The mobile device maker continues to investigate IntelBroker's claims of another high-profile data breach, with the cybercriminal group posting on BreachForums internal data allegedly stolen from Nokia through a third-party contractor.

Source: Nico El Nino via Alamy Stock Photo

Nokia is investigating an alleged cyberattack in which threat actors claim to have stolen sensitive internal data. However, the company says that so far there is no evidence that either its data or systems were affected by a breach.

Known threat actor IntelBroker on Tuesday posted what it claimed is Nokia's online internal data — including SSH keys, source code, and internal credentials — putting it up for sale on the BreachForums cybercrime site for $20,000, according to a published report on HackRead.

The group claimed to have obtained the data through a breach of a third-party contractor linked to Nokia’s internal tool development, though no customer data seems to have been affected by the breach, according to the report.

"Nokia is aware of reports that an unauthorized actor has alleged to have gained access to certain third-party contractor data and possibly data of Nokia," a Nokia spokesperson tells Dark Reading. "Nokia takes this allegation seriously and we are investigating."

However, at this time, the company's investigation "has found no evidence that any of our systems or data being impacted," though Nokia continues "to closely monitor the situation," the spokesperson says.

**Group Known for High-Profile Data Heists**

Given that IntelBroker is a notorious threat actor that already has pulled off a series of high-profile data heists, the chance that Nokia eventually will find that its data has been stolen seems likely. The Serbian-based entity began operations in 2022 and is linked to data breaches that affected Apple, the US House of Representatives, Europol, General Electric, and DARPA (Defense Advanced Research Projects Agency).

If IntelBroker's claim turns out to be true, data stolen in the heist and then sold to a malicious actor or actors potentially could be used to engage in other cybercriminal activity against Nokia. For example, stolen using credentials to gain unauthorized access to Nokia systems and breach other sensitive data or propagate malware. Depending on the nature of the data, other organizations also could be at risk.

The incident also demonstrates yet another example of how organizations are exposed to security risks through third-parties that contract with the company, observes Jim Routh, chief trust officer at cybersecurity firm Saviynt. However, that the breach itself occurred through a third party is not a huge surprise, he tells Dark Reading via email.

**Mitigating Third-Party Risk**

In fact, numerous high-profile cyberattacks at global multinational organizations have been the result of breaches through third parties, including incidents that occurred at credit card company American Express, Spanish banking institution Santander, and US-based financial organization Bank of America.

However, Routh says that the alleged Nokia breach "represents a bit of a head-scratcher" because it involves the compromise of "third-party credentials for access to the software supply chain."

"The head-scratching comes from why a third party has access to Nokia source code," he notes. However, it's possible that attackers gained access through a software engineer contributing to an internal project, Routh adds, speculating that hackers exploited "credential management for access to the software build process."

One potential way that organizations can protect themselves from a similar incident, he says, is to improve identity management for cloud accounts with access to the software supply chain to avoid inadvertently exposing sensitive data to threat actors.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Nokia: No Evidence So Far That Hackers Breached Company Data

In a time of increasingly sophisticated cross-domain attacks, relying solely on automated solutions isn't enough.

Adam Meyers, Senior Vice President of Counter Adversary Operations, CrowdStrike

November 6, 2024

5 Min Read

Source: Andrey Khokhlov via Alamy Stock Photo

COMMENTARY

Throughout the past year, we've seen a sharp uptick in cross-domain threats. This activity spans multiple domains within an organization's IT architecture, including identity, cloud, and endpoint. These attacks leave minimal footprints in each domain, like separate puzzle pieces, making them harder to detect. 

While cross-domain intrusions vary in complexity, my team and I are increasingly observing attacks that leverage stolen credentials to breach cloud environments and move laterally across endpoints. This activity is fueled by sophisticated phishing techniques and the proliferation of infostealers. Once adversaries obtain or steal credentials, they can gain direct access to poorly configured cloud environments and bypass heavily defended endpoints. With this access, they often deploy remote monitoring and management (RMM) tools instead of malware, making these attacks particularly hard to detect and disrupt. 

**Scattered Spider: A Master of Cross-Domain Tradecraft**

One of the most proficient adversaries in cross-domain attacks is the prolific e-crime group Scattered Spider. Throughout 2023 and 2024, Scattered Spider demonstrated sophisticated cross-domain tradecraft within targeted cloud environments, frequently using spear-phishing, policy modification, and access to password managers. 

In May 2024, CrowdStrike observed Scattered Spider establish a foothold on a cloud-hosted virtual machine (VM) instance via a cloud service VM management agent. The adversary compromised existing credentials through a phishing campaign to authenticate to the cloud control plane. Once inside, they established persistence.  

This attack spanned three operational domains: email, cloud management, and within the VM itself. As a result, the detectable footprint in any single domain was minimal and difficult to identify with traditional signature-based detection methods. Identifying this attack relied on extensive threat intelligence and prior knowledge of Scattered Spider's tactics. By correlating telemetry from the cloud control plane with detections within the virtual machine, threat hunters were able to recognize and stop the intrusion in progress. 

