The less-good news: IAM only works for applications your IT department knows about, so watch for "shadow IT" programs installed or written by users that leave a security gap.

Almost every company implements identity access management (IAM) techniques such as single sign-on (SSO) to secure users who access software-as-a-service (SaaS) offerings, and most supplement that with measures like firewalls and cloud access security brokers (CASBs).

That's according to the 2022 SaaS Visibility and Impact Report from SaaS security provider Torii, which surveyed 100 technology executives to see how the pandemic has affected their IT practices and strategies. Nine of out 10 respondents (90%) say they use IAM/SSO to protect their networks, with 70% adding firewalls, antivirus software, and related safeguards. More than 6 out of 10 (61%) implement CASB or other security access guardrails related to secure access service edge, while 16% use SaaS management tools.

SaaS has become an indispensable part of business, especially during the pandemic-impelled push toward remote working. In the recent Dark Reading survey State of the Cloud: A Security Perspective, for example, half of respondents reported having 2 to 9 cloud applications in their organization. This new reality creates a need for tools that protect network resources: A recent study from Reposify showed that almost two-thirds of cybersecurity vendors had their back-office networks directly accessible from the Internet, and half had at least one exposed database.

An extra challenge springs from the decentralized work environment. Employees have started to solve their own problems by writing or installing their own software tools outside of the control of the IT department, a phenomenon known as "shadow IT." These programs, while often useful for solving immediate challenges, can create security holes when IT doesn't even know the tool exists.

Both CASBs and SaaS management tools can plug up shadow IT holes, while IAM and firewalls tend to be blind to uncatalogued software. For more, read the full report here.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Good News! IAM Is Near-Universal With SaaS

QNAP and Synology say flaws in the Netatalk fileserver allow remote code execution and information disclosure.

Network attached storage (NAS) device vendors QNAP and Synology this week disclosed multiple critical vulnerabilities in an open source fileserver technology integrated into their products.

The vulnerabilities — several of which enable remote code execution (RCE) — exist in Netatalk, an open source version of Apple File Protocol fileserver for accessing network shares in multiple operating system environments. Both vendors are still working on updating all versions of their products that contain the vulnerability.

**Unpatched for Months**  
Security researchers working in coordination with the Zero Day Initiative (ZDI) reported a total of six vulnerabilities to the maintainers of Netatalk in December. Three of them are critical RCE bugs tied to buffer-overflow issues (CVE-2022-0194; CVE-2022-23122; CVE-2022-23125). Two of the flaws are medium-severity out-of-bounds information-disclosure vulnerabilities (CVE-2022-23124; CVE-2022-23123), and one is a critical RCE issue tied to improper handling of exceptional conditions (CVE-2022-23121).

Brian Gorenc, senior director of vulnerability research and head of ZDI at Trend Micro, tells Dark Reading that all the Netatalk bugs were first discovered at Pwn2Own Austin in November 2021.

Another flaw, a high-severity buffer-overflow related RCE (CVE-2021-31439), was disclosed to Netatalk's maintainers all the way back in March 2021.

The development team at Netatalk released an updated version of the software (Netatalk 3.1.13) on March 23 that addressed all seven of the vulnerabilities. The updated version is available for all currently supported operating systems: FreeBSD, Linux, OpenBSD, NetBSD, and Solaris and derivates.

However, it's a longer timeline for some vendors to roll the patches into their products. ZDI's Gorenc says that because Netatalk is a third-party component used by many NAS vendors, the vendors are responsible for monitoring for releases of Netatalk and integrating these releases into their products. "We are glad to see the NAS vendors updating their Netatalk deployments to resolve the vulnerabilities that were disclosed and fixed at Pwn2Own Austin," he says.

Western Digital is another vendor whose products were impacted by the flaws in Netatalk. But unlike Synology and QNAP, Western Digital proactively removed Netatalk from its products on Jan. 10, 2022, citing concerns over multiple critical vulnerabilities in the technology.

"Because Netatalk is unmaintained, we have removed Netatalk from our firmware released on January 10, 2022," the company announced in March. "Users can continue to access local network shares and perform Time Machine backup via SMB."

