Administrators and security teams who have lost visibility into their own networks can use DNS telemetry to home in on anomalous traffic.

**Question: How can administrators use DNS telemetry to complement NetFlow data in detecting and stopping threats?**

**David Ratner, CEO, Hyas:** For many years, DevSecOps teams relied heavily on flow data (the information collected by NetFlow and similar technology) to glean insight into events occurring within their networks. However, flow data's usefulness has waned with the shift to the cloud and increased network complexity.

Monitoring network traffic is the new big data problem. You either sample a smaller amount of flow data or incur the high costs of receiving a more comprehensive set. But even with all of the data, detecting subtle anomalous incidents (perhaps involving just one or a handful of devices and relatively low-volume traffic) that indicate malicious activity is still like looking for a needle in a haystack.

Administrators and security teams can regain visibility into their own networks with DNS telemetry. It is is easier and cheaper to monitor than flow data and can identify unknown, anomalous, or malicious domains based on threat intelligence data. These services can alert DevSecOps administrators and provide information on exactly where to look to investigate the incident. If necessary, administrators can access the corresponding flow data to get additional actionable information about the event, identify if the event is innocuous or malicious, and stop nefarious activity in its tracks. DNS telemetry solves the big data problem by letting teams more quickly and efficiently zero in on the areas that need attention.

An easy way to visualize the problem is to imagine staking out all the payphones in a neighborhood to intercept calls related to criminal activity. Actively watching each payphone and monitoring the content of each call made from each payphone would be incredibly tedious. However, in this analogy, DNS monitoring would notify you that a certain payphone made a call, when it made it, and who it called. With this information, you can then query flow data to find out additional pertinent information, like if the person on the other end picked up the call and how long they spoke.

A real-world scenario might occur like this: Your DNS monitoring system notices multiple devices making calls to a domain flagged as anomalous and potentially malicious. Even though this particular domain has never been used before in an attack, it is unusual, anomalous, and requires additional and immediate investigation. This triggers an alert, prompting administrators to query flow data for those particular devices and the specific communication with that domain. With that data, you can quickly determine if malicious activity is actually happening and, if it is, you can block the communication, cutting the malware off from its C2 infrastructure and stopping the attack before major damage is done. On the other hand, there may have been some legitimate reason for anomalous traffic, and it isn’t actually nefarious — maybe the device is simply reaching out to a new server for updates. Either way, now you know for sure.

How Does DNS Telemetry Help Detect and Stop Threats?

Microsoft added certificate-based authentication (CBA) to the Azure Active Directory to help organizations enable phishing-resistant MFA that complies with US federal requirements. The change paves the way for enterprises to migrate their Active Directory implementations to the cloud.

Microsoft has removed a key obstacle facing organizations seeking to deploy phishing-resistant multifactor authentication (MFA) by enabling certificate-based authentication (CBA) in Azure Active Directory.

The release of CBA in Azure AD, announced during last month's Microsoft Ignite conference, promises to pave the way for large enterprises to migrate their on-premises Active Directory implementations to the cloud. It's a move Microsoft is encouraging enterprises to undertake to protect their organizations from phishing attacks.

Further, this week, Microsoft took the first step toward enabling phishing-resistant MFA on employee-owned iOS and Android devices without requiring IT to install user certificates. Specifically, Microsoft on Wednesday issued a preview release of Azure AD with CBA support on mobile devices using security keys from Yubico.

**Meeting Federal Standards**

CBA capability in Azure AD is immediately critical to federal government agencies, which face a March 2024 deadline to deploy phishing-resistant MFA in compliance with US President Joe Biden's 2021 Executive Order (14028) on Improving the Nation's Cybersecurity.

The executive order directs all federal government agencies and those it does business with to move to zero trust architecture (ZTA) security. Phishing-resistant MFA is a requirement detailed in the follow-on guidance, Memorandum MB-22-09, issued early this year by the US Office of Budget and Management (OMB).

OMB's memorandum specifies that all civilian and intelligence agencies implement cloud-based identity architectures resistant to phishing. That means eliminating legacy MFA solutions that attackers can compromise, including SMS and one-time password (OTP) based authentication susceptible to phishing attacks.

SMS phishing attacks, also called "smishing," are fraudulent text messages that appear legitimate, directing victims to enter personal information into a fake website. "Smishing has turned increasingly into a meaningful attack vector; I see it all the time," says Andrew Shikiar, executive director of the FIDO Alliance.

Beyond federal agencies and contractors, preventing phishing from MFA bypass attacks has become crucial to all enterprises. This year, MFA relay attacks have escalated; for example, in the August compromise of Twilio's broadly used MFA service, the attackers prompted unwitting users to share their Okta credentials.

Experts anticipate such attacks will rise next year. "I think social engineering and MFA bypass attacks will continue to grow in 2023, where some other major service providers suffer meaningful breaches like we did this year," Shikiar says.