**A Massive Insider Scheme: DPRK's Famous Chollima**

North Korea-nexus adversary Famous Chollima presented a unique challenge to threat hunters with a highly sophisticated attack campaign expanding beyond technology boundaries. In this massive insider threat scheme, malicious actors obtained contract or full-time positions using falsified or stolen identity documents to bypass background checks. Their résumés often listed employment at prominent companies, with no gaps, making them appear legitimate.  

In April 2024, CrowdStrike responded to the first of several incidents where Famous Chollima targeted more than 30 US-based companies, including those in the aerospace, defense, retail, and technology sectors. Leveraging data from a single incident, threat hunters developed a scalable plan to hunt this emerging insider threat and identified over 30 additional affected customers within two days. 

In many cases, the adversary attempted to exfiltrate data and install RMM tools using company network credentials to facilitate unauthorized access. CrowdStrike threat hunters searched for RMM tools paired with suspicious network connections to uncover additional data and identify suspicious behaviors. By mid-2024, the US Department of Justice indicted several individuals involved in this scheme, which likely enabled North Korean nationals to raise funds for the DPRK government and its weapons programs. CrowdStrike's coordinated efforts with law enforcement and the intelligence community were instrumental in bringing these malicious activities to light and disrupting the massive threat. 

**Putting the Puzzle Pieces Together: Stopping Cross-Domain Attacks**

Countering sophisticated cross-domain threats requires constant awareness of behavioral and operational shifts, making intelligence-driven hunting essential. Stopping these novel attacks takes a multipronged approach involving people, process, and technology. For organizations to protect against these attacks they should adopt the following approaches:  

*   Full visibility: Unified visibility across the enterprise (cloud, endpoints, and identities) is essential to detect and correlate cross-domain attacks. This approach prevents adversaries from moving laterally through environments, improves response time, and reduces the likelihood of incidents escalating into breaches. 
    

*   Integrate cross-domain hunting: 24/7 real-time threat hunters can proactively search across security planes for malicious behavior. By continuously monitoring employee activity, they can detect deviations from normal behavior, such as abnormal use of RMM tools.  
    

*   Focus on identity: Identity is one of the fastest-growing threat vectors. To mitigate risks, businesses must implement advanced identity verification processes, such as multifactor authentication and biometric check. In addition to establishing strong authentication procedures, identity protection should be implemented to catch anomalous authentication events before they turn into a breach. 
    

In a time of increasingly sophisticated cross-domain attacks, relying solely on automated solutions isn't enough. As these stealthy threats operate across identity, cloud, and endpoint, they require a blend of advanced technology, the irreplaceable insights of human expertise, and cutting-edge telemetry to inform proactive decision making. Threat hunters and intelligence analysts, working in tandem with cutting-edge tools, are essential for identifying, understanding, and neutralizing these ever-evolving dangers before they can cause harm. 

Don't miss the latest Dark Reading Confidential podcast, where we talk about NIST's post-quantum cryptography standards and what comes next for cybersecurity practitioners. Guests from General Dynamics Information Technology (GDIT) and Carnegie Mellon University break it all down. Listen now! 

**About the Author**

Senior Vice President of Counter Adversary Operations, CrowdStrike

As CrowdStrike's senior vice president of counter adversary operations, Adam Meyers leads the Threat Intelligence line of business for the company. Meyers directs a geographically dispersed team of cyber threat experts tracking criminal, state-sponsored, and nationalist cyber adversary groups around the globe and producing actionable intelligence to protect customers. He oversees the development and deployment of AI, machine learning, reverse engineering, natural language processing, and other technologies to detect suspicious and malicious cyber behavior and stop increasingly sophisticated adversaries. Meyers’ work in combining human intelligence and intelligence derived from technology continues to transform cybersecurity. 

Meyers works closely with other departments within CrowdStrike to ensure the smooth and speedy integration of intelligence into CrowdStrike’s entire lineup of products and services. His team brings unprecedented insights into the activities of cyber threat actors, providing strategic and technical guidance to Fortune 100 businesses, major financial institutions, key government agencies, and other CrowdStrike customers.

How to Outsmart Stealthy E-Crime and Nation-State Threats

When it comes to landing a job in cybersecurity, what does it take to stand out from the pack? Try playing games.

Source: Ekkaphan via Adobe Stock Photo

While having the right technical chops and certifications matter, having cyber-gaming experience, whether it's participating on a cyber games team or in online competitions, can help you stand out when potential hiring managers are reviewing your resume. It can also give you more confidence after you land the job.

From showing that they can perform well under pressure to demonstrating that they're a good team player, there are many reasons why playing on a cyber team could give a candidate a leg up, says US Cyber Games commissioner Jessica Gulick, who has often asked job candidates what they did in their free time to get a broader understanding of their technology capabilities. Gamers always stood out, and she found it beneficial to hire them, particularly in areas such as penetration testing and forensics. These candidates usually were good at entering unknown environments and figuring things out given limited information, as well as sticking it out to identify solutions if they initially fail, she says.

