With almost every business experiencing growth in human and machine identities, firms have made securing those identities a priority.

Rapidly growing employee identities, third-party partners, and machine nodes have companies scrambling to secure credential information, software secrets, and cloud identities, according to researchers.

In a survey of IT and identity professionals released Wednesday from Dimensional Research, almost every organization — 98% — experiences rapid growth in the number of identities that have to be managed, with that growth driven by expanding cloud usage, more third-party partners, and machine identities. Furthermore, businesses are also seeing an increase in breaches because of this, with 84% of firms suffering an identity-related breach in the past 12 months, compared with 79% in a previous study covering two years.  

The rising incidence of breaches is unsurprising, says Julie Smith, executive director of the Identity Defined Security Alliance (IDSA), which sponsored the survey,

"The number and complexity of identities organizations are having to manage and secure is increasing," she says. "Whenever there is an increase in identities, there is a corresponding heightened risk of identity-related breaches due to them not being properly managed and secured, and with the attack surfaces also growing exponentially, these breaches can occur on multiple fronts."

For the most part, organizations focus on employee identities, which 70% consider to be the most likely to be breached and 58% believe to have the greatest impact, according to the 2022 "Trends in Securing Digital Identities" report based on the survey. Yet third-party partners and business customers are significant sources of risk as well, with 35% and 25% of respondents considering those to be a major source of breaches, respectively.

    

Source: IDSA

The IDSA recommends that companies focus on identity-related security outcomes that reduce the risk and impact of data breaches. Almost every respondent (96%) believes that implementing security controls focused on identities, such as multifactor authentication (MFA), could have prevented or minimized a breach.

"Centered on enabling effective identity governance, access, and behavioral detection, the security outcomes add a layer of protection around IT environments," the report states. "It is here that multifactor authentication as a mitigation strategy jumped to the top of the list in preventing breaches."

**MFA Reduces Identity-Related Breaches**

The top three countermeasures identified by respondents as potentially blunting the impact of breaches included MFA, more timely review of privileged access, and continuous discovery and monitoring of privileged access rights, according to the survey. Those three security controls also are likely to get the most investment in the coming year, says IDSA's Smith.

"We wouldn’t necessarily expect the countermeasures and planning to match up 100% as that would indicate organizations are chasing their tails and focusing only on the last breach when forward-thinking strategy and vision about the next potential breach is needed," she says.

Machine identities — such as system credentials, software secretes, and Internet of Things (IoT) passwords — are the main factors driving increased identities at 43% of organizations, according to the report. Despite that, only 18% of companies consider machine identities to be a significant source of breaches.

"Both human and machine identities are vulnerable without the proper mitigation and security tactics in place," Smith says. "Given that machine identities have the potential to expand much quicker than human identities, if a machine identity isn’t properly secured, managing the network of machine identities can quickly pose a major risk."

Meanwhile, the growing number of cloud workloads means that the credentials that allow software to talk use APIs and communicate with other software is an expanding surface of attack, Alex Simons, corporate vice president of program management for Microsoft's Identity division, said in March.

Companies that have executives focused on identity security are more likely to reduce the risk of breaches, according to the IDSA report. While only 30% of respondents consider training in securing passwords to be a very effective strategy, companies that have top-level business executives espousing support for password security are much more likely to be more careful with work-related credentials compared with companies that rely on security teams as the primary evangelist.

"If we’re talking about implementing and deploying meaningful security outcomes, we have to increase engagement beyond IT or security teams," IDSA's Smith says. "This simply demonstrates that when management embraces security as a part of messaging, the general trend implies that security becomes a strategic part of the company’s culture."

80% of Firms Suffered Identity-Related Breaches in Last 12 Months

Authorities in the United States, Germany, the Netherlands and the U.K. last week said they dismantled the "RSOCKS" botnet, a collection of millions of hacked devices that were sold as "proxies" to cybercriminals looking for ways to route their malicious traffic through someone else's computer. While the coordinated action did not name the Russian hackers allegedly behind RSOCKS, KrebsOnSecurity has identified its owner as a Russian man living abroad who also runs the world's top Russian spamming forum.

Authorities in the United States, Germany, the Netherlands and the U.K. last week said they dismantled the “**RSOCKS**” botnet, a collection of millions of hacked devices that were sold as “proxies” to cybercriminals looking for ways to route their malicious traffic through someone else’s computer. While the coordinated action did not name the Russian hackers allegedly behind RSOCKS, KrebsOnSecurity has identified its owner as a 35-year-old Russian man living abroad who also runs the world’s top spam forum.

The RUSdot mailer, the email spamming tool made and sold by the administrator of RSOCKS.

According to a statement by the **U.S. Department of Justice**, RSOCKS offered clients access to IP addresses assigned to devices that had been hacked:

“A cybercriminal who wanted to utilize the RSOCKS platform could use a web browser to navigate to a web-based ‘storefront’ (i.e., a public web site that allows users to purchase access to the botnet), which allowed the customer to pay to rent access to a pool of proxies for a specified daily, weekly, or monthly time period. The cost for access to a pool of RSOCKS proxies ranged from $30 per day for access to 2,000 proxies to $200 per day for access to 90,000 proxies.”

