The pro-Russian group Killnet is targeting countries supporting Ukraine. It has declared "war" against 10 nations.

The attacks against Lithuania started on June 20. For the next 10 days, websites belonging to the government and businesses were bombarded by DDoS attacks, overloading them with traffic and forcing them offline. “Usually the DDoS attacks are concentrated on one or two targets and generate huge traffic,” says Jonas Sakrdinskas, acting director of Lithuania’s national cybersecurity center. But this was different.

Days before the attacks started, Lithuania blocked coal and metal from being moved through its country to the Russian territory of Kaliningrad, further bolstering its support for Ukraine in its conflict with Russia. Pro-Russian hacker group Killnet posted “Lithuania are you crazy? 🤔” on its Telegram channel to 88,000 followers. The group then called on hacktivists—naming a number of other pro-Russian hacking groups—to attack Lithuanian websites. A list of targets was shared.

The attacks, Sakrdinskas explains, were continuous and spread across all areas of daily life in Lithuania. In total more than 130 websites in both the public and private sectors were “hindered” or made inaccessible, according to Lithuania’s government. Sakrdinskas says the attacks, which were linked to Killnet, have mostly dropped off since the start of July, and the government has opened a criminal investigation.

The attacks are just the latest wave of pro-Russian “hacktivist” activity since the start of Vladimir Putin’s war in February. In recent months Killnet has targeted a growing list of countries that have supported Ukraine but are not directly involved in the war. Attacks against websites in Germany, Italy, Romania, Norway, Lithuania, and the United States have all been linked to Killnet. The group has declared “war” on 10 nations. The targeting often happens after a country offers support for Ukraine. Meanwhile XakNet, another pro-Russian hacktivist group, has claimed to have targeted Ukraine’s biggest private energy company and the Ukrainian government.

While security experts have frequently warned that attacks from Russia could target Western countries, the efforts of volunteer hacktivist groups can have an impact without being officially backed or conducted by the state. “They definitely have malicious intent when they conduct these attacks,” says Ivan Righi, a senior cyberthreat intelligence analyst at security firm Digital Shadows who has studied Killnet. “They're not working together with Russia but in support of Russia.”

Killnet started as a DDoS tool and was first spotted in January this year, Righi says. “They were advertising this app or this website, where you could hire a botnet and then use it to launch DDoS attacks.” But when Russia invaded Ukraine at the end of February, the group pivoted. The vast majority of Killnet’s efforts and those of its “legion” group—members of the public who are asked to join and launch attacks—have been DDoS attacks, Righi says, but he has also seen the group linked to some website defacements, and the group itself has made unverified claims that it has stolen data.

Its Telegram channel, where it makes political statements and talks about targets, was created at the end of February and has grown in popularity, with the number of members doubling since May. “They began to gain a lot of popularity from the public in Russia,” Righi says. Righi says it produces slick promotional videos and sells its own merchandise.

While DDoS attacks aren’t sophisticated, they “will still be able to create uncertainty in the population and give the impression that we are a piece in the current political situation in Europe,” said Sofie Nystrøm, the head of Norway’s NSM cybersecurity agency, in a statement after businesses in the country were targeted by DDoS attacks at the end of June.

Russia has long been home to cybercriminals such as ransomware groups, which the country has largely ignored as long as they don’t target companies in Russia. Simultaneously, Russian military hackers have stirred global chaos for years—causing electricity blackouts in Ukraine, hacking the Olympics, and conducting the worst cyberattack in history. Evidence against state-backed Russian hackers has been piling up since the start of the war, though Russia has consistently denied launching cyberattacks around the world. The Russian embassy in the United States did not immediately respond to a request for comment.

In April, cybersecurity officials in the US, Australia, Canada, New Zealand, and the UK warned against the potential damage that pro-Russian groups, including XakNet and Killnet, could cause. While it is not clear who is behind Killnet or whether the group is backed by the Russian state, one other notorious Russian hacktivist group has been linked to the Kremlin. At the end of June, US cybersecurity company Mandiant, as first reported by Bloomberg, said Russian intelligence operatives had passed stolen information to XakNet. Ukrainian officials have also pinned attacks on DTEK, the country’s largest private energy firm, on XakNet. (The group has posted about DTEK multiple times in its 36,000-subscriber Telegram channel.)

“We've seen a number of groups emerge in the context of the Russian invasion of Ukraine,” says Alden Wahlstrom, a senior analyst at Mandiant. “XakNet and Killnet both have questionable provenance.” Wahlstrom says any claims of hacktivism should be approached with “a healthy dose of skepticism” and that Russian intelligence agencies have an “established history of using cutout groups” for cyberactivities. Last week the Trickbot cybercriminal group—which is made up of multiple smaller groups like the Conti ransomware group, and has links to the Russian state—was spotted by IBM targeting Ukraine for the first time. IBM describes the move as a “huge shift” in the group’s behavior.

XakNet has claimed it is not being directed by the Russian government. In one Telegram post responding to Mandiant’s findings, it said it “fully” supports the Kremlin’s position and acknowledges its activities aren’t legal. It said it does not cooperate with Russia’s FSB security service “at the moment” but is “happy to provide data to those who ask.”

It is possible there are some connections among Russian hacker groups themselves. In multiple instances, Wahlstrom says, they have cross-posted about other groups’ work on their Telegram channels. For instance, when Killnet called for Lithuania to be targeted it posted a message asking for help from XakNet, Russian ransomware groups, and other pro-Russian hacking groups.

“XakNet and Killnet have given a decent amount of media interviews in the Russian media space, which is a reason to at least consider that there is a potential dual component to some of this activity,” Wahlstrom says. “They are helping to advance Russian interests abroad, either in Ukraine or further afield, but on the flip side they're being heavily promoted in the Russian media as groups that are displays of these patriotic volunteers that embody support for Russian government decisions.”

