The finding exposes the danger of older, unpatched bugs, which plague at least 4.5 million devices.

A new vector to exploit a vulnerable version of Google SLO Generator has been uncovered, which facilitates remote code execution (RCE). It allows an attacker to gain access to the system and deploy malicious code as if it is coming from a trusted source inside the network.

Google SLO Generator is a widely used Python library used by engineers who want to track their Web API performance. The tool is used by thousands of Google services, but prior to a September 2021 patch, it housed unsafe and exploitable functions, potentially exposing user input data.

Michael Assraf, co-founder and CEO of Vicarius, explains that this path to exploitation was previously unknown and created a new way to exploit outdated versions for worse outcomes than simple information disclosure.

It is unknown how many of the more than 167,000 applications using this library are running vulnerable versions, according to Vicarius, which published a report detailing the attack path. Users who updated the code won't be exposed to this attack, but that said, unpatched vulnerabilities are still the most common way that companies are successfully attacked.

Assraf also raises the issue of potentially problematic workarounds as security researchers uncover new vectors to exploit vulnerable software instances. Developers will often use workarounds to protect against known exploits rather than deploying a systematic update/patch.

"Developers who fall into that category will be vulnerable to this new exploit — along with anyone else who has yet to deploy the patch," he says.

**Millions of Unpatched Devices Remain a Problem**

Externally accessible vulnerabilities expected to remain a favorite attack vector for cybercriminals in the future. A report published this week from Rezilion found vulnerabilities as old as a decade remain unpatched in software and Internet-connected devices.

The study identified more than 4.5 million Internet-facing devices that remain open to vulnerabilities discovered between 2010 to 2020. The report also identified active scanning/exploitation attempts in most of these vulnerabilities.

Yotam Perkal, director of vulnerability research at Rezilion, says there are multiple reasons why unpatched vulnerabilities are so common.

"First, many organizations with less mature security programs do not even have visibility into the vulnerabilities they have in their environment," he says. "Without the proper tooling and vulnerability management processes in place, they are basically blind to the risk and can't patch what they do not know about."

Second, even for organizations with mature vulnerability management processes in place, patching presents a challenge — it requires time and a considerable amount of effort and can often lead to unforeseen patch compatibility issues.

"With the constant rise in the number of new vulnerabilities discovered each year, organizations simply struggle to keep up," he explains.

**Unpatched Vulnerabilities a Top Security Issue**

Assraf calls unpatched vulnerabilities one of the most significant, prevalent, yet fixable security problems across the board — and for a multitude of reasons.

"This issue transcends industry and company size, although large enterprises are typically more susceptible due to sheer volume of systems and users in place," he adds.

He points out there are also new vulnerabilities cropping up daily, so managing "zero vulnerabilities" is a bit of a pipedream.

In addition, large-scale updates also occasionally break things and create unforeseen consequences and compatibility issues, leaving many to take a stance of "If it ain’t broke, don’t fix it."

"The problem is, it is broken, you just don't see the chink in the armor until you've been breached," Assraf warns. "Other common issues are around visibility, shadow IT, and distributed teams that lead to ownership complications."

From his perspective, visibility is the first step in getting vulnerabilities and patching under control, as you can’t fix what you don’t know is broken.

"Having an accurate and continuously updated asset inventory of all assets and devices in your environment is a critical first step," he explains.

Next is knowing how to prioritize the updates available to those systems and assets, which is a common place where enterprises fall short and the volume begins to become just noise.

Perkal says he thinks the key point to having a more proactive posture towards risks from unpatched vulnerabilities is awareness.

"Once you are aware of the risk, make sure you have the right processes and tools in place that will allow you to effectively take action," he says. "At the end of the day, applying an existing patch to a known vulnerability that is known to be exploited in the wild should be the easy aspect of proper security hygiene."

A July report from Palo Alto Networks' Unit 42 also suggested attackers play favorites when looking at which software vulnerabilities to target.

**Solving the Patching Problem With Business Context**

Assraf says it's common to prioritize based on criticality from the major frameworks like CVSS, which assign severity ratings to known vulnerabilities — several security vendors also assign their own black-box scoring systems.

"What's important to account for, and where this step — and vendors — often fall short, is a failure to take business context into account," he says.

It's important therefore to focus on the potential threats that will have the largest impact on your unique digital environment, not necessarily a third-party rating assigned without context.

"The most mature organizations will then automate the patching process based on said context, updating the most critical systems while minimizing downtime and impact through strategic scheduling of deployment," Assraf says.

Perkal points out that most of the code running in an organization comes from various third parties, whether open source or commercial.

"While this allows organizations to focus on their core business logic and release code faster, this also introduces a security risk in the form of software vulnerabilities," he says. "Patching everything simply isn't feasible."

He says to be able effectively to cope with the risk, attack surface management platforms that can intelligently prioritize the vulnerabilities that matter most, as well as help automate some of the mitigation and remediation aspects, can help address this risk.

"The most concerning aspect I drew from the research is these old, known, exploitable vulnerabilities are still so pervasive," he adds. "It's especially concerning since it is likely the same analysis we did is also being conducted by attackers, and by leaving this huge attack surface vulnerable, we are making their lives easy."

