Security, cost, and reliability top the list of concerns IT teams have about their cloud operations, according to a recent report.

Security, cost, and reliability top the list of concerns IT teams have about their cloud operations, according to a recent report.

Source: Dark Reading

When asked about their top cloud concerns, more than a quarter of IT decision-makers — 26% — said they are concerned about their staff's "skillset on dealing with cloud computing," according to new Dark Reading research.

The Dark Reading State of the Cloud report surveyed 339 IT employees of companies that use cloud computing. The respondents overwhelmingly (73%) identified security as their biggest worry, followed by cost (58%) and reliability (50%). Other top concerns included functionality limitations (10%), having too much core data on the cloud (10%), inadequate service agreements (6%), and vendors trying to sell them additional cloud services (6%).

These results reflect a current climate in which IT professionals are scrambling to find a way to secure entirely new cloud attack surfaces and make existential business decisions based on evolving technologies. They need something secure and cost-efficient, and they need it to actually work.

And having a team skilled up to manage it all would be nice, too.

Download the State of the Cloud: A Security Perspective for more details. The data used in the report comes from research jointly conducted with four other Informa Tech publications — InformationWeek, ITPro Today, Network Computing, and Data Center Knowledge.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

IT Teams Worry Staff Lack Cloud-Specific Skills

Blue-chip companies deepen commitment based on success of long-standing customer and partner relationships and conviction of Securonix’s vision and hypergrowth potential.

Capital One Ventures, Snowflake Ventures, Verizon Ventures, and Wipro Ventures Join Securonix $1B+ Growth Investment as Strategic Investors

Higher probabilities of attack, soaring ransoms, and less chance of getting data back — the ransomware plague gets worse, and cyber insurance fails to be a panacea.

When it comes to ransomware, more companies are seeing attacks and have had data encrypted, according to research out this week. And even though more companies are backing up or paying ransom demands, less data was recovered in 2021 compared with the previous year.

For instance, in its "State of Ransomware 2022" report, cybersecurity firm Sophos found that 66% of surveyed companies had encountered ransomware in 2021, with two-thirds of those firms — or 43% overall — suffering from an actual attack that encrypted data. In its previous report covering 2020, the frequency of successful attacks was much smaller, with about 20% overall resulting in encryption. 

The deteriorating cyberthreat landscape is largely due to the evolution of ransomware groups and their techniques, says Sean Gallagher, senior threat researcher with Sophos.

"Over the past couple of years, there has been a massive transition from ransomware to ransomware-as-a-service," he says. "There are very well-established \[groups\] that are doing these attacks, and as a result, the number of attacks companies are seeing has gone up."

Ransomware continues to plague companies with business-disrupting attacks and defy efforts by cybersecurity experts to rein in the operators behind the criminals campaigns. Not only did the portion of companies affected by ransomware more than double last year, but the mean ransomware payment more than quadrupled to $812,000, according to the Sophos report. 

Companies in the energy and manufacturing sectors each saw average ransoms of more than $2 million.

    

Two-thirds of companies saw ransomware attempts in 2021. Source: Sophos

The research team at Check Point Software Technologies saw an increase in ransomware attacks as well, noting that attempted attacks climbed 24% in 2021 compared with 2020. In an analysis of chat logs leaked from the Conti ransomware group, Check Point Research noted that the operators discussed how to set ransoms in some detail, but also stressed that ransoms often are not the most significant cost to businesses.

"\[T\]he extortion cost is marginal compared to other losses suffered by the victim," the researchers stated. "Most other losses, including response and restoration costs, legal fees, monitoring costs, etc., are applied whether the extortion demand was paid or not."

In 2021, the mean ransom paid to cybercriminals rose to $812,000, from $170,000 in 2020, but that still fell far short of the average $1.4 million bill for remediating an attack, according to Sophos. Recovery also took time, with the average company needing about a month to recover from a ransomware attack, according to the report.

**Don't Expect Your Data Back**  
In addition, while ransom demands have risen dramatically, increases that other surveys have seen hints of as well, paying them does not mean full data recovery. In fact, data-recovery statistics from Sophos highlight the fact that that paying ransoms has a terrible return on investment. 