Killnet responded to a request for comment by saying it was “no longer friends” with XakNet. “Our enemy is your government bro,” the group says. “But we are not dangerous to ordinary people.”

DDoS attacks have been prominent in Ukraine, too. Officials there created a volunteer IT army, where people from around the world can help launch attacks against Russian targets. The IT army has claimed to take down, at least temporarily, the websites of Russian government departments, food delivery services, and banks—one of Putin’s speeches last month was delayed by an hour after the IT army attacks. Attacks against Russia have also come from hacktivist groups outside of Ukraine, such as Anonymous.

Ultimately, as Russia’s war against Ukraine continues, the activity of pro-Russian cyber groups continues to be in line with Russian aims. “Moscow has kept its relationship with Russia-based hacktivist groups deliberately ambiguous,” says Emily Harding, deputy director of the international security program at the Center for Strategic and International Studies, a US-based think tank. “Moscow’s security services know who these operators are and will use some form of leverage to force them to cooperate when needed.”

Harding says analysts have continuously predicted that Russia would use “deniable tools” and groups to react against countries that support Ukraine. While DDoS attacks may not be sophisticated, they contribute to this effort. And if attacks by so-called hacktivist groups become more advanced, there’s a greater chance they could cause more damage or risk escalation of the conflict. “The risk of miscalculation is real,” Harding says. “No one has yet really tested the limits of cyber operations without causing escalation.”

Russian ‘Hacktivists’ Are Causing Trouble Far Beyond Ukraine

DUBLIN, July 8, 2022 /PRNewswire/ -- The "Global Enterprise Endpoint Security Market - Forecasts from 2022 to 2027" report has been added to **ResearchAndMarkets.com's** offering.

Endpoint security is the technique of preventing harmful actors and campaigns from exploiting endpoints or entry points of end-user devices such as PCs, laptops, and mobile devices. Endpoint security solutions on a system or cloud protect against cybersecurity threats. Endpoint security has progressed beyond antivirus software to supply comprehensive security against sophisticated malware and new zero-day dangers.

Nation-states, hacktivists, organized crime, and purposeful and unintentional insider threats all pose a hazard to businesses of all sizes. Endpoint security is frequently referred to as cybersecurity's frontline, and it is one of the first places where businesses attempt to defend their networks. Due to several benefits, such as cost savings with cloud storage, compute scalability, and low maintenance requirements, enterprise use of SaaS-based or cloud-delivered endpoint security solutions continues to grow.

**The growing number of enterprise endpoints and mobile devices with access to sensitive data has created a tremendous need for endpoint security solutions, which is expected to drive the market.**

In today's environment, mobile gadgets such as smartphones and tablets have become necessary for both individuals and businesses. The number of employees using their phones for work is fast expanding, and mobile devices and applications have presented a slew of new attack vectors and data security challenges.

These cyber dangers range from Trojans and viruses to botnets and toolkits, and they can have a significant impact on the broader network, putting sensitive and private data at risk. For example, according to the Mobile Security Report 2021 by Check Point, 97 percent of businesses globally were hit by mobile attacks that used several attack vectors. At least one employee in 46 percent of those businesses downloaded a malicious app to their phone.

According to the same report, nearly every firm had at least one smartphone malware assault in 2020. The mobile network was responsible for 93 percent of the attacks. As previously stated, around 40% of all mobile devices are at risk of being targeted by cyber-attacks. As a result, businesses are increasingly implementing endpoint security solutions to secure their networks and give secure access to confidential data to their employees.

As a result, factors such as increased mobile and wireless device usage, advancements in connectivity infrastructure around the world, and dropping mobile device prices are all expected to have a significant impact on the endpoint security industry. For instance, according to Ericsson, there are already over six billion smartphone subscribers worldwide, with several hundred million more expected in the next years.

By 2026, the number of smartphone users is predicted to increase to 7516 million. Employees at firms are increasingly using their personal mobile devices to access corporate data owing to the growing BYOD trend. However, it poses security concerns, necessitating powerful endpoint security solutions to protect sensitive company data, resulting in significant demand.

However, the lack of awareness about endpoint security among the general public, as well as the fact that many enterprises are struggling to deal with security threats and data breaches as a result of a lack of understanding about endpoint security, is expected to limit the market expansion.

**By region, the Asia Pacific and North America are expected to hold a notable share in the global enterprise endpoint security market during the forecast period.**

North America and Asia-Pacific are predicted to have a significant share of the global enterprise endpoint security market. Applying technology to restrict threats on organizational endpoints and the rising penetration of mobile devices that are initially prone to endpoint attacks are two reasons supporting the market expansion in these regions.

For instance, in July 2021, SentinelOne and ConnectWise established a partnership to strengthen their security relationship. MSPs will be able to obtain SentinelOne Control and SentinelOne Complete as standalone products from ConnectWise rather than having to purchase them as part of the SOC-targeted Fortify Endpoint offering.

Similarly, in September 2020, Palo Alto Networks and OPSWAT expanded their partnership to add support for new endpoint platforms and IoT devices in GlobalProtect and Prisma Access for branch offices, retail locations, and mobile users. The integration detects and evaluates the state of the endpoint as well as any third-party security programs installed on it. The Host Information Profile (HIP) gathers data about the network's endpoints' security state, used to implement gateway policies.

**COVID-19 Insights**

The COVID-19 outbreak compelled enterprises all around the world to mobilize swiftly in order to secure large numbers of remote workers and expand their tooling beyond traditional security measures. With the growing number of cybercrimes in 2020, the market for global enterprise endpoint security has been positively impacted by the pandemic.

For instance, the US Department of Health and Human Services (HHS) systems were subjected to a large DDoS attack in March 2020. In the same month, a cyberattack hit databases at the University Hospital in Brno, one of the Czech Republic's main centers for COVID-19 blood testing. As a result, doctors could not complete coronavirus testing and had to postpone several surgical procedures.