Researchers Debut Fresh RCE Vector for Common Google API Tool

Initial attacks used damaging wiper malware and targeted infrastructure, but the most enduring impacts will likely be from disinformation, researchers say. At Black Hat USA, SentinelOne's Juan Andres Guerrero-Saade and Tom Hegel will discuss.

The online attacks against infrastructure and information operations used by both sides in the conflict between Russia and Ukraine fulfill the definition of cyberwar and hold lessons for governments and companies, two researchers plan to say this week at the Black Hat USA conference in Las Vegas.

Cyberattacks preceding Russia's invasion of Ukraine on Feb. 24, 2022 — and ongoing operations since the initial push into eastern Ukraine — qualify as cyberwar because they involve state-sponsored actors, use tactics designed to support Russia's objectives, and focus on specific targets and motivations, says Tom Hegel, a senior threat researcher at threat intelligence firm SentinelOne, who will present the research at the conference. The threat actors aimed to support the overall war effort, in the case of Russia-linked actors, or the support for Ukraine's defense, in the case of Ukraine-linked actors, he says.

In their Wednesday, Aug. 10, presentation, "Real 'Cyber War': Espionage, DDoS, Leaks, and Wipers in the Russian Invasion of Ukraine," Hegel and colleague Juan Andres Guerrero-Saade plan to outline how attackers have used seven different families of malware and denial-of-service (DoS) attacks to attack everything from telecommunications infrastructure to oil and gas firms.

"We want to challenge the idea that cyberwar has not occurred, but also lay out a road map of what we have seen over the past few months in terms of actors and the types of activities," Hegel says. "The Russian threat actors, while there is not a clear line that they have crossed that makes it cyberwar, we have seen the initial wave of wipers, then community-focused hacktivism that took off, and finally a long tail of destructive attacks."

The presentation is the latest research attempting to define what constitutes cyberwar and cyber conflict.

**Defining "Cyberwar"**

The most formal definition comes from the second version of the _Tallinn Manual on the International Law Applicable to Cyber Warfare_, published in 2017, which defines cyberwar as "a cyberattack, in either an offensive or defensive cyber operation, that is reasonably expected to cause death to persons, damage, or cause destruction to objects." The manual, however, often uses the words cyberattack and cyberwar interchangeably and excludes cyber operations that could be supportive of war efforts, such as information operations and attacks on financial systems, neither of which aim to cause physical damage or death, two professors stated in a review of the manual in 2017.

In the current conflict, cyber operations have similarly supported the aims of either Russia or Ukraine rather than attempting to necessarily inflict physical damage or death.

"The connection to war is focused on destruction or disruption of infrastructure, or gaining an upper hand during an armed conflict, even if the coordination of the kinetic attacks with cyber operations is not there," Hegel says.

The playbook used by Russia in the early days of — and even prior to — the invasion of Ukraine included initial waves of damaging attacks focused on infrastructure, especially telecommunications systems. During Russia's buildup of forces on Ukraine's border, threat actors used a variety of attacks, such as WhisperGate and HermeticWiper, to target organizations in Ukraine with destructive wipers.

"In many conflicts, there is an aspect that has been modernized on the cyber side, but this is the first time that we have a really clear example of cyberwar," Hegel says.

**The Rise of Influence Campaigns**

While not traditionally considered a facet of cyberwar, the most enduring strategy of the current conflict may be information operations, he says. Russia has pursued a disinformation strategy to change worldwide opinions and gain support for its claims of Ukrainian territory, while Ukraine has pursued information operations to undermine Russian support for its invasion and bolster support for supplying the country with weapons.

"The disinformation side is a big piece of this war, but even more so, the weaponization of public information that is already out there," Hegel says. "A good example is the Amnesty International report, for example, and social media accounts supportive of Russia amplifying pieces of the message critical of Ukraine."

The researchers also had a message for corporate information-security teams. Companies should take note of the activities used by each side in a cyberwar, because the conflict can quickly impact participants who otherwise would be distant from the war. Organizations that take side or a stand in a conflict will often be targeted, but collateral damage is also a problem. The cyber-physical Stuxnet attack on Iran's nuclear processing capability, for example, spread to non-Iranian systems, although the payload did not affect those systems in the same way. Two even worse attacks, WannaCry and NotPetya, are both thought to have been cyber operations and both spread far beyond the original targeted group of organizations, causing billions in damages.

"A lot of what we have seen is not just government attacking government, but businesses in the middle being impacted," Hegel says. "It is not just because of their function being impacted, such as a telecommunications company's infrastructure, but also because their messaging made them a target. So even though you are not taking a step in a conflict, you will likely get pulled in, if your business operates in those regions at all."

Russia-Ukraine Conflict Holds Cyberwar Lessons

Extends all aspects of the Arbor Sightline solution with unique, real-time multidimensional DDoS and traffic analytics capabilities.

WESTFORD, Mass., Aug. 9, 2022 --(BUSINESS WIRE) — NETSCOUT SYSTEMS INC., (NASDAQ: NTCT), a leading provider of cybersecurity, service assurance, and business analytics solutions, today introduced Arbor Insight, a groundbreaking technology that, when combined with Arbor Sightline, dramatically enhances and extends threat detection, service delivery, and network operator visibility to address the evolving threat landscape. This combination extends Netscout's DDoS leadership to unparalleled levels.

"ATRs provide the ideal solution for short- and longer-term reporting, so operators can better answer network, security, and business questions and provide reliable, relevant services to their customers."

