Websites these days know everything about you — even some details you might not realize. Hackers can take advantage of that with a sharp-toothed attack that exploits Europe's GDPR-mandated data portability rules.

Source: Design Pics Inc Alamy Stock Photo

Researchers are warning that an otherwise positive European data regulation has introduced massive risks to individuals and the companies they work for.

Ever since the passage of the General Data Protection Regulation (GDPR), Internet users in Europe — and in many places around the world following suit — have been able to download the entirety of the data that websites save about them. Besides the obvious benefits to privacy and transparency, the idea was portability: Anyone could take the data one site possessed about them and transfer it to another.

In a new blog post, CyberArk highlights a theoretical yet severe cost to this new right to data portability. Before the rule, everyone's most sensitive data was protected behind brick walls at ultrasecure data centers. Now that users can retrieve that data via a cloud-based mechanism, hackers can access their accounts and steal it all. Considering the extent of the data that websites collect about us today, the possibilities for malfeasance are endless.

"It's my legal right, and it's perfectly fine that I'm capable \[of seeing\] what information is being kept about me," says Lior Yakim, threat researcher at CyberArk Labs, who dubs the attack "White FAANG," since the vulnerable data could be exported from services provided by major tech companies like Facebook, Amazon, Apple, Netflix, and Google (FAANG).

Related:'Bootkitty' First Bootloader to Take Aim at Linux

However, he warns, "Because it's so easy to get all of that highly intrusive information — together with the fact that people use the same devices for corporate and personal purposes — there's a major risk."

**The Data Sites Have on You**

Companies hoard gobs of sensitive information, especially the largest technology companies most central to our online lives. They possess everything from our most sensitive personally identifying information (PII) to the long histories of our online activity. But even the most jaded Internet users might be surprised just how deep this hole goes.

Meta, for example, records not only your documented Facebook activity, but also plenty of undocumented data, like what posts you viewed, and exactly how long you viewed them.

Google, likewise, saves not only your entire search history, but even searches you typed but didn't ultimately execute.

GDPR's well-intentioned data portability regulations forced companies to make all of this information exportable at the click of a button, in a machine-readable format. And what's stopping a hacker in possession of your account from doing just that? "The most common protection is, indeed, multifactor authentication (MFA). But as we know, MFA can be bypassed," Yakim notes.

Related:China's Cyber Offensives Built in Lockstep With Private Firms, Academia

**The Risks to Individuals and Corporations**

With export data, there is no limit to what an attacker can do. They can use your Google search history to blackmail you, your GPS data from Meta to find where you live, and your Apple calendar history to know where you've been and where you'll be, to say nothing of the endless possibilities for cyberattacks.

Beyond all that, there's the risk to employers. Individual accounts can house all kinds of data that pertains to, or can otherwise be used to attack the companies they work for.

Again, the scenarios are limitless. With an Apple export, for example, a hacker could take the MAC address associated with an employee's unpatched AirPods, spoof a Bluetooth connection, exploit CVE-2024-27867 to gain access to them, then listen in on corporate meetings. Or, Yakim suggests, they can leverage information like the operating system version of the employee's mobile phone. "If I know, for example, that the mobile device of the employee is not up to date, I can search for specific, known vulnerabilities in order to target this employee," he says.

And there are far simpler, more present dangers than that. CyberArk surveyed 14,000 employees, finding that around 63% use personal accounts on their work computers, and 80% access work applications from their personal computers. Thanks to this comingling, work passwords tend to end up stored in far less secure personal accounts, from which they can be exported. This was how Cisco got breached in 2022, and Okta in 2023, a case that affected every one of its customers as well.

Related:VISO TRUST Secures $24M to Accelerate Innovation in AI-Powered Third-Party Risk Management

To prevent that from happening, employees need to draw a clear line in the sand between their business and pleasure online. "Personal accounts are less secure than corporate accounts," Yakim says. "That's the message that we're trying to deliver here."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

'White FAANG' Data Export Attack: A Gold Mine for PII Threats

Cisco on Monday updated an advisory to warn customers of active exploitation of a decade-old security flaw impacting its Adaptive Security Appliance (ASA).
The vulnerability, tracked as CVE-2014-2120 (CVSS score: 4.3), concerns a case of insufficient input validation in ASA's WebVPN login page that could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack

Cisco Warns of Exploitation of Decade-Old ASA WebVPN Vulnerability

SmokeLoader malware has resurfaced with enhanced capabilities and functionalities, targeting your personal data.

****SUMMARY****

*   **Targeted Campaign**: SmokeLoader malware attacks Taiwanese industries, including manufacturing, healthcare, and IT.

*   **Phishing Emails**: The campaign uses phishing emails exploiting MS Office vulnerabilities (CVE-2017-0199, CVE-2017-11882).

*   **Credential Theft**: Plugins target browsers, email clients, and FTP software to steal credentials and sensitive data.

*   **Advanced Techniques**: SmokeLoader employs evasion tactics like code obfuscation, anti-debugging, and sandbox evasion.

*   **Preventative Measures**: FortiGuard Labs blocked the malware, offering antivirus signatures and IPS rules for protection.

Cybersecurity researchers at Fortinet’s FortiGuard Labs have discovered a series of new malware attacks targeting companies in Taiwan. The attacks, which have been linked to the **SmokeLoader malware**, have impacted industries ranging from manufacturing and healthcare to IT and beyond.

SmokeLoader, known for its ability to deliver other malicious payloads, is taking a more direct role in this campaign, using its own plugins to execute attacks and steal sensitive data.

According to research by FortiGuard Labs, the attacks began with phishing emails containing malicious attachments, which were designed to exploit vulnerabilities in Microsoft Office. These included **CVE-2017-0199**, enabling malicious documents to automatically download and execute harmful payloads, and **CVE-2017-11882**, exploiting a vulnerability in Microsoft Office’s equation editor for remote code execution.

