The threat actor is using a sophisticated network of VPNs and proxies to centrally manage command-and-control servers from Pyongyang.

Source: DC Studio via Shutterstock

An ongoing investigation into recent attacks by North Korea's Lazarus group on cryptocurrency entities and software developers worldwide has uncovered a hidden administrative layer that the threat actor has been using to centrally manage the campaign's command-and-control (C2) infrastructure.

The investigation by researchers at SecurityScorecard showed Lazarus using the newly discovered infrastructure to maintain direct oversight over compromised systems, control payload delivery on them, and efficiently manage exfiltrated data. Significantly, the threat actor is using the same Web-based admin platform in other campaigns, including one involving the impersonation of IT workers, the security vendor found.

**Elaborate Operational Security**

Though the threat actor has implemented elaborate operational security measures to try and evade attribution, SecurityScorecard said it was able to tie the campaign and infrastructure to North Korea with a high degree of confidence.

"\[The\] analysis makes it evident that Lazarus was orchestrating a global operation targeting the cryptocurrency industry and developers worldwide," SecurityScorecard said in a report this week. "The campaigns resulted in hundreds of victims downloading and executing the payloads, while, in the background, the exfiltrated data was being siphoned back to Pyongyang."

SecurityScorecard discovered "Phantom Circuit," the name by which it is tracking Lazarus group's newly discovered admin layer, while conducting followup investigations involving "Operation 99," a malicious campaign that it recently uncovered targeting the cryptocurrency industry and developers globally. In the campaign, members of the threat group have been posing as recruiters on LinkedIn and other online job forums to get software developers to engage in spurious project tests and code reviews.

Victims who fall for the scam are directed to clone a seemingly benign but harmful open source GitHub repository. The cloned repository connects to Lazarus group's C2 infrastructure, which the threat actor has then been using to sneak data-stealing malware into the victim's environment. As part of the campaign, Lazarus group actors have been inserting obfuscated backdoors into legitimate software products — including authentication apps and cryptocurrency software — and trying to trick developers into running them in their environments. SecurityScorecard estimates that more than 230 victims have downloaded the malicious payloads in the North Korean threat actor's latest campaign.

**Dual Motivations**

"The motivation is twofold: cryptocurrency theft and infiltration of corporate networks," Ryan Sherstobitoff, senior vice president of threat intelligence at SecurityScorecard says. More often than not, developers who fall victim to Lazarus group lures end up executing the cloned code on their corporate devices and in their work environments. "The payloads are designed to exfiltrate development secrets," he says.

SecurityScorecard uncovered the Phantom Circuit admin layer when trying to understand how Lazarus actors were managing the information they stole via Operation 99. What the company discovered was Lazarus members using what it described as a sophisticated network of Astrill VPNs and proxies to access Operation 99's C2 infrastructure in a highly concealed manner. Astrill, which has VPN servers in 142 cities and 56 countries, has a reputation for allowing users to browse the Web anonymously and bypass Internet restrictions in countries with heavy censorship.

SecurityScorecard researchers found Lazarus members using Astrill VPNs to connect to an intermediate proxy network registered with a freight company in Hasan, Russia. They then used the proxy network to connect to Operation 99's C2 infrastructure in an elaborate attempt to try and hide their tracks. The C2 servers themselves were hosted on infrastructure registered with a most likely fictional "Stark Industries, LLC."

"\[SecurityScorecard\] assesses with high confidence that the IPs used to connect to the C2s were merely a relay/proxy and used to obfuscate the true origin," the company wrote in its report this week. "The adversary was establishing a secondary session after connecting to the VPN with the proxy, thus obscuring the true origin of where they actually connected from." SecureScorecard said it was able to identify a total of six distinct IP addresses in Pyongyang that the threat actor used to initiate the Astrill VPN connections to Operation 99's C2 network.

"Phantom Circuit \[is the\] operational network behind the scenes that leads directly back to Pyongyang," Sherstobitoff says. It is also the same proxy network, he adds, that Lazarus used in another campaign where members used stolen identities to impersonate IT workers to try and secure jobs at organizations they wanted to infiltrate.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Researchers Uncover Lazarus Group Admin Layer for C2 Servers

VulnCheck initially disclosed the critical command-injection vulnerability (CVE-2024-40891) six months ago, but Zyxel has yet to mention its existence or offer users a patch to mitigate threats.

Source: Timon Schneider via Alamy Stock Photo

NEWS BRIEF

A command-injection vulnerability in Zyxel CPE Series devices is being targeted by threat actors, and there's no patch available.

The bug, tracked as CVE-2024-40891, was first discovered by VulnCheck, a vulnerability intelligence firm, and disclosed to the vendor last July. Half a year later, Zyxel has yet to fix or even mention the vulnerability.

If successfully exploited, CVE-2024-40891 could allow threat actors to execute arbitrary commands on infected devices, ultimately potentially leading to system compromise, network infiltration, and data leaks, according to VulnCheck.

