It's North Korea versus Cambodia, with Windows default settings and sheer patience allowing the bad guys to avoid easy detection.

Source: motioncenter via Alamy Stock Photo

The North Korean state-sponsored threat actor known as APT37 has been carefully spreading a novel backdoor, dubbed "VeilShell." Of note is its target: Most North Korean advanced persistent threats (APTs) have a history of targeting organizations in South Korea or Japan, but APT37's latest campaign seems to be directed at a nation Kim Jong-Un has more complex relations with: Cambodia.

While Pyongyang still maintains an embassy in Phnom Penh and the two nations share a history of Soviet ties in the region, the modern-day relationship between the two is far from cozy. The DPRK's nuclear weapons program, ongoing missile tests, cyber activities, and general aggression towards its neighbors contradicts Cambodia's stance on weapons of mass destruction (WMDs) and its call for meaningful diplomatic dialogue between all countries in the region, observers in the region have noted.

That wariness has drawn the attention of the North Korean regime, according to Securonix, which has flagged a new campaign called "Shrouded#Sleep" circulating against Cambodian organizations.

Securonix did not share detailed victimology, but to lure in targets, APT37 (aka InkSquid, RedEyes, BadRAT, Reaper, ScarCruft, and Ricochet Chollima) has been spreading malicious emails relating to Cambodian affairs, and in Cambodia's primary language, Khmer. One lure for instance offers recipients access to a spreadsheet related to annual income in US dollars across various sectors in the country, such as social work, education, health, and agriculture.

Related:China-Backed APT Group Culling Thai Government Data

Hidden in these emails are maliciously crafted shortcut files concealing the backdoor, used to establish quiet persistence in targeted networks.

**Shrouded#Sleep's Stealthy Shortcuts**

In terms of the infection routine, a Shrouded#Sleep infection begins, like many others do, with a .ZIP archive containing a Windows shortcut (.LNK) file.

"It's incredibly common — if you were to throw a dart at the threat actor dartboard, a shortcut file is probably going to be hit," says Tim Peck, senior threat researcher at Securonix. "It's easy, it's effective. It pairs really well with phishing emails. And it's easy to mask."

Windows hides the .LNK file extension by default, substituting it with a little arrow in the bottom left hand corner of a file's icon, making for an overall cleaner user interface. The upshot is that attackers like APT37 can swap a .LNK's default icon with another of their choosing, and use double extensions to hide the true nature of the file.

APT37 gives its shortcut files PDF and Excel icons, and assigned them double extensions like ".pdf.lnk," or ".xls.lnk," so that only the .PDF and .XLS parts of the extension show up for users.

Related:UAE, Saudi Arabia Become Plum Cyberattack Targets

In the end, Peck notes, "Unless you're looking for the little arrow that Microsoft adds on shortcut files, odds are you might miss that." An unreasonably eagle-eyed victim might also have noticed that unlike typical shortcut files — which tend to be just a few kilobytes in size — these were anywhere from 60 to 600 kilobytes.

Contained within those kilobytes was APT37's malicious payload, which Securonix has named "VeilShell." 

**VeilShell's Patient Persistence**

The SHROUDED#SLEEP campaign is notable for its state-of-the-art blend of living-off-the-land and proprietary tools, plus impressive persistence and stealth mechanism.

"It represents a sophisticated and stealthy operation targeting Southeast Asia leveraging multiple layers of execution, persistence mechanisms, and a versatile PowerShell-based backdoor RAT to achieve long-term control over compromised systems," according to the Securonix analysis. "Throughout this investigation, we have shown how the threat actors methodically crafted their payloads and made use of an interesting combination of legitimate tools and techniques to bypass defenses and maintain access to their targets."

Related:China's 'Earth Baxia' Spies Exploit Geoserver to Target APAC Orgs

VeilShell for instance is a multifunctional, PowerShell-based backdoor-plus-remote-access-trojan (RAT). It's capable of all the things RATs tend to do: download and upload files, modify and delete existing files on the system, modify system settings, create scheduled tasks for persistence, etc.

Notably, APT37 also achieves persistence via AppDomainManager injection, a rarer technique involving the injection of malicious code into .NET applications.

All of these malicious functions and techniques might otherwise make a lot of noise on targeted systems, so APT37 uses some tricks to provide counterbalance. For example, it implements long sleep timers to break up different stages of the attack chain, ensuring that malicious activities don't occur in obvious succession.

As Peck tells it, "The threat actors were incredibly patient, slow, and methodical. They used a lot of long sleep timers — we're talking, like, 6,000 seconds in between different attack stages. And the main goal \[of the shortcut file\] was to set the stage. It didn't actually execute any malware. It dropped the files into a location that would allow them to execute on their own on the next system reboot. That reboot could be the same day, or a week from now, depending on how the user uses their PC."

It was emblematic, perhaps, of a threat actor with confidence and patience to spare. "A lot of times we see these dive in, dive out types of campaigns. But this was definitely designed with stealth in mind," he says.

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

DPRK's APT37 Targets Cambodia With Khmer, 'VeilShell' Backdoor

Several of the flaws enable remote code execution and denial-of-service attacks while others enable data theft, session hijacking, and other malicious activity.

Source: PeterPhoto123 via Shutterstock

Potentially tens of thousands of DrayTek routers, including models that many businesses and government agencies use, are at heightened risk of attack via 14 newly discovered firmware vulnerabilities.

Several of the flaws enable denial-of-service and remote code execution (RCE) attacks, while others allow threat actors to inject and execute malicious code into webpages and the browsers of users who visit compromised websites.

