Despite a law enforcement sweep last May, the sophisticated downloader malware is re-emerging.

Source: Antony Cooper via Alamy Stock Photo

Just a few months after Europol launched a full-scale disruption effort against malware botnets, one of its primary targets — a downloader malware called Bumblebee — seems to have staged a revival.

The sophisticated piece of malware has been widely used by cybercriminals to break into corporate networks, and its effectiveness is precisely what drew law enforcement's attention. In May, Europol launched full-scale takedowns of a variety of botnets, including IcedID, Trickbot, Smokeloader, SystemBC and Pickabot, as well as Bumblebee. The multipronged effort, dubbed Operation Endgame, was a splashy and highly publicized action to hunt down and stop cybercriminals hiding in their jurisdiction.

In addition to May's botnet bust-up, Operation Endgame added eight Russian nationals to Europe's list of most wanted fugitives for their alleged roles as developers of the Emotet botnet. By mid-June, Operation Endgame made an arrest: a 28-year-old Ukrainian man accused of working as a developer for Russian ransomware groups Conti and LockBit.

**Bumblebee Takes Flight Again**

The botnet was first identified and named by the Google Threat Analysis Group in March 2022. Since its takedown in May, there hadn't been any sign of Bumblebee, until now. Researchers at Netskope found a new instance of Bumblebee being used in combination with a payload not typically associated with the botnet, indicating this is a new iteration of the malware downloader.

Related:Dark Reading News Desk Live From Black Hat USA 2024

"The infection chain used to deliver the final payload is not new, but this is the first time we have seen it being used by Bumblebee," the Netskope researchers wrote in a recent blog post. "These activities might indicate the resurfacing of Bumblebee in the threat landscape."

Its re-emergence would hardly come as a surprise. Other valuable botnet strains like Emotet have likewise risen from the dead. Though disrupted for a time by law enforcement in 2021, Emotet returned with a vengeance and new functionality.

Bumblebee is known for spreading through a variety of methods, including phishing, malicious advertising, and SEO poisoning, explains Patrick Tiquet, vice president of security and architecture for Keeper Security.

And Bumblebee's latest attack chain is even more difficult for defenders to spot than previous versions, according to Tamir Passi, senior product director at DoControl. "What makes this version particularly concerning is its sophistication," Passi says. "Instead of the noisy, obvious attacks we've seen before, it's using a stealthier approach that makes it harder to detect. The attackers are leveraging legitimate tools like MSI installers — it's basically hiding in plain sight."

Related:Anti-Bot Services Help Cybercrooks Bypass Google 'Red Page'

Scarier still is what happens after Bumblebee gets inside a corporate network, he adds.

"But here's the real kicker — this isn't just about compromising individual machines," Passi says. "Once attackers gain access, they can potentially harvest credentials and access all sorts of corporate resources, including SaaS applications. Think about it — one successful phishing email could lead to widespread access across your entire cloud environment."

With stakes that high, cybersecurity teams need to rely on a healthy combination of user awareness training, a zero-trust cybersecurity model, strong password security, and more, Tiquet advises.

Law enforcement organizations will continue to do what they can to tamp down the effectiveness of large cybercrime operations, but along with enterprise cybersecurity teams, they are up against formidable, highly motivated adversaries.

"The re-emergence of Bumblebee after Operation Endgame demonstrates the adaptability of the group believed to be responsible for its development," says Callie Guenther, senior manager of cyber-threat research at Critical Start. "Despite law enforcement efforts to disrupt their activities, the actors quickly reintroduced Bumblebee, indicating well-prepared contingency plans."

Related:Anonymous Sudan Unmasked as Leader Faces Life in Prison

Bumblebee Malware Is Buzzing Back to Life

If exploited, bad actors can execute arbitrary code while evading detection thanks to a renamed process.

Source: B Christopher via Alamy Stock Photo

A zero-day vulnerability, tracked as CVE-2024-44068, has been discovered in Samsung's mobile processors and is being used in an exploit chain for arbitrary code execution.

The vulnerability was given a critical CVSS score of 8.1 out of 10 and was patched in Samsung's October set of security fixes.

A National Institute of Standards and Technology (NIST) advisory on the bug describes it as "an issue \[that\] was discovered in the m2m scaler driver in Samsung Mobile Processor and Wearable Processor Exynos 9820, 9825, 980, 990, 850, and W920." A use-after-free bug in the mobile processor ultimately leads to privilege escalation, the agency added.