Researchers at GreyNoise meanwhile have been coordinating with the researchers at VulnCheck regarding exploitation of the vulnerability, and decided to disclose it publicly this week due to the "large number of attacks" they have been observing.

They also noted that CVE-2024-40891 is very similar to a known issue tracked as CVE-2024-40890, with the primary difference between the two being one is telnet-based and the other HTTP-based. Both, however, allow unauthenticated attackers to execute arbitrary commands using service accounts, whether in the "supervisor" or "zyuser" roles.

The lack of a patch could be a significant issue: Censys is reporting more than 1,500 vulnerable devices online, and it looks like some botnet operators have built exploits for the bug into their code, according to GreyNoise.

"After identifying a significant overlap between IPs exploiting CVE-2024-40891 and those classified as Mirai, the team investigated a recent variant of Mirai and confirmed that the ability to exploit CVE-2024-40891 has been incorporated into some Mirai strains," the researchers noted.

Since there is no current fix, GreyNoise recommended that users filter traffic for unusual requests to Zyxel CPE management interfaces, monitor Zyxel's security updates to be aware if a patch is made available, restrict administrative interface access to trusted IPs, and disable unused remote management features.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Unpatched Zyxel CPE Zero-Day Pummeled by Cyberattackers

Yet another spinoff of the infamous DDoS botnet is exploiting a known vulnerability in active attacks, while its threat actors are promoting it on Telegram for other attackers to use as well, in a DDoS-as-a-service model.

Source: Kirill Ivanov via Alamy Stock Photo

Yet another Mirai botnet variant is making the rounds, this time offering distributed denial-of-service (DDoS) as-a-service by exploiting flaws in Mitel SIP phones. It also features a unique capability to communicate with attacker command-and-control (C2).

Researchers at the Akamai Security Intelligence and Response Team (SIRT) identified the variant of the infamous botnet, dubbed Aquabot, that actively exploits CVE-2024-41710, a command-injection vulnerability that affects various Mitel models that are used in corporate environments, they revealed in a blog post published Jan. 29. The vulnerability relies on an input sanitization flaw, and exploitation can lead to root access of the device, SIRT researchers Kyle Lefton and Larry Cashdollar wrote in the post.

The variant is the third version of Aquabot (Akamai calls it Aquabotv3) to appear on the scene; the first version was built off the Mirai framework with the ultimate goal of DDoS, discovered in November 2023, and it was first reported by Antiy Labs. The second version of the bot "tacked on concealment and persistence mechanisms, such as preventing device shutdown and restart" that remain present in v3, the researchers wrote.

The new variant is distinct from the previous versions for a couple of reasons, the researchers said. One is a unique feature appearing first in Aquabotv3: a function named "report\_kill" that reports back to the C2 when a kill signal is caught on the infected device. So far, however, researchers have not seen any response to the function from the attacker C2.

Related:Unpatched Zyxel CPE Zero-Day Pummeled by Cyberattackers

Another notable aspect of v3 of Aquabot is that the threat actors behind it have been advertising the botnet as DDoS as-a-service through platforms such as Telegram. The bot is advertised under several different names — including Cursinq Firewall, The Eye Services, and The Eye Botnet — offering Layer 4 and Layer 7 DDoS, the researchers noted.

**Active Exploitation of Mitel Phone Security Flaw**

Akamai SIRT detected exploit attempts targeting CVE-2024-41710 through its global network of honeypots in early January using a payload almost identical to a proof-of-concept (PoC) developed and released on GitHub in mid-August by Packetlabs' researcher Kyle Burns.

Burns discovered that the Mitel 6869i SIP phone, firmware version 6.3.0.1020, failed to sanitize user-supplied input properly, with multiple endpoints vulnerable to the flaw. His PoC demonstrated that an attacker could smuggle in entries otherwise blocked by the application's sanitization checks by sending a specially crafted HTTP POST request.

Related:Super Bowl LIX Could Be a Magnet for Cyberattacks

The exploitation activity that Akamai SIRT observed delivered a payload that attempts to fetch and execute a shell script called :bin.sh, which will in turn fetch and execute Mirai malware on the target system, the researchers wrote. The malware has support for a variety of different architectures, including x86 and ARM.

"Based on our analysis of the malware samples, we determined that this is a version of the Aquabot Mirai variant," specifically the latest evolution of the malware, Aquabotv3, the researchers wrote in the post.

In addition to being used in DDoS attacks, threat actors also are hawking Aquabot for DDoS-as-a-service, though they are trying to disguise the activity as "purely testing" for DDoS mitigation. However, the same domain featured in the ad promoting testing is actively spreading Mirai malware, the researchers noted.

"Threat actors will claim it's just a \[proof of concept\] or something educational, but a deeper analysis shows that they are in fact advertising DDoS as a service, or the owners are boasting about running their own botnet on Telegram," they wrote in the post.

