The networking company confirms that cyberattackers illegally accessed data belonging to some of its customers.

Source: Sergiy Palamarchuk via Shutterstock

Cisco has disabled public access to one of its DevHub environments after threat actors downloaded some customer data from the site and put it up for sale on a cybercrime forum.

The compromised data included source code, API tokens, hardcoded credentials, certificates, and other secrets belonging to some large companies, including Microsoft, Verizon, T-Mobile, AT&T, Barclays, and SAP.

**Data Heist From Public-Facing Environment**

News of the breach first surfaced a week ago, when researchers spotted three threat actors using the monikers IntelBroker, EnergyWeaponUser, and zjj, putting up the data for sale on BreachForums. IntelBroker is a known Serbian entity that began operations in 2022 and is linked to several major data heists, including ones at Europol, General Electric, and DARPA (Defense Advanced Research Projects Agency).

Cisco announced it was investigating the incident on Oct. 15. Three days later, the company confirmed the security incident in an update that offered little detail on the kind of data that the attackers managed to access and download.

Cisco's own systems appear not to have been affected in the incident. "We have determined that the data in question is on a public-facing DevHub environment — a Cisco resource center that enables us to support our community by making available software code, scripts, etc. for customers to use as needed," Cisco's advisory noted. "At this stage in our investigation, we have determined that a small number of files that were not authorized for public download may have been published."

The company said that, at the moment, there is no evidence the attackers illegally accessed any personal identity data or financial information, but it added that it was still investigating that possibility. "Out of an abundance of caution, we have disabled public access to the site while we continue the investigation," the company said.

In their BreachForums post, the threat actors claimed the data they downloaded from Cisco's DevHub site included GitHub and GitLab projects, source code, Jira tickets, container images, data from AWS storage buckets, and at least some confidential Cisco information.

**Reminder: The Need to Secure Public-Facing Assets**

The Cisco incident is a reminder why organizations need to protect public-facing environments with measures like input validation to protect against injection attacks, strong authentication tools and processes, and regular vulnerability assessments, says Jason Soroko, senior fellow at Sectigo.

Common mistakes organizations make when it comes to securing their public-facing assets include neglecting OWASP guidelines, underestimating security risks, failing to update systems regularly, and not prioritizing secure coding practices, Soroko says: "Don't forget to back up your website code and practice restoring it. Malware detection tools are available that make it easy to regularly scan."

Organizations can sometimes tend to perceive their public-facing assets as less critical when, in reality, they can expose sensitive information that attackers could use for future intrusions, he adds. The data that the attackers obtained in the Cisco incident, for instance, included source code, API tokens, certificates, and credentials that attackers could potentially leverage in a significant way in a future campaign.

Eric Schwake, director of cybersecurity strategy at Salt Security, says various factors contribute to sensitive data ending up on an organization's public-facing environments. "This can occur due to accidental misconfigurations of access controls, human errors in code or file management, inadequate security testing before deployment, or the compromise of third-party services," he says. These oversights can lead to the exposure of sensitive data and create potential entry points for attackers.

Schwake recommends that organizations implement a multilayered security strategy to reduce this risk. "This involves enforcing strict access controls, promoting secure coding practices, conducting thorough security testing, building posture governance standards, and performing regular security assessments," he says. "Using secrets management solutions and continuous monitoring tools can further improve security and protect against unauthorized access to sensitive information."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Cisco Disables DevHub Access After Security Breach

As the Akira ransomware group continues to evolve its operations, Talos has the latest research on the group's attack chain, targeted verticals, and potential future TTPs.

Akira ransomware continues to evolve

A hacker known as “TAINTU” is advertising a “Top Secret U.S. Space Force Military Technology Archive” for sale,…

A hacker known as “TAINTU” is advertising a “Top Secret U.S. Space Force Military Technology Archive” for sale, allegedly containing classified data on advanced space-based defence systems and AI-driven weapons.

A hacker using the alias “TAINTU” is offering what they claim to be 1.45 TB of “top secret USSF military technology archives” for sale, priced at $15,000 in Bitcoin (BTC) or Monero (XMR) cryptocurrency.

The acronym USSF stands for the United States Space Force, the space operations branch of the U.S. Armed Forces. The USSF is responsible for organizing, training, and equipping military personnel for space-related operations.