**Key Topics Covered:**

**1\. INTRODUCTION**

**2\. RESEARCH METHODOLOGY**

**3\. EXECUTIVE SUMMARY**

**4\. MARKET DYNAMICS**  
4.1. Market Drivers  
4.2. Market Restraints  
4.3. Porter's Five Forces Analysis  
4.3.1. Bargaining Power of Suppliers  
4.3.2. Bargaining Powers of Buyers  
4.3.3. Threat of Substitutes  
4.3.4. Threat of New Entrants  
4.3.5. Competitive Rivalry in Industry  
4.4. Industry Value Chain Analysis

**5\. GLOBAL ENTERPRISE ENDPOINT SECURITY MARKET, BY SOLUTION**  
5.1. Anti-Virus  
5.2. Firewall  
5.3. Endpoint Device Control  
5.4. Anti-Spyware/Anti-Malware  
5.5. Others

**6\. GLOBAL ENTERPRISE ENDPOINT SECURITY MARKET, BY COMPONENT**  
6.1. Application Control  
6.2. Endpoint Encryption

**7\. GLOBAL ENTERPRISE ENDPOINT SECURITY MARKET, BY DEPLOYMENT**  
7.1. Cloud  
7.2. On-Premise

**8\. GLOBAL ENTERPRISE ENDPOINT SECURITY MARKET, BY ORGANIZATION SIZE**  
8.1. Small  
8.2. Medium  
8.3. Large

**9\. GLOBAL ENTERPRISE ENDPOINT SECURITY MARKET, BY INDUSTRY VERTICAL**  
9.1. BFSI  
9.2. Government  
9.3. Aerospace and Defense  
9.4. Healthcare  
9.5. Communication and Technology  
9.6. Others

**10\. GLOBAL ENTERPRISE ENDPOINT SECURITY MARKET, BY GEOGRAPHY**  
10.1. Introduction  
10.2. North America  
10.2.1. United States  
10.2.2. Canada  
10.2.3. Mexico  
10.3. South America  
10.3.1. Brazil  
10.3.2. Argentina  
10.3.3. Others  
10.4. Europe  
10.4.1. Germany  
10.4.2. France  
10.4.3. United Kingdom  
10.4.4. Spain  
10.4.5. Others  
10.5. Middle East and Africa  
10.5.1. Saudi Arabia  
10.5.2. Israel  
10.5.3. Others  
10.6. Asia Pacific  
10.6.1. China  
10.6.2. Japan  
10.6.3. South Korea  
10.6.4. India  
10.6.5. Thailand  
10.6.6. South Korea  
10.6.7. Taiwan  
10.6.8. Indonesia  
10.6.9. Others

**11\. COMPETITIVE ENVIRONMENT AND ANALYSIS**  
11.1. Major Players and Strategy Analysis  
11.2. Emerging Players and Market Lucrativeness  
11.3. Mergers, Acquisition, Agreements, and Collaborations  
11.4. Vendor Competitiveness Matrix

**12\. COMPANY PROFILES**  
12.1. Intel Corporation  
12.2. Broadcom Inc. (Symantec Corporation)  
12.3. Trend Micro Incorporated  
12.4. RSA Security LLC  
12.5. Kaspersky Lab  
12.6. Bitdefender  
12.7. WatchGuard Technologies  
12.8. ESET  
12.9. Sophos Ltd  
12.10. McAfee LLC

For more information about this report visit https://www.researchandmarkets.com/r/fyl26c

Worldwide Enterprise Endpoint Security Industry to 2027: Focus on Antivirus, Firewall, Endpoint Device Control, and Anti-Spyware/Anti-Malware

It's time to tap the large reservoir of talent with analytical skills to help tackle cybersecurity problems. Train workers in cybersecurity details while using their ability to solve problems.

When I decided to get a degree in criminal justice, cybersecurity wasn't top of mind for me. I just wanted to get justice for folks who had been wronged.

But as I learned more about the criminal justice system in the United States, it wasn't long before I made a pivot. In my junior year in college, while working for a degree in history, I received an unpaid internship to work at a small company in New Hampshire. It was there that I got my introduction to the cybersecurity world — and it led to an epiphany.

I realized that what I learned in college about human behavior extends in the same way to any criminal — whether we're talking about the physical or cyber worlds, a similar logic applies. Since I had always wanted a job where I could develop my analytical skills, cybersecurity was an unexpected fit.

**Tapping an Untapped Talent Pool**

This field can also be an unexpected fit for some of the hundreds of thousands of people who enter the job market each year, even if they graduate with degrees other than computer science. Cybersecurity suffers from a talent shortage and we're making it worse by not tapping this reservoir of potential talent.

There's no one-size-fits-all handbook to guide the battle against cybercriminals. Most often, it requires cybersecurity defenders to fit together different pieces of a human puzzle that will vary depending on a myriad of geographical, political, and cultural influences.

Essentially, this boils down to problem-solving on a global scale. Yet, whether it's cybercrime or physical crime, it's possible to read into the motivations of the threat actors and understand why they're doing the things they do. And then, once we know that, we get closer to predicting their next steps. This is where people with finely honed analytic skills can make excellent cyber sleuths.

Clearly, it's important to possess technical knowledge. But I think you can always teach technical skills to curious minds who enjoy a challenge. The critical thinking aspect is harder to come by. People who possess top-flight problem-solving abilities can make a difference and leverage their skills and fill the cybersecurity ranks with badly needed talent. It's key to have skilled individuals who are capable of training and teaching these individuals.

**Understanding Criminal Motivations**

In terms of adversary detection, there are several variables to consider. But you don’t need to be a veritable Sherlock Holmes to understand the criminal mindset. We need people who can determine what motivates someone to commit a certain act, and subsequently identify the likely next potential actions a threat actor would conduct, whether we’re talking about a distributed denial-of-service (DDoS) attack or a home intrusion.