**Moving From ADFS to Azure AD**

Microsoft emphasized that CBA in Azure AD is critical in paving the way for federal government agencies to comply with the president's executive order. CBA provides a migration path from on-premises Active Directory Federation Services (ADFS) to the cloud-based Azure AD.

Now that CBA is available in Azure AD, organizations can use the cloud-based version of Active Directory to require users to login directly from all Microsoft Office and Dynamics programs and some third-party apps, which will authenticate them with an organization's public key infrastructure (PKI) using X.509 certificates. The X.509 certificate renders applications resistant to phishing because each user and device has its unique certificate.

Until now, organizations choosing to implement CBA in the cloud had to use third-party authentication services to enforce certificate policies. "What Microsoft is doing is removing the hurdle of having to have a separate service, and between you and the cloud, they're supporting that natively," says Derek Hanson, VP of solutions architecture and standards at Yubico.

"This removes the last major blocker for those of you who want to move all of your identities to the cloud," said Joy Chik, president of Microsoft's identity and network access division, during a session at the company's Ignite conference.

Chik emphasized that connecting applications to Azure AD paves the way for retiring on-premises ADFS, which organizations typically use to enable PKI. However, most organizations have relied on ADFS for decades, and migrating to Azure AD is a complex move. Nevertheless, Chik said it is necessary. "ADFS has become a primary attack vector," she said.

Indeed, most enterprises that use X.509 for authentication rely on federated servers — and in most cases, that means ADFS. Doug Simmons, managing director and principal consulting analyst at TechVision Research, estimates that at least 80% to 90% of enterprises use ADFS.

"I really don't know of any organizations that are not using ADFS," Simmons says. Now that CBA is available in Azure AD, Simmons agrees that organizations will begin the process of migrating from ADFS. "I think they will likely make the migration within the next two years," he says.

**Fulfilling the Government Mandates**

During the past year, Chik said that Microsoft has added more than 20 capabilities to ensure that all the critical authentication capabilities in ADFS are available in Azure AD. "Certificate-based authentication is critical for customers in regulated industries," Chik said. But she added, "This includes US federal agencies, which must deploy phishing resistant MFA to comply with White House executive order on cyber security."

Simmons notes that enabling agencies to meet this mandate is critical for Microsoft to retain and expand government deployments, especially agencies that require authentication that complies with the FIPS 140 and FIDO2 standards. "From what I understand, Microsoft needs Azure to stay ahead of the FedGov game or risk being further being overtaken by Google, AWS and others," Simmons explains. "So, this would be necessary to demonstrate said compliance and fully integrated support."

Earlier this year, Microsoft launched Entra, an identity and access management (IAM) platform anchored by Azure Active Directory and using other tools, including Permissions Management, Verified ID, Workload Identities, and Identity Governance.

"With Entra, they are making a significant investment in multi-cloud administrative security," Simmons adds. "Multicloud is key because they realize the world doesn't end with Azure. In fact, most of their customers — and probably all of our customers — have the big three clouds in production. To better secure cross-cloud admin, they need to make strong authentication available to the privileged users, who can be developers and admins. Just supporting phone-based push MFA isn't enough for some organizations, especially when it comes to the US government and defense."

**Bringing Azure AD CBA Support to Mobile Devices**

Microsoft's release this week of the public preview of Azure AD CBA support on iOS and Android devices enables the use of certificates on hardware security keys, initially Yubico's YubiKey. Microsoft's director of identity security Alex Weinert announced the release in a brief blog post.

"With Bring Your Own Device (BYOD) on the rise, this feature will give you the ability to require phishing-resistant MFA on mobile without having to provision certificates on the user's mobile device," Weinert wrote.

Yubico, which led the development of the FIDO authentication standards, worked with Microsoft to enable its YubiKeys, the first FIPS-certified, phishing-resistant authenticator currently available for Azure AD on mobile. Ultimately, contractors and US Department of Defense personnel will be able to embed their DoD common access cards (CAC) and personal identity verification (PIV) cards into their mobile devices.

"CBA is currently the only form of phishing-resistant authentication within Azure that is supported on mobile devices, which is an important factor for an organization when deciding which scheme to adopt," said Yubico solutions architect Erik Parkkonen in a blog post. Besides taking some configuration steps within Azure AD and installing the Microsoft Authenticator app on Android or iOS/iPadOS, users must install the Yubico Authenticator app on mobile devices.

Users must then install their personal identity verification (PIV) credential independent of the Azure solution, Parkkonen noted. Further, administrators can deploy Microsoft's latest Conditional Access authentication strength policies to enforce CBA. Microsoft last week released a preview of the new Conditional Access authentication strength capabilities.

Microsoft's Certificate-Based Authentication Enables Phishing-Resistant MFA

In the nearly two years since the company discovered the cyber intrusion, SolarWinds has fundamentally rearchitected its development environment to make it much harder to compromise, CISO Tim Brown tells Dark Reading.