The ad, viewed by _**Hackread.com**_, was initially posted on the data breach and cybercrime platform Breach Forums on Saturday, October 19, 2024. However, it was removed by the hacker on the same day. When _**Hackread.com**_ inquired about the removal, the hacker explained that the data remains available for sale through underground channels, citing the lack of “seriousness” from users on Breach Forums.

Partial screenshot from the now deleted post (Screenshot: Hackread.com)

**What’s in the Archive?**

The hacker’s use of the term “archive” implies a comprehensive collection of information rather than just a single piece of file/data. The sample data published by the hacker appears to be contains classified leaks from the United States Space Force (USSF), detailing advanced military technologies, space-based weapon systems, future developments, and simulated battle scenarios.

The trove of data also allegedly also includes in-depth technical analyses, project files, and system diagrams from ongoing USSF development programs, with a focus on next-generation orbital defence.

This collection, described as “dozens of files,” holds critical military data, technical diagrams, and performance simulations. It reportedly provides unprecedented insight into next-generation weaponry and space-based defence systems, including the following:

**Directed Energy Weapons (DEW):** Advanced systems optimized for targeting satellites and enemy space infrastructure using high-energy lasers. 

**Quantum Cyber Warfare:** Cutting-edge encryption-breaking technology for intercepting and neutralizing enemy satellite communications. 

**Electromagnetic Pulse (EMP) Systems:** Area-wide electronic grid disruptors, capable of disabling enemy communication, radar, and missile systems over a vast range. 

**AI-Controlled Weapons:** Autonomous targeting systems using advanced machine learning algorithms for real-time satellite interception and space warfare scenarios. 

The archive allegedly contains leaked content such as project files with technical breakdowns and financial allocations for the development of Directed Energy Weapons (DEW), AI-based orbital weapons, and quantum cybersecurity systems. It also includes research on future technologies like antimatter energy and quantum teleportation, schematics and diagrams outline high-orbit defence systems and missile interception strategies, while CSV data files provide comprehensive simulation data on energy consumption and AI response times.

In addition, the files appears to be contain over 20 technical PDF reports covering satellite communication encryption, EMP defence, and AI targeting systems, as well as classified intelligence on adversarial capabilities from nations like China and Russia, and countermeasures for hypersonic missile threats.

The sample files published by the hacker are claimed to be "technical samples extracted directly from the archive." These include PDF files detailing “Phase 3 testing of the Helios *** laser platform,” CSV files containing detailed test results related to high-tech weapons or defence systems—apparently involving directed energy weapons (DEWs) or similar technologies—and a project file snippet outlining the budget and technical progress report for the DEW-\*\*\*1.

The data also includes several diagrams, including one titled “Orbital Defense and Interception Scenarios,” which details a “beam divergence analysis for orbital defence” among other related information. However, due to security concerns and the potential implications of this being a national security breach for the United States, **_Hackread.com_** is refraining from publishing any images or details that could compromise the security of the institution.

**“Exclusive Access and Direct Breach”**

When asked whether the alleged data breach involving a third-party contractor, as seen in the April 2024 case of US defence contractor Acuity Inc., where an Intel Broker hacker leaked ICE and USCIS data, the hacker claimed it was a “direct data breach,” with no third-party firm involved.

“This archive offers exclusive access to classified military technologies currently in development by the USSF. The data covers cutting-edge research, including highly advanced AI-controlled defence systems and quantum-based communication, which are reshaping the future of warfare,” the hacker told _**Hackread.com**_.

“These documents are invaluable to anyone interested in military technology or defence strategies, providing insights into the most advanced space-based weapon systems on the planet.”

The authenticity of the breach has yet to be confirmed. _**Hackread.com**_ has reached out to the Cybersecurity and Infrastructure Security Agency (CISA) for comment. However, the hacker remains confident in the legitimacy of the archive.

1.  **Crimson Palace: Chinese Hackers Stole Military Secrets**
2.  **Military Satellite Access Sold on Russian Forum for $15,000**
3.  **Intel Broker Claims Cisco Breach, Selling Data from Major Firms**
4.  **Russian National Jailed for Smuggling US Military Tech to Russia**
5.  **S3 Buckets Exposed US Military’s Social Media Spying Campaign**

1.  \* indicates redacted information ↩︎

Hacker Advertises “Top Secret US Space Force (USSF) Military Technology Archive”

The emergence of novel anti-detection kits for sale on the Dark Web limit the effectiveness of a Chrome browser feature that warns users that they have reached a phishing page.