While 99% of companies recovered some of their data, they could only recover 61% of encrypted data on average, according to Sophos. And while 46% of companies paid a ransom, only 4% of those that did got all their data back, down from 8% in 2020. Such statistics have caused some cybersecurity experts to question whether companies should ever pay the ransom.

While healthcare organizations and state and local governments were among top ransomware targets before and during the pandemic, they also earned ransomware groups some of the lowest payouts. The average infected healthcare organization paid $197,000, while the average compromised state or local government agency paid a ransom of $214,000, the Sophos survey found.

**Cyber insurance Doesn't Solve Ransomware, but It Helps  
**Cyber insurance has changed along with the ransomware landscape. In 2021, insurance companies already had experienced problems with the expense of cybersecurity policies as companies sought to recover damages from ransomware incidents. The vast majority of companies (94%) have found it harder in the past year to qualify for cyber insurance, while almost all (97%) have had to make changes to their defenses to improve their ability to garner coverage, according to Sophos' survey.

While 98% of companies affected by ransomware received a payout under their cyber-insurance policies, only 77% collected for clean-up costs, and only 40% of the policies paid the ransoms, the survey found.

"It’s interesting to note that the sectors with the lowest rate of ransom payment are also the ones able to recover fastest from an incident, emphasizing the importance of disaster-recovery planning and preparation," the report stated. "It's worth remembering that while cyber insurance will help get you back to your previous state, it doesn’t cover 'betterment' — when you need to invest in better technologies and services to address weaknesses that led to the attack."

The Ransomware Crisis Deepens, While Data Recovery Stalls

The sophisticated Bumblebee downloader is being used in ongoing email-borne attacks that could lead to ransomware infections.

At least three separate waves of cyberattacks are underway that feature a sophisticated new malware loader dubbed Bumblebee that fetches shell code and second-stage tools, such as Cobalt Strike, Sliver, and Meterpreter – possibly in a run-up to ransomware attacks.

As an initial-access tool – backdoor malware that infects a target before loading follow-on binaries – Bumblebee specializes in stealth, according to research from Proofpoint.

"Bumblebee is in active development and wields elaborate evasion techniques to include complex anti-virtualization," researchers explain in a report issued on Thursday. "Unlike most other malware that uses process hollowing or DLL injection, this loader utilizes an asynchronous procedure call (APC) injection to start the shellcode from the commands received from the command and control (C2)."

Further, Bumblebee appears to be a significantly upgraded replacement for the well-known BazaLoader tool that often presages ransomware attacks. 

"Threat actors using Bumblebee are associated with malware payloads that have been linked to follow-on ransomware campaigns," researchers note in the report. And "campaigns identified by Proofpoint overlap with activity detailed \[by Google\] as leading to Conti and Diavol ransomware."

**BazaLoader Replacement  
**Bumblebee first buzzed onto the scene in March, shortly after BazaLoader disappeared from Proofpoint’s telemetry, researchers said.

BazaLoader was up until then a common malware first seen in 2020, sharing the cybercrime spotlight with other favored initial-access baddies, such as Emotet, Trickbot, and IcedID. Notably, it was employed in several high-volume campaigns that led to Conti ransomware infections.

"BazaLoader's apparent disappearance from the cybercrime threat landscape coincides with the timing of Conti Leaks, when, at the end of February, a Ukrainian researcher with access to Conti's internal operations began leaking data from the cybercriminal organization. Infrastructure associated with BazaLoader was identified in the leaked files," researchers explain in the report.

Now Bumblebee is cropping up in campaigns run by the same crimeware groups previously observed delivering BazaLoader, the report notes. Proofpoint added that the groups are likely initial-access brokers (IABs), which dovetails with the previously mentioned Google TAG research. IABs infiltrate targets and sell specialized access to backdoored corporate networks on the Dark Web, and they often partner with ransomware operators as part of a thriving underground economy. They excel at finding unpatched machines, password-cracking and brute-forcing, social engineering and phishing, and other common avenues for infection.

"Several threat actors that typically use BazaLoader in malware campaigns have transitioned to Bumblebee," Proofpoint researchers say. "Proofpoint assesses with moderate confidence the actors using Bumblebee may be considered initial-access facilitators."