The US Securities and Exchange Commission (SEC) appears poised to take enforcement action against SolarWinds for the enterprise software company's alleged violation of federal securities laws when making statements and disclosures about the 2019 data breach at the company.

If the SEC were to move forward, SolarWinds could face civil monetary penalties and be required to provide "other equitable relief" for the alleged violations. The action would also enjoin SolarWinds from engaging in future violations of the relevant federal securities laws.

SolarWinds disclosed the SEC's potential enforcement action in a recent Form 8-K filing with the SEC. In the filing, SolarWinds said it had received a so-called "Wells Notice" from the SEC noting that the regulator's enforcement staff had made a preliminary decision to recommend the enforcement action. A Wells Notice basically notifies a respondent about charges that a securities regulator intends to bring against a respondent, so the latter has an opportunity to prepare a response.

SolarWinds maintained that its "disclosures, public statements, controls, and procedures were appropriate." The company noted that it would prepare a response to the SEC enforcement staff's position on the matter.

The breach into SolarWinds' systems wasn't discovered until late 2020, when Mandiant found that its red-team tools had been pilfered in the attack.

**Class-Action Settlement**

Separately, but in the same filing, SolarWinds said it had agreed to pay $26 million to settle claims in a class action lawsuit filed against the company and some of its executives. The lawsuit had claimed the company had misled investors in public statements, about its cybersecurity practices and controls. The settlement would not constitute any admission of any fault, liability, or wrongdoing over the incident. The settlement, if approved, will be by paid by the company's applicable liability insurance.

The disclosures in the 8-K Form come nearly two years after SolarWinds reported that attackers — later identified as Russian threat group Nobelium — had breached the build environment of the company's Orion network management platform and planted a backdoor in the software. The backdoor, dubbed Sunburst, was later pushed out to the company's customers as legitimate software updates. Some 18,000 customers received the poisoned updates. But fewer than 100 of them were later actually compromised. Nobelium's victims included companies such as Microsoft and Intel as well as government agencies such as the US departments of Justice and Energy.

**SolarWinds Executes a Complete Rebuild**

SolarWinds has said it has implemented multiple changes since then to its development and IT environments to ensure the same thing doesn’t again. At the core of the company's new secure by design approach is a new build system designed to make attacks of the sort that happened in 2019 much harder — and nearly impossible — to carry out.

In a recent conversation with Dark Reading, SolarWinds CISO Tim Brown describes the new development environment as one where software is developed in three parallel builds: a developer pipeline, a staging pipeline, and a production pipeline. 

"There's no one person that has access to all of those pipeline builds," Brown says. "Before we release, what we do is we do a comparison between the builds and make sure that the comparison matches." The goal in having three separate builds is to ensure that any unexpected changes to code — malicious or otherwise — don't get carried over to the next phase of the software development life cycle. 

"If you wanted to affect one build, you would not have the ability to affect the next build," he says. "You need collusion amongst people in order to affect that build again."

Another critical component of SolarWinds' new secure-by-design approach is what Brown calls ephemeral operations — where there are no long-lived environments for attackers to compromise. Under the approach, resources are spun up on demand and destroyed when the task to which they have been assigned is completed so attacks have no opportunity to establish a presence on it.

**"Assume" a Breach**

As part of the overall security enhancement process, SolarWinds has also implemented hardware token-based multifactor authentication for all IT and development staff and deployed mechanisms for recording, logging, and auditing everything that happens during software development, Brown says. After the breach, the company in addition has adopted an "assumed breach" mentality of which red-team exercises and penetration testing are an essential component.

"I'm in there trying to break into my build system all the time," Brown says. "For example, could I make a change in development that would end up in staging or end up in production?" 

The red team looks at every component and service within SolarWinds' build system, making sure that the configuration of those components are good and, in some cases, the infrastructure surrounding those components is secure as well, he says.

"It took six months of shutting down new feature development and focusing on security alone" to get to a more secure environment, Brown says. The first release SolarWinds put out with new features was between eight and nine months after breach discovery, he says. He describes the work that SolarWinds has put in to bolster software security as a "heavy lift" but one that he thinks has paid off for the company. 

"They were just major investments to get ourselves right \[and\] reduce as much risk as possible in the whole cycle," says Brown, who also recently shared key lessons his company learned from the 2020 attack.

SolarWinds Faces Potential SEC Enforcement Act Over Orion Breach

One attack used 400 mule accounts to steal money by making fraudulent withdrawals, researchers say.

At least 16 African banks, financial services, and telecommunication companies have been identified as victims of the French-speaking threat group OPERA1ER, which has stolen at least $11 million since 2018. 

A new report from Group-IB explains it has been tracking OPERA1ER's activities since 2019; however, they waited to publish its findings until the group resurfaced after a 2021 break. Now the gang is back in action, the analysts explain, allowing Group-IB to document their OPERA1ER TTPs from 2019 through 2021, as well as the latest iteration in 2022. 