Source: Rawpixel via Shutterstock

Cybercriminals have found a new way to get around what has been an effective deterrent to phishing attacks, with novel anti-bot services sold on the Dark Web that allow them to bypass the protective "Red Page" warning in Google Chrome that alerts users to potential fraud.

The anti-bot services aim to prevent security crawlers from identifying phishing pages and blocklisting them by filtering out cybersecurity bots and disguising phishing pages from Google scanners, according to new research published today by SlashNext.

They do this by rendering ineffective the Red Page, a feature of Google Safe Browsing — which itself is a feature of Chromium-based browsers and other Google services — that aims to protect users from harmful websites by warning them of potential dangers, such as phishing attempts. The page is so-named because it is displayed in red and provides a warning that a site to which someone is navigating may be deceptive, advising them to avoid it.

In doing so, the warning can "severely" limit "the potential success of phishing attacks," according to the post, providing "a massive hurdle" to threat campaigns. That's because these campaigns rely on high click-through rates, which is significantly lowered when Google's detection flags a phishing page and adds it to a blocklist.

Now various anti-bot services found on the Dark Web, such as Otus Anti-Bot, Remove Red, and Limitless Anti-Bot, "threaten to undermine this line of defense, potentially exposing more users to sophisticated phishing attempts," according to the post.

**How Anti-Bot Services Work**

Though each service has its own unique features, they are all based on a combination of several techniques that allow malicious content to bypass Google's Red Page feature. Most rely on bot detection mechanisms that analyze user-agent strings and IP addresses to filter known security bot traffic that would otherwise be blocked, according to SlashNext.

"Public lists of cybersecurity crawlers are widely available (for example, Shodan), making it easy to filter known security bot traffic," according to the post. "Once an IP address or user-agent is flagged as a security crawler, it is blocked, ensuring the page remains accessible to real users but hidden from cybersecurity entities."

The services also use cloaking techniques such as context-switching or JavaScript obfuscation to serve different content based on the visitor’s profile. These techniques effectively redirect security crawlers to benign content while directing a user to a phishing page.

Another common feature of the anti-bot services is to introduce CAPTCHA or challenge pages to filter out automated scanners that typically would analyze a webpage for malicious content. "Since most bots cannot solve CAPTCHAs, this technique effectively blocks them while allowing real users through," according to the post.

Some anti-bot services might even introduce a time delay, which further confuses security bots by making them "time out" before they can scan the page and thus warn users of a potential security threat.

They also can bypass the Google Red Page by delivering region-specific content and blocking foreign traffic, according to SlashNext. For example, if a phishing campaign is targeting a Korean bank, the service might allow only Korean traffic to visit the site while blocking foreign IP addresses, the researchers noted. Moreover, these methods can get extremely specific in terms of geography, even narrowing campaigns down to the city level, which would prevent international cybersecurity services from detecting the page entirely, according to the post.

**Not Completely Foolproof**

While these anti-bot services can significantly reduce the scope of Google Red Page, they do have their limitations, the researchers noted. The malicious services work best in less sophisticated phishing campaigns because they can identify and block known crawlers in the user-agent string — where many security vendors declare their bots and crawlers, the researchers noted.

"This allows cybercriminals to filter out bot traffic, prolonging the lifespan of phishing campaigns," according to the post. However, in more sophisticated phishing operations, manual analysis by analysts will eventually detect the page, leading to its inclusion on blocklists.

Still, anything that can limit the detection of phishing by end users is a threat to the overall security, not just of individuals but also enterprises. That's because despite being one of the oldest forms of cybercrime, phishing is still one of the primary ways attackers gain initial entry onto corporate networks to perform other types of malicious activities, such as ransomware attacks.

Moreover, the rise in the availability of phishing kits that make it easy for attackers to create campaigns, the growing sophistication of phishing tactics and now the emergence of anti-bot services make detection by individuals and defenders more complex.