**A Wide Range of Flaws**

Two of the new flaws are critical, meaning they need immediate attention: CVE-2024-41592, a maximum-severity RCE bug in the Web UI component of DrayTek routers, and CVE-2024-41585, an OS command execution/VM escape vulnerability with a CVSS severity score of 9.1. Nine of the vulnerabilities are medium-severity threats, and three are relatively low-severity flaws. The vulnerabilities are present in 24 DrayTek router models.

Researchers at Forescout's Vedere Labs discovered the vulnerabilities during an investigation of DrayTek routers, prompted by what the security vendor described as signs of consistent attack activity targeting the routers and a rash of recent vulnerabilities in the technology.

They found over 704,000 Internet-exposed DrayTek routers — mostly in Europe and Asia — many of which likely contain the newly discovered vulnerabilities.

"Since 75% of these routers are used in commercial settings, the implications for business continuity and reputation are severe," Forescout researchers warned in a report that summarized the findings from their investigation, which they dubbed Dray:Break. "A successful attack could lead to significant downtime, loss of customer trust, and regulatory penalties, all of which fall squarely on a CISO's shoulders."

**Patching May Not Be Enough**

DrayTek has issued patches for all the vulnerabilities via different firmware updates. However, organizations should not stop with just applying the patches, says Daniel dos Santos, the head of security research at Forescout Vedere Labs. To lower risk from similar vulnerabilities in DrayTek routers in the future, security teams should also proactively implement longer-term mitigation measures, he adds. "Our report shows there's a long history of critical vulnerabilities affecting those routers, and many have been weaponized by botnets and other malware," he says. "Taking a proactive security approach ensures that even when new vulnerabilities are found, the risk to an organization will be low."

Attackers will likely find it relatively easy to find DrayTek routers that contain the new vulnerabilities using search engines such as Shodan or Censys, dos Santos says. But "exploitation is more difficult because we did not provide a detailed working proof-of-concept, only the overall description of the vulnerabilities," he adds. "If another researcher or an attacker builds and publishes a working exploit, then mass exploitation could happen — like how it has happened for other DrayTek CVEs in the past."

The mitigations that DrayTek and Forescout have recommended include disabling remote access if not needed, verifying that no unauthorized remote access profiles have been added, enabling system logging, and using only secure protocols such as HTTPS. Forescout also recommends that DrayTek customers ensure proper network visibility, change default configurations, replace end-of-life devices, and segment their networks.

**A Popular Attack Target**

The advice comes amid signs of growing threat actor activity — including by nation-state actors — targeting vulnerabilities in routers and other network devices from DrayTek and a variety of other vendors, including Fortinet, F5, QNAP, Ivanti, Juniper, and Zyxel.

In a September advisory, the FBI, the US National Security Agency, and Cyber National Mission Force warned of Chinese threat actors compromising such routers and Internet of Things devices in widespread botnet operations. "The actors may then use the botnet as a proxy to conceal their identities while deploying distributed denial-of-service (DDoS) attacks or compromising targeted US networks," the advisory warned. Two weeks prior to the advisory, the US Cybersecurity and Infrastructure Security Agency added two DrayTek vulnerabilities from 2021 (CVE-2021-20123 and CVE-2021-20124) to its known exploited vulnerabilities list citing active exploitation activity. In 2022, a critical RCE in DrayTek's Vigor brand of routers put numerous small and medium-size businesses at risk of zero-click attacks.

The relatively high number of critical vulnerabilities in DrayTek products in recent years is another concern because many organizations don’t appear to be addressing them quickly enough, Forescout said. The security vendor's report highlighted 18 vulnerabilities going back to 2020, most of which have near maximum severity scores of 9.8 on the CVSS scale. Yet 38% of more than 704,000 DrayTek devices that Forescout discovered didn't have patches for disclosed vulnerabilities from two years ago.

"Many organizations don't have the right level of visibility into unmanaged devices such as routers, so they may be unaware of these issues on their networks," dos Santos says. "They rely on endpoint telemetry and security agents to provide information about software versions and apply patches. But when it comes to firmware — which doesn't support agents — they might not know that vulnerabilities exist in their network or may not have manually applied the patches."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Thousands of DrayTek Routers at Risk From 14 Vulnerabilities

Ivanti reports that the bug is being actively exploited in the wild for select customers.

Source: Kristoffer Tripplaar via Alamy Stock Photo

One of the latest vulnerabilities that the Cybersecurity and Infrastructure Security Agency has added to the Known Exploited Vulnerabilities Catalog is CVE-2024-29824, found in the Ivanti Endpoint Manager.

The vulnerability is described as an SQL Injection vulnerability in the core server of Ivanti EPM 2022 SU5 and its prior models. It allows an unauthenticated attacker within the network to execute arbitrary code. 

Because of its high risk, its CVSS score is a critical 9.6.

On Oct. 1, Ivanti updated its security advisory to reflect that the vulnerability had been exploited in the wild.  "At the time of this update, we are aware of a limited number of customers who have been exploited," according to Ivanti's advisory.

Ivanti released security updates to patch this flaw in May, alongside several other bugs found in EPM's core server.

"Exploiting this flaw could have serious consequences, such as data breaches, disruption of business operations, and further compromise of internal systems," Eric Schwake, director of cybersecurity strategy at Salt Security, wrote in an emailed statement. "Organizations using Ivanti EPM should prioritize patching their systems immediately and conduct thorough security assessments to detect and mitigate potential compromise. This situation emphasizes the critical importance of proactive vulnerability management and timely patching to protect against evolving threats."

Customers can find information to patch the vulnerability on Ivanti’s website.

**About the Author**

CISA Adds High-Severity Ivanti Vulnerability to KEV Catalog

"Pig butchering," generative AI, and spear-phishing have all transformed digital warfare.