"They're the kind of people that walk into a room and are constantly looking around and looking beyond what they see," Gulick says. "Is there an Easter egg? They don't need instructions; they'll just figure it out. And to have that kind of employee, it means that it's a faster time to value for your corporation. You're bringing on somebody who doesn't need a lot of hand-holding, \[someone who is\] going to really take the ball and run with it."

**Demonstrate Technical Proficiency**

When it comes to technical skills, cyber games give players the chance to practice the kinds of skills that they'll use on the job but in a safe context — not connected to any active business or infrastructure network that would be harmed by an actual cyberattack. And it gives players exposure to a broader array of cybersecurity experience than they might get in a role with specific responsibilities.

"Players are gaining skills in areas that they may not be particularly focused on right now, and that's a huge thing to give them those extra skill sets to work on the workforce and have on their resume," says US Women's Cyber Team assistant coach Chelsie Cooper, also a senior intelligence analyst at CrowdStrike. "That's a huge boost. Having this skill set specifically is definitely going to help them push forward to stand out in an applicant pool."

Showing technical proficiency in a cyber game, like having experience playing with the National Cyber League (NCL), can help candidates stand out. The NCL, an organization that holds cyber competitions for students, issues report cards to participants that they can use to show how well they performed in subjects like forensics or Web security. That can give them an edge as job candidates.

"If you have two students or two early career professionals that are interviewing and you ask, 'What's your experience doing pen testing with this particular vector of an attack?' the one who doesn't have experience is going to say, 'I don't have experience. Why are you asking me this?' whereas the one who has experience playing a game can say, 'Well, I don't have on the job experience, but I saw something similar when I was playing this game. Here's what I did about it,'" Gulick says.

The person who played the game will likely get the job.

**Develop Soft Skills, Teamwork**

Being on a cyber team can also help you hone nontechnical skills that are valuable in the workplace, like collaboration, mentoring, and working well in groups.

"Cyber games allow us to really cultivate those skills, the situational awareness, the ability to work as a team, to be able to pass off or to ask for help, or to mentor," Gulick says. "These are all critical skills that create high-performing teams."

Sarah Ogden, a 19-year-old student at Northern Kentucky University and a junior member of the US Women's Cyber Team, says she's excited about participating in this year's competition, but it's with a bigger goal in mind: to be competitive when it's her turn on the job market.

"My end goal is to get into a large company as a security engineer and actually get to see how the code and systems are developed, and to make an actual difference in that company's security and see the payoff of that," she says.

**Exposure to Job Opportunities**

Playing on a cyber team can also give competitors exposure to job opportunities with corporate sponsors. According to Gulick, sponsors like Battelle have hired team members.

"Competing as part of the US Cyber Team continually exposes athletes to a wide range of skill sets — such as binary exploitation, reverse engineering, and red-versus-blue activities — that enable them to excel in an increasingly competitive early-career job market. This experience provides them with a distinct credential on their resumes that sets them apart from their peers," says Chase P. Schueler, division manager for Battelle's cyber business.

US Cyber Team athletes also demonstrate "remarkable self-motivation," he adds.

"The selection process demands both skill and dedication, which are critical in a field where formal academic training is still limited when compared to the physical sciences," Schueler says. "This strong display of commitment makes them especially attractive to employers, including here at Battelle, who can see them as known quantities with demonstrated proficiencies."

**About the Author**

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

How Playing Cyber Games Can Help You Get Hired

The suspect, tracked as UNC5537, allegedly bragged about hacking several Snowflake victims on Telegram, drawing attention to himself.

Source: GK Images via Alamy Stock Photo

Canadian authorities arrested Alexander "Connor" Moucka, whom they believe orchestrated a malicious campaign that compromised 165 Snowflake accounts.

Moucka was scheduled to appear in court today, though limited information has been shared regarding his arrest or potential extradition. Online, Moucka reportedly went by the aliases "Judische" and "Waifu."

Snowflake is an American cloud-based data storage company operating on Amazon Web Services, Microsoft Azure, and Google Cloud Platform. Judische bragged about hacking several Snowflake victims on Telegram just before the attacks were confirmed, prompting suspicion.

In May, the storage vendor warned that a limited number of customer accounts were targeted by threat actors, none of which were protected by multifactor authentication.

Google Mandiant later investigated the breach and found that the attackers used previously compromised credentials from information-stealer infections to access these accounts.

The threat actor behind the attacks is tracked as UNC5537, with its campaign beginning in April and targeting organizations such as Ticketmaster, Advanced Auto Parts, Neiman Marcus, State Farm, AT&T, and others.

In the past, the threat actor has demanded ransom payments ranging from $300,000 to $5 million from organizations in exchange for deleting data it steals from their Snowflake accounts.  
Don't miss the latest Dark Reading Confidential podcast, where we talk about NIST's post-quantum cryptography standards and what comes next for cybersecurity practitioners. Guests from General Dynamics Information Technology (GDIT) and Carnegie Mellon University break it all down. Listen now! 

**About the Author**

Canadian Authorities Arrest Attacker Who Stole Snowflake Data

The CRON#TRAP campaign involves a novel technique for executing malicious commands on a compromised system.