The best defense against the use of anti-bot services to bypass Google Red Page is to use security platforms that can detect threats in real-time across email, mobile, and messaging apps with as much accuracy as possible, according to SlashNext. Aforementioned manual analysis of phishing pages and the subsequent addition of malicious sites to blocklists also can prevent these services from being effective.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Anti-Bot Services Help Cybercrooks Bypass Google 'Red Page'

Plus, a zero-day vulnerability in Qualcomm chips, exposed health care devices, and the latest on the Salt Typhoon threat actor.

Thursday, October 17, 2024 14:00

When I first interviewed with Joel Esler for my position at Cisco Talos, I remember when the time came for me to ask questions, one thing stood out. I asked what resources were available to me to learn about cybersecurity, because I was totally new to the space.  

His answer: The people. When I asked that question, Joel told me that the entire office was a library for me. He told me to just ask as many questions as I could. 

Coming from journalism, where I was reporting on a range of topics from local government, finance and banking, art and culture, and sports, cybersecurity was totally new to me. Now almost seven years later, I’ve been able to host a podcast that went nearly 200 episodes, relaunch a cybersecurity newsletter, researched malicious Facebook groups trading stolen personal information, and I’ve even learned how to write a ClamAV signature. 

Unfortunately, this week is my last at Talos, but far from my last in cybersecurity. I’m off to a new adventure, but I wanted to take the space here to talk about what I’ve learned in my career at Talos.  

I think that this is a good lesson for anyone reading this: If you want to work in cybersecurity, you can, no matter what your background or education is. I’ve met colleagues across Talos who previously studied counterterrorism operations, German and Russian history, and political science. And I walked into my first day on the job knowing next to nothing about cybersecurity. I knew I could write, and I knew I could help Talos tell their story (and clean up the occasional passive voice in their blog posts). But I had never heard of a remote access trojan before.  

I hope these lessons resonate with you, your team, or the next person you think about hiring into the cybersecurity industry.  

1.  **You can’t do any of this without people.** This has become extraordinarily relevant this year with the advent of AI. I personally have beef with the term “AI” anyway because we’ve been using machine learning in cybersecurity for years now, which is essentially what we’re using the “AI” buzzword to mean now. But at the end of the day, people are what makes cybersecurity detection work in the first place. If you don’t have a team that’s ready to put in the work necessary to write, test and improve the intelligence that goes into security products (AI or not), you’re doomed. Any of these tools are only as good as the people who put the information into them. I’ve been beyond impressed with the experience, work ethic, and knowledge that everyone in Talos has. They are what makes the engine run, and none of this would work without them. 
2.  **You can carve out your own niche in cybersecurity.** That said, you don’t have to know how to code to work in cybersecurity if you don’t want to. Anyone can carve out their own niche in the space with their own skillset. I still barely know how to write Python, but I’ve been able to use the skills that I do have (research, writing, storytelling, audio editing, etc.) to carve out my space in cybersecurity. I can speak intelligently about security problems and solutions with my colleagues without needing to know how to reverse-engineer a piece of malware. And even on the technical side of things, everyone can carve out their own specialty. Talos has experts on email spam, and even specific types of email spam, that their colleagues may not know anything about. Others specialize in certain geographic areas because they can speak the language there and can peel back an additional layer that non-native speakers can’t.  
3.  **Be a sponge.** Going back to the opening of this week’s newsletter, I needed to ask hundreds of questions in my first few months at Talos. It took me a good amount of time to get over my fear of looking stupid, and that held me back early on from having more intelligent conversations with my teammates because I would keep questions inside or just assume that Google had the right answers. No matter how many years you’ve been in the security space, there is always something new to learn. Never assume you know everything there is to know on a given topic. If you are a sponge for information, you never know what new skills you can pick up along the way. When I graduated from college with a journalism degree, I never would have believed you if you told me at the time that I’d be needing to understand how atomic clocks keep power grids running. But here we are. 

The Threat Source newsletter will be off for a few weeks while it undergoes a revamp, and it’ll be back with a new look.  

I want to thank everyone who has enabled me to grow and shape this newsletter over the years, growing it to thousands of subscribers. And, of course, thanks to the readers who have engaged, read and shared over the years.  

**The one big thing **

Cisco Talos has observed a new wave of attacks active since at least late 2023, from a Russian-speaking group we track as “UAT-5647” against Ukrainian government entities and unknown Polish entities. The latest series of attacks deploys an updated version of the RomCom malware we track as “SingleCamper.” This version is loaded directly from the registry into memory and uses a loopback address to communicate with its loader. 