Source: Daniren vua Alamy Stock Photo

As the kinetic war between Russia and Ukraine persists, a parallel battle is being waged in cyberspace, where hackers are targeting critical infrastructure, government entities, and individual service personnel.

The cyber campaigns focus on espionage, disruption, and social engineering to weaken Ukrainian defenses and sow discord, with efforts to compromise personal data and infiltrate secure communication channels like Signal and Telegram.

Russian-aligned cyber actors, including advanced persistent threat (APT) groups like Gamaredon, have intensified their attacks since Russia's 2022 invasion of Ukraine.

Despite Ukrainian efforts to bolster cybersecurity, Russian hackers continue to refine their tools, and Russian cyber warfare tactics are varied and persistent, according to Ukraine's State Service of Special Communications and Information Protection (SSSCIP) September report.

These are just a few of the latest examples of cyberwarfare between the two states, though other additional malware perpetrators and cyberattack units, including Sandworm (aka APT44), continue to proliferate. 

**Messaging Apps Target Service Members**

One recent campaign involves the Russia-aligned UAC-0184 group targeting Ukrainian military personnel through messaging apps, including Signal. 

Hackers impersonate familiar contacts, sending malicious files disguised as combat footage or recruitment material to infect devices with malware.

Dan Black, manager, Mandiant Cyber Espionage Analysis, Google Cloud, says common technologies like smartphones and tablets have become essential tools for military personnel on the front lines, providing real-time intelligence and other critical support capabilities.

"But their utility cuts both ways," he cautions.

Because they provide such valuable capability, penetrating these devices can provide an adversary a surreptitious lens into various types of sensitive battlefield information that can have grave, even lethal, consequences for targets if compromised. 

Abu Qureshi, head of threat research for BforeAI, explains targeted cyberattacks aimed at military personnel through messaging apps can severely compromise operational security.

"By intercepting communications or distributing malware through trusted communication channels, attackers can extract sensitive data on the physical locations of personnel," Qureshi says. "This can lead to real-world consequences."

Malachi Walker, security adviser for DomainTools, adds a targeted cyberattack such as what’s being seen in the Russian/Ukrainian war is like pig-butchering attacks the team has observed in the financial service sector, where an attacker builds a personal relationship with their victim, gaining their trust over a period to gain a payout.

"Seeing this tactic used in warfare, rather than for financial gain, impacts the operational security of a military unit," Walker explains.

He says while a financially motivated pig-butchering attack can only leave one victim, using this technique in a war setting could place an entire group of soldiers in danger.

Adam Gavish, co-founder and CEO at DoControl, says what's particularly concerning is that many of these troops have access to sensitive intelligence and critical systems.

"A successful attack could potentially compromise not just individual soldiers, but entire military operations or strategies," he says.

The ripple effects of a single breach could harm many, making these personalized attacks especially dangerous.

"All of this can significantly impact combat effectiveness, readiness, and overall military capabilities," Gavish says.

**Russian-Speaking Users Targeted**

Meanwhile, the DCRat Trojan has been deployed through HTML smuggling, marking a shift in delivery methods to target Russian-speaking users. 

HTML smuggling techniques can bypass traditional security measures by nesting attacks within obfuscation layers like files, posing a significant threat to critical industries during conflicts.

Walker explains the use of HTML smuggling may not be the sole cause for change in the threat landscape, but it is indicative of an ongoing change that his team has observed in the past two years.

"The evolution of cyberattacks and malware, particularly those that have an intersection with the use of generative AI, have lowered the barrier for entry for threat actors, leading to more threats and a greater volume of attacks," he says.

DCRat and other similar malware can infiltrate systems controlling power grids, oil pipelines, and even nuclear facilities, which could severely disrupt the safety of any nation. "In the context of targeting Russian-speaking users and Russian companies, such attacks could have an impact that extends to other countries and companies and leads to further distrust," Walker adds.

He notes not all Russian companies are sanctioned by NATO-allied countries and those not sanctioned could be the most appealing targets as it would allow these threat actors to extend their reach.

These impacts can have a global impact including the delay of delivery for essential goods and the compromise of critical industries like energy, healthcare, financial services, and transportation.

Stephen Kowski, field chief technology officer (CTO) at SlashNext Email Security+, says this method of attack highlights the need for more sophisticated defense strategies that go beyond conventional antivirus solutions. 

"When looking at this phishing technique you need live analysis of malicious content within the file and that is why you cannot rely on signature-based, feeds-based phishing protection alone," he explains. 

He adds securing industrial control systems is paramount in preventing disruptions that could amplify physical attacks.

"A comprehensive approach involving regular security audits, network segmentation, and robust access controls can help safeguard energy infrastructure against supply chain attacks," Kowski says. 

**Game on for Gamaredon **

An ESET report released last month focused on the 2022 and 2023 campaigns of Gamaredon, one of the most active groups in Ukraine.

The group has been conducting spear-phishing campaigns and using custom malware to breach Ukrainian government institutions, with the attacks undergoing constant evolution — for example, shifting to PowerShell and VBScript-based attacks.

DoControl's Gavish says Gamaredon's persistent approach, while less stealthy, can be highly effective in overwhelming Ukraine's defenses through sheer volume. 

"This constant barrage of attacks ties up cybersecurity resources and increases the chances of a successful breach simply through persistence," he says. The real-world impact forces Ukraine to constantly divert resources to cyber defense. "Gamaredon's attempts to target NATO countries have significant implications for international cybersecurity cooperation," Gavish adds.

From his perspective, these types of threats highlight the need for increased information sharing and joint defense strategies among allied nations. "The situation in Ukraine serves as a stark reminder that cybersecurity is not just an IT issue — it's a matter of national security with very real-world consequences," Gavish says. 