**Affected Devices**  
Synology's advisory described the vulnerabilities as critical and allowing remote attackers to steal sensitive data. Bad actors could potentially execute arbitrary code on NAS devices via a vulnerable version of its DiskStation Manager (DSM) and Synology Router Manager (SRM) technologies.

QNAP identified multiple versions of its QTS operating system as being vulnerable and said it is currently investigating the flaws. The company said that it's working on releasing updates to all impacted products, and it urged customers to install the updates as soon as they become available.

The Taiwan-based NAS manufacturer also outlined steps that organizations can take to mitigate the risk posed by the vulnerabilities while it works on fixes. QNAP's advisory identified CVE-2021-31439 — the flaw from last March — as one of the issues that it still needs to address in its products even though it was disclosed more than one year ago.

Both Synology and QNAP did not immediately respond to requests for comment from Dark Reading.

Critical Vulnerabilities Leave Some Network-Attached Storage Devices Open to Attack

This scale of this month's encrypted DDoS attack over HTTPS suggests a well-resourced operation, analysts say.

A DDoS-over-HTTPS attack targeting an unnamed crypto launchpad company clocked in at a whopping 15.3 million requests-per-second (rps) earlier this month — turning heads at Cloudflare.

It lasted just 15 seconds, but the HTTPS DDoS attack was the largest of its kind the company has ever observed, two analysts from Cloudflare explained in a new blog post.

Cloudflare's researchers noted that HTTPS DDoS attacks require the use of a transport layer security (TLS) encrypted connection, which isn't cheap. That suggests a well-funded operation.

"We've seen very large attacks in the past over (unencrypted) HTTP, but this attack stands out because of the resources it required at its scale," according to the post.

Crypto launchpads are platforms where new cryptocurrencies and decentralized finance (DeFi) projects can launch and attract early investors.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Cloudflare Flags Largest HTTPS DDoS Attack It's Ever Recorded

Encryption will break, so it's important to mix and layer different encryption methods.

Quantum computers may one day break encryption. So might stochastic magnetic tunnel junction machines, also known as spintronics. But we don't need next-generation computing power to break encryption. It’s successfully happening right here and now.

**Why Does Encryption Fail?  
**There are many factors that contribute to encryption weaknesses and create vulnerabilities ready for exploitation by cybercriminals or state-sponsored actors. Chief among them is poorly implemented cryptography – in terms of both the crypto libraries themselves and the way they are used. Bugs such as Heartbleed or the recent implementation error of the Elliptic Curve Digital Signature (ECDS) algorithm in Java versions 15 and above, undermine all programs based on them. The incorrect use of a library, insufficient entropy, or use of weak ciphers is a daily occurrence that impacts specific applications, making bugs even harder to find. Other encryption failings include weak passwords and certificates taken from compromised machines. Combine these techniques with “harvest-now-decrypt-later” attacks, and encryption technology is no longer what it used to be.

**Mathematics, the Cornerstone of Encryption  
**Extremely difficult mathematics underlie our encryption. RSA, the gold standard for public key encryption, is based on the complexity of breaking down a large number into its constituent primes. The forward problem is easy and quick to solve: Take some primes and multiply. But the reverse problem is much harder: Given an integer, which primes were multiplied to make it? Attempts to solve the problem of prime factorization dates back centuries, with Euclid of Alexandria working on specific properties of prime numbers more than 2,000 years ago.

Although no solutions have been found that work on conventional binary computers, that does not mean none exist. After more than 2,000 years of work, most mathematicians agree a prime-factorization algorithm used by a classic computer won’t be here anytime soon. Peter Shor proposed an algorithm that could do composite number decomposition in polynomial time on a quantum computer – breaking RSA and Diffie-Hellman ciphers – but a quantum computer of this kind has not been publicly demonstrated at sufficient scale. Yet.

To prepare for the day when Shor’s algorithm is in play, the National Institute for Standards and Technology (NIST) has sponsored a post-quantum cryptography (PQC) competition. Now in its sixth year, the competition that began with 82 submissions is expected to announce its four finalists this year.