Google researcher Xingyu Jin was credited with reporting the flaw earlier this year, and Google TAG researcher Clement Lecigne warned that an exploit exists in the wild.

"This zero-day exploit is part of an EoP chain," Jin and Lecigne noted. "The actor is able to execute arbitrary code in a privileged camera server process. The exploit also renamed the process name itself to '\[email protected\]', probably for anti-forensic purposes."

**About the Author**

Samsung Zero-Day Vuln Under Active Exploit, Google Warns

PRESS RELEASE

CHARLOTTE, N.C. and SUNNYVALE, Calif., Oct. 21, 2024 /PRNewswire/ -- Honeywell (NASDAQ: HON) and Google Cloud announced a unique collaboration connecting artificial intelligence (AI) agents with assets, people and processes to accelerate safer, autonomous operations for the industrial sector.

This partnership will bring together the multimodality and natural language capabilities of Gemini on Vertex AI – Google Cloud's AI platform – and the massive data set on Honeywell Forge, a leading Internet of Things (IoT) platform for industrials. This will unleash easy-to-understand, enterprise-wide insights across a multitude of use cases. Honeywell's customers across the industrial sector will benefit from opportunities to reduce maintenance costs, increase operational productivity and upskill employees. The first solutions built with Google Cloud AI will be available to Honeywell's customers in 2025.

"The path to autonomy requires assets working harder, people working smarter and processes working more efficiently," said Vimal Kapur, Chairman and CEO of Honeywell. "By combining Google Cloud's AI technology with our deep domain expertise--including valuable data on our Honeywell Forge platform--customers will receive unparalleled, actionable insights bridging the physical and digital worlds to accelerate autonomous operations, a key driver of Honeywell's growth."

"Our partnership with Honeywell represents a significant step forward in bringing the transformative power of AI to industrial operations," said Thomas Kurian, CEO of Google Cloud. "With Gemini on Vertex AI, combined with Honeywell's industrial data and expertise, we're creating new opportunities to optimize processes, empower workforces and drive meaningful business outcomes for industrial organizations worldwide."

With the mass retirement of workers from the baby boomer generation, the industrial sector faces both labor and skills shortages, and AI can be part of the solution – as a revenue generator, not job eliminator. More than two-thirds (82%) of Industrial AI leaders believe their companies are early adopters of AI, but only 17% have fully launched their initial AI plans, according to Honeywell's 2024 Industrial AI Insights report. This partnership will provide AI agents that augment the existing operations and workforce to help drive AI adoption and enable companies across the sector to benefit from expanding automation.

Honeywell and Google Cloud will co-innovate solutions around:

Purpose-Built, Industrial AI Agents   
Built on Google Cloud's Vertex AI Search and tailored to engineers' specific needs, a new AI-powered agent will help automate tasks and reduce project design cycles, enabling users to focus on driving innovation and delivering exceptional customer experiences.

Additional agents will utilize Google's large language models (LLMs) to help technicians to more quickly resolve maintenance issues (e.g., "How did a unit perform last night?" "How do I replace the input/output module?" or "Why is my system making this sound?"). By leveraging Gemini's multimodality capabilities, users will be able to process various data types such as images, videos, text and sensor readings, which will help its engineers get the answers they need quickly – going beyond simple chat and predictions.

Enhanced Cybersecurity  
Google Threat Intelligence – featuring frontline insight from Mandiant – will be integrated into current Honeywell cybersecurity products, including Global Analysis, Research and Defense (GARD) Threat Intelligence and Secure Media Exchange (SMX), to help enhance threat detection and protect global infrastructure for industrial customers. 

On-the-Edge Device Advances   
Looking ahead, Honeywell will explore using Google's Gemini Nano model to enhance Honeywell edge AI devices' intelligence multiple use cases across verticals, ranging from scanning performance to voice-based guided workflow, maintenance, operational and alarm assist without the need to connect to the internet and cloud. This is the beginning of a new wave of more intelligent devices and solutions, which will be the subject of future Honeywell announcements.

By leveraging AI to enable growth and productivity, the integration of Google Cloud technology also further supports Honeywell's alignment of its portfolio to three compelling megatrends, including automation.