**About the Author**

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.

Ukraine-Russia Cyber Battles Tip Over Into the Real World

Although the veto was a setback, it highlights key debates in the emerging field of AI governance and the potential for California to shape the future of AI regulation.

Debrup Ghosh, Principal Product Manager, F5 Inc.

October 3, 2024

4 Min Read

Source: marcos alvarado via Alamy Stock Photo

COMMENTARY

On Sept. 29, California Gov. Gavin Newsom vetoed Senate Bill 1047, the Safe and Secure Innovation for Frontier Artificial Intelligence Models Act. This bill aimed to create a comprehensive regulatory framework for AI models, seeking to balance public safety with innovation. Although the veto was a setback for the bill, it highlights key debates in the emerging field of AI governance and the potential for California to shape the future of AI regulation.

**California's Influence on Tech Legislation**

As the home of Silicon Valley, California has long been a leader in technology regulation, with its policies often setting the precedent for other states. For example, the California Consumer Privacy Act (CCPA) inspired similar data protection laws in Virginia and Colorado. With the rapid advancement of AI technology, California's efforts in AI governance could have a lasting impact on both national and international regulatory frameworks, while also catalyzing federal lawmakers to consider nationwide AI regulations, similar to how California's auto emissions standards influenced federal policies.

**What's at Stake**

Gov. Newsom's veto highlights several critical issues. First, the bill solely focused on large-scale models that might overlook the dangers posed by smaller, specialized AI systems. The governor emphasized the need for regulations based on empirical evidence of actual risks rather than the size or cost of AI models. Second, he cautioned that stringent regulations could stifle innovation, particularly if they did not keep pace with the rapidly evolving AI landscape. The governor advocated for a flexible approach that could adapt to new developments. Third, Newsom stressed the importance of considering whether AI systems are deployed in high-risk environments or involve critical decision-making with sensitive data, areas the bill did not specifically address.

**Looking Ahead**

Although this might seem like a setback to some, the veto allows California to continue its thought leadership in shaping modern technology policy. To move forward and reconcile differences, the California legislature and Governor's office can undertake several collaborative efforts:

*   Establish a joint task force comprising representatives from the governor's office, legislators, AI experts, industry leaders, and AI ethics experts. This group can facilitate open discussions to understand each other's concerns and priorities.
    
*   Incorporate insights from academia, research organizations, and the public. Transparency in the legislative process can build trust and ensure diverse perspectives are considered.
    
*   Shift the regulatory focus from the size and computational resources of AI models to the actual risks associated with specific applications. This aligns with the governor's call for evidence-based policymaking.
    
*   Draft legislation that includes provisions for regular review and updates, allowing the regulatory framework to evolve alongside rapid technological advancements in AI.
    

**European Union: AI Act**

California legislators can benchmark existing AI legislation such as the EU Artificial Intelligence Act. The EU's AI Act is a pioneering, comprehensive legal framework designed to foster trustworthy AI while supporting innovation. It adopts a risk-based approach, categorizing AI systems into four levels: unacceptable, high, limited, and minimal risk. Unacceptable risk practices are prohibited, while high-risk AI applications in areas like education, employment, and law enforcement face stringent requirements. The act mandates transparency, requiring users to be informed when interacting with AI systems such as chatbots. It also introduces obligations for general-purpose models, focusing on risk management and transparency.

The AI Act's strengths include comprehensive coverage, ensuring all forms of AI are regulated uniformly, and its emphasis on protecting fundamental rights by categorizing AI based on risk levels. It encourages innovation by reducing regulatory burdens for low-risk AI applications, thus fostering technological development. However, the act's complexity and cost may be burdensome for small and midsize enterprises, and there's a potential risk of regulatory overreach, possibly hindering innovation.

**Conclusion**

California is at the forefront of tackling the challenges and opportunities posed by advanced AI models. Collaboration between government and industry stakeholders is essential in shaping a regulatory framework that keeps pace with the rapid evolution of AI technology. By working together with industry and other thought leaders, legislators can craft a flexible, evidence-based framework that ensures public safety while encouraging innovation. Like past tech regulations, California can set a strong precedent for responsible AI governance, with its influence likely extending beyond state lines. As AI continues to evolve, the world will closely monitor California's efforts, and true success will depend on protecting the public without stifling AI's transformative potential.

**About the Author**

Principal Product Manager, F5 Inc.

Debrup Ghosh is a seasoned product management leader with extensive experience in cybersecurity, SaaS, and AI-driven solutions. Currently a principal product manager at F5 Networks, he leads the development of cutting-edge Web application and API protection (WAAP) products with a focus on AI/ML innovations. Debrup has a proven track record of driving product success at major companies including Synopsys, Verizon, and Michelin. His leadership has earned him multiple global awards, including the 2024 Stevie Awards. A recognized thought leader, his insights have been featured in media outlets such as CNN and Forbes. Debrup holds an MBA from the University of California, Irvine, and a bachelor of technology from the National Institute of Technology, Tiruchirappalli.

The Future of AI Safety: California's Vetoed Bill &amp; What Comes Next

Businesses that successfully manage the complexities of multicloud management will be best positioned to thrive in an increasingly digital and interconnected world.

Source: John Williams RF via Alamy Stock Photo

COMMENTARY

Improper cloud security has cost organizations millions — sometimes even billions — in revenue in the past decade alone. A significant example is Japanese automaker Toyota, which suffered a data breach due to cloud misconfiguration, exposing the personal data of more than 2 million customers. Another example is Accenture, which in August 2021 fell victim to the LockBit ransomware group. Due to cloud misconfigurations, hackers gained access to and stole 6TB of proprietary client data, demanding a ransom of $50 million. These incidents highlight the catastrophic impact that cloud security failures can have. 