With DDoS attack traffic continuing to exceed pre-pandemic levels and ISPs presenting a broader threat surface, network operators of all scales need unconstrained, multidimensional visibility into the traffic running across their networks to optimize their defenses.

The new, combined solution set of Sightline with Insight leverages ASI, Netscout's unique metadata technology, to correlate multiple sources of network telemetry with global intelligence and local configuration to deliver an 80-plus facet record for each monitored network communication. Arbor Insight provides security and network operations teams with the optimal data set to perform critical tasks — including time-series analysis of critical traffic dimensions and annotated flow data for in-depth investigations, forensics, and retrospective analysis. Additionally, by using configurable, optimized data sets, Insight delivers instant access to high-fidelity data with minimal storage and compute requirements, greatly extending the value of existing Sightline deployments.

**Powerful Advanced Traffic Reports**

Insight delivers flexible, multidimensional time-series threat and traffic analytics using new customizable Advanced Traffic Reports (ATRs). ATRs augment users' operational workflows with immediate n-dimensional visibility into key areas of interest, facilitating speed-of-thought drill downs and sub-filtering to quickly expose network dynamics such as top attack targets and vectors, top talkers/services/protocols, historical anomalies, threat signatures, and more. In addition, ATRs automatically maintain the desired data fidelity and granularity, allowing instant response to any query, supporting long- and short-term visibility needs, and optimizing total cost-of-ownership. These capabilities help network operators tune their defenses, deliver superior design, scale their mitigation capabilities, and more quickly onboard new service customers — reducing costs and increasing revenue.

"Arbor Insight extends the value of Sightline by providing the right data set at the speed of thought with integrated, end-to-end workflows for superior visibility and performance," stated Tom Lyons, vice president of product, Netscout. "ATRs provide the ideal solution for short- and longer-term reporting, so operators can better answer network, security and business questions, and provide reliable, relevant services to their customers."

Visit our website for more information on Arbor Sightline and Arbor Insight.

**About NETSCOUT  
**NETSCOUT SYSTEMS, INC. (NASDAQ: NTCT) protects the connected world from cyberattacks and performance disruptions through advanced network detection and response and pervasive network visibility. Powered by our pioneering deep packet inspection at scale, we serve the world’s largest enterprises, service providers, and public sector organizations. Learn more at www.netscout.com or follow @NETSCOUT on LinkedIn, Twitter, or Facebook.

_©2022 NETSCOUT SYSTEMS, INC. All rights reserved. NETSCOUT, the NETSCOUT logo, Guardians of the Connected World, Adaptive Service Intelligence, Arbor, ATLAS, Cyber Threat Horizon, InfiniStream, nGenius, nGeniusONE, and Arbor are registered trademarks or trademarks of NETSCOUT SYSTEMS, INC., and/or its subsidiaries and/or affiliates in the USA and/or other countries. Third-party trademarks mentioned are the property of their respective owners._

Netscout Arbor Insight Leverages Patented ASI Technology to Enhance Security and Operational Awareness for Network Operators of Any Scale

By Deeba Ahmed
Meta says the company sabotaged two cyber espionage campaigns against Facebook which originated from South Asia. Meta, Facebook’s…
This is a post from HackRead.com Read the original post: Hackers Targeted Facebook in Cyber Espionage Campaigns – Meta

Meta, Facebook’s parent company, has disrupted two cross-platform cyber espionage campaigns. The malicious operations mainly relied on online platforms to deliver malware.

The announcement was made in Meta’s Quarterly Adversarial Threat Report, Second Quarter 2022, **published** this Thursday.

**Meta’s Crackdown Against Cyber espionage Operations**

According to Meta’s global threat intelligence lead, Ben Nimmo, and director of threat disruption, David Agranovich, earlier this year, Meta sabotaged the operations of two hacker groups targeting Facebook in cyber espionage campaigns.

The company noticed multiple policy violations worldwide, mainly by two hacking groups, both of which operated out of South Asia.

**Targeted Groups**

The first group is identified as **Bitter APT aka T-APT-17**. This group has been active since 2013 and was disrupted in the 2nd quarter of 2022. It targeted organizations in the engineering, energy, and government sectors.

The other group is APT36 which is known for delivering **Crimson RAT**. This group targeted people in India, Pakistan, Afghanistan, UAE, and Saudi Arabia. Their primary victims included government and military officials, human rights employees, and people associated with non-profit organizations.

As per Meta’s investigation, the activities of **APT36** who is also known as Earth Karkaddan were connected to Pakistan-based state-linked actors.

**Victims of Cyber Espionage Campaigns**

Bitter APT used many malicious tactics to target people online, including social engineering. They used different strategies to distribute malware, such as link-shortening services, infected websites, malicious domains, and third-party hosting service providers.

A similar case was noticed with ATP36 as their TTPs were also low in sophistication but good in persistence and attack tactics. The group targeted email providers, social media, and file-hosting services.

Meta revealed that the hacker groups targeted people in India, Pakistan, New Zealand, and the United Kingdom. Although they had low operational security and sophistication levels, the groups were well-resourced and persistent.

The hackers used fictitious personas such as posing as journalists, young women, and activists to connect with their victims and gain their trust before luring them into downloading malware.

