Cybersecurity investigators found the leaked data to be information from a third party, not Ford itself, that is already accessible to the public and not sensitive in nature.

Source: imageBROKER.com GmbH & Co. KG via Alamy Stock Photo

On Nov. 17, hackers that go by the aliases IntelBroker and EnergyWeaponUser claimed to have breached Ford customer records, laying out their "success" in a post on BreachForums.

The hackers claimed that they had stolen 44,000 Ford customer records that included names, physical addresses, and acquisition information. In truth, after making the data sample public, it was found that the data only included physical addresses of car dealers from around the world, data that is likely already public and not considered sensitive.

The initial claims, however, prompted an investigation by Ford, which determined that there was no breach of its systems or compromised customer data involved. The leaked information actually originated from a third-party supplier, according to the automotive giant.

This isn't the first time IntelBroker has pulled a stunt such as this; though its victims do suffer from some type of breach, the hacker's claims of its attacks' magnitude are often exaggerated. Nonetheless, it's important to carefully vet any hacker claims, according to Roger Grimes, data-driven defense evangelist at KnowBe4.

"Any stolen confidential information, like purchasing habits, is something that can be used in a targeted spear phishing attack to trick more potential victims,” he wrote in an emailed statement to Dark Reading. "So, you can't completely discount any data breach no matter how innocuous it first seems."

**About the Author**

Alleged Ford 'Breach' Encompasses Auto Dealer Info

Though the information regarding the exploits is limited, the company did report that Intel-based Mac systems have been targeted by cybercriminals looking to exploit CVE-2024-44308 and CVE-2024-44309.

Source: Shahid Jamil via Alamy Stock Photo

Apple has released security updates to address two zero-day vulnerabilities that are under active exploitation in the wild.

The bugs, tracked as CVE-2024-44308 (CVSS 6.8) and CVE-2024-44309 (CVSS 4.3), are, respectively, a vulnerability in JavaScriptCore that could lead to arbitrary code execution; and a cookie management vulnerability in WebKit that could lead to a cross-site scripting (XSS) attack while processing malicious Web content.

The bugs affect Apple's iOS, iPadOS, macOS, visionOS, and the Safari Web browser; the company reports that it has addressed them with better checks and improved state management.

Clément Lecigne and Benoît Sevens at Google's Threat Analysis Group (TAG) first discovered and reported the vulnerabilities and, as is customary for the company, Apple did not provide any additional details of reported attacks nor did it offer indicators of compromise (IoCs).

"Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems," Apple stated its advisory for both zero-days, the lone piece of information regarding in-the-wild exploitation attempts.

Those using affected Apple ecosystem products should update to iOS 18.1.1, macOS Sequoia 15.1.1, and  iOS 17.7.2 as soon as possible to avoid compromise.

**About the Author**

Apple Urgently Patches Actively Exploited Zero-Days

If the US wants to maintain its lead in cybersecurity, it needs to make the tough funding decisions that are demanded of it.

Michael Daniel, President & CEO, Cyber Threat Alliance

November 20, 2024

5 Min Read

Source: Skorzewiak via Alamy Stock Photo

COMMENTARY

The term "government cybersecurity agency" probably conjures up a range of images, from men in dark suits to rooms filled with huge screens and people typing away at keyboards. It likely does not prompt people to think of a small underfunded agency in the Department of Commerce. Although organizations like the National Security Agency (NSA), the FBI, and the Cybersecurity and Infrastructure Security Agency (CISA) receive the most attention regarding cybersecurity, many other government agencies perform critical cybersecurity functions and are chronically underfunded and short-staffed. 

The digital ecosystem can suffer far-reaching negative impacts if these agencies cannot perform their missions. If the US wants to maintain its cybersecurity edge, Congress must allocate appropriate funding for agencies across the cybersecurity ecosystem to protect networks and critical infrastructure. The Commerce Department's National Institute of Standards and Technology (NIST) and the National Vulnerabilities Database (NVD) provide an excellent case study for this problem. 

The NVD is a catalog of known IT software and hardware vulnerabilities that bad actors can exploit to carry out malicious activities, such as breaking into a network to steal data or accessing a control system to sabotage equipment. 

Software vendors, cybersecurity providers, and network operators want to know about vulnerabilities so they can patch them and prevent bad actors from exploiting them. The NVD serves as a foundation for almost all vulnerability analysis, assessment, management, or remediation activities in the US, the European Union, and throughout much of the world. 