The researchers reported OPERA1ER has successfully breached the targets' systems at least 30 times since 2018. As an example of the group's sophistication and coordination, the report added, one of the of the group's attacks used more than 400 mule accounts to make fraudulent money withdrawals.

The group doesn't use exotic malware, in fact, the researchers said in the report that OPERA1ER's hallmark is easily accessible open source malware and everyday red-team frameworks like Metasploit and Cobalt Strike. OPERA1ER delivers remote access Trojans (RATs) through French-language email phishing lures and takes its time gathering intelligence about its victims before "cashing out," the report added. 

"Detailed analysis of the gang’s recent attacks revealed an interesting pattern in their modus operandi: OPERA1ER conducts attacks mainly during the weekends or public holidays," Rustam Mirkasymov, head of cyber-threat research at Group-IB Europe, said in a statement. "It correlates with the fact that they spend from three to 12 months from the initial access to money theft." 

Mirkasymov added the gang could be based out of Africa and the total number of OPERA1ER group members is unknown. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Cybercrime Group OPERA1ER Stole $11M From 16 African Businesses

SMBs concerned about tightening security budgets despite increased risks.

**WATERLOO, ON, Nov. 7, 2022 /PRNewswire/** — OpenText™ _(_NASDAQ: OTEX), (TSX: OTEX), today released results of the OpenText Security Solutions 2022 Global Small-Medium Business (SMB) Ransomware Survey. Findings show growing concern about ransomware attacks, the impact of geopolitical tensions, and rising inflation rates. Eighty-eight percent of respondents noted they are concerned or extremely concerned about an attack impacting their business.

"SMBs are a sweet spot for hackers to exploit because they often lack cybersecurity resources, both technology and security expertise," said Prentiss Donohue, Executive Vice President, OpenText Security Solutions. "Today's complex threat landscape presents a huge risk to SMBs that don't have sufficient cyber resiliency preparation to stop the spread and recover quickly from an attack. With adversaries becoming increasingly sophisticated and relentless, a multi-layered protection strategy is no longer a nice to have, it is a necessity."

**Spotlight findings:**

**SMBs fear tightening security budgets amid growing concern of increased ransomware risks due to heightened geopolitical** **tensions.**

*   More than half (57%) of SMBs are worried about their cybersecurity budget shrinking amid rising inflation rates.
*   Fifty-two percent of respondents feel more at risk of suffering a ransomware attack because of heightened geopolitical tensions.
*   Eighty-four percent are concerned about a ransomware attack impacting their business.

**There's a concerning lack of awareness among SMBs when it comes to knowing if they've suffered a ransomware attack. Meanwhile, budgets to protect against these risks are low.**

*   Nearly half (46%) of SMBs have experienced a ransomware attack, yet 67% still don't think or aren't sure they are a ransomware target.
*   The majority (60%) of respondents are not confident or only somewhat confident that they can fend off a ransomware attack.
*   Despite many having experienced an attack before, security budgets are minimal to protect against ransomware and other threats:

*   60% spend less than $50,000 per year.
*   50% spend less than $20,000 per year.
*   Only 10% spend more than $50,000 per year.

**Managed service providers (MSPs) are an appealing security option for SMBs to offset resource constraints.**

*   More SMBs outsource their security to an IT provider or MSP than not, with 58% using external security management support.
*   Concurrently, 65% of SMBs that don't currently use a MSP would consider doing so in the future.

**Survey Resources Now Available:**

To learn more about the findings of the OpenText Security Solutions 2022 Global SMB Ransomware Survey, view the infographic (PDF) or read the blog.

**Survey Methodology**

OpenText Security Solutions polled 1,332 security and IT professionals from small and medium-sized businesses (SMBs), up to 1,000 employees, in the United States, the United Kingdom, and Australia from September 24 to October 10, 2022. Respondents represented a range of roles from security and technical employees to the C-Suite, and across multiple industries including technology, retail, education, manufacturing, healthcare and more.

**About OpenText Security Solutions**

As attack surfaces expand, OpenText Security Solutions help organizations of every size achieve cyber resilience with Webroot Security, Carbonite Data Management, BrightCloud® Threat Intelligence, and EnCase Digital Forensics and Threat Response. With a united front of best practices paired with layered solutions, we prevent, detect, and restore small, mid-sized and enterprise business operations in the event of a cybersecurity attack.

**About OpenText**  
OpenText, The Information Company™, enables organizations to gain insight through market leading information management solutions, powered by OpenText Cloud Editions. For more information about OpenText (NASDAQ: OTEX, TSX: OTEX) visit opentext.com.

