https://decipher.sc
Decipher is an independent editorial site that takes a practical approach to covering information security. Through news analysis and in-depth features, Decipher explores the impact of the latest risks and provides informative and educational material for readers curious about how security affects our world. Contact: info@decipher.sc (Amy Vazquez). Copyright 2024.

lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/citrix-warns-of-critical-netscaler-console-flaw

Citrix has fixed a critical-severity vulnerability in NetScaler Console, its cloud-based monitoring and management product, which if exploited could give attackers unauthorized access to sensitive data.

The flaw (CVE-2024-6235), which scores 9.4 out of 10 on the CVSS scale, stems from improper authentication and could be exploited by an attacker with access to a NetScaler Console IP. Versions of NetScaler Console 14.1 before 14.1-25.53 are impacted. In separate advisories, both the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Cyber Security Centre urged users and administrators to apply updates for the flaw, as well as for several other vulnerabilities patched by Citrix on Tuesday.

“Citrix released security updates to address vulnerabilities in multiple Citrix products,” according to CISA’s alert on Tuesday. “A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system.”

Citrix also fixed a high-severity denial-of-service flaw in its NetScaler Console, which also exists in the NetScaler Agent and NetScaler Service Virtual Machine (SVM). The bug (CVE-2024-6236) stems from improper restriction of operations within the bounds of a memory buffer, and an attacker with access to a NetScaler Console, NetScaler Agent or SVM IP could launch denial-of-service attacks. Citrix also warned of another high-severity denial-of-service bug (CVE-2024-5491) in its NetScaler ADC and Gateway appliances.

“Cloud Software Group strongly urges customers of NetScaler Console to install the relevant updated versions of NetScaler Console as soon as possible,” according to Citrix’s NetScaler security advisory.

In the Citrix Workspace app for Windows, a high-severity vulnerability (CVE-2024-6286) was patched that could give low-privileged attackers SYSTEM privileges if they have local access to the targeted system. The flaw impacts the Citrix Workspace app for Windows versions before 2403.1 in the current release (fixes are available in 2403.1 and later versions) and versions before 2402 in the long-term service release (fixes are available in 2402 and later versions).

NetScaler has previously been a target for threat actors. Last year, threat actors exploited a critical-severity flaw in Citrix NetScaler ADC and Gateway appliances in order to target professional services, technology and government organizations. The flaw (CVE-2023-4966) stemmed from an unauthenticated buffer-related issue and could enable sensitive information disclosure.

dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/new-openssh-cve-2024-6409-flaw-emerges

Some versions of OpenSSH contain a serious vulnerability, distinct from the CVE-2024-6387 flaw disclosed last week, that can potentially lead to remote code execution. The bug was discovered during the analysis of the other OpenSSH flaw last month, but was not disclosed at the same time because some of the affected vendors did not have a fix ready in time.

The newly disclosed vulnerability (CVE-2024-6409) is a race condition that in some cases will expose the same weakness as the CVE-2024-6387 bug.

“A signal handler race condition vulnerability was found in OpenSSH's server (sshd), where a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), then sshd's SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog(). This issue leaves it vulnerable to a signal handler race condition on the cleanup_exit() function, which introduces the same vulnerability as CVE-2024-6387 in the unprivileged child of the SSHD server,” the vulnerability description says.

Security researcher Alexander Peslyak, known as Solar Designer, discovered the new bug while reviewing Qualys researchers’ analysis of the initial OpenSSH flaw late last month. The issues are related, but not identical, and the newer bug only affects OpenSSH 8.7 and 8.8.

“The main difference from CVE-2024-6387 is that the race condition and RCE potential are triggered in the privsep child process, which runs with reduced privileges compared to the parent server process. So immediate impact is lower. However, there may be differences in exploitability of these vulnerabilities in a particular scenario, which could make either one of these a more attractive choice for an attacker, and if only one of these is fixed or mitigated then the other becomes more relevant. In particular, the "LoginGraceTime 0" mitigation works against both issues, whereas the "-e" mitigation only works against CVE-2024-6387 and not (fully) against CVE-2024-6409,” Solar Designer’s advisory says.
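The advisory's point that `LoginGraceTime 0` mitigates both CVE-2024-6387 and CVE-2024-6409, and that the newer bug affects only OpenSSH 8.7 and 8.8, can be turned into a small configuration audit. The following Python script is an added example, not code from the advisory or the OpenSSH project: it parses an `sshd_config` fragment for the effective `LoginGraceTime` (120 seconds when the directive is absent, as the vulnerability description states), checks a server banner for the affected 8.7/8.8 versions named on the page, and reports whether the mitigation is in place. The config text and banner strings are constructed samples.

```python
import re

# Constructed sshd_config fragments for the demo (not copied from any host).
# In the first, LoginGraceTime is commented out, so sshd's default applies.
VULNERABLE_CONFIG = """\
# sshd_config (constructed sample)
Port 22
#LoginGraceTime 2m
PermitRootLogin no
"""

MITIGATED_CONFIG = """\
# sshd_config (constructed sample)
Port 22
LoginGraceTime 0
PermitRootLogin no
"""

# sshd's default when the directive is absent: 120 seconds (per the advisory).
DEFAULT_LOGIN_GRACE_SECONDS = 120

# Time suffixes accepted by sshd_config time values.
_TIME_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

# Releases the advisory says CVE-2024-6409 affects.
AFFECTED_MINOR_VERSIONS = {(8, 7), (8, 8)}


def parse_time_value(value: str) -> int:
    """Parse an sshd time value such as '120', '2m' or '1h30m' into seconds."""
    text = value.strip().lower()
    if not re.fullmatch(r"(\d+[smhdw]?)+", text):
        raise ValueError(f"invalid sshd time value: {value!r}")
    return sum(int(n) * _TIME_UNITS[u] for n, u in re.findall(r"(\d+)([smhdw]?)", text))


def login_grace_time(config_text: str) -> int:
    """Return the effective LoginGraceTime in seconds.

    sshd honours the first occurrence of a directive and ignores comment
    lines; keywords are case-insensitive and may be separated from their
    value by whitespace or a single '='.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) == 2 and parts[0].lower() == "logingracetime":
            return parse_time_value(parts[1])
    return DEFAULT_LOGIN_GRACE_SECONDS


def is_affected_version(banner: str) -> bool:
    """True if an SSH banner (e.g. 'SSH-2.0-OpenSSH_8.8p1') names OpenSSH 8.7 or 8.8."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", banner)
    return bool(m) and (int(m.group(1)), int(m.group(2))) in AFFECTED_MINOR_VERSIONS


def assess(config_text: str, banner: str) -> dict:
    """Combine the version and LoginGraceTime checks into one verdict.

    action_needed is True when the version is in the affected range and the
    'LoginGraceTime 0' mitigation is not in place (i.e. patch or mitigate).
    """
    grace = login_grace_time(config_text)
    affected = is_affected_version(banner)
    return {
        "login_grace_time": grace,
        "affected_version": affected,
        "mitigated": grace == 0,
        "action_needed": affected and grace != 0,
    }


if __name__ == "__main__":
    print(assess(VULNERABLE_CONFIG, "SSH-2.0-OpenSSH_8.8p1"))
    print(assess(MITIGATED_CONFIG, "SSH-2.0-OpenSSH_8.8p1"))
```

Two caveats when using a check like this: distribution builds often keep the upstream version string while backporting fixes, so a banner match is a prompt to verify the package changelog rather than proof of exposure; and `LoginGraceTime 0` removes the authentication timeout entirely, which lets unauthenticated clients hold connections open, so it is a stopgap until the patched packages are installed.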

On July 1, Qualys researchers disclosed the details of CVE-2024-6387, which is also a race condition and can lead to remote unauthenticated code execution. The bug is a regression that was introduced in 2020 after initially being fixed in 2006. CVE-2024-6387, nicknamed regreSSHion, affected more versions of OpenSSH than the newer vulnerability.

“This vulnerability, if exploited, could lead to full system compromise where an attacker can execute arbitrary code with the highest privileges, resulting in a complete system takeover, installation of malware, data manipulation, and the creation of backdoors for persistent access. It could facilitate network propagation, allowing attackers to use a compromised system as a foothold to traverse and exploit other vulnerable systems within the organization,” the Qualys advisory says.

Affected vendors released fixes for CVE-2024-6387 as part of the disclosure last week.

lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/apt40-exploits-confluence-exchange-flaws-to-target-governments

Agencies in the U.S., Australia and a number of other countries are warning of the ongoing threat posed by the PRC state-sponsored group known as APT40, which they said has repeatedly targeted Australian networks and government agencies, as well as private sector organizations globally.

Tuesday’s joint advisory by the U.S., Australia, UK, Canada and New Zealand outlined how, starting in 2017, the APT group has steadily found more success in quickly exploiting newly public flaws in popular software, including ones in Log4J (CVE-2021-44228), Atlassian Confluence (CVE-2021-31207 and CVE-2021-26084) and Microsoft Exchange (CVE-2021-31207, CVE-2021-34523 and CVE-2021-34473). Many times, the threat actors jump on these flaws within days or even hours of public release, the advisory warned.

“Notably, APT40 possesses the capability to rapidly transform and adapt exploit proof-of-concept(s) (POCs) of new vulnerabilities and immediately utilize them against target networks possessing the infrastructure of the associated vulnerability,” according to the advisory. “APT40 regularly conducts reconnaissance against networks of interest, including networks in the authoring agencies’ countries, looking for opportunities to compromise its targets. This regular reconnaissance postures the group to identify vulnerable, end-of-life or no longer maintained devices on networks of interest, and to rapidly deploy exploits.”

APT40, which has been around since 2009, is known for previously hacking organizations and government entities in the U.S. and beyond in order to steal IP, trade secrets and other sensitive data, and in 2021 the U.S. indicted four members of the hacking group.

In their advisory, the various agencies broke down campaigns by the group in April and August 2022 against two unnamed organizations, which the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) investigated. After initial access via exploitation of flaws in internet-facing applications, the group would deploy webshells, use remote services (like the RDP and SMB protocols) for lateral movement, and leverage various system commands to discover system information, accounts, and credentials.

APT40 previously used compromised Australian websites as command-and-control hosts in its operations, but it has recently relied on compromised small-office/home-office (SOHO) devices for its operational infrastructure in Australia. The advisory said that many of the compromised devices are end-of-life or unpatched, and that they give attackers a valuable way to blend in with legitimate traffic and evade network defenders.

Chinese threat activity has been under scrutiny over the past year, especially after the U.S. government earlier this year highlighted the compromise of hundreds of SOHO routers by the Chinese attack group known as Volt Typhoon, which then used its access to those devices to facilitate access to critical infrastructure networks in various sectors, such as water and power.

The advisory recommended a number of measures that organizations can take to defend against APT40’s activities, including staying up to date on patching internet-exposed devices and services, as most exploits used by the actors were publicly known and had patches available. Organizations should also ensure they have a network segmentation strategy in their environments in order to block lateral movement, and utilize logging and monitoring processes.

“During ASD’s ACSC investigations, a common issue that reduces the effectiveness and speed of investigative efforts is a lack of comprehensive and historical logging information across a number of areas including web server request logs, Windows event logs and internet proxy logs,” according to the advisory.

lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/how-to-unearth-ransomware-infostealer-trends-from-malicious-domain-data

Ben Nahorney, threat intelligence analyst with Cisco, gives an inside look at Cisco’s “Cyber Threat Trends Report: From Trojan Takeovers to Ransomware Roulette” and talks about how his team digs into malicious DNS activity to unearth new insights about threat actor activity involving information stealers, ransomware and trojans.

Below is a lightly edited transcript of the conversation.

Lindsey O'Donnell-Welch: This is Lindsey O'Donnell-Welch with Decipher. I'm here today with Ben Nahorney, threat intelligence analyst with Cisco, and we're going to talk about Cisco's recent Cyber Threat Trends Report: From Trojan Takeovers to Ransomware Roulette. Ben, thanks so much for joining me today. How's it going?

Ben Nahorney: Doing well. Thanks for having me, Lindsey. Appreciate being on the podcast.

Lindsey O'Donnell-Welch: I was just reading over this report, there were a lot of really cool takeaways and it all stemmed from looking specifically at DNS data. That can tell us a lot about the prevalent threats out there and kind of how they work. Tell me a little bit about this report and the actual act of putting it all together.

Ben Nahorney: Sure, yeah, it's kind of an interesting angle to look at within the threat landscape, when we're looking at DNS related activity. Because when you think about how a lot of threats work in the modern era, you've got everything kind of connecting out to the internet, anything from a backdoor to infostealers exfiltrating data. Essentially, they all need internet related connectivity to carry out their malicious activity. So DNS activity is a great area to look at when it comes to seeing how active certain threats are and seeing what's actually happening in the threat landscape. So yeah, what we ended up doing with this report was taking a look at that data that we're seeing from the DNS side of things, and we have a lot of DNS security related features and tools out there within Cisco. Some of those biggest ones to talk about - two products would be Cisco umbrella and Cisco Secure Access, both of which monitor DNS related activity and offer a lot of functionality around blocking malicious threats.

So we see lots and lots of DNS activity within Cisco, so much so that we look at an average of around 715 billion DNS requests a day. So within that, we're looking at all the malicious activity that's there.

So, essentially, we're able to classify a lot of this activity into various categories. And that's what we looked at in the threat report that we released. It's a variety of stuff ranging from seeing infostealer activity, ransomware, trojans, backdoors, APTs, all sorts of different things. And then we looked to see what sort of activity was the most prevalent. Some of that can be very noisy, you know, being DNS related, but it shows you the proportion of traffic that we're seeing for all these different threats.

Lindsey O'Donnell-Welch: Yeah, how do you even begin to approach that data and look out for some of those patterns that you're talking about? It's so much data there and I'm sure that there are different specific characteristics that you need to kind of look at. How do you even start to do that?

"We're looking at that sort of data... and collectively bringing that together to ultimately see what larger trends we're seeing across our customer base which, given its size, gives us kind of a good representation of what we see in the larger threat landscape."

Ben Nahorney: Yeah, exactly. It's just a mountain of data. So we want to take all this data and put it in some form that's digestible for the average reader or the average security person or just anyone that might be interested in this sort of information. So ultimately what we kind of have done is we take all these things that we know are blocked and known blocked websites that we know are malicious. And these have been classified by Umbrella and by Secure Access into these different categories. So starting from there, you're still talking about millions and millions of blocks, basically. So a way that we thought would be kind of nice to put that into something that's understandable is we averaged out the monthly activity over a time frame. So what we're actually looking at in this report is data starting in August of 2023 through March of 2024.

And so then we basically… took a look at each month, and got an average over that time frame by month and used that as a basis to start looking at this activity, based on each one of these categories. So then taking that, when you have an average for the time frame, we're able to then compare each month. And so what we did is we looked to see whether a particular month was above average compared to the average for the whole time period or below average. And then that kind of teases out a trend that we can look at and examine to see ultimately if activity is increasing or decreasing over the timeframe that we looked at.

Lindsey O'Donnell-Welch: Yeah, that's a great way to approach it because then you can see, you know, month by month, but then also if there is a broader change, like you're talking about, then that's something that you can also kind of discern through that data.

How did you first sit down and kind of say, here's the different types of threat categories that we need to create, and then how did you look at the different clues of each activity and how it would fall into each category?

Ben Nahorney: Well, fortunately, a lot of this is actually done behind the scenes. So if someone is actually using something like Cisco Umbrella or Cisco Secure Access, they can actually look at their own information themselves, their own malicious blocks, and actually categorize these within the product. So we're actually taking these out of the product itself, these threat categories that we have, and looking at those in particular. But they're largely automated as far as how they're actually detected and classified.

Now, some of that is interesting in the sense that you get into threat actors maybe using particular domains that are brand new. Those would be generally flagged by Umbrella right away, say one customer sees something. Then ultimately, say it’s 24 hours old, it goes, wait a minute, that's a very new domain. Maybe this could be a little strange for suddenly popping up in a whole bunch of messages or say emails, for instance. It'll flag that as a new domain. Then there's some backend work that's done to look more carefully at that URL, find out what's going on there. If it turns out to be that your aunt Jenny has created a new website to share famous cookie recipes, that's something that they'll realize, okay, this is all right. But if it is malicious activity, it gets categorized based on a whole variety of parameters within Umbrella itself.

And then ultimately those categories are present within the dashboards that you'd be looking at for that. What we're doing on our side basically is looking across the entire customer base and everything that people that are using Umbrella are seeing and are willing to share back with us. It's worth pointing out, it's an opt-in sort of situation, we're not just taking information from customers. We're ultimately making sure that it's something that they've agreed to do. So it's opt-in to start. So then we're looking at that sort of data from all of that customer base that's sharing with us and collectively bringing that together to ultimately see what sort of larger trends we're seeing across our customer base which, given its size, gives us kind of a good representation of what we see in the larger threat landscape.

"Information stealers were the most prevalent."

Lindsey O’Donnell-Welch: Right, right. And can you talk a little bit about what trends you did see? And was there anything that really jumped out to you and surprised you in your different findings from the report?

Ben Nahorney: Yeah, actually there were a couple of really interesting things that I saw and it gave us some time to kind of look at this and sort of see some behavior that we're seeing from particular areas of the threat landscape. Probably the first one I'd bring up that was the most interesting I thought had to do with information stealers. Now, information stealers was our most active category this time around when we were looking at threat landscape-related activity on the DNS side. And that probably doesn't come as too much of a surprise if you stop to think about how much activity, or the way that information stealers would use an internet connection. Ultimately, you'd have a bad activist going in there and they are getting into an environment and then they're trying to find this PII or trade secret information and whatnot and trying to steal that.

So ultimately, what you're talking about then is a lot of DNS activity as they attempt to exfiltrate those secrets or information that they're stealing from an organization. So it is a little bit noisy. On top of that, we also categorize things like audio and video related threats that might be listening in on say conference calls or say WebEx calls or something along those lines. Those are the sort of things that would follow this classification too, and so that would also have a large amount of DNS activity.

So information stealers were the most prevalent. But what was really interesting about that was that we noticed a pattern fall within this activity. We would see about three months of above average activity, given the way that we were looking at this data, followed by one month where it was below average. Then three months, it was above average again, and then the following month below average.

So what we kind of theorize is happening in this case is that these bad actors, what they're probably doing is going out, they're gathering as much information as they can for three month periods. But, you know, it's one thing to gather that information, right? It's another thing to actually find that useful stuff that's in there. So what we think they're actually doing is three months of gathering and then they kind of dial back a bit. They don't drop their activity entirely for the month, but they dial it back a bit and maybe examine what they've already gathered for a month. So what you're talking about is three months of gathering, one month of basically sifting through all that gathered information, and then they go back at it for another three months, and then take another month to dial it back and look at what they have.

Lindsey O’Donnell-Welch: That's a really interesting trend because I feel like it gives us a glimpse, too, of what's going on on the threat actor side of things. And that was one big part of the report that I thought was particularly fascinating was that you can make these potential correlations between the different data trends. For instance, you noted about the majority of backdoor activity being you know observed could be attributed to Cobalt Strike, but then you saw a spike of activity in October that coincided with a similar spike with RAT activity and that spike could be attributed potentially to the release of a new version of Cobalt Strike. How do you look at these different patterns and say what's really going on here behind the scenes and kind of between the lines?

"Ultimately it just comes down to monitoring that DNS traffic. Keep an eye on those logs on the DNS side and look out for malicious patterns and various things that could indicate malicious activity within your network."

Ben Nahorney: Yeah, there's a certain amount of looking at data and then trying to correlate it with what's happening, from anything from news articles to social media related activity, what people out there, researchers are talking about, and trying to see if there's something that correlates. This is really, there's a lot of interesting things that we can make educated guesses about what's actually happening out there. But one of the goals that I personally have with a lot of this is to extend this even further and try to figure out more specifically tying, you know, spikes to particular, you know, set activities, just like it is with Cobalt Strike. That's one of the easier ones to make a connection because you see the Cobalt Strike official software coming out with a new release. And lo and behold, there's more activity around that shortly thereafter. So ultimately, it's neat to be able to tie more of those together as we go through. Another interesting one that we saw was correlations between different categories entirely, one of those being ransomware and droppers. So when you look at the pattern we would see month on month for ransomware, and you compare it to droppers, they were almost mirror images of each other, very little difference or very few changes between the two charts.

And that seems pretty obvious that what you're probably seeing in that case is bad actors using droppers… and then attempting to seed ransomware through those droppers.

Lindsey O’Donnell-Welch: Were there other patterns that you noticed over time that really stood out to you?

Ben Nahorney: Yeah, there was one other that really caught me there and it ties back in to these droppers and ransomware. And that's that we had a direct correlation between those two; however, when we looked at trojans, we actually seemed to see a reverse correlation, in that during the timeframe as a whole, ultimately, these ransomware and droppers had low activity in the first part and then high activity.

What we saw was the opposite of trojans, where it was high activity at the beginning and low at the end. And what we believe is happening in this case is that the trojans are being used as a step prior to the droppers. They're using a variety of different trojans. It's a very large category. It was actually our second highest activity as far as all the different categories we saw. But there's, you know how Trojans are, they're kind of like a swiss army knife of malicious code, if you will. They can do all sorts of things. So they're a real useful tool for getting in there, compromising an organization, lateral movement, basically getting backdoor connections set up, reverse shells, etc., and being able to take over those networks. Then what the threat actor would end up doing is using the droppers, perhaps through a Trojan, and then using those droppers to get the ransomware payload. So what we're seeing is a lot of activity early on with those Trojans as they take over that network, followed by a drop in trojan activity as droppers and ransomware increases in activity.

Lindsey O’Donnell-Welch: Now, when you're looking at the report, are there any kind of takeaways there for businesses that are looking to defend against these types of threats? What did you find specifically in that area?

Ben Nahorney: So yes, there are a variety of things that they can do to protect against threats like this. Probably the most obvious, given what the subject matter we're talking about here, is to implement DNS filtering, to use various filtering services to block access to known malicious domains and IP addresses. But then also to leverage threat intelligence, to be able to basically keep up on the latest malicious hosts. You really want to stay up to date on that sort of list. They change all the time. So threat intelligence around malicious sites and using DNS security to block them. It can be a really helpful way to go about stopping that.

And then ultimately it just comes down to monitoring that DNS traffic. Keep an eye on those logs on the DNS side and look out for malicious patterns and various things that could indicate malicious activity within your network.
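The method Nahorney describes in this conversation, averaging each category's monthly blocks over the August 2023 to March 2024 window, labelling each month above or below that average, and then comparing categories against each other, can be reproduced on any per-category monthly counts. The following Python script is an added example, not Cisco's code or data: the monthly numbers are invented to show an infostealer series with the three-up/one-down cycle, a ransomware series that moves in step with droppers, and a trojan series that moves the opposite way, and the functions compute the above/below labels, test for the cycle, and give a Pearson correlation between category pairs.

```python
import math
from statistics import mean

# Constructed monthly counts of blocked DNS lookups per threat category for
# Aug 2023 through Mar 2024, the report's window. Invented numbers to show
# the method; they are not Cisco's figures.
MONTHS = ["2023-08", "2023-09", "2023-10", "2023-11",
          "2023-12", "2024-01", "2024-02", "2024-03"]

BLOCKS = {
    "infostealer": [120, 130, 125, 80, 135, 128, 140, 85],
    "ransomware":  [10, 12, 11, 15, 18, 20, 22, 25],
    "dropper":     [20, 24, 22, 30, 36, 40, 44, 50],
    "trojan":      [50, 46, 44, 40, 34, 30, 28, 25],
}


def above_below(counts):
    """Label each month '+' if above the whole-period average, else '-'."""
    avg = mean(counts)
    return ["+" if c > avg else "-" for c in counts]


def matches_cycle(labels, up=3, down=1):
    """True if the labels follow a repeating cycle of `up` above-average
    months then `down` below-average months (a partial final cycle is fine)."""
    unit = ["+"] * up + ["-"] * down
    return all(lab == unit[i % len(unit)] for i, lab in enumerate(labels))


def trend(counts):
    """Coarse direction: mean of the second half versus the first half."""
    half = len(counts) // 2
    first, second = mean(counts[:half]), mean(counts[half:])
    if second > first:
        return "increasing"
    if second < first:
        return "decreasing"
    return "flat"


def pearson(a, b):
    """Pearson correlation: +1 for mirror-image series, -1 for opposites."""
    ma, mb = mean(a), mean(b)
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    if va == 0 or vb == 0:
        raise ValueError("a constant series has no correlation")
    return cov / math.sqrt(va * vb)


def analyse(blocks=BLOCKS):
    """Per-category labels, cycle check and trend, plus the two cross-category
    comparisons discussed above (ransomware vs dropper, ransomware vs trojan)."""
    report = {}
    for name, counts in blocks.items():
        labels = above_below(counts)
        report[name] = {
            "labels": "".join(labels),
            "three_up_one_down": matches_cycle(labels, 3, 1),
            "trend": trend(counts),
        }
    report["corr_ransomware_dropper"] = pearson(blocks["ransomware"], blocks["dropper"])
    report["corr_ransomware_trojan"] = pearson(blocks["ransomware"], blocks["trojan"])
    return report


if __name__ == "__main__":
    labels = above_below(BLOCKS["infostealer"])
    print("infostealer:", " ".join(f"{m}:{l}" for m, l in zip(MONTHS, labels)))
    for key, value in analyse().items():
        print(key, value)
```

With eight data points a correlation near +1 or -1 is suggestive rather than conclusive, which is why the conversation pairs the numbers with outside context such as tool release dates; the script is the first half of that workflow.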

dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/decipher-podcast-chris-hughes

lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/new-eldorado-ransomware-group-targets-windows-linux-systems

Researchers are warning of a ransomware-as-a-service group called Eldorado, which has developed and deployed a “highly effective” ransomware builder used to target both Windows and Linux systems.

The ransomware group was first discovered in March 2024 in an underground forum for ransomware-as-a-service advertisements called RAMP, after posting about its affiliate program and advertising the availability of a locker and a loader. Upon further investigation, researchers with Group-IB found that as of June, 16 companies have been targeted by the group, with the majority (13) of those in the U.S. The group has targeted the real estate industry, as well as the education, professional services, healthcare and manufacturing sectors.

“Although relatively new and not a rebrand of well-known ransomware groups, Eldorado has quickly demonstrated its capability within a short period of time to inflict significant damage to its victims’ data, reputation, and business continuity,” said Nikolay Kichatov, cyber intelligence analyst with Group-IB, and Sharmine Low, malware analyst with Group-IB, in an analysis last week.

Eldorado’s ransomware builder is unique, and unlike other ransomware groups the threat actor does not rely on previously leaked, publicly available ransomware tools like the LockBit 3.0 ransomware or the Babuk ransomware source code. The ransomware uses the Go language, and has versions crafted for both Windows and Linux systems (with an encryptor available in four formats: esxi, esxi_64, win, and win_64).

“The choice of using the Go programming language could be due to its cross-platform capabilities,” said Kichatov and Low. “Go programs’ ability to cross-compile code into native, self-contained binaries could be a reason why malware authors favored developing in Golang.”

The ransomware is fairly straightforward during attacks, encrypting files with the extension “.00000001” and dropping a ransom note in victims’ Documents and Desktop folders with instructions to contact the threat actor. The ransomware uses ChaCha20 to encrypt files and Rivest-Shamir-Adleman with Optimal Asymmetric Encryption Padding (RSA-OAEP) for key encryption.

"For each file, it will generate a 32-byte key and 12-byte nonce, and encrypt the file using Chacha20," said researchers. "The key and nonce will be encrypted with RSA-OAEP with the embedded public key from the configuration, and appended to the end of each file... It can encrypt files on shared networks using Server Message Block (SMB) protocol. Key parameters for customization during the build include target networks or company names, ransom note details, and admin credentials.”

The emergence of Eldorado shows that despite law enforcement efforts to disrupt ransomware-as-a-service networks like BlackCat and Ragnar Locker, the threat remains a lucrative one for cybercriminals. Between 2022 and 2023, researchers with Group-IB said that they saw 27 ads for ransomware-as-a-service programs on underground forums. In 2023, the number of ads published in these forums seeking potential program participants increased compared with 2022, which researchers said potentially highlights a growth in demand for affiliates.

“Despite the widespread awareness and ongoing discussions about the threat of ransomware, cybercriminals continue to find new and effective ways to attack various organizations,” said researchers with Group-IB. “The persistent evolution of ransomware tactics and strategies ensures that these malicious actors remain a formidable threat in the cybersecurity landscape.”

lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/teamviewer-cyberattack-stemmed-from-compromised-credentials

After disclosing a security incident on Thursday, remote access software company TeamViewer on Friday said that the attack was “tied to credentials of a standard employee account” within its corporate IT environment. The company on Friday also said it currently attributes the activity to APT29, a Russian threat actor also known as Midnight Blizzard that has hit other high-profile targets this year including Microsoft and HPE.

TeamViewer, which first detected the attack on Wednesday, June 26, said that its internal corporate IT environment was impacted. The company said its internal corporate IT environment is “completely independent” from its product environment, and there is no evidence as of Friday morning that the threat actor gained access to its product environment or customer data. After identifying suspicious behavior on the compromised account, TeamViewer said it carried out incident response measures.

“Following best-practice architecture, we have a strong segregation of the Corporate IT, the production environment, and the TeamViewer connectivity platform in place,” according to the security statement from TeamViewer. “This means we keep all servers, networks, and accounts strictly separate to help prevent unauthorized access and lateral movement between the different environments. This segregation is one of multiple layers of protection in our ‘defense in-depth’ approach.”

TeamViewer did not give more details when asked for more information about the credentials that were part of the incident and whether multi-factor authentication was enabled on the compromised account.

The investigation into the incident is ongoing. Other third-party organizations have also sent out alerts regarding the incident. NCC Group on Thursday issued a warning to its customers sharing details of the attack "with the relevant stakeholders that are affected by this threat actor." While the alert was initially issued privately under the TLP:AMBER-STRICT limited disclosure classification, it has since been changed to TLP:GREEN, and NCC Group has published an alert on its website.

"NCC Group is continuing its investigation into this intelligence and attempting to establish the extent of the APT’s activities," according to Matt Hull, global head of threat intelligence with NCC Group, in a Friday statement. "Our SOC teams have been placed on heightened alert for activity associated with TeamViewer. We advise that until further details are known about the type of compromise TeamViewer has been subjected to, removal of TeamViewer from your estate will assist in mitigating any potential compromise via this vector."

"We also recommend reviewing hosts that have this installed for unusual behaviour that might suggest it has already been compromised," according to Hull. "If you are unable to remove the application, then placing those hosts with it installed under heightened monitoring may provide you with further assurance."

According to a separate alert by the American Hospital Association (AHA), the Health Information Sharing and Analysis Center (H-ISAC) on Thursday also issued a private threat bulletin alerting the healthcare space about threats that were “exploiting TeamViewer.”

“H-ISAC recommends users review logs for any unusual remote desktop traffic,” according to the AHA alert. “Threat actors have been observed leveraging remote access tools, H-ISAC said. The agency recommends users enable two-factor authentication and use the allowlist and blocklist to control who can connect to their devices, among other measures.”

APT29, which has been tracked by Mandiant since 2014, has previously targeted the U.S. and NATO member countries, and has been behind major attacks over the years, including the SolarWinds supply-chain intrusion. The group is well-resourced in its capabilities and tactics, and in an advisory earlier this year the Cybersecurity and Infrastructure Security Agency (CISA) said the group continues to evolve its techniques and in more recent attacks has targeted cloud providers. APT29 is known to use a variety of methods to gain initial access, including password spraying and brute forcing against service accounts and unused accounts, according to CISA.

Meanwhile, as a remote access tool, TeamViewer is a prime target for threat actors, and it has previously been abused in various attacks. In January, Huntress researchers found that attackers had used TeamViewer to gain initial access to endpoint devices and attempt to install ransomware. In May 2023, researchers also observed threat actors gaining access to target companies via TeamViewer in order to install XMRig cryptomining malware on several dozen endpoints.

]]>
dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/researchers-warn-of-widespread-polyfill-supply-chain-attack

A popular JavaScript library used by more than 100,000 websites has been injecting malicious code into pages delivered to mobile users in some circumstances and researchers and CDN providers are warning site owners to remove the library immediately.

The incident began earlier this week when researchers noticed that in some cases, the polyfill.io library was injecting dynamic code that would redirect users to a third-party site. Researchers estimate more than 100,000 sites are affected by this at the moment. Polyfill.io is a library used to dynamically deliver some functionality to older browsers that don’t support specific features. Sites that use the library load it dynamically based on information in the HTTP headers presented by the user’s browser. It has been in use for many years, but the author of the library said in February that he had never owned the polyfill.io domain, which was purchased by a Chinese company in February.

“The polyfill.js is a popular open source library to support older browsers. 100K+ sites embed it using the cdn.polyfill.io domain. Notable users are JSTOR, Intuit and World Economic Forum. However, in February this year, a Chinese company bought the domain and the Github account. Since then, this domain was caught injecting malware on mobile devices via any site that embeds cdn.polyfill.io. Any complaints were quickly removed (archive here) from the Github repository,” researchers at e-commerce security company Sansec said in an analysis of the incident.

“The polyfill code is dynamically generated based on the HTTP headers, so multiple attack vectors are likely. Sansec decoded one particular malware (see below) which redirects mobile users to a sports betting site using a fake Google analytics domain (www.googie-anaiytics.com). The code has specific protection against reverse engineering, and only activates on specific mobile devices at specific hours. It also does not activate when it detects an admin user. It also delays execution when a web analytics service is found, presumably to not end up in the stats.”

In response to the incident, Cloudflare has created its own safe mirror of polyfill.io and has taken the additional step of replacing any reference in its customers’ sites to the polyfill.io CDN with a redirect to that safe mirror. Fastly developed its own fork of polyfill.io in February and also released drop-in replacements for the original library. Namecheap, the registrar for the polyfill.io domain, has suspended it and GitHub has flagged the polyfill repository, as well.

Researchers recommend any site owners whose sites pull in the polyfill.io library look for it in their code and remove any links to it.
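One way to locate such references, as an added example in Python that is not code from the article, Sansec, Cloudflare or the polyfill project: a small HTML scanner that flags script and link tags pointing at polyfill.io (any subdomain) or at the look-alike analytics domain named in the Sansec analysis, reporting the line each one sits on. The sample page it scans is constructed.

```python
"""Added example, not code from the article or the projects it names.

Scans HTML for <script src> and <link href> references to the hijacked
polyfill.io CDN (any subdomain) and to the look-alike analytics domain
named in the Sansec analysis, reporting the line each reference sits on.
"""
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Domains named in the article: the hijacked CDN and the fake analytics host.
SUSPECT_DOMAINS = ("polyfill.io", "googie-anaiytics.com")

Finding = Tuple[int, str, str, str]  # (line, tag, url, matched domain)


def suspect_domain(url: str) -> Optional[str]:
    """Return the suspect domain that url's host equals or falls under."""
    if url.startswith("//"):          # protocol-relative embeds are common
        url = "https:" + url
    host = (urlparse(url).hostname or "").lower()
    for domain in SUSPECT_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


class PolyfillRefScanner(HTMLParser):
    """Collect every script/link tag whose URL points at a suspect domain."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Finding] = []

    def handle_starttag(self, tag, attrs):
        attr_map = dict(attrs)
        if tag == "script":
            url = attr_map.get("src")
        elif tag == "link":
            url = attr_map.get("href")
        else:
            url = None
        if not url:
            return
        domain = suspect_domain(url)
        if domain:
            line, _col = self.getpos()   # position of the tag's opening '<'
            self.findings.append((line, tag, url, domain))


def scan_html(html: str) -> List[Finding]:
    """Parse html and return all suspect references, in document order."""
    scanner = PolyfillRefScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: a cdn.polyfill.io embed, two legitimate external
# resources, a protocol-relative polyfill.io embed and the fake analytics host.
SAMPLE_PAGE = """<!doctype html>
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js"></script>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
</head><body>
<script src="//polyfill.io/v3/polyfill.min.js"></script>
<script src="https://www.googie-anaiytics.com/gtags.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for line, tag, url, domain in scan_html(SAMPLE_PAGE):
        print(f"line {line}: <{tag}> references {domain}: {url}")
```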

"Given how widespread this is, we don't expect to understand the real impact of this supply chain attack for many weeks. Attacks like these, however, can be quite devastating," Ax Sharma of Sonatype said.

]]>
lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/exploit-code-released-for-fortra-sql-injection-bug

Fortra has disclosed a critical-severity SQL injection flaw in FileCatalyst Workflow, its browser-based file transfer platform. In conjunction with the disclosure, security researchers this week also released proof-of-concept exploit code for the vulnerability.

The vulnerability (CVE-2024-5276), which ranks 9.8 out of 10 on the CVSS scale, could enable attackers to modify application data, which could then allow them to create administrative users, or delete or modify data in the application database. However, Fortra said that data exfiltration via SQL injection is not possible with this vulnerability.

“Successful unauthenticated exploitation requires a Workflow system with anonymous access enabled, otherwise an authenticated user is required,” according to Fortra in its advisory this week. “This issue affects all versions of FileCatalyst Workflow from 5.1.6 Build 135 and earlier.”

Patches are available, and users are urged to upgrade to FileCatalyst Workflow version 5.1.6 build 139 or later.

Tenable researchers, who first reported the vulnerability, published the PoC exploit code on Tuesday after Fortra fixed the flaw. The flaw stems from certain processes failing to properly validate input, which enables SQL injection. SQL injection flaws let threat actors craft input strings such that, when the targeted application builds SQL statements from that input, those statements perform actions the original application never intended.

“A user-supplied jobID is used to form the WHERE clause in an SQL query… An anonymous remote attacker can perform SQLi via the JOBID parameter in various URL endpoints of the workflow web application,” according to Tenable’s advisory. According to Tenable, it first contacted Fortra about the flaw in mid-May. On June 25, Fortra informed Tenable that it had released a patch and disclosure advisory for the issue.
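The jobID-in-a-WHERE-clause pattern the advisory describes, as an added example in Python with SQLite that is not FileCatalyst code: the vulnerable form splices the parameter into the query text, the fixed form binds it as a parameter so the database never interprets it as SQL. The jobs table, its rows and the sample inputs are constructed.

```python
"""Added example (not FileCatalyst code): a jobID used to form a WHERE clause.

lookup_job_unsafe builds the clause by string formatting, the defect class
Tenable describes; lookup_job_safe binds the value as a query parameter.
Both run against a constructed in-memory SQLite table.
"""
import sqlite3
from typing import List, Tuple

Row = Tuple[str, str, str]  # (jobid, owner, status)


def make_db() -> sqlite3.Connection:
    """Create an in-memory jobs table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE jobs (jobid TEXT PRIMARY KEY, owner TEXT, status TEXT)"
    )
    conn.executemany(
        "INSERT INTO jobs VALUES (?, ?, ?)",
        [("J-1001", "alice", "complete"),
         ("J-1002", "bob", "running"),
         ("J-1003", "carol", "queued")],
    )
    conn.commit()
    return conn


def lookup_job_unsafe(conn: sqlite3.Connection, jobid: str) -> List[Row]:
    """Vulnerable: the user-supplied value becomes part of the SQL text,
    so quote characters and keywords in it change the query's meaning."""
    query = f"SELECT jobid, owner, status FROM jobs WHERE jobid = '{jobid}'"
    return conn.execute(query).fetchall()


def lookup_job_safe(conn: sqlite3.Connection, jobid: str) -> List[Row]:
    """Fixed: the value is bound as a parameter and compared as data only."""
    query = "SELECT jobid, owner, status FROM jobs WHERE jobid = ?"
    return conn.execute(query, (jobid,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # Ordinary input: both forms return the single matching row.
    print(lookup_job_unsafe(conn, "J-1002"))
    print(lookup_job_safe(conn, "J-1002"))
    # Input containing a quote and a tautology: the unsafe form's WHERE
    # clause now matches every row; the safe form matches none.
    crafted = "J-1002' OR '1'='1"
    print(lookup_job_unsafe(conn, crafted))
    print(lookup_job_safe(conn, crafted))
```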

Fortra has previously had critical-severity issues in its file transfer products, most notably in its GoAnywhere Managed File Transfer (MFT) software. In January, a critical-severity authentication bypass bug (CVE-2024-0204) was disclosed in GoAnywhere MFT, and last year the Cl0p ransomware group exploited a high-severity pre-authentication command injection flaw (CVE-2023-0669) in the software.

]]>
lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/critical-moveit-authentication-bypass-flaws-fixed

Progress Software disclosed two critical-severity authentication bypass flaws in its MOVEit Gateway and Transfer products on Tuesday. The Shadowserver Foundation, a nonprofit security organization, said that it has observed exploit attempts for one of the flaws in MOVEit Transfer "very shortly after vulnerability details were published" on Tuesday.

The latest flaw (CVE-2024-5806) in MOVEit Transfer, Progress Software’s managed file transfer software that is known for last year’s major, widely exploited zero-day bug, stems from improper authentication in the SSH File Transfer Protocol (SFTP) module and can enable an authentication bypass. Progress Software said the issue impacts MOVEit Transfer versions from 2023.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6 and from 2024.0.0 before 2024.0.2.

In addition to upgrading to fixed MOVEit Transfer versions (2023.0.11, 2023.1.6 and 2024.0.2), customers are urged to block any public, inbound RDP access to their MOVEit Transfer servers and to limit outbound access from the servers to only known, trusted endpoints.

“A newly identified vulnerability in a third-party component used in MOVEit Transfer elevates the risk of the original issue… if left unpatched,” according to Progress Software in its Tuesday security alert. “While the patch distributed by Progress on June 11th successfully remediates the issue identified in CVE-2024-5806, this newly disclosed third-party vulnerability introduces new risk.”

While Progress Software has released only limited details of the MOVEit Transfer vulnerability, researchers with WatchTowr performed a deep-dive analysis of the issue and found that it’s a “serious vulnerability” that stems from the interaction between MOVEit and the IPWorks SSH library, which is a suite of components used to integrate SSH into applications.

“While this CVE is being touted as a vulnerability in Progress MOVEit, which is technically correct, we feel that what we’re actually seeing is not a case of a single issue, but two separate vulnerabilities, one in Progress MOVEit and one in IPWorks SSH server,” according to WatchTowr researchers Aliz Hammond and Sina Kheirkhah in the analysis. “While the more devastating vulnerability, the ability to impersonate arbitrary users, is unique to MOVEit, the less impactful (but still very real) forced authentication vulnerability is likely to affect all applications that use the IPWorks SSH server.”

Several conditions must be met for this flaw to be exploitable. An attacker would need to know a valid username that exists on the SFTP subsystem (so they know whom to impersonate), that username would need to pass any IP-based restrictions the targeted organization has in place, and the SFTP service would need to be exposed.

As an enterprise file transfer product that handles troves of sensitive data, MOVEit Transfer has previously been targeted by threat actors, including the Cl0p ransomware group. However, WatchTowr researchers noted that the flaw had been discovered and embargoed for weeks before disclosure, and during that time Progress Software had likely been contacting customers so they could patch the issue and get a head start on threat actors.

A Progress Software spokesperson said that the company has not received any reports that the flaws have been exploited and are "not aware of any direct operational impact to customers."

"We recently internally confirmed vulnerabilities in MOVEit Transfer and MOVEit Gateway, notified those customers and made patches available," said the spokesperson. "Following industry best practice for responsible disclosure, we published the CVEs two weeks after notifying our customers and releasing the patch. The time period between patch release and CVE publication allowed our customers the ability to patch before public disclosure, decreasing the likelihood of exploitation."

Progress Software also patched a second critical-severity authentication bypass flaw this week (CVE-2024-5805) in MOVEit Gateway, which is a proxy service that can be used alongside deployments of the MOVEit Transfer file transfer software. The flaw stems from an improper authentication issue in version 2024.0.0, and a fix exists in version 2024.0.1.

“A patch is available for CVE-2024-5805 and should be applied on an emergency basis for organizations running MOVEit Gateway,” according to Rapid7 vulnerability researcher Ryan Emmons in an analysis of the flaw.

This article was updated on June 26 to include a comment from Progress Software.

]]>
lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/cisco-talos-how-threat-actors-target-mfa

Multi-factor authentication (MFA) is a critical form of defense for organizations, and threat actors are recognizing that: According to the latest Cisco Talos Incident Response Quarterly Trends report, instances related to MFA were involved in some capacity in half of all security incidents that the Talos team responded to in the first quarter of 2024.

Hazel Burton with Cisco Talos talks about how threat actors are using targeted social engineering techniques to try to skirt by MFA, how phishing kits are increasingly incorporating MFA bypass tactics, and what businesses can do. Watch the video above or listen to the podcast here (MP3 download).

Below is a lightly edited transcript of the conversation.

Lindsey O’Donnell-Welch: This is Lindsey O’Donnell-Welch. I'm here today with Hazel Burton with Cisco Talos to talk about some of the key takeaways in the latest Cisco Talos Incident Response Quarterly Trends Report. Hazel, thanks so much for joining me today. How are you doing?

Hazel Burton: Thanks, Lindsey. I'm doing good. Thank you so much for asking me to do this. Always great to talk to you.

Lindsey O’Donnell-Welch: Yeah, you as well. And it's great to keep a finger on the pulse of what's going on. And Cisco does that a ton with these quarterly trends reports that come out. And this latest one is really interesting because it really takes stock of what we're seeing in terms of the threats that are hitting organizations from BEC to ransomware. But I thought that what was really unique were the findings around multifactor authentication and how different threat actors are targeting weaknesses in MFA.

Hazel Burton: So yeah, these quarterly trends are based on real incidents that our team have been called in to help out with. And in the latest report, we saw that getting up to half of the incidents involved MFA weaknesses in some sort of guise, whether that is a poor implementation or a lack of MFA solution across the board, not putting it on critical services, or not having it on unpatched devices. And then the other one, it's something that we have seen rise and it's actually the number one security weakness for the last quarter, was users accepting fraudulent push notifications that originated from an attacker. So the user didn't generate the MFA requests and the attacker did and they've clicked accept and that has paved the way for an attacker to enter the system.

And I guess we see this as a growing trend because attackers are really going after these credentials now. They would much rather log in to a system with valid account details than use an exploit because exploits can be a bit noisy. If you log in, it's more likely that they'll go under the radar, they'll get to a certain stage within the system, having escalated privileges, for example, and then they will deploy their attack, be it ransomware, whatever it is. So there's a strong connection between stolen credentials, the use of valid accounts and attackers really going after MFA, because MFA can be a huge barrier to attackers and organizations have done a fantastic job of implementing MFA over the years. So if it's a big barrier for attackers, they're going to throw everything they have at it. And that's what we're seeing in these incidents.

Lindsey O’Donnell-Welch: Yeah, I think you make a good point that I'm seeing on my end in the security news as well, which is threat actors trying to leverage identity-based tactics as much as they can and now incorporating MFA into that. And we've seen these MFA fatigue or push bombing attacks for a couple years now. But personally, I was pretty surprised, the extent to which these attacks seem to be popping up, as outlined in the report. Was that something that surprised you as well, and what have you been seeing in previous quarters?

Hazel Burton: Probably not surprised - we also just released a blog which contains some data from Cisco Duo’s AI and security research team, because I was really interested to see why so many of these incidents had MFA at the heart of them. So that team gave me some data that looked at their entire push spray attack dataset, which was over the course of almost a year.

Ninety-five percent of these push-spray attacks aren't successful, which you know they get reported or ignored. Five percent are.

Now that might not seem like a big number, but for an organization, if just one gets through, that can be quite devastating. So yeah, we're certainly seeing these push-spray attacks continue to rise. But I think what's quite the more important point is how targeted the attackers are being. So we're seeing the attackers try and get people at the beginning of their day when they would normally log on to their systems and authenticate for the first time. That's when they're trying to put those fraudulent pushes in because then it comes with more context. We also saw a little rise in the early evening. Less clear cut about that one, but perhaps people are on their phones, catching up with you know the new social media and an acceptance might sneak in there. So yeah, we're seeing attackers follow our normal working patterns, which is what they have done for many, many years. And this is why I think we need to be having these conversations about the installation of MFA in your organization is great, it's one of the best things that you could possibly do, but it's having that room for that there might be users who do accept by no fault of their own these fraudulent pushes, having a plan in place to deal with that, looking at you know putting a challenge in place, so asking the users to input a number rather than just click accept or deny. Just having those extra things in place because we are seeing these - as I mentioned - attackers targeting MFA. As well, we're also seeing social engineering come back, calling up IT departments and saying, I've got a new device, could you enable MFA on my new device, please? And then that gets them into the system or potentially, and this is based on, again, incident response engagements, compromising a single endpoint, escalating their privileges, and then actually disabling the MFA from within. So it's just kind of looking at, “okay, we have MFA installed. It's not a silver bullet. Where are the potential weaknesses and where we need to shore up our defenses and have that defense in depth come through?”

Lindsey O’Donnell-Welch: Right. And yeah, one part of the post that you wrote that I really loved was what you were talking about, kind of looking at those different metrics in terms of the time frame and you know the fact that these are happening between like 8 to 9 a.m. Eastern time, when people are starting to log onto their phone, they're starting to check the news, they're starting to potentially be in a position where they're on their phone.

Hazel Burton: Yeah, exactly. People are busy. They have all sorts of things that they're thinking about when they're logging on. “What feedback is going to await me today when I check my emails?” They're not thinking about what an attacker would want with their device, with their data. It's not the first thing they think about. So that's what I was talking about at the beginning, attackers are trying to go under the radar, not be spotted, and no flags to be raised when they are gaining this initial access. The same is true with these push spray attacks. Can they do it, in context, under the radar, so that the user themselves don't go, “oh, whoops, I've accidentally let an attacker in.”

Lindsey O’Donnell-Welch: Yeah. If I woke up, you know, and had a notification at like 3 a.m. or something, I think I would be like very red flags raised instantly.

Hazel Burton: Yeah. I mean, that probably does still happen as well. We do still see some of these in bombardments where you get 20, 30, 50 pushes and the easiest thing to do is go, fine. That's still very much the case as well.

Lindsey O’Donnell-Welch: Right, the psychology behind it all is so fascinating to me.

Hazel Burton: Yeah, the psychology for the attackers’ perspective is how do I follow how people are working today? And how do I make sure that they don't spot anything amiss? And for the defenders, it's about what are the anomalies that I need to detect? What are the things that I need to have in place that will raise that red flag for further investigation? It's a cat and mouse game, it always has been.

Lindsey O’Donnell-Welch: That's very indicative of how some other attacks have played out even beyond this type of specific attack. You mentioned too using other sophisticated tactics, including social engineering to trick IT departments into adding new MFA enabled devices. And do you see success with these other types of attacks in terms of how they play out, as opposed to doing more of the MFA fatigue route for attackers?

Hazel Burton: Yeah, it definitely depends on the attacker's aims and the organization they're going after. They have done presumably a lot of reconnaissance before they partake in the social engineering, so they may have used MFA scanners to see where the MFA is in place in an organization. They all have a good idea of what somebody has in place before they do the social engineering attacks. Again, they will try and go under the radar. But yeah, these have been popping up more and more in these incidents. So whether that be yet calling the IT department, maybe even compromising a temporary worker as well, it was like stolen authentication tokens from employees as well. There's just been a variety of ways. There's no single way that the attackers are trying to bypass MFA. It's multiple ways depending on what they have found in their reconnaissance period and they then choose the best course of action from there.

Lindsey O’Donnell-Welch: Looking ahead, how do you see attackers continuing to evolve their approach to MFA or their strategies around trying to bypass these really important protections?

Hazel Burton: Yeah, we're seeing increasingly the commercialization of cybercrime and more tools appearing on the market that do things as a service. We’ve been writing about these phishing-as-a-service tools. And we have seen in recent times, some of those phishing-as-a-service tools actually come with MFA bypass capabilities within them. So if an attacker were to use this tool and they discover that the organization, the target organization does have MFA, then there is part of this tool that can help them overcome that significant barrier. Attackers are looking at ways that they can use social engineering to try and persuade organizations to do something that they wouldn't normally. But there's also new tools popping up in the market where they can - if they don't have the necessary skills, the technical skills, or perhaps even the social engineering skills - there might be a tool that somebody else has built that they can take advantage of and use there. So yeah, we're seeing that pop up more and more. That's probably a trend that people need to be aware of, these new sort of developments in the tool sets.

Lindsey O’Donnell-Welch: I think what sticks out to me is that MFA is inherently a very necessary thing for organizations. And like you said, though, nothing is a silver bullet. And this is just another example of you know there being a defense and threat actors saying, OK, I want to figure out how to bypass that or figure out.

Hazel Burton: Yeah, but what I don't want people to take away from this video is, well, MFA seems very dangerous now, so I'm not going to install it. That is possibly one of the worst things that you could do because the attackers will know if you don't have MFA and then it's just a walk in the park for them. What I want people to take away is how secure at the moment is the MFA that we have? How robust is it? And do we have it on some of our critical services? Maybe let's just kind of test that and see if there is anything that we can do to shore up those defenses and maybe have some education from our employees as well, specifically for the IT department, if this kind of social engineering attack takes place, here's the things that you should do to escalate that from a user perspective. Also making people aware that there may be attempts to send these fraudulent pushes to their work enabled devices.

Lindsey O’Donnell-Welch: Hazel, any other takeaways that you think we should highlight in the report regarding MFA or other types of threats you're seeing?

Hazel Burton: The one thing to mention is there are sometimes legitimate cases where MFA simply cannot be enabled. There are certain circumstances where it's the case. So under those circumstances, have a robust access policy in place or whenever MFA can't be done there is also like security keys. These are the hardware devices that you can get, which require a pin. So if MFA isn't the right sort of answer for certain aspects of your organization, there are other ways that you can really concentrate on getting that identity context in place, knowing where people are logging in, how they're logging in, and if there's anything unusual about that, a process in place for what to do to highlight that.

]]>
dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/chinese-apt-moves-to-ransomware-in-some-intrusions

New evidence uncovered by security researchers indicates that a Chinese cyberespionage group known as ChamelGang has been deploying ransomware in some of its intrusions during the past few years, including attacks on an Indian healthcare facility and the office of the president of Brazil.

ChamelGang has been active for several years and has targeted organizations in the aviation, healthcare, and critical infrastructure sectors in several countries, including Russia, India, the United States, and Brazil. The group typically has conducted cyber espionage operations, but it also is known to use the CatB ransomware, and researchers from SentinelOne have found links connecting ChamelGang to an intrusion at the All India Institute of Medical Sciences in 2022 and another at the Presidency of Brazil that involved the use of CatB.

Though cyber espionage groups are, by definition, mostly interested in stealing information, it is not unprecedented for them to conduct financially motivated operations, as well. This is quite common among North Korean APT groups, some of which are deeply involved in cryptocurrency theft and other financially motivated intrusions. But SentinelOne’s research, which was conducted in cooperation with Recorded Future, shows evidence that ChamelGang has joined the ranks of APT groups deploying ransomware.

“This research highlights the strategic use of ransomware by cyberespionage actors for financial gain, disruption, or as a tactic for distraction or misattribution. The use of ransomware as part of cyber espionage activities may result in their misattribution as financially-motivated operations. To further misguide attribution efforts, APT groups may purchase ransomware shared by multiple cybercriminal actors. Ransomware also provides cover for the true motive behind the central component of cyberespionage operations, data exfiltration, which is also carried out by ransomware actors that follow a multi-extortion model,” the research report says.

“Further, we suspect that in late 2022, ChamelGang was responsible for attacks on the Presidency of Brazil and the All India Institute of Medical Sciences (AIIMS), a major Indian healthcare institution. These attacks were publicly disclosed as ransomware incidents and attribution information regarding the perpetrators has never been released. We discovered strong indicators pointing to these institutions as being targeted using ChamelGang’s CatB ransomware.”

The CatB ransomware has been publicly linked to ChamelGang in the past, as has the BeaconLoader tool used to deploy Cobalt Strike. The SentinelOne researchers uncovered technical artifacts that linked the AIIMS and Presidency of Brazil intrusions to ChamelGang, including the presence of a file named svchosts.exe, which is part of CatB ransomware deployments, and some other tell-tale files. In other intrusions last year, SentinelOne researchers observed ChamelGang using common off-the-shelf tools for privilege escalation and other tasks.

“We did not observe ransomware deployment in these particular intrusions; however, despite ChamelGang not necessarily using ransomware in every operation, we do not exclude the possibility that it may have occurred outside of our visibility,” the report says.

“ChamelGang uses a variety of publicly available tooling and custom malware beyond those we observed, such as Neo-reGeorg, and the DoorMe and MGDrive malware. DoorMe and MGDrive have also been associated with other suspected Chinese APT clusters.”

The SentinelOne researchers emphasized that ChamelGang’s use of ransomware is one more link in the chain of APT groups moving to expand the scope of their intrusions.

“The use of ransomware by cyberespionage threat groups blurs the lines between cybercrime and cyberespionage, providing adversaries with advantages from both strategic and operational perspectives. The operational methods of APT clusters, such as ChamelGang, the APT41 umbrella, and the recently discovered Moonstone Sleet, highlight that ransomware intrusions are not exclusively conducted by financially-motivated threat actors,” the report says.

]]>
lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/european-council-sanctions-individuals-tied-to-conti-trickbot

The European Council has sanctioned six individuals, who are allegedly involved in cyberattacks that have impacted critical infrastructure in EU member states and Ukraine, including two linked to Conti and Trickbot attacks.

For the sanctioned individuals, the measures imposed by the European Council, the body that helps to shape the direction and priorities of the European Union, mean asset freezes and travel bans, and all EU persons and entities are barred from making funds or economic resources available to them. Four of the six individuals already face charges in the U.S., but the European Council’s sanctions put further pressure on them.

“For the first time, restrictive measures are being taken against cybercriminal actors that use ransomware campaigns against essential services, such as health and banking,” according to the EU on Monday. “With these new listings, the EU and its member states reaffirm their willingness to step up efforts to provide a stronger and more sustained response to persistent malicious cyber activities targeting the EU, its member states and partners. This is in line with joint efforts with our international partners, such as the UK and the US, to disrupt and respond to cyber crime.”

Those sanctioned include Ruslan Peretyatko and Andrey Korinets, allegedly part of the Callisto group, which the European Council describes as made up of Russian military intelligence officers and which has run phishing campaigns against several EU countries to steal sensitive data from “critical state functions” such as the defense sector. The two were charged in the U.S. in December 2023 for targeting current and former employees of the U.S. Intelligence Community, Department of Defense, Department of State, defense contractors and Department of Energy facilities between 2016 and 2022.

The EU also sanctioned Mikhail Tsarev and Maksim Galochkin, who are allegedly “key players” in the deployment of the Conti and Trickbot malware families. Tsarev and Galochkin are part of the Wizard Spider threat group, which is behind several high-profile ransomware attacks against the health and banking sector. They were previously charged in September 2023 by the U.S. Department of Justice, which had alleged that Galochkin acted as a “crypter” for Conti and modified the ransomware to help it slip past anti-virus detections, while Tsarev was a manager of other Conti conspirators.

Two other individuals, Oleksandr Sklianko and Mykola Chernykh, were also listed in the European Council’s Monday sanctions. Both are part of the Armageddon threat group, which is supported by the Russian Federal Security Service (FSB) and has carried out cyberattacks on EU and Ukrainian government targets via phishing and malware campaigns. The Ukrainian government identified the two as Armageddon members in 2021, and on Monday the European Council said that Chernykh is a former employee of the Security Service of Ukraine and is charged in Ukraine with treason and unauthorized interference in the operation of electronic computing machines and automated systems.

The sanctions were adopted under the EU’s framework for restrictive measures against cyberattacks, established in 2019 as part of the Framework for a Joint EU Diplomatic Response to Malicious Cyber Activities. They also come as the EU, the U.S. and other countries weigh how best to deal with individuals behind cyberattacks who reside in jurisdictions such as Russia that do not extradite them, whether through sanctions, indictments or takedown efforts. A key element of law enforcement operations against such individuals has been increased collaboration between countries, both in sharing critical information and in jointly carrying out crackdowns on infrastructure.

“On the 21st of May, 2024 the Council approved conclusions on the future of cybersecurity aiming to provide guidance and setting the principles towards building a more cyber secure and more resilient EU,” according to the European Council. “The EU will continue to strengthen its cooperation in particular with Ukraine to advance international security and stability in cyberspace, increase global resilience and to raise awareness on cyber threats and malicious cyber activities.”

lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/decipher-podcast-metin-kortak

Below is a lightly edited transcript from the podcast conversation.

Lindsey O'Donnell Welch: This is Lindsey O'Donnell Welch with Decipher and I'm here today with Metin Kortak, CISO with Rhymetec. Thank you so much for coming on today. It's really nice to speak to you.

Metin Kortak: Thank you very much for having me.

Lindsey O'Donnell Welch: Can you talk about your path into the cybersecurity industry, and what drew you to the CISO role?

Metin Kortak: Yeah, absolutely. I have a computer science background and when I first started working at Rhymetec we were actually only offering penetration testing as a service to our customers, and then later on we realized that with our customers, there's this demand for becoming compliant with various cybersecurity frameworks, which at that time wasn't my specialty - I was more of a network security person. But as we realized that this is a very big demand from our customers, we expanded our business more for compliance and providing cyber security solutions services.

Lindsey O'Donnell Welch: I know that you do a lot with compliance and privacy and I wanted to talk a little bit about what you're seeing there, specifically with AI being such a big topic over the past year with generative AI and the general availability there. How does AI fit into companies’ existing compliance and privacy frameworks, from your perspective?

Metin Kortak: Yeah, I always say that because technology evolves so fast, laws, regulations, any sort of compliance frameworks, they always come after the technology has been created and actually built in a proper manner. We have been actually working with AI systems for the past couple of years but not until recently has there been some more compliance frameworks and regulations that became more solid. Recently we've been working with ISO 42001, which has been a recent cybersecurity framework that was really created to secure artificial intelligence systems. But this framework hasn't even been in place up until just a couple months ago and even with the auditors that we're working with they're not even yet accredited to conduct audits against these frameworks. So it's all just very new and there are a lot of concerns from our customers because they want to make sure that they're doing the right thing, they want to make sure that they're complying with certain regulations. But at the same time the regulations are not really available to them. So they don't have a lot of guidance from the government or from other cybersecurity framework providers. So it has definitely been difficult and what we have been doing is following these guidelines and sometimes we have to create our own guidelines for ensuring data privacy and data security.

Lindsey O'Donnell Welch: Outside of the Biden administration's executive order around AI and security, there haven't been really any official types of things that people, companies can point to and say here's what we need to do about AI and privacy and security. I know in the EU they recently passed the AI Act that outlined some of the governance policies that companies need to follow. Is that something that is top of mind for companies?

Metin Kortak: Yeah, absolutely, we’ve been following the key frameworks, we have been also following the NIST AI frameworks that have been kind of released, but it's not really being used by a lot of companies right now. But on top of that, as you know, GDPR, that has been around for a long time. And on top of that in California there has been CCPA for data privacy acts, and even if there wasn't an official artificial intelligence cybersecurity framework, what we have been doing to kind of get around that is ensuring that our customers are still complying with frameworks like GDPR, CCPA, while they are producing artificial intelligence systems, because even though there aren't specific AI guidelines, there are guidelines around data privacy and data security and we can interpret those guidelines and ensure that AI systems are still complying with those frameworks.

“It has definitely been difficult and what we have been doing is following these guidelines and sometimes we have to create our own guidelines for ensuring data privacy and data security.”

Lindsey O'Donnell Welch: Yeah, so it seems like the main approach here is to look at the existing frameworks and see if those policies can encompass what we're seeing with AI and lean on those existing ones?

Metin Kortak: Correct. For example, when we're working with artificial intelligence systems, there are language learning models - LLMs- the language learning models capture personal information and other data and based on that data they will yield results. And they continue to learn from that data. And when we're talking about a data privacy framework like GDPR, end users do have the option for their data to be removed. So what we do is implement procedures in place so that their personal data can not only be removed from databases but also from language learning models, so that data cannot be used for teaching the artificial intelligence learning behavior.

Lindsey O'Donnell Welch: Do you see like companies thinking about data governance at all, is that top of mind or people as it relates to AI, or are people mostly just diving in headfirst and saying “here's this really cool AI application that we can deploy,” and then not really [thinking about] dealing with the consequences after?

Metin Kortak: Yeah, I've been seeing a lot of companies just jumping on the bandwagon. Whenever AI is out there, they're like “we have to do something AI, we have to do something AI,” and they're working with all of these third-party providers, they're trying to build their own artificial intelligence systems. But they're trying to do it in a fast way because it's no longer about data security governance and privacy and it's more about competing in the marketplace. Everybody wants to make sure that they have some type of an AI product because now it makes them better than the competitor that doesn't. So I have been seeing very little attention to cybersecurity and data privacy when implementing these artificial intelligence systems because companies, mostly they care about how they can be better when it comes to their competitors. And because there wasn't a lot of regulation/compliance frameworks it was almost like a free-for-all, you can do whatever you want, you can create your AI system, you can opt your users in and you can capture their data without really having some solid consequences from a legal standpoint. I think that's why a lot of those recent laws in the European Union and other countries have been making a bigger difference because companies actually now care more about data governance and privacy as it relates to artificial intelligence systems. But before that what I have seen is that companies just try to utilize these AI systems as much as they can without having a lot of consequences.

Lindsey O'Donnell Welch: Yeah, that seems to be kind of the overall trend. When you're looking at the data governance policies themselves, what I'm seeing for one best practice for companies that are implementing AI systems is to map out all the different data sources that are being used in the AI model training. And there's so much there, right? It's crazy. But a lot of the types of models aren't really publicly available. So what's the best way to navigate something like that?

Metin Kortak: Yeah, a lot of these companies are now using open source artificial intelligence systems, meaning the AI platforms are learning from publicly available data, publicly available images, text, Google searches. So there's definitely a difference between publicly available data versus privately owned data by end users. If data is publicly available there, there isn't any regulations there that prevent companies from using publicly available information. I can go do a Google search, I can use information I see from articles and other links that I see, and utilize that information to teach my AI model to respond in a certain way. Where it gets more tricky is when behavior is based on personal information, like if a lot of people like the color yellow, and they say that they like the color yellow on their Instagram stories, or they say it on their Facebook posts or whatever, that information can be personal data, and if AI models are making decisions based on private information like that, then that's when it becomes an issue from a data governance and some privacy standpoint, because now the AI model is not just learning from publicly available information. It is actually obtaining that data from individual user accounts and utilizing their personal information to make certain decisions.

“I think that's why a lot of those recent laws in the European Union and other countries have been making a bigger difference because companies actually now care more about data governance and privacy as it relates to artificial intelligence systems.”

Lindsey O'Donnell Welch: I'm curious more from the defense side of things how you're seeing AI transforming actual cyber security practices this year. How does that compare to what you've seen in the past as well?

Metin Kortak: Yeah, so like I said when I started working at Rhymetec, we were just in penetration testing services and penetration testing is a pretty manual labor. You have to understand what vulnerabilities are in place, and then at times exploit those vulnerabilities in order to identify any issues with the networks, any issues with servers and other platforms. With artificial intelligence recently we have been seeing that AI models have been also used in aiding penetration testing, or they have been actually conducting the penetration test on their own by identifying security vulnerabilities and eventually exploiting them. Now, this is great from a pen tester standpoint because now they have an easier way to conduct these penetration tests and understand these vulnerabilities. However it can also be dangerous in the hands of the wrong people, because that means now people have a much faster way of identifying and exploiting security vulnerabilities. So how I see this impacting the future of cybersecurity is that I think in the beginning it might be definitely dangerous because people will be able to identify these security vulnerabilities a lot faster, but at the same time I think that if this practice became more common then a lot of organizations can also implement much better security controls in place and the standard for cybersecurity can be a lot higher.

Lindsey O'Donnell Welch: I think you bring up a really interesting point - this has been kind of one of the biggest discussions around AI - which is who's this going to help more, the defenders or the threat actors, and when I was at RSA a couple weeks ago, it seemed like the consensus was that right now the defenders and the ways that we're using this on the defense side seem to be more sophisticated than what they're seeing from threat actors, which is kind of basic uses for content and phishing lures, things like that.

Metin Kortak: I think that if a sophisticated threat actor is actually attempting to breach a network, they're likely not using artificial intelligence. I think that they're likely using more manual and sophisticated ways to reach networks. But I think that on the defense side, absolutely, I think using artificial intelligence can be very beneficial. I think it can help us identify these vulnerabilities a lot faster, a lot quicker and then remediate them. But I think that if somebody is really looking to breach a network they probably have a lot better options than relying on artificial intelligence models.

Lindsey O'Donnell Welch: How is AI being used in differing capacities in ways across different industry verticals, whether that's health care or banking, and as a follow up question to that, given the compliance challenges that each of these industries deal with, how is that a factor in how AI is being used?

Metin Kortak: So in the cybersecurity field I have been saying that artificial intelligence has been used more in things like intrusion detection platforms to identify anomalies, suspicious activity. We already have intrusion detection systems in place, but they usually identify the anomalies and other suspicious activity and other security related issues using a certain algorithm. With AI because it is using learned behavior, it is able to identify these security incidents a lot better than simply just following an algorithm. So we have seen that with things like intrusion detection systems, vulnerability monitoring platforms, there is definitely an added benefit to utilizing artificial intelligence systems. In addition to that, we have been also seeing artificial intelligence systems and platforms, for example, answering security questionnaire services or like answering RFPs or customers, those really tedious processes that take a lot of time manually, I think that using artificial intelligence has been actually helping us complete those type of works in a much faster way. When it comes to other industries like healthcare and banking, artificial intelligence is never 100 percent. It may give you a very solid answer and then it might give you a really bad answer the next time. So when an industry is impacting someone's life, like when you're in the healthcare industry, we don't really see artificial intelligence being used that much because it is still unpredictable, and there are still answers that we can get that may not yield good results. I think that it can still be used to aid doctors and other systems that they're using for healthcare, but I do not see that really being used for systems that might directly impact a person's life.

“I think that if a sophisticated threat actor is actually attempting to breach a network, they're likely not using artificial intelligence.”

Lindsey O'Donnell Welch: As a CISO, what do you see in terms of CISO interest in AI use cases and then also how it fits into security programs within companies?

Metin Kortak: Yeah, so recently I've been seeing a lot of third-party vendors that we work with automatically enabling artificial intelligence learning models without really asking us, especially if you're using a SaaS product, there is a likely chance that if you go to the settings page, there is an option to disable artificial intelligence or keep it enabled, and you will see that most of the time it has been enabled by default. So we have been really just seeing that option enabled by default, and it has been really making our jobs a lot more difficult because it's essentially a new product that's being enabled without really asking our consent and that's creating issues with third-party security assessments. So because of that we have been actually reviewing some of our customers’ products and other critical third-party vendors that they work with, and either disabling the AI tools or conducting further assessments to ensure that enabling AI will not really cause any compliance or other governance-related security concerns. So that has really caused some issues with third-party security assessments. However, we have also been using artificial intelligence for things like answering RFPs, answering security questionnaires and also analyzing logs, analyzing security reports to better gather some information in a much faster way. So I do think that it has been very valuable to us. I think that it has made our jobs a lot easier, but at the same time we have been doing a lot more strict due diligence because of how common AI has become recently in the platforms that we use on a day-to-day basis.

Lindsey O'Donnell Welch: I think that brings up a good point which is, a lot of companies I talked to are saying “we want AI, but we want to make sure that it solves a business problem that we have. We don't just want it slapped onto a product.” As a CISO when you're looking at different things for AI, what sticks out to you where you say “this could be something that is applicable and might be useful for an organization” versus “okay that seems like it's more hype.”

Metin Kortak: I really see AI as an efficiency improvement. I think that if something is taking a long time manually, it can be likely done faster using artificial intelligence, which is why we started using AI for analyzing security logs and also identifying certain security incidents, because doing manual log reviews or reviewing certain systems manually, it just takes up a lot of time. And I think at the end of it this saves organizations a lot of money and resources because they can actually allocate those resources for solving better problems.

Lindsey O'Donnell Welch: Are there any trends related to AI and cybersecurity that you think are going to be big or something to keep our eyes on over the next year?

Metin Kortak: I would definitely keep your eyes open for any other cybersecurity regulations that are coming up. I think ISO 42001 has been becoming a lot bigger. We have a lot of customers asking us about that framework. We have already started working on that framework with some of our customers. But on top of that we are expecting some additional cybersecurity frameworks and regulations to be released soon. So I think those should be definitely important to watch out for. Because we're expecting that in the next couple of years, a lot of organizations are going to start requiring these frameworks if you’re utilizing an AI system, and if you have not implemented these security controls or if you haven't really followed the guidance from some of these cybersecurity frameworks then that means you might have a lot more work to do later down the line.

dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/serious-flaws-fixed-in-expressionengine-cms

The developers of the popular ExpressionEngine content management system have patched two serious vulnerabilities in all current versions of the CMS, including an open HTTP redirection bug that could allow an attacker to redirect a victim to a malicious site.

The bugs affect all versions of ExpressionEngine prior to 7.4.11, and Packet Tide, which owns and develops the software, has released fixes for them. In addition to the HTTP redirection flaw, there is a group of cross-site scripting bugs, one of which could give an attacker admin access to the application. Researchers at Bishop Fox discovered the vulnerabilities, and Packet Tide released version 7.4.11 to address them.

“ExpressionEngine is affected by multiple cross-site scripting vulnerabilities that could allow an attacker to execute JavaScript in the browsers of targeted users. Bishop Fox staff demonstrated that an attacker could exploit this issue to create a super admin account in the ExpressionEngine instance by convincing or causing an administrator to view crafted content,” the Bishop Fox advisory says.

“One instance of the issue is a reflected XSS vulnerability that can be exploited by an attacker without credentials for the ExpressionEngine instance. The remaining instances of the issue are stored XSS vulnerabilities that affect the ExpressionEngine control panel.”

ExpressionEngine is a free and open source CMS that is used widely in enterprise environments.

The second vulnerability is the HTTP redirection flaw, which allows an attacker to bypass the warning dialog that ExpressionEngine shows a user before redirecting them to an external site, so that a crafted link on the trusted domain can send the user to an attacker-controlled site without any prompt.

“ExpressionEngine includes URL-redirection functionality that displays a warning prompt when redirecting to external URLs. Bishop Fox staff determined that the warning prompt can be bypassed by sending a crafted value for the URL parameter. An attacker could take advantage of this vulnerability to execute convincing phishing attacks against ExpressionEngine users by leveraging the trust that legitimate users have in the instance domain,” the advisory says.

“It is possible to bypass the redirection warning screen by omitting the protocol used,” the advisory says.
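The advisory’s wording, that the warning can be bypassed by omitting the protocol, points at a classic mistake in redirect checks: deciding a target is external only when it starts with an explicit scheme, so that a scheme-relative URL such as `//evil.example/` is treated as a local path even though the browser resolves it to another host. The block below is an added illustration of that class of bug and its fix; it is not ExpressionEngine’s code, and the exact form of the bypass in ExpressionEngine is assumed here, not taken from the advisory. The hostnames are placeholders.

```python
# Added example (not ExpressionEngine's implementation): a naive redirect check
# that only recognises external targets by scheme, beside a hardened one.
from urllib.parse import urlsplit


def is_external_naive(url):
    """Flawed check. A scheme-relative target like //evil.example/ has no
    'http://' prefix, so it is treated as internal and the warning is skipped,
    yet the browser resolves it against the page's scheme to another host."""
    return url.lower().startswith(("http://", "https://"))


def is_external(url, own_host):
    """Hardened check: anything that resolves to a host other than own_host,
    or to a non-http(s) scheme, counts as external."""
    # Browsers normalise backslashes to forward slashes in special URLs,
    # so "/\\evil.example" must be treated like "//evil.example".
    normalised = url.strip().replace("\\", "/")
    parts = urlsplit(normalised)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return True                      # javascript:, data:, etc.
    if parts.netloc:                     # explicit or scheme-relative host
        return (parts.hostname or "").lower() != own_host.lower()
    return False                         # path-only target stays on this site


def redirect_decision(url, own_host="cms.example"):
    """'warn' if the user must see the external-redirect prompt, else 'go'.
    own_host is a placeholder for the CMS instance's own hostname."""
    return "warn" if is_external(url, own_host) else "go"


if __name__ == "__main__":
    for target in ("/account/settings", "https://evil.example/",
                   "//evil.example/", "/\\evil.example/",
                   "https://cms.example@evil.example/"):
        print(f"{target!r:40} naive={is_external_naive(target)!s:5} "
              f"hardened={redirect_decision(target)}")
```

The hardened version keys on the resolved host rather than on the string prefix, which is what matters to the browser; the `user@host` case in the usage list shows why the check must read `hostname`, not `netloc`.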

Both vulnerabilities are fixed in ExpressionEngine version 7.4.11 and organizations using vulnerable versions should upgrade as soon as is practical.

lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/espionage-threat-actor-hits-multiple-government-entities

A newly uncovered threat actor named SneakyChef has been targeting government entities in multiple countries across the EMEA and Asia regions with known malware called SugarGh0st in an ongoing espionage campaign.

Researchers with Cisco Talos first reported on SugarGh0st in November 2023, after unearthing the malware in August 2023 attacks that targeted the Uzbekistan Ministry of Foreign Affairs and users in South Korea. After seeing the malware used against more countries since then, the researchers have tied the campaign to a threat actor they call SneakyChef. The actor’s targeting has now expanded to the Ministries of Foreign Affairs of Latvia, Kazakhstan, Turkmenistan, India and Angola, as well as the Royal Embassy of Saudi Arabia.

“Talos assesses with medium confidence that SneakyChef operators are likely Chinese-speaking based on their language preferences, the usage of the variants of Gh0st RAT — a popular malware among various Chinese-speaking actors — and the specific targets, which includes the Ministry of Foreign affairs of various countries and other government entities,” said Chetan Raghuprasad and Ashley Shen with Cisco Talos in a Friday analysis, released in collaboration with the Yahoo! Paranoids Advanced Cyber Threats team.

The attack chain in the campaign involves decoy documents, likely delivered via phishing emails. The SugarGh0st campaign in November started the same way, but while those decoy documents used real content published in multiple Uzbekistan sources in 2021 (a document titled “investment project details.docx”) the newer attacks use scanned documents relating to government agencies or research conferences that don’t appear to be publicly available on the internet. For instance, one attack used decoy documents that purported to be from the Ministry of Foreign Affairs in Angola and related to a financial meeting between the Angolan Ministry of Fisheries and Marine Resources and a financial advisory company.

In addition to the infection chains the threat actor previously used to spread these decoy documents and ultimately execute the malware, which researchers disclosed in November, they found another chain that delivers SugarGh0st via SFX RAR files. Nick Biasini, head of outreach with Cisco Talos, said that SFX RAR files are self-extracting, meaning that instead of a .rar file, an .exe file is delivered.

"It's difficult to say for certain why the actors chose this path, but rar files can require additional software to extract," said Biasini. "Rar is officially supported in Windows 11 but older versions of windows would require additional software to extract the contents, this mitigates that risk by providing the victim with a self extracting executable."

The infection chain leads to the eventual execution of SugarGh0st, which has various remote control and espionage capabilities, from taking screenshots of victims’ desktops to accessing the devices’ cameras. The RAT also attempts to cover up its track by clearing victims’ Application, Security and System event logs.

Other researchers have been tracking activities involving the SugarGh0st RAT. In May, Proofpoint researchers said they observed campaigns against a U.S. telecommunications company as well as organizations in the U.S. involved in artificial intelligence efforts in academia, the private sector and government sectors.

In addition to SugarGh0st, these more recent campaigns rely on a new remote access trojan that researchers call SpiceRAT. The malware relies on the well-known DLL sideloading technique, abusing a legitimate, signed executable to load a malicious DLL placed beside it, which in turn loads the payload. In this campaign, SpiceRAT uses a legitimate Samsung executable, the Samsung RunHelp application, to sideload a malicious DLL that has previously been seen in a handful of malware campaigns.

“Talos discovered that SneakyChef has employed SpiceRAT and its plugin as the payloads in this campaign,” according to Raghuprasad and Shen. “With the capability to download and run executable binaries and arbitrary commands, SpiceRAT significantly increases the attack surface on the victim’s network, paving the way for further attacks.”
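Two behaviours in this write-up are cheap to detect from endpoint telemetry: a legitimate signed binary loading an unsigned DLL from the same user-writable directory (the sideloading pattern SpiceRAT uses), and the clearing of the Application, Security and System event logs that SugarGh0st performs. The block below is an added example of that triage logic, not Talos’s detection content or code; it runs over constructed Sysmon-style image-load and log-cleared records, and the file names (RunHelp.exe is assumed to be the name of the Samsung executable, helper.dll is a placeholder) and paths are invented for the example.

```python
# Added example: triage constructed endpoint events for two SneakyChef
# behaviours, DLL sideloading and event-log clearing.
import ntpath  # handles Windows paths regardless of the analyst's OS

# Assumed user-writable roots where a sideloaded DLL tends to be dropped.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def is_sideload_candidate(rec):
    """Signed host binary loading an unsigned DLL from its own directory,
    where that directory is user-writable. Legitimate software in
    Program Files with unsigned plugins does not trip this rule."""
    if rec["event"] != "ImageLoad":
        return False
    if not rec["image_signed"] or rec["dll_signed"]:
        return False
    image_dir = ntpath.dirname(rec["image"]).lower()
    dll_dir = ntpath.dirname(rec["loaded"]).lower()
    return image_dir == dll_dir and dll_dir.startswith(USER_WRITABLE)


def triage(records):
    """Return (kind, subject, detail) alerts for the records given."""
    alerts = []
    for rec in records:
        if is_sideload_candidate(rec):
            alerts.append(("sideload", rec["image"], rec["loaded"]))
        elif rec["event"] == "LogCleared":
            # Windows records Security log clearing as event ID 1102 and
            # System/Application clearing as event ID 104; either is rare
            # outside maintenance and worth an alert on its own.
            alerts.append(("log_cleared", rec["log"], rec["process"]))
    return alerts


# Constructed records for the example (not real telemetry).
SAMPLE_EVENTS = [
    {"event": "ImageLoad",
     "image": "C:\\Users\\Public\\Music\\RunHelp.exe", "image_signed": True,
     "loaded": "C:\\Users\\Public\\Music\\helper.dll", "dll_signed": False},
    {"event": "ImageLoad",
     "image": "C:\\Windows\\System32\\svchost.exe", "image_signed": True,
     "loaded": "C:\\Windows\\System32\\kernel32.dll", "dll_signed": True},
    {"event": "ImageLoad",
     "image": "C:\\Program Files\\Vendor\\app.exe", "image_signed": True,
     "loaded": "C:\\Program Files\\Vendor\\plugin.dll", "dll_signed": False},
    {"event": "LogCleared", "log": "Security",
     "process": "C:\\Users\\Public\\Music\\RunHelp.exe"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The user-writable directory condition is what keeps the rule quiet on ordinary software; if your environment has signed vendor tools living under user profiles, add those paths to an allowlist rather than loosening the rule.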

lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/unc3886-leverages-zero-days-novel-backdoor-variants

A new deep-dive investigation into the known China-linked threat actor UNC3886 gives insight into how the group has exploited zero days in Fortinet and VMware products, deployed malware and novel backdoor variants, and collected credentials from victim organizations over the years.

UNC3886 was first discovered after Mandiant researchers investigated malware in ESXi hypervisors in 2022. After that, the threat actor was tied to exploitation of (now-patched) zero-day flaws in FortiOS (CVE-2022-42475 and CVE-2022-41328), VMware vCenter (CVE-2023-34048 and CVE-2022-22948) and VMware Tools (CVE-2023-20867). Beyond zero-day exploitation, however, researchers in their investigations of UNC3886 found several post-exploitation tactics showing how “the actor operates in a sophisticated, cautious, and evasive nature.”

“Mandiant has observed that UNC3886 employed several layers of organized persistence for redundancy to maintain access to compromised environments over time,” said Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew Potaczek, Jakub Jozwiak and Alex Marvi of Mandiant in the analysis this week. “Persistence mechanisms encompassed network devices, hypervisors, and virtual machines, ensuring alternative channels remain available even if the primary layer is detected and eliminated.”

The threat actor’s operations have targeted various industries, including governments, as well as the telecommunications, technology, aerospace and defense, and energy and utility sectors. Targeted entities are primarily in North America, Southeast Asia or the Oceania regions.

Beyond initial access, the group’s zero-day exploitation has also directly served its espionage goals. For example, UNC3886 used a VMware vCenter flaw (CVE-2022-22948) to obtain encrypted credentials from the vCenter Server PostgreSQL database (postgresDB) and gain further access on the system.

After gaining initial access to vCenter servers, the threat actor would access managed ESXi servers and gain control over guest VMs that shared the ESXi server with the vCenter server. The group then used publicly available rootkits on the guest VMs for persistence and detection evasion. These rootkits include Reptile, an open-source Linux rootkit and Medusa, an open-source rootkit that has capabilities for logging user credentials from successful authentications and executing commands.

The threat actor leveraged the Medusa rootkit in order to deploy a custom SSH server that could collect SSH credentials, however “REPTILE appeared to be the rootkit of choice by UNC3886 as it was observed being deployed immediately after gaining access to compromised endpoints,” said researchers. “REPTILE offers both the common backdoor functionality, such as command execution and file transfer capabilities, as well as stealth functionality that enables the threat actor to evasively access and control the infected endpoints via port knocking.”

The group used several other tactics, including backdoor variants (which researchers call VirtualShine, VirtualPie and VirtualSphere) that communicate over the Virtual Machine Communication Interface (VMCI) between a guest VM and its hypervisor, so that the traffic never touches the network. UNC3886 was also spotted targeting a TACACS+ server with sniffer malware and a backdoor in order to steal credentials. TACACS+ is the Cisco-developed successor to the TACACS protocol and is used by network appliances for centralized authentication, authorization and accounting.

“An unauthorized access to a system functioning as an authentication server like a TACACS+ server is an absolute security nightmare,” said researchers. “The threat actor could access or manipulate user credentials and authorization policies stored within its database. Accountability of TACACS+ would also be affected as the threat actor could tamper with the accounting logs stored on the TACACS+ server, covering their tracks and concealing malicious activities.”

Many of UNC3886's campaigns have been documented over the years, including its exploitation of the bug in VMware Tools (CVE-2023-20867) in order to gain unauthenticated remote code execution in 2023, and its attacks against a critical-severity remote code execution flaw in VMware’s centralized management utility, vCenter Server, which began in 2021 and went on for almost two years before patches were released.

lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/vmware-warns-of-critical-vcenter-server-flaws

VMware is urging customers to apply patches for two critical vulnerabilities in its vCenter Server centralized management utility, which if exploited could allow remote code execution.

The heap overflow flaws (CVE-2024-37079 and CVE-2024-37080) exist in the vCenter Server’s implementation of the DCE/RPC protocol, which enables remote procedure calls. VMware said it is not aware of current exploitation of the bugs in the wild, but vCenter Server is a product that has previously been targeted by threat actors. The two flaws have a base score of 9.8 on the CVSSv3 severity scale.

“A malicious actor with network access to vCenter Server may trigger these vulnerabilities by sending a specially crafted network packet potentially leading to remote code execution,” according to VMware’s security update on Monday.

The two flaws were reported to VMware by Hao Zheng and Zibo Li from TianGong Team of Legendsec at Qi'anxin Group.

VMware urged customers to install the patches listed in its security advisory, noting that products that contain vCenter Server, including vSphere and Cloud Foundation, are also impacted.

VMware said that no mitigations are available; however, “there may be other mitigations and compensating controls available in your organization, depending on your security posture, defense-in-depth strategies, and configurations of perimeter firewalls and appliance firewalls. All organizations must decide for themselves whether to rely on those protections.”

VMware also issued a fix for important-severity local privilege escalation bugs (tied to CVE-2024-37081) in vCenter. VMware said that attackers with non-administrative privileges could exploit the bugs to elevate privileges to root on a vCenter Server Appliance, but they would need to be authenticated and local, making the flaws slightly less severe.

Critical flaws have previously been found in VMware’s vCenter Server, which aims to help users manage virtual machines, ESXi hosts, and other components from a centralized location. Vulnerabilities in this server management software have also been targeted by threat actors. Earlier this year, researchers found that a Chinese threat group had exploited a critical vCenter Server remote code execution flaw for almost two years before patches were released in October 2023.

dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/latest-eu-proposal-fundamentally-undermines-encryption

A recent revision to a proposal in the European Union Council that would require the operators of communications services to develop a method for “upload moderation” of content such as pictures and videos has drawn sharp criticism from the president of Signal, one of the more popular secure messaging apps.

EU legislators have been considering various proposals that are ostensibly aimed at addressing the issue of child exploitation material on encrypted messaging and communications platforms for several years. Previous versions have included language that required client-side, or on-device, scanning of private messages and photos, a clause that cryptographers and computer scientists fought against, explaining that it was not possible without introducing crippling security weaknesses to the encryption schemes on those devices and apps. That version was eventually voted down, but debate about the ability to somehow inspect encrypted messages and files has continued, and the most recent proposal includes a requirement that platform operators have the ability to do so-called “upload moderation” of these files.

That idea has not gone over well in the security and privacy communities, as any implementation of that kind of technology would affect not just European companies and users, but people and operators around the world. The proposal would not be voluntary and the EU Council may reach a decision on it later this week.

“There is no way to implement such proposals in the context of end-to-end encrypted communications without fundamentally undermining encryption and creating a dangerous vulnerability in core infrastructure that would have global implications well beyond Europe,” Meredith Whittaker, president of Signal, the non-profit that operates the secure messaging platform of the same name, said in a post Monday.

Whittaker echoed the sentiments of many in the cryptography and privacy communities who have repeatedly pointed out the dangers of introducing a weakness intentionally into these platforms. But lawmakers in the EU and elsewhere have continually gone down the same road, tweaking the language and looking for new ways to say the same thing.

“Rhetorical games are cute in marketing or tabloid reporting, but they are dangerous and naive when applied to such a serious topic with such high stakes. So let’s be very clear, again: mandating mass scanning of private communications fundamentally undermines encryption. Full stop. Whether this happens via tampering with, for instance, an encryption algorithm’s random number generation, or by implementing a key escrow system, or by forcing communications to pass through a surveillance system before they’re encrypted. We can call it a backdoor, a front door, or ‘upload moderation’,” Whittaker said.

“But whatever we call it, each one of these approaches creates a vulnerability that can be exploited by hackers and hostile nation states, removing the protection of unbreakable math and putting in its place a high-value vulnerability.”

Congress has considered various bills in the last few years that have included similar proposals, but none has made it through the process yet. There are likely to be future bills in the U.S., Europe, and elsewhere, however.

“Either end-to-end encryption protects everyone, and enshrines security and privacy, or it’s broken for everyone. And breaking end-to-end encryption, particularly at such a geopolitically volatile time, is a disastrous proposition,” Whittaker said.

lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/unique-social-engineering-attack-used-to-deliver-infostealers

Several threat actors are leveraging a “unique social engineering” tactic in order to infect users with various information stealers and remote access trojans like Lumma Stealer, DarkGate and NetSupport.

The technique has been observed in attacks that started in early March and that are ongoing. Attackers show victims a pop-up textbox, which they either send in malicious emails or display on compromised, legitimate websites. The pop-up message tells users that an error occurred when attempting to open a document attachment or webpage, and gives instructions to copy and paste a malicious script on their systems, which leads to the installation of malware.

While the attack chain requires significant user interaction to be successful, researchers said that “the social engineering in the fake error messages is clever and purports to be an authoritative notification coming from the operating system.” At the same time, hundreds of thousands of emails from a spam distributor have been sent that use this attack technique.

“While we don’t have insight into how many of these attacks were successful, it is likely the threat actors are seeing a decent infection rate given that they keep using this technique,” said Selena Larson, threat researcher at Proofpoint. “This is why it’s extremely important for organizations to train users on new and evolving threats across the landscape and ensure defense in depth—like flagging on non-administrative users executing PowerShell—to prevent exploitation at multiple steps in the attack chain.”
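The defense-in-depth control Larson mentions, flagging non-administrative users who execute PowerShell, can be expressed as a simple triage rule over process-creation telemetry. The following is an added example, not code from Proofpoint or from the article; the event fields (user, is_admin, parent, image, cmdline) are a hypothetical schema standing in for whatever the EDR or Sysmon feed provides, and the sample events, including the encoded command (which decodes to a harmless Write-Host), are constructed here. The rule escalates when the command line carries an -EncodedCommand payload, which is the form the article says was copied to the clipboard.

```python
import base64
import re

# Hypothetical process-creation event shape (a real EDR/Sysmon schema will differ):
# user, whether that user holds local admin rights, parent image, image path, command line.
def _encode_ps(script: str) -> str:
    """Mimic PowerShell's -EncodedCommand format: Base64 over UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample events; the encoded command decodes to a harmless Write-Host.
SAMPLE_EVENTS = [
    {"user": "CORP\\jdoe", "is_admin": False, "parent": "explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand "
                + _encode_ps("Write-Host 'constructed sample'")},
    {"user": "CORP\\svc_build", "is_admin": True, "parent": "jenkins.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -File C:\\build\\deploy.ps1"},
    {"user": "CORP\\asmith", "is_admin": False, "parent": "explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe notes.txt"},
    {"user": "CORP\\asmith", "is_admin": False, "parent": "explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe"},
]

PS_IMAGES = {"powershell.exe", "pwsh.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_RE = re.compile(r"(?i)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})")


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, None if there is none,
    or a marker string if the token is present but will not decode."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"


def triage(events):
    """Flag PowerShell launched by non-admin users; escalate to high when the
    command line carries an encoded payload. Admin and non-PowerShell events are ignored."""
    findings = []
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if image not in PS_IMAGES or ev["is_admin"]:
            continue  # only non-admin PowerShell is in scope for this rule
        reasons = ["non-admin user launched PowerShell"]
        decoded = decode_encoded_command(ev["cmdline"])
        if decoded is not None:
            reasons.append("encoded command on the command line")
        if ev["parent"].lower() == "explorer.exe":
            reasons.append("interactive launch from explorer.exe")
        findings.append({
            "user": ev["user"],
            "severity": "high" if decoded is not None else "low",
            "reasons": reasons,
            "decoded": decoded,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["severity"], f["user"], "; ".join(f["reasons"]), f["decoded"] or "")
```

The plain `powershell.exe` launch from explorer.exe is kept at low severity rather than dropped: on its own it is what the article describes the victim doing (opening a terminal to paste into), so it is worth correlating with a subsequent encoded or download-style command from the same user, rather than alerting on alone.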

The social engineering technique has been used by the TA571 spam distributor, which is an initial access broker that sends emails in bulk in an attempt to deliver malware for various cybercriminal customers. Starting in March, TA571 has sent over 100,000 email messages and targeted thousands of organizations globally using this tactic. The messages in this campaign contain an HTML attachment that purports to be a Microsoft Word document, and when opened the attachment shows an error message saying the “Word Online” extension isn’t installed and giving targeted email recipients instructions for fixing the issue, displaying "How to fix" and "Auto-fix" buttons.

"Clicking the 'How to fix' button copied a base64-encoded PowerShell command to the computer’s clipboard, and the message on the page changed to instruct the target to open a PowerShell terminal and right-click the console window," said Tommy Madjar, Dusty Miller and Larson with Proofpoint in the Monday analysis. "Right clicking a terminal window pasted the content of the clipboard and executed the PowerShell. Proofpoint observed two different PowerShell commands in these files: one that downloaded and executed an MSI file, and one that downloaded and executed a VBS script... Proofpoint observed TA571 use similar attack chains in campaigns throughout the spring, using various visual lures and varying between instructing the victim to either open the PowerShell terminal or using the Run dialog box by pressing the Windows button+R."

The tactic has also been used in campaigns since April tied to ClearFake, a cluster of tracked activity not currently attributed to a known threat actor, which uses fake browser update lures on legitimate websites that have been compromised with malicious HTML and JavaScript. When users visit those websites they load a malicious script (which is hosted on the blockchain through Binance’s Smart Chain Contracts). These scripts purport to be a Google Chrome warning telling website visitors that “something went wrong while displaying this webpage,” and instruct the targets to install a "root certificate" in order to see the website correctly. This campaign leads to the execution of Lumma Stealer, information stealer malware, and also loads various payloads including a downloader (ma.exe) that downloads and runs the XMRig cryptocurrency miner.

The number of organizations targeted by the ClearFake activity is more difficult to quantify, because it’s more opportunistic. Additionally, due to filtering, not everyone who visits the website would be vulnerable, said researchers. While both actors are relying on similar tactics for social engineering, researchers said they are not associated with each other. However, the attack chain showcases how threat actors are adopting increasingly creative tactics for malware delivery.

“In all cases, both via the fake updates or the HTML attachments, the malicious PowerShell/CMD script is copied to the clipboard via browser-side JavaScript, commonly used on legitimate sites too,” according to researchers. “The malicious content is contained in the HTML/website in various places, and encoded in several ways, such as double-Base64, reverse Base64 or even clear text in various elements and functions. The legitimate use, and the many ways to store the malicious code, and the fact that the victim manually runs the malicious code without any direct association with a file, makes detection for these types of threats difficult.”
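The detection difficulty the researchers describe comes from two properties: the command is copied to the clipboard by ordinary browser JavaScript, and it is stored in the page under several encodings (double-Base64, reversed Base64, or clear text). A content scanner for HTML attachments and fetched pages can address both by pairing a clipboard-API check with a layered decoder that tries each encoding until a command-looking string appears. The code below is an added example written for this article, not Proofpoint's tooling; the sample HTML and the benign comparison page are constructed here, the hidden payload decodes to a harmless PowerShell line, and the indicator list is a short illustrative one rather than a complete ruleset. It generalizes slightly beyond the text by peeling any mix of the two encodings up to a fixed depth.

```python
import base64
import re

# Constructed sample HTML attachment (not a real lure). The hidden strings decode to a
# harmless PowerShell line so that the scanner has something to surface.
SAMPLE_COMMAND = "powershell -NoProfile -Command Write-Host 'constructed sample'"
DOUBLE_B64 = base64.b64encode(
    base64.b64encode(SAMPLE_COMMAND.encode()).decode().encode()).decode()
REVERSED_B64 = base64.b64encode(SAMPLE_COMMAND.encode()).decode()[::-1]

SAMPLE_HTML = f"""<html><body>
<p>Document preview unavailable.</p>
<script>
  var p = "{DOUBLE_B64}";
  var q = "{REVERSED_B64}";
  function fix() {{ navigator.clipboard.writeText(atob(atob(p))); }}
</script>
<button onclick="fix()">How to fix</button>
</body></html>"""

# A benign page that also embeds a long Base64 literal (a constructed session token),
# to show the scanner does not fire on Base64 alone.
CLEAN_HTML = ('<p>Quarterly report</p><script>var token = "'
              + base64.b64encode(b"session-id-0001-constructed").decode() + '";</script>')

# Browser-side ways to place text on the clipboard.
CLIPBOARD_RE = re.compile(
    r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)", re.I)
# Quoted literals long enough to be an encoded payload rather than a short token.
STRING_RE = re.compile(r"""["']([A-Za-z0-9+/=]{24,})["']""")
# Illustrative indicators of a shell or PowerShell command in decoded text.
INDICATORS = ("powershell", "pwsh", "cmd.exe", "cmd /c", "mshta", "invoke-expression",
              "iex(", "iex ", "downloadstring", "-encodedcommand")


def _b64_text(s: str):
    """Strict Base64 decode to printable UTF-8 text, or None if either step fails."""
    try:
        out = base64.b64decode(s, validate=True).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError both subclass ValueError
        return None
    return out if out.isprintable() else None


def peel(blob: str, max_layers: int = 4):
    """Breadth-first strip of up to max_layers of Base64 or reversed Base64.
    Returns every intermediate (text, steps) pair that decoded cleanly."""
    frontier = [(blob, [])]
    results = []
    for _ in range(max_layers):
        nxt = []
        for cur, steps in frontier:
            for name, candidate in (("base64", cur), ("reverse+base64", cur[::-1])):
                out = _b64_text(candidate)
                if out is not None:
                    nxt.append((out, steps + [name]))
        results.extend(nxt)
        if not nxt:
            break
        frontier = nxt
    return results


def scan_html(html: str):
    """Report clipboard-copy JavaScript plus any string literal that decodes
    (after one or more layers) to text containing a command indicator."""
    uses_clipboard = bool(CLIPBOARD_RE.search(html))
    decoded = []
    for literal in sorted(set(STRING_RE.findall(html))):
        for text, steps in peel(literal):
            hits = [i for i in INDICATORS if i in text.lower()]
            if hits:
                decoded.append({"steps": steps, "text": text, "indicators": hits})
    if uses_clipboard and decoded:
        verdict = "suspicious"  # encoded command plus a way to put it on the clipboard
    elif decoded:
        verdict = "review"      # command-looking payload but no clipboard API seen
    else:
        verdict = "clean"
    return {"clipboard_copy": uses_clipboard, "decoded": decoded, "verdict": verdict}


if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_HTML), ("clean", CLEAN_HTML)):
        r = scan_html(doc)
        print(name, r["verdict"], [(f["steps"], f["indicators"]) for f in r["decoded"]])
```

The verdict deliberately requires both signals before calling a page suspicious: clipboard writes are common on legitimate sites, as the researchers note, and long Base64 literals are common in tokens and embedded assets, but a literal that decodes to a PowerShell command sitting next to a clipboard write is the combination the article describes and is rare in benign pages.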