**Mirai Botnet Remains Key Conduit for DDoS**

As the majority of botnets responsible for DDoS attacks are based on Mirai, "they predominantly target Internet of Things (IoT) devices, which makes spreading the malware relatively easy to do," the researchers noted in the post. Indeed, a recent wave of global DDoS attacks were attributed to Mirai botnet spinoffs, demonstrating that attackers aiming to leverage Mirai show no signs of slowing down.

Related:Apple Patches Actively Exploited Zero-Day Vulnerability

That's likely because "the \[return on investment\] of Mirai for an aspiring botnet author is high," because it's not only one of the most successful botnet families in the world, it's also one of the more simple ones to modify, the researchers noted.

Moreover, many IoT devices often lack proper security features, are at the end of service, or are left with default configurations and passwords either from neglect or lack of knowledge about the dangers, making them low-hanging fruit for Mirai and its variants, the researchers wrote.

No matter what an attacker's intentions are, the researchers recommended that organizations take action to secure IoT devices through discovery or changing default credentials to protect against DDoS threats.

"Many of these botnets rely on common password libraries for authentication," they wrote in the post. "Find out where your known IoT devices are, and check for rogue ones, too. Check the login credentials and change them if they are default or easy to guess."

Akamai SIRT also included a list of indicators of compromise (IoCs) as well as Snort and Yara rules in the post to aid defenders.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Mirai Variant 'Aquabot' Exploits Mitel Device Flaws

Managing third-party risk in the SaaS era demands a proactive, data-driven approach beyond checkbox compliance.

Source: Olekcii Mach via Alamy Stock Photo

COMMENTRY

In June 2023, the MOVEit supply chain attack served as a harsh reminder of the vulnerabilities in our software-as-a-service (SaaS) ecosystem. Third-party risk management (TPRM) in today's world of SaaS applications is no longer just about ticking boxes on a checklist. The old methods, with their static questionnaires and outdated ISO 27001 and System and Organization Controls (SOC) — SOC 1, SOC 2, and SOC 3 — reports are simply not efficient anymore. With cyber threats, such as supply chain attacks and third-party integration exploits, becoming more sophisticated, organizations need a dynamic approach to managing SaaS vendors. Embracing automation, real-time visibility, and targeted assessments are crucial steps to stay ahead of potential risks.

Let's explore how organizations that rely heavily on SaaS apps can evolve their TPRM strategies to face modern security challenges head-on.

**The Growing Complexity of SaaS Oversight**

SaaS adoption is growing rapidly, bringing organizations convenience and flexibility. According to B2BSaaS estimates, the SaaS market was valued at $273.5 billion in 2023 and is expected to grow to $1.2 trillion by 2032. However, this growth also comes with an expanded attack surface and more complex data flows. For organizations handling sensitive customer data and navigating strict regulations, these challenges are critical.

Two trends amplify these challenges:

*   Explosion of SaaS apps: Companies use hundreds of SaaS and cloud apps, many introduced without official approval, complicating security oversight. Shadow IT often results in blind spots, making it harder to assess overall security.
    
*   Evolving threat landscape: Attackers increasingly target third-party vendors. Generative AI (GenAI) has further complicated the landscape, enabling attackers to enhance tactics and exploit integration points, misconfigured cloud services, and stolen credentials. The Okta breach of 2023 demonstrated the potential scale of damage from a supply chain attack.
    

These challenges highlight the inadequacy of relying solely on traditional security questionnaires and annual SOC 2 reports. Continuous visibility into vendors' security practices is essential for effective risk management.

**The Problem With Traditional Third-Party Risk Reviews**

Traditional risk reviews involve substantial manual effort and fall short in addressing modern threats:

*   Inefficient manual processes: Manually sending, tracking, and analyzing vendor questionnaires consumes excessive time and energy and delays the resolution of security issues.
    
*   Superficial questions: Generic Yes/No queries (e.g., "Do your developers follow secure coding practices?") fail to assess the effectiveness of vendors' security measures. More specific questions, tied to real-world scenarios, often yield actionable insights.
    
*   Outdated reports: Reports like ISO 27001 and SOC 2 quickly become obsolete in evolving SaaS environments. The emergence of GenAI has further accelerated the pace of change, necessitating updated, dynamic assessments.
    

**Evolving TPRM to Handle Modern SaaS Challenges**

To tackle these issues, organizations must adopt agile, data-centric approaches to vendor security:

1.  Embrace real-time assurance through trust centers. SOC 2 reports are a starting point, but critical vendors should offer ongoing visibility through automated trust centers. Tools like Sprinto, Drata, and Vento provide real-time insights into security controls and compliance, enabling proactive decisions.
    

1.  Make questionnaires smarter. Replace generic questionnaires with tailored assessments that probe deeper. Focus on how controls are implemented and monitored. For example, shift from "Do you secure ABC?" to "How do you secure ABC, and how do you verify its effectiveness?" Questions that examine metrics and outcomes help uncover the true state of security.
    
