New analysis says law enforcement efforts against Russian-language ransomware-as-a-service (RaaS) infrastructure helped consolidate influence behind BlackBasta, but some experts aren't so sure the brand means that much.

Source: JK Sulit via Alamy Stock Photo

The Russian-language ransomware scene isn't all that big. And despite an array of monikers for individual operations, new analysis shows these groups' members are working in close coordination, sharing tactics, botnets, and malware among one another, as well as with the Russian state. And now, a new power player ransomware group brand has emerged — BlackBasta.

Since the spectacular law enforcement takedown of Conti's operations in 2022, the Russian-language ransomware landscape has been a bit in flux. Upending usual business operations further was the subsequent August 2023 takedown of Qakbot botnets, long relied upon by these groups to deliver their ransomware. The law enforcement action, called "Operation Duck Hunt," removed Qakbot malware from more than 700,000 infected machines. The Qakbot botnet takedown success would be short lived. Analysts started to see the it pop back up in cyberattacks just a couple of months later.

Even so, by January, BlackBasta has already pivoted and was observed using a competing botnet tool called Pikabot, along with an emerging new threat group, Water Curupira, which similarly used Pikabot to drop BlackBasta ransomware.

From there BlackBasta diversified into phishing, vishing, and social engineering, as well as buying entry into target networks from initial access brokers. But by last August, the ransomware group was using its own custom-developed malware, Cogscan, used to map victim networks and sniff out the most valuable data, as well as a .NET-based utility called Knotrock, used to execute ransomware.

Related:Dark Reading Confidential: Pen-Test Arrests, 5 Years Later

**Are Law Enforcement Takedowns Against Ransomware Working?**

In a new report, RedSense cybersecurity analyst Yelisey Bohuslavskiy has provided a detailed look at the evolution of BlackBasta tactics, concluding that the group's requirement to adapt in the wake of large-scale law enforcement has made it a leader in the Russian-language ransomware space. In fact, Bohuslavskiy worries that the group is in a position to become an important partner of the Russian state. In the report, he used the example of the punishing rounds of cyberattacks against the healthcare sector this year and a potential bleak peek at what's to come.

"Considering the abnormality of 2024 high-profile attacks against healthcare, I am concerned about the potential liaison between BlackBasta and \[Russian nation-state threat actor\] Nobelium \[Midnight Blizzard\] and the Russian security apparatus in general," Bohuslavskiy tells Dark Reading. "While at this point, the connection is mostly MS Teams exploitation and some other TTPs and can not be confirmed, if in the future Russian ransomware groups will develop direct cooperation with the Russian state, this will result in tangible deterioration of the threat landscape."

Related:Leaky Cybersecurity Holes Put Water Systems at Risk

He predicts that BlackBasta and the hackers in its orbit will get increasingly sophisticated in their attacks in the months to come, namely social engineering attempts at compromising credentials.

"I would advise preparing for defending different social engineering against endpoints with a focus on credentials," Bohuslavskiy adds. "Cisco, Fortinet, and Citrix credentials are definitely the main focus of BlackBasta now. I would also look at GitHub repositories and other open repositories that an enterprise may have, as we are seeing these actors hunting for them."

This is good news for cyber defenders. Social engineering is a much less efficient way to disseminate ransomware versus a botnet blast, Bohuslavskiy adds.

"To my opinion, the most important thing is that law enforcement action is working," he says. "The transition shows a slow but steady movement from botnets to social engineering, even for traditionalists like BlackBasta. And by all means, social engineering is inferior to botnets in dissemination."

Related:Going Beyond Secure by Demand

Bohuslavskiy points to the Conti group's foray into a massive experiment with call centers filled with people conducting social engineering cyberattacks, adding that it turned out to be a flop.

"Trickbot, Emotet, and Qbot were the ultimate sources of ransomware delivery for the entirety of the Russian-speaking domain, and by now, all of them are down due to law enforcement action," he says. "No substitute has come since. However, we should be aware that the leadership of the groups also understands this, and therefore, they will try to double down on developing new botnets. This is why I predict that BlackBasta's plays with social engineering will be short-lived."

**Russian-Language Ransomware Coordination**

Expert ransomware negotiator Ed Dubrovsky, COO and partner at Cypfer, isn't sure it's that simple. In his experience, he explains, these Russian RaaS operations are highly decentralized groups of individual hackers with a complex organizational structure. Assigning cooperation between groups and the Russian state implies a level of operational coordination he hasn't seen.

When one group is taken down by law enforcement, individual talent easily flows to another brand, in his view.

"We tend to bunch them up together into a named group like BlackBasta, which is nothing more than an umbrella structure offering software and infrastructure solutions and some adjacent services," Dubrovsky says. "They are completely dependent on the affiliates, aka franchisees, to actually conduct attacks. So to claim that there is cooperation between nation-state actors and a ransomware 'brand' or 'franchise' is almost equivalent to saying McDonald's is working with state actors because they have a McDonald's in Russia."

He suggests it's more likely individuals shuffling around ransomware trade secrets driven purely by return on investment rather than commitment to any specific group or specific fear of law enforcement.

It's also important to note that "Russian-speaking" doesn't necessarily mean "Russian threat actors" when it comes to the hackers circulating around these RaaS operations, Ngoc Bui, cyber expert with Menlo Security says.

"Many Dark Web forums and illicit communities predominantly use the Russian language, but this doesn’t necessarily mean all participants are Russian," she explains. "This distinction is critical when interpreting predictions about increased coordination."

She adds there is a "golden rule" among these adversaries.

"As long as operations don’t target Russia or its allies, they are often overlooked," she says. "This tolerance can make Russia an appealing environment for cybercriminals to operate, whether or not direct state coordination is involved."

Beyond assigning specific tactics to various brands, Dubrovsky urges cybersecurity teams to focus on protecting their systems from increasingly well-funded and well-trained Russian-speaking ransomware adversaries. The entire threat landscape has been exploding since 2013, and he views its "further deterioration" predicted by Bohuslavskiy as an obvious given.

"Could we say that this will accelerate even more due to the resources available to \[threat actors\] and certainly nation-states? Absolutely," Dubrovsky adds. "Would/could it be directly correlated because of observed TTPs? Not sure this will ever be conclusive. The real question is how do we defend against threat actors with increasing resources and capabilities to cause more impact."

BlackBasta Ransomware Brand Picks Up Where Conti Left Off

In a "new class of attack," the Russian APT breached a target in Washington, DC, by credential-stuffing wireless networks in close proximity to it and daisy-chaining a vector together in a resourceful and creative way, according to researchers.

Source: Science Photo Library via Alamy Stock Photo

A sophisticated cyber-espionage attack used by notorious Russian advanced persistent threat (APT) Fancy Bear at the outset of the current Russia-Ukraine war demonstrates a novel attack vector that a threat actor can use to remotely infiltrate the network of an organization far away by compromising a Wi-Fi network in close proximity to it.

Fancy Bear (aka APT28 or Forest Blizzard) breached the network of a US organization using this method, which the researchers at Volexity are calling a "Nearest Neighbor" attack.

"The threat actor accomplished this by daisy-chaining their approach, to compromise multiple organizations in close proximity to their intended target, Organization A," Volexity researchers Sean Koessel, Steven Adair, and Tom Lancaster wrote in a post detailing the attack. "This was done by a threat actor who was thousands of miles away and an ocean apart from the victim."