The US government has operated the NVD since 1999 under NIST. A relatively small agency by US government standards, it has a well-deserved reputation for quality, industry collaboration, and integrity; its expertise in standards development is unparalleled. The agency plays an outsized role in the cybersecurity ecosystem due to the extensive use of its standards, guidelines, best practices, and other cybersecurity products. 

**How the NVD Started and Developed**

The NVD started as a research project. As the vulnerability management process evolved, NIST staff began adding certain data fields to the NVD entries, a process that became known as enrichment. As the number and importance of vulnerability tracking increased — and businesses and network operators increasingly relied on the data — maintaining the NVD and its enriched data became an essential operational requirement for cybersecurity across the entire ecosystem. NIST continued to manage the NVD, despite not being an operational agency.  

This status quo persisted until mid-February 2024, when NIST stopped enriching the NVD entries without much warning. 

While the reasons for the outage are not fully known, long-time observers assert that a lack of resources played into NIST's decision. This abrupt change created major problems across the cybersecurity ecosystem because so many organizations relied on the enriched NVD data for their vulnerability management systems. While the resulting outcry eventually forced the US government to cobble together a solution and restart the process, the decision to stop enriching vulnerabilities measurably increased global cyber-risk for several months. 

**The Problem: Widespread Underfunding of Government Security**

This process breakdown shows what happens when we rely on underfunded government organizations for critical Internet security functions. Unfortunately, the NVD is hardly an outlier. A review of executive orders, presidential guidance documents, and national strategies would show many new tasks for NIST, but decreased funding in the financial year 2025 budget. NIST isn't the only agency in this situation. The Environmental Protection Agency, the Coast Guard, and the Department of Agriculture all have cybersecurity missions and are critical players in increasing our cyber resilience. The State Department and the US Agency for International Development are also responsible for carrying out our cyber policies abroad. Yet the collective resource allocations for these agencies and programs don't reflect their contribution to our overall cybersecurity. The allocated resources are not commensurate with our national security, economic prosperity, and public health and safety needs. 

As a country, we should recognize the importance of these functions and resource them appropriately. We should also think critically about who performs these tasks; for example, in the case of the NVD, should a government research organization maintain a foundational operational capability, or should another agency take over the function? For that matter, we should consider whether a function should be moved out of the federal government to a private sector entity or nonprofit. 

The structures, policies, and resource allocations that worked when the Internet was a "nice-to-have" no longer suffice. Now that the Internet is a "critical function," underpinning public health, safety, and global economic prosperity, we need to invest in the cybersecurity capabilities needed to keep the Internet functioning. We must shoulder our responsibilities appropriately, including allocating sufficient resources to meet our collective needs. 

Unfortunately, the current approach to funding government agencies by continuing resolution simply compounds the resourcing problem. Continuing resolutions are better than a government shutdown, of course, but they are otherwise bad for cybersecurity. They keep agencies at the same funding level as previous years, making no changes for inflation or mission, and they do not permit agencies to start new programs. Their short duration creates uncertainty and effectively freezes the federal government in place. We need Congress to pass annual appropriations bills and provide the resources necessary for our cybersecurity. As the recent McCrary Institute Presidential Transition Task Force report states, "The misalignment between policy objectives and funding is a recurring issue that compromises the effectiveness of national cybersecurity efforts." That's why the report dedicates an entire section to funding and resource recommendations — without adequate resources, the best policies will not achieve their intended effects. 

The US is still a cyber superpower, but that status is not guaranteed to last — we could squander it. If the US wants to maintain its lead in cybersecurity, we need to act like adults and make the tough funding decisions that are demanded of us. Growing up is hard to do — but the alternative is very unattractive.

**About the Author**

President & CEO, Cyber Threat Alliance

Michael Daniel is president of the Cyber Threat Alliance and oversees the organization's operations. Prior to joining CTA in February 2017, Michael served from June 2012 to January 2017 as Special Assistant to President Obama and Cybersecurity Coordinator on the National Security Council Staff. In this role, Michael led the development of national cybersecurity strategy and policy, and ensured that the US government effectively partnered with the private sector, non-governmental organizations, and other nations.

Small US Cyber Agencies Are Underfunded &amp; That's a Problem

An elusive, sophisticated cybercriminal group has used known and zero-day vulnerabilities to compromise more than 20,000 SOHO routers and other IoT devices so far, and then puts them up for sale on a residential proxy marketplace for state-sponsored cyber-espionage actors and others to use.