The remaining candidates are asymmetric-key algorithms (similar in concept to RSA) believed to be capable of withstanding the computational power of a stochastic algorithm that might run on a scalable quantum computer. The mathematical problems upon which these newer algorithms are based are much younger and have not been studied extensively.

In the field of complex mathematics _centuries_ are common time frames. For example, Fermat’s last theorem took 358 years to be proven. By that logic, it’s no wonder we have already seen a previously unknown or unforeseen weakness revealed in Rainbow – what had been the most peer-reviewed quantum-resistant algorithm now deemed unsuitable for use by NIST. It’s only a matter of time, then, before new encryption standards are weakened or outright broken. This is why NIST is encouraging organizations to embrace crypto agility in their post-quantum preparedness planning.

What complicates this matter further is that we don't — and won't — know which methods are bearing fruit and which techniques are being used, and by whom, to break the encryption we rely on to secure our digital universe. For all we know, large-scale quantum computers are already in use. If you were a nation state or criminal mastermind and had the ability to factor large numbers into their primes, would you tell the world? This is the fundamental problem with modern encryption: We often don’t know which, when, or how ciphers are compromised. However, we can say with certainty that encryption is being broken – and will be broken.

**Look to Wall Street and Diversify  
**To harden IT environments and digital assets in the face of such uncertainty, we can look to Wall Street for strategic advice. To combat the uncertainties and risks associated with loans and stocks go bad, financial institutions embrace diversification. By diversifying investments across multiple asset classes, geographies, and industries, the risks of an entire portfolio imploding are minimized.

This approach can, and should, be applied by enterprise IT and SOC teams when it comes to encryption. Using and mixing/stacking multiple encryption techniques helps to keep data traveling securely even if a flaw is uncovered in one of the encryption layers. We won’t always know which part of a crypto stack has been defeated and how, but it won’t matter if the cryptography is sufficiently diversified.

As an industry, we need to support the simultaneous use of multiple approaches, anticipating that new crypto methods will come and go. We must mix asymmetric key technology with symmetric key technology, and transmit keys through out-of-band channels. Most importantly, we must develop agreed-on metrics and industrywide benchmarks to measure exactly how diversified our crypto strategy is.

Take a Diversified Approach to Encryption

The AI startup releases new threat signatures to expand the computer vision platform’s ability to identify potential physical security incidents from camera feeds.

A comprehensive cybersecurity strategy should include physical security. Adversaries don't need to worry about compromising a corporate device or breaching the network if they can just walk into the office and connect directly into the network.

CISOs are increasingly including physical security as part of their strategic investments, says Stephanie McReynolds, head of marketing at Ambient.ai. Organizations are spending a lot of money and effort to lock down cybersecurity, but all of those security controls are useless if the adversary can just enter a restricted space and leave with equipment.

"The last mile of cybersecurity is physical location," McReynolds says.

Ambient.ai uses computer vision technology to solve physical security problems, such as monitoring who is entering the building or a restricted area and monitoring all the video feeds coming from the camera network. Computer vision is a subcategory of artificial intelligence dealing with how computers can process images and videos and derive an understanding of what they are seeing. The idea behind computer vision is to provide computers with eyes to see the same things humans see, and training the algorithm to think about what the eyes saw.

In the case of Ambient.ai, the company's computer vision intelligence platform serves as "the brain" behind physical access control systems, such as security cameras and physical sensors (such as door locks and entry pads). This week, the company expanded the catalog of behaviors the computer vision platform can recognize with 25 threat signatures.

**Computers Help Humans See**  
Traditionally, physical security involves staff in the security center monitoring alerts from the sensors and watching video feeds to try to detect when something untoward is happening. They may receive alerts that a door is open, or that a person swiped the access card to get into the building after-hours. There might be camera footage of someone loitering for quite some time in the building lobby, or a person entering a restricted area carrying an unauthorized laptop. Humans are expected to detect and respond to security incidents, but between fatigue and too much information to process, things can get missed.