About Honeywell  
Honeywell is an integrated operating company serving a broad range of industries and geographies around the world. Our business is aligned with three powerful megatrends – automation, the future of aviation and energy transition – underpinned by our Honeywell Accelerator operating system and Honeywell Forge IoT platform. As a trusted partner, we help organizations solve the world's toughest, most complex challenges, providing actionable solutions and innovations through our Aerospace Technologies, Industrial Automation, Building Automation and Energy and Sustainability Solutions business segments that help make the world smarter and safer as well as more secure and sustainable. For more news and information on Honeywell, please visit www.honeywell.com/newsroom.

About Google Cloud  
Google Cloud is the new way to the cloud, providing AI, infrastructure, developer, data, security, and collaboration tools built for today and tomorrow. Google Cloud offers a powerful, fully integrated, and optimized AI stack with its own planet-scale infrastructure, custom-built chips, generative AI models, and development platform, as well as AI-powered applications, to help organizations transform. Customers in more than 200 countries and territories turn to Google Cloud as their trusted technology partner.

Honeywell and Google Cloud to Accelerate Auto Operations With AI Agents for the Industrial Sector

The vulnerability affects all versions prior to v0.68.0 and highlights the risks organizations assume when consuming open source software and code.

Source: adison pangchai via Shutterstock

Organizations using Open Policy Agent (OPA) for Windows should consider updating to v0.68.0 or later to protect against an authentication hash leakage vulnerability identified in all earlier versions of the open source policy enforcement engine.

The vulnerability designated the identifier CVE-2024-8260, stems from improper input validation, and allows attackers to trick OPA into accessing a malicious Server Message Block (SMB) share. This can result in credential leakage and the potential exposure of sensitive system information.

**Enabling Credential Leaks**

"Successful exploitation can lead to unauthorised access by leaking the Net-NTLMv2 hash — or in lay terms, the credentials — of the user currently logged into the Windows device running the OPA application," said researchers at Tenable, who discovered the bug and issued a report this week. "Post-exploitation, the attacker could relay authentication to other systems that support NTLMv2 or perform offline cracking to extract the password."

Many organizations use OPA for Windows to implement and enforce authorization and resource access policies across their software stack, including cloud native applications, microservices, and APIs. The technology gives organizations a way to ensure consistent policy automation and compliance across mixed Linux and Windows environments.

The vulnerability that Tenable discovered essentially allows attackers to force a vulnerable system to authenticate to an attacker's server and thereby share user credentials in the process. The problem had to do with older versions of OPA for Windows not properly verifying the kind of files it received. Ordinarily, OPA should only use what are known as Rego files for rules and policies around decision making. What Tenable discovered was that because of improper validation, an attacker could pass an arbitrary SMB share instead of a Rego file to the OPA Command Line Interface or one of its Go library functions. An attacker could inject a path to their own server in the SMB share and force the system running the vulnerable OPA instance to authenticate to it.

"This can result in credential leaks or the execution of malicious logic, posing serious risks to system integrity and security," Tenable said. An adversary that obtains a NTLM hash by exploiting CVE-2024-8260 could use the hash in a variety of ways, including authenticating to other systems and services, moving laterally, connecting to file shares, and attempting to extract the password.

NTLM (New Technology LAN Manager) is a suite of authentication protocols from Microsoft that many organizations use to enable single sign-on to enterprise applications and services. Attackers have often exploited NTLM in so-called pass-the-hash attacks and NTLM relay attacks, where they essentially reuse a captured hash to authenticate to different applications and services without actually knowing the password.

**A Reminder of Open Source Risks**

Tenable described the vulnerability it discovered as highlighting the risks organizations assume when consuming open source software and code. In research that Black Duck described in its "2024 Open Source Security and Risk Analysis Report," the vendor found some 96% of code bases it reviewed to contain open source components. On average, 77% of all code in these codebases originated from open source. Some 84% codebases that underwent a risk assessment contained one or more security vulnerabilities and 74% had high-risk vulnerabilities like Log4Shel and XZ Utils in them. A surprising 14% of the code bases that Black Duck assessed had unpatched open source vulnerabilities in them that were 10 or more years old.