The hack demonstrated "a new class of attack" for an attacker so far away from the intended target to use the Wi-Fi method, the researchers said. Volexity tracks Fancy Bear — a part of Russia's General Staff Main Intelligence Directorate (GRU) that's been an active adversary for at least 20 years — as "GruesomeLarch," one of the APT's many names.

Volexity first discovered the attack just ahead of Russia's invasion of Ukraine in February 2022, when a detection signature Volexity had deployed at a customer site indicated a compromised server. Eventually, the researchers would determine that Fancy Bear was using the attack "to collect data from individuals with expertise on and projects actively involving Ukraine" from the Washington, DC-based organization.

Related:Dark Reading Confidential: Meet the Ransomware Negotiators

**A Cyberattack Chained Through Multiple Orgs**

The attack involved Fancy Bear performing credential-stuffing attacks to compromise at least two Wi-Fi networks in close physical proximity to the target. The attacker then used credentials to compromise the organization, since credential-stuffing attacks alone couldn't compromise the targeted organization's network due to the use of multifactor authentication (MFA), according to Volexity.

"However, the Wi-Fi network was not protected by MFA, meaning proximity to the target network and valid credentials were the only requirements to connect," the researchers wrote.

Ultimately, the investigation revealed "the lengths a creative, resourceful, and motivated threat actor is willing to go to in order to achieve their cyber-espionage objectives," they wrote.

During the course of a lengthy investigation, Volexity worked with not only with the targeted organization but also connected with two other organizations (aka Organizations B and C) that were breached to eventually reach the target.

Related:Ransomware Attack on Blue Yonder Hits Starbucks, Supermarkets

Ultimately, Volexity discovered an attack structure to breach Organization A that used privileged credentials to connect to it via the Remote Desktop Protocol (RDP) from another system within Organization B's network.

"This system was dual-homed and connected to the Internet via wired Ethernet, but it also had a Wi-Fi network adapter that could be used at the same time," the researchers explained in their post. "The attacker found this system and used a custom PowerShell script to examine the available networks within range of its wireless, and then connected to Organization A's enterprise Wi-Fi using credentials they had compromised."

Moreover, the APT also used two modes to access to Organization B's network to gain intrusion to the ultimate target, the researchers discovered. The first was using credentials obtained via password-spraying that allowed them to connect to the organization's VPN, which was not protected with MFA. Volexity also found evidence the attacker had been connecting to Organization B's Wi-Fi from another network that belonged to nearby Organization C, demonstrating the daisy-chain approach to the attack, the researchers wrote.

Related:Yakuza Victim Data Leaked in Japanese Agency Attack

Throughout the attack, Fancy Bear adopted a living-off-the-land approach, leveraging standard Microsoft protocols and moving laterally throughout the organization. One tool in particular that they made particular use of was an inbuilt Windows tool, Cipher.exe, that ships with every modern version of Windows, the researchers found.

**Beware Thy (Wi-Fi) Neighbors**

Because the attack highlights a new risk for organizations of compromise through Wi-Fi even if an attacker is far away, defenders "need to place additional considerations on the risks that Wi-Fi networks may pose to their operational security," treating them "with the same care and attention that other remote access services, such as virtual private networks (VPNs)," the researchers observed.

Recommendations for organizations to avoid such an attack include creating separate networking environments for Wi-Fi and Ethernet-wired networks, particularly where Ethernet-based networks allow for access to sensitive resources. They also should consider hardening access requirements for Wi-Fi networks, such as applying MFA requirements for authentication or certificate-based solutions.

To detect a similar attack once the threat actor achieves presence on the network, organizations should consider monitoring and placing an alert on anomalous use of the common netsh and Cipher.exe utilities. Defenders also can create custom detection rules to look for files executing from various nonstandard locations, such as the root of C:\\ProgramData\\, and improve detection of data exfiltration from Internet-facing services running in an environment.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Fancy Bear 'Nearest Neighbor' Attack Uses Nearby Wi-Fi Network

By Philippe Laulheret
ClipSP (clipsp.sys) is a Windows driver used to implement client licensing and system policies on Windows 10 and 11 systems.
Cisco Talos researchers have discovered eight vulnerabilities related to clipsp.sys ranging from signature bypass to elevation of privileges and sandbox escape:

TALOS-2024-1964 (CVE-2024-38184)
TALOS-2024-1965 (CVE-2024-38185)

Monday, November 25, 2024 08:00

By Philippe Laulheret

ClipSP (clipsp.sys) is a Windows driver used to implement client licensing and system policies on Windows 10 and 11 systems.

Cisco Talos researchers have discovered eight vulnerabilities related to clipsp.sys ranging from signature bypass to elevation of privileges and sandbox escape:

*   TALOS-2024-1964 (CVE-2024-38184)
*   TALOS-2024-1965 (CVE-2024-38185)
*   TALOS-2024-1966 (CVE-2024-38186)
*   TALOS-2024-1968 (CVE-2024-38062) 
*   TALOS-2024-1969 (CVE-2024-38187)
*   TALOS-2024-1970 (CVE-2024-38062)
*   TALOS-2024-1971 (CVE-2024-38062)
*   TALOS-2024-1988 (CVE-2024-38062)

This research project was also presented at both HITCON and Hexacon. A recording of the latter’s presentation is embedded at the end of this article.

****What is ClipSp?****

ClipSp is a first-party driver on Microsoft Windows 10 and 11 that is responsible for implementing licensing features and system policies, and as such it is one of the main components of the Client Licensing Platform (CLiP). Little is known about this driver; while most Microsoft drivers and DLLs have publicly available debug symbols, in the case of ClipSp, those were removed from Microsoft's symbol server. Debug symbols provide function names and other related debug information that can be leveraged by security researchers to infer the intent behind the many functions of a binary; their absence hinders that. Surprisingly, the driver is also obfuscated, a very rare occurrence in Microsoft binaries, likely to deter reverse engineering even further. Limited public research exists, much of which either predates our findings or was released in response to our reports. The latter research also shares symbols from an older version of ClipSp, which could be a useful springboard for anyone wanting to research this driver. The most interesting aspect of this software involves implementing features related to licensing Windows applications from the Windows App store and activation services for Windows itself.

****Deobfuscation****

The driver is obfuscated with Warbird, which is Microsoft’s proprietary obfuscator. Luckily, past research comes in handy, and we can adapt to suit our needs. The plan to deobfuscate the driver is to leverage the binary emulation framework Qiling, to emulate the part of the driver responsible for deobfuscating the obfuscated sections, and dump the executable memory range to import it into our favorite reversing tool.

During normal operation, the obfuscation appears as follows:

We can see that a decrypt function is called twice with different parameters, followed by a call to the actual function being deobfuscated and, finally, two calls to re-obfuscate the relevant section.

Using Ida Python, we can track all the references to the decrypt functions (there are actually two distinct functions), and recover their arguments by looking at the instructions that precede the function call where the RCX and RDX registers are being assigned. Per calling conventions, these two registers are the first and second arguments of the function. Then, we can feed this information to our modified Qiling script to emulate the decryption functions and dump the whole deobfuscated binary. Once the driver is deobfuscated, we can start reversing it to understand how Windows communicates with the driver, understand various business logic elements, and look for vulnerabilities.