Source: Jiraroj Praditcharoenkul via Alamy Stock Photo

A cybercriminal group is exploiting vulnerabilities in Internet of Things (IoT) devices and then turning a tidy profit by putting them up for sale on a residential proxy marketplace, where they can be turned into proxy botnets by state-sponsored advance persistent threats (APTs) and other malicious actors.

The gang, tracked as "Water Barghest," has already compromised more than 20,000 IoT devices, including small office and home office (SOHO) routers used by businesses, by using automated scripts to identify and compromise vulnerable devices, according to new research from Trend Micro. The threat actor, which has operated for more than five years (largely under the radar due to a sophisticated automation strategy) discovers vulnerable IoT devices from public Internet-scanning databases such as Shodan, the researchers noted.

Once Water Barghest compromises devices, it deploys proprietary malware called Ngioweb to register the device as a proxy — i.e., a network that puts an intermediary between a client and a server. Water Barghest then lists the device for sale on a residential proxy marketplace for other threat actors to purchase.

The entire cybercriminal process to enslave a target takes as little as 10 minutes, "indicating a highly efficient and automated operation," Trend Micro researchers Feike Hacquebord and Fernando Mercês wrote in the post.

**Selling Proxy Devices as a Cybercrime Business Model**

There is indeed a significant incentive for both espionage-motivated and financially motivated actors to set up proxy botnets to help hide where their malicious activities originate; Russia's Sandworm, for example, recently used the VPNFilter botnet and Cyclops Blink in activities against Ukraine that were elusive for a time before being ultimately disrupted by the FBI, according to Trend Micro.

"These \[botnets\] can serve as an anonymization layer, which can provide plausibly geolocated IP addresses to scrape contents of websites, access stolen or compromised online assets, and launch cyberattacks," the researchers wrote.

Threat actors can find any IoT device that accepts incoming connections on the open Internet using public scanning services, making it easy for them to compromise ones with known vulnerabilities, or even zero-days, for future use in malicious activities, they wrote. This makes it easy for threat actors like Water Barghest to exploit them for financial gain and further abuse, they added.

**Uncovering the Elusive Botnet-for-Sale Cyber Operation**

Trend Micro discovered Water Barghest's operation during an investigation of the Department of Justice's disruption of a Russian military intelligence botnet that Russian state-sponsored threat group Fancy Bear (aka APT28) used for global cyber espionage.

The researchers examined EdgeRouter devices that had been used by Sandworm, and eventually uncovered Water Barghest's Ngioweb malware and botnet. The group's infrastructure had been up and running for more than five years but had been able to evade detection by security researchers and law enforcement "because of their careful operational security and high degree of automation," the researchers wrote.

"They quietly erased log files from their servers and made forensic analysis more difficult," they wrote. "They removed human error from their operations by automating almost everything. They also removed financial traceability by using cryptocurrency for anonymous payments."

Water Barghest automates each step of the 10-minute process, from initially finding vulnerable IoT devices to ultimately putting them for sale on a residential proxy marketplace. The group first acquires known exploits for flaws in devices, then uses search queries on one of the publicly available Internet-scanning databases to find vulnerable devices and their IP addresses. It then uses a set of data center IP addresses to try the exploits against potentially vulnerable IoT devices.

When one works, the compromised IoT devices download a script that iterates through Ngioweb malware samples compiled for different Linux architectures. When one of the samples runs successfully, Ngioweb will run in memory on the victim’s IoT device, registering it with a command-and-control (C2) server, and then eventually sending it to be listed on a Dark Web marketplace.

Water Barghest has about 17 identities on virtual private servers that continuously scan routers and IoT devices for known vulnerabilities and also upload Ngioweb malware to freshly compromised IoT devices. In this way, Water Barghest has been running a profitable business "for years, with the worker IP addresses changing slowly over time," according to the Trend Micro analysis.

**Protecting SOHO Routers: Limit Exposure to Public Internet**

Trend Micro expects that both the commercial market for residential proxy services and the underground market of proxies will grow in the coming years due to high demand from both APTs and financial cybercriminal groups alike. This growth will pose "a challenge for many enterprises and government organizations around the world" to protect against the anonymization layers behind which these groups hide, the researchers wrote.

While law enforcement has been effective in disrupting proxy botnets, it's better to go directly to the source to combat the problem, and that can be done by addressing the security of IoT devices. Indeed, these devices are notoriously hackable, posing a problem for organizations that must manage increasingly larger networks of them.

