77% of security leaders fear we’re in a perpetual cyber war • The Register
In short A survey of cybersecurity decision makers found that 77% believe the world is now in a perpetual state of cyber warfare.
Additionally, 82% believe that geopolitics and cybersecurity are “intrinsically linked” and two-thirds of organizations surveyed said they had changed their security posture in response to the Russian invasion of Ukraine.
Of those surveyed, 64% believe they have already been the target of a nation-state-led cyberattack. Unfortunately, 63% of security officials surveyed also believe they would never even know if a nation-state level actor framed them.
The survey, organized by security outlet Venafi, interviewed 1,100 security managers. Kevin Bocek, vice president of security strategy and threat intelligence, said the results show cyber warfare is here and it’s completely different than many would have imagined. “Any business can be damaged by nation states,” he added.
According to Bocek, it has been common knowledge for some time that government-backed Advanced Persistent Threat (APT) teams are used to pursue geopolitical objectives online. Unlike conventional warfare, Bocek said, everyone is a target and there is no military or government method to protect everyone.
Nor will there be many financial remedies available. Earlier this week, Lloyd’s of London announced it would no longer reward policyholders for certain attacks on nation states.
Late Friday, Facebook agreed in principle to settle a US lawsuit for damages for letting third parties, including Cambridge Analytica, access users’ private data. The terms of the settlement have not yet been finalized.
Googlers Discover a Charming Email Scraping Tool
Researchers from Google’s Threat Analysis Group (TAG) have detailed email-stealing malware believed to be from Iranian APT Charming Kitten.
The tool, which TAG has dubbed Hyperscrape, is designed to siphon information from Gmail, Yahoo! and Outlook accounts. Hyperscrape runs locally on the infected Windows machine and is able to browse the contents of a targeted inbox and download messages individually. To hide his tracks, he can, among other things, delete emails alerting users to possible intrusions.
Not to be confused with Rocket Kitten, another APT allegedly backed by Iran, Charming Kitten has been hijacking accounts, deploying malware and using “new techniques to conduct espionage aligned with Iranian government interests” for years. , said TAG.
In the case of Hyperscrape, it appears the tool is rarely used or still being worked on, as Google said it had seen fewer than two dozen instances of the malware, all located in Iran.
The malware is also limited in terms of its ability to function: it must be installed locally on the victim’s machine and has dependencies which, if moved from its folder, will interrupt its functionality. Additionally, Hyperscrape “requires the victim’s account credentials to run using a valid, authenticated user session that the attacker has hijacked, or credentials that the attacker has already earned,” Google said.
Although its use may be rare and its design somewhat restrictive, Hyperscrape is still dangerous malware that Google said it wrote about to raise awareness. “We hope this will improve understanding of tactics and techniques that will improve threat hunting capabilities and lead to stronger protections in the industry,” wrote Google security engineer Ajax Bash.
Security professionals can find the compromised data indicators for Hyperscrape in Google’s report.
A French agency could investigate Google again
A French government agency that fined Google twice for violating data privacy regulations and GDPR has been told by the European Center for Digital Rights (NOYB) about another potential bad practice: dressing ads so that ‘they look like normal emails.
According to NOYB, Google pops advertisements into Gmail users’ inboxes that appear to be regular emails, which would be a direct violation of the EU ePrivacy Directive, as people may not have not technically registered or have not consented to see this stuff.
“When commercial emails are sent directly to users, they constitute direct marketing emails and are regulated by the ePrivacy Directive,” NOYB said.
Because Google “successfully filters most external spam into a separate spam folder,” claims NOYB, when unsolicited messages end up in a user’s inbox, it makes it look like they’re is about something he actually signed up for, when he hasn’t.
“EU law already says it quite clearly: the use of email, for direct marketing purposes, requires the consent of the user,” NOYB said, referring to a court press release. of justice in the EU. [PDF] as of 2021 that outlines the rules around inbox advertising.
“It’s pretty simple. Spam is commercial email sent without consent. And that’s illegal. Spam doesn’t become legal just because it’s generated by the email provider,” the lawyer said. by Noyb, Romain Robert.
The French Data Protection Authority (CNIL) has spoken out against Google’s past behavior before. In February, Google was found to be in breach of GDPR regulations by transmitting data to the United States. Google was also fined by the French Competition Authority for failing to pay French publishers when using their content.
NOYB said in its complaint [PDF] to the CNIL that, because it accuses Google of violating the ePrivacy Directive and not the GDPR, the watchdog does not need to cooperate with, or wait for, the actions of other national data protection authorities to decide whether to amend or otherwise sanction the American web giant.
Nobelium is back with a new post-compromise tool
Microsoft security researchers have described custom software used by Nobelium, aka Cozy Bear, aka the perpetrators of the SolarWinds attack, to maintain access to compromised Windows networks.
Dubbed MagicWeb by Redmond, this malicious Windows DLL, once installed by a highly privileged intruder on an Active Directory Federated Services (ADFS) server, can be used to ensure that any user attempting to log in is accepted and authenticated. This will help attackers get back into a network if they somehow lose their initial access.
Microsoft noted that MagicWeb is similar to the FoggyWeb malware deployed in 2021, and added that “MagicWeb goes beyond FoggyWeb’s collection capabilities by directly facilitating covert access.”
It’s also not a theoretical example of malware: Microsoft said it found a real-life example of MagicWeb in action during an incident response investigation. According to Microsoft, the attacker had administrative access to the ADFS system and replaced a legitimate DLL with the MagicWeb DLL, “causing ADFS to load malware instead of the legitimate binary.”
MagicWeb is post-compromise malware that requires the attacker to already have privileged access to their target’s Windows systems. Microsoft recommends treating ADFS servers as higher level assets and protecting them as you would a domain controller.
Additionally, Microsoft recommends that domain administrators enable inventory certificate issuance policies in PKI environments, use verbose event logging, and check for event ID 501, which indicates an infection. MagicWeb.
Redmond said organizations can also avoid a MagicWeb infection by keeping an eye out for executable files located in Global Assembly Cache (GAC) or ADFS directories that have not been signed by Microsoft, and adding AD FS and GAC to Audit Analytics.
Hijacked anti-cheat software for killing AV
It turns out that the Genshin Impact role-playing game’s anti-cheat software can be, and is, used by malefactors to kill antivirus on victims’ Windows computers before mass deploying ransomware across a network.
TrendMicro said it spotted mhyprot2.sys, the kernel-mode anti-cheat driver used by Genshin, used much like a rootkit by intruders to disable endpoint protection on machines. The software is designed to kill unwanted processes, such as cheat programs.
You don’t need to have the game installed on your PC to be at risk, as ransomware launchers can drop a copy of the driver onto victims’ computers and use it from there.
It has the privileges, code signing and functionality necessary for extortionists to make their ransomware deployment a breeze, we are told. TrendMicro recommends monitoring for unexpected installations of the mhyprot2 driver, which should show up in the Windows event log, among other steps detailed in the link above. ®