**Connect with us:**  
OpenText CEO Mark Barrenechea's blog  
Twitter | LinkedIn

Certain statements in this press release may contain words considered forward-looking statements or information under applicable securities laws. These statements are based on OpenText's current expectations, estimates, forecasts and projections about the operating environment, economies and markets in which the company operates. These statements are subject to important assumptions, risks and uncertainties that are difficult to predict, and the actual outcome may be materially different. OpenText's assumptions, although considered reasonable by the company at the date of this press release, may prove to be inaccurate and consequently its actual results could differ materially from the expectations set out herein. For additional information with respect to risks and other factors which could occur, see OpenText's Annual Report on Form 10-K, Quarterly Reports on Form 10-Q and other securities filings with the SEC and other securities regulators. Unless otherwise required by applicable securities laws, OpenText disclaims any intention or obligations to update or revise any forward-looking statements, whether as a result of new information, future events or otherwise.

Copyright © 2022 OpenText. All Rights Reserved. Trademarks owned by OpenText. One or more patents may cover this product(s). For more information, please visit https://www.opentext.com/patents.

**SOURCE:** Open Text Corporation

OpenText Security Solutions Global SMB Ransomware Survey Reveals Heightened Worry About Increased Cyberattacks Due to Geopolitical Tensions

Plus: Liz Truss’ phone-hacking trouble, Cash App’s sex-trafficking problem, and the rising cost of ransomware.

Open internet proponents were relieved last month when an American candidate beat a Russian challenger in an election to run the International Telecommunications Union, an important international standards body tasked with cross-boundary communications. Meanwhile, though, we took a look at the fragility of the world’s internet infrastructure and the vulnerability of crucial undersea cables.

Researchers see evidence that the US’s new legal climate for abortion access is promoting a culture of community surveillance, a hallmark of authoritarian states in which neighbors and friends are encouraged to report possible wrongdoing. And surveillance is on the rise in soccer stadiums around the world as well. The eight stadiums in use during the 2022 World Cup in Qatar, for example, will be packed with more than 15,000 cameras to monitor spectators and to conduct biometric scanning.

The more secure, “memory safe” programming language Rust is making inroads across the tech industry, offering hope that a massive swath of common vulnerabilities could eventually be preempted and eliminated. In the meantime, we’ve got a roundup of the most important vulnerabilities that you can—and should!—patch right now.

And there’s more. Each week, we highlight the news we didn’t cover in-depth ourselves. Click on the headlines below to read the full stories. And stay safe out there.

There’s no longer a question about whether TikTok staff in China can access Europeans’ data. The company this week announced that it plans to update its privacy policy to explicitly list China as one of the countries where workers can access data from users in the European Union, such as location data that users opt to share. TikTok’s policy update comes amid a yearlong investigation by Ireland’s Data Protection Commission, which is looking into its data-transfer policies under the EU’s General Data Protection Regulation. The inquiry is part of Western governments’ increased scrutiny of the video-sharing platform, which some US officials have characterized as a national security threat due to frequently close relationships between Chinese companies and the government in Beijing. TikTok, which is owned by China-based ByteDance, says in its announcement that its privacy policy update is meant to “include greater transparency into how we share user information outside of Europe and how we collect user location information.” The new policy goes into effect on December 2.

Liz Truss is having a rough time. Soon after her historically brief stint as the UK prime minister, the _Mail on Sunday_ reported that agents working on behalf of Russia had hacked her personal cell phone when she was foreign minister. The breach allegedly allowed these Russian operatives to intercept messages between Truss and officials in other countries, including messages about Ukraine. The _Mail_ report further claims that former prime minister Boris Johnson and cabinet secretary Simon Case suppressed the breach. While the breach remains unconfirmed, Labor Party officials are calling for an “urgent investigation” into their Conservative opponents. "There are immensely important national security issues raised by an attack like this by a hostile state which will have been taken extremely seriously by our intelligence and security agencies," Labor Party shadow home secretary Yvette Cooper said last weekend. "There are also serious security questions around why and how this information has been leaked or released right now, which must also be urgently investigated."

Another of Jack Dorsey’s corporate creations is facing new heat this week. According to a _Forbes_ investigation, the Cash App is helping fuel sex trafficking in the US and elsewhere. Based on police records, “hundreds of court filings,” and claims by former Cash App employees, the investigation found rampant use of the Cash App in sex trafficking and other crimes. The company, which is owned by Dorsey-led Block Inc., maintains that it “does not tolerate illegal activity on Cash App” and has staff dedicated to working with law enforcement. Meanwhile, the National Center for Missing and Exploited Children says that although rival payment platforms like PayPal provide the the center with tips about potential child abuse facilitated by their services, _Forbes_ writes, “Block hasn’t provided any tips, ever.”