**Hive of Activity: Ongoing Cybercrime Campaigns**  
Starting in March, Proofpoint observed Bumblebee campaigns distributed via email campaigns by at least three tracked threat actors.

“While lures, delivery techniques, and file names are typically customized to the different threat actors distributing the campaigns, Proofpoint observed several commonalities across campaigns, such as the use of ISO files containing shortcut files and DLLs and a common DLL entry point used by multiple actors within the same week,” according to the report. ISO files are used to store images of optical disks, DVDs, CDs, and other media.

In one case, a DocuSign-branded email campaign was designed to trick targets into downloading a malicious, zipped ISO file purporting to be an unpaid invoice, hosted on OneDrive. The emails contained either a hyperlink asking recipients to “REVIEW THE DOCUMENT" in the body of the message, or they used HTML attachments.

“The embedded URL in the HTML attachment used a redirect service which Proofpoint refers to as Cookie Reloaded, a URL redirect service which uses Prometheus TDS to filter downloads based on the time zone and cookies of the potential victim,” explain the researchers. “The redirector in turn directed the user to a zipped ISO file, also hosted on OneDrive.”

The ISO file contained a shortcut file named "ATTACHME.LNK," which, when clicked, executed "Attachments.dat" with the correct parameters to run the Bumblebee downloader.

In another case, a campaign used thread jacking (i.e., when cybercriminals reply to existing email exchanges, inserting themselves into legitimate conversations) to deliver emails with malicious zipped ISO attachments.

And in yet another case, emails were generated by submitting a message to a contact form on the target's website, while leaving public comments regarding the topic on the target's site. As a lure, the attackers made claims about stolen images on the website. These "complaints" contained a link to a landing page that directed the user to the download of a malicious ISO file.

    

A bogus 'complaint' about the use of stolen images.

_Source: Proofpoint_

"The use of Bumblebee by multiple threat actors, the timing of its introduction in the landscape, and behaviors described in this report can be considered a notable shift in the cybercriminal threat landscape," researchers conclude. "Proofpoint assesses with high confidence based on malware artifacts all the tracked threat actors using Bumblebee are receiving it from the same source."  

To protect themselves, organizations should shore up basic security hygiene, such as timely patching and strong password/multifactor authentication use – and also work with employees to instill awareness of email-borne threats and common social-engineering trickery.

**Malware Analysis: This Is No Bumbler  
**Bumblebee is new and still under active development, but it’s already a sophisticated threat that organizations should watch out for, Proofpoint warned.

Once installed, the loader gathers system information and generates a "client ID." It then hooks up with the C2 (the address(es) are stored in plaintext) and checks in at randomized intervals of seconds to retrieve commands.

Bumblebee supports the following commands:  

*   Shi: shellcode injection
*   Dij: DLL injection
*   Dex: Download executable
*   Sdl: uninstall loader
*   Ins: enable persistence on the bot

Notably, it contains powerful anti-analysis and evasion tactics, including sandbox and virtual-machine awareness, the addition of an encryption layer to the network communications, and a check on current running processes against a hardcoded list of common tools used by malware analysts.

"The introduction of the Bumblebee loader to the crimeware threat landscape and its apparent replacement for BazaLoader demonstrates the flexibility threat actors have to quickly shift \[tactics, techniques, and procedures\] and adopt new malware," says Sherrod DeGrippo, vice president of threat research and detection at Proofpoint. "Additionally, the malware is quite sophisticated and demonstrates being in ongoing, active development, introducing new methods of evading detection."

Bumblebee Malware Buzzes Into Cyberattack Fray

Six Russian state-backed threat actors have lunched 237 cyberattacks on Ukraine's infrastructure, new research from MIcrosoft shows.

In apparent orchestrated coordination with military operations against Ukraine, six Russian state-supported threat actors have targeted civilian infrastructure inside the country with more than 237 individual cyber operations, according to Microsoft.

Microsoft's latest research found that of the nearly 40 separate attacks observed, 32% targeted the Ukrainian government at various levels and 40% could have negatively affected the government, military, economy, and civilian population.

Tom Burt, Microsoft's corporate vice president of customer security and trust, explained that the company wanted to reveal the extent that cyber activities play a role in Russia's invasion of Ukraine so the international community can mount an appropriate response. 

