In confidential computing environments, attestation is crucial in verifying the trustworthiness of the location where you plan to run your workload or where you plan to send confidential information. Before actually running the workload or transmitting the confidential information, you need to perform attestation.This blog provides an overview of the components implemented in the confidential containers (CoCo) to support the IETF RATS model (Remote ATtestation procedureS Architecture). The components include the Attestation Service (AS), Key Broker Service (KBS), Reference Value Provider Servi

In confidential computing environments, _attestation_ is crucial in verifying the trustworthiness of the location where you plan to run your workload or where you plan to send confidential information. Before actually running the workload or transmitting the confidential information, you need to perform **attestation**.

This blog provides an overview of the components implemented in the confidential containers (CoCo) to support the IETF RATS model **(Remote ATtestation procedureS Architecture)**. The components include the Attestation Service (AS), Key Broker Service (KBS), Reference Value Provider Service (RVPS), Attestation Agent (AA), and Confidential Data Hub (CDH). The AS, KBS, and RVPS components are part of the Trustee project, whereas the AA and CDH are part of the guest-components project in CoCo.

We begin by introducing the RATS model and its components. After that, we discuss the Trustee project, its various components, and how they relate to the RATS model. Finally, we present a few use cases that demonstrate the usage of the CoCo Trustee and guest-components project.

**RATS architecture and key components**

The key components in the RATS architecture are described in the following diagram:

*   **Attester** - provides **Evidence**, which is evaluated and appraised to decide its trustworthiness (for instance, a test to see whether it’s authorized to perform some action). Evidence may include configuration data, measurements, telemetry, or inferences.
*   **Verifier** - evaluates the validity of the evidence received from the attester and produces **attestation results**, which are sent to the Relying party. Attestation results typically include information regarding the Attester, while the Verifier vouches for the validity of the results.
*   **Relying party** - depends on the validity of information originating from the attester for reliably applying an action. This information can come from the verifier or directly through the attester.
*   **Relying party owner** - authorized to configure the appraisal policy that the **relying party** will use when receiving the attestation results (such as admin).
*   **Verifier owner** - authorized to configure the appraisal policy the **verifier** will use when receiving the evidence.
*   **Endorser** - for us, the hardware manufacturer who provides an **endorsement**, which the **verifier** uses to validate the evidence received from the attester. The endorsement is a secure statement the Endorser vouches for on the integrity of an Attester's various capabilities
*   **Reference Value Provider** - for us the hardware manufacturer who provides **reference values**, which the verifier uses to verify that claims were recorded by the attester. Reference values are, for example, golden measurements or nominal values.

In practice, the data flow between the verifier, attester, and relying party can be done through the **passport check model** and **background check model**.

**Passport check model**

In the passport model, the **attester** validates an identification token with the **verifier**. It then presents the **identification token** to the **relying party**. It's a similar process to when you present your passport at an airport to confirm your own identity when entering a country.

In this model, the attester requests the passport from the verifier by providing **evidence** and receives a passport in the form of **attestation results**. It can now interact directly with the relying party by presenting its passport (attestation result).

The following diagram shows this flow: 

**Background check model**

In the background check model, the **relying party** asks for verification each time the **attester** presents its evidence. This is similar to performing a full background check on an individual every time the individual enters a country.

The attester provides **evidence** to the relying party, which forwards it directly to the verifier. The verifier compares the evidence with the **appraised policy** it contains, and returns an **attestation result** to the relying party. The relying party compares the attestation results with its own **appraisal policy**.

Unlike a passport model, where the attester sends **attestation results** to the relying party, the background model requires the attester to send the relying party **evidence** (which is sent as-is to the verifier).

The following diagram illustrates the background check model:

**The Trustee project**

The trustee project (previously known as CoCo KBS) includes components deployed on a trusted side and used to verify whether the remote workload is running in a trusted execution environment (TEE). It also verifies that the remote environment uses the expected software and hardware versions.

This diagram shows the architecture for the Trustee model:

The **left side** includes the **guest components** running inside the TEE, including the Attestation Agent (AA) and Confidential Data Hub (CDH). The **right side** includes the external components, which the guest components interact with, such as the Key Broker Service (KBS), Attestation Service (AS), and the Reference Value Provider Service (RVPS).

**Trustee and guest components****Key Broker Service (KBS)**

The Key Broker Service (KBS) facilitates remote attestation and managing and delivering secrets. Equating this to the RATS model, the KBS is the **relying party** entity. The KBS, however, doesn’t validate the attestation evidence. Instead, it uses the attestation service (AS) to verify the TEE evidence.

**Attestation Service (AS)**

The Attestation Service (AS) is responsible for validating the TEE evidence. This includes evidence from the following TEEs: Intel TDX, Intel SGX, AMD SEV-SNP, ARM CCA, Hygon CSV, and more.

When mapped to the RATS model, the AS is the equivalent of the **verifier**.

The AS receives attestation evidence and returns an attestation token containing the results of a two-step verification process. Note that the KBS is the client of the AS, however the evidence originates from the attestation agent (AA).

The following diagram shows the AS components:

The AS runs the following verification process:

1.  **Verify the formatting and the origin of the evidence** - for example, checking the signature of the evidence. This is accomplished by one of the platform-specific Verifier Drivers.
2.  **Evaluate the claims provided in the evidence** - for example, validating that the measurements are what the client expects. This is done by a Policy Engine with help from the RVPS.

**Verifier driver**

A verifier driver parses the attestation evidence provided by the hardware TEE. It performs the following tasks:

1.  Verifies the hardware TEE signature of the TEE quote and report provided in the evidence
2.  Receives the evidence and organizes the status into a JSON format to be returned

**Policy Engine**

The AS allows users to upload their own policies when performing evidence verification. When an attestation request is received by the AS, it uses a policy ID in the request to decide which policies should be evaluated. The results of all policies evaluated are included in the attestation response.

**Reference Value Provider Service (RVPS)**

The reference value provider service (RVPS) is a component in the AS responsible for verifying, storing, and providing reference values. RVPS receives and verifies inputs from the software supply chain, stores the measurement values, and generates reference value claims for the AS. This operation is performed based on the evidence verified by the AS.

The following diagram shows the RVPS components:

RVPS contains the preprocessors, extractors, and store components:

**Preprocessors**

These are plugins that preprocess the reference value registration messages before sending it to extractors.

**Extractors**

These are plugins that process different types of provenance in the input message. Each plugin consumes the input message, and then generates an output **Reference** value.

**Store**

The store component provides persistent storage for the reference values.

**Attestation Agent (AA)**

The Attestation Agent (AA) is the entity running inside the TEE that connects to the KBS in order to perform attestation.  AA is responsible for sending the evidence (claims) from the TEE to prove the trustworthiness of the environment.

**Confidential Data Hub (CDH)**

The Confidential Data Hub (CDH) facilitates secure key retrieval for kata-agent and applications. It also provides additional services, such as secure mount for external storage or key management client services to retrieve keys directly from external Key Management Services. The secure mount service enables mounting of encrypted storage inside the TEE. We'll cover the secure mount service in a subsequent blog.

The following diagram shows the CDH components:

**Resources for learning about the attestation flow**

For an **overview of attestation**, read our Learn about Confidential Computing Attestation blog series.

For details on **attestation flow in confidential containers**, read our Understanding the Confidential Containers Attestation Flow article.

For a **step-by-step flow of confidential containers attestation on Azure** cloud, read our Confidential Containers on Azure with OpenShift: A technical deep dive article.