The US Treasury Department this week said US financial institutions facilitated ransomware payments totaling nearly $1.2 billion in 2021—a 200 percent increase since 2020. The report landed amid an international White House summit aiming to combat the rise of ransomware, a type of malware that allows attackers to encrypt a target’s files and hold them for ransom until the victim pays. Himamauli Das, acting director of the Treasury Department’s Financial Crimes Enforcement Network, said in a statement that “ransomware—including attacks perpetrated by Russian-linked actors—remain a serious threat to our national and economic security. While $1.2 billion in payments is already painful enough, the number does not take into account the costs and other financial consequences that come with a ransomware attack outside of the payment itself.

TikTok Admits Staff in China Can Access Europeans’ Data

Microsoft is warning of an uptick in the nation-state and criminal actors increasingly leveraging publicly-disclosed zero-day vulnerabilities for breaching target environments.
The tech giant, in its 114-page Digital Defense Report, said it has "observed a reduction in the time between the announcement of a vulnerability and the commoditization of that vulnerability," making it imperative that

Microsoft is warning of an uptick in the nation-state and criminal actors increasingly leveraging publicly-disclosed zero-day vulnerabilities for breaching target environments.

The tech giant, in its 114-page Digital Defense Report, said it has "observed a reduction in the time between the announcement of a vulnerability and the commoditization of that vulnerability," making it imperative that organizations patch such exploits in a timely manner.

This also corroborates an April 2022 advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which found that bad actors are "aggressively" targeting newly disclosed software bugs against broad targets globally.

Microsoft noted that it only takes 14 days on average for an exploit to be available in the wild after public disclosure of a flaw, stating that while zero-day attacks are initially limited in scope, they tend to be swiftly adopted by other threat actors, leading to indiscriminate probing events before the patches are installed.

It further accused Chinese state-sponsored groups of being "particularly proficient" at discovering and developing zero-day exploits.

This has been compounded by the fact that the Cyberspace Administration of China (CAC) enacted a new vulnerability reporting regulation in September 2021 that requires security flaws to be reported to the government prior to them being shared with the product developers.

Redmond further said the law could enable government-backed elements to stockpile and weaponize the reported bugs, leading to the increased use of zero-days for espionage activities designed to advance its economic and military interests.

Some of the vulnerabilities that were first exploited by Chinese actors before being picked up other adversarial groups include -

*   **CVE-2021-35211** (CVSS score: 10.0) - A remote code execution flaw in SolarWinds Serv-U Managed File Transfer Server and Serv-U Secure FTP software that was exploited by DEV-0322.
*   **CVE-2021-40539** (CVSS score: 9.8) - An authentication bypass flaw in Zoho ManageEngine ADSelfService Plus that was exploited by DEV-0322 (TiltedTemple).
*   **CVE-2021-44077** (CVSS score: 9.8) - An unauthenticated remote code execution flaw in Zoho ManageEngine ServiceDesk Plus that was exploited by DEV-0322 (TiltedTemple).
*   **CVE-2021-42321** (CVSS score: 8.8) - A remote code execution flaw in Microsoft Exchange Server that was exploited three days after it was revealed during the Tianfu Cup hacking contest on October 16-17, 2021.
*   **CVE-2022-26134** (CVSS score: 9.8) - An Object-Graph Navigation Language (OGNL) injection flaw in Atlassian Confluence that's likely to have been leveraged against an unnamed U.S. entity days before the flaw's disclosure on June 2.

The findings also come almost a month after CISA released a list of top vulnerabilities weaponized by China-based actors since 2020 to steal intellectual property and develop access into sensitive networks.

"Zero-day vulnerabilities are a particularly effective means for initial exploitation and, once publicly exposed, vulnerabilities can be rapidly reused by other nation state and criminal actors," the company said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Warns of Uptick in Hackers Leveraging Publicly-Disclosed 0-Day Vulnerabilities

Dark Reading's analysis suggests that Human Security's acquisition of clean.io will significantly expand the company's fraud prevention and anti-malvertising portfolio.

When dealing with a medium as flexible as the Web, it’s impossible for the site owner to fully control what a user sees. The user doesn't need the site's consent to change the user interface or experience through add-ons, custom browser properties, proxies, and firewall settings.

However, certain things are still within the site owner’s control, such as advertiser selection, security, pricing, and content policy. That's the idea behind _site integrity_, that the user or third parties can't try to force a change on the server or the site's backend operations without consent. If someone, or something, can violate site integrity, that is a threat with real business impact.

An example is malvertising, when cybercriminals abuse the programmatic advertising ecosystem to deliver malware to end users via online advertisements. Exposing users to malware is bad enough, but malvertising creates a significant brand reputation problem for the brands and platforms delivering the ads.

How does Human Security's acquisition of clean.io — announced on Thursday for an undisclosed amount — change the market for anti-malvertising technology? Dark Reading's analysis of the two companies suggests that by joining forces, Human Security and clean.io will be able to offer publishers, platforms, and brands a full range of anti-fraud and anti-abuse tools for the advertising ecosystem.