The DOJ’s statement doesn’t mention that RSOCKS has been in operation since 2014, when access to the web store for the botnet was first advertised on multiple Russian-language cybercrime forums.

The user “RSOCKS” on the Russian crime forum **Verified** changed his name to RSOCKS from a previous handle: “**Stanx**,” whose very first sales thread on Verified in 2016 quickly ran afoul of the forum’s rules and prompted a public chastisement by the forum’s administrator.

Verified was hacked twice in the past few years, and each time the private messages of all users on the forum were leaked. Those messages show that after being warned of his forum infraction, Stanx sent a private message to the Verified administrator detailing his cybercriminal bona fides.

“I am the owner of the RUSdot forum (former Spamdot),” Stanx wrote in Sept. 2016. “In spam topics, people know me as a reliable person.”

A Google-translated version of the Rusdot spam forum.

RUSdot is the successor forum to **Spamdot**, a far more secretive and restricted forum where most of the world’s top spammers, virus writers and cybercriminals collaborated for years before the community’s implosion in 2010. Even today, the RUSdot Mailer is advertised for sale at the top of the RUSdot community forum.

Stanx said he was a longtime member of several major forums, including the Russian hacker forum **Antichat** (since 2005), and the Russian crime forum **Exploit** (since April 2013). In an early post to Antichat in January 2005, Stanx disclosed that he is from **Omsk**, a large city in the Siberian region of Russia.

According to the cyber intelligence firm Intel 471, the user Stanx indeed registered on Exploit in 2013, using the email address **stanx@rusdot.com**, and the ICQ number **399611**. A search in Google for that ICQ number turns up a cached version of a Vkontakte profile for a **Denis “Neo” Kloster**, from Omsk, Russia.

Cybersecurity firm Constella Intelligence shows that in 2017, someone using the email address **istanx@gmail.com** registered at the Russian freelancer job site **fl.ru** with the profile name of “**Denis Kloster**” and the Omsk phone number of **79136334444**. Another record indexed by Constella suggests Denis’s real surname may in fact be “**Emilyantsev**” \[Емельянцев\].

That phone number is tied to the WHOIS registration records for multiple domain names over the years, including **proxy\[.\]info**, **allproxy\[.\]info**, **kloster.pro** and **deniskloster.com**.

A copy of the passport for Denis Kloster, as posted to his Vkontakte page in 2019. It shows that in Oct. 2019, he obtained a visa from the American Embassy in Bangkok, Thailand.

The “about me” section of DenisKloster.com says the 35-year-old was born in Omsk, that he got his first computer at age 12, and graduated from high school at 16. Kloster says he’s worked in many large companies in Omsk as a system administrator, web developer and photographer.

According to Kloster’s blog, his first real job was running an “online advertising” firm he founded called **Internet Advertising Omsk** (“**riOmsk**“), and that he even lived in New York City for a while.

“Something new was required and I decided to leave Omsk and try to live in the States,” Kloster wrote in 2013. “I opened an American visa for myself, it was not difficult to get. And so I moved to live in New York, the largest city in the world, in a country where all wishes come true. But even this was not enough for me, and since then I began to travel the world.”

The current version of the About Me page on Kloster’s site says he closed his advertising business in 2013 to travel the world and focus on his new company: One that provides security and anonymity services to customers around the world. Kloster’s vanity website and LinkedIn page both list him as CEO of a company called “**SL MobPartners**.”

In 2016, Deniskloster.com featured a post celebrating three years in operation. The anniversary post said Kloster’s anonymity business had grown to nearly two dozen employees, most of whom were included in a group photo posted to that article (and some of whom Kloster thanked by their first names and last initials).

The employees who kept things running for RSOCKS, circa 2016.

“Thanks to you, we are now developing in the field of information security and anonymity!,” the post enthuses. “We make products that are used by thousands of people around the world, and this is very cool! And this is just the beginning!!! We don’t just work together and we’re not just friends, we’re Family.”

Mr. Kloster did not respond to repeated requests for comment.

It’s not clear if the coordinated takedown targeting the RSOCKS botnet will be permanent, as the botnet’s owners could simply rebuild — and possibly rebrand — their crime machine. Based on the RSOCKS owner’s posts, that is exactly what they intend to do.

“RSocks ceases to exist,” wrote the Rsocks account on the BlackHatWorld forum on June 17. “But don’t worry. All the active plans and fund balances will be transferred to another service. Stay tuned. We will inform you about its name and all the details later.”

Rsocks told the BlackHatWorld community they would be back soon under a new name.

Malware-based proxy services like RSOCKS have struggled to remain competitive in a cybercrime market with increasingly sophisticated proxy services that offer many additional features. The demise of RSOCKS follows closely on the heels of **VIP72\[.\]com**, a competing proxy botnet service that operated for a decade before its owners pulled the plug on the service last year.

Meet the Administrators of the RSOCKS Proxy Botnet

Culture of ‘insecure-by-design’ security is cited in discovery of bug-riddled operational technology devices.

Culture of ‘insecure-by-design’ security is cited in discovery of bug-riddled operational technology devices.

Researchers discovered 56 vulnerabilities affecting devices from 10 operational technology (OT) vendors, most of which they’ve attributed to inherent design flaws in equipment and a lax approach to security and risk management that have been plaguing the industry for decades, they said.