"As open-source projects become integrated into widespread solutions, it is crucial to ensure they are secure and do not expose vendors and their customers to an increased attack surface," said Ari Eitan, director of Tenable Cloud Security Research, in a statement. "This vulnerability discovery underscores the need for collaboration between security and engineering teams to mitigate such risks."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

OPA for Windows Vulnerability Exposes NTLM Hashes

PRESS RELEASE

Kuala Lumpur, Malaysia – 22 Oct. 2024 –  SoftwareOne Holding AG, a leading global software and cloud solutions provider, has launched a SoftwareOne Cloud Competency Centre in collaboration with Amazon Web Services (AWS) in Kuala Lumpur, Malaysia. 

Serving businesses across Southeast Asia, this new centre will provide clients with local expertise and support in AWS cloud services, including generative artificial intelligence (AI) tools Amazon Bedrock, a fully managed service that provides a single API to access and utilise high-performing foundation model from leading AI companies, and Amazon Q, a generative AI-powered assistant for business and developers, to drive digital transformation. By establishing the SoftwareOne Cloud Competency Centre in Malaysia, SoftwareOne further expands its global delivery network across fast-growing technology markets to help local businesses innovate with the latest technology advancements. The SoftwareOne Cloud Competency Centre opening follows AWS’s own recent announcement of cloud infrastructure expansion in Malaysia.  

"As an AWS Premier Tier Services Partner, we are thrilled to continue our collaboration with AWS through the opening of our new SoftwareOne Cloud Competency Centre in Malaysia,” said David Tan, Regional Services Leader, APAC at SoftwareOne. "This is strategically aligned with AWS's commitment to Asia and will make SoftwareOne’s global expertise and resources readily accessible to local clients. Businesses of all types will be able to accelerate their digital journeys more efficiently, benefiting from on-the-ground support in cloud migration, application modernisation, end-user computing, and FinOps.” 

“AWS is committed to enabling global organisations across industries with the world’s most comprehensive and broadly adopted cloud, and AI technologies to innovate, scale, and achieve their business and digital transformation objectives with efficiency and resilience. The recent launch of our AWS Region in Malaysia deepens that resolve,” said Peter Murray, Country Manager, AWS Malaysia. “As a Premier Tier AWS Partner, SoftwareOne is well-positioned to help businesses adopt and optimise their AWS use. Establishing the SoftwareOne Cloud Competency Centre in Malaysia aligns our goals of expanding cloud accessibility and compliance capabilities locally for customers.” 

The SoftwareOne Cloud Competency Centre experts will guide clients in implementing the SoftwareOne Landing Zone for AWS, a comprehensive pre-configured and automated framework that provides a foundation for building a secure, multi-account AWS environment. Featuring cloud infrastructure, policies, and guardrails, including centrally managed services, it is designed to help organisations quickly set up a secure and scalable environment with a consistent set of AWS best practices.  

Leveraging industry-leading infrastructure as code tool Terraform, SoftwareOne’s Landing Zone for AWS gets clients up and running from a zero footprint to AWS workload deployment within days. It also helps clients improve the operational efficiency of their AWS environments with SoftwareOne’s ongoing management and expertise in implementing patching and updates. 

“Our cloud journey involves migrating and modernising complicated and legacy workloads with stringent timelines, and we need a partner who is agile, understands such complex environments and can work closely with our internal team,” said Daniel Anand, Head of Technology Infrastructure and Architecture, Sun Life Malaysia. “SoftwareOne is helping us implement best-in-class solutions tailored to our needs, ensuring a seamless transition to the cloud while maintaining compliance with us in building the detailed business case for board approval and aligning with Sun Life global cloud framework and compliance.” 

“The launch of the regional SoftwareOne Cloud Competency Centre demonstrates SoftwareOne’s continued dedication to empowering digital transformation globally,” said Sean Pope, Global Leader, SoftwareOne Centre of Excellence for AWS. “This Centre will be a cornerstone in our global portfolio development, enhancing our ability to deliver cutting-edge solutions and support to businesses in SEA. The innovations and best practices we establish here will also be pillars upon which to build, benefitting other regions by enhancing our global AWS service offerings.” 

For more information about the SoftwareOne Cloud Competency Centre in SEA and its support of digital transformation initiatives, please visit www.softwareone.com. 