"One individual is trying to watch 50 camera feeds at once. This doesn't work," McReynolds notes.

There have been three waves in computer vision, McReynolds says. The first wave was basic detection — that there was an object there, but no insight into what it was. The second wave added recognition, so it knew what it was looking at, such as whether it was a person or a dog. But it was a limited form of recognition, and there was a lot that was still unknown about the object it was looking at. The third wave, the current one, takes in context clues from the broader scene to understand what is happening. Just as a human would look at details around the object to understand what is happening, such as whether the person is sitting or if the person is outside, computer vision technology is now capable of collecting those details.

Ambient.ai breaks down the image or video into "primitives" — which refers to components such as interactions, locations, and objects seen — and constructs a signature to understand what is happening. A signature may be something like a person standing in the lobby for a long time not interacting with anyone, for example.

The new threat signatures expand the platform's ability to catalog over 100 behaviors, McReynolds says.

**Recognizing What Is an Incident**  
The Ambient.ai Context Graph assesses three risk factors to determine next steps: the context of the location, the movements that create behavior signatures, and the type of objects interacting in a scene. Based on these factors, the platform can dispatch security personnel to handle the incident, validate risks, or trigger proactive alerts. With the Context Graph, analysts can also tell which alerts are not security incidents, such as a door that didn't latch properly, and close the ones that don't require any action.

"A person holding a knife running in the kitchen isn't a security incident," McReynolds says. "A person holding a knife running in the lobby, on the other hand, is a security incident."

VMware, an Ambient.ai customer, claims that 93% of its alerts each year were false positives. By integrating Ambient.ai's platform with its physical access control systems, VMware's security teams didn't have to deal with those alerts and were able to focus their attention on dealing with the remaining 7% of alerts to stop security incidents on its campus.

McReynolds described a potential workplace violence scenario, where a former employee tried to use their badge to enter the building. The invalid badge in and of itself is not a security threat, but paired with security footage of the former employees sitting in the lobby and not interacting with anyone, there are enough reasons to be concerned. The alert would then be prioritized to send a guard to approach the individual.

"Sometimes it takes just a conversation and the person will stand down," McReynolds says.

All that is accomplished without resorting to facial recognition, which brings a host of privacy implications. Ambient.ai uses machine learning, pattern-matching, and computer vision to make decisions about what is important.

**Computer Vision in Security**  
Computer vision technology is useful in several security contexts because it can be used to detect manipulations that are less visible to the human eye, says Fernando Montenegro, senior principal analyst at Omdia. For example, the technology can be used to identify spoofed logos and websites used in account takeovers and ecommerce fraud. Another interesting use case is to represent binary samples as images, and then using imaging classification techniques to classify them as malicious or not, he says.

One aspect of computer vision is the capability to analyze "datasets that are not originally 'images' themselves, but can be encoded as such," Montenegro says.

Humans have the capacity to say something doesn't look right, even if they can't specifically point to something that is wrong, says Gunter Ollmann, CSO of Devo. An intriguing application of computer vision research is to train the algorithm to be able to detect something is wrong because of the way it looks, he says. By turning source code into an image, the machine can analyze the structure and other patterns to detect potential issues without having to analyze the code line by line. This kind of analysis can be used for malware analysis, by color-coding different categories of function and analyzing the image to get an understanding of what the application is doing.

There are several computer vision startups tackling cybersecurity issues. Hummingbirds AI uses facial biometrics to authenticate users and grant access to the device. When the computer "sees" a person who is not authorized that is close to the screen, the tool blocks access. Pixm relies on computer vision to identify and stop spear-phishing attacks. The platform runs in the browser window and is available from the moment the user clicks on a link until the campaign is disrupted.

"We are now in an exciting era where \[the machine\] can collaborate with the human," Ambient.ai's McReynolds says, regarding advancements in computer vision.

Ambient.ai Expands Computer Vision Capabilities for Better Building Security

Flaws gave attackers a way to access other cloud accounts and databases, security vendor says.

Microsoft has patched a dangerous pair of vulnerabilities in its Azure Database for PostgreSQL Flexible Server that gave attackers unauthorized cross-account access to databases in cloud hosted environments.