The vulnerabilities–found in devices by reputed vendors Honeywell, Emerson, Motorola, Siemens, JTEKT, Bentley Nevada, Phoenix Contact, Omron, Yogogawa as well as an unnamed manufacturer–vary in terms of their characteristics and what they allow threat actors to do, according to the research from Forescout’s Vedere Labs.

However, overall the “impact of each vulnerability is high dependent on the functionality each device offers,” according to a blog post about the flaws published Tuesday.

Researchers broke down the type of flaw that they found in each of the products into four basic categories: insecure engineering protocols; weak cryptography or broken authentication schemes; insecure firmware updates; or remote code execution via native functionality.

Among the activities that threat actors can engage in by exploiting the flaws on an affected device include: remote code execution (RCE), with code executed in different specialized processors and different contexts within a processor; denial of service (DoS) that can take a device completely offline or block access to a certain function; file/firmware/configuration manipulation that allows an attacker to change important aspects of a device; credential compromise allowing access to device functions; or authentication bypass that allows an attacker to invoke desired functionality on the target device, researchers said.

****Systemic Problem****

That the flaws—which researchers collectively dubbed OT:ICEFALL in a reference to Mount Everest and the mountain device makers need to climb in terms of security–exist in key devices in networks that control critical infrastructure in and of itself is bad enough.

However, what’s worse is that the flaws could have been avoided, as 74 percent of the product families affected by the vulnerabilities have some sort of security certification and thus were verified before being sent to market, researchers found. Moreover, most of them should have been discovered “relatively quickly during in-depth vulnerability discovery,” they noted.

This free pass OT vendors have been giving to vulnerable products demonstrates a persistent lackluster effort by the industry as a whole when it comes to security and risk management, something researchers hope to change by shining a light on the problem, they said.

“These issues range from persistent insecure-by-design practices in security-certified products to subpar attempts to move away from them,” researchers wrote in the post. “The goal \[of our research\] is to illustrate how the opaque and proprietary nature of these systems, the suboptimal vulnerability management surrounding them and the often-false sense of security offered by certifications significantly complicate OT risk management efforts.”

****Security Paradox****

Indeed, security professionals also noted the paradox of the lax security strategy of vendors in a field that produces the systems running critical infrastructure, attacks on which can be catastrophic not just for the networks on which the products exist but for the world at large.

“One may incorrectly assume that the industrial control and operational technology devices that perform some of the most vital and sensitive tasks in critical infrastructure environments would be among the most heavily secured systems in the world, yet the reality is often the exact opposite,” noted Chris Clements, vice president of solutions architecture for Cerberus Sentinel, in an email to Threatpost.

Indeed, as evidenced by the research, “too many devices in these roles have security controls that are frighteningly easy for attackers to defeat or bypass to take complete control of the devices,” he said.

The findings of researchers are yet another signal that the OT industry “is experiencing a long overdue cybersecurity reckoning” that vendors must address first and foremost by integrating security at the most basic level of production before proceeding further, Clements observed.

“Manufacturers of sensitive operational technology devices must adopt a culture of cybersecurity that starts at the very beginning of the design process but continues through to validating the resulting implementation in the final product,” he said.

****Challenges to Risk Management****

Researchers outlined some of the reasons for the inherent issues with security design and risk management in OT devices that they suggest manufacturers remedy in swift fashion.

One is the lack of uniformity in terms of functionality across devices, which means that their inherent lack of security also varies widely and makes troubleshooting complicated, they said. For example, in investigating three main pathways to gaining RCE on level 1 devices via native functionality–logic downloads, firmware updates and memory read/write operations—researchers found that individual technology handled these pathways differently.

None of the systems analyzed support logic signing and more than 50 percent compiled their logic to native machine code, they found. Moreover, 62 percent of the systems accept firmware downloads via Ethernet, while only 51 percent have authentication for this functionality.

Meanwhile, sometimes the inherent security of the device wasn’t directly the fault of the manufacturer but that of “insecure-by-design” components in the supply chain, which further complicates how manufacturers manage risk, researchers found.

“Vulnerabilities in OT supply chain components tend to not be reported by every affected manufacturer, which contributes to the difficulties of risk management,” they said.

****Long Road Ahead****

Indeed, managing risk management in OT and IT devices and systems alike requires “a common language of risk,” something that’s difficult to achieve with so many inconsistencies across vendors and their security and production strategies in an industry, noted Nick Sanna, CEO of RiskLens.

To remedy this, he suggested vendors quantify risk in financial terms, which can enable risk managers and plant operators to prioritize decision-making on “responding to vulnerabilities – patching, adding controls, increasing insurance — all based on a clear understanding of loss exposure for both IT and operational assets.”

However, even if vendors begin to address the fundamental challenges that have created the OT:ICEFALL scenario, they face a very long road ahead to mitigate the security problem comprehensively, Forescout researchers said.

“Complete protection against OT:ICEFALL requires that vendors address these fundamental issues with changes in device firmware and supported protocols and that asset owners apply the changes (patches) in their own networks,” they wrote. “Realistically, that process will take a very long time.”

Discovery of 56 OT Device Flaws Blamed on Lackluster Security Culture

The threat actor targets institutions and companies in Europe and Asia.

The threat actor targets institutions and companies in Europe and Asia.