**Mapping Trustee components to the RATS model**

This is how the RATS model maps to the Trustee components model:

Note the following:

*   The **Attester** functionally is performed by the **AA** and **CDH** guest side components.
*   The **Verifier** is mapped to the **AS**.
*   The **Relying party** is mapped to the **KBS** receiving attestation results from the AS, and performing actions based on the results.
*   The **Endorser** usually originates from the platform manufacturer (Intel, AMD, IBM, and so on), so it can be the manufacturer itself or a CSP that got endorsed by the hardware manufacturer.
*   The **Reference Value Provider** is mapped to the **RVPS** and provides the endorsed reference. Note that reference values do not originate from the hardware manufacturer, but rather they reference measurements of the kernel, firmware image, and so on. They are trusted artifacts meaning signed by an identity you can trust and are used for performing the verification.
*   The **Verify owner** and **Relying Party** owner are the entities who operate the KBS and AS on the user's behalf.

**Background check model**

The background check model is a common way to configure the KBS and AS components, so we present it before the passport model. The following diagram shows the model: 

In this model, the AA communicates with the KBS providing the hardware evidence and the KBS communicates with the AS to verify it. After the evidence is verified, the KBS releases the secrets back to the CDH when requested.

In background check mode, the KBS is the relying party, the AS is the verifier, and the AA is the attester.

**Passport model**

In the passport model, the validation of evidence and provisioning of resources are typically handled by  different KBSes. The following diagram shows the model: 

We now have 2 KBS entities:

*   The first KBS, with the AS, verifies the evidence from the guest.
*   The second KBS provides secrets to the guest.

The AA interacts with **upper KBS + AS (Trustee 1)** in order to attest, verify the evidence, and receive a token (a passport). It then requests the secret resources from the **lower KBS (Trustee 2)**.

In practice, we recommend using the passport model when the attestation and resource provisioning are handled by separate entities.

**Attestation use cases leveraging Trustee components**

There are many use cases that can leverage the Trustee and guest components. For simplicity, we focus on the **background check model** (a single KBS) and not the **passport model** (with two KBS entities).

**Attestation for virtual machines (VMs) and their workloads**

Confidential VMs (CVMs) leverage hardware-based security features, such as AMD SEV-SNP (Secure Encrypted Virtualization-Secure Nested Paging) or Intel TDX (Trust Domain Extensions) to provide a secure execution environment for sensitive workloads. These VMs confirm that code and data remain encrypted and isolated, even from other privileged softwares on the host system. However, validating the integrity of these VMs and their underlying hardware is critical to guaranteeing the confidentiality and security of the data that is processed.

For a detailed description of confidential VMs, read our Learn about Red Hat Confidential Virtual Machines blog series.

VM attestation verifies the integrity of a confidential VM and its underlying platform components, including the CPU, firmware, and hypervisor. The attestation process might be initiated by the firmware or initrd.

From a trust perspective, you need assurance that the VM you just created on a public cloud is really a CVM with an operating system of your choice. In particular, you need to make sure that the host hasn’t started a non-confidential VM with a specially crafted guest operating system to steal your secrets instead.

The following diagram shows the overall architecture for VM attestation: 

Note the following:

*   The CVM can run over a KVM hypervisor, some other hypervisor on bare metal or on a public cloud provider infrastructure.
*   The AA works with the Trustee AS.

Here is a list of Trustee and guest components being used:

**Trustee components**

**Guest components**

KBS

AA

AS

 

RVPS

 

**Attestation for a confidential containers workload**

Moving from the VM level attestation to a container level attestation, let’s focus on container workload the user wants to run in a secure manner protected from the host.

Attestation for confidential containers verifies the container runtime stack running in the confidential environment. This includes kata-agent, supporting services like agent-protocol-forwarder, process-user-data, open policy agent, and default policies that are needed to run the container.

If the confidential containers are using the VM trusted execution environment, then the attestation includes attestation of the VM followed by attestation of the container runtime components. This diagram shows the overall architecture for confidential container attestation: 

Note the following:

*   Peer-pods are used for running confidential containers over VMs (on-prem and public cloud). For additional details, read Deploying confidential containers on the public cloud
*   The trustee model is used twice in this case to attest the CVM and then attest the confidential container runtime components

Here's a list of Trustee and guest components being used:

**Trustee components**

**Guest components**

KBS

AA

AS

 

RVPS

 

**Attestation to retrieve container image signing or decryption keys**

This use case is specific to obtaining the key for signature verification of a signed container image or obtaining the decryption key for encrypted images. For example, you might use encrypted container images to ship proprietary or sensitive code, such as AI models.

If the confidential containers are using the VM trusted execution environment, then the attestation process begins with VM attestation to confirm the integrity of the underlying execution environment. Once the VM's trustworthiness is established, container attestation proceeds, confirming the authenticity and integrity of the container runtime components. After a successful attestation, the container runtime requests the key from the Key Broker Service (KBS) for signature verification or decryption of the container images before starting the application.

The following diagram shows the overall architecture for retrieving the container image signing or decryption keys:

The attestation process is similar to attesting a confidential container workload, with the extra step of CDH retrieving the signing or decryption key that gets used by the kata-agent for signature verification or decrypting the container image.

This is a list of Trustee and guest components being used:

**Trustee components**

**Guest components**

KBS

AA

AS

CDH

RVPS

 

**Attestation for releasing application secrets**

This use case is specific to obtaining the key used by the workload. An example use case for obtaining the key is **Data Clean Rooms**. 

A number of organizations want to analyze data without compromising the privacy of individuals whose data is being analyzed (a joint bank fraud detection effort, for example). They're required to create a shared secured environment for data leaving the boundaries of those individuals. They would also want that environment to run in the cloud at scale. This can be accomplished by a secure key release where the data decryption key is only released to a specific TEE based on attestation.

The following diagram shows the idea: 

If the confidential containers are using the VM trusted execution environment, then the attestation process begins with VM attestation to ensure the integrity of the underlying execution environment. Once the VM's **trustworthiness** is established, container attestation proceeds, confirming the authenticity and integrity of the container runtime components. After a successful attestation, the container runtime starts the application.

The application then starts another attestation sequence to request the application secret from the Key Broker Service (KBS).  Confidential Data Hub (CDH) is used to request the application secret from the KBS by initiating an attestation sequence to prove the trustworthiness of the environment.

The following diagram shows the additional step of obtaining the application secret:

Note the following:

*   The attestation process is similar to attesting a confidential container workload, with the extra step of CDH retrieving the application secrets and providing it to the application
*   If the container images are signed or encrypted, then first the signing or decryption key is fetched (as described in the previous use case), followed by the application secret retrieval by CDH

Here's a list of Trustee and guest components being used:

**Trustee components**

**Guest components**

KBS

AA

AS

CDH

RVPS

 

**Trustee project and confidential computing**

In this blog we have introduced the Trustee project which is part of the confidential containers CNCF initiative and includes a number of services providing attestation capabilities for containers, VMs, shared keys and more.

We’ve covered the IETF RATS model, reviewed the Trustee components and showed the mapping between Trustee and the RATS model. We’ve also reviewed a number of use cases requiring attestation and presented how the Trustee components are used for those purposes.

In future blogs, we'll dive deeper into the Trustee projects looking at the technical details and hands on instructions on how to try out things.

Introducing Confidential Containers Trustee: Attestation Services Solution Overview and Use Cases

Nearly three months after Operation Cronos, it's clear the gang is not bouncing back from the innovative law-enforcement action. RaaS operators are on notice, and businesses should pay attention.

Source: Jan Zwoliński via Alamy Stock Photo

Despite the LockBit ransomware-as-a-service (RaaS) gang claiming to be back after a high-profile takedown in mid-February, an analysis reveals significant, ongoing disruption to the group's activities — along with ripple effects throughout the cybercrime underground, with implications for business risk.