"It is important \[for organizations\] … to put mitigations in place to avoid their infrastructure being part of the problem itself," the researchers wrote. They can do this, they added, by limiting the exposure of these devices to incoming connections from the open Internet whenever it is not business-essential.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

'Water Barghest' Sells Hijacked IoT Devices for Proxy Botnet Misuse

Recent backdoor implants and cyber-espionage attacks on their supply chains have African organizations looking to diversify beyond Chinese, American tech vendors.

Source: CG Alex via Shutterstock

Every night for five years, computers and network appliances from the headquarters of the African Union in Ethiopia — a facility built by Chinese firms — reportedly reached out to China-based systems and uploaded sensitive data. The espionage through the technology supply chain, which China's government denies, undermined the security of the pan-African organization.

The incident and more recent supply-chain breaches have underscored that reliance on foreign technological supply chains carries with it significant risks. While using a technology supply chain anchored in China was seen as a less constrained option than US and European options, the truth is that African nations need to evaluate the security of all their supply chains across applications, consumer devices, infrastructure, and service providers, according to a report published by the Africa Center for Strategic Studies, a research and academic center funded by the US Department of Defense.

"I don't think there's an African country that doesn't have some kind of interest in fostering a more robust technology industry and finding various ways to exert more ownership and agency over various aspects of the technology sector," says Nate Allen, associate professor at the Africa Center for Strategic Studies and the author of the report. "You are seeing increasing African interest in having more ownership and say over their technology supply chains."

Supply-chain security has become a major issue worldwide following malicious events, such as the WannaCry and NotPetya worms and the compromise of SolarWinds, as well as IT supply-chain failures, like this summer's CrowdStrike outage. The US government has voiced concerns over the extent to which US maritime ports are reliant on Chinese equipment and investment, and China has begun creating its own operating system and software ecosystem.

Similarly, African nations have become wary of information technology supplied by any number of foreign countries, including China, Russia, the US, and Europe. While African nations need the technology and investment, they are pursuing initiatives to reduce their reliance, says Mark Walker, vice president of data and analytics for the Middle East, Turkey, and Africa for IDC South Africa.

"The reality is that we live in a multidimensional, globally interconnected world, \[where\] development is reliant on significant capital investment and R&D to develop technology — often this is in limited supply across Africa," he says. "That said, many African nations are focusing on developing local software and technology skills in their populations to offset reliance on global players and also ensure that solutions are relevant to local market condition and needs. Education plays a significant role in this."

**China, US Dominate Africa's Tech Market**

Those efforts are still nascent, with the reality that the top technology suppliers in Africa come from China and the US. In mobile applications, for example, 36 of 2023's top-100 applications are from Chinese companies, while 23 are from US companies, according to a report from DataSparkle, a provider of data and analytics for emerging markets. Africa-based developers only account for only seven applications, mostly focused on digital cash and payment applications.

The US dominates the operating-system supply chain with Microsoft's Windows, Google's Android, and Apple's iOS dominating the field.

"If you're not China and you're not the United States, you just have a lot of dependencies in your technology supply chain, and there's no way around it — even to some extent, if you are China and the United States," ACSS's Allen says.

Yet, the 54 nations on the content have options. While foreign firms provide much of the technology, the African market continues to grow and the domestic technology sector continues to have the most insight into nation-by-nation needs.

"\[A\] detailed view of Africa’s technology sector reveals that it is not under the control of any one actor, and there are plenty of opportunities for Africans to assert agency," the ACSS report stated. "By further fostering diversity and competition within the tech sector, African governments can help mitigate the vulnerabilities that come from external actor influence."

**Future of Technology Supply Chains in Africa**

Companies entering the market should find ways to address the cybersecurity concerns of African customers, because if they don't, someone else will, says IDC South Africa's Walker.

"Competition is strong, and vendors are judged on their ability to supply relevant technologies and services at a fair price with solid \[local\] support structures," he says, adding that companies should understand "the local market dynamics, including economic and political realities and the local regulatory environments. Security issues faced in the Horn of Africa around Somalia are different to those faced in northern Nigeria and the Magreb, which again, differ significantly from southeast Africa."

Among incidents in Africa, Chinese hackers targeted Kenyan officials following the nation's trouble paying back loans from China, according to news reports published in 2023, while another incident involved a state-sponsored group targeting foreign-affairs ministries, embassies, and military forces in Africa in an operation dubbed Diplomatic Specter, according to a threat analysis published in May.