****Driver communication****

Usually, drivers either register a device that can be reached from userland or export the functions that are meant to be used by other drivers. In the ClipSp case, things behave slightly differently. The driver exports a “ClipSpInitialize” function that takes a pointer to an array of callback functions that get populated by ClipSp, to then be used by the calling driver to invoke ClipSp functionalities. Grepping for “ClipSpInitialize” throughout the System32 folder shows that the best candidate for using ClipSp is “ntoskrnl.exe”, followed by a handful of filesystem drivers that use a limited amount of ClipSp functions. For the rest of this report, we will focus on how “ntoskrnl” interacts with ClipSp.

Analyzing the cross-references within the Windows’ kernel to ClipSp functions, it becomes clear that, to interact with them, a call to “NtQuerySystemInformation” with the SystemPolicy class is required. Other binaries in the CLiP ecosystem will issue these system calls, while also providing a remote procedure call (RPC) interface to decouple other software from the undocumented API. However, nothing stops us from interacting with the “NtQuerySystemIformation” endpoint directly, which becomes a handy trick to bypass some of the additional checks that are enforced by the intended RPC client library.

****Obfuscated structures****

Unfortunately for us, looking at how a legitimate binary interacts with the SystemPolicy class, we can see the following (from  wlidsvc!DeviceLicenseFunctions::SignHashWithDeviceKey):

This is another layer of obfuscation that encapsulates the data passed over to the API. The idea here is that a network of binary transformations (also known as a Feistel cipher) is used to encrypt the data with the various operations inline in the code (as seen above). Part of the API call will provide the list of operations that were used, and the kernel will call them directly with the appropriate parameters to decrypt the data. As such, the easier approach to dealing with this is to simply rip out both the encryption code and the associated parameters and re-use them in our own invocation of the API. Copying and pasting the decompiler’s output into Visual Studio is a little tedious but usually works fine. Before returning from the syscall, the resulting data is obfuscated in a similar fashion, and, once again, ripping out the data from a working implementation is the most straightforward way to deal with it. Overall, the data format looks as such:

The inner payload (left) is an array of size-value entries that contain the command number that needs to be executed, followed by the Warbird material used to encrypt the reply from the kernel, and finally command-specific data that depends on which ClipSp function is being invoked.

This data is then encapsulated into a structure that mostly specifies the number of entries there are in the provided array and the whole thing then gets encrypted. The remaining Warbird data in the righ-most part of the diagram is to instruct the kernel how to decrypt the provided data.

Here’s our best guess at the various available commands:

Most of them call into ClipSp, but a few (especially in the <100 range) may be solely handled by the Windows kernel.

****Sandbox considerations****

Microsoft provides a tool to test if a piece of code can be run within a low-privilege context called a Less Privileged Application Container (LPAC) sandbox. Using this with our proof of concept, we can confirm that ClipSp’s APIs are actually reachable from an LPAC context. This is particularly interesting as these application containers are usually used to sandbox high-risk targets, such as parsers and browser rendering processes. As such, any elevation of privilege vulnerabilities we could find would likely double as sandbox escapes as well.

****Processing licenses****

Throughout the reversing process, we observed that the license files handled by ClipSp were quite interesting. They are usually obtained silently from Microsoft when interacting with UWP applications (both coming from the App Store and those installed by default, such as Notepad). They can also be used for other purposes, such as Windows activation, hardware binding, and generally providing cryptographic material for various applications.

At first, license files appear to be opaque blobs of data that are installed via the “SpUpdateLicense” command. This can be invoked following the process described above with the command “\_id = 100”. Existing licenses are stored in the Windows registry at the following location:

HKLN\\SYSTEM\\CurrentControlSet\\Control\\{7746D80F-97E0-4E26-9543-26B41FC22F79}

Only the SYSTEM user can access this registry key. From an elevated prompt, the following command can open regedit as SYSTEM:

PsExec64.exe -s -i regedit

The format for these licenses is mostly undocumented, but looking at how they are being parsed is pretty informative. These licenses are in a tag-length-value (TLV) format, where the list of authorized tags is contained in an array of tuples of the form (tag, internal\_index) hardcoded inside ClipSp. Upon parsing, a pointer to each valid TLV entry is stored in an array at the location indicated by the internal\_index:

****Signature bypass (**TALOS-2024-1964**)****

Licenses are signed by various signing authorities whose public keys are hardcoded in ClipSp. Verification code looks as such:

The “entry\_of\_type\_24” value is a pointer saved during the parsing of the license and points to its signature. The difference between “entry\_of\_type\_24” and “License\_data” is pointer arithmetic used to count the number of bytes from the beginning of the license blob up to its signature. 

During the parsing, this looks as such:

If the internal index associated with the entry’s tag is 24, then the processing loop is temporarily exited. A pointer to the signature is saved, and if more data remains, the license processing is resumed.

We can see that this approach is flawed: If there is data after the license’s signature, it will still be parsed but not checked against the signature, effectively enabling an attacker to bypass the signature check of any license as long as they can get one that is already signed with the proper signing authority.

****Out-of-bound read vulnerabilities (**TALOS-2024-1965,TALOS-2024-1968, TALOS-2024-1969, TALOS-2024-1970, TALOS-2024-1971, TALOS-2024-1988**)****

We can cross reference where the license structure and its array of pointers to the TLV data is being used, and what we find is many wrapper functions that return either the length/size of a given entry or the data associated with it. In most cases, this is done in a secure fashion, but there are a few entries that make assumptions on the size of the data provided in the license blob, which leads to a handful of out-of-bound read vulnerabilities. An example of such vulnerabilities can be seen in the following screenshots:

These two functions retrieve either the size of the DeviceID field or its content. However, if the data is formatted in such a way that line 11 is reached (i.e., no entry of type 5 in the license provided) then the **data** field of entry 18 is used to provide both size and value by dereferencing its pointer, without checking if enough data was provided for that. For instance, if we append a DeviceID entry (type 18) at the end of a valid license blob, but make it so its data field is only one byte long, then the “get\_DeviceIDSize” function will read one byte out of bound, as it is expecting two bytes of data. Furthermore, any function that calls “get\_DeviceID” will receive a pointer that is pointing one byte past the end of the license file and will likely act on wrong information from the “get\_DeviceIDSize” function for further out of bound (OOB)-read problems.

****Turning an OOB-read into an OOB-write (**TALOS-2024-1966**)****

If we look specifically at the case described above where the DeviceIdSize field can be read out of bound, this creates a particularly interesting situation where the expected size of the DeviceID object can change throughout its lifetime if the data immediately adjacent in memory changes in a meaningful way. The first byte of data after the license blob will also be read as the leading byte of the (unsigned short) value defining the size of the DeviceID. Looking at how these two functions are used in ClipSp, we can see that during the installation of a hardware license, the following happens:

We can see multiple calls to the “get\_DeviceIDSize” function, with one providing the size field to a memory allocation routine, while another call is used as a parameter to a “memcpy”. If the size field changes in between the two calls, this may lead to an out-of-bounds write vulnerability.  

Exploiting a vulnerability like this is far from trivial, as one would have to win a race condition between the two fetches while being able to shape the PagedPool heap in such a way that there’s meaningful data located right after the malicious license blob.

****Conclusion****

As we have just seen, obfuscated code can hide low hanging fruit, trivial memory corruptions, and simple logic bugs. In the case of ClipSp, this issue is even more serious, as this attack vector may lead to sandbox escapes and potentially significant impact to the compromised user.