2.  Address talent gaps and boost technical expertise. Invest in developing skills in cloud security, SaaS configuration, and API management. Training internal teams or partnering with specialized vendors can bridge expertise gaps. The SolarWinds breach of 2020 underscores the need for visibility into supply chain vulnerabilities. Workshops and certifications can enhance team capabilities, keeping them informed of evolving risks.
    
3.  Include shadow IT and "free" tools. Review unpaid apps, open source tools, and browser extensions — often overlooked but risky. Shadow IT tools, while offering productivity, introduce unknown risks. Assessing these apps before they integrate into workflows reduces unexpected exposure. Include them in audits to ensure they meet baseline security standards.
    
4.  Use modern tools, not spreadsheets. Transition from spreadsheets to SaaS security posture management (SSPM) tools, which monitor misconfigurations, excessive permissions, and suspicious activities. AI-powered tools can further analyze vendor responses and highlight inconsistencies. Leveraging these tools saves time and enhances accuracy.
    

**What Can You Do When Revamping Your TPRM Strategy**

Evolving TPRM processes isn't easy. Avoid common pitfalls:

*   Avoid risky inaction: Delaying updates to vendor management increases exposure. Start with small, impactful improvements and scale gradually.
    
*   Avoid overcommitting resources: Implement changes incrementally, prioritizing high-impact areas. This ensures resource efficiency without overwhelming teams.
    
*   Set realistic expectations for AI: Leverage AI where it adds value while recognizing its limitations. AI tools should complement, not replace, human oversight.
    
*   Ensure team alignment: Align team skills with new vendor security goals. Equip teams to manage technical assessments effectively. Feedback loops can ensure continuous improvement and alignment with organizational objectives.
    

**What We Can Take From This**

Managing third-party risk in the SaaS era demands a proactive, data-driven approach. Organizations must go beyond checkbox compliance by leveraging real-time assurance, tailored assessments, and automation. Modernizing TPRM is essential to address the complexities of SaaS security.

While challenging, particularly for smaller organizations, the benefits of preventing breaches and protecting reputations outweigh the costs. Organizations can manage expenses effectively by prioritizing critical vendors and adopting phased changes while enhancing third-party risk management. The commitment to proactive strategies ensures resilience against an ever-evolving threat landscape.

**About the Author**

Information Security Officer, IMC Trading

Jatin Mannepalli, CISSP, CCSP is an information security officer (ISO) at IMC Trading, where he brings a deep commitment to managing security and risk across organizations. With more than 10 years of experience in the InfoSec space, he has built and led information security and risk management teams, and has also worked as a security consultant for major consulting firms like McKinsey & Company. Jatin is passionate about security governance and risk management, as well as developing technology-driven, customer-focused strategies that prioritize both organizational success and client satisfaction. Known for his holistic approach, he is dedicated to fostering a culture of security that aligns with the organization’s broader goals. In addition to his professional accomplishments, Jatin is recognized as one of the top voices in Information Security on LinkedIn. In his leisure time, he volunteers to promote security awareness in local communities and contributes to the cybersecurity community by helping develop exams for ISC2.

The Old Ways of Vendor Risk Management Are No Longer Good Enough

Cybersecurity can't always be "Department of No," but saying yes all the time is not the answer. Here is how to enable innovation gracefully without adding risk to the organization.

Source: Javier Sanchez Mingorance via Alamy Stock Photo

Question: There are times when cybersecurity teams need to say, "No" to business stakeholders. What is the best way to go about it?

Answer: Saying "yes" in business feels good, but, unfortunately, it's not always possible. And among security departments, saying no isn't happening often enough. In its effort to avoid roadblocks to innovation, security leaders are saying yes too often, according to Rami McCarthy, an industry veteran, leader, and security researcher who blogs on security leadership and management. Instead, a deliberate, strategic no is necessary to ensure security isn't too permissive. Avoiding these hard conversations can lead to delayed decisions, technical debt, and burned-out teams.

If you need to say no, here are seven tips for doing so in a strategic, clear, and constructive way.

1\. Provide context: A flat-out no without an explanation leaves teams frustrated and unclear about risks or alternatives. Security professionals should explain the reasoning behind their decisions and offer actionable next steps, says McCarthy in a recent blog post about saying no.

"Security should not own most risks, so conversations should be about advising a business owner rather than outright denial," he says.

2\. Say no early: The later security intervenes, the more disruptive it becomes. Address potential risks at the earliest stages to allow for smoother course corrections. Avoid "aggressive passivity," where security hesitates to voice concerns until it becomes too late to address them efficiently.

"Belated nos disrupt delivery, create technical debt, and lead to burned-out teams," McCarthy says.