In addition, African officials have warned that an important technology supply chain for the continent — open-source software (OSS) — needs to be better secured to prevent malicious attacks.

"I don't think that Africans are naive, or any government around the world is naive — I think they know that, if you are being sold a technology product that is not domestically produced, then there's always going to be some kind of security risk there," says ACSS's Allen. "I think the question is, how can you mitigate that security risk?"

Companies working in the markets need to have an answer to that question, he says.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

African Reliance on Foreign Suppliers Boosts Insecurity Concerns

DeepTempo's Tempo is a deep learning-based Snowflake native app that allows organizations to detect and respond to evolving threats directly within their Snowflake environments.

Soure: Zoonar GmbH via Alamy Stock Photo

Organizations are harnessing artificial intelligence (AI) to boost their security teams' productivity and detect potential threats. DeepTempo emerged from stealth on Nov. 12 with Tempo, a deep learning-based Snowflake native app. Tempo helps security teams maintain data privacy and compliance while boosting enterprise defenses, the company in a statement. DeepTempo is integrating AI-powered security capabilities into an established cloud environment, in this case, Snowflake.

Organizations benefit from faster detection of attack indicators, including new and and evolving threats, within their Snowflake environments, the company said. They can also optimize security spending by running Tempo on existing security data lakes.

DeepTempo built and trained a log language model (LLGM) to detects anomalies in network traffic and other services. The algorithm was pretrained on large amounts of log data to focus on the pattern of events, including relative and absolute time. Tempo has been optimized to work with Netflow data, and the company is recruiting teams with similar logs, such as VPC Flow, as design partners. Interested security teams can try out with Tempo with a sample data set from the Canadian Institute for Cybersecurity and view the output in Splunk.

Along with detecting anomalies, Tempo provides additional context that can be used for security triage and response, such as looking up similar patterns from the MITRE ATT&CK framework and listing potentially impacted entities. Tempo also allows "organizations to keep more of their logs within Snowflake and use their SIEMs primarily for incident response rather than log storage," the company said. DeepTempo said a large financial institution projected savings of "several million dollars, representing up to 45 percent of their existing SIEM spending" by using Snowflake as its system of record and not relying on a separate security information and event management (SIEM) system.

"Tempo has demonstrated a unique blend of accuracy and practicality, with false positive and false negative rates lower than one percent after adaptation to a new user’s domain," the company said, noting that Tempo doesn't need to know the different attack patterns. "It simply recognizes when activities deviate from the norm, triggering detection for any threat that emerges."

DeepTempo Launches AI-Based Security App for Snowflake

RIIG is a risk intelligence and cybersecurity solutions provider offering open source intelligence solutions designed for zero-trust environments.

Source: Olekcii Mach via Alamy Stock Photo

As cyber threats get more sophisticated and the volume of attacks increase, organizations are looking at how artificial intelligence (AI) can help beef up defenses. RIIG, a risk intelligence and cybersecurity solutions provider, combines AI And machine learning technologies with network threat detection to provide risk intelligence. With access to 17 intelligence agencies and collaborations with commercial partners, RIIG provides organizations with high-quality, verifiable data and advanced intelligence, the company said in a statement.

Charlottesville-Va.-based RIIG, which emerged from stealth today, specializes in "white hat data trust services" and offers open source risk intelligence for zero-trust environments, the company said. RIIG offers both risk intelligence offerings, such as open source intelligence, regulation, and forensics, as well as cybersecurity solutions, such as vulnerability assessments, strategic implementation, and tech validation. 

RIIG plans to partner with local academic institutions for access to industry-leading research and talent. 

The company also announced it raised $3 million in seed funding, led by the Felton Group. The funds will be used to accelerate product development and expand client support.

**About the Author**

RIIG Launches With Risk Intelligence Solutions

The secure coding curriculum, funded by a $2.5 million grant, is available for students and professionals at all stages of their careers.

Source: Simon Turner via Alamy Stock Photo

A coalition of universities, community colleges, and cybersecurity organizations has launched a new educational initiative to teach software developers how to code securely without sacrificing efficiency.

The Strengthen Workforce Education for Excellence in Programming Securely (SWEEPS) program offers one-day workshops, self-paced online courses, week-long intensive boot camps, and full certificate programs to help bridge the skills gap in software security by providing developers with the necessary application security knowledge and tools. Training will be available for students and professionals at all stages of their careers, from entry-level developers and career changers to experienced IT professionals. 