An advanced persistent threat (APT) group, dubbed ToddyCat, is believed behind a series of attacks targeting Microsoft Exchange servers of high-profile government and military installations in Asia and Europe. The campaigns, according to researchers, began in December 2020, and have been largely poorly understood in their complexity until now.

“The first wave of attacks exclusively targeted Microsoft Exchange Servers, which were compromised with Samurai, a sophisticated passive backdoor that usually works on ports 80 and 443,” wrote Giampaolo Dedola security researcher at Kaspersky, in a report outlining the APT.

Researchers said ToddyCat a is relatively new APT and there is “little information about this actor.”

The APT leverages two passive backdoors within the Exchange Server environment with malware called Samurai and Ninja, which researchers say are used by the adversaries to take complete control of the victim’s hardware and network.

The Samurai malware was a part of a multi-stage infection chain initiated by the infamous China Chopper and relies on web shells to drop exploits on the selected exchange server in Taiwan and Vietnam from December 2020, reports Kaspersky.

The researchers stated that the malware “arbitrary C# code execution and is used with multiple modules that allow the attacker to administrate the remote system and move laterally inside the targeted network.” In some cases, they said, the Samurai backdoor lays the path to launch another malicious program called Ninja.

Aspects of ToddyCat’s threat activities were also tracked by cybersecurity firm ESET, which dubbed the “cluster of activities” seen in the wild as Websiic. Meanwhile, researchers at GTSC identified another part of the group’s infection vectors and techniques in a report outlining the delivery of the malware’s dropper code.

“That said, as far as we know, none of the public accounts described sightings of the full infection chain or later stages of the malware deployed as part of this group’s operation,” Kaspersky wrote.

****Multiple Strings of Attacks on Exchange Server Over the Years****

During the period between December 2020 and February 2021, the first wave of attacks were carried out against the limited number of servers in Taiwan and Vietnam.

In the next period, between February 2021 and May 2021, researchers observed a sudden surge in attacks. That’s when, they said, the threat actor began abusing the ProxyLogon vulnerability to target organizations in multiple countries including Iran, India, Malaysia, Slovakia, Russia and the United Kingdom.

After May 2021, the researchers observed the attributes linked to the same group which targets the previously mentioned countries as well as the military and government organizations based in Indonesia, Uzbekistan and Kyrgyzstan. The attack surface in the third wave is expanded to desktop systems while previously the scope was limited to Microsoft Exchange Servers only.

****Attack Sequence****

The attack sequence is initiated after the deployment of the China Chopper web shell attack sequenc, which allows the dropper to execute and install the components and create multiple registry keys.

The registry modification in the prior step forces “svchost” to load a malicious library “iiswmi.dll” and performs its action to invoke the third stage where a “.Net loader” executes and opens the Samurai backdoor.

According to the researchers, the Samurai backdoor is hard to detect during the reverse engineering process as it “switch cases to jump between instructions, thus flattening the control flow” and uses obfuscation techniques.

In the specific incidents, the advanced tool Ninja was implemented by Samurai to coordinate and collaborate multiple operators to work simultaneously on the same machine. The researchers explained that the Ninja provides a large set of commands allowing an attacker to “control remote systems, avoid detection and penetrate deep inside a targeted network”.

Ninja shares similarities with the other post-exploitation toolkit like Cobalt strike in terms of capabilities and features. It can “control the HTTP indicators and camouflage malicious traffic in HTTP requests that appear legitimate by modifying HTTP header and URL paths,” the researcher noted.

****ToddyCat Activity Extend Over to Chinese APTs****

According to the report, China-based hackers are targeting victims of the ToddyCat APT gang within the same time frame. In those instances, researchers observed the Chinese-language hackers use an Exchange backdoor called FunnyDream.

“This overlap caught our attention, since the ToddyCat malware cluster is rarely seen as per our telemetry; and we observed the same targets compromised by both APTs in three different countries. Moreover, in all the cases there was a proximity in the staging locations and in one case they used the same directory,” researchers wrote.

The security researchers believe that despite the ‘occasional proximity in staging locations’, they do not have any concrete proof that shows the linkage between the two malware families.

“Despite the overlap, we do not feel confident merging ToddyCat with the FunnyDream cluster at the moment,” Kaspersky wrote. “Considering the high-profile nature of all the victims we discovered, it is likely they were of interest to several APT groups,” the report added.

“The affected organizations, both governmental and military, show that this group is focused on very high-profile targets and is probably used to achieve critical goals, likely related to geopolitical interests,” Kaspersky wrote.

Elusive ToddyCat APT Targets Microsoft Exchange Servers

A newly discovered Magecart skimming campaign has its roots in a previous attack activity going all the way back to November 2021.
To that end, it has come to light that two malware domains identified as hosting credit card skimmer code — "scanalytic[.]org" and "js.staticounter[.]net" — are part of a broader infrastructure used to carry out the intrusions, Malwarebytes said in a Tuesday analysis

A newly discovered Magecart skimming campaign has its roots in a previous attack activity going all the way back to November 2021.

To that end, it has come to light that two malware domains identified as hosting credit card skimmer code — "scanalytic\[.\]org" and "js.staticounter\[.\]net" — are part of a broader infrastructure used to carry out the intrusions, Malwarebytes said in a Tuesday analysis.

