer 7 data does not allow us to understand the "how" behind what is happening. Questions such as "How is the end user behaving?", "What is the end user's intent?", and "Is this legitimate end-user activity?" can only be answered by looking beyond layer 7.

To understand intent — the "how" behind the "what" — we need to closely examine the behavior of the end user in the session. This additional behavioral insight is critical to an enterprise's ability to separate legitimate traffic from fraud. In other words, the difference between the legitimate use of an application and abuse of that application (i.e., fraud) is the intent of the end user responsible for the activity. When we look at the concept of fraud in this manner, it is easy to see that visibility into "what" the end user is doing inside the application session isn't enough. We also need visibility into "how" they are doing it.

**Behaviors That Could Signal Fraudulent Use**

Some people refer to this end-user layer above layer 7 of the OSI model as layer 8. And as the Sesame Street song says, eight is great. Let's take a look at some of the ways in which layer 8 data can help us better detect fraud.

**Optimized mouse movements.** Legitimate users tend to have very random mouse movements when interacting with an application. The reason is simple: Legitimate users aren't interacting with the application "professionally" and thus don't have any need or incentive to optimize their mouse movements. Fraudsters, on the other hand, who may be trying to access tens, hundreds, or thousands of accounts fraudulently, have every motivation to optimize their mouse movements to save time.

**Pasting.** I don't know about you, but I don't often cut and paste my username and password or first name and last name from a text file. As it turns out, most legitimate users don't either. Fraudsters, as you might imagine, do this quite frequently, particularly when it comes to account takeover (ATO).

**Strange keys.** If you are a legitimate user, chances are that you use a fairly standard set of letters, numbers, and special characters when interacting with an application. It is fairly unlikely that you would use function keys, keyboard shortcuts, or other unusual combinations. Fraudsters who are looking to save time, however, often do exactly that.

**A signature device.** Fraudsters typically have one or a few favorite devices that they have configured exactly as they want them. Fraudsters will often use these same devices to log in to a relatively large number of accounts on the same application. Because of this, if we invest in accurate and reliable device identification and track logins by device, we can often use that knowledge to understand when we might be dealing with a fraudulent session.

**Other tricks.** Fraudsters often rely on environment spoofing, VPN, and other tricks to try to appear to be legitimate users. Legitimate users do this far less frequently, though it does still happen.

The above user behaviors are a few examples of the differences in behavior between legitimate users and fraudsters. None of these behaviors in and of themselves can tell us with 100% certainty whether a given session is legitimate or fraudulent. They can, however, provide us valuable insight into the "how" behind the "what." That, in turn, can help us make far more accurate assessments around what is fraud. Understanding end-user behavior (layer 8 data) allows us to increase our detection rates, while at the same time lowering our false positive rates.

Why Layer 8 Is Great

In the latest iteration, Qakbot operators are using DLL sideloading to deliver malware, a technique that places legitimate and malicious files together in a common directory to avoid detection.

Known for its constant evolution, Qakbot malware has returned with a new twist — the use of .DLL sideloading to execute the malicious file.

Researchers from Cyble recently warned that the threat group behind Qakbot (aka QBot) is after system credentials it can use to steal money through fraud, identity theft, and more. They added that Qakbot is very active at the moment.

Qakbot attacks rely on email phishing lures for initial access, the analysts said. But its latest iteration leverages DLL sideloading as a way to hide malware from detection. By including benign applications alongside malicious .DLL library files, the attackers are able to execute and deliver the malware payload undetected.

"The threat actors behind Qakbot are highly active and are continuously evolving their methods to increase their efficacy and impact," the Cyble team said in its latest report on Qakbot's activities. "Apart from the direct financial impact, this can also lead to incidences of fraud, identity theft, and other consequences for any victim of Qakbot malware."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Qakbot Is Back With a New Trick: DLL Sideloading

Security professionals can now achieve real-time protection for their workloads in minutes.