The first is a privilege escalation bug in a modification that Microsoft made to the PostgreSQL engine. The second is a bug that leverages the privilege escalation enabled by the former to give attackers cross-account access.

Threat actors could have used the flaws to bypass authentication mechanisms and gain full access to customer data across multiple databases in a region without leaving any trace of their presence, researchers from cloud security vendor Wiz Research recently discovered.

"An attacker could create a full copy of a target database in Azure PostgreSQL \[Flexible Server\], essentially exfiltrating all the information stored in the database," says Ami Luttwak, co-founder and CTO at Wiz. The vulnerabilities would have allowed attackers to bypass firewalls configured to protect the hosted databases unless an organization had configured it for private access only. "But this is not the default configuration," Luttwak says.

In an advisory Thursday, Microsoft described the security issue as impacting organizations that had deployed their PostgreSQL Flexible Server instances using the public access networking option. The company said it mitigated the issue on Jan. 13, 2022, less than 48 hours after Wiz had notified it of the issue. Microsoft said its analysis showed no evidence of attackers having exploited the vulnerabilities to access customer data. Though organizations using the service need not take any action, Microsoft recommended they enable private network access for their Flexible Server instances to minimize exposure to similar issues.

Luttwak says vulnerabilities like these highlight why organizations need to have a defense in depth security model when deploying and running cloud workloads. He says, "Here, a simple developer mistake — a wrong prefix validation — led to a potential ability for attackers to gain access to customer data." The only way to mitigate such risks is to have multiple layers of protection so a single bug does not allow for a compromise, Luttwak says.

The Wiz researchers found the bugs as part of a wider research effort to find cross-account access vulnerabilities in cloud services. These are a class of vulnerabilities that essentially give attackers a way to break through tenant isolation mechanisms in cloud environments to access other customer accounts and data. Wiz's effort follows the company's discovery in August 2021 of a critical vulnerability — dubbed ChaosDB — in Microsoft's Azure Cosmos DB that gave the company unrestricted access to databases and accounts belonging to thousands of customers of the Azure service, many of whom were Fortune 500 companies.

"Following the ChaosDB vulnerability we disclosed last year, we specifically focused on cloud-managed databases as they pose the most risk holding sensitive customer data," Luttwak notes.

**Cross-Account Access Flaws in the Cloud**  
Wiz decided to focus on Azure PostgreSQL Flexible Server because it is a widely used cloud managed database service, where the database instances run in an internal cloud environment owned by the service provider. The researchers began by trying to figure out a way to escalate privileges within their own PostgreSQL Flexible Server instance and discovered a vulnerability in some modifications that Microsoft had made to the engine ostensibly to harden its privilege model.

"The privilege escalation bug is not a PostgreSQL vulnerability, but rather is a result of modifications Azure introduced to the PostgreSQL engine on their end," Luttwak says. "It's likely these modifications were introduced to help Azure better manage customers' instances and reduce friction."

Once the researchers gained code execution privileges on their PostgreSQL Flexible Server instance, they found they had network access to other accounts within the subnet via their internal network interface. To test whether the access would work, the researchers created another PostgreSQL Flexible instance using a separate account and tried accessing it from their first database. When that worked, they looked for a way to similarly use their instance to access other accounts without authenticating to them. This led to the discovery of a vulnerability that allowed them to do just that, using a forged certificate.

Luttwak explains the exploit as leveraging an Azure high availability function that uses PostgreSQL's replication feature to replicate databases between servers.

"The replication service connects to the database instance and has the permissions to replicate it to other nodes" via a shared network, he says. Wiz researchers found they could get complete copies of other databases by authenticating as the replication service to other PostgreSQL instances using a certificate issued to an arbitrary domain rather than Azure's replication service certificate.

"We didn't actually achieve access to the replication service certificate," Luttwak says. "But we found a way to bypass \[it\] since the PostgreSQL was only looking for a private key with a certain prefix."

That allowed Wiz to simply create a legitimate-looking certificate that passed the authentication, Luttwak notes.