"We were able to connect these two domains with a previous campaign from November 2021 which was the first instance to our knowledge of a skimmer checking for the use of virtual machines," Jérôme Segura said. "However, both of them are now devoid of VM detection code. It's unclear why the threat actors removed it, unless perhaps it caused more issues than benefits."

The earliest evidence of the campaign's activity, based on the additional domains uncovered, suggests it dates back to at least May 2020.

Magecart refers to a cybercrime syndicate comprised of dozens of subgroups that specialize in cyberattacks involving digital credit card theft by injecting JavaScript code on e-commerce storefronts, typically on checkout pages.

This works by operatives gaining access to websites either directly or via third-party services that supply software to the targeted websites.

While the attacks gained prominence in 2015 for singling out the Magento e-commerce platform (the name Magecart is a portmanteau of "Magento" and "shopping cart"), they have since expanded to other alternatives, including a WordPress plugin named WooCommerce.

According to a report published by Sucuri in April 2022, WordPress has emerged as the top CMS platform for credit card skimming malware, outpacing Magento as of July 2021, with skimmers concealed in the websites in the form of fake images and seemingly innocuous JavaScript theme files.

What's more, WordPress websites accounted for 61% of known credit card skimming malware detections during the first five months of 2022, followed by Magento (15.6%), OpenCart (5.5%), and others (17.7%).

"Attackers follow the money, so it was only a matter of time before they shifted their focus toward the most popular e-commerce platform on the web," Sucuri's Ben Martin noted at the time.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Newly Discovered Magecart Infrastructure Reveals the Scale of Ongoing Campaign

An email campaign lures users with a voicemail notification to enter their Office 365 credentials on a fake login page.
The post Watch out for the email that says “You have a new voicemail!” appeared first on Malwarebytes Labs.

A phishing campaign is using voicemail notification messages to go after victims’ Office 365 credentials.

According to researchers at ZScaler, the campaign uses spoofed emails with an HTML attachment that contains encoded javascript.

The email claims that you have a new voicemail and that you can listen to the message by clicking on the attachment. To add credibility, the name of the attachment starts with a music note character like f.e. ♫ to make it look like a sound clip. In reality, it is an HTML file with obfuscated javascript embedded.

The javascript uses the **windows.location.replace** method to redirect the target to a specially crafted phishing page. The access to the page is behind a reCAPTCHA, probably to keep out the bots, particularly any automated URL analysis tools.

**Spoofed email**

Email spoofing basically comes down to sending emails with a false sender address. This can be used in various ways by attackers. Obviously pretending to be someone else can have its advantages especially if that someone else holds a position of power or trust with regards to the receiver.

In this campaign the threat actors use a name in the “From” field of the email aligned with the targeted organization’s name. An internal mail is more likely to be trusted by the receiver. Analysis of the email headers shows that the attacker leveraged email servers located in Japan.

**Targets**

The final credential phishing page attempts to steal the Office 365 credentials of the users by presenting them with a fake login screen. The redirection URL includes the target’s email address in base64 encoded, likely so the attackers will be able to match the victim and their login credentials.

The researchers found the campaign targeting organizations in the US military, security software developers and providers, healthcare and pharmaceutical, and supply-chain organizations in manufacturing and shipping.

**How to avoid being phished**

*   Do not open unverified email attachments. If someone you know sends you an attachment you’re not expecting, check it is really them via another contact method.
*   Do not enter your credentials before checking the actual URL of the site.
*   If you use a password manager that autofills your login details, it will not enter your credentials on a phishing site because it will have a different URL. This is a really handy giveaway that something is up.
*   Enable 2-factor authentication (2FA). If you hand over your password to a phishing page, the phisher can’t do much with it while you’re protected with 2FA. This isn’t foolproof though, as some phishing sites will also try to steal your 2FA codes.

Stay safe, everyone!

Watch out for the email that says “You have a new voicemail!”

Most organizations still rely on virtual private networks for secure remote access.

Zero-trust initiatives may be on the security roadmap for most enterprises today, but remote-access architecture today is still highly dependent upon virtual private network (VPN) technology.

Newly published data shows that approximately 90% of organizations still utilize VPN in some capacity to secure remote access for their users. Meantime, across a broad population of IT and security practitioners, fewer than one in three say they have plans to — or have begun to — roll out zero-trust network access (ZTNA) to supplant VPN.

The results are from a survey conducted by Sapio Research on behalf of Banyan Security, which reached out to 1,025 IT respondents, focusing the bulk of the survey on the 410 who were aware of both VPN and ZTNA. The study shows that among that group, a full 97% reported that adopting a zero-trust model is a priority for them. Slightly over half of those aware of both VPN and ZTNA said they've begun to roll out zero-trust solutions.

ZTNA is a term Gartner started championing in 2019 to describe in broad strokes a range of products and services that create logical access boundaries around applications or sets of applications using a combination of identity- and context-based factors. The firm predicted at the time that by next year, 2023, approximately 60% of enterprises will start phasing out their VPNs in favor or ZTNA.

"VPNs are just a band aid on a fundamentally broken network security model. And ultimately this has to be replaced," Neil MacDonald, vice president and distinguished analyst for Gartner, said in a recent analysis of zero-trust strategies in 2022. "We need to invert the model. Instead of connecting and then worrying about authentication, we need to authenticate first, then connect. This is where you see many of the tenets of zero-trust networking coming in."