"Since the Russian invasion of Ukraine began, Russian cyberattacks have been deployed to support the military’s strategic and tactical objectives," Burt wrote in his blog post about the report's findings. "It’s likely the attacks we’ve observed are only a fraction of activity targeting Ukraine."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Microsoft: Russia Using Cyberattacks in Coordination With Military Invasion of Ukraine

As the use of AI- and ML-driven decision-making draws transparency concerns, the need increases for explainability, especially when machine learning models appear in high-risk environments.

Artificial intelligence has evolved rapidly during the last few years and is being applied across industries for endless use cases as a powerful and innovative tool. However, great responsibility comes with great power. Thanks to AI and machine learning (ML), fraud prevention is now more accurate and evolving faster than ever. Real-time scoring technology allows business leaders to detect fraud instantly; however, the use of AI- and ML-driven decision-making has also drawn transparency concerns. Further, the need for explainability arises when ML models appear in high-risk environments.

Explainability and interpretability are getting more important, as the number of crucial decisions made by machines is increasing. "Interpretability is the degree to which a human can understand the cause of a decision," said tech researcher Tim Miller. Thus, evolving interpretability of ML models is crucial and leads to well-trusted automated solutions.

Developers, consumers, and leaders should be aware of the meaning and process of fraud prevention decision-making. Any ML model that exceeds a handful of parameters is complex for most people to understand. However, the explainable AI research community has repeatedly stated that black-box models are not black box anymore due to the development of interpretation tools. With the help of such tools, users are able to understand, and trust ML models more that make important decisions.

**The SHAP of Things**  
SHAP (SHapley Additive exPlanations) is one of the most used model-agnostic explanation tools today. It computes Shapley values from coalitional game theory, which evenly shares the impact of features. When we are fighting fraud based on tabular data and using tree ensemble methods, SHAP’s TreeExplainer algorithm provides the opportunity to get exact local explanations in polynomial time. This is a vast improvement compared to neural network-based explanations because only approximations are feasible with such tools.

With the term "white box," we are referring to the rule engine that calculates the fraud score. By their nature, the black-box and white-box models will not give the same results because the black box gives us results according to what the machine learned from the data, and the white box gives scores according to the predefined rules. We can use such discrepancies to develop both sides. For example, we can tune the rules according to the fraud rings spotted with the black-box model.

Combining black-box models with SHAP lets us understand the model's global behavior and reveals the main features that the model uses to detect fraudulent activities. It will also reveal undesirable bias in the model. For example, it may uncover that a model may be discriminating against specific demographics. It is possible to detect such cases and prevent unfair predictions by global model interpretation.

Additionally, it helps us understand individual predictions made by the model. During the debugging process of ML models, data scientists can observe each prediction independently and interpret it from there. Its feature contribution gives us great intuition about what the model is doing, and we can take action from these inputs for further development. With SHAP, end users are not just getting essential features of the model, they also get information about how (in which direction) each feature is contributing to the model's output, which yields fraud probability.

**The Confidence Factor**  
Finally, confidence is gained from customers by gaining trust in a successful model with the help of SHAP. In general, the faith in a product is higher if we understand what it is doing. People don't like things that they don't understand. With the help of explaining tools, we can look into the black box, understand it better, and start trusting it. And by understanding the model, we can improve it continuously.

An alternative to gradient boosting ML models with SHAP could be Explainable Boosting Machine (EBM), the flagship of InterpretML (Microsoft's AI framework), which is a so-called "glass box" model. The name glass box comes from the fact that it is interpretable by its nature due to its structure. According to the original documentation, "EBMs are often as accurate as state-of-the-art black box models while remaining completely interpretable. Although EBMs are often slower to train than other modern algorithms, EBMs are extremely compact and fast at prediction time." Local Interpretable Model-Agnostic Explanations (LIME) is also a great tool that could be used for black-box explainability; however, it is more popular with models functioning on unstructured data.

With these tools and transparent data points, organizations can confidently make decisions. All stakeholders must know how their tools work to get the best results. Being aware of black-box ML and the various techniques that combine with it can help organizations better understand how they are getting results to reach their business goals.