LockBit was responsible for 25% to 33% of all ransomware attacks in 2023, according to Trend Micro, easily making it the biggest financial threat actor group of the last year. Since it emerged in 2020, it has claimed thousands of victims and millions in ransom, including cynical hits on hospitals during the pandemic.

The Operation Cronos effort, involving multiple law enforcement agencies around the world, led to outages on LockBit-affiliated platforms, and a takeover of its leak site by the UK's National Crime Agency (NCA). Authorities then used the latter to make arrests, impose sanctions, seize cryptocurrency, and more activities related to the inner workings of the group. They also publicized the LockBit admin panel and exposed the names of affiliates working with the group.

Further, they noted that decryption keys would be made available, and revealed that LockBit, contrary to its promises to victims, never deleted victim data after payments were made.

In all it was a savvy show of force and access from the policing community, spooking others in the ecosystem in the immediate aftermath and leading to wariness when it comes to working with any re-emergent version of LockBit and its ringleader, who goes by the handle "LockBitSupp."

Researchers from Trend Micro noted that, two and a half months after Operation Cronos, there's precious little evidence that things are turning around for the group — despite LockBitSupp's claims that the group is clawing its way back into normal operations.

**A Different Kind of Cybercrime Takedown**

Operation Cronos was initially met with skepticism by researchers, who pointed out that other recent, high-profile takedowns of RaaS groups like Black Basta, Conti, Hive, and Royal (not to mention the infrastructure for initial access trojans like Emotet, Qakbot, and TrickBot), have resulted in only temporary setbacks for their operators.

However, the LockBit strike is different: The sheer amount of information that law enforcement was able to access and make public has permanently damaged the group's standing in Dark Web circles.

"While they often focus on taking out command and control infrastructure, this effort went further," Trend Micro researchers explained in an analysis released today. "It saw police manage to compromise LockBit's admin panel, expose affiliates, and access information and conversations between affiliates and victims. This cumulative effort has helped to tarnish the reputation of LockBit among affiliates and the cybercrime community in general, which will make it harder to come back from."

Indeed, the fallout from the cybercrime community was swift, Trend Micro observed. For one, LockBitSupp has been banned from two popular underground forums, XSS and Exploit, hampering the admin's ability to garner support and rebuild.

Shortly after, a user on X (formerly Twitter) called "Loxbit" meanwhile claimed in a public post to have been cheated by LockBitSupp, while another presumed affiliate called "michon" opened up a forum arbitration thread against LockBitSupp for nonpayment. One initial-access broker using the handle "dealfixer" advertised its wares but specifically mentioned that they did not want to work with anybody from LockBit. And another IAB, "n30n," opened a claim on the ramp\_v2 forum about loss of payment surrounding the disruption.

Perhaps worse, some forum commentators were extremely concerned by the sheer amount of information that police were able to compile, and some speculated that LockBitSupp may even have worked with law enforcement on the operation. LockBitSupp quickly announced that a vulnerability in PHP was to blame for the ability of law enforcement to infiltrate the gang's information; Dark Web denizens simply pointed out that the bug is months old and criticized LockBit's security practices and lack of protection for affiliates.

"The sentiments of the cybercrime community to LockBit's disruption ranged from satisfaction to speculation about the group's future, hinting at the significant impact of the incident on the RaaS industry," according to Trend Micro's analysis, released today.

**LockBit Disruption's Chilling Effect on the RaaS Industry**

Indeed, the disruption has sparked some self-reflection among other active RaaS groups: A Snatch RaaS operator pointed out on its Telegram channel that they were all at risk.

"Disrupting and undermining the business model seem to have had a far more cumulative effect than executing a technical takedown," according to Trend Micro. "Reputation and trust are key to attracting affiliates, and when these are lost, it's harder to get people to return. Operation Cronos succeeded in striking against one element of its business that was most important: its brand."

Jon Clay, Trend Micro's vice president of threat intelligence, tells Dark Reading that LockBit's defanging and the disruption's chilling effect on RaaS groups in general present an opportunity for business risk management.

"This can be a time for businesses to reassess their defense models as we may see a slowdown in attacks while these other groups assess their own operational security," he notes. "This is also a time to review a business incident response plan to make sure you have all aspects of a breach covered, including business operation continuity, cyber insurance, and the response — to pay or not pay."

**LockBit Signs of Life Are Greatly Exaggerated**

LockBitSupp is nonetheless attempting to bounce back, Trend Micro found — though with few positive results.

New Tor leak sites launched a week after the operation, and LockBitSupp said on ramp\_v2 forum that the gang is actively seeking out IABs with access to .gov, .edu, and .org domains, indicating a thirst for revenge. It wasn't long before scores of supposed victims started appearing on the leak site, starting with the FBI.

However, when the ransom payment deadline came and went, instead of sensitive FBI data appearing on the site, LockBitSupp posted a lengthy declaration that it would continue to operate. In addition, more than two-thirds of the victims consisted of reuploaded attacks that occurred prior to Operation Cronos. Of the others, the victims belonged to other groups, such as ALPHV. In all, Trend Micro's telemetry revealed just one small true LockBit activity cluster after Cronos, from an affiliate in southeast Asia that carried a low, $2,800 ransom demand.

Perhaps more concerningly, the group has also been developing a new version of ransomware — Lockbit-NG-Dev. Trend Micro found it to have a new .NET core, which allows it to be more platform-agnostic; it also removes self-propagating capabilities and the ability to print ransom notes via the user's printers.

"The code base is completely new in relation to the move to this new language, which means that new security patterns will likely be needed to detect it. It's still a functional and powerful piece of ransomware," researchers warned.

Still, these are anemic sign of life at best for LockBit, and Clay notes that its unclear where it or its affiliates may go next. In general, he warns, defenders will need to be prepared for shifts in ransomware gang tactics going forward as those participating in the ecosystem assess the state of play.

"RaaS groups are likely looking at their own weaknesses being caught by law enforcement," he explains. "They may review what types of businesses/organizations they target so as to not give much attention to their attacks. Affiliates may look at how they can rapidly shift from one group to another in case their main RaaS group gets taken down."

He adds, "shifting towards data exfiltration only versus ransomware deployments may increase as these don't disrupt a business, but can still allow profits. We could also see RaaS groups shift entirely towards other attack types, like business email compromise (BEC), which don't seem to cause as much disruption, but are still very lucrative for their bottom lines."

**About the Author(s)**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

LockBit Ransomware Takedown Strikes Deep Into Brand's Viability

PRESS RELEASE

MINNEAPOLIS, April 2, 2024 – Businesses are facing a critical gap when it comes to protecting endpoint data, according to a study released today by TAG Infosphere, Inc., a leading  cybersecurity research and advisory firm. The report, conducted in partnership with CrashPlan, identified the ever-growing potential for ransomware attacks, frequent misuse of cloud collaboration tools as a substitute for backup, and an over-reliance on manual policies as the break in the chain for current enterprise security configurations. 

For the study, TAG surveyed a group of CISOs and security practitioners, and the key findings were clear: The overwhelming majority (93%) of IT and cybersecurity teams aren’t confident in their policies to protect their enterprise data. Furthermore, survey respondents acknowledged the likelihood of a severe data breach through an employee’s endpoint.

“We were surprised to learn that a whopping 71% of those asked responded that they would not be surprised if they had a serious data breach on their PCs and laptops. If the question was extended to include that they might be surprised, the number grew to 86%,” said Dr. Edward Amoroso, Chief Executive Officer and founder of TAG Infosphere. “This is important because it implies that serious risk exists in this area. If that many CISOs would not be surprised if something bad happened, then that’s a problem.”