Computer display with obfuscated codeSource: Grenar via Shutterstock

Among the many constantly evolving tactics that threat actors are using to target organizations is a new one involving emulated Linux environments to stage malware and conceal malicious activity.

Researchers at Securonix spotted an attacker using the novel approach to maintain a stealthy presence on target systems and harvest data from them undetected by conventional antivirus and malware detection systems.

**Novel Technique**

So far, the security vendor has not been able to identify the adversary or determine whom they might be targeting. But available evidence — including the campaign's verbiage and the fact that the command-and-control (C2) server is based in the US — suggest that organizations in North America are the primary focus, Securonix theorized in a report this week.

"While not all evidence points one way or the other, the technical sophistication and customization observed make it more likely that \[the campaign\] was crafted with specific targets or sectors in mind within North America and Europe," says Tim Peck, senior threat researcher at Securonix.

CRON#TRAP, as Securonix is tracking the campaign, is notable for the attacker's use of a custom emulated QEMU Linux environment to persist on endpoints and execute a variety of malicious activity on them. QEMU — for Quick EMUlater — is an open source, cross-platform virtualization tool that allows organizations to emulate systems based on x86, PowerPC, ARM, and other processor technologies. One of its primary use cases is to emulate hardware platforms for software testing across Linux, Windows, macOS, and other operating system environments.

"In the case of the CRON#TRAP campaign, the attackers opted to emulate a Linux installation of Tiny Core Linux," Securonix said in its blog. "As far as we can determine, this is the first time that this tool has been used by attackers for malicious purposes outside of cryptomining." Tiny Core Linux is a modular, lightweight Linux distribution with a footprint small enough for use in resource-constrained environments.

The attacks that Securonix observed as part of the CRON#TRAP campaign began with a phishing email containing a link to an unusually large zip file with a survey-themed name.

The zip file contained a similarly themed shortcut file, which, when clicked on, once again extracted the contents of the zip file and initiated a sequence of steps that ended with the QEMU virtual box getting deployed on the victim machine. Securonix found the emulated Linux instance to contain a preconfigured backdoor that during startup automatically connected the victim systems to a hardcoded C2 server in the US. The attackers implemented the backdoor using Chisel, a legitimate tool for creating secure, encrypted tunnels for transferring data, typically over WebSockets.

The security vendor's analysis of the QEMU image showed the attackers named it PivotBox. It contained a detailed history of the commands the threat actor had executed undetected within the emulated Linux environment. Among them were commands for network testing and initial reconnaissance, user enumeration, tool installation and preparation, SSH key manipulation, payload manipulation and execution, file and environment management, data exfiltration, privilege escalation, and persistence.

**Clearly Motivated Attacker**

"The commands executed by the threat actor reveal a clear intention to establish persistence, maintain covert access," Peck says. "They were highly focused on establishing a stable, reliable, and stealthy point of access within the target's network." The use of SSH key generation and subsequent uploads of the public key to a file-sharing service highlight an effort to ensure persistent remote access even after reboots, he notes.

The use of emulated Linux environment for malicious activity is the latest example of how attackers constantly find new ways and new techniques to bypass security mechanisms. As with any malicious campaign, the best protection against attacks like CRON#TRAP is to nip them in the bud, which in this case would be training users not to act on phishing emails, Peck says. For instance, the zip file associated with the campaign weighs in at a massive 285MB, which alone should be cause for suspicion.

Beyond that, measures such as application whitelisting and endpoint monitoring can also help organizations detect such campaigns. "As QEMU was executed through unconventional methods, this does present us with interesting detection opportunities," Peck says. One example is detecting the execution of QEMU outside the default Program Files directory. "Monitoring for network-based indicators such as persistent SSH connections from unexpected endpoints could also aid in detecting this campaign."

Don't miss the latest Dark Reading Confidential podcast, where we talk about NIST's post-quantum cryptography standards and what comes next for cybersecurity practitioners. Guests from General Dynamics Information Technology (GDIT) and Carnegie Mellon University break it all down. Listen now! 

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Attacker Hides Malicious Activity in Emulated Linux Environment

Chinese-speaking adversaries are using a fresh Android banking Trojan to take over devices and initiate fraudulent money transfers from financial institutions across Latin America, Italy, Portugal, and Spain.

Source: Oneinchpunch via Alamy Stock Photo

Researchers have designated a new botnet on the scene — initially suspected to be a part of the Toxic banking Trojan family — as a whole new spinoff strain with its own moniker, ToxicPanda.

The ToxicPanda banking bot has turned up on at least 1,500 individual devices across Italy, Portugal, Spain, and Latin America, actively trying to steal money from at least 16 different financial institutions, according to new findings from Cleafy. The Chinese-speaking threat actors behind ToxicPanda deploy the malware to take over a targeted device and initiate scam money transfers, bypassing the banks' identity and authentication protections, the Cleafy team warned.

"Remote access capabilities allow threat actors to conduct account takeover (ATO) directly from the infected device, thus exploiting the on-device Fraud (ODF) technique," the Cleafy report explained. "This consolidation of this technique has already been seen by other banking Trojans, such as Medusa, Copybara, and, recently, BingoMod."