Explainable AI for Fraud Prevention

Visa has invested heavily in data analytics and artificial intelligence over the past five years to secure the movement of money and keep fraud rates low.

As more financial transactions move online, organizations are faced with the challenge of ensuring payment methods are safe, secure, and private, as well as being able to differentiate between legitimate customer behavior and fraudulent activities. For Visa, advanced analytics and artificial intelligence plays a significant role.  

The shift to digital commerce – driven partly by pandemic-related lockdowns and restrictions but also because organizations are introducing new offerings as part of their digital transformation initiatives – have transformed how money moves around the world, says Dustin White, chief risk data officer at Visa. Individuals increasingly rely on new tools to send money to other individuals or to pay for goods and services from retailers and other types of sellers. There are new payment schemes, such as buy-now-pay-later, tap-to-pay, and no-touch payments, and they bring different challenges and risks than traditional face-to-face transactions, he says.

"To say the task of securing the global movement of money is complex would be an understatement, particularly now," wrote Visa’s chief risk officer Paul Fabara in a recent blog post.

E-commerce volume on Visa’s network has grown by more than 50% since late 2019, and peer-to-peer payments on Visa’s network have more than doubled, the company says. Even as shoppers returned to stores in 2021, online trends held steady as shoppers "still shopped with fervor online," according to Digital Commerce 360’s analysis of Commerce Department data.

Criminals go where the money is; they have noticed the e-commerce shift and increased use of digital payments. However, even though the attack surface has increased, fraud rates on Visa’s networks remain at historic lows, White says. Fraud rates are currently at about 7 cents per $100 in transactions, despite over 2 million daily attempts by fraudsters. White credits Visa’s hefty investments in advanced analytics and artificial intelligence (AI) for keeping fraud low.

**Digging Deep in the Data Reservoir**  
Visa has invested $9 billion in cybersecurity over the past five years, with $500 million specifically on data analytics and AI capabilities. The company has 60 petabytes (1 petabyte is 1,000 terabytes) of data and has embedded AI and analytics in more than 60 different services to spot and block fraud on its networks.

*   The Visa Advanced Authorization (VAA) score uses AI and machine-learning techniques to determine whether a transaction is legitimate or fraudulent within 300 milliseconds, White says. VAA alone prevented $26 billion worth of fraud in 2021.
*   The company analyzes data to look for "common patterns" of behavior associated with legitimate transactions and to identify fraud. For example, insights such as a customer applying for credit copy and pasted in the Social Security number rather than typing in the digits could indicate that the personal data being used may be stolen.
*   Visa Behavioral Analytics has analyzed more than 400 million authentication requests against 12 million unique devices over the past two years to detect account takeovers and bot-based attacks, White says.
*   Visa Account Intelligence uses AI and machine learning to detect fraud before it starts. In one case, Visa Account Intelligence helped prevent $2.2 billion in potential client fraud.

**Enhancing Capabilities With AI**  
False declines, or when a transaction doesn’t go through because of a mistake, can also be costly. About 89% of customers will cut back on using that item – a credential or a particular payment method – after a false decline, which would result in lost revenue streams for providers and merchants, White says. Visa applies deep-learning techniques to reduce false declines by as much as 30%, the company says.

Security analysts use natural processing to uncover cyberattacks and insider threats and apply machine-learning models to predict and fix most likely points of network vulnerability. Vulnerability testing has saved approximately $31 million in prevented fraud in fiscal year 2021.

Visa’s investments in AI match overall activity in the financial-services sector. Financial institutions have spent more than $217 billion on AI applications to help prevent fraud and assess risk, according to the Preventing Financial Crimes Playbook. Those figures are from 2020, and the pace of investments has continued to grow since. Banks are aware of the benefits of using AI, as shown in a recent UBS Evidence Lab report, where 75% of respondents at banks with over $100 billion in assets said they’re implementing AI strategies.

White cautions against treating AI as the end-all to fix everything and advocates a multilayered approach. Visa still maintains Cyber Fusion Centers staffed with analysts to handle continuous security monitor, incident response investigation, and threat intelligence. Machine learning is the most beneficial when it is implemented to improve existing tools and processes or deployed to address a specific situation. 