**Attack Tactics, Techniques, and Procedures**

Regarding TTPs (tactics, techniques, and procedures), Bitter ATP used a combination of social engineering, adversarial adaptation, **Android malware** dubbed by Meta as Dracarys, and an iOS application. 

“As such, APT36 is known for using a range of different malware families, and we found that in this recent operation it had also trojanized (non-official) versions of WhatsApp, WeChat, and YouTube with another commodity malware family known as Mobzsar or CapraSpy,” the report read.

Bitter APT deployed a chat application for iOS, which the group distributed through Apple’s Testflight service. Still, there’s no evidence that the application was just used for **social engineering** or contained malware.

They also used Dracarys Android malware to exploit accessibility services for carrying out malicious activities on the infected devices. This malware was injected into unofficial versions of Telegram, Signal, WhatsApp, and YouTube and collected device data, messages, call logs, user files, contacts, and location data, and could take photos, install apps, and activate the microphone.

In conclusion, it’s clear that social media platforms can be abused by cybercriminals for malicious purposes. Although Meta has done its job, It’s important for users to be aware of these threats and take steps to protect their information.

1.  **Facebook ads dropped malware posing as a Clubhouse app for PC**
2.  **Mandrake Android malware stealing Facebook, crypto data since 2016**
3.  **Ducktail Malware Exploits LinkedIn to Hack Facebook Business Accounts**
4.  **CopperStealer malware stealing Facebook, Apple, and Google passwords**
5.  **Facebook removes 100s of accounts for spreading iOS and Android malware**

Hackers Targeted Facebook in Cyber Espionage Campaigns – Meta

Categories: News
Categories: Threat Intelligence
Tags: Healthcare

Tags:  Medical

Read about trends in cyberattacks in the Healthcare and Medical industry, as well as our recommendations for helping to secure your healthcare organization.



(Read more...)




The post Summer of exploitation leads to healthcare under fire appeared first on Malwarebytes Labs.

May 2021 was a tough month for the Healthcare and Medical sector–the most notable threat trend at the time was the heavy use of a new popular exploit against Dell systems, leading to immense effort by attackers to utilize the exploit before it became less effective due to patching.  

During this period, hospitals in central Florida were hit with malicious attacks that disrupted their operations and forced them to conduct business via pen and paper. In addition, a hospital system in Southern California was forced to modify how it did business due to a cyberattack. The San Diego-based health system quickly moved its information technology program offline, to reduce the damage done by the attack. However it also put a roadblock in the way of legitimate employees and customers trying access their medical information online.

_Figure 1. United States Healthcare and Medical Threat Family Detections by Month_

After the spike in May, CVE 2021-21551 detections dropped to about a quarter of the original numbers, and remained there throughout the year, except for another spike in February 2022. It seems the primary target for these attacks were healthcare and medical organizations in Pensacola, FL, but detections for New York, Wisconsin and New Jersey weren't far behind.

Heavy detections of TrickBot were observed, especially against organizations in York, Pennsylvania during the first three months of 2021. But detections of this threat all over the United States quickly dropped beginning in April 2021 and steadily declined throughout the time period. TrickBot isn't a stranger to healthcare organizations and has historically targeted them for the sake of launching ransomware or causing operational disruption.

This threat is even a concern to the US Government, which released an alert, through the CISA portal, back in October of 2020, about the danger of the TrickBot organization specifically targeting Healthcare organizations.

_Figure 2. United States Healthcare & Medical Family Threat Detections Pie Chart_

In August and September, we observed significant spikes of AI behavioral-based detections, which lines up with a series of newsworthy healthcare breaches during the same period. 

For example, a healthcare group in central Indiana was the victim of an attack that lead to a ransomware infection and the loss of information from patients and employees, then released on the dark web. The attack itself occurred in early August and forced organizations to turn away ambulances for several days, an action which led to the death of a person in Germany.

Another attack in early August, this time against a healthcare management firm in Dallas, Texas, resulted in the theft of valuable information, including patient information, health insurance and financial data. 

**Securing healthcare and medical organizations**

Our recommendations for securing healthcare and medical organizations start with acknowledging that securing these organizations from every possible threat is not possible. Therefore, when considering how to defend against a ransomware attack, be sure to account for getting operations back online after an attack. This includes having plans for operating the business without the use of computers, establishing secure backups of sensitive data off-site and off-line, while still following HIPPA protocol.

Beyond that, this industry has dealt with lots of heavy attacks originating from both attempts to exploit vulnerabilities, as well as spear phishing. Quickly patching vulnerabilities is a high priority, however given that quick patching isn’t always an option, times like these require risk reduction, such as removing non-patchable endpoints from direct Internet access, creating additional layers of authentication to access high value systems, and a thorough review of user accounts and permissions, to tighten up who has access to what.

Finally, many of these organizations utilize mobile stations for inputting or reviewing data. These systems should not be able to do things like using USB drives. They should have screen protectors to prevent unintended information disclosure, and these systems should be completely wiped with a new image on a regular basis, to ensure removal of any hidden rootkit-level threats.

Summer of exploitation leads to healthcare under fire

Categories: News
Categories: Threat Intelligence
Tags: Education

Beyond spikes in detections, the education sector has dealt with an onslaught of attacks ranging from spyware and denial of service tools to ransomware.



(Read more...)




The post Education hammered by exploits and backdoors in 2021 and 2022 appeared first on Malwarebytes Labs.