**Why do I care? **

UAT-5647 has long been considered a multi-motivational threat actor performing ransomware and espionage-oriented attacks. However, in recent months, it has accelerated its attacks with a clear focus on establishing long–term access for exfiltrating data of strategic interest to it. UAT-5647 has also evolved its tooling to include four distinct malware families: two downloaders we track as RustClaw and MeltingClaw, a RUST-based backdoor we call DustyHammock, and a C++-based backdoor we call ShadyHammock. 

**So now what? **

Cisco Talos has released several Snort rules and ClamAV signatures to detect and defend against the several malware families that UAT-5647 uses.  

**Top security headlines of the week **

**Government and security officials are still unraveling what to make of recent revelations around multiple Chinese-state-sponsored actors infiltrating U.S. networks.** Most recently, Salt Typhoon was unveiled as a new actor that may have accessed foreign intelligence surveillance systems and electronic communications that some ISPs collect. like Verizon and AT&T collect based on U.S. court orders. The actor reportedly accessed highly sensitive intelligence and law enforcement data. This followed on reports earlier this year of other Chinese state-sponsored actors Volt Typhoon and Flax Typhoon, which targeted U.S. government networks and systems on military bases. One source told the Wall Street Journal that the latest discovery of Salt Typhoon could be “potentially catastrophic.” The actor allegedly gained access to Verizon, AT&T and Lumen Technologies by exploiting systems those companies use to comply with the U.S. CALEA act, which essentially legalizes wiretapping when required by law enforcement. (Axios, Tech Crunch) 

**Chip maker Qualcomm says adversaries exploited a zero-day vulnerability in dozens of its chipsets used in popular Android devices.** While few details are currently available regarding the vulnerability, CVE-2024-43047, researchers at Google and Amnesty International say they are working with Qualcomm to remediate and responsibly disclose more information. Qualcomm listed 64 different chipsets as being affected by the vulnerability, including the company’s Snapdragon 8 mobile platform, which is used many Android phones, including some made by Motorola, Samsung and ZTE. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also added the issue to its Known Exploited Vulnerabilities catalog, indicating they can confirm it’s been actively exploited in the wild. Qualcomm said it issued a fix in September, and it is now on the device manufacturers to roll out patches to their customers for affected devices. (Android Police, Tech Crunch) 

**As many as 14,000 medical devices across the globe are online and vulnerable to a bevy of security vulnerabilities and exploits, according to a new study.** Security research firm Censys recently found the devices exposed, which “greatly raise the risk of unauthorized access and exploitation.” Forty-nine percent of the exposed devices are located in the U.S. America’s decentralized health care system is largely believed to affect the amount of vulnerable devices, because there is less coordinaton to isolate the devices or patch them when vulnerabilities are disclosed, unlike countries like the U.K., where the health care system is solely organized and managed by the government. The Censys study found that many of the networks belonging to smaller health care organizations used residential ISPs, making them inherently less secure. Others set up devices and connected them to the internet without changing the preconfigured credentials or leaving their connections unencrypted. Others had simply been misconfigured. Open DICOM and DICOM-enabled web interfaces that are intended to share and view medical images were responsible for 36 percent of the exposures, with 5,100 IPs hosting these systems. (CyberScoop, Censys) 

**Can’t get enough Talos? **

*   Attackers Delight: Why Does Healthcare See So Many Attacks? 
*   Ghidra data type archive for Windows driver functions 
*   Protecting major events: An incident response blueprint 

**Upcoming events where you can find Talos**

**MITRE ATT&CKcon 5.0** **(Oct. 22 - 23)** 

_McLean, Virginia and Virtual_

Nicole Hoffman and James Nutland will provide a brief history of Akira ransomware and an overview of the Linux ransomware landscape. Then, morph into action as they take a technical deep dive into the latest Linux variant using the ATT&CK framework to uncover its techniques, tactics and procedures.

**it-sa Expo & Congress** **(Oct. 22 - 24)** 

_Nuremberg, Germany_

**White Hat Desert Con** **(Nov. 14)** 

_Doha, Qatar_

**misecCON** **(Nov. 22)** 

_Lansing, Michigan_

Terryn Valikodath from Cisco Talos Incident Response will explore the core of DFIR, where digital forensics becomes detective work and incident response turns into firefighting.