When it comes to deciphering criminal groups, we repeatedly find similar patterns.

Cybercriminals can often be lazy and tend to choose targets that are designated as "easier," or simply target everyone to see what sticks. Professional cybercriminal groups develop and distribute malware on a global scale, and some groups can be very sophisticated and financially motivated. For example, advanced persistent threat (APT) groups are highly sophisticated professionals that tend to be motivated to carry out the theft of sensitive information, and sometimes, the destruction or prevention of resource access. With Russia-sponsored groups increasingly active since the Ukraine invasion, we can sometimes see both motivations simultaneously. Cyber espionage is solely motivated by information, and threat actors will go to great lengths and show extreme patience to get it. Nation-state groups arguably have the most resources at their disposal, and they can function with different motivation depending on their given objectives.

So, the process of adversary detection comes down to making logical deductions to understand how cybercriminals approach their goals. Once we know what the bad guys tend to do, then it becomes easier to detect their behavior. That's not to dismiss the complexity of the task. Attacker detection is challenging, but not impossible.

It's about getting that full picture of the actor, their motivations, and how they like to operate. Just like Sun Tzu said a long time ago, "If you know the enemy and know yourself, you need not fear the result of a hundred battles."

Cybersecurity Has a Talent Shortage & Non-Technical People Offer a Way Out

By Deeba Ahmed
Palo Alto Networks’ Unit 42 security researchers have discovered that Russian state-sponsored hackers are abusing the latest Brute…
This is a post from HackRead.com Read the original post: Russia Hackers Abusing BRc4 Red Team Penetration Tool in Recent Attacks

Palo Alto Networks’ Unit 42 security researchers have discovered that Russian state-sponsored hackers are abusing the latest Brute Ratel C4 or BRc4 attack simulation/penetration testing tool in their recent and active attacks.

**Hackers Using BRc4 to Evade Detection?**

Unit 42 threat intelligent experts wrote in their report that the malicious payload linked with the BRc4 tool allows it to evade detection by most commonly used security products. Moreover, researchers believe that hackers are targeting entities worldwide, but primarily their targets are located in South and North America.

In a warning issued by the researchers, they have urged the cybersecurity fraternity to look for signs of malware, including the BRc4 tool. Researchers dubbed it a “uniquely dangerous” tool designed to avoid detection by EDR (endpoint detection and response) and AV (antivirus) scanners.

**How was The Abuse Detected?**

According to Palo Alto Networks’ researchers, someone uploaded a document to the VirusTotal website for inspection in May 2022. This document included a BRc4-associated payload. Surprisingly, 56 of VirusTotal scanners couldn’t recognize the malware, after which it was assigned Benign status. 

**Possible Perpetrator?**

Researchers identified that the malicious payload’s packaging hinted at the involvement of the APT29 group (Advanced Persistent Threat group 29) The Dukes or Cozy Bear as the deployed tactics were similar to this group. CozyBear is a Russian state-sponsored hacker group. Previously it was involved in the devastating Solar Winds attacks in 2020.

**What is BRc4 Tool, and What are its Capabilities?**

Dark Vortex sells this penetration testing tool. It is similar to the commercially available, legit Cobalt Strike attack simulation tool, which IT departments mainly use in testing defenses and staff training.

Previously, attackers used illegal versions of Cobalt Strike for scanning victims in their attacks, and now they are abusing BRc4. This tool has been used since 2020, mainly by Indian security engineer Chetan Nayak (aka Paranoid Ninja) who used to work for red teams at mainstream western security vendors.

However, the product was recently commercialized. Nayak explained that this tool was designed for reverse-engineering major security products. But Unit42 researchers claim it is a relatively new tool that boasts similar capabilities as Cobalt Strike. Once installed, BRc4 can capture screenshots, create Windows system services, patch AMSI, and upload/download documents.

**Attack Delivery Mechanism**

The malicious, self-contained, and benign ISO file is included in the primary lure file, which is a Windows shortcut file (LNK) disguised as an MS Word file, complete with the fake Word icon. The file is sent to the target via spear-phishing, or the victim downloads it by a second-stage downloader.

An analysis of the files shows it appears to be a CV for someone named Roshan Bandara, but this is actually the main malicious file. This file appears on the user’s hard drive after double-clicking, and when the lure file is clicked, it installs the BRc4.

Researchers discovered 41 malicious IP addresses, 9 BRc4 samples, and three impacted organizations.

> “While we lack insight into how this particular payload was delivered to a target environment, we observed connection attempts to the C2 server originating from three Sri Lankan IP addresses between May 19-20.”
> 
> Unit 42

**More Russian Hackers Topic**

*   Russian language hacking forums warming up to Chinese hackers
*   Pro-Russia Killnet Group Hit Top Lithuanian websites with DDoS Attacks
*   BlackGuard Password Stealing Malware Sold on Russian Hacking Forums
*   New Russian Android Malware Tracks GPS Location and Spies on Victims
*   Feds Dismantle Russian Rsocks Botnet Powered by Millions of IoT Devices

Russia Hackers Abusing BRc4 Red Team Penetration Tool in Recent Attacks

British software engineer also talks HTTP/3, zero trust, and lava lamp-powered cryptography

British software engineer also talks HTTP/3, zero trust, and lava lamp-powered cryptography

INTERVIEW The hegemony of CAPTCHAs, the reliably infuriating means by which websites distinguish human users from bots, is – mercifully – in peril.

John Graham-Cumming, chief technology officer (CTO) at web security and performance specialist Cloudflare, tells The Daily Swig that an alternative technology developed by Cloudflare, Apple, Google, and others eliminates the friction and privacy infringements involved in clicking squares that contain bicycles, vans, or traffic lights.