The emails, as per FortiGuard Labs’ **blog post** shared with Hackread.com heard of this publishing on Monday, written in native Taiwanese, were convincing but contained inconsistencies, such as different font and colour schemes, that suggested the text had been copied from elsewhere.

Once the malicious attachment was opened, the SmokeLoader malware was downloaded and executed, allowing it to communicate with its command and control (C2) server. From there, the malware downloaded various plugins, each designed to target specific applications and extract sensitive information.

The plugins used by SmokeLoader were found to target popular web browsers, email clients, and file transfer protocol (FTP) software, including Internet Explorer, Firefox, Chrome, Opera, Outlook, Thunderbird, and FileZilla. The malware was able to extract login credentials, auto-fill data, and even email addresses from these applications.

One of the plugins, known as Plugin 4, was designed to clear cookies from targeted browsers, forcing victims to re-enter their login credentials. Another plugin, Plugin 8, was used to inject keylogging code into explorer.exe, allowing the malware to capture keyboard inputs and clipboard content.

The SmokeLoader malware was also found to use advanced techniques to evade detection, including code obfuscation, anti-debugging, and sandbox evasion. Its modular design allows it to adapt to different attack scenarios, making it a formidable threat to organizations.

The attack flow and phishing emails used in the attack (Via: Fortinet’s FortiGuard Labs)

FortiGuard Labs has detected and blocked the malware, assigning it a severity level of “High.” The company has also provided protections for its customers, including antivirus signatures and IPS rules to detect and prevent malware.

In a comment to Hackread.com, **Casey Ellis**, Founder and Advisor at Bugcrowd, a San Francisco, Calif.-based leader in crowdsourced cybersecurity suggests the use of SmokeLoader aligns with a broader global pattern of cyber actors preparing for future attacks by infiltrating systems in advance.

_“_Given the geo-political environment, Taiwan is no stranger to thinking about Advanced Persistent Threats (APTs) and the use of SmokeLoader does seem to follow suit with the general trend of pre-positioning that we have seen in other parts of the world._“_

****What can you do to protect yourself?****

To avoid falling victim to the SmokeLoader malware, it’s important to stay cautious with emails from unknown or suspicious sources. Don’t click on links or download attachments, especially if they prompt you to enable macros or run files.

If you’re unsure about an email, even from a familiar source, check its content carefully. Scan links, files, and attachments using tools like VirusTotal or your system’s security software to ensure they’re safe.

1.  **Fickle Stealer Exploits Software Flaws, Steals Browser Data**
2.  **Malware Exploits Avast Anti-Rootkit Driver to Disable Security**
3.  **Malware Bypasses Microsoft Defender, Steals $24,000 in Crypto**
4.  **SteelFox Malware Posing as Popular Software, Steal Browser Data**
5.  **Facebook Malvertising Attack Spreads Malware via Fake Bitwarden**

SmokeLoader Malware Exploits MS Office Flaws to Steal Browser Credentials

A stealthy JavaScript injection attack steals data from the checkout page of sites, either by creating a fake credit card form or extracting data directly from payment fields.

Source: Kim Kuperkova via Shutterstock

Attackers are targeting Magento e-commerce websites with a new card-skimming malware that can dynamically lift payment details from checkout pages of online transactions. The attack, discovered by a researcher from Web security firm Surcuri, comes as online retailers and shoppers are priming for this week's historically busy Black Friday online shopping day.

Sucuri security analyst Weston Henry discovered the attack in the form of a malicious JavaScript injection, which has multiple variants and target sites built on the popular e-commerce platform in two different ways, according to a blog post published on Nov. 26.

One way is by creating a fake credit card form to steal card details, the other is by extracting the data directly from the payment fields. "Its dynamic approach and encryption mechanisms make it challenging to detect," Sucuri security analyst Puja Srivastava explained in the post. The data is then encrypted and exfiltrated to a remote server controlled by the attacker.

Magento-based websites are a frequent target for cybercriminals due to their widespread usage for e-commerce and the valuable customer data they handle, including payment card or bank account details. And card-skimming — typically by a group of cybercriminals collectively known as Magecart — is a popular attack vector to steal such data from these sites.

Related:News Desk 2024: Can GenAI Write Secure Code?

**Cyber Victims Targeted During Shopper Checkout**

Henry discovered the malicious script during a routine inspection of a Magento-based site with Sucuri's SiteCheck. "The tool identified a resource originating from the blacklisted domain dynamicopenfonts.app," explained Sucuri security analyst Puja Srivastava in the post. Eventually, the resource was found in two locations on the site.  

One of the locations where it was found was within the <referenceContainer> directive of the XML file, which is designed to load a JavaScript resource just before the closing <body> tag.

Attackers obfuscated the contents of the external script to avoid detection, "making it challenging to identify at first glance," Srivastava noted.

Once executed, the script activates only on pages containing the word "checkout" but excluding the word "cart" in the URL, with the aim of extracting sensitive credit card information from specific fields on the checkout page.

After it's completed this malicious task, the malware collects additional user data through Magento’s APIs, including the user's name, address, email, phone number, and other billing information. "This data is retrieved via Magento's customer-data and quote models," Srivastava explained.

Related:Israel Defies VC Downturn With More Cybersecurity Investments

**Magento Malware's Strong Anti-Detection Game**

Attackers behind the malware have taken care to use multiple anti-detection techniques to hide their malicious activity, the researchers found. While the malware is collecting the data, it first encodes it as JSON and then XOR-encrypts it with the key "script" to add an extra layer of obfuscation, the researchers found.

The encrypted data also is Base64-encoded before being sent via a beaconing technique to a remote server at staticfonts.com. Beaconing is a method whereby a script or program sends data silently from the client to a remote server without alerting the user or interrupting their activity.

While legitimate applications such as analysis tools also use beaconing, malicious actors favor the technology because it's a stealthy and hard-to-detect way to transmit stolen data, the researchers noted.