In May of 2021, education underwent a siege of exploit attempts using the vulnerability CVE-2021-21551, which exploits a Dell system driver bug and helps attackers to gain access to a network. Considering that many schools across the United States use Dell hardware, it’s understandable to see such a large amount of this exploit. 

In fact, both Rockland Schools in Massachusetts and Visalia USD in California were hit with ransomware attacks during this period. The states that detected this threat the most were Minnesota and Michigan, with Detroit being the biggest target in the US. 

In September of 2021, there was a spike of the malicious setting, **RiskwareTool.IFEOHijack**, with detections having increased from July 2021 onward. This threat is flagged when malware modifies a registry setting that changes the default Windows debugger to a malware executable. It is a red flag that needs to be investigated immediately. Unfortunately, it doesn’t pinpoint which malware made the modification, but the increased presence of this threat, especially in Oklahoma and Washington State, calls for deeper threat hunting on the victims' networks. During the same period, a spike in exploit detections was observed and Howard University was breached.

The Trojan TechSupportScam covers an array of applications all designed to fool users into calling a “tech support” number to solve a problem created by the application, such as a blue screen, error message, activation alert, etc. These tools started spiking in January of 2022.  Educational institutions in New Jersey have had to deal with this threat more than any other state, however the public school district of Albuquerque, NM suffered a breach during the same month that could have been influenced by this spike in scams. Students and staff likely encountered these threats when installing risky software and/or visiting shady sites.

Finally, Pennsylvania schools have been dealing with an active campaign of backdoors, specifically QBot, since March of 2022, which will likely result in greater infections during the rest of 2022.

Beyond spikes in detections, the education sector has dealt with an onslaught of attacks ranging from spyware and denial of service tools to ransomware.  Throughout the year, almost every month has a report of an educational institution under attack. The first half of 2021 saw attacks against schools in Florida, New York, Oregon, Massachusetts, and California, while the second half saw attacks against Texas, Washington D.C., Wisconsin, and Illinois. The biggest attack of 2022, so far, would be the breach of Austin Peay State University in April, though time will tell if that remains true.

The education industry has the largest userbase out of all industries, considering the constant rotation of students and faculty. Therefore, the greatest threat to these organizations are the users themselves, who may download their own applications, visit dangerous websites, and even make system modifications to get around monitoring tools.

**Recommendations for education**

Our recommendation for this sector includes keeping an eye out for all new exploits that might affect your organization, especially commonly used systems. In a lot of cases, organizations may have a difficult time updating quickly, because of operational needs, but in the case of schools, a single vulnerability might be duplicated across 99% of its endpoints, which turns each of those systems into backdoors for the bad guys. So, making vulnerability patching one of the highest priorities will reduce attacks and decrease malicious file installation.

Next, systems that have been infected may leave behind artifacts of its operations, for example the IFEOHijack registry setting. Additionally, threats that may be installed on day one, might not activate until a user does something specific, or a certain date comes around, allowing the threat to hide in the meantime. To combat this threat, consider creating a secure, default system image that can be easily duplicated to endpoints, returning them to a default state. While this is likely already done by many schools every year, consider increasing the frequency to every quarter, maybe even every month, and have students save their files on cloud-based storage solutions.

By utilizing a default image, an organization can erase hidden malware, reset modified settings, and provide confidence in quickly isolating or wiping out an infected system. For the education industry, it’s not so much about what threats are actively targeting schools, but rather what threats have been left behind, that open doors for other, future attacks.

Education hammered by exploits and backdoors in 2021 and 2022

Machine-learning algorithms alone may miss signs of a successful attack on your organization.

Zero-day attacks that exploit unpatched software vulnerabilities saw exponential growth last year. According to cybersecurity researchers like the Zero-Day Tracking Project, 2021 saw more than 80 zero-day exploits recorded, versus 36 in 2000. There are already 22 such exploits on record for the first half of 2022.

As soon as a vulnerability becomes known, cybercriminals rush to exploit it before the software developer can write, test, and release a patch. That window may be hours, but more likely days or weeks long. So, it's important that you have threat hunters — humans, not machine-learning algorithms — scouring your infrastructure proactively for signs of a successful attack.

The risk of falling victim to a zero-day attack is considerable, and the consequences real. One study from the Ponemon Institute found that 80% of successful data breaches originated with zero-day exploits. The vulnerabilities exploited are found in software common to the enterprise, including Microsoft Windows and Office, Google Chrome, Adobe Reader, Apple iOS, and Linux.

With 2021's Apache Log4j Java-based vulnerability, we can add hundreds of millions of devices and a wide range of websites, consumer and enterprise services, and applications to the list.

Step one in protecting every organization is to practice excellent IT hygiene — keep up to date on patching and updating all software. It's the back-to-basics measure that so many companies love to overlook or postpone. Granted, it can be time and resource consuming to test and deploy software patches, and the process can disrupt business operations. But it's a critical safeguard and far less costly than a data breach.

**The Invisibility of Newness**

A strong perimeter and signature-based edge controls like anti-virus software and intrusion prevention do not provide complete protection. That's because they can only detect known threats. They are blind to the footprints of zero-day attacks, when the cybercriminals are the first to uncover and exploit a software vulnerability. That's why zero-day exploit kits carry very high price tags on the black market, running from tens of thousands of dollars up to millions. They work that well.