**BOSTON — July 25, 2022** — Aqua Security, the leading pure-play cloud native security provider, today announced the launch of out-of-the-box runtime protection with minimal configuration to stop attacks in real time on running workloads. Protection is composed of new curated and optimized default security controls, as well as advanced threat intel from observations of real attacks on cloud native environments. Both the controls and threat intel are the result of knowledge gained through years of securing customers’ live production environments. Customers can now apply this knowledge to achieve trusted and advanced runtime protection in minutes without requiring in-depth knowledge of their applications and environments.

Using eBPF technology and threat intel from cyber research team Aqua Nautilus to identify advanced threats, Aqua surfaces the most critical issues in real time while also implementing a set of controls to protect running workloads immediately, without disrupting the business.

“Aqua is transforming the runtime security paradigm,” said Amir Jerbi, CTO and co-founder, Aqua Security. “Traditional runtime security requires security teams to have a great deal of cloud native knowledge, and as a result has been slow to adopt. Aqua is removing this barrier to adoption by making cloud workload threat protection immediately effective and easy for security professionals.”

**Stopping Attacks in Real Time with Runtime Security  
**  
Recent data from Nautilus shows that one in three live attacks could be missed when relying exclusively on snapshot scanning of running workload images. Nautilus also found tens of thousands of instances of in-memory attacks and fileless attacks in a one-month period—attacks that would not be seen or stopped without kernel-level visibility.

Aqua’s detection of anomalous behavior goes beyond point-in-time snapshots and catches malicious behavior of known and unknown threats in real time—this includes both known CVEs and zero-day exploits that have yet to be discovered. The new default runtime controls are based on ongoing recommendations from Aqua Nautilus, who detect and analyze 80,000 attacks a month using Aqua’s open source eBPF-based threat detection engine, Aqua Tracee. The result is real-time visibility at the kernel level that alerts customers the moment an attacker breaches a running workload, reducing attackers’ dwell time from months to milliseconds.

The importance of runtime security in a platform is highlighted in Gartner’s Market Guide for Cloud Workload Protection Platforms (CWPP). According to Gartner, “CWPP offerings should start by scanning for known vulnerabilities and risks in development. At runtime, they should protect workloads from attack, typically using a combination of system integrity protection, application control, behavioral monitoring, host-based intrusion prevention and optional anti-malware protection.”

Aqua’s Runtime Protection solution is part of Aqua’s fully integrated Cloud Native Application Protection Platform (CNAPP), the Aqua Platform. Customers of the Aqua Platform also have access to the entire, full set of customizable, advanced runtime capabilities if and when they decide to define and implement more stringent policies.

Key benefits of Aqua Runtime Protection include:

*   **Discover attacks immediately** with continuously updated kernel-level behavioral detection. Updates are based on cloud native threat research from Aqua Nautilus along with years of experience securing customer workloads in production.
*   **Respond faster and reduce attacker dwell time** by stopping attacks with pattern-based anti-malware in production and the option to block or delete malware on access.
*   **Simplify incident investigation** and rapidly determine the impact and attack path of a security incident with a detailed incident timeline including rich contextual information.

“Unlike overly complex runtime solutions, legacy solutions not designed for cloud-native applications, or solutions that can’t detect in real time, our goal with this release is to provide runtime security that is simple to deploy, giving you effective real-time security out-of-the-box,” said Jerbi. “What this boils down to is that, unlike alternative solutions, Aqua’s Platform will both detect sophisticated attacks and stop them in real time.”

Aqua’s out-of-the-box Runtime Protection is now available and will make an industry debut at AWS re:Inforce on July 26-27 in Boston at Booth 104. To learn more, visit Aqua’s YouTube.

**\*Gartner, “Market Guide for Cloud Workload Protection Platforms,” Neil MacDonald, Tom Croll, 12 July 2021.**

**GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, and is used herein with permission. All rights reserved.**

**Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.**

**About Aqua Security**   
Aqua Security stops cloud native attacks and is the only company with a $1 Million Cloud Native Protection Warranty to guarantee it. As the pioneer and largest pure-play cloud native security company, Aqua helps customers unlock innovation and build the future of their business. The Aqua Platform is the industry’s most integrated Cloud Native Application Protection Platform (CNAPP), prioritizing risk and automating prevention, detection and response across the lifecycle. Founded in 2015, Aqua is headquartered in Boston and Ramat Gan, Israel, with Fortune 1000 customers in over 40 countries. For more information, visit https://www.aquasec.com.