About SoftwareOne  

SoftwareOne is a leading global software and cloud solutions provider that is redefining how organizations build, buy and manage everything in the cloud. By helping clients to migrate and modernize their workloads and applications – and in parallel, to navigate and optimize the resulting software and cloud changes – SoftwareOne unlocks the value of technology. The company’s ~9,300 employees are driven to deliver a portfolio of 7,500 software brands with sales and delivery capabilities in over 60 countries. Headquartered in Switzerland, SoftwareOne is listed on the SIX Swiss Exchange under the ticker symbol SWON. Visit us at www.softwareone.com.

SoftwareOne Launches Cloud Competency Centre in Malaysia

PRESS RELEASE

VIENNA, VA (October 22, 2024) – The Retail and Hospitality Information Sharing and Analysis Center (RH-ISAC) announced the launch of LinkSECURE, a new program to help mature the cybersecurity capabilities of vendors and address the growing concern of supply chain cybersecurity vulnerabilities.  

The program aims to reduce third-party risk for RH-ISAC member companies by strengthening the cybersecurity of their suppliers. This initiative demonstrates RH-ISAC's commitment to improving cybersecurity across the entire retail and hospitality ecosystem.  

LinkSECURE program participants will work closely with dedicated support managers to implement critical security controls. In addition, the organization will hold virtual meetings, educational sessions on the essentials of cybersecurity, and topical briefings on major sector incidents one-on-one and in group settings. 

A few key points showcasing the significance of the new program include:  

*   Offers a guided path to implementing a prioritized set of safeguards to mitigate the most prevalent cyberattacks  
    

*   Guides these businesses to maturity in their cybersecurity programs 
    

*   Provides users with access to a vast array of RH-ISAC resources relevant to their sectors including threat intelligence, research/reporting, the work of member groups, and resources from partner organizations
    

“The LinkSECURE program is setting a new standard to help our industry become better prepared to combat ever-growing cybersecurity threats,” said Luke Vander Linden, RH-ISAC's Vice President of Membership and Marketing.  

The program will primarily be offered to RH-ISAC's Core Members’ vendors. Should other small to mid-sized retailers be interested, RH-ISAC will consider their participation too. 

For more information on RH-ISAC and the LinkSECURE offering, please visit rhisac.org/linkSECURE.  

ABOUT RH-ISAC 

The Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) is a trusted community for sharing sector-specific cybersecurity information and intelligence. RH-ISAC connects information security teams at the strategic, operational, and tactical levels to work together on issues and challenges, to share practices and insights, and to benchmark among each other – all with the goal of building better security for consumer-facing industries through collaboration. RH-ISAC serves businesses including retailers, restaurants, hotels, gaming casinos, food retailers, consumer products, and other consumer-facing companies. For more information, visit www.rhisac.org. 

You May Also Like

Retail &amp; Hospitality ISAC Launches Program Aimed at Securing Supply Chains

Cybersecurity is not "one size fits all." Employers, recruiters, and managers need to embrace neurodiversity through inclusive hiring practices, tailored training programs, and adaptive management styles.

Source: Tomertu via Adobe Stock Photo

Megan Roddie-Fonseca, a senior security engineer at Datadog, recalls a pivotal moment during her job interview that swayed her decision to join the company.

"During the interview process, the manager asked me, 'How can I manage you? What's your ideal way of working?'" Roddie-Fonseca says. "'What can I do in order to make you the employee that you need to be and that you want to be?'"

For Roddie-Fonseca, a neurodivergent individual, this willingness to adapt management styles based on individual needs was a key factor in her decision to accept Datadog's offer.

"That's a big thing for me, instead of a manager saying, 'This is my management style,'" she says, noting that a tailored management approach can create an environment where neurodiverse workers feel understood and supported.

Roddie-Fonseca was diagnosed with autism when she was 12 years old and with ADHD later in life. While she has personally had overall positive experiences in the cybersecurity industry, she's also aware — by networking with other neurodivergent individuals — of the challenges that many face in their careers.

Neurodiversity includes individuals with conditions such as autism, ADHD, and dyslexia. While neurodivergent individuals can bring a wealth of unique skills to the workplace, they often face unnecessary challenges in the hiring process, training, and overall workplace environment.

**Align the Interview With the Job**

One issue is the current structure of the hiring process in many organizations. Rigid interviews, vague expectations, and unaccommodating environments can create barriers for neurodivergent candidates. Roddie-Fonseca says that typical interview setups, where candidates sit in front of a hiring manager or panel to answer rapid-fire questions, are not designed for those who may struggle with social anxiety or sensory-processing issues.