RELATED WWDC 2022: Apple showcases next-gen security tech at annual developer event

Incidentally, CAPTCHAs – or ‘Completely Automated Public Turing Tests to tell Computers and Humans Apart’ – reference the legendary computer scientist Alan Turing, who received a posthumous apology from the UK government in 2009 following an online campaign by Graham-Cumming.

Graham-Cumming, the POPFile architect who shares with fellow Brit Turing a remarkable mathematical acuity, also talks HTTP/3, ‘zero trust’ architecture, the distributed denial-of-service (DDoS) landscape, and novel ways to generate random, cryptographic numbers.

Daily Swig: Last month Cloudflare announced Private Access Tokens, a technology that leverages ‘private attestation’ to offer an alternative to CAPTCHAs. What drove the decision to focus on this area of authentication?

John Graham-Cumming: Does anybody like CAPTCHAs? They're the most frustrating thing ever, and are often used across websites, so can potentially be used for tracking.

We’ve driven down our use of CAPTCHAs over time by replacing them with other methods.

Private attestation demonstrates that you are essentially coming from a known device. Apple knows who I am, what I use my device for, and they are able to say to a website, ‘This is a legit human, the device hasn't been hacked’.

And private attestation uses a bunch of clever cryptography to prove that you are legit without Apple saying who you are. We think this is going to remove CAPTCHAs in a way that preserves people’s privacy.

Unveiled at WWDC 2022, will Private Access Tokens become the CAPTCHA-killer?

DS: Cloudflare has also just added new capabilities to its network-as-a-service zero trust platform, Cloudflare One. How important is the move to zero trust architecture and is it happening quickly enough?

JGC: Businesses used to keep their employees, servers, and applications inside heavily guarded walls. If you needed to travel, there were VPNs.

But the castle walls got stormed from the inside out when applications started moving out of the business with SaaS, the cloud, and mobile devices. Suddenly the castle walls didn’t make sense.

‘Zero trust’ provides a much more flexible and less expensive \[alternative\] and Cloudflare has been a player in this space for a long time.

Before the pandemic we announced Cloudflare for Teams, which allows teams to work remotely, and we launched zerotrustroadmap.org to help businesses plan out which applications are going to be outside and inside the firewall, how you connect, \[and\] who you connect \[with\].

I think that businesses are, by and large, on a journey towards zero trust. Some are more advanced, some are less advanced. The US federal government has talked about zero trust as the right architecture.

RELATED US government’s ‘zero trust’ roadmap calls time on perimeter-based paradigm

It reflects how we work, and Covid just accelerated this trend because suddenly everybody was at home and needed access.

How significant was the recent news that the HTTP/3 protocol received RFC 9114 standardization?

JGC: About 25% of traffic on Cloudflare already uses HTTP/3, and major browsers are implementing it very quickly, so it’s clearly getting taken up very quickly.

It’s fantastic to see this level of innovation because we depend on HTTP for pretty much everything we do online.

There was a very long standardization process between HTTP/1.1 and HTTP/2, so the fact HTTP/3 was able to follow on quite quickly is a sign that we really are continuing to innovate at fundamental levels on the internet.

What important trends are you seeing when it comes to defending your clients against DDoS attacks?

JGC: Attackers don’t just go after the front door anymore – knocking your website offline. Now attackers are more business-like, especially in ransom-related DDoS where they might go after your DNS, email server, or VPN servers.

Read more cybersecurity interviews

Second, although there are still very large attacks at the network level, there has been a rise at the application level. And I think this is partly because we’ve got very good at defending against network-level attacks.

We’ve also seen more use of cloud providers as the source of attacks. I think this is partly to get the request-per-second up really high, because you get more compute power, and because everything on the web is becoming HTTPS, then attacks are also running over HTTPS and that’s more expensive for the attacker.

Cloudflare’s John Graham-Cumming: ‘We really are continuing to innovate at fundamental levels on the internet’

What inspired Cloudflare’s use of lava lamps to generate random numbers for SSL encryption?

JGC: It’s part \[practically useful\] and part art project. You can generate random numbers in all sorts of ways using different physical processes. Radioactivity is a classic one \[as ripening bananas can demonstrate\] and there are interesting quantum things.

Catch up with the latest encryption security news

In London we have a wall of double pendulums, because it turns out that a pendulum attached to a pendulum moves in a very unpredictable way.

We wanted to make the point that randomness is fundamental to keeping things secure online, but computers are not fantastic at creating random numbers. You, me, and everybody else have been told over and over again not to pick easy-to-guess passwords – which is a way of saying ‘pick random passwords’.

Cloudflare has evolved considerably since its foundation in 2009 as an email spam protection platform. How might it continue to evolve in the coming months or years?

JGC: Fundamentally, Cloudflare makes things that are connected to the internet faster, more available, more secure, and more private.

Our product roadmap is really about bringing those attributes to internet-connected things across our application services, CDN \[content delivery network\], DDoS, network services, and our compute platform, Cloudflare Workers.

We recently acquired an email protection company called Area 1, so email is becoming a big area for us.

Don't forget email – it’s old, but it’s still important. Something like 80-90% of security problems at companies start with email, through phishing and stuff like that.

What are you most proud of in your career and why?

JGC: Having built Cloudflare up from having 20-something people to making a real impact on everybody’s use of the internet in terms of security and performance is probably the most satisfying thing.

And doing that with a curious, empathic, open culture is very satisfying.

Everybody always asks me about the Alan Turing thing. I’m glad I did it, but it feels like a long time ago now!