**How to Secure E-Commerce Sites From Cyberattack**

To protect e-commerce sites from stealthy card-skimmers — particularly on busy shopping days like Black Friday, which are a goldmine for cybercriminals — Sucuri recommends administrators conduct regular security audits, monitor unusual activity, and deploy a robust Web application firewall (WAF) to protect sites.

Related:'RomCom' APT Mounts Zero-Day, Zero-Click Browser Escapes in Firefox, Tor

They also should ensure that sites are consistently updated with the latest security patches, as "outdated software is a primary target for attackers who exploit vulnerabilities in old plug-ins and themes," Srivastava wrote.

Administrators also should ensure they use strong, unique passwords on e-commerce sites to bolster security and avoid having them easily cracked by attackers. Finally, implementing file integrity monitoring to detect any unauthorized changes to website files also can serve as an early warning system.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Sneaky Skimmer Malware Targets Magento Sites Ahead of Black Friday

Researchers reveal major vulnerabilities in popular corporate VPN clients, allowing remote attacks. Discover the NachoVPN tool and expert…

Researchers reveal major vulnerabilities in popular corporate VPN clients, allowing remote attacks. Discover the NachoVPN tool and expert advisories to mitigate these critical security risks.

In a recent presentation at SANS HackFest Hollywood 2024, cybersecurity researchers at London, England-based firm AmberWolf have revealed critical security vulnerabilities in widely used corporate Virtual Private Network (VPN) clients allowing attackers to target macOS and Windows systems.

These vulnerabilities, found in both traditional SSL-VPN clients and modern Zero Trust solutions, could be exploited by attackers to gain remote code execution and elevated privileges on end-user devices.

The researchers found that VPN clients, while essential for secure remote access, often have deep system access. This makes them attractive and possibly a lucrative target for hackers.

The main problem lies in how these clients trust VPN servers. Attackers can create malicious VPN servers that exploit this trust, allowing them to run commands and gain administrator-level access to a user’s computer with little to no user interaction.

****NachoVPN****

To help the security community understand and mitigate these risks, the researchers have released NachoVPN, an open-source tool that simulates the attack scenarios discussed in their presentation. This tool acts as a malicious VPN server and shows how it can exploit weaknesses in different VPN clients. NachoVPN is designed to be easy to use and can be adapted to test for new vulnerabilities as they are discovered.

_“_NachoVPN serves as a proof-of-concept tool to simulate rogue VPN servers capable of exploiting these vulnerabilities, AmberWolf researchers wrote in their blog post. _“_It showcases how insecure behaviours in VPN clients can be leveraged to gain privileged code execution._“_

Alongside NachoVPN, the researchers have published detailed advisories documenting the specific vulnerabilities disclosed during their presentation. These advisories provide technical descriptions, attack vectors, and mitigation recommendations to help organizations protect themselves against these threats.

****Vulnerabilities****

The vulnerabilities affect popular corporate VPN clients, including Palo Alto GlobalProtect and SonicWall NetExtender for Windows. The advisories, identified as CVE-2024-5921 and CVE-2024-29014, highlight the risks of remote code execution and privilege escalation via malicious VPN servers.

****NachoVPN on GitHub****

For more information about NachoVPN and the disclosed vulnerabilities, interested parties can visit the project’s **GitHub** repository and review the detailed advisories. The researchers’ presentation from SANS HackFest Hollywood 2024 is also available on the SANS YouTube channel, providing further insights into their findings and recommendations.

1.  ASUS and NordVPN Partner to Integrate VPN into Routers
2.  Hackers Calling Employees to Steal VPN Logins from Firms
3.  Ivanti VPN Flaws Exploited by DSLog Backdoor, Crypto Miners
4.  Cisco Fixes High-Severity Code Execution, VPN Hijacking Flaws
5.  Hackers Use Stolen VPN Access against Ivanti Users Despite Patches

AmberWolf Launches NachoVPN Tool to Tackle VPN Security Risks

With a focus on creating technologies for other markets, Israel continues to be a valued destination for venture capital in cybersecurity outside the US and Europe.

Source: thinkhubstudio via Shutterstock

Though funding for cybersecurity startups began slowing globally in late 2022, Israeli startups continue to win significant cybersecurity investments, even with the nation's ongoing military operation in Gaza and escalating regional tensions.

The continued investment shows that Israel continues to be one of the strongest hubs for tech innovation in the US outside of Silicon Valley, says Or Shoshani, CEO and co-founder of Tel Aviv-based Stream.Security. His company, a cloud detection and response firm, garnered its first round of funding — a $26 million Series A — in March 2022 at the tail end of the boom. Earlier this month, the company was awarded a Series B round for $30 million.

"I've been traveling more than I've been doing in the last four years. Why? Just to show that we are here to support our customers, and we have built a business that is truly resilient, regardless of where we are and regardless of the state \[of affairs\] Israel is experiencing."

Following a two-year drought, cybersecurity startup companies are seeing an uptick in investment internationally, with the value of deals expected to grow by 45% in 2024 — a reversal of fortunes compared to the 40% decrease in 2022 and 49% drop in 2023, according to data from cybersecurity investment-advisory firm Altitude Cyber.

Related:Microsoft VS Code Undermined in Asian Spy Attack

Following a peak in Q4 2021, investment in cybersecurity firms tapered off for two years. It's starting to return. Top: Number of deals. Bottom: Value of deals in billions of US$. Source: Altitude Cyber

The investment focus of Altitude Cyber's clients, for example, remains the US, Israel, and Europe, followed by the rest of the world, says Dino Boukouris, founder and managing partner at the firm.

"We don't anticipate that trend will change any time soon," he says. "Even with the geopolitical climate we're in, Israel has continued to deliver, the US cyber market remains as strong as ever, and Europe \[and the\] UK continue to innovate and produce really great cyber companies."

**Cybersecurity Springs Back**

Israel's research and development centers took off during the US regulatory assault on encryption in the 1990s and the migration of chip design to many of the technology parks around Tel Aviv and Haifa during the past two decades. On the cybersecurity side, the nation has developed "outsized" capabilities, according to a recent history of Israel's evolution in cybersecurity.