Aqua Launches Out-of-the-Box Runtime Security with Advanced Protection against the Most Sophisticated Threats

Attackers are willing to replicate entire networks, purchase domains, and persist for months, not to mention spend significantly to make these campaigns successful.

The one-year anniversary of the Kaseya attack this month marks an appropriate time to look back at supply chain threats and what has — and has not — changed.

Let's start with what _has_ changed: more checklists. Oversight across code that's loaded across customer sites now involves far more paperwork, especially for managed service providers (MSPs). Leadership teams now realize the amount and complexity of code going in and out of their organizations and hope to get more eyes on it. Sadly, much of the new processes involve checking a box, rather than implementing technical cybersecurity steps that could make a difference in threat prevention. But we'll get to solutions for that in a moment.

What also has changed is the noted sophistication level of adversaries. A willingness to set up an entire replicated network, purchase domains, and persist for months and possibly years represents a significant increase in investment in concerted campaigns. Kaseya reminded us that everyone in the ecosystem is a target. We have always had cyberwarfare. Now we have more heavily funded, more vastly staffed attackers pounding on our supply chains (and everything else).

What has _not_ changed? The idea of using legitimate distribution of code to distribute illegitimate backdoors. As far back as at least 2002, attackers used Trojan-horse techniques to backdoor security tools and email servers. Hackers have always sniffed and surveyed customer and supplier environments to look for the mundane, the routine, the usual. It's there that they find unguarded corners to slip in malicious code, as humans are lulled into daily routines. Kaseya and especially SolarWinds show more complex, persistent techniques and they are very widely used enterprise apps, yet the supply chain attack idea has been around for decades.

Security techniques have not changed enough, which is why security focus is moving to more response and remediation. This leads to talking about solutions and where we go from here. Pointing to challenges is not meant to be disheartening. It's meant to be realistic, knowing we're all in this together.

I suggest three major avenues to explore that can be useful to address the security issues Kaseya made more noticeable.

**Change Your Technical Environment**

Move away from allowance of third-party actions without associated monitoring, most notably by adopting zero trust. Anyone touching an enterprise resource is untrusted. Period. Vendors, contractors, employees need the same level of multifactor authentication (MFA) and other security treatments.

In addition, monitor third parties more than you would anyone else. They have the privileged accounts. Yet you know far less about when your European automation company partner pushes out code in your environment than when Brian in Seattle releases your product to customers. Super-high alerting on these accounts is warranted to pick up anything suspicious, as early as possible.

On the code creation side, understanding that business still needs to move quickly despite heightened security, it's okay to keep working on small bursts of code (sprints) and move at a reasonable pace (biweekly releases). Yet know when it's smarter to pause for a security cross-check rather than push and ignore. Specific tactics could include time-boxing exactly when code may be pushed, from where and by whom. That alone can uncover suspicious code. The OWASP top 10 will identify the easier security issues. But for Kaseya-style attacks, you'll need to look for who or what is running a command on a server, for example, which is why more defined developer processes and roles can help.

And don't forget about trusted devices. Know which physical machines have the greatest access rights and consider pairing them with physical presence. The combination of zero trust, MFA, and device trust, together with tactics that keep developers safe, can all be beneficial.

**Change Your Legal Safeguards**

Rather than checkbox that a vendor filled out a risk questionnaire, revisit your master services agreements (MSAs) with third parties. Clauses such as woeful misconduct, negligence, and unlimited liability are the source of fruitful conversations. These help walk through who can cover what, and where the gaps are, allowing necessary safeguards to occur somewhere (rather than nowhere). Align these agreements with your cybersecurity policy. The worst time to review your MSA is in the deadline-driven moments after an attack is discovered.