"No one solution is going to thwart all of the attacks on infrastructure," White says.

A Peek into Visa's AI Tools Against Fraud

The startup is the latest company to try to solve the problem of organizing and sharing secrets.

Secrets management continues to be an ongoing challenge in application security, as developers struggle to organize secrets used in source code and manage distributed systems and infrastructure.

The latest startup to address this space is Doppler, whose platform helps developers securely store, transmit, and audit secrets. The Doppler platform syncs secrets across devices, environments, and team members so that developers don't wind up sharing secrets on insecure platforms (such as Slack or email) or including them within .git and .zip files. The platform can also handle secrets rotation, and it sends developers alerts over Slack and Microsoft Teams to inform them when the secrets are changed.

Secrets refer to sensitive pieces of data, such as tokens, encryption keys, API keys, and digital certificates. A survey by 1Password last year found that 65% of companies juggle more than 500 secrets, and 18% said they have "more than they can count."

The secrets are scattered across source code, container and infrastructure images, and configuration files. Over 6 million secrets were detected in scans of public GitHub repositories in 2021, according to GitGuardian's State of Secrets Sprawl 2022 report.

Adversaries routinely attempt to intercept these secrets in order to gain access to cloud environments, help with lateral movement, and access data in applications. Earlier this month, GitHub said adversaries were able to download private data from some organizations using Heroku and Travis-CI after stealing a handful of OAuth tokens used by those two platforms. Last year, attackers compromised Codecov and stole secrets belonging to Codecov's customers. Those secrets were then used to compromise the customers.

1Password estimates the cost of a company losing control of its secrets at $1.2 million per year.

**Security Management Is Key**  
Enterprises need processes in place to handle secrets management, such as inventorying what secrets they have, controlling access, sharing secrets safely with collaborators, and promptly revoking those secrets when they are exposed. It also needs to be scalable, considering the sheer number of secrets developers are using, and not time-intensive.

In the same 1Password survey, DevOps and IT workers said they spend an average of 25 minutes each day managing secrets – which the company estimated to add up to an annual payroll expense of roughly $8.5 billion.

Secrets management is shaping up to be a fairly crowded market. HashiCorp Vault offers a vault for teams to securely store tokens, passwords, certificates, and encryption keys. 1Password acquired SecretHub last year, which was the basis for its 1Password Secrets Automation service. Cloud giants Amazon Web Services and Google Cloud offer AWS Secrets Manager and Secrets Manager, respectively. GitHub, GitLab, and Atlassian all offer various levels of secrets-scanning tools for their code repositories.

Then there's Doppler, which recently raised $20 million as part of a series A funding round.

"The ability to securely store, transmit and audit secrets has never been more critical as one minor error can lead to catastrophic results," said Murat Bicer, a general partner at CRV (which led the funding round), in a statement. "In a world where putting a single space in the wrong place can literally take down a company's entire website, Doppler makes it easy to prevent leaks and outages with their developer focused approach."

Doppler Takes on Secrets Management

The war in Ukraine appears to have triggered a change in mission for the APT known as Bronze President (aka Mustang Panda).

China's tacit support for Russia's war in Ukraine apparently doesn't preclude likely China-backed cyber actors from mounting espionage campaigns on the Russian military.

Researchers from Secureworks' Counter Threat Unit this week said they recently discovered malware that suggests the advanced persistent threat (APT) known as Bronze President (aka Mustang Panda) is now targeting Russian military personnel and officials. The security vendor described the effort as an example of how political changes can push countries into new territory for surreptitious information-gathering efforts, even against friends and allies.

**Cyberespionage Campaign Delivers PlugX**  
According to the report, the heavily obfuscated malicious executable being used in the campaign is designed to appear as a Russian-language PDF document pertaining to Russia's 56th Blagoveshchenskiy Red Banner Border Guard Detachment (which is deployed near Russia's border with China). The file is designed so that default Windows settings do not display its .exe extension, Secureworks said.

Secureworks also explained that the executable file displays a decoy document written in English, though the filename itself is in Russian. The document appears to be legitimate and contains data pertaining to asylum applications and migratory pressure in the three countries that border Belarus — Poland, Lithuania, and Latvia. The content also includes commentary on European Union sanctions against Belarus for its role in the war in Ukraine.