This stripped-down, manual approach to the Android banking Trojan gives the threat actors the advantage of not having to use highly skilled developers, it opens up the potential to victimize a wider swath of banking customers, and it bypasses many cybersecurity protections used by financial services and banks, the researchers noted.

Importantly, code analysis uncovered that ToxicPanda is in the early stages of development. But that doesn't mean it doesn't already have an impressive set of features, including the ability to exploit Android's accessibility services to escalate permissions, and capturing data from applications, the Cleafy team noted.

Further, ToxicPanda allows the threat actor to gain remote control of the infected device and initiate actions like money transfers without the users' knowledge. The banking Trojan also intercepts one-time passwords sent either by text or authenticator app, completely dismantling multifactor authentication protections. Finally, ToxicPanda is loaded with code-hiding tricks to avoid detection.

The ramp up of ToxicPanda indicates Chinese-speaking threat actors are beefing up their operations to expand into new territory outside its traditional Southeast Asian roots, the report warns.

"This trend underscores the mobile security ecosystem's escalating challenge, as the marketplace is increasingly saturated with malware and new threat actors emerge," Cleafy's report said. "An important question arising from this analysis is not just how to defend against threats like ToxicPanda but why contemporary antivirus solutions have struggled to detect a threat that is, in technical terms, relatively straightforward. Although there is no single answer, the lack of proactive, real-time detection systems is a primary issue."

**Google Patches Two Actively Exploited Android Flaws**

As Chinese-speaking groups look to gain initial access to devices, they often leverage Android vulnerabilities in wide-scale attacks.

Fittingly, on Nov. 4, Google released patches for dozens of Android vulnerabilities as part of November's update, among them, two that already have been exploited, CVE-2024-43047 and CVE-2024-43093. Although Google has not released details, the first was discovered by Amnesty International and Google's Threat Analysis Group, which are well known for tracking commercial spyware activities. The second is a high-severity privilege escalation flaw in Android's framework.

Beyond disclosing the flaws, which "may be under limited, targeted exploitation," Google has not provided additional details.

Don't miss the latest Dark Reading Confidential podcast, where we talk about NIST's post-quantum cryptography standards and what comes next for cybersecurity practitioners. Guests from General Dynamics Information Technology (GDIT) and Carnegie Mellon University break it all down. Listen now!

Android Botnet 'ToxicPanda' Bashes Banks Across Europe, Latin America

The cybercriminal group holding the stolen information is demanding the vendor admit to the breach and pay up.

Source: RATHEESH MALAPPADAVAN via Alamy Stock Photo

The threat actors known as "Hellcat" claim to have stolen sensitive data from Schneider Electric, and the French industrial company has begun an investigation without formally acknowledging any data theft.

The hackers claim to have breached the industrial company's Jira issue tracking system and are demanding a $125,000 ransom.

"This breach has compromised critical data, including projects, issues, and plugins, along with over 400,000 rows of user data, totaling more than 40GB compressed data," the threat actors wrote on their Tor website.

However, the cybercriminals note that the ransom will drop by half if Schneider Electric confirms the breach. If their demands are not met, they have threatened to make the data they stole from the vendor public. 

In addition, one of the hackers published evidence on social media platform X regarding how they gained access into the vendor's Jira system to steal the data.

Schneider Electric reported that the cybersecurity incident involved unauthorized access to one of its "internal project execution tracking platforms" and that its global incident response team has been mobilized to deal with the fallout.

This is the third breach in under two years that the manufacturer has faced; the first involved its sustainability business division in January at the hands of Cactus ransomware, and the second was connected to the MOVEit zero-day vulnerability.

**About the Author**

Schneider Electric Clawed by 'Hellcat' Ransomware Gang

Attackers are exploiting the "Envelopes: create API" of the enormously popular document-signing service to flood corporate inboxes with convincing phishing emails aimed at defrauding organizations. It's an unusual attack vector with a high success rate.

Source: Elena Uve via Alamy Stock Photo

Cybercriminals are abusing a Docusign API in a widescale, innovative phishing campaign to send fake invoices to corporate users that appear authentic and likely would not trigger typical security defenses or user suspicions, as many similar scams might.

The campaign to defraud organizations, observed over the last several months, involves attackers creating a legitimate, paid Docusign account using the software that allows them to change templates and use the API directly, researchers at security firm Wallarm revealed in a blog post published this week.

Attackers are taking advantage of Docusign's "API-friendly environment," which while beneficial for businesses, also "inadvertently provides a way for malicious actors to scale their operations," according to the post.

Specifically, the researchers observed abuse of Docusign's "Envelopes: create API" to send one of what turned out to be a significant volume of automated emails to multiple users and recipients directly from the platform, they said. The messages use specially crafted templates "mimicking requests to e-sign documents from well-known brands," which are mainly software companies such as Norton Antivirus, according to the post by Wallarm.