**What's So Great About Clean Humans?**

Safeguarding the advertising ecosystem means ensuring the industry's $500 billion annual ad spend reaches real humans rather than funding criminal schemes. Toward that goal, clean.io employs real-time behavioral protections on the page, as opposed to relying on static creative reviews and pre-scanning techniques offline, according to Human Security. Integrating clean.io's client-side JavaScript behavioral analysis and mitigation to Human Security's Human Defense Platform will make malvertising incredibly costly for bad actors, the company says.

"Human and clean.io have long been strategic partners to help combat two of the most important problems we face in programmatic advertising: malvertising and fraud," Ron Lissack, senior vice president and chief architect at Xandr, said in the release announcing the acquisition. "This type of consolidation in the ecosystem is welcome news and brings with it a true and holistic, 360-degree approach to fighting cybercrime."

**A Solution to the Cart Problem**

Many merchants and retailers rely on coupons to help boost sales (more than 90% of online consumers say they search for and use coupon codes while shopping online), but when those coupons are abused, they have to deal with lost revenue and damaged brand reputation. Between taking the hit on the coupons themselves, having to pay affiliate fees to the coupon app folks, and getting false impressions about the success of certain ad campaigns, coupon fraud is no joke.

Fraud prevention is Human's bread and butter, and Dark Reading's analysis suggests that cart protection is one of the areas that will benefit from the clean.io acquisition. Human Security can expand its concept of site integrity to include fighting checkout fraud and automated coupon and affiliate code replication. By integrating clean.io's cleanCart technology into its BotGuard product, Human Security can expand coverage beyond the detection and elimination of fake leads from the first-party marketing pool.

This combination will eliminate fake affiliates from the pool in some cases, and in others drastically reign in affiliate payouts for out-of-scope automated coupon redemptions.

It's a potent combination; cleanCart was already boasting a 3% conversion rate boost, while claiming to pay for itself entirely within 90 days of purchase. Add BotGuard's improvement to lead quality and conversion rates, and the percentage of fraudulently sourced clients making it through the checkout process should be low.

**Final Analysis**

Human Security is creating a significant pattern of scalable growth through innovation and acquisition. While the recent merger with PerimeterX took them deep into the enterprise e-commerce checkout process, the clean.io acquisition will help stop fraud at its source through its anti-malvertising leadership and bridge the gap, making potential tech partnerships with e-commerce solutions as a whole (Shopify, WooCommerce, et al.) and cart-specific solutions (X-Cart, OpenCart, etc.) even more attractive.

The acquisition of clean.io by Human Security should give a significant boost to the company's real-time fraud detection capabilities and increase its ability to catch novel threats in the wild. The sheer amount of threat intelligence the combined company will have visibility into is another significant product advantage.

"With the clean.io acquisition, the Satori team will gain invaluable talent and threat intelligence. This will help us defend our customers from future attacks and support disruption efforts like 3ve, Methbot, PARETO, and most recently, Scylla," Gavin Reid, vice president of threat intelligence and research at Human Security, said in a statement. "We're looking forward to expanding our investigative power and strengthening our takedown mechanisms to continue safeguarding all of our clients and the industry as a whole."

Human Security Tackles Malvertising With Clean.io Buy

An analysis of the RomCom APT shows the group is expanding its efforts beyond the Ukrainian military into the UK and other English-speaking countries.

The RomCom threat group is actively using trojanized versions of popular software products, including SolarWinds Network Performance Monitor, KeePass Open-Source Password Manager, and PDF Reader Pro, to target various English-speaking countries — especially the UK — with a remote access Trojan (RAT). It's a departure in tactics, techniques, and procedures for the advanced persistent threat (APT).

During an analysis of a previous RomCom RAT campaign against the Ukraine military that used fake Advanced IP Scanner software to deliver malware, the threat research and intelligence team at BlackBerry discovered additional, more widespread campaigns being waged in other geolocations. The researchers determined the UK and other English-speaking countries were new RomCom targets based on the analysis of the terms of service and the SSL certificates of a new command-and-control server, which was registered in the UK.

Dmitry Bestuzhev, distinguished threat researcher with BlackBerry, tells Dark Reading that the UK is now actually one of the biggest RomCom targets, based on Blackberry's analysis.

"It's predictable, since the US and UK have been the most active supporters of Ukraine in the war with Russia," Bestuzhev says.

Once dropped, the RomCom RAT is designed to exfiltrate any sensitive data or passwords.

"Information is valuable, and when it's strategic, it helps the attacker build better offensive strategies and take advantage in any domain," Bestuzhev adds. "Geopolitics will set new targets. Since RomCom has been widely exposed, it's reasonable to believe the group behind it might change their TTPs."

This isn't the first shift in strategy for the group. "When RomCom was discovered, it was publicly associated with ransomware," Bestuzhev says. "The most recent campaigns prove that the motivation of this threat actor is not money. There is a geopolitical agenda that defines the new targets."