3\. Offer secure alternatives: Saying no should never be a dead end. Providing secure, preapproved alternatives helps teams achieve their goals safely. Even if the perfect solution isn't available yet, pointing to a road map fosters goodwill. Offering alternatives helps prevent roadblocks and build collaboration, McCarthy says.

4\. Be consistent: Inconsistent decisions undermine trust and create confusion. Security teams should establish clear policies and standards that allow stakeholders to anticipate decisions. Consistency builds credibility and reinforces a sense of fairness across the organization.

"Inconsistency in saying no leads to stakeholders who don't know what to expect — and that'’s a fast way to lose trust,” McCarthy notes.

5\. Align with business goals: Security should not operate in a vacuum. When saying no, it's crucial to align the decision with business priorities and risk tolerance.

"Security doesn't just mitigate risk — it enables the company to take smarter, bolder risks,” McCarthy says.

6\. Foster open communication: Encouraging dialogue between security and other teams builds trust and lowers barriers. Hosting "ask-me-anything" sessions, lunch-and-learn events, or open office hours can create an environment where security is seen as a partner rather than a blocker.

"Security teams that listen actively and engage in dialogue build a sense of partnership with employees,” says cybersecurity adviser Tom Van de Wiele.

7\. Balance empathy with pragmatism: Empathy is key, but it must be balanced with practical decision-making, according to behavioral scientist and cybersecurity expert Jessica Barker, MBE Ph.D.

"Empathy is not about being nice and saying yes when we mean no," she says. "It’s about reflecting understanding and explaining decisions without being defensive."

**About the Author**

Contributing Writer, Dark Reading

Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.

7 Tips for Strategically Saying 'No' in Cybersecurity

The impetus for CrowdStrike's new professional services came from last year's Famous Chollima threat actors, which used fake IT workers to infiltrate organizations and steal data.

Source: Andrea Danti via Shutterstock

When CrowdStrike alerted 200 customers last summer that its OverWatch managed threat-hunting service discovered endpoint telemetry indicating that the company might have at least one fake IT employee working for it, many were initially doubtful that they were among those affected.

Upon further investigation, though, it turned out that 40% of them were victims of a North Korean APT group that recruits people to apply for open tech jobs and, when hired, use their network access to deploy malware and steal data. The spike in activity by the group, known as Famous Chollima, was the impetus for last week's launch of CrowdStrike's Insider Risk Service, a set of professional services for detecting rogue IT workers and improving hiring practices.

Famous Chollima — threat actors from North Korea — used rogue IT workers to infiltrate over 300 companies, according to a May announcement by the US Department of Justice. Several perpetrators were charged with allegedly defrauding US companies using online job sites and payment platforms with locally hosted proxy computers. Victims discovered malicious IT employees installed malware, notably BeaverTail or InvisibleFerret, or exfiltrated data.

According to the Justice Department, it was the largest criminal act using IT workers, resulting in an estimated $6.8 million in losses.

"I think it's significantly higher than $6.8 million; I would say it's on the order of tens of millions of dollars," Adam Meyers, CrowdStrike's senior VP for counter adversary operations, told attendees at the company's annual Fal.Con customer event in September.

**Customers Initially Dubious**

CrowdStrike's chief global services officer, Thomas Etheridge, recalls customers' initial skepticism that they may have unwittingly hired fake IT workers.

"We had many organizations that absolutely said, 'Thank you, but we don't have that problem,' and then they later reached back out to us and said, 'We realize you were absolutely spot on,'" Etheridge tells Dark Reading.

According to 467 cybersecurity professionals surveyed for Securonix's "2024 Insider Threat Report," insider attacks rose from 66% of organizations in 2019 to 76% last year. Moreover, 90% said insider attacks are equally or more challenging to discover than external attacks.

CrowdStrike cites research from the Ponemon Institute, which found that 71% of organizations experienced between 21 and 41 insider incidents in 2023 — up from 67% over the previous year. The report also found that the annual cost of insider threats averaged $16.2 million per organization.

Data from 1,542 security decision-makers responding to Forrester Research's 2024 Security Survey indicated that 23% of data breaches resulted from internal incidents. Joseph Blankenship, VP and research director for Forrester's Security & Risk practice, says addressing insider risk is more complex than external threats.

"It's difficult to discern normal insider behavior from potentially malicious or accidentally harmful behavior," Blankenship says. "Insider risk services help to test the technology and processes organizations use to detect and respond to insider incidents."

**CrowdStrike's New Services Portfolio**

CrowdStrike's Insider Risk Service provides assessments to determine overall security gaps that enable both malicious and unintentional internal threats and HR hiring processes.

"We have some really rich telemetry around identity, around what threat actors are doing and the tooling they're using to remain persistent and undetectable in an environment, and we use those same techniques and tools to uncover insider activity," Etheridge says. "Putting a lot of these things together and bringing the people and process aspect to it really can help an organization up level and mature their insider-risk program."