**Change Your Mentality**

Accept that even the most well-funded, advanced security organizations in the world are regularly attacked and breached. It's not if, it's when, which means it's how quickly can you recover. If you have no staff available for recovery, it's as bad as having no security monitoring in place.

Plan ahead with the mentality you will need people to sift and act and move on attack remediation. This makes it far less painful when you experience the next Kaseya. Vendor response approaches have improved, with customers giving Kaseya positive feedback on their transparency, communication, and sense of urgency in handling the threat discovery. This came after SolarWinds had to struggle through a far more sophisticated and multistage attack. SolarWinds opened a new line of vendor communications and other topics of discussion that later vendors could turn to as precedent.

For a simple starting point on all this, consider choosing one supplier providing the most amount of code updates. Practice the three steps above and hone to your unique environment and business requirements. Once you see gaps in your staff or solutions, take action, whether onboarding security specialists in-house or externally. After all, we're all in this together.

Getting Ahead of Supply Chain Attacks

Two previously unknown critical vulnerabilities within FileWave’s multiplatform MDM system could grant malicious actors access to the platform's most privileged user account.

Two vulnerabilities in FileWave's multiplatform mobile device management (MDM) system would have allowed malicious actors to bypass authentication mechanisms, taking control of the platform and the devices linked to it.

FileWave's MDM platform allows admins to push software updates to devices, lock them or even remotely wipe devices.

A report from Claroty's Team82 takes a closer look at CVE-2022-34907, an authentication bypass flaw, and CVE-2022-34906, a hard-coded cryptographic key — vulnerabilities that Filewave addressed with a recent update.

According to the report, the researchers discovered more than 1,100 different instances of vulnerable Internet-facing FileWave MDM servers across multiple industries, including in large enterprises, education, and government agencies.

**Buggy MDM Admin Web Server**

The platform's MDM Web server, written in Python, is a key component that allows the admin to interact with the devices and receive information from them.

"Since this service should be accessible to mobile devices at all times, it is usually exposed to the Internet, and handles both clients’ and admins’ requests," according to the report. "Its connectivity makes it a primary target in our research on this platform."

One of the back-end services on the server, the scheduler service, which schedules and executes specific tasks required by the MDM platform, uses a hard-coded shared secret function to grant access to the "super\_user" account — the platform’s most privileged user.

"If we know the shared secret and supply it in the request, we do not need to supply a valid user's token or know the user's username and password," the report says.

Also, by exploiting the authentication-bypass vulnerability, the team was able to achieve super\_user access and take full control over any Internet-connected MDM instance.

In a proof-of-concept exploit, the team was able to push a malicious package to all the devices in the system and then execute remote code to install fake ransomware across all of them.

"This exploit, if used maliciously, could allow remote attackers to easily attack and infect all Internet-accessible instances managed by the FileWave MDM, ... allowing attackers to control all managed devices, gaining access to users' personal home networks, organizations' internal networks, and much more," according to the Monday report.

Users should apply the patches as soon as possible to avoid becoming a victim of an attack, researchers warn.

**Attacks on Endpoints Rise**

There has been a rise in attacks against endpoint management products in recent years, including one of the more high-profile attacks targeting the Kaseya VSA.

In that attack, automation allowed a REvil ransomware gang affiliate to move from exploitation of vulnerable servers to installing ransomware on downstream customers faster than most defenders could react.  

While mobile attacks have been occurring for years, the threat is rapidly evolving into sophisticated malware families with novel features, with attackers deploying malware with full remote access capabilities, modular design, and worm-like characteristics posing significant threats to users and their organizations.

Meanwhile, a survey released earlier this month by Adaptiva and and Ponemon Institute revealed the average enterprise now manages approximately 135,000 endpoint devices — a rapidly proliferating attack surface.

**Zero Trust Bolsters Endpoint Protection**

Organizations can improve endpoint management by implementing zero-trust policies for greater control, and using bring-your-own device (BYOD) security and MDM tools. But they must also take proactive steps such as keeping apps current and training staff to keep sensitive company data safe and employees' devices secure.