TAG introduces the MEAD framework (Malware, EDR, Analytics, and Data) for modernizing endpoint security. Central to MEAD is the adoption of endpoint backup solutions as a pivotal measure for enhancing cyber resilience. The report advocates for endpoint backup to reduce risks to data on endpoints, detailing how this strategy safeguards data against hardware malfunctions, user errors, and cyber threats. 

“New cybersecurity technologies are introduced every year, yet data breaches continue to happen,” said Todd Thorsen, Chief Information Security Officer for CrashPlan. “The reality is work habits have changed. Most companies now have a hybrid work model—and this has shined a light on just how ineffective manual policies are when it comes to protecting endpoint data. To improve resiliency, you simply can’t lose sight of the foundation. Despite new tools and technology designed to identify, detect and protect against bad actors and malicious activity, breaches will still happen. Which is why having strong data backup and resilience capabilities are critical for effective response and recovery.”

CrashPlan offers a cloud-native platform designed to address the aggregate risk associated with data stored on endpoints within organizations. It offers a comprehensive backup and data protection system that safeguards valuable business data from loss, theft, or accidental deletion. Businesses of all sizes, across all different business sectors, use CrashPlan today to ensure a more robust data protection and resilience approach.                                          

About CrashPlan  
CrashPlan® enables organizational resilience through secure, scalable, and straightforward endpoint data backup. With automatic backup and customizable file version retention, you can bounce back from any data calamity. What starts as endpoint backup and recovery becomes a solution for ransomware recovery, breaches, migrations, and legal holds. So, you can work fearlessly and grow confidently.

About Tag Infosphere

TAG is a trusted research and advisory company that provides insights and recommendations in cybersecurity, artificial intelligence, and climate science to thousands of commercial solution providers and Fortune 500 enterprises. Founded in 2016 and headquartered in New York City, TAG bucks the trend of pay-for-play research by offering unbiased and in-depth guidance, market analysis, project consulting, and personalized content—all from a practitioner perspective.

About Dr. Edward Amoroso

Dr. Ed Amoroso is currently Chief Executive Officer of TAG Infosphere Inc, a global research and advisory company that supports enterprise cyber security teams and commercial security vendors around the world. Ed recently retired from AT&T after thirty-one years of service, beginning in Unix security R&D at Bell Labs and culminating as Senior Vice President and Chief Security Officer of AT&T from 2004 to 2016.

Ed has served as Research Professor at the Tandon School of Engineering at NYU since 2017. He has also been Adjunct Professor of Computer Science at the Stevens Institute of Technology for the past thirty years, where he has introduced nearly two thousand graduate students to the topic of information security. Ed also serves the Applied Physics Laboratory at Johns Hopkins University as a senior advisor. He is author of six books on cyber security and dozens of major research and technical papers and articles in peer-reviewed and major publications.

TAG Report Reveals Endpoint Backup Is Essential to Improving Data Resiliency

A China-linked threat actor had access to a router configuration database that could have completely disrupted coverage, a security vendor says.

Source: rarrarorro via Shutterstock

About six months before the 2022 FIFA World Cup soccer tournament in Qatar, a threat actor — later identified as China-linked BlackTech — quietly breached the network of a major communications provider for the games and planted malware on a critical system storing network device configurations.

The breach remained undetected until six months after the games, when researchers at NetWitness spotted it during a routine audit for the service provider. During that period, the cyber-espionage group gathered up an unknown volume of data from targeted customers of the telecommunications provider — including those associated with the World Cup and vendors providing services for it.

**A Near Miss**

But it's the "what else could have happened" that's the really scary part, says Stefano Maccaglia, global practice manager, incident response, at NetWitness, discussing the incident for the first time with Dark Reading recently.

The access that BlackTech had on the telecom provider's system would have allowed the threat actor to completely disrupt key communications — including all streaming services associated with the game. The fallout from such a disruption would have been substantial in terms of geopolitical implications, brand damage, national reputation, and potentially hundreds of millions of dollars in losses from the licensing rights and ads negotiated prior to the World Cup, Maccaglia says.

"We are normally very collected, but in this case, we were terrified," Maccaglia says of NetWitness' discovery. "The threat actor literally had their finger on the button but didn't push it."

NetWitness' involvement in the Qatar World Cup began in 2022, about six months before the event, when several local service providers hired the company to assess the cybersecurity preparedness of some of the supporting IT infrastructure for the games. Like with other security vendors involved in the effort, the telecom provider gave NetWitness access to a substantial portion of its tech stack and environment — but not to all of it.

According to Maccaglia, the NetWitness team detected and remediated several issues on parts of the provider's tech stack to which the company had access. But it wasn't until early 2023 that the service provider finally opened up the rest of the environment to NetWitness for additional auditing. This was when NetWitness unearthed log activity suggesting that someone had gained access to the provider's network.

**A Rootkit and a Backdoor**

The company's subsequent investigation showed the attacker had planted a sophisticated rootkit and a backdoor, dubbed Waterbear, on a critical configuration management database (CMDB) storing device configurations for the provider's customers. NetWitness found the attackers had used PLEAD — a remote access Trojan commonly associated with the BlackTech APT — to target additional systems within the environment.

"The attacker aimed to control this database \[from\] the beginning, because it would allow him/her to swap configurations on the fly and revert them back, once finished, leaving no traces," Maccaglia says.

BlackTech is a threat actor that the US Cybersecurity and Infrastructure Security Agency (CISA) last year identified as a threat to organizations in the telecommunications, technology, media, electronics, and industrial sectors. In an advisory, CISA described the threat actor (aka Radio Panda, Circuit Panda, Temp.Overboard, and Palmerworm) as particularly adept at modifying router malware without detection and the exploiting routers' domain-trust relationships to gain access to victim networks. "BlackTech actors' TTPs include developing customized malware and tailored persistence mechanisms for compromising routers," CISA noted. "These TTPs allow the actors to disable logging and abuse trusted domain relationships to pivot between international subsidiaries and domestic headquarters' networks."

In the attack on the telecom provider in Qatar, BlackTech actors used their access to the CMDB to change configurations on Asus routers associated with various organizations in such a manner as to make systems belonging to these organizations become accessible over the Internet. They then uploaded PLEAD — concealed in legitimate looking software updates from Asus — to these systems by modifying the DNS resolution of asus.com. The threat actor then leveraged PLEAD to steal data from the victim organizations. Among the systems infected in this manner were those associated with the World Cup games. The attackers would change the router config details for a few hours at a time and then revert back to the original rules to minimize the chances of detection, Maccaglia says.

**Worrying Lack of Visibility**

The fact that no one was able to spot the intrusion in the months leading up to the World Cup, during the event, or for months later is worrisome, Maccaglia says. With the countdown for the 2024 Summer Olympics well underway, it is imperative that the entire technology stack supporting the games be vetted for security issues, he says.

The Olympics, like other major sporting events, such as the Super Bowl, have become huge cyberattack targets in recent years. In 2019, for instance, a threat group later identified and linked to Russia's military intelligence also attempted to disrupt the opening of the Winter Olympics in South Korea after Russian athletes were banned from participating over doping concerns.

"As we saw with the World Cup, threats can live in obscure places and keep a very low profile," Maccaglia says, adding, "You can't find what you aren't allowed to look for," in advocating for broader visibility for companies like NetWitness into the entire supporting infrastructure for the game.

"When you behave as if there's always a threat present, you put yourself in a position to mitigate damage and, potentially, get ahead of the threat in the environment," he says. "This will be critical for the 2024 Summer Games."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

How Soccer's 2022 World Cup in Qatar Was Nearly Hacked

As part of its Secure by Design initiative, CISA urged companies to redouble efforts to quash SQL injection vulnerabilities. Here's how.