RECOMMENDED HTTP/3 evolves into RFC 9114 – a security advantage, but not without challenges

‘Does anybody like CAPTCHAs?’ – Cloudflare CTO John Graham-Cumming envisages a frictionless future for website Turing tests

By Deeba Ahmed
Cybersecurity researchers urge parents to keep track of their children’s online activities. Avast security researchers have discovered a server on…
This is a post from HackRead.com Read the original post: Teen Hackers on Discord Selling Malware for Quick Cash

****Cybersecurity researchers urge parents to keep track of their children’s online activities.****

Avast security researchers have discovered a server on Discord where a group of minors is involved in developing, upgrading, marketing, and selling malware and ransomware strains on the platform, supposedly to earn pocket money.

The researchers believe all of them are minors since they repeatedly mentioned their parents and teachers and casually used age-specific insults. Researchers learned about their activities through their discussion on Discord.

**Minors Promoting Easy-to-Use Malware**

The hackers are involved in selling malware strains of Snatch, Lunar, and Rift and offer all kinds of services from info-stealers to ransomware and cryptominers. However, researchers noted that teen hackers mainly provide easy-to-use malware builders and toolkits, which help users employ the “Do it yourself” (DIY) approach to use them without actual programming. All they need to do is customization of appearance and functions.

**More “Kids Doing Cyber Crime” News**

*   Teen hires attacker to DDoS his school district
*   Teen Charged for Selling Malware Used in DDoS Attacks
*   Female DDoS Attacker Charged with Crippling School System
*   Japanese boy arrested for developing cryptocurrency stealing malware
*   Teen arrested for 8 DDoS attacks that disrupted school’s online classes

**How does the Group operate?**

Interested parties must pay a fee to become a group member or use the malware-as-a-service feature. The registration fee ranges between €5 and €25. In their report, Avast researchers noted that around 100 accounts have already subscribed to access a hacking group.

The malware distribution process is a little unconventional. The hackers create a YouTube video demonstrating a fake crack for a popular computer game or commercial software, including a download link in the description.

To develop a sense of authenticity, other members of the Discord group post comments on the video and thank the author while confirming that the link actually worked. This strategy is much more twisted than bots for adding comments since it becomes impossible to identify fraud when a video receives comments from genuine users.

**How to Deal with Teen Hackers?**

It is a fact that this scenario is concerning. Therefore, hacking talent among teens and minors must be diverted towards positive, ethical purposes for the overall betterment of the cybersecurity industry.

Parents must talk to their kids and understand the motivating factors that compel them to indulge in malware distribution. There are so many resources available on Discord and other platforms to help interested individuals start a career in the cybersecurity industry.

However, the first step is that parents should communicate with their kids without judging them. It is worth noting that the group performs illegal malware distribution without realizing the issue’s severity and perceiving it all as just a prank.

*   New YTStealer Malware is Hijacking YouTube Channels
*   New malware targets Discord users to steal personal data
*   Cryptocurrency users on Discord & Slack hit by macOS malware
*   Hackers are using Microsoft Teams chat to spread nasty malware
*   New malware blocks victims from visiting The Pirate Bay, illegal sites

Teen Hackers on Discord Selling Malware for Quick Cash

From cryptocurrency thefts to intrusions into telecom giants, state-backed attackers have had a field day in the year’s first half.

Whether the first six months of 2022 have felt interminable or fleeting—or both—massive hacks, data breaches, digital scams, and ransomware attacks continued apace throughout the first half of this complicated year. With the Covid-19 pandemic, economic instability, geopolitical unrest, and bitter human rights disputes grinding on around the world, cybersecurity vulnerabilities and digital attacks have proved to be thoroughly enmeshed in all aspects of life.

With another six months left in the year, though, there's more still to come. Here are the biggest digital security debacles that have played out so far.

For years, Russia has aggressively and recklessly mounted digital attacks against Ukraine, causing blackouts, attempting to skew elections, stealing data, and releasing destructive malware to rampage across the country—and the world.  After invading Ukraine in February, though, the digital dynamic between the two countries has changed as Russia struggles to support a massive and costly kinetic war and Ukraine mounts resistance on every front it can think of. This has meant that while Russia has continued to pummel Ukrainian institutions and infrastructure with cyberattacks, Ukraine has also been hacking back with surprising success. Ukraine formed a volunteer “IT Army” at the beginning of the war, which has focused on mounting DDoS attacks and disruptive hacks against Russian institutions and services to cause as much chaos as possible. Hacktivists from around the world have also turned their attention—and digital firepower—toward the conflict. And as Ukraine launches other types of hacks against Russia, including attacks utilizing custom malware, Russia has suffered data breaches and service disruptions at an unprecedented scale.

The digital extortion gang Lapsus$ went on an extreme hacking bender in the first months of 2022. The group emerged in December and began stealing source code and other valuable data from increasingly prominent and sensitive companies—including Nvidia, Samsung, and Ubisoft—before leaking it in apparent extortion attempts. The spree reached its zenith in March when the group announced that it had breached and leaked portions of Microsoft Bing and Cortana source code and compromised a contractor with access to the internal systems of the ubiquitous authentication service Okta. The attackers, who appeared to be based in the United Kingdom and South America, largely relied on phishing attacks to gain access to targets’ systems. At the end of March, British police arrested seven people believed to have associations with the group and charged two at the beginning of April. Lapsus$ seemed to briefly continue to operate following the arrests but then became dormant.

In one of the most disruptive ransomware attacks to date, Russia-linked cybercrime gang Conti brought Costa Rica to a screeching halt in April—and the disruptions would last for months. The group's attack on the country's Ministry of Finance paralyzed Costa Rica's import/export businesses, causing losses of tens of millions of dollars a day. So serious was the attack that Costa Rica's president declared a “national emergency”—the first country to do so because of a ransomware attack—and one security expert described Conti's campaign as “unprecedented.” A second attack in late May, this one on the Costa Rican Social Security Fund, was attributed to the Conti-linked HIVE ransomware and caused widespread disruptions to the country's health care system. While Conti's attack on Costa Rica is historic, some believe that it was meant as a diversion while the gang attempts to rebrand to evade sanctions against Russia over its war with Ukraine.