SWEEPS is funded by a $2.5 million grant from the National Centers for Academic Excellence in Cybersecurity (NCAE-C), a program administered by the National Security Agency's National Cryptologic School.

The curriculum highlights concepts, principles, and examples of secure programming, including common misconceptions and proactive practices for improving security. The course material will cover data security standards and how to reduce security vulnerabilities in software. Information about compliance and legal requirements in secure programming will also be presented. Students will have access to in-depth tutorials on analysis of vulnerabilities and exploits as well as advanced defense mechanisms. 

"The software that runs our country's infrastructure and computer systems is vulnerable to attack," said Matt Bishop, the SWEEPS program's principal investigator and a computer science professor at the University of California, Davis, in a statement. "We're trying to change that. By providing intensive, hands-on training in secure software development, SWEEPS helps programmers defend against cybercriminals and 'bad actors' who exploit vulnerabilities in our computer systems."

SWEEPS offers trainings in a variety of formats and lengths. The one-day virtual workshops are offered by the University of California, Davis; University of Maryland, Baltimore County; and Worcester Polytechnic Institute. Early-career software engineers can work through a self-paced 45-hour online course. Software engineers, graduate students, college educators, and IT and cybersecurity professionals can opt for a one-week intensive virtual bootcamp to gain an in-depth understanding of secure programming. And a one-year virtual advanced certification program is open for mid- to senior-level software engineers, cybersecurity and IT professionals, and graduate students.

"The increasing frequency of large-scale cyberattacks reinforces the need for more experts in secure programming," said Xiaoyan Sun, a computer science professor at WPI and administrator of the program. "After developers go through the SWEEPS program, they will be more capable of implementing security best practices in every aspect of their coding practice."

Enrollment is open to students who are US citizens or permanent residents, with priority given to those with military or first-responder backgrounds. Application requirements and deadlines for each program differ, and some require specific prerequisite courses and programming abilities. About 700 students are projected to take part in the program.

**About the Author**

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

SWEEPS Educational Initiative Offers Application Security Training

Since surfacing in August, the likely LockBit variant has claimed more than two dozen victims and appears poised to strike many more.

Source: Nicolas Bentancor via Shutterstock

The purveyor of a rapidly emerging ransomware family being tracked as "Helldown" introduced a new Linux variant, targeting organizations across multiple sectors using VMware ESXi servers.

Several of the victims had Zyxel firewalls deployed as IPSec VPN access points at the time of breach, suggesting the attackers exploited a vulnerability or vulnerabilities in the technology to gain initial access, security researchers at Sekoia reported this week. Since surfacing in August, the group behind Helldown has quickly notched 31 victims, many of them US-based.

**Undocumented Zyxel Vulnerabilities?**

Available telemetry suggests the Zyxel flaw that the attackers are exploiting is undocumented, Seokia said. But Zyxel has issued fixes for multiple vulnerabilities in its firewalls after Helldown actors breached the company's network, also in August, and then leaked some 250GB worth of data. As of mid-November, no exploit code for any of these vulnerabilities appears to be publicly available, Sekoia said, while leaving open the possibility that the Helldown attackers could be exploiting any one of the vulnerabilities.

"Helldown is a notably active new intrusion set, as shown by its large number of victims," Sekoia researcher Jeremy Scion wrote this week. "Available data indicates that the group mainly targets Zyxel firewalls by exploiting undocumented vulnerabilities." Though the ransomware itself is standard fare, what makes the group dangerous is its apparent access to and effective use of undocumented vulnerability code, Scion noted.

Zyxel firewalls, like many other network and edge technologies, are a popular attacker target. Threat actors have been quick to exploit flaws in the company's products in various campaigns in the past, including one dubbed IZ1H9 that targeted Internet-of-Things (IoT) networks; another involving a Mirai variant; and another that hit Danish critical infrastructure.  

**A Troubling Shift**

Patrick Tiquet, vice president security and architecture at Keeper Security, viewed Helldown as a troubling shift in ransomware actor tactics. "While ransomware targeting Linux isn't unprecedented, Helldown's focus on VMware systems shows its operators are evolving to disrupt the virtualized infrastructures many businesses rely on," he said via email. "The message to security teams is clear: patch known vulnerabilities, monitor for unusual activity, and treat virtualized environments with the same vigilance as traditional ones."