The offering consists of a program in which CrowdStrike's consultants examine an organization's approach to insider risk and perform technical reviews to discover gaps and recommend improvements. The services also include tabletop exercises and red team simulations to test what defenses are in place and explore ways to discover vulnerabilities.

Not surprisingly, the services rely on threat intelligence and telemetry gathered from CrowdStrike's flagship Falcon platform and its OverWatch 24x7 threat-hunting service team. While major IT consulting firms like Accenture, EY, and smaller service providers offer risk assessment services, Etheridge touts CrowdStrike's platform as an advantage.

"These organizations are coming to us because we have a lot of the telemetry that they would need to understand the difference between normal activity occurring in the organization and non-normal activity," Etheridge says.

Meanwhile, activity from Famous Chollima is off from last year's peak, though Etheridge expects variations in this insider threat type to continue.

"It's not out of the realm of possibilities for other threat actors to try to either mimic or come up with another creative way to try to infiltrate companies," he says.

Forrester's Blankenship agrees.

"I believe threat actors like Famous Chollima will continue to be a risk," he says. "Without measures in place to confirm the identities of employees and contractors, organizations will continue to be vulnerable to threat actors posing as legitimate workers. Ongoing monitoring for suspicious insider behavior is also necessary to detect these threat actors."

**About the Author**

Contributing Writer

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

CrowdStrike Highlights Magnitude of Insider Risk

The ransomware group provides everything an affiliate could want to breach and attack victims, including a quality controlled recruitment system to engage even more criminals.

Source: William Mullins via Alamy Stock Photo

NEWS BRIEF

The Lynx ransomware-as-a-service (RaaS) group has made a name for itself, standing out as a "highly organized platform" complete with a structured affiliate program and robust encryption methods.

Researchers at Group IB investigated Lynx's operations and detailed how the group orchestrates its ransomware attacks and manages its list of victims.

Lynx's affiliate panel is divided into sections, such as news, companies, chats, leaks, and more. This "user-friendly" interface allows affiliates to create victim profiles, generate ransomware samples, and even manage schedules, among a variety of other features. The group provides its affiliates with an "All-in-One Archive" that contains binaries for Windows, Linux, and ESXi environments. It also has a competitive recruitment-driven strategy that incentivizes affiliates with an 80% share of ransom proceeds and a leak site dedicated to posting stolen data publicly if a ransom goes unpaid. 

The group's recruitment operation requires a lengthy verification process for pen testers and skilled intrusion teams, detailing how the group emphasizes quality control, operational security, along with sufficient skills and experience before being able to join the business.

Using these strategies and more, Lynx has established itself as what the researchers consider to be a "formidable RaaS operator." By combining ransomware builds, a structured affiliate ecosystem, and a detailed management system, the group has created "an industrial-scale approach to cybercrime."

The researchers recommend that organizations take essential steps to protect their operations, especially if they are within a critical industrial sector, by implementing multifactor authentication and credential-based access, deploying advanced endpoint detection and response solutions, scheduling backups, prioritizing updates and security awareness programs, and more. Further details can be found in Group-IB's research blog post. 

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Lynx Ransomware Group 'Industrializes' Cybercrime With Affiliates

The now-fixed vulnerability involved a major travel services company that's integrated with dozens of airline websites worldwide.

Source: Ribkhan via Shutterstock

A vulnerability that exposed millions of airline customers to potential account takeovers has highlighted the significant risks organizations face from misconfigured OAuth authentication processes.

The vulnerability in this case involved a major provider of online travel services for hotels and car rentals. Many airlines have integrated this service into their websites, allowing customers to use their airline points to book not just flights, but also hotels and rental cars in one seamless process.

**OAuth Implementation Flaw**

Researchers at Salt Security, hunting for real-world examples of API supply chain attacks, stumbled upon a vulnerability in the travel company's process for authenticating users looking to access its services after making an initial airline booking. The flaw, which the travel services company has since fixed, basically gave attackers a way to redirect a user's OAuth credentials to a server of their choice.

The credentials would have allowed the attackers to obtain a valid session token from an airline's website and use it to log into the travel company's systems as the victim and book hotels and car rentals using airline loyalty points.

The discovered vulnerability enabled attackers to hijack victim accounts with a single click, Salt Security researcher Amit Elbirt wrote in a blog post this week, without revealing the identity of the travel services company.

While the takeover would have happened within the travel provider's service, it would have given an attacker full access to a victim's stored information on the airline company's site, including personally identifying information, mileage, and rewards data. "This critical risk highlights the vulnerabilities in third-party integrations and the importance of stringent security protocols to protect users from unauthorized account access and manipulation," Elbirt wrote.

OAuth (Open Authentication) is a security protocol that allows users to grant websites or applications access to their information on other sites without sharing their passwords. A familiar example is logging into a website using Google or Facebook (by clicking "Sign in with Google" or "Login with Facebook" links). In the case of the travel services company, OAuth enabled users to login to the company's site using their airline credentials.