In addition, Claroty notes that creating temporary keys that are not stored in central repositories and that time out automatically could improve endpoint and MDM security, even for small businesses.

Critical Filewave MDM Vulnerabilities Allow Attackers Full Mobile Device Control

Cyber threats are putting environmental, social, and governance discussions at the forefront of board meetings and C-suite discussions around the globe.

Environmental, social, and governance (ESG) considerations are hardly new topics when it comes to compliance reporting for financial services firms, but the impact of cybersecurity breaches on the governance component soon will gain a much higher profile for financial and non-financial organizations alike. Whether addressing privacy issues, the financial losses of ransomware, or business continuity from a governance perspective, cyber threats are putting ESG discussions at the forefront of board meetings and C-suite discussions around the globe.

The reporting changes US companies face could expand significantly due to recent rule modifications from the Securities and Exchange Commission's Chairman Gary Gensler. Cybersecurity governance reporting requirements similar to those for auditing and financial reporting found in the Sarbanes-Oxley Act of 2002 (SOX) would be a key component of the new regulations.

SOX governance requirements focus on helping protect investors from fraudulent financial reporting by corporations, while cybersecurity governance is designed to improve reporting on new and past cyberbreaches. Existing corporate governance, risk, and compliance (GRC) policies and procedures will not be sufficient to address these rules.

Alla Valente, a senior analyst at Forrester, characterizes the proposed SEC regulation modifications as "Sarbanes-Oxley light." The proposed rules state that companies need to report _material_ cybersecurity incidents within four days of identification, she notes. The problem is that "material" is not defined and varies by industry, so companies are left guessing when the clock starts to report incidents. This could lead to both over-reporting and under-reporting of cyber incidents, she says.

**Pressure Drives Cybersecurity Measures**

Complying with the proposed rules also could have a direct impact on an enterprise's ability to obtain cyber insurance, Valente notes. Despite the current chaos in the cyber insurance market that is driving prices up and coverage down while cyber insurers reduce inventory, these rule changes potentially can further increase pressure on companies to implement cybersecurity controls that they otherwise might not have instituted at this time. It also would require far more information on past breaches and how they are being managed and mitigated.

"Management's new role in reporting and cyber governance, and the boards' new responsibility to shed light on their expertise and oversight, will drive extra scrutiny on enterprise security programs," says Jason Hicks, field CISO at the cybersecurity consulting firm Coalfire.

"This puts the CISO on the hot seat," he continues. "It's also likely to drive boards to try and add executives with cybersecurity experience to their team. Given the small number of qualified people available, I could also see boards hiring their own consultants to advise them on cybersecurity risk and the adequacy of the company's security program.

"All of these areas will need to be factored into the governance portion of your ESG approach," Hicks adds. "Management is already responsible for managing cybersecurity risk, so this is not creating an entirely new class of responsibility, although it is making several changes to the burden and complexity."

**Transnationals Take Initiative**

Hicks notes that the way organizations view transparency and the cultural norms of a company's operating environments can play into how they respond. "The multinationals need to balance their approach given the different approaches globally."

Valente agrees. Europeans tend to be more proactive in defending against data breaches than American companies. The rules change could force domestic organizations to be more proactive, particularly when it comes to third-party risk management, a key security control.

"Once this becomes final, we will see an effort to be proactive. Some \[organizations\] will follow the letter of the law, and might be successful in the short term, but marginally," Valente says. "Others will follow the spirit of the law and use that as a means to improve, diversify, and make that proactive \[third-party\] risk management part of who they are. It'll be ingrained in their corporate DNA. Those are the organizations that are really going to thrive from this."

**Companies Can Get Started**

Steven Yadegari, CEO of the investment consulting firm FiSolve and former general counsel at the law firm Cramer Rosenthal McGlynn, says board members will look for specific reporting on cybersecurity. This will include quarterly reports focused on cybersecurity and meetings with individuals charged with oversight of the area, such as the CISO, leading the effort.