Similar to Silicon Valley, going out for a cup of coffee often means running into two or three entrepreneurs that are going to tell you about their latest idea, says Jacques Benkoski, general partner at US Venture Partners, an investor in Stream.Security.

With the country's focus on cybersecurity and the density of talent and education available in a small area, innovation naturally follows, he says. 

Related:Under-Resourced Maintainers Pose Risk to Africa's Open Source Push

"When you look at the history of venture capital, you have nodes of innovation that are characterized by a catalytic density of talent — you look at places like Silicon Valley, you look at places like Tel Aviv, and you just have a lot of people that are focused on the same thing," he says. "And from the acceleration through dialogues and the collisions \[of ideas\] between those people comes more innovation" than other parts of the world.

Yet, one aspect of Israel's venture-capital scene is that investors do not want to fund companies solving local problems. Instead, the focus is on creating technologies and businesses that address issues in the US, Europe, and worldwide, Benkoski say.

"We typically invest in companies that see the US as their primary market — it's actually an investment condition," he says. Second rounds of venture capital for companies like Stream.Security are often to develop a stronger presence in their primary market, he adds.

**Broadening Out Cybersecurity Investment**

While the country's cybersecurity ecosystem certainly has its adherents, other investors see a focus on local ecosystems to be desirable. Ukraine has historically had a strong cybersecurity community — albeit mixed with its share of cybercriminal groups — and that could see a resurgence if Russia ends its war, says Ron Gula, president of Gula Tech Adventures, an investment firm.

Related:Software Productivity Tools Hijacked to Deliver Infostealers

"I'm hopeful that the Ukraine war will end soon, and believe the tech ecosystem there will emerge as a rival to the Israeli ecosystem," he says.

Other areas of the world also offer substantial benefits for investment. In addition to expanding its investment into Israel, Forgepoint Capital plans to focus on Latin America and the Asia-Pacific regions, where the mobile-first ecosystem requires a tailored approach to cybersecurity, managing director J. Alberto Yépez says.

"Other geographies have more of a built-in enterprise industry infrastructure to support local innovation, with established institutions taking an active role to drive collaboration and better anticipate and address their customers' needs," he says, adding that the firm has partnered with global financial institutions to help innovate. "We aim to address a critical gap in growth funding for startups in Europe while expanding our purview into Latin America and Israel," he says.

One overhyped technology for investors? AI. While artificial intelligence has technology giants spending heavily — and nearly every cybersecurity firm boasts of AI features — the impact of AI startups on cybersecurity remains modest, says Altitude's Boukouris. But there have been some significant financing deals for AI-cybersecurity companies in past few years, including Protect AI ($60 million in Series B funding, HiddenLayer ($50 million, Series A), Witness AI ($28 million, Series A), and Cranium ($25 million, Series A), he says.

"Vendors specifically focused on security for AI/ML are still primarily in the early stages in terms of funding," he says. "We've only seen one significant M&A event so far, with Robust Intelligence being acquired by Cisco for around $300 million, which indicates that we are still in the early stages of security for AI."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Israel Defies VC Downturn With More Cybersecurity Investments

Cyberattackers have been targeting the online NFT marketplace with emails claiming to make an offer to a targeted user; in reality, clicking on a malicious link takes victims to a crypto-draining site.

Source: Mundissima via Alamy Stock Photo

Cyberattackers are targeting users of the OpenSea nonfungible token (NFT) platform with a phishing attack that lures users with the potential sale of items listed on the marketplace. The aim? Draining their cryptocurrency wallets dry.

Researchers at Cofense discovered the campaign, in which adversaries impersonate the OpenSea website and claim a user has a new offer on a listing on the site to try to bait them into clicking on a malicious link.

"The goal of the phishing scheme is to get recipients to connect their crypto wallets to the phishing page, which will drain their wallets," Cole Adkins of the Cofense Phishing Defense Center wrote in a post. "The phish presents itself as an offer on an NFT the recipient has listed on OpenSea, in hopes they will click on it and connect their wallet once redirected."

OpenSea is the largest marketplace for NFTs and thus "the go-to platform for many entry-level NFT enthusiasts looking to enter the crypto collectible market," who are likely unaware of the common tactics of phishers and thus can easily be fooled, he wrote.

The campaign demonstrates the speed with which attackers are targeting new and emerging technologies like NFT — which held little interest for people until OpenSea was launched in 2017 —  with custom campaigns tailored to their particular interests, he said. OpenSea marketplace currently has more than 2 million users with at least one transaction on the site, many of them enterprise users.

Related:Sneaky Skimmer Malware Targets Magento Sites Ahead of Black Friday

**OpenSea Brand Impersonation for the Phishing Lure**

The attack begins when targeted victims receive an email that appears to come from OpenSea. To a savvy user, it would be a clear phish, as the sender address is "administrator\[at\]motordna\[dot\]io," and thus unrelated to the NFT marketplace. However, the branding in the content of the email mimics OpenSea using a look that's similar to the site, and it could fool someone not keeping an eye out for phishing clues, according to Cofense.

"By branding the email as OpenSea and employing the same email format used for an actual notification from the OpenSea NFT marketplace, the threat actor hopes to ease the recipient’s suspicion so they will click the button in the email body," Adkins wrote.

Recipients are prompted to hit an "Access Now" button to direct to a purported offer that's come on one of their items on the marketplace, demonstrating the use of social engineering that adds urgency and aims to instill excitement at the potential of a sale, he wrote.

Users that click on the button are directed to a fake OpenSea webpage that's also been designed by attackers to appear legitimate. The page shows that an offer has been made on an NFT owned by the victim and they must accept it quickly by connecting to their crypto wallet via a "Connect Wallet" button, or else lose their chance at a sale. Clicking presents the user with multiple ways to access the wallet, such as via a QR code or signing in with credentials. Once this step is complete, an attacker can control the wallet and any credentials associated with it.

Related:News Desk 2024: Can GenAI Write Secure Code?