As such, this is a reminder for security researchers on the value of taking the less traveled path, even if it begins with a bramble of Feistel functions. And for the software engineers and project managers who decide to leverage obfuscation for their projects, this is also a stark reminder that this approach may hinder normal bug finding processes that would detect trivial bugs early on.

\[Please embed video from: https://www.youtube.com/watch?v=9t0Xt40RZEc  \]

Finding vulnerabilities in ClipSp, the driver at the core of Windows’ Client License Platform

Building on its broad security portfolio, Microsoft's new exposure management is now available in the Microsoft Defender portal, with third-party-connectors on the way.

Source: Wavebreak Media ltd via Alamy Stock Photo

Microsoft is the latest big name to add continuous threat exposure management (CTEM) to its formidable security portfolio with the release of its new Microsoft Security Exposure Management offering. Microsoft made the announcement at its annual Microsoft Ignite conference this week.

Security experts describe CTEM, or proactive exposure management, as a programmatic and unified approach to detecting and mitigating threats. Gartner predicts that by 2026, organizations that embrace CTEM will see two-thirds fewer breaches.

Enterprise Strategy Group principal analyst Tyler Shields describes exposure management as the next iteration of vulnerability management.

"It's centered on the overlap of continuous asset discovery and management, threat and exposure analysis, and vulnerability discovery," Shields says. "If you can understand the assets you have, the state they are in, the vulnerabilities that exist, and the active threats against them, you are all prepared to secure your environment."

Microsoft initially introduced Security Exposure Management in March as a technical preview. It is now available in the Microsoft Defender portal, included with its E5 licenses, and as an option for various other Microsoft 365 licenses.

**Unified Views of Attack Surfaces**

With its entry, Microsoft seeks to enable defenders to prevent successful attacks by providing comprehensive and unified views of their organizations' broad attack surfaces, allowing them to take a more proactive approach to identifying and mitigating threats.

"Exposure management is critical for enabling teams to understand the posture of the organization, and it helps security teams see all the potential attack paths to critical assets as if they were looking through it, through the eyes of the attacker," said Vasu Jakkal, Microsoft's corporate VP for compliance, identity management, during the opening session at Ignite, which took place in Chicago.

The tooling is designed to identify attack paths and evaluate vulnerabilities in the context of an organization's critical assets in a more proactive and expansive manner than traditional vulnerability and threat detection offerings. Security Exposure Management uses Microsoft's new exposure graph APIs to identify attack paths and evaluate vulnerabilities in the context of critical assets.

Analysts say Microsoft's entry is poised to reshape the competitive environment of exposure management solutions offered by Cisco/Splunk, CrowdStrike, Palo Alto Networks Rapid7, Tenable, Trend Micro, and Wiz, as well as various others that provide more specialized capabilities.

"Exposure management is becoming an incredibly competitive market, and Microsoft is demonstrating that it wants to be a leader in this space," says Omdia principal analyst Andrew Braunberg.

Adds Forrester senior analyst Erik Nost, since Microsoft is initially allowing access to exposure management through a variety of licensing options, customers will have widespread access to insights.

"The data Microsoft possesses on existing customer environments without needing to ingest third-party data is the biggest opportunity for Microsoft to set it apart from competitors," Nost says. "Microsoft is building a platform that integrates a very broad set of security posture management telemetry."

**Building an Ecosystem of External Connections**

While the initial release is available and included with various Microsoft 365 and Microsoft Defender licenses and will ingest telemetry from those offerings, Microsoft announced it will enable integration with competing external third-party tools, including Qualys, Rapid7, Tenable, and ServiceNow's CMDB.

Microsoft released public preview versions of its third-party connectors, slated to become generally available next quarter.

Unlike Microsoft telemetry, which customers can ingest at no additional cost, they will incur charges to gather data from external sources, said Microsoft product director Brjann Brekkan, during a session on security exposure management at Ignite.

"We don't own that data," Brekkan explained. "We need to charge a little bit of cost to bring that third-party signal in, to attach those new data points from those services as well. But this is there for you to unify your data."

Security Exposure Management collects data through these connectors and normalizes it through its exposure graph, which maps relationships and exposes new attack paths. In a blog post, Brekkan said this provides "comprehensive attack surface visibility."

Microsoft exposure management also provides insights on the most critical assets, Internet exposure, and context related to business applications incorporated from the connected tools. Customers can view the integrated data, which can be visualized through the Attack Map tool or analyzed using advanced hunting queries via KQL (Kusto Query Language), Microsoft's Azure-based tool designed to identify anomalies in large data sets.

The offering now consists of three primary tools:

*   Attack Surface Management: Defenders have access to continuous views of their organization's attack surface. Notably, the tool identifies the most critical assets and those that are the prime targets of attackers
    
*   Attack Path Analysis: Security teams can visualize and prioritize high-risk attack paths, particularly those targeting those critical assets
    
*   Unified Exposure Insights: Administrators can view their organization's threat exposure, allowing them to prioritize risks and tie remediation priorities with business imperatives.
    

Omdia's Braunberg says it remains to be seen how many customers will build their exposure management strategies around Microsoft's offering, it is likely many will evaluate it, especially considering its potentially low cost.

"As per Microsoft's usual playbook, exposure management is attractive because it pulls together a lot of existing Microsoft functionality into an integrated solution with small incremental costs," he says.

**About the Author**

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Microsoft Highlights Security Exposure Management at Ignite

PRESS RELEASE

AUCKLAND, New Zealand and READING, UK – November 19, 2024 – Endace, the world leader in packet capture, announces the formation of a new company in the Kingdom of Saudi Arabia to continue expansion in the Middle East, further demonstrating Endace’s commitment to the Middle East Region.

Having successfully deployed a number of very large infrastructure projects in the Kingdom of Saudi Arabia (KSA) and the United Arab Emirates, Endace is expanding its footprint in the region with the establishment of a new Middle East Regional Headquarters – Endace Arabia LLC – located in Riyadh, Kingdom of Saudi Arabia. Endace will build a local team to assist customers in the Middle East to secure their mission critical networks by leveraging Endace’s Always-On packet capture.

“This is an extremely significant market,” says Endace CEO, Stuart Wilson. “Endace products are already deployed in mission-critical networks across the Globe to secure critical infrastructure against cyberattacks. With our close partnership with StarLink we are uncovering strong growth opportunities for Endace capabilities in Defense, Government, Critical Infrastructure and Enterprise across the Middle East region.”

“It’s encouraging to see organizations in the Middle East recognizing the critical importance of cybersecurity and prioritizing investments to implement the foundations of robust cyber defense for critical infrastructure. They are not only adopting but in many cases actually defining global best practice,” Wilson says.  “StarLink has proven to be a fantastic partner in the region, providing local expertise and broad reach in promoting the adoption of Endace technology.”

“StarLink and Endace have been collaborating strategically in Saudi from the very first project.  With Endace now incorporated and expanding its local team, we can jointly provide this critical technology for cyber defense to a much wider set of customers across the region.  We are looking forward to a closer and stronger collaboration,” says Mohammad Abou Okdeh, Regional Director for KSA at StarLink Saudi Arabia.

About Endace

Endace’s scalable, always-on packet capture gives Network Operations and Security teams the deep visibility they need for fast, accurate incident investigation with rich forensic evidence at their fingertips from all their tools. EndaceProbes provide enterprise-class packet sniffing in on-prem, public and private cloud environments, with rapid, centralized search and one-click access to full pcap data from leading security and performance solutions (including Palo Alto Networks, Fortinet, Cisco, Splunk, Elastic, and many others). Analyze network traffic using a single, unified console across all on-premise, private, or public cloud infrastructure for total hybrid cloud visibility.  Capture every packet. See every threat. www.endace.com

Endace Establishes Middle East Regional Headquarters in Saudi Arabia

Starting in 2025, the RSAC Innovation Sandbox Top 10 Finalists will each receive a $5 million investment to drive cybersecurity innovation.