Multiple security vendors have reported attacks involving Helldown since early August. Most of its victims have been small and medium sized businesses across different sectors, including transportation, manufacturing, healthcare, telecommunications, and IT services. Halycon, one of the first to spot Helldown, described the group as "highly aggressive" and capable of causing substantial disruption and financial losses to victims. According to Halycon, Helldown actors have a penchant for stealing large volumes of data from victims and threatening to leak the data unless it receives a ransom.

In a report earlier this month, Truesec perceived the threat actor as being more sophisticated in its initial compromise techniques compared to better known ransomware operators, such as the one behind Akira. In the attacks that Truesec analyzed, Helldown threat actors leveraged legitimate tools and other living-off-the-land techniques to execute their mission on a compromised network.

**Dangerous Adversary**

"Recent incidents showed that the group will thoroughly remove tools utilized during a compromise, as well as override the free disk space on the hard drive of different machines, in attempts to hinder the recovery process and reduce the effectiveness of file carving," Trusec observed. Helldown actors likely accessed victim environments directly from their Internet-facing Zyxel firewall, the security vendor posited. Once on a victim network, the threat actor used either TeamViewer or the default Windows RDP client for lateral movement, PowerShell for remote code execution, and Mimikatz to search for and retrieve credentials.

According to Sekoia, reports from multiple Helldown victims indicate that the attacker compromised Zyxel firewalls running firmware version 5.38. "Specifically, a file named zzz1.conf was uploaded, and a user account called OKSDW82A was created" on compromised systems, Scion noted. The attacker then used the temporary account to create an SSL VPN tunnel for accessing and pivoting further into the victim network.  

The attack chain included attempts by the threat actor to disable endpoint detection mechanisms using a tool called HRSword; leverage the domain controller's LDAP credentials to burrow deeper into the network; use certutil to download Advanced Port Scanner; use RDP or TeamViewer for remote access and lateral movement; and use PSExec for remote code execution.

Scion said Sekoia's analysis of the files that Helldown actors have published on their data leak site showed many of them to be unusually large and averaging around 70GB. The biggest file, in fact, weighed in at a hefty 431GB, which is noteworthy because ransomware actors typically tend to be more selective in the files they steal and use for extortion. The contents of the stolen files also tended to be more variable and random than usual for a ransomware operation. "The large volume and variety of data suggest that the attacker does not selectively choose which documents to steal," Scion said. "Instead, they appear to target data sources that store administrative files, such as PDFs and document scans, which typically contain sensitive information (personal, financial, etc.), thereby intensifying the pressure on victims."

Helldown's behavior itself is similar to that of Darkrace, a LockBit variant that first surfaced in August 2023 and may have been rebranded as Donex in February of this year. Though the links between the ransomware strains are not conclusive, there is a possibility that Helldown is a rebrand of Donex, Sekoia said.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Linux Variant of Helldown Ransomware Targets VMware ESXi Systems

In further proof of the professionalization of Russian cybercriminal groups, ransomware gangs have been posting job ads for security positions such as pen testers, looking to boost their ransomware deployment operations.

Source: Panther Media GmbH via Alamy Stock Photo

Ransomware gangs such as Apos, Lynx, and Rabbit Hole are seeking pen testers to join their ransomware affiliate programs and assist in their malicious operations.

Penetration testing, i.e., simulating an attack in order to identify gaps and vulnerabilities within a system, is an essential cyber practice to gauge the strength of a system, program, or operation. Now, according to researchers at Cato Networks in its "Q3 2024 Cato CTRL SASE Threat Report," multiple Russian job listings have sprung up detailing requirements for the same skill set, preferably pen testers with experience in Russian language forums. It is the latest example of the professionalization of Russian cybercriminal groups.

"Ransomware is one of the most pervasive threats in the cybersecurity landscape," Etay Maor, chief security strategist at Cato Networks, wrote in a statement. "It impacts everyone — businesses and consumers — and threat actors are constantly trying to find new ways to make their ransomware attacks more effective."

Other findings in the Cato cyber-threat report include rising threats from Shadow AI, i.e., unauthorized artificial intelligence programs; and the lack of utilization of Transport Layer Security (TLS), a tool that allows organizations to decrypt, inspect, and re-encrypt traffic, but which poses some risks that prompt organizations to forgo it altogether.

**About the Author**

Source

DARKReading