As Salt Security explains it, when a user clicks on the login button to access the travel company's site, they are automatically redirected to the requisite airline company's login page for authentication. Once complete, the airline site sends an authorization code back to the travel company site, which initiates a process whereby the travel site receives an access token. The travel site then uses the token to request user data from the airline site.

**A Failure to Verify**

What Salt Security discovered was a weakness in the travel company's authentication flow that gave them a way to redirect the equivalent of a user's login credentials to their own server. "The specific issue here is that the travel company did not correctly verify that the sensitive authentication credentials were sent to a valid domain," says Yaniv Balmas, vice president of research at Salt Security. "By manipulating this flaw, we could force the travel company to send these credentials to us instead of the airline company, thus allowing us — or or a malicious actor abusing this — to take over the airline user account and perform any actions on their behalf."

To exploit the flaw, an attacker would have sent a malicious link, which would appear to be a valid airline link, via email or text message to users of airline sites integrated with the travel service provider. According to Salt Security, once a user clicks the link and successfully authenticates to an official airline service, the attacker gains full access to the user’s account within the travel system. "From the victim's perspective, it would be almost impossible to understand the link is malicious since it genuinely belongs to the airline, and there is no easy way to understand its malicious nature without an expert-level understanding of OAuth and authentication flows," he says.

**Common Issue**

The vulnerability with the unnamed travel company is more common that one might assume, Balmas says. In 2023, for instance, Salt Security discovered a similar vulnerability in Booking.com's OAuth implementation process that gave attackers a way to take over user accounts when using their Facebook accounts to log into the hotel reservation site. Another time, researchers from the company found OAuth implementation flaws involving Grammarly, Vidio, and Indonesian e-commerce site Bukalapak that gave attackers potential access to hundreds of millions of user accounts across multiple websites.

"The biggest issue here is that from the airline's perspective, there is absolutely no visibility in case an attack occurs, and in fact, an attack request will look completely identical to a legitimate one," Balmas notes. "This basically means that the third party — the travel company in this case—is the one responsible for the security and safety of its customer users." Often, he adds, there's no certainty that a third party will hold to the same security standards as its customer.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

OAuth Flaw Exposed Millions of Airline Users to Account Takeovers

In their discovery, researchers found 31 PDF files linking to these phishing websites, none of which have been yet submitted to VirusTotal.

Source: Web Pix via Alamy Stock Photo

NEWS BRIEF

Researchers are highlighting the rise of a new phishing tactic: a campaign that uses PDF documents to trick victims by announcing expired Amazon Prime memberships.

Users are targeted by email and, after clicking on the PDFs, are taken to pages that impersonate Amazon, where they are urged to input their personal details and credit card information.

The researchers at Palo Alto Networks Unit42 who discovered the campaign have collected 31 PDF files with links to these phishing sites, none of which had been submitted to VirusTotal.

The chain of events in the phishing attack begins with the email containing the PDF attachment. Once clicking on the link from the PDF, the victim is redirected from the initial URL to subdomains of duckdns\[.\]org that host the phishing website.

"These phishing websites use cloaking to redirect scans and other analysis attempts to benign domains," the researchers wrote. These domains for most of the initial and intermediate staging URLs are hosted on the same IP address.

There are four initial links used in the campaign that potential victims should be wary of:

*   hxxps\[:\]//redirjhmxnasmdhuewfmkxchbnvjxfasdfasd.duckdns\[.\]org/XOZLaMh
    
*   hxxps\[:\]//redixajcdkashdufzxcsfgfasd.duckdns\[.\]org/CCq8SKn
    
*   hxxps\[:\]//zmehiasdhg7uw.redirectme\[.\]net/xn28lGa
    
*   hxxps\[:\]//rediahxjasdusgasdzxcsdefwgasdgasdasdzxdz.duckdns\[.\]org/agungggg1298w862847
    

"The initial attack vector, where users are beguiled into opening an email attachment containing a PDF file, is a stark reminder of the importance of remaining vigilant of emails," Javvad Malik, lead security awareness advocate at KnowBe4, wrote in an emailed statement. "Emails still remain the most popular attack avenue for phishing, so it's important that people have the right education and tools at their disposal to be able to effectively identify and report any suspicious activity."

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Phishing Campaign Baits Hook With Malicious Amazon PDFs

Concerns include everything from ransomware, malware, and phishing attacks on the game's infrastructure to those targeting event sponsors and fans.

Source: Steve Cukrov via Shutterstock

Sporting events like the upcoming Super Bowl LIX in New Orleans are prime targets for cyberattacks due to their massive audiences, extensive digital infrastructure, and the potential for high financial and reputational impact. Experts say organizers should be prepared for an onslaught of attacks leading up to and on game day, which is Feb. 9 this year.