**NFT in the Crosshairs**

The campaign is not the first time OpenSea has been targeted by a potential threat actor. A couple of years ago, an employee of one of the marketplace's email vendors, Customer.io, accessed and downloaded the company's email list, ostensibly for future phishing attacks. The cybercriminal group Marko Polo also has impersonated OpenSea as a way to target its users for fraud.

While NFT hasn't quite gone mainstream yet, attackers are increasingly targeting those interested in the novel technology to expand their attack surface. These attacks will likely ramp up as the technology gains popularity, according to Cofense. "This … highlights why recipients must stay vigilant and up to date with common phishing threats in order to protect their assets," Adkins wrote.

Related:Israel Defies VC Downturn With More Cybersecurity Investments

Cofense recommends that users of OpenSea and other NFT marketplaces use the same online hygiene as any other e-commerce user when navigating access to their accounts. Best practices for protecting assets include avoiding clicking on links in emails from addresses or users they don't recognize, and learning to recognize common phishing and social-engineering tactics. The company also recommends that OpenSea users should check the sender field of any email that purports to be from the marketplace for suspicious-looking addresses that could alert them to foul play.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

OpenSea Phishers Aim to Drain Crypto Wallets of NFT Enthusiasts

New analysis says law enforcement efforts against Russian-language ransomware-as-a-service (RaaS) infrastructure helped consolidate influence behind BlackBasta, but some experts aren't so sure the brand means that much.

Source: JK Sulit via Alamy Stock Photo

The Russian-language ransomware scene isn't all that big. And despite an array of monikers for individual operations, new analysis shows these groups' members are working in close coordination, sharing tactics, botnets, and malware among one another, as well as with the Russian state. And now, a new power player ransomware group brand has emerged — BlackBasta.

Since the spectacular law enforcement takedown of Conti's operations in 2022, the Russian-language ransomware landscape has been a bit in flux. Upending usual business operations further was the subsequent August 2023 takedown of Qakbot botnets, long relied upon by these groups to deliver their ransomware. The law enforcement action, called "Operation Duck Hunt," removed Qakbot malware from more than 700,000 infected machines. The Qakbot botnet takedown success would be short lived. Analysts started to see the it pop back up in cyberattacks just a couple of months later.

Even so, by January, BlackBasta has already pivoted and was observed using a competing botnet tool called Pikabot, along with an emerging new threat group, Water Curupira, which similarly used Pikabot to drop BlackBasta ransomware.

From there BlackBasta diversified into phishing, vishing, and social engineering, as well as buying entry into target networks from initial access brokers. But by last August, the ransomware group was using its own custom-developed malware, Cogscan, used to map victim networks and sniff out the most valuable data, as well as a .NET-based utility called Knotrock, used to execute ransomware.

Related:Dark Reading Confidential: Pen-Test Arrests, 5 Years Later

**Are Law Enforcement Takedowns Against Ransomware Working?**

In a new report, RedSense cybersecurity analyst Yelisey Bohuslavskiy has provided a detailed look at the evolution of BlackBasta tactics, concluding that the group's requirement to adapt in the wake of large-scale law enforcement has made it a leader in the Russian-language ransomware space. In fact, Bohuslavskiy worries that the group is in a position to become an important partner of the Russian state. In the report, he used the example of the punishing rounds of cyberattacks against the healthcare sector this year and a potential bleak peek at what's to come.

"Considering the abnormality of 2024 high-profile attacks against healthcare, I am concerned about the potential liaison between BlackBasta and \[Russian nation-state threat actor\] Nobelium \[Midnight Blizzard\] and the Russian security apparatus in general," Bohuslavskiy tells Dark Reading. "While at this point, the connection is mostly MS Teams exploitation and some other TTPs and can not be confirmed, if in the future Russian ransomware groups will develop direct cooperation with the Russian state, this will result in tangible deterioration of the threat landscape."

Related:Leaky Cybersecurity Holes Put Water Systems at Risk

He predicts that BlackBasta and the hackers in its orbit will get increasingly sophisticated in their attacks in the months to come, namely social engineering attempts at compromising credentials.

"I would advise preparing for defending different social engineering against endpoints with a focus on credentials," Bohuslavskiy adds. "Cisco, Fortinet, and Citrix credentials are definitely the main focus of BlackBasta now. I would also look at GitHub repositories and other open repositories that an enterprise may have, as we are seeing these actors hunting for them."

This is good news for cyber defenders. Social engineering is a much less efficient way to disseminate ransomware versus a botnet blast, Bohuslavskiy adds.

"To my opinion, the most important thing is that law enforcement action is working," he says. "The transition shows a slow but steady movement from botnets to social engineering, even for traditionalists like BlackBasta. And by all means, social engineering is inferior to botnets in dissemination."

Related:Going Beyond Secure by Demand

Bohuslavskiy points to the Conti group's foray into a massive experiment with call centers filled with people conducting social engineering cyberattacks, adding that it turned out to be a flop.

"Trickbot, Emotet, and Qbot were the ultimate sources of ransomware delivery for the entirety of the Russian-speaking domain, and by now, all of them are down due to law enforcement action," he says. "No substitute has come since. However, we should be aware that the leadership of the groups also understands this, and therefore, they will try to double down on developing new botnets. This is why I predict that BlackBasta's plays with social engineering will be short-lived."

**Russian-Language Ransomware Coordination**

Expert ransomware negotiator Ed Dubrovsky, COO and partner at Cypfer, isn't sure it's that simple. In his experience, he explains, these Russian RaaS operations are highly decentralized groups of individual hackers with a complex organizational structure. Assigning cooperation between groups and the Russian state implies a level of operational coordination he hasn't seen.

When one group is taken down by law enforcement, individual talent easily flows to another brand, in his view.