He says the two — now patched — vulnerabilities would have needed to be chained to have significant impact. That's because the first vulnerability only provides local access to a database instance. But without it, an attacker would not have the privileges required for cross-account access.

Microsoft Patches Pair of Dangerous Vulnerabilities in Azure PostgreSQL

Security, cost, and reliability top the list of concerns IT teams have about their cloud operations, according to a recent report.

Security, cost, and reliability top the list of concerns IT teams have about their cloud operations, according to a recent report.

Source: Dark Reading

When asked about their top cloud concerns, more than a quarter of IT decision-makers — 26% — said they are concerned about their staff's "skillset on dealing with cloud computing," according to new Dark Reading research.

The Dark Reading State of the Cloud report surveyed 339 IT employees of companies that use cloud computing. The respondents overwhelmingly (73%) identified security as their biggest worry, followed by cost (58%) and reliability (50%). Other top concerns included functionality limitations (10%), having too much core data on the cloud (10%), inadequate service agreements (6%), and vendors trying to sell them additional cloud services (6%).

These results reflect a current climate in which IT professionals are scrambling to find a way to secure entirely new cloud attack surfaces and make existential business decisions based on evolving technologies. They need something secure and cost-efficient, and they need it to actually work.

And having a team skilled up to manage it all would be nice, too.

Download the State of the Cloud: A Security Perspective for more details. The data used in the report comes from research jointly conducted with four other Informa Tech publications — InformationWeek, ITPro Today, Network Computing, and Data Center Knowledge.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

IT Teams Worry Staff Lack Cloud-Specific Skills

Blue-chip companies deepen commitment based on success of long-standing customer and partner relationships and conviction of Securonix’s vision and hypergrowth potential.

Capital One Ventures, Snowflake Ventures, Verizon Ventures, and Wipro Ventures Join Securonix $1B+ Growth Investment as Strategic Investors

Higher probabilities of attack, soaring ransoms, and less chance of getting data back — the ransomware plague gets worse, and cyber insurance fails to be a panacea.

When it comes to ransomware, more companies are seeing attacks and have had data encrypted, according to research out this week. And even though more companies are backing up or paying ransom demands, less data was recovered in 2021 compared with the previous year.

For instance, in its "State of Ransomware 2022" report, cybersecurity firm Sophos found that 66% of surveyed companies had encountered ransomware in 2021, with two-thirds of those firms — or 43% overall — suffering from an actual attack that encrypted data. In its previous report covering 2020, the frequency of successful attacks was much smaller, with about 20% overall resulting in encryption. 

The deteriorating cyberthreat landscape is largely due to the evolution of ransomware groups and their techniques, says Sean Gallagher, senior threat researcher with Sophos.

"Over the past couple of years, there has been a massive transition from ransomware to ransomware-as-a-service," he says. "There are very well-established \[groups\] that are doing these attacks, and as a result, the number of attacks companies are seeing has gone up."

Ransomware continues to plague companies with business-disrupting attacks and defy efforts by cybersecurity experts to rein in the operators behind the criminals campaigns. Not only did the portion of companies affected by ransomware more than double last year, but the mean ransomware payment more than quadrupled to $812,000, according to the Sophos report. 

Companies in the energy and manufacturing sectors each saw average ransoms of more than $2 million.

    

Two-thirds of companies saw ransomware attempts in 2021. Source: Sophos

The research team at Check Point Software Technologies saw an increase in ransomware attacks as well, noting that attempted attacks climbed 24% in 2021 compared with 2020. In an analysis of chat logs leaked from the Conti ransomware group, Check Point Research noted that the operators discussed how to set ransoms in some detail, but also stressed that ransoms often are not the most significant cost to businesses.

"\[T\]he extortion cost is marginal compared to other losses suffered by the victim," the researchers stated. "Most other losses, including response and restoration costs, legal fees, monitoring costs, etc., are applied whether the extortion demand was paid or not."

In 2021, the mean ransom paid to cybercriminals rose to $812,000, from $170,000 in 2020, but that still fell far short of the average $1.4 million bill for remediating an attack, according to Sophos. Recovery also took time, with the average company needing about a month to recover from a ransomware attack, according to the report.