Fake invoices employed in the campaign also leverage an array of other tactics to lend authenticity to the scam. These include offering accurate pricing for a company's products; the addition of expected kinds of charges, such as an activation fee; the inclusion of direct wire instructions or purchase orders; and the sending of different invoices with different items.

Related:'SteelFox' Malware Blitz Infects 11K Victims With Bundle of Pain

Ultimately, if a user e-signs the document, a threat actor can use it to request payment from organizations outside of Docusign or send the signed document through Docusign to the finance department for compensation, thus committing fraud.

The attack vector may not be limited to Docusign, Wallarm researchers warned; other e-signature and document services could be equally vulnerable to similar exploitation tactics.

**A New Type of Fake Invoice Scam**

Fake invoices are often a part of financially motivated phishing scams, and Docusign — which offers enormously popular software for digital signatures with more than 1.5 million paying customers and 1 billion users worldwide — is often a target for phishers. An API-based attack, however, can potentially be more effective than scams that simply use name recognition or impersonate the brand, for a number of reasons.

Chief among them is that because the emails come directly from Docusign, they "look legitimate to the email services and spam/phishing filters," according to Wallarm's post. "There are no malicious links or attachments; the danger lies in the authenticity of the request itself."

Related:City of Columbus Drops Case on Cyberattack Whistleblower

Indeed, because the attack uses an API exploit, "there probably won’t be many signs that would be easy to spot as in a spoofed email," Erich Kron, security awareness advocate at KnowBe4, observes. Moreover, the popularity of Docusign makes the service "a great target for this sort of attack" at a large scale due to the potential for automation by exploiting the API, he says, adding, "people put their trust in brands they recognize and know, especially those that are used often in legal or other official capacities."

**Mitigating E-Sign Cyberattacks, API Abuse**

Fortunately, there are a number of ways that organizations can protect themselves from being defrauded by such convincing attacks, as well as strategies that service providers like Docusign can take to avoid or detect API abuse, according to Wallarm.

Organizations should always double-check the sender's email address and any associated accounts for legitimacy, as well as implement strict internal procedures for approving purchases and financial transactions that involve multiple team members, if possible.

Related:EmeraldWhale's Massive Git Breach Highlights Config Gaps

"It's fascinating to see how sophisticated cybercriminals have become, leveraging legitimate tools like Docusign to craft realistic phishing attacks," says Randolph Barr, CISO at Cequence. "This highlights the importance of verifying the source of any document signing request, even if it appears to come from a trusted source. \[Organizations\] should emphasize the importance of pausing and verifying before taking any action, even if it seems urgent. Additionally, IT and security teams must stay informed about the latest attack methods and techniques to effectively protect their organizations."

Keeping a close eye on unexpected invoices or requests, especially those that include unusual charges or fees, also can help organizations avoid paying criminals rather than legitimate entities.

Service providers also can take responsibility for mitigating API-based attacks by understanding how APIs may be abused in phishing attacks by conducting regular threat modeling exercises to identify potential attack vectors. They also can apply rate limits to specific API endpoints to prevent attackers from scaling in cases of API abuse, according to the researchers.

Don't miss the latest Dark Reading Confidential podcast, where we talk about NIST's post-quantum cryptography standards and what comes next for cybersecurity practitioners. Guests from General Dynamics Information Technology (GDIT) and Carnegie Mellon University break it all down. Listen now!

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Docusign API Abused in Widescale, Novel Invoice Attack

Government and industry want to jump-start the conversation around "human-centric cybersecurity" to boost the usability and effectiveness of security products and services.

Source: whiteMocca via Shutterstock

Many security teams view their nonsecurity coworkers as the potential weak point in any cybersecurity plan, so they bring in technology to mitigate their inevitable poor choices. The viewpoint is understandable: The "human element" contributed to 68% of breaches in 2023 and 74% of breaches in 2022, according to Verizon's "Data Breach Investigations Report."

Yet, the approach is failing companies that want to improve their cybersecurity, experts say. In a US government handout titled "Users Are Not Stupid," the National Institute of Standards and Technology (NIST) urges organizations to avoid creating insider threats through poor usability, layering on too much security, and failing to consider user feedback.

Instead, organizations should pursue a human-centric cybersecurity (HCC) approach, focusing on processes and products that account for users' needs and motivations and incentivize secure behaviors. An HCC program includes security-awareness and anti-phishing training, adds user feedback channels to security products, and aims to reduce the security responsibility placed on the average person. Tools that are critical for companies taking an HCC approach include security monitoring and user/entity behavior analytics (UEBA).

Yet HCC goes beyond just looking for user-centric or user-friendly security products, says Julie Haney, HCC program lead at NIST's Information Technology Lab.

Related:Time to Get Strict With DMARC

"It's really all about putting people at the forefront when we're designing and implementing security," Haney says. "If you don't have human-centered cybersecurity where you're considering that person, then you have unusable security solutions — so people are more prone to making errors or making risky decisions or implementing less secure work-arounds because they just need to get their jobs done."

Last month NIST launched its Human-Centered Cybersecurity Community of Interest (COI) to bring together practitioners, academics, and policymakers to discuss how to make security more effective and user-friendly.