**Most prevalent malware files from Talos telemetry over the past week **

_There is no new data to report this week. This section will be overhauled in the next edition of the Threat Source newsletter._

What I’ve learned in my first 7-ish years in cybersecurity

The Russian threat actor known as RomCom has been linked to a new wave of cyber attacks aimed at Ukrainian government agencies and unknown Polish entities since at least late 2023.
The intrusions are characterized by the use of a variant of the RomCom RAT dubbed SingleCamper (aka SnipBot or RomCom 5.0), said Cisco Talos, which is monitoring the activity cluster under the moniker UAT-5647.
"This

Threat Intelligence / Malware

The Russian threat actor known as RomCom has been linked to a new wave of cyber attacks aimed at Ukrainian government agencies and unknown Polish entities since at least late 2023.

The intrusions are characterized by the use of a variant of the RomCom RAT dubbed SingleCamper (aka SnipBot or RomCom 5.0), said Cisco Talos, which is monitoring the activity cluster under the moniker UAT-5647.

"This version is loaded directly from the registry into memory and uses a loopback address to communicate with its loader," security researchers Dmytro Korzhevin, Asheer Malhotra, Vanja Svajcer, and Vitor Ventura noted.

RomCom, also tracked as Storm-0978, Tropical Scorpius, UAC-0180, UNC2596, and Void Rabisu, has engaged in multi-motivational operations such as ransomware, extortion, and targeted credential gathering since its emergence in 2022.

It's been assessed that the operational tempo of their attacks has increased in recent months with an aim to set up long-term persistence on compromised networks and exfiltrate data, suggesting a clear espionage agenda.

To that end, the threat actor is said to be "aggressively expanding their tooling and infrastructure to support a wide variety of malware components authored in diverse languages and platforms" such as C++ (ShadyHammock), Rust (DustyHammock), Go (GLUEEGG), and Lua (DROPCLUE).

The attack chains start with a spear-phishing message that delivers a downloader -- either coded in C++ (MeltingClaw) or Rust (RustyClaw) -- which serves to deploy the ShadyHammock and DustyHammock backdoors, respectively. In parallel, a decoy document is displayed to the recipient to maintain the ruse.

While DustyHammock is engineered to contact a command-and-control (C2) server, run arbitrary commands, and download files from the server, ShadyHammock acts as a launchpad for SingleCamper as well as listening for incoming commands.

Despite's ShadyHammock additional features, it's believed that it's a predecessor to DustyHammock, given the fact that the latter was observed in attacks as recently as September 2024.

SingleCamper, the latest version of RomCom RAT, is responsible for a wide range of post-compromise activities, which entail downloading the PuTTY's Plink tool to establish remote tunnels with adversary-controlled infrastructure, network reconnaissance, lateral movement, user and system discovery, and data exfiltration.

"This specific series of attacks, targeting high profile Ukrainian entities, is likely meant to serve UAT-5647's two-pronged strategy in a staged manner – establish long-term access and exfiltrate data for as long as possible to support espionage motives, and then potentially pivot to ransomware deployment to disrupt and likely financially gain from the compromise," the researchers said.

"It is also likely that Polish entities were also targeted, based on the keyboard language checks performed by the malware."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Russian RomCom Attacks Target Ukrainian Government with New SingleCamper RAT Variant

By Dmytro Korzhevin, Asheer Malhotra, Vanja Svajcer and Vitor Ventura. 


Cisco Talos has observed a new wave of attacks active since at least late 2023, from a Russian speaking group we track as “UAT-5647”, against Ukrainian government entities and unknown Polish entities. 
UAT-5647 is also known

UAT-5647 targets Ukrainian and Polish entities with RomCom malware variants

PRESS RELEASE

SAN FRANCISCO, Oct. 16, 2024 /PRNewswire/ -- Bugcrowd, the leader in crowdsourced cybersecurity, today released its annual Inside the Mind of a Hacker 2024 report, which analyzed responses from 1,300 hackers, also known as ethical hackers and security researchers on the Bugcrowd Platform. This report provides a comprehensive overview of the hacking community and their perspectives on topics at the forefront of cybersecurity.

AI adoption and integration has continued its rapid momentum within the hacking community. Nevertheless, it continues to pose both benefits and unfortunate cyber risks. According to the report, 82% of hackers believe that the AI threat landscape is evolving too fast to adequately secure.