"Sitting in a room answering questions, especially when you're seeking a job that is going to have less social interaction, is not the way to do it," she says. "When it comes to showing my skill set, I'm going to be doing that on a computer, in an environment I'm comfortable with."

Performance-based interviews, where candidates demonstrate their skills in a simulated work environment, are a better alternative. Dr. Jodi Asbell-Clarke, a senior researcher in neurodiversity in STEM education at the nonprofit TERC and author of Reaching and Teaching Neurodivergent Learners in STEM, says it is essential to allow candidates to show their abilities under conditions they’re comfortable with.

“Many neurodivergent employees I have spoken with tell me they are at their best when they have time and mental space to solve a problem on their own, in their own way, and then bring it back to the team,” she says.

Rather than focusing on quick thinking under pressure, performance-based assessments allow candidates to demonstrate their problem-solving talents without the added stress of rigid, high-pressure conditions.

**Supporting Neurodivergent Employees on the Job**

Hiring neurodivergent candidates is just the first step; ensuring they are supported once on the job is equally important. Neurodivergent professionals often thrive in environments where accommodations are made to help them succeed, from flexible working conditions to individualized communication styles.

Universal design principles — where workplace accommodations are made available to everyone, regardless of whether they disclose a neurodivergent condition — can make a big difference, says Liz Green, an occupational therapist and business consultant who specializes in neurodiversity and inclusive design and often works with cybersecurity.

"Neurodivergence is already present in about 20% of the workforce, but not everyone will disclose it. So it's important to have support systems in place that everyone can access," she says.

Creating employee manuals, where workers outline their preferred communication and work styles, is a simple and inclusive solution that can benefit all employees, neurodivergent or not, Green adds.

Once neurodivergent employees are onboarded, providing appropriate training is essential. The traditional approach to training, where all new hires undergo the same program without considering individual learning needs, can leave neurodivergent employees struggling. Asbell-Clarke points out that giving neurodivergent employees space for "autonomy of thought" during training can be beneficial. For example, instead of bombarding new hires with information in a classroom setting, consider self-paced training modules that allow individuals to learn at their own speed.

Meghan Maneval, senior director of product marketing at LogicGate and also a neurodivergent individual, says clear communication — in multiple formats — during both interviewing and training is essential for her.

"Due to my auditory processing disorder, I often rely on written communication to fully process information," she says.

Employers can also create mentorship opportunities, pairing neurodivergent hires with more experienced employees who understand their challenges. These mentors can offer guidance and help them navigate the nuances of company culture and expectations.

**Creating a Culture of Inclusion**

Building an inclusive culture goes beyond just offering accommodations. It requires a shift in mindset across the organization.

"It's a culture shift because a lot of people are afraid to bring up those things because people think they're silly or they'll feel like, you know, they're going to get fired or not be a candidate for hire because they made a request like this," says Roddie-Fonseca.

Green emphasizes the need for open dialogue and the willingness to learn.

"Opening up the conversation is the first step. Silence doesn't help,” she says. By engaging in conversations about neurodiversity, employers can begin to dismantle the biases that prevent neurodivergent individuals from succeeding.

Another key component is establishing employee resource groups (ERGs) for neurodivergent individuals, says Green. These groups can provide a platform for employees to voice their needs and advocate for changes that improve the workplace for everyone.

“The most important thing is bringing forth the voices of the population," Green says. "It's about making an effort to listen and then act on what neurodivergent employees are saying."

An opportunity exists to rethink traditional hiring practices and embrace a more inclusive approach in cybersecurity hiring. As Datadog's Roddie-Fonseca points out, neurodivergent individuals often possess unique problem-solving abilities and strong attention to detail — skills that are highly valuable in technical fields. Yet the current hiring landscape remains inaccessible for many. By adopting flexible, inclusive hiring and training practices, cybersecurity employers can not only tap into the neurodiverse talent pool but also create a more dynamic and innovative workforce.

**About the Author**

Contributing Writer, Dark Reading

Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.

Breaking Barriers: Making Cybersecurity Accessible for Neurodiverse Professionals

Without DMARC, campaigns remain highly susceptible to phishing, domain spoofing, and impersonation.

Source: Saphiens via Alamy Stock Photo

Nearly 75% of US Senate campaign websites are lacking when it comes to DMARC protections, otherwise known as Domain-based Message Authentication, Reporting, and Conformance safeguards.