As the cryptocurrency ecosystem has evolved, tools and utilities for storing, converting, and otherwise managing it have developed at breakneck speed. Such rapid expansion has come with its share of oversights and missteps, though. And cybercriminals have been eager to capitalize on these mistakes, frequently stealing vast troves of cryptocurrency worth tens or hundreds of millions of dollars. At the end of March, for example, North Korea's Lazarus Group memorably stole what at the time was $540 million worth of Ethereum and USDC stablecoin from the popular Ronin blockchain “bridge.” Meanwhile, in February, attackers exploited a flaw in the Wormhole bridge to grab what was then about $321 million worth of Wormhole's Ethereum variant. And in April, attackers targeted the stablecoin protocol Beanstalk, granting themselves a “flash loan” to steal about $182 million worth of cryptocurrency at the time.

Health care providers and hospitals have long been a favorite target of ransomware actors, who look to create maximum urgency to entice victims to pay up in the hopes of restoring their digital systems. But health care data breaches have also continued in 2022 as criminals pool data they can monetize through identity theft and other types of financial fraud. In June, the Massachusetts-based service provider Shields Health Care Group disclosed that it suffered a data breach throughout much of March impacting roughly 2 million people in the United States. The stolen data included names, Social Security numbers, birth dates, addresses, and billing information, as well as medical information like diagnoses and medical record indicators. In Texas, patients of Baptist Health System and Resolute Health Hospital announced a similar breach in June that exposed similar data, including Social Security numbers and sensitive patient medical information. Both Kaiser Permanente and Yuma Regional Medical Center in Arizona also disclosed data breaches in June.

At the beginning of June, the US Cybersecurity and Infrastructure Security Agency warned that Chinese government-backed hackers had breached a number of sensitive victims worldwide, including “major telecommunications companies.” They did so, according to CISA, by targeting known router vulnerabilities and bugs in other network equipment, including those made by Cisco and Fortinet among other vendors. The warning did not identify any specific victims, but it hinted at alarm over the findings and a need for organizations to step up their digital defenses, especially when handling massive quantities of sensitive user data. “The advisory details the targeting and compromise of major telecommunications companies and network service providers,” CISA wrote. “Over the last few years, a series of high-severity vulnerabilities for network devices provided cyber actors with the ability to regularly exploit and gain access to vulnerable infrastructure devices. In addition, these devices are often overlooked.”

Separately, hackers likely conducting Chinese espionage breached News Corp in an intrusion that was discovered by the company on January 20. Attackers accessed journalists' emails and other documents as part of the breach. News Corp owns a number of high-profile news outlets, including _The Wall Street Journal_ and its parent, Dow Jones, the _New York Post_, and several publications in Australia.

Just days after a consequential US Supreme Court decision at the end of June pertaining to concealed-carry permit laws, an unrelated data breach potentially exposed the information of everyone who applied for a concealed-carry permit in California between 2011 and 2021. The incident impacted data including names, ages, addresses, and license types. The breach occurred after a misconfiguration in the California Department of Justice 2022 Firearms Dashboard Portal exposed data that should not have been publicly accessible. "This unauthorized release of personal information is unacceptable and falls far short of my expectations for this department," state attorney general Rob Bonta said in a statement. "The California Department of Justice is entrusted to protect Californians and their data. We acknowledge the stress this may cause those individuals whose information was exposed. I am deeply disturbed and angered."

The Worst Hacks and Breaches of 2022 So Far

Dark Reading's digest of the other don't-miss stories of the week, including YouTube account takeovers and a sad commentary on cyber-pro hopelessness.

There's no such thing as a slow week for cybercrime, which means that covering the waterfront on all of the threat intelligence and interesting stories out there is a difficult, if not impossible, task. This week was no exception and, in fact, seemed to offer a veritable trove of important happenings that we would be remiss not to mention.

To wit: Dangerous malware campaigns! Info-theft! YouTube Account Takeovers! Crypto under siege! Microsoft warnings!

In light of this, Dark Reading is debuting a weekly "in case you missed it" (ICYMI) digest, rounding up important news from the week that our editors just didn't have time to cover before.

This week, read on for more on the following, ICYMI:

*   Smart Factories Face Snowballing Cyberactivity
*   Lazarus Group Likely Behind $100M Crypto-Heist
*   8220 Gang Adds Atlassian Bug to Active Attack Chain
*   Critical Infrastructure Cyber Pros Feel Hopeless
*   Hacker Impersonates TrustWallet in Crypto Phishing Scam
*   Cookie-Stealing YTStealer Takes Over YouTube Accounts
*   Follina Bug Used to Spread XFiles Spyware

**Smart Factories Face Snowballing Cyberactivity**

A whopping 40% of smart factories globally have experienced a cyberattack, according to a survey out this week.

Smart factories – in which industrial Internet of things IIoT) sensors and equipment are used to reduce costs, obtain telemetry, and bolster automation – are officially a thing, with the digitization of manufacturing well underway. But cyberattackers are taking notice too, according to Capgemini Research Institute.

Among sectors, heavy industry faced the highest volume of cyberattacks (51%). Those attacks take many forms, too: 27% of firms have seen an increase of 20% or more in bot-herders taking over IIoT endpoints for distributed denial-of-service (DDoS) attacks; and 28% of firms said they have seen an increase of 20% or more in employees or vendors bringing in infected devices, for instance.

"With the smart factory being one of the emblematic technologies of the transition to digitization, it is also a prime target for cyberattackers, who are scenting new blood," according to the report.

At the same time, the firm also uncovered that in nearly half (47%) of organizations, smart factory cybersecurity is not a C-level concern.

**Lazarus Group Likely Behind $100M Crypto-Heist**

Security researchers are laying the $100 million hack of the Horizon Bridge crypto exchange at the feet of North Korea's notorious Lazarus Group advanced persistent threat.