**The Problem With VPNs**

One of the biggest problems with VPN technology is the fact that it "allows for network-level access to an enterprise," explains Deloitte's Andrew Rafla, who leads the consultancy's zero-trust offering.

In contrast, ZTNA restricts remote users' access to only the specific applications and assets they need and nothing more, says Rafla. ZTNA is one important component of a broader zero-trust architecture, he says, which also should include a centralized and federated identity store, privileged access management controls, data protection, network segmentation, device security, and telemetry and analytics.

"General cyber hygiene fundamentals should not be overlooked as well; in order to realize the true benefits of the zero-trust model, an organization should have a solid grasp on its IT asset management, configuration and vulnerability management, and data classification," Rafla says.

Given these weighty requirements to truly grab the zero-trust brass ring, it should come as no surprise that many organizations can feel overwhelmed by it all. Over two-thirds of current VPN users report in this survey that implementing a ZTNA strategy is a large to very large undertaking.

The biggest constraint for VPN-dependent organizations that keep them from transitioning to ZTNA are cost/budget constraints, which was named by 62%. Approximately 13% of them say zero trust is confusing and they don’t even know where to start.

Interestingly, though, among those who have adopted ZTNA, the implementation timeframes may not be as scary as those clinging to VPN may think. The study shows that the mean time to deployment was about 11.5 months. This may be a good lesson in the fact that an organization can and should roll out zero-trust components in a phased manner, and that ZTNA for remote access may be an accessible first step in the journey.

VPNs Persist Despite Zero-Trust Fervor

ToddyCat's Samurai and Ninja tools are designed to give attackers persistent and deep access on compromised networks, security vendor says.

A threat group that may have been among the first to exploit the ProxyLogon zero-day vulnerability in Exchange Servers last year is using a pair of dangerous and previously unseen malware tools in a cyber espionage campaign targeting military and government organizations in Europe and Asia.

Researchers at Kaspersky who first detected the group's activities this week described the tools as malware designed to enable long-term persistence on an organization's public-facing Web servers and giving attackers the ability to move laterally and penetrate deeply into compromised networks.

The malware tools have features that allow their functionality to be extended at will, but Kaspersky has been unable so far to determine the full range of their capabilities, the vendor noted.

**Attacks Targeted ProxyLogon Exchange Server Flaw**

Kaspersky is tracking the previously unknown group as "ToddyCat." In a report this week, the security vendor said the adversary's victim targeting and certain operational overlaps with at least one known Chinese threat actor suggest that members of ToddyCat are Chinese-speaking as well.

"This group targets high-profile organizations, usually government, diplomatic, military organizations, and military contractors," says Giampaolo Dedola, security researcher at Kaspersky. It may be possible that the threat actor has compromised victims in the US as well. But currently Kaspersky has no information to suggest this is indeed the case, Dedola says.

Kaspersky's analysis showed that ToddyCat's campaign began in December 2020 with attacks targeting selected Exchange Servers belonging to three organizations in Vietnam and Taiwan. The attackers used an unknown exploit to breach the Exchange Servers and deploy the popular China Chopper Web shell on the systems. They then used the Web shell to initiate a multi-stage infection chain involving custom loaders that ended with one of the new malware tools — a backdoor called "Samurai" — being deployed on the compromised system.

**Sophisticated Malware**

Samurai is a passive backdoor designed to give the attackers persistent access on Internet-facing Web servers. The backdoor works on ports 80 and 443 and is designed primarily to execute arbitrary C# code on infected systems.

"Based on our investigation, we were able to detect some of the source codes uploaded by the attacker and we know that it was used to execute arbitrary commands, download files, forward TCP packets to internal hosts," Dedola says. As one example, he points to the attacker using Samurai to communicate with internal Active Directory servers. "The ability to run arbitrary C# code allows attackers to infinitely extend the malware's capabilities," he says.

Kaspersky's research showed the attackers also used Samurai to launch "Ninja," the other previously unseen malware tool that ToddyCat is using in its attacks. Ninja is Cobalt Strike-like malware for executing post-exploitation activities on already compromised systems.

"It allows the attackers to control the remote system, manipulate the file system, manipulate processes, inject arbitrary code in other processes, forward TCP packets, and load new modules in its memory," Dedola says.

Ninja agents can be configured to act like servers. So, the adversary can use the malware to designate specific machines as internal command and control servers (C2s), thereby limiting connections to external servers and reducing the chances of being detected. This feature, combined with the TCP command forwarding functionality, gives the attackers a way to manage even those systems that are not directly connected to the Internet, Dedola says.

Between Dec. 2020 and early Feb. 2021, ToddyCat remained tightly focused on a handful of organizations in Vietnam and Taiwan. But then, for a brief period between late February and early March, the threat actor quickly escalated its attacks by targeting the ProxyLogon vulnerability to compromise organizations in multiple countries. The group's victims included organizations in Russia, UK, Slovakia, India, Iran, and Malaysia, and belonged to industries and sectors that have traditionally been of interest to China-based groups, Kaspersky said.