AI is the new attack vector

This year's report revealed a significant shift in the perceived value of AI in hacking compared to the previous year. While only 21% of hackers believed that AI technologies enhance the value of hacking in 2023, 71% reported it to have value in 2024. Additionally, hackers are increasingly using generative AI solutions, with 77% now reporting the adoption of such tools—a 13% increase from 2023.

While the use and value of AI solutions among hackers have increased, the 2024 report reaffirms that hackers believe AI has limitations. This year's survey revealed that only 22% of hackers believe that AI technologies outperform human hackers, and only 30% believe that AI can replicate human creativity. These results are consistent with those of the 2023 survey.

"There is no denying that AI remains a strong force within the hacking community, changing the very strategies hackers are using to find and report vulnerabilities," says Dave Gerry, CEO of Bugcrowd. "Bugcrowd is in a privileged position to work with a creative, forward-thinking community that thrives on the cutting edge of cybersecurity. Celebrating hackers is part of the core of what we do at Bugcrowd, and these insights can help businesses understand the unique value this community brings to fighting against today's AI-driven cyberattacks."

Key findings from the survey include the following:

*   93% of hackers agree that companies using AI tools have created a new attack vector
    
*   82% believe that the AI threat landscape is evolving too rapidly to be effectively secured from cyberattacks
    
*   86% believe that AI has fundamentally changed their approach to hacking
    
*   74% agree that AI has made hacking more accessible, opening the door for newcomers to join the fold
    
*   Despite these threats, 73% of hackers reported being confident in their ability to uncover vulnerabilities in AI-powered apps
    

These findings point towards the need for hackers in an organization's defense against today's cyberattacks. Although AI is introducing a new attack vector, the majority of hackers still report confidence in their ability to uncover these vulnerabilities, emphasizing the need for organizations to lean on human ingenuity alongside security tooling.

The Rise of Hardware Hacking

The report illuminated the rise of a surprising trend: the increasing prominence of hardware hacking. In the past 12 months, 81% of hardware hackers encountered a new vulnerability they had never seen before, and 64% believe that there are more vulnerabilities now than a year ago. Additionally, in response to the rise of AI, 83% of hardware hackers are now confident in their ability to hack AI-powered hardware and software, indicating a new potential avenue for exploitation. While those familiar with the field may recognize this growing threat, only 33% of hackers in general identified hardware hacking as one of the most valuable specialties. However, there is a low barrier to entry, with 80% of hardware hackers being self-taught.

"Hardware hacking, or the exploitation of vulnerabilities in the physical components of electronic devices, was once considered a specialized field," says Michael Skelton, VP of Security Operations at Bugcrowd. "However, the proliferation of inexpensive, vulnerable smart devices has increased interest in hardware hacking among both ethical hackers and cybercriminals."

A Career Path for a New Generation

This year's survey results also emphasized hacking as a viable and strong career path, particularly for younger generations. Of the respondents, 88% were between the ages of 18 and 34. Additionally, 67% indicated that they are either hacking full-time or actively trying to pursue a full-time hacking career.

Additionally, hacking offers a career path for self-motivated individuals who are eager to learn new skills. While 73% of respondents reported having a college degree or higher, only 29% learned their hacking skills through academic or professional coursework. Instead, 87% reported learning through online resources, 78% through self-study, and 43% through trial and error. Hacking offers younger generations an incredibly desirable career with flexible hours, a remote work environment, and without the requirement of a college degree to achieve success.

Access the Full Report

The survey included 1,300 respondents from 85 countries, including the United States, India, Bangladesh, Pakistan, Nepal, Egypt, Nigeria, the United Kingdom, Vietnam, and Australia. Building upon the success of previous years, this year's edition offers the latest demographic data on the hacking community, a detailed analysis of hackers' daily experiences, and direct insights into hackers' journeys through extensive "Hacker Spotlight" interviews. Readers of this report will better understand how hackers can reduce risks for organizations, provide one of the most significant security returns on investment, and accelerate digital transformation. To download a copy of the Inside the Mind of a Hacker 2024 report, click here.