"The new rules would require formal risk assessments, specific controls, monitoring measures, and a reporting system of incidents. To the extent some of these areas are not addressed in existing programs, boards will want to understand how managers intend to comply with these potential requirements. Those conversations should be underway and should not wait for adoption of new rules," Yadegari says.

Many companies today are more carefully managing their vendors and overseeing their policies and procedures, he notes. This is particularly true of third-party service providers and suppliers that might have contact with an enterprise's sensitive information.

"It behooves companies to ensure they have a robust cybersecurity program and third-party risk management (TPRM) program, which will in turn provide comfort to companies who rely on their services," Yadegari says.

While the final language of the proposed SEC rule changes has yet to be made public, the proposed language can be found here.

Understanding Proposed SEC Rules Through an ESG Lens

Dark Reading's weekly roundup of all the OTHER important stories of the week.

Welcome to Dark Reading's weekly digest of the can't-miss stories of the week, featuring the lowdown on the Neopets breach and what it means for consumer-facing companies of all kinds; Google Drive and the trouble with the malicious use of cloud applications; a slew of disclosures about state-sponsored campaigns; and a Google Ads-related malvertising issue.  

Dark Reading's editors have gathered all of the interesting threat intelligence and cyber-incident stories that we just didn't get to earlier but would feel wrong not covering. In this week's "in case you missed it" (ICYMI) digest, read on for more on the following:

*   Neopets & Gaming's Lax Security
*   SolarWinds Hackers Embrace Google Drive in Embassy Attacks
*   Nation-State Attacks Ramp Up in APT-a-Palooza
*   Google Ads Abused as Part of Tech Support Scams

**Neopets & Gaming's Lax Security**

Neopets this week became the third gaming platform in the space of a week to be hit with a cyberattack (after Bandai Namco and Roblox), highlighting the interest that attackers have in hitting "leisure-activity" companies during the summer months. According to reports, the purveyor of virtual pets was robbed for its source code as well as the personal information belonging to its 69 million users.

A hacker who goes by the handle of "TarTarX" is putting the ill-gotten goods up for sale for 4 bitcoins, which translates to around $92,000 using Friday's exchange rate. The stolen PII appears to include data includes members' usernames, names, email addresses, ZIP codes, dates of birth, gender, country, and game-related information.

It's unclear how TarTarX gained access to the website, but Javvad Malik, security awareness advocate at KnowBe4, notes that the attack should be a wake-up call to all consumer-focused enterprises to better secure their data.

“We've seen toy manufacturers and games developers hit in the past due to the vast amount of personal data they collect," he says. "Such organizations should be mindful of the information they gather and the purpose of it. Holding excessive data means greater liability should a breach occur."

Any users impacted by the breach should ensure the password they used for Neopets isn’t used elsewhere, given the potential for credential-stuffing attacks, he adds.

**SolarWinds Hackers Embrace Google Drive in Embassy Attacks**

The hackers behind the sprawling SolarWinds supply chain attack are at it again, this time abusing Google Drive to smuggle malware onto targets' machines.

The advanced persistent threat (APT), tracked as APT29, Cloaked Ursa, Cozy Bear, or Nobellium, launched two waves of email-borne attacks between May and June. According to an analysis from Palo Alto Networks' Unit 42, the attacks targeted a foreign embassy in Portugal and another in Brazil. The group used a supposed agenda for an upcoming meeting with an ambassador as a lure.

"In both cases, the phishing documents contained a \[Google Drive\] link to a malicious HTML file (EnvyScout) that served as a dropper for additional malicious files in the target network, including a Cobalt Strike payload," according to Unit 42's post this week.

APT29 is believed by the US government to be affiliated with Russia’s Foreign Intelligence Service (SVR), and is widely considered to be responsible not only for SolarWinds but also the hack of the United States Democratic National Committee (DNC) in 2016.

The use of legitimate cloud services to deliver malicious payloads is on the rise as cybercriminals look to take advantage of the entrenched trust that millions of business users (and email gateways) have in them. Lior Yaari, CEO and co-founder of Grip Security, noted that this points to the need to better vet content coming from software-as-a-service (SaaS) app.