As organizations increasingly adopt multicloud strategies, managing multiple cloud environments can lead to cloud misconfigurations and improper handling of cloud resources. Each cloud provider offers different tools, settings, and protocols, making it challenging to ensure consistent security configurations across all platforms. These misconfigurations often are the root cause of significant security breaches, as seen in the examples above. The lack of visibility and control over multiple clouds exacerbates these risks, making it imperative for organizations to adopt robust cloud security practices.

The shift to multicloud environments offers enhanced reliability, reduced vendor lock-in risks, and greater business capabilities. However, this transition is fraught with complexities that require careful planning and strategic management to ensure success. Let's look at the critical aspects of managing multicloud environments, focusing on governance, security, and operational challenges. 

**Evolution and Risks of Multicloud Environments**

The cloud landscape has evolved from traditional on-premises virtualization to a complex array of cloud platforms operating simultaneously. This shift has introduced significant security challenges for enterprises. One of the primary drivers for adopting a multicloud strategy is the need to mitigate risks such as: 

*   Security vulnerabilities/zero-days 
    

However, these benefits come with inherent risks. Organizations must navigate the challenges of the following: 

*   Shared security controls: Implementing consistent security measures across different platforms can be challenging. 
    

*   Governance across multiple platforms: Ensuring compliance with various regulatory requirements can be complex. 
    

*   Varying compatibility: Third-party tools and services may not be compatible across all cloud environments. 
    

For example, companies that previously operated in a single cloud environment must now contend with the complexities of integrating and securing multiple cloud platforms, each with its own unique set of tools and protocols. The lack of coordination and governance in operations and deployments can lead to increased vulnerabilities and operational inefficiencies. Moreover, the scarcity of skilled professionals proficient in multiple cloud platforms exacerbates these challenges, making it crucial for organizations to invest in cross-functional training and development. 

**The Strategic Imperative of Governance and Security**

Effective governance is at the heart of a successful multicloud strategy. Organizations must establish clear guidelines and policies to manage the complexities of multiple cloud environments. Key governance aspects include: 

*   Defining roles and responsibilities: Clarifying who is responsible for cloud administration and security across different platforms. 
    

*   Deploying consistent security controls: Ensuring that security measures are uniformly applied across all cloud environments. 
    

*   Ensuring regulatory compliance: Meeting compliance requirements in each cloud environment.  
    

Security in a multicloud environment is particularly challenging, due to the expanded attack surface and the need for consistent security measures across different cloud platforms. A key aspect of managing security is the centralization of security operations. Centralizing the deployment of images and infrastructure-as-code (IaC) is essential for maintaining a secure and consistent cloud environment. For instance: 

*   Standardizing configurations: Establishing uniform configurations across all cloud environments to minimize the risk of security breaches. 
    

*   Automating security controls: Implementing automated security checks to reduce the likelihood of human error. 
    

Cloud security posture management (CSPM) tools play a critical role in this process. These tools enhance visibility across multiple cloud environments by providing a unified view of security risks. CSPM tools help organizations identify and prioritize risk mitigations according to their business requirements, ensuring that the most critical vulnerabilities are addressed promptly. By consolidating security data from various clouds into a single dashboard, these tools offer a comprehensive picture of the organization's security posture, enabling more effective decision-making. 

CSPM tools like Wiz, Orca, and Lacework go beyond basic security monitoring. They provide continuous assessment of cloud infrastructure, detect misconfigurations, and monitor compliance against frameworks such as CIS, PCI, NIST, and HIPAA. These tools also offer automation features, which can streamline incident response processes by automatically remediating identified risks or alerting security teams for further investigation. 

For instance, in my experience, Wiz and Orca have been particularly effective in identifying and mitigating risks in multicloud environments. These tools not only help prioritize the mitigation of various security risks but also provide structured guidance based on widely accepted baselines. Similarly, Lacework offers robust capabilities in anomaly detection, allowing organizations to identify unusual behaviors that may indicate security breaches or misconfigurations. 

**Taking Multicloud Management to the Finish Line**

Managing a multicloud environment requires a strategic approach that prioritizes governance, security, and centralization. Organizations must develop comprehensive strategies that align with their specific needs and invest in the necessary tools and skills to navigate the complexities of multicloud environments successfully. Understanding which offerings are unique to each cloud service provider allows organizations to leverage the strengths of different platforms effectively. Building a consistent monitoring capability across clouds is essential to maintain visibility and control over the entire infrastructure. 

The use of third-party tools suited for multicloud environments can enhance security and operational efficiency. Applying a framework with consistent policies and controls ensures that security standards are uniformly enforced across all cloud environments. Additionally, implementing a single identity system across clouds simplifies identity and access management, reducing the risk of unauthorized access and improving overall security posture. 

CSPM tools are essential components of this strategy, offering enhanced visibility and control across multiple cloud platforms. These tools provide a single, comprehensive view of the organization's security posture, enabling more informed decision-making and more effective risk management. As businesses continue to embrace the multicloud paradigm, those that successfully manage these complexities will be better positioned to thrive in an increasingly digital and interconnected world. 

**About the Author**

Information Security Officer, IMC Trading

Jatin Mannepalli, CISSP, CCSP is an information security officer (ISO) at IMC Trading, where he brings a deep commitment to managing security and risk across organizations. With more than 10 years of experience in the InfoSec space, he has built and led information security and risk management teams, and has also worked as a security consultant for major consulting firms like McKinsey & Company. Jatin is passionate about security governance and risk management, as well as developing technology-driven, customer-focused strategies that prioritize both organizational success and client satisfaction. Known for his holistic approach, he is dedicated to fostering a culture of security that aligns with the organization’s broader goals. In addition to his professional accomplishments, Jatin is recognized as one of the top voices in Information Security on LinkedIn. In his leisure time, he volunteers to promote security awareness in local communities and contributes to the cybersecurity community by helping develop exams for ISC2.