**Cybersecurity Power to People**

The government agency isn't the only organization to focus on the human aspect of security. Increasingly, HCC has become a focus of enterprise security teams, with business intelligence firm Gartner expecting CISOs at half of large enterprises to adopt human-centric practices and designs for cybersecurity by 2027. In fact, Gartner listed human-centric security design as a top cybersecurity trend last year. The firm changed the name but continued to identify security behavior and culture programs (SBCPs) as a top cybersecurity trend in 2024.

Related:AI-Augmented Email Analysis Spots Latest Scams, Bad Content

Security teams need to stop talking at other workers and instead talk to them and work with them to build a cybersecurity-focused culture, says Victoria Cason, a senior principal analyst at Gartner.

"Taking a human-centric approach is recognizing that we're not dealing with an inanimate object," she says. "We're dealing with a human that has different behaviors, different actions, different needs, and really trying to address their wants, desires, and behaviors when it comes to best security practices, as opposed to just telling them what to do."

Among the steps that Gartner identifies as part of an SBCP are conducting threat simulations, adding automation and data analytics to aid users in making secure choices, rewarding workers for reporting potential security incidents, and tracking metrics to demonstrate SBCP impact. Nearly half of companies focused on SBCP are taking each of those steps, according to Gartner data.

Minimizing cybersecurity-induced friction will not only improve companies' security posture but will also reduce the stress that comes with a traditionally adversarial job. Gartner expects that half of cybersecurity leaders will change jobs between 2023 and 2025, with a quarter of those exiting their positions actually leaving the industry for good due to stress.

Related:Compliance Automation Pays Off for a Growing Company

**HCC: A Work in Progress**

Currently, there is no standard definition for HCC, which is partly why NIST is pushing for more research into how companies can better support the security growth of their workers. HCC broadly includes workers' attitudes about cybersecurity, their training, the usability of security products, and the creation of policies.

The latest "Federal Cybersecurity Research and Development Plan," published by the Biden administration in December 2023, identifies HCC as a priority for protecting the nation. Among the research areas espoused by the plan are finding models to determine the impacts of digital technologies and how their security properties can be validated.

"There is a need to reduce the burden of cybersecurity requirements on people, organizations, communities, and society, and to improve the usability and the user experience of digital technologies and systems," the plan states. "Research on human-centered computing aspects has indicated that including end users early in the process of design and development creates more usable systems and an improved user experience."

Gartner has come up with its own approach to implementing SBCPs, which it dubs the PIPE framework, short for practices, influences, platforms, and enablers.

"Most traditional awareness programs just rely on yearly or quarterly training, but that doesn't address the root cause of behavior," says Gartner's Cason. "So going beyond just the traditional computer-based training and phishing simulation, leveraging existing tools and capabilities like identity and access management (IAM) or security monitoring, to even emerging tools like AI can increase engagement and efficiency."

The most significant product category to encapsulate HCC may be human risk management, an evolution of the security-awareness and training market that adds adaptive human protection, according to business intelligence firm Forrester. As opposed to the checkbox compliance of many security-awareness training programs, human risk management focuses on positively educating workers while at the same time reducing the risk posed by their actions, according to a Forrester note published in February.

**Employees Do Worry Over Cybersecurity**

For the most part, workers are cognizant of the critical role in protecting the business. They are worried that they could be the cause of the next breach, with a third of workers (34%) concerned that they may take an action that leaves their organizations vulnerable, according to a survey of 1,000 workers by consultancy Ernst & Young.

Companies should work with those users and find ways to direct those concerns into productive action, rather than failing to support them and then blaming them when something goes wrong, says NIST's Haney.

"If someone clicks on that phishing link, organizations tend to put all the blame on the employee, but they're not actually looking up the chain to all of the procedural things, the process things, the people things that maybe went wrong in the organization before that," she says. "It's not just about the fault of the person at the end of the chain — there's often a lot of other things that have gone wrong before that."

Cybersecurity professionals should strive to develop a culture and mindset that does not label users as the enemy or the weakest link. Having conversations with users can uncover problems in the way security is being implemented, while empowering users to report issues can lead to earlier detection.

Finally, the advent of products — such as human risk analysis services — should be adopted carefully and with the right expectations. Tracking users who may make repeated mistakes can be useful but should not be punitive; rather, the approach should inform security teams about procedural problems or raise the possibility of additional training opportunities, Haney says.

"The data can be useful, but you have to be really careful to not, you know, start labeling people \[as\] a bad employee, or they're bad at security, and this is a person that's good at security," she says. "So there's that fine line that you have to walk."

Don't miss the latest Dark Reading Confidential podcast, where we talk about NIST's post-quantum cryptography standards and what comes next for cybersecurity practitioners. Guests from General Dynamics Information Technology (GDIT) and Carnegie Mellon University break it all down. Listen now!

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Oh, the Humanity! How to Make Humans Part of Cybersecurity Design

Zero trust is a mature approach that will improve your organization's security.