When executed, the file downloads three additional files from a staging server. One of them is a legitimate signed file from Global Graphics Software, a UK-based firm. The file uses DLL search-order hijacking to import an updated version of PlugX, a remote-access Trojan (RAT) that has been previously associated with Bronze President.

"DLL search-order hijacking has been around for years," says Mike McLellan, director of intelligence at Secureworks. "It's a well-known technique by threat actors in which they maliciously use a legitimate executable file, often from a well-known vendor, together with a malicious library file (DLL), to load and execute an encrypted malware payload."

Threat actors use the technique because it ensures that the malicious payload file on a compromised system is never sitting around on disk in a manner that scanners and anti-malware can detect.

"This technique has been a staple of several China-nexus threat groups for many years," McLellan says.

As part of the attack chain, the threat actors have also included a ping command that adds a significant delay before executing the legitimate signed file, Secureworks said — a generic evasion technique to introduce a time lag while files are downloaded to the victim.

The staging server that Secureworks observed the threat actor using in the current campaign hosts a domain that Proofpoint earlier this year linked to a PlugX campaign against diplomatic entities in Europe. The security vendor determined that campaign to be motivated by matters related to the war in Ukraine as well. The same domain has also been linked to Bronze President attacks in 2020 that Secureworks observed against the Vatican.

**A New Set of Victims for Bronze Panda**  
Bronze President is a threat group that has been active since at least 2018, according to the researchers. Secureworks and others have assessed the group as being China-based and likely sponsored by — or operating with the knowledge of — the Chinese government. The group has been associated with numerous attacks on nongovernmental organizations and others, mostly in Asia but to some extent in other countries. Last year, for example, researchers from McAfee spotted the threat actor conducting a major cyber espionage operation targeting telecommunication companies in the US, Asia, and Europe.

The latest campaign represents a departure from the usual for the group, since it targets Russian entities, according to McLellan: "This is substantially different to what we have seen over the past two years where Bronze President has been about 90% focused on Myanmar and Vietnam. We believe they still have a mission in the Asia region, but this has been a bit of a departure for them."

Chinese APT Bronze President Mounts Spy Campaign on Russian Military

Acquisition expands security software-as-a-service capabilities.

Cloudflare Flags Largest HTTPS DDoS Attack It's Ever Recorded

This scale of this month's encrypted DDoS attack over HTTPS suggests a well-resourced operation, analysts say.

April 29, 2022

This scale of this month's encrypted DDoS attack over HTTPS suggests a well-resourced operation, analysts say.

by Dark Reading Staff, Dark Reading

April 29, 2022

1 min read

Article

Explainable AI for Fraud Prevention

As the use of AI- and ML-driven decision-making draws transparency concerns, the need increases for explainability, especially when machine learning models appear in high-risk environments.

April 28, 2022

As the use of AI- and ML-driven decision-making draws transparency concerns, the need increases for explainability, especially when machine learning models appear in high-risk environments.

by David Utassy, Data Scientist, SEON

April 28, 2022

4 min read

Article

Tenable Acquires External Attack Surface Management Vendor for $44.5M

Acquisition will add Internet-facing attack surface mapping and monitoring to Tenable's internal asset management products.

April 26, 2022

Acquisition will add Internet-facing attack surface mapping and monitoring to Tenable's internal asset management products.

by Dark Reading Staff, Dark Reading

April 26, 2022

1 min read

Article

API Attacks Soar Amid the Growing Application Surface Area

With Web application programming interface (API) traffic growing quickly, the average cloud-focused company sees three times more attacks.

April 26, 2022

With Web application programming interface (API) traffic growing quickly, the average cloud-focused company sees three times more attacks.

by Robert Lemos, Contributing Writer

April 26, 2022

5 min read

Article

Ukraine Invasion Driving DDoS Attacks to All-Time Highs

Unprecedented numbers of DDoS attacks since February are the result of hacktivists' cyberwar against Russian state interests, researchers say.