Once a cybercriminal has used a zero-day exploit to penetrate a network unseen, they can take their time and deploy their weapon of choice, from viruses and worms to malware and ransomware to remote code execution. They can move laterally in the network, steal identities, and steal data. As long as you don't know they're there, it's like handing over the keys to the crown jewels.

**The Role of Threat Hunting**

It's that invisibility that makes proactive threat hunting an essential component of the layered approach to security. It's made possible in part because we have been smart about using machine learning to free up scarce cybersecurity people resources by reducing the number of alerts needing human intervention by 90%. Some in the industry have taken this success to mean that humans can be phased out of the security equation by algorithms, and that algorithms can do the work for us, including threat hunting.

Machine learning does bring significant advantages to cybersecurity management, but it will never completely replace humans in the security operations center. Machines handle high-volume tasks like eliminating false positives and repetitions extremely well. Machine learning may assist when you are hunting for known threats, including advanced and "low-and-slow" threats, where you know what indicators of compromise (IoCs) to look for.

However, human intelligence, intuition, strategic thinking, and creative problem solving are essential in proactive zero-day threat hunting where the IoCs are unknown and the hunter is looking for the subtle indications that another human is maliciously active in your environment.

This approach is research intensive. The analyst may create a hypothesis and then validate it based on observed patterns or anomalous activity in security data logs and user and entity behavioral analysis (UEBA) logs. According to CISA, these can include failed file modifications, increased CPU activity, inability to access files, unusual network communications, compromised administrator privileges, credentials theft, increases in database read volumes, and irregular geographical access.

Companies can develop threat hunting skills in-house or acquire them as a managed service. Either way, these human defenders and their proactive threat hunting expertise are the new elites in the security industry. Supported by comprehensive log data, threat intelligence, and tools like the MITRE ATT&CK knowledge base, human threat hunters are essential to combatting zero-day attacks, multistage attacks, and devious, low-and-slow hackers.

Human Threat Hunters Are Essential to Thwarting Zero-Day Attacks

Regulators are close to stopping Meta from sending EU data to the US, bringing a years-long privacy battle to a head.

Facebook faces trouble in Europe—and Meta wants you to know about it. Every three months since June 2018, the company has used its financial results to warn that it could be forced to stop running Facebook and Instagram across the continent—potentially pulling its apps from millions of people and thousands of businesses—if it can’t send data between the EU and the US.

Whether Meta’s bluffing will become clear soon enough.

Data regulators are on the verge of making a historic ruling in a years-long case, and they are expected to say Facebook’s data transfers across the Atlantic should be blocked. For years, Meta has fought against European privacy activists over how data is sent to the US, with courts ruling multiple times that European data isn’t properly protected and can potentially be snooped on by the NSA and other US intelligence agencies.

While the case focuses on Meta, it has widespread ramifications, potentially impacting thousands of businesses across Europe that rely upon the services of Google, Amazon, Microsoft, and more. At the same time, US and European negotiators are scrambling to finalize a long-awaited new data-sharing deal that will limit what information US intelligence agencies can get their hands on. If negotiators can’t get it right, people’s privacy will remain at risk and billions of dollars of trade will be put in jeopardy.

At the start of July, the Irish Data Protection Commission, Facebook’s main data regulator in Europe, issued a draft decision that would block Meta from sending data across the Atlantic. While the specifics of that draft decision aren’t known, if it is enacted, it could create a Facebook blackout across Europe.

Under the GDPR, Europe’s data law, countries across the continent get 30 days to scrutinize Ireland’s Meta decision and respond with any potential changes or complaints. That time is now up. A spokesperson for the Irish regulator says “some” objections have been received from a “small” number of other countries and it is working to address these. Experts say these are likely to be minor points of law, rather than overturning the entire decision.

So, how likely is it that Meta will actually pull its services from Europe? In reality, the chances are probably pretty slim. Meta has said it has “no desire” to leave the continent, going as far as publishing a blog post titled “Meta Is Absolutely Not Threatening to Leave Europe.” Europe’s 30-plus countries are a large market for Meta, and stopping services, even temporarily, could be costly. (A close comparison is when the company briefly banned news posts in Australia in early 2021, following a row with publishers.) While Meta may not leave Europe, it may have to make changes to how it stores and transfers data once the final decision from the Irish regulator is published, although there is no set timeline. It may also face a fine.

“My guess is that Meta is going to have to look at some form of geo-siloing if they want to continue to operate in the EU,” says Calli Schroeder, global privacy counsel at the Electronic Privacy Information Center, a nonprofit digital rights research organization. Schroeder, who previously worked with companies on international data transfers, says this approach could mean Meta would have to create its own servers and data centers in the EU that aren’t connected to its broader databases.

Harshvardhan Pandit, a computer science research fellow at Trinity College Dublin who is researching the GDPR, says that as data authorities are still considering Meta’s case and a final decision hasn’t been published yet, they could include several caveats or steps that Meta should take to fall in line. For instance, one recent data protection decision in Europe gave a six-month period for a company to make changes to its business.

“I think the most pragmatic solution would be for them to create the European infrastructure, like Google or Amazon, which have quite a few data centers here,” Pandit says, adding that Meta could also introduce more encryption to how it stores data and maximize how much it keeps in the EU. All these measures would be costly, though. Jack Gilbert, director and associate general counsel at Meta, says that the issue “is in the process of being resolved.” Facebook did not respond specifically to questions about its plan to respond to the Irish decision.