DMARC tools are used to prevent phishing and spoofing attacks by ensuring that the domains from which emails are sent get authenticated.

Without these protections, campaign websites are left vulnerable to cyberattacks, a critical issue given that these campaigns are emailing voters, donors, and staff frequently.

This could lead to compromised voter information, donor data, strategic campaign plans, and other sensitive data, furthering a lack of public trust in US elections, an issue that has become increasingly prominent in the past few years. In 2016, Russian state actors tried to influence the presidential election by disrupting the election process and hacking emails. 

According to the study, conducted by Red Sift, campaigns will remain highly susceptible to phishing, domain spoofing, and impersonation attacks without DMARC, ultimately leading to slower campaign operations, leaks in confidential information, and worse.

The report calls for immediate prioritization of DMARC implementation across US Senate and presidential campaigns, and insuring that these implementations are properly configured.

**About the Author**

Most US Political Campaigns Lack DMARC Email Protection

GoDaddy flagged a ClickFix campaign that infected 6,000 sites in a one-day period, with attackers using stolen admin credentials to distribute malware.

Source: Primakov via Shutterstock

Threat actors have taken a campaign that uses fake browser updates to spread malware to a new level, weaponizing scores of WordPress plug-ins to deliver malicious infostealing payloads, after using stolen credentials to log in to and infect thousands of websites.

Domain registrar GoDaddy is warning that a new variant of malware disguised as a fake browser update known as ClickFix infected more than 6,000 WordPress sites in a one-day period from Sept. 2 to Sept. 3.

Threat actors used stolen WordPress admin credentials to infect compromised websites with malicious plug-ins as part of an attack chain unrelated "to any known vulnerabilities in the WordPress ecosystem," GoDaddy principal security engineer Denis Sinegubko wrote in a recent blog post.

"These seemingly legitimate plugins are designed to appear harmless to website administrators, but contain embedded malicious scripts that deliver fake browser update prompts to end users," he wrote.

The campaign leverages fake WordPress plug-ins that inject JavaScript leading to ClickFix fake browser updates, which use blockchain and smart contracts to obtain and deliver malicious payloads. Attackers use social engineering strategies to trick users into thinking they are updating their browser, but instead they are executing malicious code, "ultimately compromising their systems with various types of malware and information stealers," Sinegubko explained.

Related:Samsung Zero-Day Vuln Under Active Exploit, Google Warns

**Related, Yet Separate Campaigns**

It should be mentioned that ClearFake, widely identified in April, is another fake browser update activity cluster that compromises legitimate websites with malicious HTML and JavaScript. Initially it targeted Windows systems, but later spread to macOS as well.

Researchers have linked ClickFix to ClearFake, but the campaigns as described by various analysts have numerous differences and are likely separate activity clusters. GoDaddy claims to have been tracking ClickFix malware campaign since August 2023, spotting it on more than 25,000 compromised sites worldwide. Other analysts at Proofpoint detailed ClickFix for the first time earlier this year.

The new ClickFix variant as described by GoDaddy is spreading fake browser update malware via bogus WordPress plug-ins with generic names such as "Advanced User Manager" and "Quick Cache Cleaner," according to the post.

"These seemingly legitimate plugins are designed to appear harmless to website administrators but contain embedded malicious scripts that deliver fake browser update prompts to end users," Sinegubko wrote.

Related:Bad Actors Manipulate Red-Team Tools to Evade Detection

All information in the plug-in metadata is fake, including the plug-in name, URL, description, version, and author, but appears plausible at first glance and wouldn't raise suspicion immediately, according to GoDaddy.

**Automation Used to Scale Campaign**

Further analysis detected automation in the naming convention of the plug-ins, with researchers noting a JavaScript file naming pattern consisting of the first letter of each word in the plug-in name, appended with "-script.js."

For example, the Advanced User Manager plug-in contains the aum-script.js file, according to the researchers, who used this naming convention to detect other malicious plug-ins related to the campaign, such as Easy Themes Manager, Content Blocker, and Custom CSS Injector.

The plug-in and author URIs also frequently reference GitHub, but analysis showed that repositories associated with the plug-in don't actually exist. Moreover, the GitHub usernames followed a systematic naming convention linked to the plug-in names, which "indicates an automated process behind the creation of these malicious plugins," Sinegubko wrote.