SAN FRANCISCO, Nov. 21, 2024 /PRNewswire/ -- RSA Conference™, the world's leading cybersecurity conferences and expositions, today announced that starting in April 2025, the Top 10 Finalists in the RSAC Innovation Sandbox (ISB) contest will receive financing to help them further accelerate innovation to fight the next generation of cybersecurity threats. The investment program will provide these startups with additional capital to deliver solutions that help organizations defend against the increasing volume and complexity of cybersecurity attacks.

The RSAC™ ISB contest, celebrating its 20th anniversary in 2025, has become the world's premier showcase for the cybersecurity startup community. Some of the most successful cybersecurity innovators have competed in the RSAC ISB contest in order to highlight their game-changing ideas that have disrupted the cybersecurity industry. The contest has grown to receive roughly 150 applicants annually, forming an important source of innovation and ideation that has been essential in addressing ever-changing cybersecurity challenges. More than 750 investors, cybersecurity leaders, entrepreneurs and members of the media join the packed audience to watch the ISB event live.

The RSAC ISB contest has become a preeminent platform within the cybersecurity community, providing increased visibility and awareness to the Top 10 Finalists each year. Since the RSAC ISB contest's inception, companies named as Top 10 Finalists have collectively raised over $16.4 billion\* in investments and been involved in over 90 merger and acquisition transactions. Each year, a panel of independent judges selects the Top 10 Finalists after reviewing the applicants' submissions. At RSA Conference in San Francisco, each Top 10 Finalist presents an overview of their business, and a winner is selected by an independent panel of judges drawn from the cybersecurity community. Starting in 2025, the Top 10 Finalists will each receive a $5 million uncapped Simple Agreement for Future Equity (SAFE) investment, provided by affiliates of Crosspoint Capital Partners.

"Attackers are constantly adapting and changing their tradecraft. Continuous innovation from cybersecurity startups is essential to global cyber defense," said Dr. Hugh Thompson, Executive Chairman and long-serving program chair of RSA Conference, and Managing Partner of Crosspoint Capital Partners. "Historically, the RSAC Innovation Sandbox competition has anointed winners in cybersecurity long before they became winners in the marketplace. We are excited to introduce simplified, founder-friendly financing for the companies selected by the independent and neutral process of the RSAC Innovation Sandbox to further fuel cybersecurity innovation."

For many industry-leading cybersecurity companies, the ISB platform has been an important part of their journey. "When Wiz participated in the RSAC Innovation Sandbox contest in 2021, we were a young company in an emerging cybersecurity category," said Anthony Belfiore, Chief Security and Strategy Officer of Wiz. "The exposure that we received from the ISB platform and RSA Conference helped us attract more customers earlier in our journey. This was extremely helpful for us. This new investment program is a game-changer."

The investment program is delivered as an uncapped SAFE, which provides an immediate capital infusion while maintaining future fundraising flexibility. "Post Series A investment, subsequent rounds have trended to be larger with multiple investors. A valued security investor like Crosspoint Capital with the deep operational experience of their founding partners would be welcomed into the cap table," said Theresia Gouw, co-founding partner, Acrew Capital.

In addition to the investment capital, RSAC is also developing a new forum, the RSAC Founders Circle, to provide past and present ISB Top 10 Finalists with additional exposure, coaching, mentorship, and connections with the CISO community. This initiative will also serve as a powerful alumni network for these distinguished entrepreneurs. Multiple ISB finalists have gone on to become standalone public companies while others become attractive acquisitions for platform assets. These previous Top 10 Finalists include leading cybersecurity innovators such as: Wiz, Imperva, SentinelOne, Talon Cyber Security, Phantom Cyber, and Hidden Layer.

Additional details on the RSAC ISB submission process for qualifying candidates will be made available in January 2025.

RSAC's Commitment to the Cybersecurity Community

RSAC has a heritage of supporting important investments for the community through former and existing programs, including the RSAC Innovation Sandbox, RSAC Security Scholar, child online safety, College Day, community philanthropic activities during the Conference and Conference scholarships to underrepresented communities through its vast network of partners. A portion of the returns received from the investments made in the Top 10 Finalists will be used by RSAC to support the cybersecurity community.

\*Indicates latest numbers according to Crunchbase

Additional Quotes: 

Nasrin Rezai, SVP and Chief Information Security Officer, Verizon – RSAC Innovation Sandbox Judge

"CISOs like me who are constantly trying to sort through the barrage of new cybersecurity entrants are always looking for a signal on who to spend time with and which solutions to try," said Nasrin Rezai, SVP and Chief Information Security Officer, Verizon and returning ISB judge. "The rigorous process of picking these Top 10 Finalists creates a signal to the market of who to pay attention to."

Dean Sysman, Co-Founder and CEO, Axonius – RSAC 2019 Innovation Sandbox Winner 

"One of the best things you want to achieve as a startup in the cybersecurity world is to be a part of the RSAC Innovation Sandbox contest," said Dean Sysman, Co-Founder and CEO, Axonius. "RSA Conference is the most important place where cybersecurity business, ideas, and products get introduced, talked about, and reviewed. The recognition and validation that winning ISB provides coming from that esteemed judging panel was instrumental in people trusting that we would follow through in what we promised we would do for them. There is nothing to lose by applying. Winning it sets you apart in a very differentiated and unique way while pushing the industry to look at you in a new light."

Rehan Jalil, CEO, Securiti AI – RSAC 2020 Innovation Sandbox Winner

"Making it into the RSAC ISB Top 10 and then winning the contest sends a very strong signal to not only the venture capitalists but the industry at large. The panel of judges for the ISB competition is very diverse, and they each evaluate startups with a different lens, which ultimately helps you as a company be judged more holistically. Winning ISB put us on the map, boosting our brand and increasing customer engagement. Whether you raise money before the contest or after, you get community interest in potentially making a jump to the next stage once you make it into the Top 10," said Rehan Jalil, CEO of Securiti AI, RSAC 2020 Innovation Sandbox Winner.

Oliver Friedrichs, Founder and CEO, Pangea and Founder and CEO, Phantom Cyber – RSAC 2023 Innovation Sandbox Finalist and RSAC 2016 Innovation Sandbox Winner

"Being a Finalist puts you on the map and separates you from the pack," said Oliver Friedrichs, Founder and CEO of Pangea, RSA Conference 2023 Innovation Sandbox Finalist and Founder and CEO of Phantom Cyber, RSAC 2016 Innovation Sandbox Winner. "If you're a new, relatively unknown entity, it's a great way to launch your company on the big stage. The attention you get being a Top 10 Finalist attracts venture capitalists, strategic investors, and enterprise customers who are all trying to understand what these new companies are doing and how they can help me. This new investment program for the Top 10 Finalists is a testament to the quality and potential of these companies. This added funding provides an even greater long-term financial impact for these startups and further extends their runway." 

Dave Chen, co-head of Global Technology Investment Banking at Morgan Stanley – RSAC Innovation Sandbox Judge

"Several of the companies that have been selected to the ISB Top 10 have gone on to become juggernauts in cybersecurity. The Innovation Sandbox competition is where some of the biggest stories in cybersecurity begin," said Dave Chen, co-head of Global Technology Investment Banking at Morgan Stanley. "I'm honored to be a judge for the 2025 contest."