**Don't Expect Your Data Back**  
In addition, while ransom demands have risen dramatically, increases that other surveys have seen hints of as well, paying them does not mean full data recovery. In fact, data-recovery statistics from Sophos highlight the fact that that paying ransoms has a terrible return on investment. 

While 99% of companies recovered some of their data, they could only recover 61% of encrypted data on average, according to Sophos. And while 46% of companies paid a ransom, only 4% of those that did got all their data back, down from 8% in 2020. Such statistics have caused some cybersecurity experts to question whether companies should ever pay the ransom.

While healthcare organizations and state and local governments were among top ransomware targets before and during the pandemic, they also earned ransomware groups some of the lowest payouts. The average infected healthcare organization paid $197,000, while the average compromised state or local government agency paid a ransom of $214,000, the Sophos survey found.

**Cyber insurance Doesn't Solve Ransomware, but It Helps  
**Cyber insurance has changed along with the ransomware landscape. In 2021, insurance companies already had experienced problems with the expense of cybersecurity policies as companies sought to recover damages from ransomware incidents. The vast majority of companies (94%) have found it harder in the past year to qualify for cyber insurance, while almost all (97%) have had to make changes to their defenses to improve their ability to garner coverage, according to Sophos' survey.

While 98% of companies affected by ransomware received a payout under their cyber-insurance policies, only 77% collected for clean-up costs, and only 40% of the policies paid the ransoms, the survey found.

"It’s interesting to note that the sectors with the lowest rate of ransom payment are also the ones able to recover fastest from an incident, emphasizing the importance of disaster-recovery planning and preparation," the report stated. "It's worth remembering that while cyber insurance will help get you back to your previous state, it doesn’t cover 'betterment' — when you need to invest in better technologies and services to address weaknesses that led to the attack."

The Ransomware Crisis Deepens, While Data Recovery Stalls

The sophisticated Bumblebee downloader is being used in ongoing email-borne attacks that could lead to ransomware infections.

At least three separate waves of cyberattacks are underway that feature a sophisticated new malware loader dubbed Bumblebee that fetches shell code and second-stage tools, such as Cobalt Strike, Sliver, and Meterpreter – possibly in a run-up to ransomware attacks.

As an initial-access tool – backdoor malware that infects a target before loading follow-on binaries – Bumblebee specializes in stealth, according to research from Proofpoint.

"Bumblebee is in active development and wields elaborate evasion techniques to include complex anti-virtualization," researchers explain in a report issued on Thursday. "Unlike most other malware that uses process hollowing or DLL injection, this loader utilizes an asynchronous procedure call (APC) injection to start the shellcode from the commands received from the command and control (C2)."

Further, Bumblebee appears to be a significantly upgraded replacement for the well-known BazaLoader tool that often presages ransomware attacks. 

"Threat actors using Bumblebee are associated with malware payloads that have been linked to follow-on ransomware campaigns," researchers note in the report. And "campaigns identified by Proofpoint overlap with activity detailed \[by Google\] as leading to Conti and Diavol ransomware."

**BazaLoader Replacement  
**Bumblebee first buzzed onto the scene in March, shortly after BazaLoader disappeared from Proofpoint’s telemetry, researchers said.

BazaLoader was up until then a common malware first seen in 2020, sharing the cybercrime spotlight with other favored initial-access baddies, such as Emotet, Trickbot, and IcedID. Notably, it was employed in several high-volume campaigns that led to Conti ransomware infections.

"BazaLoader's apparent disappearance from the cybercrime threat landscape coincides with the timing of Conti Leaks, when, at the end of February, a Ukrainian researcher with access to Conti's internal operations began leaking data from the cybercriminal organization. Infrastructure associated with BazaLoader was identified in the leaked files," researchers explain in the report.