Source: Casimiro PT via Shutterstock

For more than a decade, injection vulnerabilities have literally topped the charts of critically dangerous software flaws, deemed more serious than all other types of vulnerabilities in the 2010, 2013, and 2017 Top 10 lists maintained by the Open Web Application Security Project (OWASP).

Still, the warnings have failed to weed out the issues. Last year, the Cl0p group stole data from companies using a previously unknown SQL injection (SQLi) vulnerability in MOVEit's file-transfer application. In late March, the Cybersecurity and Infrastructure Security Agency (CISA) called for companies to redouble their efforts to eliminate the security issue, which application security experts consider one of 13 different "unforgivable" classes of vulnerabilities that programmers should catch during development.

"Despite widespread knowledge and documentation of SQLi vulnerabilities over the past two decades, along with the availability of effective mitigations, software manufacturers continue to develop products with this defect, which puts many customers at risk," the agency stated in its March 25 advisory. "Vulnerabilities like SQLi have been considered by others an 'unforgivable' vulnerability since at least 2007."

The root of injection vulnerabilities is a lack of input sanitization; when the application receives variable input, there's always the risk of that input being tainted, says Randall Degges, head of developer relations at application security firm Snyk.

"Although this has been an issue since programming existed, the reason it’s still in the top 10 vulnerabilities after all this time is because there are an infinite number of ways to use input, and often time sanitizing input is tricky," he says.

For software developers looking to nix this particular issue, here's how.

**1\. Educate Yourself and Others**

The first step is always education. OWASP offers cheat sheets on SQLi, how to detect the vulnerability, and ways of creating safe code. Some Web application frameworks aim to educate developers while they are programming, using application programming interface (API) names to make the risk of some functions clear, such as React's "dangerouslySetInnerHTML" function, says James Kettle, director of research at PortSwigger, an application security testing firm.

In addition, developers should not necessarily trust the makers of open source software — especially components that have not been well vetted — to use safe code, and online tutorials are often unsafe as well, he says.

"I think the core issue is that there's a lot of unsafe APIs, where anyone using the API is vulnerable by default," Kettle says. "Even when there are more modern secure APIs available, fresh code is written using the unsafe versions, thanks to old unsafe examples in StackOverflow."

**2\. Harden the DevOps Pipeline Using Automated Tools**

Developers should implement unit tests to check code for SQLi flaws — and other common security issues — during development, add static application security testing (SAST) both prior to and after commits, and include scans for SQLi as part of dynamic application security testing (DAST).

Unit tests can be added using frameworks such as tSQLt for testing Microsoft SQL Server, pgTAP for testing applications that use PostgreSQL, and Pytest and SQLAlchemy for unit testing in Python programs. A variety of SQL unit testing best practices should be followed to make the tests more useful, such as isolating the SQL tests from dependencies and avoiding descriptive naming of the tests.

In addition to automated tests in the development pipeline, developers should make sure to use SQL frameworks, such as SQLAlchemy, because many security improvements are already baked in, says Snyk's Degges.

"Pretty much all modern SQL frameworks and tools provide convenience methods to help with this nowadays, so your best bet is to thoroughly read through the relevant framework documentation to ensure you're using it correctly when building queries," he says.

**3\. Play Around With SQLMap**

The open source program SQLMap is a great tool for penetration testers to experiment with SQLi, exploit any potential vulnerabilities, and dump a database to prove that the vulnerability can be exploited. The tool can also educate application developers to the true dangers of SQLi and how vulnerable code can be exploited.

However, the tool is not necessarily the best way to scan for potential vulnerabilities, says PortSwigger's Kettle.

"In my experience, the detection capabilities are slow, heavyweight, and prone to false positives," Kettle says. "Also, it can't explore websites to find the attack surface, which is one of the biggest challenges for finding these vulnerabilities automatically."

**4\. Consider a DAST Service**

Automating SQL injection scanning using DAST as part of the quality assurance stage — and even earlier in the DevOps pipeline, if possible — can help catch any overlooked vulnerabilities. In addition, DAST scanning is a good way to find SQLi in legacy code.

While Web application firewalls (WAFs) can prevent SQLi attacks from reaching an application, they should be used only as part of a defense-in-depth strategy, Kettle says.

"Personally, I've seen runtime protection like WAFs bypassed so many times that I don't have much confidence in them," he says. "I would recommend a bug-bounty program as an effective way to surface undetected vulnerabilities instead, and use WAFs as a last resort for systems that are in such a bad state that known vulnerabilities can't be patched."

**5\. Expand Beyond SQL**

Finally, companies should also look for other types of injection vulnerabilities and make sure their developers recognize risky patterns, since SQLi is only one class of injection vulnerabilities.

OWASP broadened the definition of an injection vulnerability to be any software flaw where user-supplied data is not validated or sanitized by an application and then sent to an interpreter. Cross-site scripting, SQL, operating system scripting, and parsing the Lightweight Directory Access Protocol (LDAP) are all areas that can be vulnerable to injection.

With the advent of artificial intelligence models, for instance, prompt injection is the latest form of an injection attack.

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

How to Tame SQL Injection

Working together and integrating cybersecurity as part of our corporate and individual thinking can make life harder for hackers and safer for ourselves.

Source: Anatolyi Deryenko via Alamy Stock Phot

It's clear from the comments by Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), at a recent Congressional hearing on Chinese cyber operations, and from documents leaked from a Chinese hacker-for-hire ring, that there's a growing threat from and demand for a market for cyber vulnerabilities. Even more alarming, however, was Easterly's assessment that "we've made it easy on" attackers through poor software design. To secure our systems and prevent a whole-of-society or whole-of-economy attack like the one that Easterly and her peers descripted to Congress, it will take a whole-of-society effort to reshape the market for cybersecurity to create technologies that are both high-performing and secure.

Cybersecurity statistics from 2023 paint an even clearer picture of how easy it is for hackers: In Chromium, the engine that powers Chrome and Edge, eight previously unknown vulnerabilities (zero-days) were identified. Even software designed to keep users and networks secure was not immune from compromise. CISA opened 2024 with an emergency directive for federal departments and agencies to patch a series of vulnerabilities in VPN software designed for securing employee connections to federal networks. In the coming months, it's also likely that the creation of a market for hacks and hacked data by the likes of iSoon, as well as the growing offensive threat posed by AI, will make cyber defense even more challenging.

As CISA articulated in its Secure by Design initiative, vendors are the first step to creating technologies that are both secure and usable. Taking security into account along with performance and features from day one of a product's development will not only help build a secure technology stack but will also ensure that products truly balance security and performance instead of creating hurdles to good user experience masquerading as security features. But even CISA's ambitions to bring Secure by Design to life as a regulatory framework is insufficient to drive the sea change that's needed to turn the tide against emboldened and AI-empowered hackers — without support from the market, even the most well-intentioned and well-informed regulations will devolve into a box-checking enterprise.

**Cyber-Risk Is Business Risk**

To secure our economy and privately operated infrastructure, businesses must realize, as Easterly put it, that "cyber-risk is business risk" by incorporating cybersecurity into all their business practices. By increasing the stature of CISOs and giving them holistic cybersecurity oversight of the entire business, particularly procurement decisions, companies can incorporate cybersecurity as an organic step in business processes. In doing so, cybersecurity will become less of a last-minute hurdle to business effectiveness and more of an enabler to build a technology ecosystem and operations model that are both successful and secure.

As executives prioritize cybersecurity as a factor in their strategic decisions, cybersecurity and IT professionals — two closely related but often clashing groups — must come together to build networks that are both secure and functional for their users. IT professionals must realize that shortcuts to bypass security controls in favor of user experience or network efficiency incur unnecessary risk for their companies; in return, cybersecurity professionals must proactively look for technology that provides users a good experience while isolating them from technical risks. Both groups need to collaborate to create education for their workforces that are based on a real-time understanding of the risks they face and empowering good decisions about those risks rather than annual, quarterly, or monthly training that too often runs in the background while employees do their "real jobs."