About Bugcrowd  
We are Bugcrowd. Since 2012, we've been empowering organizations to take back control and stay ahead of threat actors by uniting the collective ingenuity and expertise of our customers and trusted alliance of elite hackers, with our patented data and AI-powered Security Knowledge Platform™. Our network of hackers brings diverse expertise to uncover hidden weaknesses, adapting swiftly to evolving threats, even against zero-day exploits. With unmatched scalability and adaptability, our data and AI-driven CrowdMatch™ technology in our platform finds the perfect talent for your unique fight. We are creating a new era of modern crowdsourced security that outpaces threat actors.

Unleash the ingenuity of the hacker community with Bugcrowd, visit www.bugcrowd.com. Read our blog.

71% of Hackers Believe AI Technologies Increase the Value of Hacking

Threat actors are attempting to abuse the open-source EDRSilencer tool as part of efforts to tamper endpoint detection and response (EDR) solutions and hide malicious activity.
Trend Micro said it detected "threat actors attempting to integrate EDRSilencer in their attacks, repurposing it as a means of evading detection."
EDRSilencer, inspired by the NightHawk FireBlock tool from MDSec, is

Endpoint Security / Malware

Threat actors are attempting to abuse the open-source EDRSilencer tool as part of efforts to tamper endpoint detection and response (EDR) solutions and hide malicious activity.

Trend Micro said it detected "threat actors attempting to integrate EDRSilencer in their attacks, repurposing it as a means of evading detection."

EDRSilencer, inspired by the NightHawk FireBlock tool from MDSec, is designed to block outbound traffic of running EDR processes using the Windows Filtering Platform (WFP).

It supports terminating various processes related to EDR products from Microsoft, Elastic, Trellix, Qualys, SentinelOne, Cybereason, Broadcom Carbon Black, Tanium, Palo Alto Networks, Fortinet, Cisco, ESET, HarfangLab, and Trend Micro.

By incorporating such legitimate red teaming tools into their arsenal, the goal is to render EDR software ineffective and make it a lot more challenging to identify and remove malware.

"The WFP is a powerful framework built into Windows for creating network filtering and security applications," Trend Micro researchers said. "It provides APIs for developers to define custom rules to monitor, block, or modify network traffic based on various criteria, such as IP addresses, ports, protocols, and applications."

"WFP is used in firewalls, antivirus software, and other security solutions to protect systems and networks."

EDRSilencer takes advantage of WFP by dynamically identifying running EDR processes and creating persistent WFP filters to block their outbound network communications on both IPv4 and IPv6, thereby preventing security software from sending telemetry to their management consoles.

The attack essentially works by scanning the system to gather a list of running processes associated with common EDR products, followed by running EDRSilencer with the argument "blockedr" (e.g., EDRSilencer.exe blockedr) to inhibit outbound traffic from those processes by configuring WFP filters.

"This allows malware or other malicious activities to remain undetected, increasing the potential for successful attacks without detection or intervention," the researchers said. "This highlights the ongoing trend of threat actors seeking more effective tools for their attacks, especially those designed to disable antivirus and EDR solutions."

The development comes as ransomware groups' use of formidable EDR-killing tools like AuKill (aka AvNeutralizer), EDRKillShifter, TrueSightKiller, GhostDriver, and Terminator is on the rise, with these programs weaponizing vulnerable drivers to escalate privileges and terminate security-related processes.

"EDRKillShifter enhances persistence mechanisms by employing techniques that ensure its continuous presence within the system, even after initial compromises are discovered and cleaned," Trend Micro said in a recent analysis.

"It dynamically disrupts security processes in real-time and adapts its methods as detection capabilities evolve, staying a step ahead of traditional EDR tools."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Abuse EDRSilencer Tool to Bypass Security and Hide Malicious Activity

Go behind the scenes with Talos incident responders and learn from what we've seen in the field.

Wednesday, October 16, 2024 08:51

Ensuring the cybersecurity of major events — whether it’s sports, professional conferences, expos, inter-government meetings or other gatherings — is a complex and time-intensive task.  

It requires a comprehensive approach and collaboration among various stakeholders, including vendors, hospitality teams, and service providers, to establish a consistent cybersecurity strategy across the entire event ecosystem. 

In our latest version of the “Protecting major events: An incident response blueprint” whitepaper, Cisco Talos Incident Response outlines the essential steps organizations should take to secure any major event. This paper highlights 13 critical focus areas that will guide organizing committees and participating businesses, offering key questions and actionable answers to help ensure robust event security.

Tag

#cisco