April 25, 2022

Unprecedented numbers of DDoS attacks since February are the result of hacktivists' cyberwar against Russian state interests, researchers say.

by Dark Reading Staff, Dark Reading

April 25, 2022

2 min read

Article

Sophos Buys Alert-Monitoring Automation Vendor

Acquisition of cloud-based alert security company will help Sophos automate tasks bogging down security teams, the company says.

April 22, 2022

Acquisition of cloud-based alert security company will help Sophos automate tasks bogging down security teams, the company says.

by Dark Reading Staff, Dark Reading

April 22, 2022

1 min read

Article

Devo Acquires Threat Hunting Company Kognos

Acquisition will blend autonomous threat hunting with cloud-native security analytics for automating security tasks.

April 21, 2022

Acquisition will blend autonomous threat hunting with cloud-native security analytics for automating security tasks.

by Dark Reading Staff, Dark Reading

April 21, 2022

1 min read

Article

Okta Wraps Up Lapsus$ Investigation, Pledges More Third-Party Controls

Companies must enforce more security on their own third-party providers and retain the ability to conduct independent investigations, experts say.

April 20, 2022

Companies must enforce more security on their own third-party providers and retain the ability to conduct independent investigations, experts say.

by Robert Lemos, Contributing Writer

April 20, 2022

5 min read

Article

Security-as-Code Gains More Support, but Still Nascent

Google and other firms are adding security configuration to software so cloud applications and services have well-defined security settings — a key component of DevSecOps.

April 18, 2022

Google and other firms are adding security configuration to software so cloud applications and services have well-defined security settings — a key component of DevSecOps.

by Robert Lemos, Contributing Writer

April 18, 2022

5 min read

Article

CISA Alert on ICS, SCADA Devices Highlights Growing Enterprise IoT Security Risks

Omdia Senior Analyst Hollie Hennessy says the new threat to multiple ICS and SCADA devices underscores the importance of a rapid response to IoT and OT security risks.

April 15, 2022

Omdia Senior Analyst Hollie Hennessy says the new threat to multiple ICS and SCADA devices underscores the importance of a rapid response to IoT and OT security risks.

by Hollie Hennessy, Senior Analyst, IoT Cybersecurity, Omdia

April 15, 2022

3 min read

Article

How IP Data Can Help Security Professionals Protect Their Networks

Beefing up security requires a combination of forensic efforts and proactive mitigation. IP context aids both.

April 05, 2022

Beefing up security requires a combination of forensic efforts and proactive mitigation. IP context aids both.

by Jonathan Tomek, VP of Research and Development, Digital Envoy

April 05, 2022

5 min read

Article

Will the Biggest Clouds Win? Lessons From Google's Mandiant Buy

Google eventually won out in the competition for Mandiant, but Microsoft's interest underscores the trend in consolidation of security services into large cloud providers, experts say.

March 21, 2022

Google eventually won out in the competition for Mandiant, but Microsoft's interest underscores the trend in consolidation of security services into large cloud providers, experts say.

by Robert Lemos, Contributing Writer

March 21, 2022

5 min read

Article

Cut Down on Alert Overload and Leverage Layered Security Measures

Feeling overwhelmed by the number of alerts? It doesn't have to be that way.

March 17, 2022

Feeling overwhelmed by the number of alerts? It doesn't have to be that way.

by Jason Manar, Chief Information Security Officer, Kaseya

March 17, 2022

4 min read

Article

VPNs Give Russians an End Run Around Censorship

As the invasion of Ukraine continues, Russian citizens have turned to virtual private networks — boosting demand for the software by 27x — to circumvent the government's blocks on social media and news sites critical of the war.

March 16, 2022

As the invasion of Ukraine continues, Russian citizens have turned to virtual private networks — boosting demand for the software by 27x — to circumvent the government's blocks on social media and news sites critical of the war.

by Robert Lemos, Contributing Writer

March 16, 2022

4 min read

Article

How Enterprises Can Get Used to Deploying AI for Security

It's important to take a "trust journey" to see how AI technology can benefit an organization's cybersecurity.

March 11, 2022

It's important to take a "trust journey" to see how AI technology can benefit an organization's cybersecurity.

by Fahmida Y. Rashid, Features Editor, Dark Reading

March 11, 2022

4 min read

Article

Source

DARKReading