Navigating the Complexities &amp; Security Risks of Multicloud Management

NIST standardized three algorithms for post-quantum cryptography. What does that mean for the information and communications technology (ICT) industry?

Source: Cynthia Lee via Alamy Stock Photo

COMMENTARY

After a grueling eight years of testing, the National Institute of Standards and Technology (NIST) has finalized the first three algorithms that will form the backbone of the world's strategy to counter the potential threats of quantum computing.

Given that enterprising hackers are likely already harvesting and storing massive volumes of encrypted sensitive data for future exploitation, this is welcome news. We have the first post-quantum cryptography (PQC) algorithms to defend against the inevitable attacks on "Q-Day," when a cryptographically relevant quantum computer (CRQC) comes online.

Still, having these NIST-approved algorithms is just the first step. For the information and communications technology (ICT) industry, transitioning to a quantum-safe infrastructure is not a straightforward task; numerous challenges must be overcome. It requires a combination of engineering efforts, proactive assessment, evaluation of available technologies, and a careful approach to product development.

**The Post-Quantum Transition**

PQC algorithms are relatively new, and with no CRQC available to fully test, we cannot yet achieve 100% certainty of their success. Yet we know that any asymmetric cryptographic algorithm based on integer factorization, finite field discrete logarithms, or elliptic curve discrete logarithms will be vulnerable to attacks from a CRQC using Shor's algorithm. That means key agreement schemes (Diffie-Hellman or Elliptic Curve Diffie-Hellman), key transport (RSA encryption) mechanisms, and digital signatures must be replaced.

Conversely, symmetric-key cryptographic algorithms are generally not directly affected by quantum computing advancements and can continue to be used, with potentially straightforward increases to key size to stay ahead of quantum-boosted brute-forcing attacks.

**Hybrid Approach to Security**

The migration to PQC is unique in the history of modern digital cryptography in that neither traditional nor post-quantum algorithms are fully trusted to protect data for the required lifetimes. During the transition from traditional to post-quantum algorithms, we will need to use both algorithm types.

Defense and government institutions have already begun integrating these algorithms into the security protocols of specific applications and services due to the long-term sensitivity of their data. Private companies have also kicked off initiatives. For instance, Apple is using Kyber to create post-quantum encryption in iMessage, while Amazon is using Kyber in AWS.

Large-scale proliferation of PQC is coming, as global standards bodies, such as 3GPP and IETF, have already begun incorporating them into the security protocols of future standards releases. For instance, the IETF-designed Transport Layer Security (TLS) and Extensible Authentication Protocol-Authentication and Key Agreement (EAP-AKA) — two of the most widely used protocols across 3GPP networks— will both incorporate PQC.

This kind of standardization is key for industries like telecommunications and Internet services, where hundreds of different companies are providing the different hardware, device, and software components of a network. Like any security protocol, PQC must be implemented consistently across all exposed elements in the network chain because any link that isn't quantum-safe will become the focal point of any data harvesting attack.

Over the next few years, we will see more and more PQC-enhanced products enter the market. At first, they will likely use hybrid approaches to security, using both classical and post-quantum encryption schemes, as Apple and Amazon have done. But as quantum-security technologies advance and are further tested in the market, PQC will likely replace classical asymmetric encryption methods.

Because asymmetric algorithms are largely used for secure communications between organizations or endpoints that may not have previously interacted, a significant amount of coordination in the ecosystem is needed. Such transitions are some of the most complicated in the tech industry and will require staged migrations.

**Ready for Q-Day**

PQC isn't the only way to protect against a quantum attack, as quantum threats will only increase in sophistication. It's vital to deploy a defense-in-depth strategy — one that includes physics-based solutions like preshared keys with symmetric distribution and quantum key distribution (QKD) — but PQC will be a powerful security tool.

Attention to interoperability will be key here, as crypto agility will ease the migration to pure quantum-safe algorithms in the future. Some companies are already leaning toward open source rather than proprietary code, which can help to avoid a bumpy upgrade path in future for security products. As well, this crypto agility will ensure that technologies being designed now for inclusion in next-generation/6G products will also have backward-compatibility with 5G and other earlier standards.

Now that we have the essential first algorithms to build our arsenal against quantum computing threats, the next steps for the ICT industry will be critical. They must adopt hybrid solutions now to combat harvest-now-decrypt-later attacks; embrace crypto agility, interoperability, and rigorous testing; and deploy a defense-in-depth strategy. By following this strategy, we will be well on track to ensuring our long-term security and saving the world from potential disaster when Q-Day comes.

**About the Author**

Senior Research Scientist, Nokia

Aritra Banerjee is a Senior Research Scientist in Nokia Standards leading quantum-safe standardization efforts. His research interests span cryptography, quantum technologies, security, privacy-preserving technologies, and machine learning trends.

What Communications Companies Need to Know Before Q-Day

The FIN7 group is mounting a sophisticated malware campaign that spans numerous websites, to lure people with a deepfake tool promising to create nudes out of photos.

Source: Mike via Adobe Stock Photo

The notorious FIN7 threat group is combining artificial intelligence (AI) with social engineering in an aggressive, adult-themed threat campaign that dangles lures for access to technology that can "deepfake" nude photos — all to fool people into installing infostealing malware.

The powerful Russian financial cybercrime group has created at least seven websites that advertise for what's called a "DeepNude Generator," which promises to use deepfake technology transform any photo into a nude representation of the person pictured, according to new research from the threat hunters at Silent Push.