Ben Colman, Co-Founder and CEO, Reality Defender – RSAC 2024 Innovation Sandbox Winner 

"For over a year, we had board members, investors, and clients encourage us to apply to the Innovation Sandbox contest," said Ben Colman, Co-Founder and CEO of Reality Defender and winner of the RSA Conference 2024 Innovation Sandbox contest. "We applied with no expectations, made it to the Top 10, and quickly realized our fellow Finalists were almost all pure play cybersecurity companies — something we thought was our disadvantage as a cybersecurity company focused on AI, but ultimately proved to be why we won. Awarding future winners with an uncapped SAFE note now makes applying to RSAC Innovation Sandbox a truly game-changing proposition."

Paul Kocher, Independent Researcher, Investor and Marconi Prize winner – RSAC Innovation Sandbox Judge

"The Innovation Sandbox contest is a fantastic event and terrific driver for bringing new technology to market — and for entrepreneurs it's an opportunity to present to the ideal audience," said Paul Kocher, RSAC ISB Judge, Investor, Independent Researcher and Marconi Prize winner. "I've served as a judge for most of the contest's 20 years, and have seen first hand how it raises Finalists' profiles, helping start-ups build enthusiasm with customers, investors, and new hires. Although the strong field of applicants makes the selection process challenging, I appreciate the Conference and judges' commitment to ensuring the neutrality and independence of the evaluation and selection process."

About RSA Conference

RSA Conference™ is the premier series of global events and year-round learning for the cybersecurity community. RSAC is where the security industry converges to discuss current and future concerns and have access to the experts, unbiased content, and ideas that help enable individuals and companies advance their cybersecurity posture and build stronger and smarter teams. Both in-person and online, RSAC brings the cybersecurity industry together and empowers the collective "we" to stand against cyberthreats around the world. RSAC is the ultimate marketplace for the latest technologies and hands-on educational opportunities that help industry professionals discover how to make their companies more secure while showcasing the most enterprising, influential, and thought-provoking thinkers and leaders in cybersecurity today. For the most up-to-date news pertaining to the cybersecurity industry visit www.rsaconference.com. Where the world talks security.

RSA Conference 2025 Innovation Sandbox Contest Celebrates 20th Anniversary

PRESS RELEASE

SAN FRANCISCO, Nov. 21, 2024 /PRNewswire/ -- VISO TRUST, a leader in AI-powered third-party risk management (TPRM), today announced the closing of its latest funding round of $7M in additional funding, bringing the total raised to $24M, with participation from both existing investors, Bain Capital Ventures, Work-Bench, Sierra Ventures, and Lytical Ventures, and new investors, Allstate Strategic Ventures, Cisco Investments, EnvisionX Capital, and Scale Asia Ventures.

This funding will further VISO TRUST's mission to transform TPRM through an adaptive AI-driven platform, bringing enhanced security intelligence and seamless third-party risk management to enterprises worldwide.

Enhancing Third-Party Risk Management with Integrated Security Intelligence

VISO TRUST's AI-powered platform delivers real-time, evidence-based assessments by intelligently collecting, analyzing, and continuously monitoring artifacts from vendors. This approach removes friction for vendors, eliminates the manual analysis burden for TPRM professionals, and enables comprehensive, high-quality assessments. The platform analyzes control presence, testing methodologies, exceptions, Nth-party references, and more, allowing security teams to focus on strategic initiatives.

VISO TRUST's AI-driven automation platform has become the industry benchmark for third-party risk management for industry leaders like Upwork, Instacart, Notion, and Bain Capital. By leveraging intelligent automation, VISO TRUST reduces vendor assessment and onboarding time by up to 90%, cutting TPRM hours to mere minutes per vendor and enabling enterprises to achieve comprehensive risk management at scale. With rapid assessments completed in just 5-7 days and a remarkable 98% vendor adoption rate, the platform empowers organizations to make informed, proactive risk decisions.

Paul Valente, CEO of VISO TRUST, commented on the funding round:

"We're excited to assemble a set of complementary and deep tech investors to advance our mission of transforming third-party risk management. This funding will enable us to accelerate the innovation of our platform, creating a robust ecosystem that integrates security intelligence and aligns with today's complex business workflows."

An investment in Next-Generation Monitoring and Response

VISO TRUST is at the forefront of next-generation monitoring, aggregating and analyzing diverse sources of vendor intelligence, including breach advisories, Software Bill of Materials (SBOM), and SEC filings. The platform provides real-time insights, enabling teams to make data-driven decisions, respond swiftly to emerging threats, and maintain continuous compliance, offering a distinct advantage in managing evolving cyber risks across the cloud-first, AI-driven enterprise landscape. This funding round will allow VISO TRUST to scale its unique artifact-based platform, creating an adaptable AI governance framework focused on real risk reduction.

"VISO TRUST's platform reshapes governance, risk, and compliance, enabling organizations to streamline vendor risk assessments and manage evolving cyber risks with agility in an increasingly complex digital landscape leveraging AI," said Janey Hoe, vice president, Cisco Investments. "As part of Cisco's AI Fund, we are excited to help accelerate VISO TRUST's mission to enhance security intelligence and real-time monitoring capabilities for enterprises worldwide."

VISO TRUST continues to build a future in governance, risk, and compliance where AI not only strengthens security but empowers organizations to navigate the dynamic and high-stakes digital landscape with resilience and precision.

About VISO TRUST

VISO TRUST is an AI-driven third-party risk management platform transforming traditional vendor risk assessments through automation and acceleration. Our platform provides continuous monitoring, risk remediation, Nth-party intelligence, and seamless workflow integrations, serving a global customer base across sectors like financial services, healthcare, and technology. VISO TRUST helps organizations mitigate the risks of vendor relationships at scale.

For more information, visit www.visotrust.com or contact \[email protected\].

VISO TRUST Secures $24M to Accelerate Innovation in AI-Powered Third-Party Risk Management

The Threat Source Newsletter is back! William Largent discusses bidirectional communication in the SOC, and highlights new Talos research including the discovery of PXA Stealers.

Thursday, November 21, 2024 14:02

Welcome to this week’s edition of the Threat Source newsletter. 

Bidirectional communication is foundational to a well-built team regardless of environment. It’s critical in information security to be able to drive a conversation up the ladder and down and not lose the critical elements. One of the most difficult challenges that cyber security teams face is making sure that everyone that is in a decision-making space is aware of the highly technical challenges that the evolving threat landscape dictates. Navigating the challenges that come in continually evolving the team and it’s tools to defend is often a much greater challenge. I’m going to help you with those conversations. In both directions. By talking about drumming. I know, I don’t have the pro wrestling takes that Jon came to the table with, so you’re going to have to run with me Constant Reader.  

I’m going to choose drumming to outline an easy way to identify some complex issues and talk about them in both directions and drumming is a little easier to identify for non-musicians and FAR less contentious than a spicy guitar opinion. Ok, so let’s start with a simple concept.  

 Sounds difficult. Is difficult.    
Sounds difficult. Is easy.   
Sounds easy. Is difficult.     
Sounds easy. Is easy.  

 Sounds difficult. Is difficult. This one is easy – Tomas Haake from Meshuggah playing Bleed is a perfect example. Polyrhythms, stamina, speed, interdependence, and complexity. This sounds difficult. It is difficult. Only the criminally insane attempt to learn how to play this song.  