**A Change in Tactics**

Almost all of ToddyCat's early attacks targeted Exchange Server flaws. But starting Sept. 2021, Kaspersky observed what it described as "waves of attacks" against desktop systems involving the use of malicious loaders sent via the Telegram messaging service. It's unclear how many organizations ToddyCat has compromised, but the number is likely less than 30, Dedola says.

What makes Samurai and Ninja dangerous is the anti-forensic and anti-analysis technique incorporated into the malware, according to Kaspersky. For example. Samurai is designed to share TCP port 80 and 443 with Microsoft Exchange and cannot be detected by monitoring the ports. The malware also uses a complex loading scheme to avoid detection and maintain persistence. It addition, it uses a technique called "control-code flattening" to avoid detection by static analysis tools, Dedola says.

"The Ninja Trojan is also another modular malware, with capabilities that can be easily extended by the attacker," he tells Dark Reading, adding that the malware runs only in memory and never appears on file systems, making it harder to detect. "It is usually executed with a loader, which decrypts the payload from a third file. The file with the encrypted payload is immediately deleted by the loader."

Christopher Prewitt, CTO at Inversion6, says Kaspersky's research shows that the malware authors have gone to great lengths to hide and obfuscate their methods. While the Samurai backdoor features some relatively common features, ToddyCat's bespoke Ninja post-exploit tool appears more interesting.

"It is loaded in memory, making it much more difficult to analyze and detect," Prewitt says. "The threat actor could continue to reuse this part of their toolkit, while only swapping out or updating the initial infection point and backdoor tooling."

China-Linked ToddyCat APT Pioneers Novel Spyware

After the Raccoon Stealer Trojan disappeared, the RIG Exploit Kit seamlessly adopted Dridex for credential theft.

The cybercriminals behind the RIG Exploit Kit earlier this year traded out the credential-stealer Trojan Raccoon Stealer after its lead developer was killed in the Russian invasion of Ukraine.

According to analysts with Bitdefender, the cybercrime group behind the RIG Exploit Kit was able to quickly substitute in the tried-and-true financial Trojan Dridex, which has a range of functions, including keylogging and the ability to steal screenshots. 

"The move to Dridex was a strategic decision to save the operation," Bogdan Botezatu, director, Threat Research and Reporting at Bitdefender, tells Dark Reading. "Cybercriminals running this campaign had to move to a different option or lose the money they had already invested in renting out access to the RIG EK panel. Dridex is a powerful information-stealer that, to some extent, provides similar functionality to Raccoon. Unlike Raccoon, it is still operational and can offer 'business continuity' to the cybercriminals behind this campaign."

The RIG Exploit Kit lets cybercriminals quickly swap out payloads to avoid detection or in case of compromise, according to researchers at Bitdefender, making adaptability part of its product. 

"This once again demonstrates that threat actors are agile and quick to adapt to change," the analysts wrote in their report on the malware campaign. 

"In order to be prepared, defenders should patch the known vulnerabilities in software used across the organization and monitor for the indicators of compromise (IOCs), Botezatu counsels. "A security solution with machine-learning capabilities can detect and block the payload at various execution stages as well."

It's also worth noting that Racoon is likely to make a reappearance, Botezatu notes.

"The Raccoon group has hit a temporary stop with the death of one of its operators, but we believe the team will regroup," he says. "Usually, such groups suspend their operations when teams get arrested or when they voluntarily decide to shift to a more lucrative business. Loss of a team member is a temporary road block and we presume that they will get back online as soon as they manage to recruit a replacement."

RIG Exploit Kit Replaces Raccoon Stealer Trojan With Dridex

Artificial intelligence use is booming, but it's not the secret weapon you might imagine.

From cyber operations to disinformation, artificial intelligence extends the reach of national security threats that can target individuals and whole societies with precision, speed, and scale. As the US competes to stay ahead, the intelligence community is grappling with the fits and starts of the impending revolution brought on by AI.

The US intelligence community has launched initiatives to grapple with AI’s implications and ethical uses, and analysts have begun to conceptualize how AI will revolutionize their discipline, yet these approaches and other practical applications of such technologies by the IC have been largely fragmented.

As experts sound the alarm that the US is not prepared to defend itself against AI by its strategic rival, China, Congress has called for the IC to produce a plan for integration of such technologies into workflows to create an “AI digital ecosystem” in the 2022 Intelligence Authorization Act.

The term AI is used for a group of technologies that solve problems or perform tasks that mimic humanlike perception, cognition, learning, planning, communication, or actions. AI includes technologies that can theoretically survive autonomously in novel situations, but its more common application is machine learning or algorithms that predict, classify, or approximate empiric-like results using big data, statistical models, and correlation.

While AI that can mimic humanlike sentience remains theoretical and impractical for most IC applications, machine learning is addressing fundamental challenges created by the volume and velocity of information that analysts are tasked with evaluating today.

At the National Security Agency, machine learning finds patterns in the mass of signals intelligence collects from global web traffic. Machine learning also searches international news and other publicly accessible reporting by the CIA's Directorate of Digital Innovation, responsible for advancing digital and cyber technologies in human and open-source collection, as well as its covert action and all-source analysis, which integrates all kinds of raw intelligence collected by US spies, whether technical or human. An all-source analyst evaluates the significance or meaning when that intelligence is taken together, memorializing it into finished assessments or reports for national security policymakers.