People can either download the generator via the site or sign up for a "free trial," demonstrating the sophistication of the scam. But instead of receiving the tool, they end up downloading malicious payloads such as the stealers Lumma and Redline, which can be used to deliver further malware such as ransomware, the researchers said.

Given the provocative lure, organizations are vulnerable to the campaign, as it may entice  unsuspecting employees to download malicious files. "These files may directly compromise credentials via infostealers or be used for follow-on campaigns that deploy ransomware," according to a blog post about the research.

Meanwhile, FIN7 also continues to promote an existing malvertising campaign that targets corporate users with lures to content by popular brands — including  SAP Concur, Microsoft, Thomson Reuters, and FINVIZ stock screening —  to spread the NetSupport RAT and .MSIX malware, according to Silent Push. The researchers identified a number of active IPs and thus "active new websites" hosting the ploy, which asks people to download a fake "required browser extension," which is actually a malicious payload, to view content related to the brands.

Related:Thousands of DrayTek Routers at Risk From 14 Vulnerabilities

**Fin7 Evolves With the Times**

The DeepNude Generator campaign demonstrates particularly sophisticated thought and planning on the part of FIN7, which developed at least seven dedicated websites URLs —such as aiNude\[.\]ai, easynude\[.\]website, and ai-nude\[.\]cloud — to make it appear convincing.

There is also evidence that FIN7 is employing search engine optimization (SEO) to keep users engaged and to rank their honeypots higher in search results by using footer links to "Best Porn Sites" on its sites. Those links direct victims to other malicious sites dangling the same lure.

Moreover, the group invested effort in creating two website versions for promoting the deepfake tool. The first involves a DeepNude Generator "free download," and the second offers site visitors a DeepNude Generator "free trial," each with a different attack flow.  

Related:Python-Based Malware Slithers Into Systems via Legit VS Code

The first uses "a simple user flow" that uses a "free download" link leading users to a new domain featuring a Dropbox link or another source hosting a malicious payload, according to Silent Push.

The second attack flow prompts users via a "free trial" button to upload an image to test the generator. If this is done, the user is next prompted with a “trial is ready for download” message, with a corresponding pop-up requires the user to answer the question: "The link is for personal use only, do you agree?"

"If the user agrees and clicks 'download,' they are served a .zip file with a malicious payload" that leads to the Lumma Stealer, and which uses a DLL side-loading technique for execution, according to Silent Push.

**Mitigation & Defense Against Fin7**

The two campaigns demonstrate that FIN7 — a cybercrime collective also known as Carbanak, Carbon Spider, Cobalt Group, and Navigator Group that's been active since 2012 — remains an imminent threat despite many attempts by law enforcement to shut it down, or at least significantly disrupt it. It also shows a tenacity on the group's part to evolve with modern technology and psychological tactics to create more sophisticated ways to spread malware, the researchers said.

Related:Dragos Expands ICS Platform With New Acquisition

Indeed, FIN7 has long been known for its savvy combination of malware and social engineering, having mounted a slew of successful, financially motivated attacks against global organizations that have hauled in well over $1.2 billion — and counting — for the criminal enterprise.

To help organizations combat threats from FIN7 and other organized cybercriminal groups, developing indicators of attack based on the group's tactics, techniques, and procedures (TTPs) is one method. Also, training employees to be aware of these increasingly elaborate social engineering tactics that threat groups use, and blocking the download of any unknown any files from the Internet onto a machine connected to a corporate network also can help enterprises avoid compromise by sophisticated threat campaigns.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

AI 'Nude Photo Generator' Delivers Infostealers Instead of Images

CeranaKeeper is bombarding Southeast Asia with data exfiltration attacks via file-sharing services such as Pastebin, OneDrive, and GitHub, researchers say.

Source: Antonio Gill via Alamy Stock Photo

An emergent China-aligned threat actor called CeranaKeeper has orchestrated a massive data exfiltration effort across Southeast Asia, most recently launching a barrage of cyberattacks against government institutions of Thailand.

The group has been working since early 2022, according to ESET researchers. Analysis showed CeranaKeeper was using components common with the known Chinese-backed APT group Mustang Panda, in addition to fresh tools for undermining legitimate file-sharing services, including Pastebin, Dropbox, OneDrive, and GitHub.

"Based on our findings, we decided to track this activity cluster as the work of a separate threat actor," a new ESET report said. "The numerous occurrences of the string \[Bb\]ectrl in the code of the group's tools inspired us to name it CeranaKeeper; it is a wordplay between the words beekeeper and the bee species Apis Cerana, or the Asian honey bee."

CeranaKeeper broke into Thai government systems through a brute-force attack against a local area network domain control server in mid-2023, ESET said. From there the group was able to get privileged access, deploy the Toneshell backdoor and a credential dumping tool, and also abuse a legitimate Avast driver to disable security protections.

Once comfortably in the network, the group began a massive data harvesting effort, ESET observed.

The group is "relentless," rapidly evolving, and nimble, ESET warned.

"The operators write and rewrite their toolset as needed by their operations and react rather quickly to keep avoiding detection," ESET added. "This group's goal is to harvest as many files as possible and it develops specific components to that end."

The Chinese government uses APT groups like Mustang Panda and CeranaKeeper to support government activities through espionage and other cybercrimes.

China-Backed APT Group Culling Thai Government Data

Armed with a staggering arsenal of at least 20,000 different exploits for various Linux server misconfigurations, perfctl is everywhere, annoying, and tough to get rid of.

Source: J Poulssen via Alamy Stock Photo

A multipurpose and mysterious malware dropper has been terrorizing Linux servers worldwide for years, infecting untold thousands of victims with cryptomining and proxyjacking malware. A fresh analysis has exposed its secrets — and a vast treasure trove of tens of thousands of exploit paths for compromising its targets.