Indeed, the researchers eventually discovered that the plug-ins are systematically generated using a common template, allowing "threat actors to rapidly produce a large number of plausible plugin names, complete with metadata and embedded code designed to inject JavaScript files into WordPress pages," Sinegubko wrote. This allowed attackers to scale their malicious operations and add an additional layer of complexity for detection.

Related:The Lingering 'Beige Desktop' Paradox

**Credential Theft as Initial Entry?**

GoDaddy isn't clear on how attackers acquired WordPress admin credentials to initiate the latest ClickFix campaign, but it noted that potential vectors include brute-force attacks and phishing campaigns aimed at acquiring legitimate passwords and usernames. 

Moreover, as the payloads of the campaign itself are the installation of various infostealers on compromised end-user systems, it's possible that the threat actors are collecting admin credentials in this way, Sinegubko observed.

"When talking about infostealers, many people think about bank credentials, crypto-wallets and other things of this nature, but many stealers can collect information and credentials from a much wider range of programs," he noted.

Another possible scenario is that the residential IP addresses from which the fake plug-ins were installed could belong to a botnet of infected computers that the attackers use as proxies to hack websites, according to GoDaddy.

Because the campaign includes the theft of legitimate credentials to log in to WordPress sites, people are urged to follow general best practices for protecting their passwords as well as avoid interacting with any unknown websites or messages that ask them to divulge private credentials.

GoDaddy also included a long list of indicators of compromise (IoCs) for the campaign — including names of plug-ins and malicious JavaScript files, endpoints to which smart contracts in the campaign connect, and associated GitHub accounts — in the blog post, so defenders can identify if a website has been compromised.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Swarms of Fake WordPress Plug-ins Infect Sites With Infostealers

The persistent infostealer's latest campaign inserts fake CAPTCHA pages into legitimate applications, fooling users into executing the malicious payload, researchers find.

Source: Oleksandr Hruts via Alamy Stock Photo

Lumma Stealer stars in a new campaign that uses malicious CAPTCHA pages to scam targets into clicking through the "verification" process — triggering the initial malware download.

Malware-as-a-service (MaaS) Lumma Stealer is commonly used by threat actors to steal sensitive information like passwords and crypto-wallet data, researchers at Qualys, who recently detailed the latest attack chain, explained.

"When the user clicks the 'I'm not a robot' button, verification steps are presented," Qualys threat researcher Vishwajeet Kumar wrote in a blog post detailing the latest Lumma Stealer find. "Completing these steps triggers the execution of a PowerShell command that initiates the download of an initial stager (malware downloader) on the target machine."

**Lumma Stealer's Easy Adaptability**

This latest CAPTCHA-based tactic is new, Kumar added in the Lumma Stealer campaign analysis. Previous campaigns have relied on a wide array of cybercrimes to spread the infostealer, ranging from basic phishing to far more exotic gambits.

Just a handful of examples from just this year include a Lumma Stealer campaign from January 2024 that used YouTube channels disguised as content to offer workarounds for eluding Web filters and cracking popular applications.

By the summer, another Lumma Stealer effort popped up on Facebook, this time trying to lure victims into downloading a legitimate artificial intelligence (AI) photo editor. Even Hamster Kombat wasn't spared. The more than 250 million estimated players of the game were targeted and lured into downloading Lumma Stealer by multiple simultaneous scams, it was discovered last July.

"The investigation into Lumma Stealer reveals an evolving threat landscape characterized by the malware’s ability to adapt and evade detection," Kumar wrote. "It employs a variety of tactics, from leveraging legitimate software to utilizing deceptive delivery methods, making it a persistent challenge for security teams."

Protecting from ongoing Lumma Stealer threats requires close collaboration between threat intelligence, security operations centers (SOCs), and incident-response teams, according to Sarah Jones, a cyber-threat intelligence research analyst at Critical Start.

"Given the rapid evolution of threats like Lumma Stealer, security teams must adopt a stance of continuous monitoring and adaptation, regularly updating detection rules, indicators of compromise, and security controls," Jones says. "This campaign exemplifies the sophisticated threats organizations face today, requiring a multilayered defense approach that combines advanced technical controls with proactive threat hunting and ongoing adaptation to effectively combat evolving malware campaigns."

Source

DARKReading