**RomCom RAT's Wrap**

The trojanizing scheme isn't terribly complicated, the BlackBerry team explained in its report.

RomCom scrapes the code from the software vendor the APT wants to use, registers a malicious domain that's likely to trick the user with typosquatting or similar tactics, trojanizes the real application, and then uploads the malware to the spoofed site. It then sends a phishing lure to the intended target through various channels, and boom — target compromised.

The wrapping approach isn't new, Andrew Barratt, vice president with Coalfire, tells Dark Reading; other APTs and groups like FIN7 have used similar tactics.

"This attack looks like it's a direct copycat of some attacks we investigated during the pandemic, where we saw a number of vendor products support tools being mimicked or 'wrapped' with malware," Barratt says. "The 'wrapping' process means that the underlying legitimate tool is still deployed, but as part of that deployment, some malware is dropped into the target environment."

**RomCom Targeting Humans**

To defend against RomCom attacks, Mike Parkin, senior technical engineer with Vulcan Cyber, recommends forgetting about the state espionage aspect of the campaign and instead focusing on social engineering and the true targets — individuals.

"With the current geopolitical situation, it's quite likely there is a state-level involvement behind the scenes. At its core, though, this is an attack against human targets," Parkin explains to Dark Reading. "They are primarily relying on victims being social engineered through email to go to a malicious site disguised as a legitimate one. That makes the users the first line of defense, as well as the primary attack surface."

RomCom Malware Woos Victims With 'Wrapped' SolarWinds, KeePass Software

For whatever reason, the majority of the phony LinkedIn profiles reviewed by this author have involved young women with profile photos that appear to be generated by artificial intelligence (AI) tools.

We’re seeing rapid advances in AI-based synthetic image generation technology and we’ve created a deep learning model to better catch profiles made with this technology. AI-based image generators can create an unlimited number of unique, high-quality profile photos that do not correspond to real people. Fake accounts sometimes use these convincing, AI-generated profile photos to make their fake LinkedIn profile appear more authentic.

Responding to a recent surge in AI-generated bot accounts, **LinkedIn** is rolling out new features that it hopes will help users make more informed decisions about with whom they choose to connect. Many LinkedIn profiles now display a creation date, and the company is expanding its domain validation offering, which allows users to publicly confirm that they can reply to emails at the domain of their stated current employer.

LinkedIn’s new “About This Profile” section — which is visible by clicking the “More” button at the top of a profile — includes the year the account was created, the last time the profile information was updated, and an indication of how and whether an account has been verified.

LinkedIn also said it is adding a warning to some LinkedIn messages that include high-risk content, or that try to entice the user into taking the conversation to another platform (like WeChat).

“We may warn you about messages that ask you to take the conversation to another platform because that can be a sign of a scam,” the company said in a blog post. “These warnings will also give you the choice to report the content without letting the sender know.”

In late September 2022, KrebsOnSecurity warned about the proliferation of fake LinkedIn profiles for Chief Information Security Officer (CISO) roles at some of the world’s largest corporations. A follow-up story on Oct. 5 showed how the phony profile problem has affected virtually all executive roles at corporations, and how these fake profiles are creating an identity crisis for the businesses networking site and the companies that rely on it to hire and screen prospective employees.

Reporting here last month also tracked a massive drop in profiles claiming to work at several major technology companies, as LinkedIn apparently took action against hundreds of thousands of inauthentic accounts that falsely claimed roles at these companies.

For example, on October 10, 2022, there were 576,562 **LinkedIn** accounts that listed their current employer as **Apple Inc.** The next day, half of those profiles no longer existed. At around the same time, the number of LinkedIn profiles claiming current roles at **Amazon** fell from roughly 1.25 million to 838,601 in just one day, a 33 percent drop.

For whatever reason, the majority of the phony LinkedIn profiles reviewed by this author were young women with profile photos that appear to have been generated by artificial intelligence (AI) tools.

“We’re seeing rapid advances in AI-based synthetic image generation technology and we’ve created a deep learning model to better catch profiles made with this technology,” LinkedIn’s **Oscar Rodriguez** wrote. “AI-based image generators can create an unlimited number of unique, high-quality profile photos that do not correspond to real people.”

It remains unclear who or what is behind the recent proliferation of fake executive profiles on LinkedIn, but likely they are from a combination of scams. Cybersecurity firm **Mandiant** (recently acquired by **Google**) told Bloomberg that hackers working for the North Korean government have been copying resumes and profiles from leading job listing platforms LinkedIn and **Indeed**, as part of an elaborate scheme to land jobs at cryptocurrency firms.

Identity thieves have been known to masquerade on LinkedIn as job recruiters, collecting personal and financial information from people who fall for employment scams.

Also, fake profiles also may be tied to so-called “pig butchering” scams, wherein people are lured by flirtatious strangers online into investing in cryptocurrency trading platforms that eventually seize any funds when victims try to cash out.

Tag

#intel