Securing such events can be particularly challenging due to the vast array of potential attack surfaces, including ticketing systems, livestreaming platforms, in-stadium Internet of Things (IoT) devices, and valuable fan data. The New Year's Day terrorist attack in the city has only added to the concerns, and has prompted greater physical security measures in the form of increased surveillance, a significantly larger police presence than initially planned, and the use of drones and extra cameras to monitor for threats.

**High-Stakes Cybersecurity Playbook for the Big Game**

James DeMeo, faculty member with Tulane University's School of Professional Advancement, is an expert in sport event security, facilities, and venue risk assessment. The Super Bowl, he reminds, is a mega event that the Department of Homeland Security has designated as a Special Event Assessment Rating 1 (SEAR 1), which is the highest rating from a threat assessment standpoint. Following the Jan. 1 vehicle ramming incident in New Orleans' French Quarter, event security concerns are sure to have only heightened, he says.

The top cybersecurity concerns will include those around ransomware, malware, and phishing threats directed at critical infrastructure for the games and communication networks. "Command center controls will be tasked with averting bad actors from infiltrating CCTV, access controls, and wireless networks while ensuring a seamless fan experience," DeMeo says.

Other focus areas for the security team at the Super Bowl will include protecting fan payment data and monitoring social media networks for signs of potential physical threat activity. "Law enforcement will be sharing relative and timely information with governmental stakeholders like the JTTF and the Secret Service," DeMeo says. Expect the DHS to monitor posts on social media platforms in real time before and during the games for conversations that indicate a threat to the event.

DeMeo expects drones will play a key role on the physical security side of things as well. "Drones are an effective risk mitigation tool for key Super Bowl security stakeholders," he says. "This technology can be implemented for properly monitoring crowds, crowd management, crowd ingress/egress, and reconnaissance for potential nefarious bad actors on the exterior perimeters of the venue."  

Additionally, such technologies as biometrics and iris scans can be utilized as an effective risk mitigation tool by event security leads, he says.

**A Collaborative Defensive Effort**

Mike Storm, distinguished engineer at Cisco, says preparation for an event like the Super Bowl actually begins years in advance, with collaboration between a number of entities, including the host venue, the local city, a wide network of tech vendors, and government entities like the FBI. "In the years, months and weeks leading up to the event, the cross-functional team engages in a wide variety of scenario and role-playing exercises so that should any issues arise during the event, responses are swift, coordinated, and ideally resolve the problem before it can impact the game or the fan experience."

As the primary network provider for the Super Bowl, Cisco has partnered with the NFL in a collaborative approach to manage threats to the game. "This playbook," he says, "is built on a few core attributes that are essential to successfully protecting an event of this magnitude — simplicity, visibility, reliability, and protection." As part of the effort, Cisco has deployed a range of technologies to secure the game network, including Cisco Secure Firewall, Cisco Umbrella, Cisco Security Malware Analytics, Cisco XDR with Meraki, and Splunk Enterprise.

The NFL is also tapping Cisco's Talos threat intelligence service for real-time intelligence pertinent to the event. The goal is to safeguard game day operations and respond to potential threats during the event to prevent disruptions, Storm says. "When it comes to large sporting events, we are looking for all types of attacks, at volume," he says. Many attacks are often focused on trying to degrade the experience of fans or on the misuse of data of viewers, guests, or participants of the game. "These events are targeted by a variety of different actors, which can include ideologically or politically motivated hacktivists and state-sponsored threat actors." These actors employ a variety of tactics, which can include targeting sponsors to disrupt the game or misusing branding to lure viewers to click something on something malicious.  

Storm points to the rising use of artificial intelligence as impacting Cisco's approach to protecting high-profile events like the Super Bowl. For instance, it adds complexity, he says: "The stakes of something going wrong with AI are incredibly high. On the other hand, it unlocks opportunities for faster, smarter security."

**The Threat from Unmonitored Service Accounts & APIs**

Meanwhile. the proliferation of automated systems and services like "just walk out" payment methods and frictionless checkout systems at events like the Super Bowl present a new attack vector that security teams need to guard against. The growing digitization has enabled faster retail transactions and a host of other benefits for fans. But it also led to an explosion of non-human identities (NHIs) and shared multiuse service accounts, APIs, tokens, and access keys that are often poorly monitored or completely unmonitored, says Tim Eades, CEO and co-founder of Anetac.

"Anetac's research indicates that large-scale events like the Super Bowl represent a perfect storm for NHI vulnerabilities," Eades says. "The combination of reliance on automated systems, rapid deployment, and the expansive network of NHIs required to support modern stadiums \[has\] significantly \[increased\] the attack surface," at events like the Super Bowl.

Eades perceives the targeting of NHIs as presenting a threat for event organizers in New Orleans and remote locations, "Bad actors recognize that automated accounts are gateways to critical infrastructure and sensitive data such as customer information, employee data, and more," he says. Securing such accounts, Eades notes, is important because they enable attackers to potentially gain control over stadium systems, from payment processing to manipulating environmental controls and emergency systems.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Source

DARKReading