European officials have twice ruled that systems put in place to share data between the EU and US don’t properly protect people’s data—the complaints have been ongoing since the early 2010s. European courts ruled that international data-sharing agreements weren’t up to scratch first in 2015 and then again in July 2020, when the Privacy Shield agreement was ruled illegal.

“All that the EU is asking for when organizations transfer data to other countries is to protect that data in line with the GDPR,” says Nader Henein, a research vice president specializing in privacy and data protection at Gartner. “The issue is that laws in the US that protect the data of ‘nonresident aliens’ are woefully insufficient and make it very difficult for organizations like Facebook to comply with local law and the GDPR.”

While Meta is the focus of the most high-profile complaint, it isn’t the only company impacted by a lack of clarity on how companies in Europe can send data to the US. “The data transfer issue is not Meta-specific,” David Wehner, Meta’s chief strategy officer, said in a July earnings call. “It relates to how in general data is transferred for all US and EU companies back and forth to the US.”

The impacts of the July 2020 decision to get rid of Privacy Shield are now being felt. Since January of this year, multiple European data regulators have ruled that using Google Analytics, the company’s traffic-monitoring service for websites, falls foul of the GDPR. Danish authorities went even further: Schools can’t use Chromebooks without restrictions being put in place. “There is a ton of legal uncertainty, and there is a significant compliance risk,” says Gabriela Zanfir-Fortuna, vice president of global privacy at Future of Privacy Forum, a nonprofit think tank.

Politicians are well aware of the problems. In March, US president Joe Biden and European Commission president Ursula von der Leyen announced a new Trans-Atlantic Data Privacy Framework, which will change the way data is sent between the EU and US. The deal, which will be introduced by executive order, will limit what data US intelligence agencies can access and will create a new system where Europeans can complain if they think they’ve been illegally spied upon by US agencies.

However, since the deal was announced, no specifics—including any legal texts—have been published. In June, officials said the deal could be published in the coming weeks, but so far, there has been little public progress. The US Department of Commerce says discussions are still taking place, including a meeting between both sides last week. (A European Commission spokesperson says work on the new agreement is ongoing, but they do not have a timeline that can be shared.) The longer the negotiations take, the more blocking orders will drop. “Obviously, if that framework is not complete, we would be in jeopardy of being able to transfer data,” Facebook’s Wehner said earlier this year.

The deal is likely to take a while yet. “Realistically, at this point, we're looking at a potential adequacy decision for this Trans-Atlantic data transfers framework sometime next year—maybe the first quarter of next year,” Zanfir-Fortuna says. Once the details have been published, EU officials will spend months scrutinizing the specifics to see if they fall in line with court orders.

And they won’t be the only ones pouring over it. Privacy activists and lawyers will also be looking at the agreement and could launch further legal challenges if they find that data moving from Europe to the US still isn’t protected strongly enough. “The continued challenges are not unwarranted, particularly considering the Snowden revelations and the prevalence of Big Tech firms coming out of the US,” Schroeder says. “As a whole, America really needs to make sure we rise to the challenge of showing that we can be good stewards of the industry that we're trying to be leaders in.”

Will Europe Force a Facebook Blackout?

By Deeba Ahmed
The US Treasury Department has blacklisted Tornado Cash on the accusation that the platform helped bad actors harvest…
This is a post from HackRead.com Read the original post: US Blacklists Tornado Cash, GitHub Removes Co-Founder in Response

****The US Treasury Department has blacklisted Tornado Cash on the accusation that the platform helped bad actors harvest over $7 billion in cryptocurrencies.****

American citizens will not be able to use the Tornado Cash mixer protocol due to the US law enforcement agencies’ recent crackdown on the cryptocurrency industry. The authorities considered Tornado Cash a threat to the country’s national security and placed the platform on blocked entities, making it illegal to send/receive money via Tornado Cash.

The volatility of cryptocurrencies and the industry’s potential role in cybercrimes have been a cause of concern among US regulators/lawmakers.

> Seems like USDC has indeed blacklisted the @TornadoCash contracts, meaning if you had USDC deposited in Tornado you can not access it anymore even if everything you did was perfectly legit and legal. https://t.co/f5rpt4Ul9M
> 
> — Martin Köppelmann 🇺🇦 (@koeppelmann) August 8, 2022

The undersecretary for terrorism and financial intelligence, Brin Nelson, **stated** that Tornado Cash repeatedly got involved in laundering funds for cybercriminals despite “public assurance.”

It is worth noting that the State-backed North Korean Lazarus Group was blamed for **stealing 1.7 billion worth of cryptocurrencies** from different exchanges.

The Treasury Department claims that the platform laundered over $455 million in cryptocurrencies in 2022 via Lazarus Group, while overall, $7 billion have been laundered by Lazarus and other cybercrime groups.

Another cryptocurrency exchange under the radar of US authorities and may be facing blacklisting is **Kraken**.