"We tend to bunch them up together into a named group like BlackBasta, which is nothing more than an umbrella structure offering software and infrastructure solutions and some adjacent services," Dubrovsky says. "They are completely dependent on the affiliates, aka franchisees, to actually conduct attacks. So to claim that there is cooperation between nation-state actors and a ransomware 'brand' or 'franchise' is almost equivalent to saying McDonald's is working with state actors because they have a McDonald's in Russia."

He suggests it's more likely individuals shuffling around ransomware trade secrets driven purely by return on investment rather than commitment to any specific group or specific fear of law enforcement.

It's also important to note that "Russian-speaking" doesn't necessarily mean "Russian threat actors" when it comes to the hackers circulating around these RaaS operations, Ngoc Bui, cyber expert with Menlo Security says.

"Many Dark Web forums and illicit communities predominantly use the Russian language, but this doesn’t necessarily mean all participants are Russian," she explains. "This distinction is critical when interpreting predictions about increased coordination."

She adds there is a "golden rule" among these adversaries.

"As long as operations don’t target Russia or its allies, they are often overlooked," she says. "This tolerance can make Russia an appealing environment for cybercriminals to operate, whether or not direct state coordination is involved."

Beyond assigning specific tactics to various brands, Dubrovsky urges cybersecurity teams to focus on protecting their systems from increasingly well-funded and well-trained Russian-speaking ransomware adversaries. The entire threat landscape has been exploding since 2013, and he views its "further deterioration" predicted by Bohuslavskiy as an obvious given.

"Could we say that this will accelerate even more due to the resources available to \[threat actors\] and certainly nation-states? Absolutely," Dubrovsky adds. "Would/could it be directly correlated because of observed TTPs? Not sure this will ever be conclusive. The real question is how do we defend against threat actors with increasing resources and capabilities to cause more impact."

BlackBasta Ransomware Brand Picks Up Where Conti Left Off

In a "new class of attack," the Russian APT breached a target in Washington, DC, by credential-stuffing wireless networks in close proximity to it and daisy-chaining a vector together in a resourceful and creative way, according to researchers.

Source: Science Photo Library via Alamy Stock Photo

A sophisticated cyber-espionage attack used by notorious Russian advanced persistent threat (APT) Fancy Bear at the outset of the current Russia-Ukraine war demonstrates a novel attack vector that a threat actor can use to remotely infiltrate the network of an organization far away by compromising a Wi-Fi network in close proximity to it.

Fancy Bear (aka APT28 or Forest Blizzard) breached the network of a US organization using this method, which the researchers at Volexity are calling a "Nearest Neighbor" attack.

"The threat actor accomplished this by daisy-chaining their approach, to compromise multiple organizations in close proximity to their intended target, Organization A," Volexity researchers Sean Koessel, Steven Adair, and Tom Lancaster wrote in a post detailing the attack. "This was done by a threat actor who was thousands of miles away and an ocean apart from the victim."

The hack demonstrated "a new class of attack" for an attacker so far away from the intended target to use the Wi-Fi method, the researchers said. Volexity tracks Fancy Bear — a part of Russia's General Staff Main Intelligence Directorate (GRU) that's been an active adversary for at least 20 years — as "GruesomeLarch," one of the APT's many names.

Volexity first discovered the attack just ahead of Russia's invasion of Ukraine in February 2022, when a detection signature Volexity had deployed at a customer site indicated a compromised server. Eventually, the researchers would determine that Fancy Bear was using the attack "to collect data from individuals with expertise on and projects actively involving Ukraine" from the Washington, DC-based organization.

Related:Dark Reading Confidential: Meet the Ransomware Negotiators

**A Cyberattack Chained Through Multiple Orgs**

The attack involved Fancy Bear performing credential-stuffing attacks to compromise at least two Wi-Fi networks in close physical proximity to the target. The attacker then used credentials to compromise the organization, since credential-stuffing attacks alone couldn't compromise the targeted organization's network due to the use of multifactor authentication (MFA), according to Volexity.

"However, the Wi-Fi network was not protected by MFA, meaning proximity to the target network and valid credentials were the only requirements to connect," the researchers wrote.

Ultimately, the investigation revealed "the lengths a creative, resourceful, and motivated threat actor is willing to go to in order to achieve their cyber-espionage objectives," they wrote.

During the course of a lengthy investigation, Volexity worked with not only with the targeted organization but also connected with two other organizations (aka Organizations B and C) that were breached to eventually reach the target.

Related:Ransomware Attack on Blue Yonder Hits Starbucks, Supermarkets

Ultimately, Volexity discovered an attack structure to breach Organization A that used privileged credentials to connect to it via the Remote Desktop Protocol (RDP) from another system within Organization B's network.

"This system was dual-homed and connected to the Internet via wired Ethernet, but it also had a Wi-Fi network adapter that could be used at the same time," the researchers explained in their post. "The attacker found this system and used a custom PowerShell script to examine the available networks within range of its wireless, and then connected to Organization A's enterprise Wi-Fi using credentials they had compromised."

Moreover, the APT also used two modes to access to Organization B's network to gain intrusion to the ultimate target, the researchers discovered. The first was using credentials obtained via password-spraying that allowed them to connect to the organization's VPN, which was not protected with MFA. Volexity also found evidence the attacker had been connecting to Organization B's Wi-Fi from another network that belonged to nearby Organization C, demonstrating the daisy-chain approach to the attack, the researchers wrote.

Related:Yakuza Victim Data Leaked in Japanese Agency Attack

Throughout the attack, Fancy Bear adopted a living-off-the-land approach, leveraging standard Microsoft protocols and moving laterally throughout the organization. One tool in particular that they made particular use of was an inbuilt Windows tool, Cipher.exe, that ships with every modern version of Windows, the researchers found.

**Beware Thy (Wi-Fi) Neighbors**

Because the attack highlights a new risk for organizations of compromise through Wi-Fi even if an attacker is far away, defenders "need to place additional considerations on the risks that Wi-Fi networks may pose to their operational security," treating them "with the same care and attention that other remote access services, such as virtual private networks (VPNs)," the researchers observed.