The final piece of a whole-of-society approach to cybersecurity is both the most difficult and the most critical: integrating cybersecurity into the day-to-day lives of citizens. While CISA and the US government writ large have put much of the burden for secure development and secure decisions on companies, citizens must realize that the cybersecurity stakes go far beyond individual credit cards and bank accounts. The doomsday scenario of a simultaneous power, water, and communications disruption brings these stakes into focus, and day-to-day citizens must be willing to increase their cyber literacy and compliance to stop this scenario from unfolding. Just as we accept and comply with the incessant tones that remind us to buckle our seatbelts when driving, we must accept minor cybersecurity "nudges" like multifactor authentication of sensitive work and personal.

It's easy to catastrophize the consequences a Chinese cyberattack could bring — and it's certainly worth talking about response, resiliency, and recovery policies. It's hard to look in the mirror and realize that, in the rush to develop, purchase, and consume feature-rich technology, we've made it "easy" for our adversaries. But this doesn't have to be the case. If we work together and integrate cybersecurity as part of our corporate and individual thinking, we can make life harder for the hackers and safer for ourselves.

**About the Author(s)**

Field CTO, Garrison Technology

Adam Maruyama is a cybersecurity and national security professional and the current Field CTO for Garrison Technology. He served more than 15 years in the Intelligence Community supporting cyber and counterterrorism operations, including numerous warzone tours and co-leading the drafting of the 2018 National Strategy for Counterterrorism. During his time in industry, Adam has served commercial and government customers at McKinsey & Company and Palo Alto Networks.

Why Cybersecurity Is a Whole-of-Society Issue

The thwarted XZ Utils supply chain attack was years in the making. Now, clues suggest nation-state hackers were behind the persona that inserted the malicious code.

Ultimately, Scott argues that those three years of code changes and polite emails were likely not spent sabotaging multiple software projects, but rather building up a history of credibility in preparation for the sabotage of XZ Utils specifically—and potentially other projects in the future. “He just never got to that step because we got lucky and found his stuff,” says Scott. “So that’s burned now, and he’s gonna have to go back to square one.”

**Technical Ticks and Time Zones**

Despite Jia Tan’s persona as a single individual, their yearslong preparation is a hallmark of a well-organized state-sponsored hacker group, argues Raiu, the former Kaspersky lead researcher. So too are the technical hallmarks of the XZ Utils malicious code that Jia Tan added. Raiu notes that, at a glance, the code truly looks like a compression tool. “It’s written in a very subversive manner,” he says. It’s also a “passive” backdoor, Raiu says, so it wouldn’t reach out to a command-and-control server that might help identify the backdoor’s operator. Instead, it waits for the operator to connect to the target machine via SSH and authenticate with a private key—one generated with a particularly strong cryptographic function known as ED448.

The backdoor’s careful design could be the work of US hackers, Raiu notes, but he suggests that’s unlikely, since the US wouldn’t typically sabotage open source projects—and if it did, the National Security Agency would probably use a quantum-resistant cryptographic function, which ED448 is not. That leaves non-US groups with a history of supply chain attacks, Raiu suggests, like China’s APT41, North Korea’s Lazarus Group, and Russia’s APT29.

At a glance, Jia Tan certainly looks East Asian—or is meant to. The time zone of Jia Tan’s commits are UTC+8: That’s China’s time zone, and only an hour off from North Korea’s. However, an analysis by two researchers, Rhea Karty and Simon Henniger, suggests that Jia Tan may have simply changed the time zone of their computer to UTC+8 before every commit. In fact, several commits were made with a computer set to an Eastern European or Middle Eastern time zone instead, perhaps when Jia Tan forgot to make the change.

“Another indication that they are not from China is the fact that they worked on notable Chinese holidays,” say Karty and Henniger, students at Dartmouth College and the Technical University of Munich, respectively. They note that Jia Tan also didn't submit new code on Christmas or New Year's. Boehs, the developer, adds that much of the work starts at 9 am and ends at 5 pm for Eastern European or Middle Eastern time zones. “The time range of commits suggests this was not some project that they did outside of work,” Boehs says.

Though that leaves countries like Iran and Israel as possibilities, the majority of clues lead back to Russia, and specifically Russia’s APT29 hacking group, argues Dave Aitel, a former NSA hacker and founder of the cybersecurity firm Immunity. Aitel points out that APT29—widely believed to work for Russia’s foreign intelligence agency, known as the SVR—has a reputation for technical care of a kind that few other hacker groups show. APT29 also carried out the Solar Winds compromise, perhaps the most deftly coordinated and effective software supply chain attack in history. That operation matches the style of the XZ Utils backdoor far more than the cruder supply chain attacks of APT41 or Lazarus, by comparison.

“It could very well be someone else,” says Aitel. “But I mean, if you’re looking for the most sophisticated supply chain attacks on the planet, that’s going to be our dear friends at the SVR.”

Security researchers agree, at least, that it’s unlikely that Jia Tan is a real person, or even one person working alone. Instead, it seems clear that the persona was the online embodiment of a new tactic from a new, well-organized organization—a tactic that nearly worked. That means we should expect to see Jia Tan return by other names: seemingly polite and enthusiastic contributors to open source projects, hiding a government’s secret intentions in their code commits.

_Updated 4/3/2024 at 12:30 pm ET to note the possibility of Israeli or Iranian involvement._

The Mystery of ‘Jia Tan,’ the XZ Backdoor Mastermind

By Waqas
The leaked data was previously being sold by the IntelBroker hacker for just $3,000 in Monero (XMR) cryptocurrency.
This is a post from HackRead.com Read the original post: IntelBroker Leaks Alleged National Security Data Tied to US Contractor Acuity Inc.

IntelBroker hacker leaks data linked to US contractor Acuity Inc., exposing potentially sensitive intelligence agencies-related data – US government previously denied Acuity Inc. breach, but experts warn of national security risks.

The notorious IntelBroker hacker and their affiliates have leaked a trove of sensitive records, which they claim jeopardize the United States national security. The data, leaked on **Breach Forums**, is linked to US Federal contractor Acuity Inc., in a data breach allegedly carried out in March 2024. The data was previously being sold for just $3,000 in Monero (XMR) cryptocurrency.

As seen by Hackread.com, IntelBroker has classified the breach as a “National Security Documents Leak,” involving documents from the “Five Eyes Intelligence Group.” The leaked records now accessible to the public include highly sensitive information such as full names, email addresses, office numbers, personal cell numbers, email addresses (government, military, and Pentagon), classified information, and communications between the Five Eyes, 14 Eyes, and the US’s allies.

Screenshot from Breach Forums (Credit: Hackread.com)

For your information, The Five Eyes Intelligence Group is an intelligence alliance including five English-speaking countries: the United States, the United Kingdom, Canada, Australia, and New Zealand. The alliance aims to share intelligence and collaborate on signals intelligence (SIGINT) gathering, surveillance, and **cybersecurity activities**.

****Background of the alleged Acuity Inc. data breach****

On March 4, 2024, **Hackread.com published an exclusive report** on a data breach allegedly involving Acuity Inc., a federal contractor based in Reston, Virginia. The breach was claimed by IntelBroker.

The hacker claimed the use of a zero-day security vulnerability in GitHub to access Acuity Inc.’s tokens and facilitate their malicious activities, including the theft of data belonging to U.S. Citizenship and Immigration Services (USCIS) and U.S. Immigration and Customs Enforcement (ICE).