**What is Tornado Cash?**

Tornado Cash is a decentralized mixer protocol (smart contract) launched in 2019. It is used to carry out private transactions on Ethereum. The platform accepts mixes, and pools cryptocurrency from different senders to ensure maximum privacy and obscure audit trail. These crypto mixers combine multiple streams of transactions to hide the funds’ origin and destination

**GitHub Removes Tornado Cash Co-founder**

Within hours after the US government blacklisted Tornado Cash, actions were taken against the platform, and all websites and accounts linked to it were removed from the internet.

**Microsoft-owned GitHub** also deleted the account of one of the co-founders of Tornado Cash, Roman Semenov. GitHub previously hosted code related to the mixer. When checked, the co-founder’s accounts returned a “Page Not Found” error, and emails also bounced back with the following message:

>  “The email account that you tried to reach is disabled.”

According to a GitHub spokesperson, as per trade laws, they are required to restrict entities/customers declared Specially Designated Nationals (SDNs) or who have been blocked by authorities from using GitHub.

The spokesperson further added that they need to check government sanctions regularly to ensure such entities don’t impact other users. On the other hand, Semenov later tweeted about his account’s blocking on GitHub stating the following:

> My @GitHub account was just suspended 🤷
> 
> Is writing an open source code illegal now?
> 
> — Roman Semenov 🌪️ 🇺🇦 (@semenov\_roman\_) August 8, 2022

1.  **German Authorities Warn Against Using Kaspersky Products**
2.  **US Warns Firms About North Korean Hackers Posing as IT Workers**
3.  **US Adds Kaspersky to List of Firms Posing Threat to National Security**
4.  **GitHub Blocks Accounts of Two Large Russian Banks Amid US Sanctions**
5.  **LAZARUS APT Using TraderTraitor Malware to Target Blockchain Orgs, Users**

US Blacklists Tornado Cash, GitHub Removes Co-Founder in Response

The U.S. Treasury Department on Monday placed sanctions against crypto mixing service Tornado Cash, citing its use by the North Korea-backed Lazarus Group in the high-profile hacks of Ethereum bridges to launder and cash out the ill-gotten money.
Tornado Cash, which allows users to move cryptocurrency assets between accounts by obfuscating their origin and destination, is estimated to have been

The U.S. Treasury Department on Monday placed sanctions against crypto mixing service Tornado Cash, citing its use by the North Korea-backed Lazarus Group in the high-profile hacks of Ethereum bridges to launder and cash out the ill-gotten money.

Tornado Cash, which allows users to move cryptocurrency assets between accounts by obfuscating their origin and destination, is estimated to have been used to launder more than $7.6 billion worth of virtual assets since its creation in 2019, the department said.

Thefts, hacks, and fraud account for $1.54 billion of the total assets sent through the mixer, according to blockchain analytics firm Elliptic.

Crypto mixing is akin to shuffling digital currencies through a black box, blending a certain quantity of digital funds in private pools before transferring it to its designated receivers for a fee. The aim is to make transactions anonymous and difficult to trace.

"Despite public assurances otherwise, Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks," Brian E. Nelson, under secretary of the Treasury for terrorism and financial intelligence, said.

The development comes as North Korea's Lazarus Group (aka Hidden Cobra) has been linked to the use of the decentralized crypto mixer to funnel the proceeds from a string of major hacks targeting virtual currency services, including that of Axie Infinity and Harmony Horizon Bridge in recent months.

The theft of $624 million worth of Ethereum from Axie Infinity's Ronin network bridge is the largest known cryptocurrency heist to date, with the $190 million hack of Nomad Bridge last week taking the fifth spot. The Horizon Bridge theft hack comes in at 11.

Specifically, the Treasury Department pointed to Tornado Cash's role in laundering over $455 million and $96 million worth of cryptocurrency stolen from the two heists. It has also been implicated for facilitating the theft of at least $7.8 million following the attack on Nomad Bridge.

"Tornado receives a variety of transactions and mixes them together before transmitting them to their individual recipients," the agency said. "While the purported purpose is to increase privacy, mixers like Tornado are commonly used by illicit actors to launder funds, especially those stolen during significant heists."

Also sanctioned by the department are 38 Ethereum-based addresses holding Ether (ETH) and USD Coin (USDC) that are linked to it, effectively prohibiting U.S. entities from transacting with these wallets.

"As a smart contract-based mixer, Tornado Cash is one of the most advanced methods available for laundering ill-gotten cryptocurrency, and cutting it off from compliant cryptocurrency businesses represents a huge blow for criminals looking to cash out," Chainalysis said.

The move makes Tornado Cash the second cryptocurrency mixer to be blocklisted by the Office of Foreign Assets Control (OFAC) following the designation of Blender.io in May 2022, also for its part in laundering illicit funds siphoned by the Lazarus Group and cybercrime cartels like TrickBot, Conti, Ryuk, and Gandcrab.

It's also the latest escalation in a series of enforcement actions aimed at tackling cryptocurrency-based crime, in the wake of similar sanctions imposed by the Treasury on virtual currency exchanges SUEX, CHATEX, and Garantex over the past year.

"Tornado Cash community tries its best to make sure it can be used by good actors by providing compliance tools for example," Roman Semenov, one of the co-founders of Tornado Cash, said in a tweet. "Unfortunately it's technically impossible to block anyone from using the smart contract on the blockchain."

The sanctions seem to be having further repercussions, what with Semenov's GitHub account suspended in the aftermath of the announcement. "Is writing an (sic) open source code illegal now?," he tweeted.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#intel