Sounds easy. Is easy. Take Phil Rudd and pick any AC/DC song from Back in Black. The perfect example of sounds easy, is easy. Perfectly in the pocket.  

Sounds easy. Is difficult. This one is harder and will cause someone to wellackshully and I assure you I do not care. I’m going to give two examples, Jeff Porcaro of Toto playing Rosanna and Vinnie Colaiuta playing Seven Days with Sting. Both of these songs are immensely easy to listen to and don’t seem like there’s anything challenging going on. Until you try to play along, then you cry and examine all the choices you’ve made in life.  

Sounds difficult. Is easy. This is going to be a sticky situation, but I’d say that you could throw on anything by Travis Barker and Dave Lombardo. Bring it haters. I’m not saying that they are bad drummers – simply that what they do sounds more difficult than it is.  

Ok William, but how does this help me at all?  

When you have information security meetings with people in your organization take a second as you look at the agenda, and your conversation in specific, and think about the groupings above and determine what kind of drumming you are hearing. Depending on your environment and team the topics will fall naturally into these categories – it can be patch and vulnerability management,  EOL devices that need to be replaced, endpoint detection and response, deciding what traffic is actionable and defining that in your SIEM, forensic analysis, threat hunting, event response, the conversations are as malleable as the threat landscape.  

It’s easy to isolate the things in your environment that are very difficult to defend AND take a skilled defender and complex tooling to defend. Those conversations flow with either junior analysts or C-Level executives. This is the “Sounds difficult. Is difficult.” type of conversation. Ditto the “Sounds easy. Is easy.” conversations are easy to have in either direction. The most difficult topics to convey fall into the “Sounds difficult. Is easy.” or “Sounds easy. Is difficult.” In my experience these conversations are usually much easier to deliver in one direction and much more difficult in the other. Jazz guys enjoy the nuance of Colaiuta and can’t wrap their minds around Lombardo while metalheads love him and don’t want to be bothered by ghost notes. By taking a moment to dissect your topic and determine where you are going to run into the “Sounds difficult. Is easy.” or the “Sounds easy. Is difficult.” situation it will allow you to prepare for those more challenging conversations so that you can craft a narrative to best capture the nuance that might be lost in a highly technical conversation with a C-Level exec, or the motivation for waiting for the next financial quarter for new tooling that the analysts really need.  

I’m not going to lie - you can prepare this way and things can still fall on deaf ears, they can still underestimate the lift required because people are fallible but if you prepare just a bit and know your audience you can drag your C-Level into a discussion on polyrhythm and pull your junior analyst up with a little Vinnie Colaiuta and make them all feel like Phil Rudd.   

**The one big thing **

Cisco Talos discovered a new information stealing campaign operated by a Vietnamese-speaking threat actor targeting government and education entities in Europe and Asia. PXA Stealer targets victims’ sensitive information, including credentials for various online accounts, VPN and FTP clients, financial information, browser cookies, and data from gaming software. PXA Stealer also has the capability to decrypt the victim’s browser master password and uses it to steal the stored credentials of various online accounts. 

**Why do I care? **

Harvested credentials can allow attackers direct access to your environment without the need to exploit vulnerabilities or face any of your defensive architecture – they can just log in. Cisco Talos Incident Response has observed an increasing number of engagements where this is the case.  

**So now what? **

Cisco Talos has released several Snort rules and ClamAV signatures to detect and defend against PXA Stealer.   

**Top security headlines of the week **

Attackers are continuing to upload hundreds of malicious packages to the open-source node package manager (NPM) repository in an attempt to infect the devices of developers that rely on these libraries. (Ars Tecnica) 

Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that it's director Jen Easterly will step down from her position on President-elect Donald Trump's Inauguration Day. (Dark Reading) 

Palo Alto Networks has released a patch to fix a critical vulnerability in some instances of its firewall management interfaces. PAN observed threat activity exploiting an unauthenticated remote command execution vulnerability against firewall management interfaces. (Bleeping Computer,  Dark Reading)   

**Can’t get enough Talos? **

*   Unwrapping the emerging Interlock ransomware attack 
*   Talos Takes on Interlock 
*   November Patch Tuesday release contains three critical remote code execution vulnerabilities 
*   It's Taplunk! Talos and Splunk threat researchers meet to put the security world to rights 

**Upcoming events where you can find Talos **

 CyberCon Romania

(Nov 21-22)    
Bucharest, Romania 

 Martin Lee from Cisco Talos will speak on a panel discussion Maintaining Resilience for a Secure Cyber Infrastructure.  

misecCON (Nov. 22)    
Lansing, Michigan 

Terryn Valikodath from Cisco Talos Incident Response will explore the core of DFIR, where digital forensics becomes detective work and incident response turns into firefighting. 

AVAR

(Dec 4-6)    
Chennai, India 

 Vanja Svancer and Chetan Raghuprasad from Cisco Talos will both present, Vanja will be discussing Exploring Vulnerable Windows Drivers, while Chetan presents Sweet and Spicy Recipes for Government Agencies by SneakyChef.  

**Most prevalent malware files from Talos telemetry over the past week  **

SHA 256: c20fbc33680d745ec5ff7022c282a6fe969c6e6c7d77b7cfac34e6c19367cf9a  

MD5: 3bc6d86fc4b3262137d8d33713ed6082  

Typical Filename: 8c556f0a.dll  

Claimed Product: N/A  

Detection Name: Gen:Variant.Lazy.605353  

 SHA 256: bea312ccbc8a912d4322b45ea64d69bb3add4d818fd1eb7723260b11d76a138a 

MD5: 200206279107f4a2bb1832e3fcd7d64c 

Typical Filename: lsgkozfm.bat 

Claimed Product: N/A 

Detection Name: Win.Dropper.Scar::tpd   

SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca  

MD5: 71fea034b422e4a17ebb06022532fdde  

Typical Filename: VID001.exe  

Claimed Product: N/A  

Detection Name: RF.Talos.80  

SHA 256: 3a2ea65faefdc64d83dd4c06ef617d6ac683f781c093008c8996277732d9bd66  

MD5: 8b84d61bf3ffec822e2daf4a3665308c  

Typical Filename: RemComSvc.exe  

Claimed Product: N/A  

Detection Name: W32.3A2EA65FAE-95.SBX.TG

Bidirectional communication via polyrhythms and shuffles: Without Jon the beat must go on

When a cybersecurity incident occurs, it's not just IT systems and data that are at risk — a company's reputation is on the line, too.

Source: Panther Media GmbH via Alamy Stock Photo

Question: What value do public relations experts bring to a company during a cybersecurity incident?

Ronn Torossian, founder, 5WPR: The threat of a cyberattack is ever-present, making cybersecurity a top priority for organizations of all sizes. But when a cybersecurity incident occurs, it's not just IT systems and data that are at risk — a company's reputation is on the line, too. This is where public relations (PR) can step in as a critical safeguard. A well-executed cybersecurity PR strategy can help contain the fallout of a cybersecurity breach, maintain stakeholder trust, and position the organization for recovery.

Here are five ways PR professionals can protect a company against damage from a cybersecurity incident.

**1\. Build Trust With Stakeholders Ahead of Time**

PR's role in a cybersecurity incident starts long before a breach happens. Proactive engagement with stakeholders builds a reservoir of goodwill to draw upon in times of crisis. Engagement includes providing regular updates on the company's cybersecurity measures, sharing tips for data protection, and offering insights into industry best practices.