Source: Alexander Yakimov via Alamy Stock Photo

COMMENTARY

Knowing you would like to implement zero trust and actually implementing it are two different things. That's at least in part because zero trust is not a single solution one can install and walk away from. Rather, it's an approach to IT and security that emphasizes validating every connection, whether it's user to app, app to app, or process to process. The advantages are clear though: a reduced attack surface; lateral movement across a network by attackers is prevented; and each and every access to any corporate resource is granted on a per-request basis.

In short: Never trust, always verify.  

Many of the challenges associated with a large initiative like zero trust are not technical issues, but rather relate to driving change. There are significant interpersonal and organizational components to adopting this approach that must be carefully considered. Over the course of my career — most recently as chief technical officer (CTO) for GE and Synchrony Financial — I had the opportunity to work on many "big word projects," including AI, cloud, and of course, zero trust. What follows are some of my top tips for ensuring you win at cyber by influencing key stakeholders within your organization.  

**How to Win at Cyber in Five Easy Steps**

1\. Organizational Partnership 

Zero trust is a team sport. Successfully executing a zero-trust transformation requires understanding all the personas involved and aligning on intended outcomes.  

*   The CTO is focused on the infrastructure: design, maintenance, configuration, execution, and tech strategy. 
    

*   The chief information security officer (CISO) knows and owns the security strategy, security execution, and monitoring. 
    

*   The chief information officer (ClO) is focused on the technologies and applications of the organization, overseeing the people and process aspect of transformation and day-to-day operations. 
    

*   The risk leader confirms the technology group is covering all the risks to the organization and end consumer. 
    

Bringing the CTO and CISO together on a common goal of zero trust and then inviting the risk leader along on the journey is a huge step in your success. Establishing a rhythm of these leaders with the CIO brings it all together. These roles might be slightly different in your organization, but understanding each stakeholder's role and connecting them before the project begins is key. 

2\. Communication and Board-Level Metrics 

Once key leaders are aligned behind your zero-trust initiative, you need the backing of your board. This won't be accomplished by lengthy, wonky discussions of the underlying technology you hope to implement. Instead, boards want to understand your organization's risk exposure, and how you intend to manage it.  

The ability to demonstrate a comprehensive risk score is a powerful asset for establishing a baseline and reporting on progress over the course of what is likely to be a multistep, multipronged zero-trust deployment journey. Once you've established this score, continue to revisit it along each phase of your initiative to demonstrate maturity backed by real-world data from your environment. 

3\. Phased Deployment Plan 

It's no accident we speak about zero trust as a journey, one that rarely unfolds along a straight line. Transformation initiatives often begin in response to a stimulus — implementing a VPN replacement or incorporating a new acquisition into existing IT systems, for example — and then maturing over time.  

One thing is critical, though: Develop a plan that incorporates individual use cases into an overarching strategy for deployment. A phased deployment allows stakeholders to avoid the feeling of needing to "accomplish" zero trust overnight. The first project will doubtless be the most difficult; it gets easier from there. 

4\. Pragmatic Technical Deliverables 

Throughout my career I have encountered a number of CIOs with impeccable strategic instincts who nevertheless struggle to translate them into pragmatic deliverables. When we're dealing with complex, sometimes nebulous concepts like AI, the cloud, or zero trust, it's easy to get lost in the weeds.  

It's critical that tactical actions like a VPN replacement are framed in terms of the business problems they solve. I return to the VPN example because it is a perfect illustration of enhancing security and the user experience, making it a model IT solution for a business issue. Users become more productive and benefit from a smoother experience, the opportunity for lateral movement is reduced, and cost savings are likely to accrue. 

5\. Fix the Basics 

It may sound simple, but it's a critical point that I have often seen overlooked. Tackle the low-hanging fruit, or threat actors will do it for you. So, what are the basics? Phishing not only remains the number one threat vector facing most organizations, it's also only solvable by creating a culture of security within your organization. I don't mean in terms of high-tech solutions, but by fostering basic cybersecurity literacy organization wide. With the advent of AI-assisted pretext creation, this will only become more critical in the near future.  

Zero trust is a mature approach that will up-level your organization's security. If you haven't yet started out or if you are simply looking for a more complete implementation, I hope you find this advice useful. 

Don't miss the latest Dark Reading Confidential podcast, where we talk about NIST's post-quantum cryptography standards and what comes next for cybersecurity practitioners. Guests from General Dynamics Information Technology (GDIT) and Carnegie Mellon University break it all down. Listen now!

**About the Author**

Former CTO of GE & Former CTO of Synchrony Financial

Greg Simpson is an experienced technologist, having been CTO at numerous GE businesses, and GE overall. As CTO of Synchrony, Greg first launched the foundational infrastructure to support its IPO and then drove a transformation built on a strategic technology stack that was built on the cloud, a new data lake, application APIs, and AI, enabling faster solution delivery for Synchrony customers. He also was instrumental in its transformation to a work-from-home culture during the pandemic, Greg was named a Premier 100 Technology Leader by Computerworld in 2016. Greg recently published his first a techno-thriller novel called The Quantum Contingent. His follow-up novel, Quantum Time, is coming out later this year.

Source

DARKReading