Horizon Bridge enables users of the Harmony blockchain to interact with other blockchains. The heist occurred June 24, with the culprits making off with various cryptoassets, including Ethereum (ETH), Tether (USDT), Wrapped Bitcoin (WBTC), and BNB.

According to Elliptic, there are strong indications that Lazarus is behind the incident. The group not only carries out classic APT activity like cyber-espionage, but also acts as a money-earner for the North Korean regime, researchers noted.

The thieves in this case have so far sent 41% of the $100 million in stolen crypto assets into the Tornado Cash mixer, Elliptic noted, which essentially acts as a money launderer.

**8220 Gang Adds Atlassian Bug to Active Attack Chain**

The 8220 Gang has added the latest critical security vulnerability affecting Atlassian Confluence Server and Data Center to its bag of tricks in order to distribute cryptominers and an IRC bot, Microsoft warned this week.

The Chinese-speaking threat group has been actively exploiting the bug since it was disclosed in early June.

"The group has actively updated its techniques and payloads over the last year. The most recent campaign targets i686 and x86\_64 Linux systems and uses RCE exploits for CVE-2022-26134 (Confluence) and CVE-2019-2725 (WebLogic) for initial access," Microsoft's Security Intelligence Centre tweeted.

**Critical Infrastructure Cyber Pros Feel Hopeless**

A staggering 95% of cybersecurity leaders at critical national infrastructure organizations in the UK say they could see themselves leaving their jobs in the next year.

According to a survey from Bridewell, 42% feel a breach is inevitable and don't want to tarnish their career, while 40% say they are experiencing stress and burnout which is impacting their personal life.

Meanwhile more than two -thirds of the respondents say that the volume of threats and successful attacks has increased over the past year – and 69% say it is harder to detect and respond to threats.

**Hacker Impersonates TrustWallet in Crypto Phishing Scam**

More than 50,000 phishing emails sent from a malicious Zendesk account made their way to email boxes in recent weeks, looking to take over TrustWallet accounts and drain funds.

TrustWallet is an Ethereum wallet and a popular platform for storing non-fungible tokens (NFTs). Researchers at Vade said that the phish impersonates the service, using a slick and convincing TrustWallet-branded site to ask for users' password recovery phrases on a sleek TrustWallet phishing page.

The emails, meanwhile, are unlikely to trigger email gateway filters, since they're being sent from Zendesk.com, which is a trusted, high-reputation domain.

"As NFTs and cryptocurrencies overall have seen a significant downturn in recent weeks, on-edge investors are likely to react quickly to emails about their crypto accounts," according to Vade's analysis this week.

**Cookie-Stealing YTStealer Takes Over YouTube Accounts**

A never-before-seen malware-as-a-service threat has emerged on Dark Web forums, aimed at taking over YouTube accounts.

Researchers at Intezer noted that the malware, which it straightforwardly calls YTStealer, works to steal YouTube authentication cookies from content creators in order to feed the underground demand for access to YouTube accounts. The cookies are extracted from the browser’s database files in the user’s profile folder.

"To validate the cookies and to grab more information about the YouTube user account, the malware starts one of the installed web browsers on the infected machine in headless mode and adds the cookie to its cookie store," according to the analysis. "\[That way\] the malware can operate the browser as if the threat actor sat down on the computer without the current user noticing anything."

From there, YTStealer navigates to YouTube’s Studio content-management page and nabs data, including the channel name, how many subscribers it has, how old it is, if it is monetized, if it's an official artist channel, and if the name has been verified.

**Follina Bug Used to Spread X-Files Spyware**

A rash of cyberattacks is underway, looking to exploit the Microsoft Follina vulnerability to lift scores of sensitive information from victims.

Follina is a recently patched remote code-execution (RCE) bug that's exploitable through malicious Word documents. It started life as an unpatched zero-day that quickly caught on among cybercrime groups.

According to a Cyberint Research Team report shared with Dark Reading via email, analysts found several XFiles stealer campaigns where Follina vulnerability was exploited as part of the delivery phase.

"The group that is selling the stealer is a Russia-region based and is currently looking to expand," researchers said. "Recent evidence suggests worldwide threat actor campaigns \[underway\]."

The stealer sniffs out data from all Chromium-based browsers, Opera, and Firefox, including history, cookies, passwords, and credit card information. It also lifts FTP, Telegram and Discord credentials, and looks for predefined file types that are located on the victim's Desktop along with a screenshot. It also targets other clients, such as Steam, and crypto-wallets.

ICYMI: A Microsoft Warning, Follina, Atlassian, and More

All versions of package scss-tokenizer are vulnerable to Regular Expression Denial of Service (ReDoS) via the  loadAnnotation() function, due to the usage of insecure regex.



Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

    regex = /A(B|C+)+D/
    

This regular expression accomplishes the following:

*   A The string must start with the letter 'A'
*   (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
*   D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

    $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
    0.04s user 0.01s system 95% cpu 0.052 total
    
    

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

1.  CCC
2.  CC+C
3.  C+CC
4.  C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

String

Number of C's

Number of steps

ACCCX

3

38

ACCCCX

4

71

ACCCCCX

5

136

ACCCCCCCCCCCCCCX

14

65,553

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

CVE-2022-25758: Regular Expression Denial of Service (ReDoS) in org.webjars.npm:scss-tokenizer | CVE-2022-25758 | Snyk

The simplepush server iterates through the application installations and pushes a notification to the server provided by deviceToken. But this is user controlled. If a bogus applications is registered with bad deviceTokens, one can generate endless exceptions when those endpoints can't be reached or can slow the server down by purposefully wasting it's time with slow endpoints. Similarly, one can provide whatever HTTP end point they want. This turns the server into a DDOS vector or an anonymizer for the posting of malware and so on.

Tag

#ddos