For instance, tech giants like Cisco and IBM consistently communicate their cybersecurity initiatives, positioning themselves as leaders in the space. By doing so, they reinforce their commitment to security. This proactive approach helps set the stage for smoother communication during a crisis.

**2\. Communicate With Transparency and Speed**

The first hours of a cybersecurity breach are crucial. Prompt, transparent communication helps shape public perception and can significantly influence the level of trust that stakeholders place in the company. When an incident occurs, PR teams must work swiftly to inform customers, employees, and partners about what happened, what steps the company is taking, and what they should do next.

A classic negative case study is Equifax's 2017 breach, where delayed communication compounded the public's distrust. Companies that immediately acknowledge a breach and provide clear updates often regain trust faster. Transparency demonstrates accountability and commitment, both of which are key to repairing reputational damage.

**3\. Harness Social Media for Crisis Responses**

Social media is a double-edged sword in the wake of a cybersecurity breach. These digital channels amplify both the reach of the company's crisis communications and the spread of misinformation or negative sentiment. A strong social media strategy is essential for managing the narrative.

PR teams should use platforms like LinkedIn and other digital channels to provide real-time updates, address customer concerns, and reinforce the company's commitment to resolving the issue. These channels offer an opportunity to humanize the brand, which can help mitigate panic and frustration.

**4\. Bring in Cybersecurity Teams for Updates**

Effective crisis communication requires more than just PR expertise. Collaboration with IT and cybersecurity teams ensures that messaging is accurate, clear, and credible.

Cybersecurity experts lend authority to media briefings or stakeholder updates and signal that the situation is under control. PR professionals translate complex technical details into language that resonates with diverse audiences. This partnership helps build confidence in the organization's ability to manage and resolve cybersecurity incidents.

**5\. Rebuild Trust After an Attack**

Long-term organizational recovery from a cybersecurity breach depends on rebuilding trust, which is rooted in ongoing education and advocacy. PR teams can drive awareness campaigns that encourage both internal and external audiences to adopt better cybersecurity practices.

This might involve publishing blogs, hosting webinars, or participating in industry panels to share insights on navigating the evolving threat landscape. Advocacy for stronger industry standards or collaboration on public policy can further position the company as a thought leader committed to enhancing cybersecurity for all.

**About the Author**

Dark Reading

The Edge is Dark Reading's home for features, threat data and in-depth perspectives on cybersecurity.

How Can PR Protect Companies During a Cyberattack?

An elusive, sophisticated cybercriminal group has used known and zero-day vulnerabilities to compromise more than 20,000 SOHO routers and other IoT devices so far, and then puts them up for sale on a residential proxy marketplace for state-sponsored cyber-espionage actors and others to use.

Source: Jiraroj Praditcharoenkul via Alamy Stock Photo

A cybercriminal group is exploiting vulnerabilities in Internet of Things (IoT) devices and then turning a tidy profit by putting them up for sale on a residential proxy marketplace, where they can be turned into proxy botnets by state-sponsored advance persistent threats (APTs) and other malicious actors.

The gang, tracked as "Water Barghest," has already compromised more than 20,000 IoT devices, including small office and home office (SOHO) routers used by businesses, by using automated scripts to identify and compromise vulnerable devices, according to new research from Trend Micro. The threat actor, which has operated for more than five years (largely under the radar due to a sophisticated automation strategy) discovers vulnerable IoT devices from public Internet-scanning databases such as Shodan, the researchers noted.

Once Water Barghest compromises devices, it deploys proprietary malware called Ngioweb to register the device as a proxy — i.e., a network that puts an intermediary between a client and a server. Water Barghest then lists the device for sale on a residential proxy marketplace for other threat actors to purchase.

The entire cybercriminal process to enslave a target takes as little as 10 minutes, "indicating a highly efficient and automated operation," Trend Micro researchers Feike Hacquebord and Fernando Mercês wrote in the post.

**Selling Proxy Devices as a Cybercrime Business Model**

There is indeed a significant incentive for both espionage-motivated and financially motivated actors to set up proxy botnets to help hide where their malicious activities originate; Russia's Sandworm, for example, recently used the VPNFilter botnet and Cyclops Blink in activities against Ukraine that were elusive for a time before being ultimately disrupted by the FBI, according to Trend Micro.

"These \[botnets\] can serve as an anonymization layer, which can provide plausibly geolocated IP addresses to scrape contents of websites, access stolen or compromised online assets, and launch cyberattacks," the researchers wrote.

Threat actors can find any IoT device that accepts incoming connections on the open Internet using public scanning services, making it easy for them to compromise ones with known vulnerabilities, or even zero-days, for future use in malicious activities, they wrote. This makes it easy for threat actors like Water Barghest to exploit them for financial gain and further abuse, they added.

**Uncovering the Elusive Botnet-for-Sale Cyber Operation**

Trend Micro discovered Water Barghest's operation during an investigation of the Department of Justice's disruption of a Russian military intelligence botnet that Russian state-sponsored threat group Fancy Bear (aka APT28) used for global cyber espionage.

The researchers examined EdgeRouter devices that had been used by Sandworm, and eventually uncovered Water Barghest's Ngioweb malware and botnet. The group's infrastructure had been up and running for more than five years but had been able to evade detection by security researchers and law enforcement "because of their careful operational security and high degree of automation," the researchers wrote.

"They quietly erased log files from their servers and made forensic analysis more difficult," they wrote. "They removed human error from their operations by automating almost everything. They also removed financial traceability by using cryptocurrency for anonymous payments."

Water Barghest automates each step of the 10-minute process, from initially finding vulnerable IoT devices to ultimately putting them for sale on a residential proxy marketplace. The group first acquires known exploits for flaws in devices, then uses search queries on one of the publicly available Internet-scanning databases to find vulnerable devices and their IP addresses. It then uses a set of data center IP addresses to try the exploits against potentially vulnerable IoT devices.

When one works, the compromised IoT devices download a script that iterates through Ngioweb malware samples compiled for different Linux architectures. When one of the samples runs successfully, Ngioweb will run in memory on the victim’s IoT device, registering it with a command-and-control (C2) server, and then eventually sending it to be listed on a Dark Web marketplace.

Water Barghest has about 17 identities on virtual private servers that continuously scan routers and IoT devices for known vulnerabilities and also upload Ngioweb malware to freshly compromised IoT devices. In this way, Water Barghest has been running a profitable business "for years, with the worker IP addresses changing slowly over time," according to the Trend Micro analysis.

**Protecting SOHO Routers: Limit Exposure to Public Internet**

Trend Micro expects that both the commercial market for residential proxy services and the underground market of proxies will grow in the coming years due to high demand from both APTs and financial cybercriminal groups alike. This growth will pose "a challenge for many enterprises and government organizations around the world" to protect against the anonymization layers behind which these groups hide, the researchers wrote.

While law enforcement has been effective in disrupting proxy botnets, it's better to go directly to the source to combat the problem, and that can be done by addressing the security of IoT devices. Indeed, these devices are notoriously hackable, posing a problem for organizations that must manage increasingly larger networks of them.

"It is important \[for organizations\] … to put mitigations in place to avoid their infrastructure being part of the problem itself," the researchers wrote. They can do this, they added, by limiting the exposure of these devices to incoming connections from the open Internet whenever it is not business-essential.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Tag

#cisco