In fact, open source is key to the adoption of AI technologies by the intelligence community. Many AI technologies depend on big data to make quantitative judgments, and the scale and relevance of public data cannot be replicated in classified environments.

Capitalizing on AI and open source will enable the IC to utilize other finite collection capabilities, like human spies and signals intelligence collection, more efficiently. Other collection disciplines can be used to obtain the secrets that are hidden from not just humans but AI, too. In this context, AI may supply better global coverage of unforeseen or non-priority collection targets that could quickly evolve into threats.

Meanwhile, at the National Geospatial-Intelligence Agency, AI and machine learning extract data from images that are taken daily from nearly every corner of the world by commercial and government satellites. And the Defense Intelligence Agency trains algorithms to recognize nuclear, radar, environmental, material, chemical, and biological measurements and to evaluate these signatures, increasing the productivity of its analysts.

In one example of the IC’s successful use of AI, after exhausting all other avenues—from human spies to signals intelligence—the US was able to find an unidentified WMD research and development facility in a large Asian country by locating a bus that traveled between it and other known facilities. To do that, analysts employed algorithms to search and evaluate images of nearly every square inch of the country, according to a senior US intelligence official who spoke on background with the understanding of not being named.

While AI can calculate, retrieve, and employ programming that performs limited rational analyses, it lacks the calculus to properly dissect more emotional or unconscious components of human intelligence that are described by psychologists as system 1 thinking.

AI, for example, can draft intelligence reports that are akin to newspaper articles about baseball, which contain structured non-logical flow and repetitive content elements. However, when briefs require complexity of reasoning or logical arguments that justify or demonstrate conclusions, AI has been found lacking. When the intelligence community tested the capability, the intelligence official says, the product looked like an intelligence brief but was otherwise nonsensical.

Such algorithmic processes can be made to overlap, adding layers of complexity to computational reasoning, but even then those algorithms can’t interpret context as well as humans, especially when it comes to language, like hate speech.

AI’s comprehension might be more analogous to the comprehension of a human toddler, says Eric Curwin, chief technology officer at Pyrra Technologies, which identifies virtual threats to clients from violence to disinformation. “For example, AI can understand the basics of human language, but foundational models don’t have the latent or contextual knowledge to accomplish specific tasks,” Curwin says.

“From an analytic perspective, AI has a difficult time interpreting intent,” Curwin adds. “Computer science is a valuable and important field, but it is social computational scientists that are taking the big leaps in enabling machines to interpret, understand, and predict behavior.”

In order to “build models that can begin to replace human intuition or cognition,” Curwin explains, “researchers must first understand how to interpret behavior and translate that behavior into something AI can learn.”

Although machine learning and big data analytics provide predictive analysis about what might or will likely happen, it can’t explain to analysts how or why it arrived at those conclusions. The opaqueness in AI reasoning and the difficulty vetting sources, which consist of extremely large data sets, can impact the actual or perceived soundness and transparency of those conclusions.

Transparency in reasoning and sourcing are requirements for the analytical tradecraft standards of products produced by and for the intelligence community. Analytic objectivity is also statuatorically required, sparking calls within the US government to update such standards and laws in light of AI’s increasing prevalence.

Machine learning and algorithms when employed for predictive judgments are also considered by some intelligence practitioners as more art than science. That is, they are prone to biases, noise, and can be accompanied by methodologies that are not sound and lead to errors similar to those found in the criminal forensic sciences and arts.

“Algorithms are just a set of rules, and by definition are objective because they’re totally consistent,” says Welton Chang, cofounder and CEO of Pyrra Technologies. With algorithms, objectivity means applying the same rules over and over. Evidence of subjectivity, then, is the variance in the answers.

“It’s different when you consider the tradition of the philosophy of science,” says Chang. “The tradition of what counts as subjective is a person's own perspective and bias. Objective truth is derived from consistency and agreement with external observation. When you evaluate an algorithm solely on its outputs and not whether those outputs match reality, that’s when you miss the bias built in.”

Depending on the presence or absence of bias and noise within massive data sets, especially in more pragmatic, real-world applications, predictive analysis has sometimes been described as “astrology for computer science.” But the same might be said of analysis performed by humans. A scholar on the subject, Stephen Marrin, writes that intelligence analysis as a discipline by humans is “merely a craft masquerading as a profession.”

Analysts in the US intelligence community are trained to use structured analytic techniques, or SATs, to make them aware of their own cognitive biases, assumptions, and reasoning. SATs—which use strategies that run the gamut from checklists to matrixes that test assumptions or predict alternative futures—externalize the thinking or reasoning used to support intelligence judgments, which is especially important given the fact that in the secret competition between nation-states not all facts are known or knowable. But even SATs, when employed by humans, have come under scrutiny by experts like Chang, specifically for the lack of scientific testing that can evidence an SAT’s efficacy or logical validity.

As AI is expected to increasingly augment or automate analysis for the intelligence community, it has become urgent to develop and implement standards and methods, which are both scientifically sound and ethical for law enforcement and national security contexts. While intelligence analysts grapple with how to match AI’s opacity to the evidentiary standards and argumentation methods required for the law enforcement and intelligence contexts, the same struggle can be found in understanding analysts’ unconscious reasoning, which can lead to accurate or biased conclusions.

Tag

#mac