Recommendations for organizations to avoid such an attack include creating separate networking environments for Wi-Fi and Ethernet-wired networks, particularly where Ethernet-based networks allow for access to sensitive resources. They also should consider hardening access requirements for Wi-Fi networks, such as applying MFA requirements for authentication or certificate-based solutions.

To detect a similar attack once the threat actor achieves presence on the network, organizations should consider monitoring and placing an alert on anomalous use of the common netsh and Cipher.exe utilities. Defenders also can create custom detection rules to look for files executing from various nonstandard locations, such as the root of C:\\ProgramData\\, and improve detection of data exfiltration from Internet-facing services running in an environment.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Fancy Bear 'Nearest Neighbor' Attack Uses Nearby Wi-Fi Network

By Philippe Laulheret
ClipSP (clipsp.sys) is a Windows driver used to implement client licensing and system policies on Windows 10 and 11 systems.
Cisco Talos researchers have discovered eight vulnerabilities related to clipsp.sys ranging from signature bypass to elevation of privileges and sandbox escape:

TALOS-2024-1964 (CVE-2024-38184)
TALOS-2024-1965 (CVE-2024-38185)

Monday, November 25, 2024 08:00

By Philippe Laulheret

ClipSP (clipsp.sys) is a Windows driver used to implement client licensing and system policies on Windows 10 and 11 systems.

Cisco Talos researchers have discovered eight vulnerabilities related to clipsp.sys ranging from signature bypass to elevation of privileges and sandbox escape:

*   TALOS-2024-1964 (CVE-2024-38184)
*   TALOS-2024-1965 (CVE-2024-38185)
*   TALOS-2024-1966 (CVE-2024-38186)
*   TALOS-2024-1968 (CVE-2024-38062) 
*   TALOS-2024-1969 (CVE-2024-38187)
*   TALOS-2024-1970 (CVE-2024-38062)
*   TALOS-2024-1971 (CVE-2024-38062)
*   TALOS-2024-1988 (CVE-2024-38062)

This research project was also presented at both HITCON and Hexacon. A recording of the latter’s presentation is embedded at the end of this article.

****What is ClipSp?****

ClipSp is a first-party driver on Microsoft Windows 10 and 11 that is responsible for implementing licensing features and system policies, and as such it is one of the main components of the Client Licensing Platform (CLiP). Little is known about this driver; while most Microsoft drivers and DLLs have publicly available debug symbols, in the case of ClipSp, those were removed from Microsoft's symbol server. Debug symbols provide function names and other related debug information that can be leveraged by security researchers to infer the intent behind the many functions of a binary; their absence hinders that. Surprisingly, the driver is also obfuscated, a very rare occurrence in Microsoft binaries, likely to deter reverse engineering even further. Limited public research exists, much of which either predates our findings or was released in response to our reports. The latter research also shares symbols from an older version of ClipSp, which could be a useful springboard for anyone wanting to research this driver. The most interesting aspect of this software involves implementing features related to licensing Windows applications from the Windows App store and activation services for Windows itself.

****Deobfuscation****

The driver is obfuscated with Warbird, which is Microsoft’s proprietary obfuscator. Luckily, past research comes in handy, and we can adapt to suit our needs. The plan to deobfuscate the driver is to leverage the binary emulation framework Qiling, to emulate the part of the driver responsible for deobfuscating the obfuscated sections, and dump the executable memory range to import it into our favorite reversing tool.

During normal operation, the obfuscation appears as follows:

We can see that a decrypt function is called twice with different parameters, followed by a call to the actual function being deobfuscated and, finally, two calls to re-obfuscate the relevant section.

Using Ida Python, we can track all the references to the decrypt functions (there are actually two distinct functions), and recover their arguments by looking at the instructions that precede the function call where the RCX and RDX registers are being assigned. Per calling conventions, these two registers are the first and second arguments of the function. Then, we can feed this information to our modified Qiling script to emulate the decryption functions and dump the whole deobfuscated binary. Once the driver is deobfuscated, we can start reversing it to understand how Windows communicates with the driver, understand various business logic elements, and look for vulnerabilities.

****Driver communication****

Usually, drivers either register a device that can be reached from userland or export the functions that are meant to be used by other drivers. In the ClipSp case, things behave slightly differently. The driver exports a “ClipSpInitialize” function that takes a pointer to an array of callback functions that get populated by ClipSp, to then be used by the calling driver to invoke ClipSp functionalities. Grepping for “ClipSpInitialize” throughout the System32 folder shows that the best candidate for using ClipSp is “ntoskrnl.exe”, followed by a handful of filesystem drivers that use a limited amount of ClipSp functions. For the rest of this report, we will focus on how “ntoskrnl” interacts with ClipSp.

Analyzing the cross-references within the Windows’ kernel to ClipSp functions, it becomes clear that, to interact with them, a call to “NtQuerySystemInformation” with the SystemPolicy class is required. Other binaries in the CLiP ecosystem will issue these system calls, while also providing a remote procedure call (RPC) interface to decouple other software from the undocumented API. However, nothing stops us from interacting with the “NtQuerySystemIformation” endpoint directly, which becomes a handy trick to bypass some of the additional checks that are enforced by the intended RPC client library.

****Obfuscated structures****

Unfortunately for us, looking at how a legitimate binary interacts with the SystemPolicy class, we can see the following (from  wlidsvc!DeviceLicenseFunctions::SignHashWithDeviceKey):

This is another layer of obfuscation that encapsulates the data passed over to the API. The idea here is that a network of binary transformations (also known as a Feistel cipher) is used to encrypt the data with the various operations inline in the code (as seen above). Part of the API call will provide the list of operations that were used, and the kernel will call them directly with the appropriate parameters to decrypt the data. As such, the easier approach to dealing with this is to simply rip out both the encryption code and the associated parameters and re-use them in our own invocation of the API. Copying and pasting the decompiler’s output into Visual Studio is a little tedious but usually works fine. Before returning from the syscall, the resulting data is obfuscated in a similar fashion, and, once again, ripping out the data from a working implementation is the most straightforward way to deal with it. Overall, the data format looks as such:

The inner payload (left) is an array of size-value entries that contain the command number that needs to be executed, followed by the Warbird material used to encrypt the reply from the kernel, and finally command-specific data that depends on which ClipSp function is being invoked.