Hackread.com reported the breach to GitHub, Acuity Inc., ICE, and USCIS. However, none of the organizations responded to the report. In contrast, Homeland Security, responding to a third-party media site that had not reported on the incident or analyzed the data, denied IntelBroker’s claims and labelled the breach as false, categorizing the leaked information as “test demos for vendors” with fake names and contact information used solely to provide examples of received data.

****Now What?****

Despite the US Government’s version that the data leak is fake, Hackread.com’s analysis suggests that the publicly leaked information remains highly consequential. Even if the data is fabricated, it exposes the modus operandi of US intelligence agencies and their allies, potentially risking their operational security and strategies.

> I will say again: data like this can’t be faked unless it’s copy paste from different and previous leaks which is highly unlikely based on IntelBroker’s previous attacks.
> 
> Also, their availability on twitter should be good for OSINT researchers, no? https://t.co/6CkYBp07Ua
> 
> — Waqas (@WAK4S) April 3, 2024

****IntelBroker****

The hacker’s origins and affiliates are unknown; however, according to the United States government, IntelBroker is alleged to be the perpetrator behind one of the **T-Mobile data breaches**.

Additionally, IntelBroker is known for targeting high-profile targets in the United States. Some of their previous data breaches include **Las Angeles Intl. Airport**, **US DoD Documents**, **Staffing Giant Robert Half**, **Facebook Marketplace Database**, DARPA-related accesses in **General Electric breach**, **Weee! Grocer**y and several others.

1.  US Govt’s secret terrorist watchlist with 2M records exposed online
2.  Chinese Group Storm-0558 Hacked European Govt Emails, Microsoft
3.  Adobe ColdFusion Flaw Used by Hackers to Access US Govt Servers
4.  Traffic sign near ICE headquarters hacked with “Abolish ICE” message
5.  Norweigian researcher exposes how a US firm collected his location data

IntelBroker Leaks Alleged National Security Data Tied to US Contractor Acuity Inc.

Roughly nine years ago, KrebsOnSecurity profiled a Pakistan-based cybercrime group called "The Manipulaters," a sprawling web hosting network of phishing and spam delivery platforms. In January 2024, The Manipulaters pleaded with this author to unpublish previous stories about their work, claiming the group had turned over a new leaf and gone legitimate. But new research suggests that while they have improved the quality of their products and services, these nitwits still fail spectacularly at hiding their illegal activities.

Roughly nine years ago, KrebsOnSecurity profiled a Pakistan-based cybercrime group called “**The Manipulaters**,” a sprawling web hosting network of phishing and spam delivery platforms. In January 2024, The Manipulaters pleaded with this author to unpublish previous stories about their work, claiming the group had turned over a new leaf and gone legitimate. But new research suggests that while they have improved the quality of their products and services, these nitwits still fail spectacularly at hiding their illegal activities.

In May 2015, KrebsOnSecurity published a brief writeup about the brazen Manipulaters team, noting that they openly operated hundreds of web sites selling tools designed to trick people into giving up usernames and passwords, or deploying malicious software on their PCs.

Manipulaters advertisement for “Office 365 Private Page with Antibot” phishing kit sold on the domain heartsender,com. “Antibot” refers to functionality that attempts to evade automated detection techniques, keeping a phish deployed as long as possible. Image: DomainTools.

The core brand of The Manipulaters has long been a shared cybercriminal identity named “**Saim Raza**,” who for the past decade has peddled a popular spamming and phishing service variously called “**Fudtools**,” “**Fudpage**,” “**Fudsender**,” “**FudCo**,” etc. The term “FUD” in those names stands for “**F**ully **U**n-**D**etectable,” and it refers to cybercrime resources that will evade detection by security tools like antivirus software or anti-spam appliances.

A September 2021 story here checked in on The Manipulaters, and found that Saim Raza and company were prospering under their FudCo brands, which they secretly managed from a front company called **We Code Solutions**.

That piece worked backwards from all of the known Saim Raza email addresses to identify Facebook profiles for multiple We Code Solutions employees, many of whom could be seen celebrating company anniversaries gathered around a giant cake with the words “FudCo” painted in icing.

Since that story ran, KrebsOnSecurity has heard from this Saim Raza identity on two occasions. The first was in the weeks following the Sept. 2021 piece, when one of Saim Raza’s known email addresses — **bluebtcus@gmail.com** — pleaded to have the story taken down.

“Hello, we already leave that fud etc before year,” the Saim Raza identity wrote. “Why you post us? Why you destroy our lifes? We never harm anyone. Please remove it.”

Not wishing to be manipulated by a phishing gang, KrebsOnSecurity ignored those entreaties. But on Jan. 14, 2024, KrebsOnSecurity heard from the same bluebtcus@gmail.com address, apropos of nothing.

“Please remove this article,” Sam Raza wrote, linking to the 2021 profile. “Please already my police register case on me. I already leave everything.”

Asked to elaborate on the police investigation, Saim Raza said they were freshly released from jail.

“I was there many days,” the reply explained. “Now back after bail. Now I want to start my new work.”

Exactly what that “new work” might entail, Saim Raza wouldn’t say. But a new report from researchers at **DomainTools.com** finds that several computers associated with The Manipulaters have been massively hacked by malicious data- and password-snarfing malware for quite some time.

DomainTools says the malware infections on Manipulaters PCs exposed “vast swaths of account-related data along with an outline of the group’s membership, operations, and position in the broader underground economy.”

“Curiously, the large subset of identified Manipulaters customers appear to be compromised by the same stealer malware,” DomainTools wrote. “All observed customer malware infections began after the initial compromise of Manipulaters PCs, which raises a number of questions regarding the origin of those infections.”

A number of questions, indeed. The core Manipulaters product these days is a spam delivery service called **HeartSender**, whose homepage openly advertises phishing kits targeting users of various Internet companies, including **Microsoft 365**, **Yahoo**, **AOL**, **Intuit**, **iCloud** and **ID.me**, to name a few.

A screenshot of the homepage of HeartSender 4 displays an IP address tied to fudtoolshop@gmail.com. Image: DomainTools.

HeartSender customers can interact with the subscription service via the website, but the product appears to be far more effective and user-friendly if one downloads HeartSender as a Windows executable program. Whether that HeartSender program was somehow compromised and used to infect the service’s customers is unknown.

However, DomainTools also found the hosted version of HeartSender service leaks an extraordinary amount of user information that probably is not intended to be publicly accessible. Apparently, the HeartSender web interface has several webpages that are accessible to unauthenticated users, exposing customer credentials along with support requests to HeartSender developers.

“Ironically, the Manipulaters may create more short-term risk to their own customers than law enforcement,” DomainTools wrote. “The data table “User Feedbacks” (sic) exposes what appear to be customer authentication tokens, user identifiers, and even a customer support request that exposes root-level SMTP credentials–all visible by an unauthenticated user on a Manipulaters-controlled domain. Given the risk for abuse, this domain will not be published.”

This is hardly the first time The Manipulaters have shot themselves in the foot. In 2019, _The Manipulaters failed to renew their core domain name_ — manipulaters\[.\]com — the same one tied to so many of the company’s past and current business operations. That domain was quickly scooped up by Scylla Intel, a cyber intelligence firm that focuses on connecting cybercriminals to their real-life identities.

Currently, The Manipulaters seem focused on building out and supporting HeartSender, which specializes in spam and email-to-SMS spamming services.

“The Manipulaters’ newfound interest in email-to-SMS spam could be in response to the massive increase in smishing activity impersonating the USPS,” DomainTools wrote. “Proofs posted on HeartSender’s Telegram channel contain numerous references to postal service impersonation, including proving delivery of USPS-themed phishing lures and the sale of a USPS phishing kit.”

Reached via email, the Saim Raza identity declined to respond to questions about the DomainTools findings.