Now Bumblebee is cropping up in campaigns run by the same crimeware groups previously observed delivering BazaLoader, the report notes. Proofpoint added that the groups are likely initial-access brokers (IABs), which dovetails with the previously mentioned Google TAG research. IABs infiltrate targets and sell specialized access to backdoored corporate networks on the Dark Web, and they often partner with ransomware operators as part of a thriving underground economy. They excel at finding unpatched machines, password-cracking and brute-forcing, social engineering and phishing, and other common avenues for infection.

"Several threat actors that typically use BazaLoader in malware campaigns have transitioned to Bumblebee," Proofpoint researchers say. "Proofpoint assesses with moderate confidence the actors using Bumblebee may be considered initial-access facilitators."

**Hive of Activity: Ongoing Cybercrime Campaigns**  
Starting in March, Proofpoint observed Bumblebee campaigns distributed via email campaigns by at least three tracked threat actors.

“While lures, delivery techniques, and file names are typically customized to the different threat actors distributing the campaigns, Proofpoint observed several commonalities across campaigns, such as the use of ISO files containing shortcut files and DLLs and a common DLL entry point used by multiple actors within the same week,” according to the report. ISO files are used to store images of optical disks, DVDs, CDs, and other media.

In one case, a DocuSign-branded email campaign was designed to trick targets into downloading a malicious, zipped ISO file purporting to be an unpaid invoice, hosted on OneDrive. The emails contained either a hyperlink asking recipients to “REVIEW THE DOCUMENT" in the body of the message, or they used HTML attachments.

“The embedded URL in the HTML attachment used a redirect service which Proofpoint refers to as Cookie Reloaded, a URL redirect service which uses Prometheus TDS to filter downloads based on the time zone and cookies of the potential victim,” explain the researchers. “The redirector in turn directed the user to a zipped ISO file, also hosted on OneDrive.”

The ISO file contained a shortcut file named "ATTACHME.LNK," which, when clicked, executed "Attachments.dat" with the correct parameters to run the Bumblebee downloader.

In another case, a campaign used thread jacking (i.e., when cybercriminals reply to existing email exchanges, inserting themselves into legitimate conversations) to deliver emails with malicious zipped ISO attachments.

And in yet another case, emails were generated by submitting a message to a contact form on the target's website, while leaving public comments regarding the topic on the target's site. As a lure, the attackers made claims about stolen images on the website. These "complaints" contained a link to a landing page that directed the user to the download of a malicious ISO file.

    

A bogus 'complaint' about the use of stolen images.

_Source: Proofpoint_

"The use of Bumblebee by multiple threat actors, the timing of its introduction in the landscape, and behaviors described in this report can be considered a notable shift in the cybercriminal threat landscape," researchers conclude. "Proofpoint assesses with high confidence based on malware artifacts all the tracked threat actors using Bumblebee are receiving it from the same source."  

To protect themselves, organizations should shore up basic security hygiene, such as timely patching and strong password/multifactor authentication use – and also work with employees to instill awareness of email-borne threats and common social-engineering trickery.

**Malware Analysis: This Is No Bumbler  
**Bumblebee is new and still under active development, but it’s already a sophisticated threat that organizations should watch out for, Proofpoint warned.

Once installed, the loader gathers system information and generates a "client ID." It then hooks up with the C2 (the address(es) are stored in plaintext) and checks in at randomized intervals of seconds to retrieve commands.

Bumblebee supports the following commands:  

*   Shi: shellcode injection
*   Dij: DLL injection
*   Dex: Download executable
*   Sdl: uninstall loader
*   Ins: enable persistence on the bot

Notably, it contains powerful anti-analysis and evasion tactics, including sandbox and virtual-machine awareness, the addition of an encryption layer to the network communications, and a check on current running processes against a hardcoded list of common tools used by malware analysts.

"The introduction of the Bumblebee loader to the crimeware threat landscape and its apparent replacement for BazaLoader demonstrates the flexibility threat actors have to quickly shift \[tactics, techniques, and procedures\] and adopt new malware," says Sherrod DeGrippo, vice president of threat research and detection at Proofpoint. "Additionally, the malware is quite sophisticated and demonstrates being in ongoing, active development, introducing new methods of evading detection."

Source

DARKReading