It's been some time now that individuals in the US and Russia, Germany and Indonesia, Korea, China, Spain, and most everywhere in between have been reporting cases of "perfctl" (aka perfcc) eating up all their compute power.

"We've seen blog and forum posts over the past three or four years — maybe even longer — saying, 'something is attacking me, I don't know, I'm trying to kill it,'" Aqua Nautilus chief researcher Assaf Morag recalls. "There are a lot of articles describing how you kill perfctl, but people can't kill it because it keeps hiding itself, and it's very persistent."

The malware looks for vulnerabilities and misconfigurations to exploit in order to gain initial access. To date, Aqua Nautilus reported today, the malware has likely targeted millions of Linux servers, and compromised thousands. Any Linux server connected to the Internet is in its sights, so any server that hasn't already encountered perfctl is at risk.

Related:Dark Reading News Desk Live From Black Hat USA 2024

And, Morag warns, its ambitions don't necessarily end with cryptomining and proxyjacking. Though not recorded in his report, Morag has observed the malware dropping TruffleHog, a legitimate penetration testing tool designed to snuff out hardcoded secrets in source code.

"So imagine: They're earning money on the side \[by cryptomining and proxyjacking\], but also stealing secrets and maybe selling them in the cyber underground — selling access to servers that are related to big companies," he posits.

**Every Misconfiguration in the Book**

The volume and variety of potential server misconfigurations that perfctl is capable of identifying and exploiting is vast.

By tracking its infections, researchers identified three Web servers belonging to the threat actor: two that were previously compromised in prior attacks, and a third likely set up and owned by the threat actor. One of the compromised servers was used as the primary base for malware deployment. The other compromised server contained a much more interesting find: a list of potential avenues to directory traversal, nearly 20,000 entries long.

The list contained more than 12,000 known server misconfigurations, nearly 2,000 paths towards nabbing unauthorized credentials, tokens, and keys, more than 1,000 techniques for unauthorized login, and dozens of possible misconfigurations in different applications (68, for example, associated just with Apache RocketMQ, the open source distributed messaging and streaming platform). Citing just a few examples, Morag explains that "if you have an HTTP server, maybe you expose a template. In Kubernetes, by mistake, you could expose secrets, or roles. Or even a weak password can be a misconfiguration."

Related:Darktrace Announces Formal Completion of its Acquisition by Thoma Bravo

Alongside this fuzzing list on the compromised server were follow-on files containing exploits for the various kinds of documented misconfigurations.

Besides misconfigurations, perfctl is also capable of gaining initial access to a server via various bugs, such as CVE-2023-33246, a remote command execution (RCE) vulnerability in Apache RocketMQ. CVE-2023-33246 earned a "critical" 9.8 out of 10 score on the Common Vulnerability Scoring System (CVSS) last year.

**How perfctl Hides Loud Activity**

Cryptomining and proxyjacking are loud by nature. Whether it be third-party proxyware or the XMRig Monero miner, the programs that perfctl drops onto a compromised server will exhaust its CPU resources. And yet, perfctl itself is not easy to spot or excise, thanks to its layers of sophisticated stealth and persistence mechanisms.

Related:LockBit Associates Arrested, Evil Corp Bigwig Outed

For example, to facilitate stealthy communication, the program drops a backdoor and listens for communications via Tor. And to avoid detection and obscure evidence of its presence, it uses process masquerading, copying itself to various locations under names that map to legitimate system processes.

The very name its authors gave to it, "perfctl," is evidence of the same sort of tactic: "perf" is a Linux monitoring tool, and "ctl" is commonly used as a suffix for command line tools which control system components or services. The legitimate-looking name of the malware, then, allows it to more easily blend in with typical processes.

And then, after executing, perfctl deletes its binary but continues to run as a service behind the scenes.

To further hide its presence and malicious activities from security software and researcher scrutiny, it deploys a few Linux utilities repurposed into user-level rootkits, as well as one kernel-level rootkit. The kernel rootkit is especially powerful, hooking into various system functions to modify their functionality, effectively manipulating network traffic, undermining Pluggable Authentication Modules (PAM), establishing persistence even after primary payloads are detected and removed, or stealthily exfiltrating data.

And when a user logs in to the compromised server, perfctl instantly halts its noisiest behaviors, laying low until the user logs off and the coast is clear.

In short, "it's a powerful tool," Morag says. "You can decide to erase data, to steal data, to buy cryptocurrency, to do proxyjacking — it's up to the attacker."

**Mitigation for perfctl & Other Fileless Malware**

Those running Linux servers should take immediate steps to protect their environments, researchers warned. Aqua recommends the following mitigations for perfctl and similar threats:

*   Patch vulnerabilities: Ensure that all vulnerabilities are patched. Particularly internet facing applications such as RocketMQ servers and CVE-2021-4043 (Polkit). Keep all software and system libraries up to date.
    
*   Restrict file execution: Set noexec on /tmp, /dev/shm and other writable directories to prevent malware from executing binaries directly from these locations.
    
*   Disable unused services: Disable any services that aren’t required, particularly those that may expose the system to external attackers, such as HTTP services.
    
*   Implement strict privilege management: Restrict root access to critical files and directories. Use role-based access control (RBAC) to limit what users and processes can access or modify.
    
*   Network segmentation: Isolate critical servers from the internet or use firewalls to restrict outbound communication, especially TOR traffic or connections to cryptomining pools.
    
*   Deploy runtime protection: Use advanced anti-malware and behavioral detection tools that can detect rootkits, cryptominers, and fileless malware like perfctl.
    

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Source

DARKReading