“First \[of\] all we never work on virus or compromised computer etc,” Raza replied. “If you want to write like that fake go ahead. Second I leave country already. If someone bind anything with exe file and spread on internet its not my fault.”

Asked why they left Pakistan, Saim Raza said the authorities there just wanted to shake them down.

“After your article our police put FIR on my \[identity\],” Saim Raza explained. “FIR” in this case stands for “First Information Report,” which is the initial complaint in the criminal justice system of Pakistan.

“They only get money from me nothing else,” Saim Raza continued. “Now some officers ask for money again again. Brother, there is no good law in Pakistan just they need money.”

Saim Raza has a history of being slippery with the truth, so who knows whether The Manipulaters and/or its leaders have in fact fled Pakistan (it may be more of an extended vacation abroad). With any luck, these guys will soon venture into a more Western-friendly, “good law” nation and receive a warm welcome by the local authorities.

‘The Manipulaters’ Improve Phishing, Still Fail at Opsec

What cybersecurity professionals around the world can do to defend against the scourge of online disinformation in this year's election cycle.

Shamla Naidoo, Head of Cloud Strategy & Innovation, Netskope

April 3, 2024

5 Min Read

Source: Feng Yu via Alamy Stock Photo

COMMENTARY

In recent global election cycles, the Internet and social media have facilitated the widespread dissemination of false news, misleading memes, and deepfake content, overwhelming voters. Given that it is difficult to directly compromise election systems used to vote and count votes, adversaries turn to the age-old psychological manipulation technique to get the desired outcomes: no hacking needed. With the emergence of generative artificial intelligence (AI) tools, the impact of disinformation campaigns is expected to escalate further. This has led to increased uncertainty and ambiguity regarding reality, with personal biases often shaping perceptions of truth.

In a sense, disinformation is like a cyber threat: As security leaders, we realize that malware, phishing attempts, and other attacks are a given. But we put controls in place to minimize the impact, if not prevent it entirely. We develop defense strategies based on decades of historical knowledge and data to gain the best advantage.

Today's disinformation campaigns, however, are essentially a product of the last decade, and we have not yet designed a mature series of controls to counter it. But we need to. With 83 national elections in 78 countries taking place in 2024 — a volume not expected to be matched until 2048 — the stakes have never been higher. A recent wave of troubling incidents and developments illustrate the many ways that adversaries are attempting to deceive the hearts and minds of the world's voters:

*   In Europe, the French Foreign Minister accused Russia of setting up a network of more than 190 websites intended to spread disinformation to "destroy Europe's unity" and "make our democracies exhausted" in seeking to discourage support for Ukraine. The network, codenamed "Portal Kombat," has also sought to confuse voters, discredit certain candidates, and disrupt large sporting events like the Paris Olympics.
    
*   In Pakistan, voters have been exposed to false Covid-19 and anti-vaccination propaganda, online hate speech against religious groups, and attacks on women's movements.
    
*   The World Economic Forum ranks foreign and domestic entities' or individuals' use of misinformation and disinformation as the "most severe global risk" for the next two years — over extreme weather events, cyberattacks, armed conflicts, and economic downturns.
    

Let's be clear here about the difference between disinformation and misinformation: The latter is information that is wrong, but not intended for mass distribution. The "fake news" distributor may not even be aware of its inaccuracies.

Disinformation, on the other hand, occurs when an entity (such as an adversarial nation-state) knowingly leverages misinformation with the intent of viral distribution.

The psychological manipulation jeopardizes the stability of democratic institutions. Think of disinformation farms as a large office floor with hundreds or even thousands of people doing nothing but making up authentic-looking blogs, articles, and videos to target candidates and positions that contradict their agendas. Once unleashed on social media, these falsehoods spread rapidly, reaching millions and masquerading as real events.

How can citizens best protect themselves from these campaigns to maintain a firm grasp on what's real and what isn't? How can cybersecurity leaders help?

Here are four best practices.

**DYOV: Do Your Own Vetting**

A meme or GIF doesn't stand alone as a credible source of information. Not all professional-looking publications are credible or accurate. Not every statement from a trusted source may be their own. It’s too easy to create fake videos using AI-generated images. There are few arbiters of truth on the Internet, so buyer beware. Moreover, we can't depend on social media platforms to monitor and eliminate disinformation — regardless of whether we agree or embrace it. Section 230 has established immunity for online companies serving as publication resources for third-party content.

It's critical to look at different platforms and reconcile those with what government websites, real news outlets, and respected organizations such as the National Conference of State Legislatures (NCSL) are reporting. Inconsistencies should serve as a warning sign. Also, when seeking out biases from the information source, always ask, "Why should I believe this? Who is the author? What is their interest in this position?"

**2\. Avoid Becoming Part of the Problem**

Social media makes it too easy to run with a post or video that presents a version of "truth" that is anything but. Architects of disinformation campaigns depend upon individual users to spread their messages, i.e., "It came from my sibling/boss/neighbor, so it must be true." Again, DYOV before passing anything along. Be judicious about clicking on "forward" and "like" buttons to avoid being an engine of these campaigns.

**3\. Follow Watchdogs**

Organizations like the Netherlands-based Defend Democracy, the University of Pennsylvania-based FactCheck.org and Santa Monica, Calif.-based RAND Corp. offer resources to better help distinguish fact from fiction. In the academic community, San Diego State University's University Library and Stetson University's duPont-Ball Library maintain a list of watchdog groups, databases, and other resources.

**4\. Take a Leadership Stand**

As cybersecurity professionals, we recognize that threats like brand impersonation and phishing occur beyond our controlled technology environments. We cannot block every email, and our controls won't block or even detect impersonations on technology that we don't control. Instead, we must actively promote cyber education and awareness so employees can learn about the latest phishing attempts and the dangers of clicking on unfamiliar links.

We should take a similar, education-focused approach with disinformation campaigns. We can create employee awareness programs so they understand what to look for, even when the attempts do not involve our technology. We can even promote this knowledge through various platforms — internal company communications, public-facing blogs, articles — where we have a prominent voice. Offer credible and contextual resources against which they can vet information.

Unfortunately, disinformation — especially during political seasons — cannot be avoided, forcing us to field all relevant "facts" through appropriate vetting. However, tools enable everyone to do this while educating employees and the public as cybersecurity leaders. If they do so, 2024 may be remembered as the year when the global community decided that the truth matters.

**About the Author(s)**

Head of Cloud Strategy & Innovation, Netskope

Currently the head of cloud strategy & innovation at Netskope, Shamla Naidoo is a technology industry veteran with experience helping businesses across diverse sectors and cultures use technology more effectively. She has successfully embraced and led digital strategy in executive leadership roles such as Global CISO, CIO, VP, and Managing Partner, at companies like IBM, Anthem (Wellpoint), Marriott (Starwood), and Northern Trust.

Shamla has helped organizations in over 20 countries recognize the impact of digital transformation globally and advise their stakeholders on predicting and navigating the necessary changes in laws and regulations. In addition, she has worked with intelligence communities to use digital and cyber within their organizations to protect businesses and society from technology misuse.

Shamla remains actively engaged in the industry, with organizations like the Security Advisor Alliance, the Shared Security Assessments Group, Institute for Applied Network Security (IANS), Executive Women’s Forum (EWF), HMG Strategy Group, and the Round Table Network. In addition, she is an influential member of the legal community, creating and teaching courses on law, technology, and privacy for the University of Illinois Chicago School of Law. She frequently speaks at the American Bar Association and formerly served as the Committee Chair on Legal Technology for the Illinois State Bar Association. As a practitioner, teacher and coach, she enjoys the opportunity to help seasoned professionals to take their careers to the next level.

Tag

#intel