“The recent malicious activity discovered using Google Drive is emblematic of the SaaS security challenge — universal accessibility and ease of deployment," he said in a statement to Dark Reading. "Before Google Drive, there was Dropbox and before Dropbox, APT29 was hitting Microsoft 365. The SaaS security challenge for campaigns like these only illustrates the trend toward exploiting SaaS’s strengths for nefarious ends. And the matter only becomes worse with more SaaS out-of-sight for many security teams.”

**Nation-State Attacks Ramp Up in APT-a-Palooza**

Speaking of APTs, several nation-state-backed campaigns came to light this week. For instance, Citizen Lab said that it had forensically confirmed that at least 30 individuals were infected with NSO Group’s Pegasus mobile spyware after an extensive espionage campaign that took place late last year. The effort targeted Thai pro-democracy protesters and activists calling for reforms to the monarchy.

Google's Threat Analysis Group for its part flagged an odd false-flag operation in Ukraine. The Russia-linked hacking group Turla (aka Snake, Uroburos, and Venomous Bear) have created a malicious Android app that masquerades as a tool for Ukrainian hackers looking to carry out distributed denial-of-service (DDoS) attacks against Russian websites. Turla dubbed the app CyberAzov, in reference to the Azov Regiment or Battalion, a far-right group that has become part of Ukraine’s national guard.

CyberAzov is "hosted on a domain controlled by the actor and disseminated via links on third party messaging services," according to Google TAG. While the app is distributed under the guise of performing DDoS attacks, "the 'DoS' consists only of a single GET request to the target website, not enough to be effective."

In reality, the app is "designed to map out and figure out who would want to use such an app to attack Russian websites," according to an additional commentary from Bruce Schneier.

Meanwhile, Cisco Talos observed an unusual campaign targeting Ukrainian entities, which it said is likely attributable to Russia. This attack stood out amidst the barrage of cyberattacks that have been mounted against Ukraine, researchers said, because the attack targeted a large software development company whose wares are used in various state organizations within Ukraine.

"As this firm is involved in software development, we cannot ignore the possibility that the perpetrating threat actor's intent was to gain access to source a supply chain-style attack," researchers said in a posting this week, adding that the persistent access could also have been leveraged in other ways, including gaining deeper access into the company's network or launching additional attacks such as ransomware.

Also notable is the fact the effort revolved around "a fairly uncommon piece of malware" called GoMet; GoMet is an open source backdoor that was first seen in the wild in March.

And finally, the government of Belgium issued a statement disclosing a spate of attacks against its defense sector and public safety organizations emanating from three China-linked threat groups: APT27, APT30, and APT31 (aka Gallium or UNSC 2814).

The "malicious cyber activities … significantly affected our sovereignty, democracy, security and society at large by targeting the FPS Interior and the Belgian Defence," according to the statement.

**Google Ads Abused as Part of Tech Support Scams**

People performing a Google search for Amazon, Facebook, YouTube, or Walmart could find themselves browser-hijacked, researchers warned this week.

A malvertising campaign is abusing Google’s ad network to redirect visitors to an infrastructure of tech support scams, according to Malwarebytes.

"The threat actors are … purchasing ad space for popular keywords and their associated typos," researchers explained in a posting. "A common human behavior is to open up a browser and do a quick search to get to the website you want without entering its full URL. Typically a user will (blindly) click on the first link returned (whether it is an ad or an organic search result)."

In Google search results, those first returned links could be ads that redirect users to fake warnings urging them to call rogue Microsoft agents for support, researchers explained.

"Victims were simply trying to visit those websites and relied on Google Search to take them there. Instead, they ended up with an annoying browser hijack trying to scam them," researchers lamented.

The approach could just as easily be used to redirect to malicious sites serving up malware or phishing pages, researchers noted. Users — especially business users — should always take care to be skeptical when unexpected browser redirects occur.

Source

DARKReading