This data is then encapsulated into a structure that mostly specifies the number of entries there are in the provided array and the whole thing then gets encrypted. The remaining Warbird data in the righ-most part of the diagram is to instruct the kernel how to decrypt the provided data.

Here’s our best guess at the various available commands:

Most of them call into ClipSp, but a few (especially in the <100 range) may be solely handled by the Windows kernel.

****Sandbox considerations****

Microsoft provides a tool to test if a piece of code can be run within a low-privilege context called a Less Privileged Application Container (LPAC) sandbox. Using this with our proof of concept, we can confirm that ClipSp’s APIs are actually reachable from an LPAC context. This is particularly interesting as these application containers are usually used to sandbox high-risk targets, such as parsers and browser rendering processes. As such, any elevation of privilege vulnerabilities we could find would likely double as sandbox escapes as well.

****Processing licenses****

Throughout the reversing process, we observed that the license files handled by ClipSp were quite interesting. They are usually obtained silently from Microsoft when interacting with UWP applications (both coming from the App Store and those installed by default, such as Notepad). They can also be used for other purposes, such as Windows activation, hardware binding, and generally providing cryptographic material for various applications.

At first, license files appear to be opaque blobs of data that are installed via the “SpUpdateLicense” command. This can be invoked following the process described above with the command “\_id = 100”. Existing licenses are stored in the Windows registry at the following location:

HKLN\\SYSTEM\\CurrentControlSet\\Control\\{7746D80F-97E0-4E26-9543-26B41FC22F79}

Only the SYSTEM user can access this registry key. From an elevated prompt, the following command can open regedit as SYSTEM:

PsExec64.exe -s -i regedit

The format for these licenses is mostly undocumented, but looking at how they are being parsed is pretty informative. These licenses are in a tag-length-value (TLV) format, where the list of authorized tags is contained in an array of tuples of the form (tag, internal\_index) hardcoded inside ClipSp. Upon parsing, a pointer to each valid TLV entry is stored in an array at the location indicated by the internal\_index:

****Signature bypass (**TALOS-2024-1964**)****

Licenses are signed by various signing authorities whose public keys are hardcoded in ClipSp. Verification code looks as such:

The “entry\_of\_type\_24” value is a pointer saved during the parsing of the license and points to its signature. The difference between “entry\_of\_type\_24” and “License\_data” is pointer arithmetic used to count the number of bytes from the beginning of the license blob up to its signature. 

During the parsing, this looks as such:

If the internal index associated with the entry’s tag is 24, then the processing loop is temporarily exited. A pointer to the signature is saved, and if more data remains, the license processing is resumed.

We can see that this approach is flawed: If there is data after the license’s signature, it will still be parsed but not checked against the signature, effectively enabling an attacker to bypass the signature check of any license as long as they can get one that is already signed with the proper signing authority.

****Out-of-bound read vulnerabilities (**TALOS-2024-1965,TALOS-2024-1968, TALOS-2024-1969, TALOS-2024-1970, TALOS-2024-1971, TALOS-2024-1988**)****

We can cross reference where the license structure and its array of pointers to the TLV data is being used, and what we find is many wrapper functions that return either the length/size of a given entry or the data associated with it. In most cases, this is done in a secure fashion, but there are a few entries that make assumptions on the size of the data provided in the license blob, which leads to a handful of out-of-bound read vulnerabilities. An example of such vulnerabilities can be seen in the following screenshots:

These two functions retrieve either the size of the DeviceID field or its content. However, if the data is formatted in such a way that line 11 is reached (i.e., no entry of type 5 in the license provided) then the **data** field of entry 18 is used to provide both size and value by dereferencing its pointer, without checking if enough data was provided for that. For instance, if we append a DeviceID entry (type 18) at the end of a valid license blob, but make it so its data field is only one byte long, then the “get\_DeviceIDSize” function will read one byte out of bound, as it is expecting two bytes of data. Furthermore, any function that calls “get\_DeviceID” will receive a pointer that is pointing one byte past the end of the license file and will likely act on wrong information from the “get\_DeviceIDSize” function for further out of bound (OOB)-read problems.

****Turning an OOB-read into an OOB-write (**TALOS-2024-1966**)****

If we look specifically at the case described above where the DeviceIdSize field can be read out of bound, this creates a particularly interesting situation where the expected size of the DeviceID object can change throughout its lifetime if the data immediately adjacent in memory changes in a meaningful way. The first byte of data after the license blob will also be read as the leading byte of the (unsigned short) value defining the size of the DeviceID. Looking at how these two functions are used in ClipSp, we can see that during the installation of a hardware license, the following happens:

We can see multiple calls to the “get\_DeviceIDSize” function, with one providing the size field to a memory allocation routine, while another call is used as a parameter to a “memcpy”. If the size field changes in between the two calls, this may lead to an out-of-bounds write vulnerability.  

Exploiting a vulnerability like this is far from trivial, as one would have to win a race condition between the two fetches while being able to shape the PagedPool heap in such a way that there’s meaningful data located right after the malicious license blob.

****Conclusion****

As we have just seen, obfuscated code can hide low hanging fruit, trivial memory corruptions, and simple logic bugs. In the case of ClipSp, this issue is even more serious, as this attack vector may lead to sandbox escapes and potentially significant impact to the compromised user.

As such, this is a reminder for security researchers on the value of taking the less traveled path, even if it begins with a bramble of Feistel functions. And for the software engineers and project managers who decide to leverage obfuscation for their projects, this is also a stark reminder that this approach may hinder normal bug finding processes that would detect trivial bugs early on.

\[Please embed video from: https://www.youtube.com/watch?v=9t0Xt40RZEc  \]

Tag

#cisco