Monday, May 27, 2024

Moroccan Cybercrime Group Steals Up to $100K Daily Through Gift Card Fraud

Microsoft is calling attention to a Morocco-based cybercrime group dubbed Storm-0539 that's behind gift card fraud and theft through highly sophisticated email and SMS phishing attacks.

"Their primary motivation is to steal gift cards and profit by selling them online at a discounted rate," the company said in its latest Cyber Signals report. "We've seen some examples where the threat actor has stolen up to $100,000 a day at certain companies."

Storm-0539 was first spotlighted by Microsoft in mid-December 2023, linking it to social engineering campaigns ahead of the year-end holiday season to steal victims' credentials and session tokens via adversary-in-the-middle (AitM) phishing pages.

The gang, also called Atlas Lion and active since at least late 2021, is known to then abuse the initial access to register their own devices to bypass authentication and obtain persistent access, gain elevated privileges, and compromise gift card-related services by creating bogus gift cards to facilitate fraud.

The attack chains are further designed to gain covert access to a victim's cloud environment, allowing the threat actor to carry out extensive reconnaissance and weaponize the infrastructure to achieve their end goals. Targets of the campaign include large retailers, luxury brands, and well-known fast-food restaurants.

The end goal of the operation is to redeem the value associated with those cards, sell the gift cards to other threat actors on black markets, or use money mules to cash out the gift cards.

The criminal targeting of gift card portals marks a tactical evolution of the threat actor, which has previously engaged in stealing payment card data by using malware on point-of-sale (PoS) devices.

The Windows maker said it observed a 30% increase in Storm-0539 intrusion activity between March and May 2024, describing the attackers as leveraging their deep knowledge of the cloud to "conduct reconnaissance on an organization's gift card issuance processes."

Earlier this month, the U.S. Federal Bureau of Investigation (FBI) released an advisory [PDF] warning of smishing attacks perpetrated by the group targeting the gift card departments of retail corporations using a sophisticated phishing kit to bypass multi-factor authentication (MFA).

"In one instance, a corporation detected Storm-0539's fraudulent gift card activity in their system, and instituted changes to prevent the creation of fraudulent gift cards," the FBI said.

"Storm-0539 actors continued their smishing attacks and regained access to corporate systems. Then, the actors pivoted tactics to locating unredeemed gift cards, and changed the associated email addresses to ones controlled by Storm-0539 actors in order to redeem the gift cards."

It's worth noting that the threat actor's activities go beyond stealing the login credentials of gift card department personnel: their efforts also extend to acquiring secure shell (SSH) passwords and keys, which could then be sold for financial gain or used for follow-on attacks.

Another tactic adopted by Storm-0539 entails the use of legitimate internal company mailing lists to disseminate phishing messages upon gaining initial access, adding a veneer of authenticity to the attacks. It has also been found creating free trials or student accounts on cloud service platforms to set up new websites.

The abuse of cloud infrastructure, including by impersonating legitimate non-profits to cloud service providers, is a sign that financially motivated groups are borrowing a page out of advanced state-sponsored actors' playbooks to camouflage their operations and remain undetected.

Microsoft is urging companies that issue gift cards to treat their gift card portals as high-value targets by monitoring for suspicious logins.

"Organizations should also consider complementing MFA with conditional access policies where authentication requests are evaluated using additional identity-driven signals like IP address location information or device status, among others," the company noted.

"Storm-0539 operations are persuasive due to the actor's use of legitimate compromised emails and the mimicking of legitimate platforms used by the targeted company."

The development comes as Enea revealed details of criminal campaigns that exploit cloud storage services like Amazon S3, Google Cloud Storage, Backblaze B2, and IBM Cloud Object Storage for SMS-based gift card scams that redirect users to malicious websites with an aim to plunder sensitive information.

"The URL linking to the cloud storage is distributed via text messages, which appear to be authentic and can therefore bypass firewall restrictions," Enea researcher Manoj Kumar said.

"When mobile users click on these links, which contain well-known cloud platform domains, they are directed to the static website stored in the storage bucket. This website then automatically forwards or redirects users to the embedded spam URLs or dynamically generated URLs using JavaScript, all without the user's awareness."

In early April 2023, Enea also uncovered campaigns that involve URLs constructed using the legitimate Google address, "," which is then combined with encoded characters to conceal the scam URL.

"This kind of trust is being exploited by malicious actors trying to trick mobile subscribers by hiding behind seemingly legitimate URLs," Kumar pointed out. "Attacker techniques can include luring subscribers to their websites under false pretenses, and stealing sensitive information such as credit card details, email or social media credentials, and other personal data."

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

from The Hacker News

PinnacleOne ExecBrief | The Digital Great Game in the Middle East – AI, Nuclear Energy, and Geopolitical Competition

Last week, PinnacleOne examined the convergence of AI and foreign malign influence efforts on the 2024 year of global elections.

This week, we dive into the new great game emerging in the Middle East over AI, nuclear, and other critical tech.

Please subscribe to read future issues — and forward this newsletter to interested colleagues.

Contact us directly with any comments or questions:

Insight Focus | The Digital Great Game in the Middle East – AI, Nuclear Energy, and Geopolitical Competition

The United Arab Emirates (UAE) and Saudi Arabia (KSA) are making bold moves in artificial intelligence (AI) and nuclear energy, using their deep pockets to diversify their economies and increase their geopolitical influence. As Sheikh Tahnoon bin Zayed Al Nahyan and Crown Prince Mohammed bin Salman write eye-popping checks and cut strategic tech deals, the West is taking notice and weighing the risks.

The Gulf States’ Trillion-Dollar Tech Play

The UAE and KSA are going all-in on AI and nuclear power (among other strategic industries like smart cities, synthetic biology, and space). Abu Dhabi’s sovereign wealth funds and state-owned enterprises, armed with over $2 trillion in assets, are hunting for cutting-edge tech, increasingly securing pole position in the funding rounds for emerging unicorns and snapping up large portions of the capital stack in leading western tech start-ups. The Abu Dhabi Investment Authority ($993B), Mubadala ($139B), and G42 ($10B) are leading the pack.

The Emirates recently launched a $100 billion AI-focused investment vehicle called MGX, with Mubadala and G42 as foundational partners. The focus of the fund is AI infrastructure, semiconductors, and AI core tech and applications, and will invest in data centers, fiber connections, chip design and manufacturing, frontier models, applications, data, biotech, and robotics.

As Bloomberg recently wrote, Sheikh Tahnoon bin Zayed Al Nahyan’s “conglomerate International Holding Co., or IHC, has investments in everything from Rihanna’s lingerie line to Elon Musk’s SpaceX… is up more than 400-fold since 2019…IHC also makes money from trading on the very exchange where it’s listed. It owns the Abu Dhabi stock exchange’s most active broker. Meanwhile, the emirate’s ADQ fund, which Sheikh Tahnoon chairs, oversees the exchange itself…It’s as if one man directed the New York Stock Exchange as well as two-thirds of the companies in the S&P 500 stock index.”


Source: Bloomberg

The Barakah nuclear plant, with its four reactors churning out 5,600MW, is set to power 25% of Abu Dhabi. But the UAE isn’t stopping there – it’s eyeing a spot on the global nuclear stage as an investor and developer, eager to partner with both west and east (including Russia) to pursue its strategic ambitions.

Meanwhile, Saudi Arabia’s $620B Public Investment Fund is eyeing a massive $40B AI fund with Silicon Valley heavyweight Andreessen Horowitz. Nuclear energy is also on the table, as the kingdom looks to diversify and counter Iran, as part of the fraught US-brokered diplomatic grand-bargain with Israel (in a tenuous position now given the Gaza conflict).

High-Stakes Partnerships

The Gulf states are forging high-stakes partnerships with Western tech titans and governments. For example, Microsoft’s $1.5B investment in UAE’s G42 comes with strings attached – G42 must use Microsoft’s cloud and play by security rules. However, many of these security arrangements “remain to be worked out, including how to protect AI model weights, which… currently cannot be encrypted while in use… and [the] technical approaches for doing so remain at least a year away.”

Microsoft has “considered several alternative options to protect its technology, including a ‘vault within a vault’ that would involve physically separating parts of data centers where AI chips and model weights are housed and restricting physical access.” It remains to be seen how this arrangement will evolve as lawmakers and Microsoft’s customers continue to ask questions about the security controls.

France is also opening its doors to Emirati nuclear and AI investments, with Finance Minister Bruno Le Maire rolling out the red carpet for senior level meetings, “adding that Paris wanted to work closely with Abu Dhabi on semiconductors and computer chip capabilities.”

It should be noted that Mubadala is the majority shareholder in chipmaker GlobalFoundries, which is building a semiconductor facility in France with STMicroelectronics. France is now looking to jointly invest with the UAE in “cloud computing and data processing and that the strategic partnership would see more scientists and researchers at the Abu Dhabi campus of the Paris Sorbonne.”

For the West, it’s a tempting proposition, getting access to the Gulf’s deep pockets and booming digital markets along with a chance to outmaneuver China. But, the risks are real. Sensitive tech and know-how could slip through the cracks, and the western tech and innovation ecosystem may find itself strategically dependent on investment flows from an authoritarian partner known to be geopolitically promiscuous.

Balancing Act with Beijing

As the U.S. and China jockey for tech supremacy, the Gulf states are walking a tightrope. They’re courting American giants like Microsoft, but also keeping lines open to Beijing. Case in point: Saudi Arabia’s finance minister, Mohammed Al-Jadaan, just wrapped up high-level talks in China, focused on economic collaboration. The meeting, which brought together heavy hitters from the Saudi Central Bank, Capital Market Authority, and National Development Fund, underscores the kingdom’s delicate balancing act.

The West is watching warily. The Microsoft-G42 deal is an explicit attempt to try to box out China, but will it work? The tangled web of interests and alliances in the region makes it an ambiguous and ever shifting affair. As the Gulf states push more “chips” on the geopolitical table, they’re likely to keep playing both sides, seeking to maximize their own interests and extract concessions from western firms looking to do politically favored deals.

The G42-Microsoft Kenya Deal | A Case Study in Digital Sovereignty

The recent $1B investment by G42 and Microsoft in Kenya’s digital infrastructure is a prime example of the tech competition unfolding in the Global South. The deal, which includes a green data center, AI research, skills training, and connectivity investments, is being touted as a milestone in Kenya’s digital transformation.

Beneath the surface though, thorny questions of digital sovereignty and network competition loom large. The involvement of unnamed “UAE ecosystem partners” in Kenya’s fiber cable infrastructure raises eyebrows. Will these be U.S.-aligned firms, cementing Kenya’s place in the Western tech sphere? Or, will Chinese players sneak in, tilting the balance of surveillance and digital economic power?

The answers could have far-reaching implications. As countries like Kenya become battlegrounds in the global AI and digital infrastructure race, their choices about tech partners and standards will shape the geoeconomic and technological map. The G42-Microsoft deal is a test case, a preview of the complex trade-offs and power plays that will define the digital future.

Navigating the AI-Nuclear Nexus

For the West, the Gulf states’ AI and nuclear ambitions are a strategic contest. The prize: a slice of the region’s riches and a tech edge over China. The price: sharing sensitive tech with opaque, autocratic regimes.

To play this game and win, the West needs to strike a delicate balance. Robust safeguards and constant vigilance are a must to keep cutting-edge capabilities in AI, semiconductors, and nuclear tech from falling into the wrong hands. Data access, tech leakage, and research collaboration all need tight controls.

Equally important is a coherent, values-driven strategy. Engaging with the Gulf states can’t just be about chasing short-term profits or geopolitical points. It needs to align with the West’s long-term interests and principles. That means tough conversations about human rights, transparency, and responsible tech stewardship.


The Gulf states are making a trillion-dollar gambit on an AI and nuclear-powered future. For the West, it’s an opportunity and a risk. Navigating this landscape will require a deft touch, balancing short-term gains with long-term strategic imperatives.

As Saudi and Emirati money pours into AI labs, venture ecosystems, and nuclear reactors, and cutting-edge chips and algorithms flow back in return, the stakes couldn’t be higher. The choices made now – in boardrooms from Silicon Valley to Riyadh, in the government corridors from Washington to Abu Dhabi – will shape the global balance of power.

The challenge for the West is to engage with eyes wide open, to seize the moment while safeguarding its crown jewels. It must be a partner to the Gulf states, but also a principled leader, setting the rules of the road for an AI-enabled, nuclear-powered world. Only then can it hope to emerge as a true victor in the age of algorithms and atoms. The new Digital Great Game is on.

from SentinelOne

Report: The Dark Side of Phishing Protection

May 27, 2024 | The Hacker News | Email Security / Browser Security

The transition to the cloud, poor password hygiene and the evolution in webpage technologies have all enabled the rise in phishing attacks. But despite sincere efforts by security stakeholders to mitigate them - through email protection, firewall rules and employee education - phishing attacks are still a very risky attack vector.

A new report by LayerX explores the state of phishing attacks today and analyzes the protections organizations have in place to protect against them. This report, "The Dark Side of Phishing Protection: Are You as Protected as You Should Be?", can be leveraged by security and IT professionals across organizations in their security efforts. They can use it to pinpoint any internal security blind spots they have and identify controls and practices that can help them gain visibility into those blind spots.

Understanding the Threat: Phishing Stats

Phishing is on the rise. Based on a number of sources, the report describes the magnitude of the problem:

  • 61% increase in overall phishing attacks on enterprises
  • 83% of organizations were subject to a successful phishing attack
  • Over 1100% increase in phishing URLs hosted on legitimate SaaS platforms

A Phishing Attack Breakdown: Where is the Protection Blind Spot?

Why are these stats so high? The report details the three main ways attackers are able to exploit systems through phishing:

  • Email Delivery: Successfully sending maliciously crafted emails to the victim's inbox or through social media, SMS messages and other productivity tools.
  • Social Engineering: Luring the user to click the malicious link.
  • Web Access and Credential Theft: Having the user access the malicious web page and enter their credentials. This is also where the protection blind spot resides.

The Three Alternatives to Protecting Against Phishing Page Access

As a security professional, you also need solutions to the problems. The report provides three paths forward to protecting from phishing page attacks:

  1. Page Reputation Analysis: Analyzing the target page's URL by utilizing threat intelligence feeds and calculating its score. The gap: these feeds are not technologically able to cover all threats and risks.
  2. Browser Emulation: Any suspected web page is executed in a virtual environment to unfold any phishing or other malicious features it embeds. The gap: cannot be applied at scale, as it is resource-heavy and creates latency.
  3. Browser Deep Session Inspection: Analyzing every live web session from within the browser and inspecting the gradual assembly of the web page to detect phishing behavior, which triggers either session termination or disablement of the phishing component.

This approach protects the organization at the point where the attack's objective is realized, the browser itself, so it can succeed where the other layers fail: if the email protection solution does not flag a malicious email and it reaches the employee's inbox, and the employee then clicks the link, the browser security platform is still in place to block the attack.

Deep Dive: Browser Security Platform and Deep Session Inspection 101

The key takeaway from the report is that IT and security experts should evaluate a browser security platform as part of their phishing protection stack. A browser security platform detects phishing pages and neutralizes their password theft capabilities or terminates the session altogether. It deeply inspects browsing events and provides real-time visibility, monitoring and policy enforcement capabilities.

Here's how it works:

  1. The browser receives a web page code
  2. The browser begins executing the page
  3. The browser security platform monitors the page and utilizes ML to detect phishing components
  4. The browser security platform disables the page's phishing attacks


This article is a contributed piece from one of our valued partners.

from The Hacker News

New Tricks in the Phishing Playbook: Cloudflare Workers, HTML Smuggling, GenAI

Cybersecurity researchers are warning of phishing campaigns that abuse Cloudflare Workers to serve phishing sites that are used to harvest users' credentials associated with Microsoft, Gmail, Yahoo!, and cPanel Webmail.

The attack method, called transparent phishing or adversary-in-the-middle (AitM) phishing, "uses Cloudflare Workers to act as a reverse proxy server for a legitimate login page, intercepting traffic between the victim and the login page to capture credentials, cookies, and tokens," Netskope researcher Jan Michael Alcantara said in a report.

A majority of phishing campaigns hosted on Cloudflare Workers over the past 30 days have targeted victims in Asia, North America, and Southern Europe, spanning technology, financial services, and banking sectors.

The cybersecurity firm said that an increase in traffic to Cloudflare Workers-hosted phishing pages was first registered in Q2 2023, noting it observed a spike in the total number of distinct domains, jumping from a little over 1,000 in Q4 2023 to nearly 1,300 in Q1 2024.

The phishing campaigns make use of a technique called HTML smuggling, which involves using malicious JavaScript to assemble the malicious payload on the client side to evade security protections. It also serves to highlight the sophisticated strategies threat actors are using to deploy and execute attacks on targeted systems.

What's different in this case is that the malicious payload is a phishing page, which is reconstructed and displayed to the user in the web browser.

The phishing page, for its part, urges the victim to sign in with Microsoft Outlook or Office 365 (now Microsoft 365) to view a purported PDF document. Should they follow through, fake sign-in pages hosted on Cloudflare Workers are used to harvest their credentials and multi-factor authentication (MFA) codes.

"The entire phishing page is created using a modified version of an open-source Cloudflare AitM toolkit," Michael Alcantara said. "Once the victim accesses the attacker's login page, the attacker collects its web request metadata."

"Once the victim enters their credentials, they will be logged in to the legitimate website, and the attacker will collect the tokens and cookies in the response. Furthermore, the attacker will also have visibility into any additional activity the victim performs after login."

HTML smuggling as a payload delivery mechanism is being increasingly favored by threat actors who wish to bypass modern defenses, making it possible to serve fraudulent HTML pages and other malware without raising any red flags.

In one instance highlighted by Huntress Labs, the fake HTML file is used to inject an iframe of the legitimate Microsoft authentication portal that's retrieved from an actor-controlled domain.

"This has the hallmarks of an MFA-bypass adversary-in-the-middle transparent proxy phishing attack, but uses an HTML smuggling payload with an injected iframe instead of a simple link," security researcher Matt Kiely said.

Another campaign that has attracted attention involves invoice-themed phishing emails containing HTML attachments that masquerade as PDF viewer login pages to steal users' email account credentials, before redirecting them to a URL hosting the so-called "proof of payment."
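To make the HTML smuggling pattern concrete, here is an added example (not from Netskope, Huntress, Trellix or this article) of a static check an email gateway or an analyst could run over an HTML attachment such as the "PDF viewer" lures above: it looks for the decode-to-blob-to-download sequence the technique relies on, plus the injected-iframe variant Huntress describes, and sniffs the type of any large inline base64 literal. The indicator list, the verdict thresholds and the sample attachment (whose smuggled blob is a zip holding one harmless text file) are constructed for the example.

```python
import base64
import io
import re
import zipfile

# Indicators of HTML smuggling: the file is assembled in the browser from an
# inline blob instead of being fetched from a URL a proxy could inspect.
INDICATORS = {
    "atob": re.compile(r"\batob\s*\("),
    "blob": re.compile(r"new\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "ms_save_blob": re.compile(r"msSaveOrOpenBlob"),
    "download_attr": re.compile(r"\.download\s*=|\sdownload\s*=\s*[\"']"),
    "synthetic_click": re.compile(r"\.click\s*\(\s*\)"),
    # Variant from the Huntress case: a remote login page injected via iframe.
    "remote_iframe": re.compile(r"<iframe[^>]+src\s*=\s*[\"']https?://", re.I),
}
B64_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/]{64,}={0,2})[\"']")
MAGIC = [(b"PK\x03\x04", "zip"), (b"MZ", "pe"), (b"%PDF", "pdf")]


def sniff(data: bytes) -> str:
    """Identify the decoded blob by its leading bytes."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "html" if data.lstrip().startswith(b"<") else "unknown"


def analyze_html(html: str) -> dict:
    hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
    blob_type = None
    literals = B64_LITERAL.findall(html)
    if literals:
        try:
            blob_type = sniff(base64.b64decode(max(literals, key=len), validate=True))
        except ValueError:          # binascii.Error is a ValueError subclass
            blob_type = "undecodable"
    # Decode -> Blob -> object URL (or msSaveOrOpenBlob) is the core of the technique.
    core = {"atob", "blob"} <= set(hits) and bool({"object_url", "ms_save_blob"} & set(hits))
    if core or (blob_type in ("zip", "pe") and hits):
        verdict = "smuggling"
    elif len(hits) >= 2:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"indicators": hits, "blob_type": blob_type, "verdict": verdict}


def _constructed_blob() -> str:
    """Harmless stand-in for a smuggled archive: a zip holding one text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.txt", "constructed harmless sample, not malware")
    return base64.b64encode(buf.getvalue()).decode()


# Constructed attachment mimicking a smuggling stub (not a real phishing file).
SAMPLE_HTML = f"""<html><body><p>Your document is loading...</p>
<script>
  var data = "{_constructed_blob()}";
  var bytes = Uint8Array.from(atob(data), c => c.charCodeAt(0));
  var blob = new Blob([bytes], {{type: "application/octet-stream"}});
  var a = document.createElement("a");
  a.href = URL.createObjectURL(blob);
  a.download = "Invoice_2024.zip";
  document.body.appendChild(a);
  a.click();
</script></body></html>"""

BENIGN_HTML = "<html><body><p>Quarterly report attached.</p></body></html>"

if __name__ == "__main__":
    print(analyze_html(SAMPLE_HTML))
    print(analyze_html(BENIGN_HTML))
```

Static indicators like these are cheap and catch the common stubs, but obfuscated JavaScript (string splitting, custom decoders instead of atob) defeats them, which is why the browser-side detonation or session inspection discussed elsewhere on this page remains the stronger control.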

In recent years, email-based phishing attacks have taken various forms, including leveraging phishing-as-a-service (PhaaS) toolkits like Greatness to steal Microsoft 365 login credentials and circumvent MFA using the AitM technique, with attackers incorporating QR codes within PDF files and utilizing CAPTCHA checks before redirecting victims to the bogus login page.

Financial services, manufacturing, energy/utilities, retail, and consulting entities located in the U.S., Canada, Germany, South Korea, and Norway have emerged as the top sectors targeted by the Greatness PhaaS.

"These services offer advanced capabilities that appeal to attackers by saving them time on development and evasion tactics," Trellix researchers said.

The development comes as threat actors are constantly finding new ways to outsmart security systems and propagate malware by resorting to generative artificial intelligence (GenAI) to craft effective phishing emails and delivering compressed file attachments containing overly large malware payloads (more than 100 MB in size) in hopes of evading analysis.

"Scanning larger files takes more time and resources, which can slow down the overall system performance during the scan process," the cybersecurity firm said. "To minimize heavy memory footprint, some antivirus engines may set size limits for scanning, leading to oversized files being skipped."

The file inflation method has been observed as an attack ploy to deliver additional malware, such as Agent Tesla, AsyncRAT, Quasar RAT, and Remcos RAT, it added.

What's more, the adversarial use of GenAI for exploit development and deepfake generation by various threat actors underscores the need for robust security measures, ethical guidelines, and oversight mechanisms.

These innovations to bypass traditional detection mechanisms have also extended to campaigns like TrkCdn, SpamTracker, and SecShow that are leveraging Domain Name System (DNS) tunneling to monitor when their targets open phishing emails and click on malicious links, track spam delivery, as well as to scan victim networks for potential vulnerabilities.

"The DNS tunneling technique used in the TrkCdn campaign is meant to track a victim's interaction with its email content," Palo Alto Networks Unit 42 said in a report published earlier this month, adding the attackers embed content in the email that, when opened, performs a DNS query to attacker-controlled subdomains.

"[SpamTracker] employs emails and website links to deliver spam and phishing content. The intent of the campaign is to lure victims to click on the links behind which threat actors have concealed their payload in the subdomains."

The findings also come amid a surge in malvertising campaigns that take advantage of malicious ads for popular software on search engine results to trick users into installing information stealers and remote access trojans such as SectopRAT (aka ArechClient).

On top of that, bad actors have been observed setting up counterfeit pages mimicking financial institutions like Barclays that deliver legitimate remote desktop software like AnyDesk under the guise of offering live chat support, granting them remote access to the systems in the process.


from The Hacker News

Pakistan-linked Hackers Deploy Python, Golang, and Rust Malware on Indian Targets

The Pakistan-nexus Transparent Tribe actor has been linked to a new set of attacks targeting Indian government, defense, and aerospace sectors using cross-platform malware written in Python, Golang, and Rust.

"This cluster of activity spanned from late 2023 to April 2024 and is anticipated to persist," the BlackBerry Research and Intelligence Team said in a technical report published earlier this week.

The spear-phishing campaign is also notable for its abuse of popular online services such as Discord, Google Drive, Slack, and Telegram, once again underscoring how threat actors are adopting legitimate programs into their attack flows.

According to BlackBerry, the targets of the email-based attacks included three companies that are crucial stakeholders and clients of the Department of Defense Production (DDP). All three companies targeted are headquartered in the Indian city of Bengaluru.

While the names of the firms were not disclosed, indications are that the email messages targeted Hindustan Aeronautics Limited (HAL), one of the largest aerospace and defense companies in the world; Bharat Electronics Limited (BEL), a government-owned aerospace and defense electronics company; and BEML Limited, a public sector undertaking that manufactures earth moving equipment.

Transparent Tribe is also tracked by the larger cybersecurity community under the names APT36, Earth Karkaddan, Mythic Leopard, Operation C-Major, and PROJECTM.

The adversarial collective, believed to be active since at least 2013, has a track record of conducting cyber espionage operations against government, military, and education entities in India, although it has also undertaken highly targeted mobile spyware campaigns against victims in Pakistan, Afghanistan, Iraq, Iran, and the United Arab Emirates.

Furthermore, the group is known to experiment with new methods of intrusion and has cycled through different malware over the years, iterating on their tactics and toolkit many times over to evade detection.

Some of the notable malware families put to use by Transparent Tribe include CapraRAT, CrimsonRAT, ElizaRAT, GLOBSHELL, LimePad, ObliqueRAT, Poseidon, PYSHELLFOX, Stealth Mango, and Tangelo, with the latter two linked to a freelance developer group based out of Lahore.

These developers are "available for hire" and "at least one government employee moonlights as a mobile app developer," mobile security firm Lookout noted way back in 2018.

Attack chains mounted by the group involve the use of spear-phishing emails to deliver payloads using malicious links or ZIP archives, particularly focusing their efforts on distributing ELF binaries due to the Indian government's heavy reliance on Linux-based operating systems.

The infections culminated in the deployment of three different versions of GLOBSHELL, a Python-based information-gathering utility that was previously documented by Zscaler in connection with attacks targeting the Linux environment within Indian government organizations. Also deployed is PYSHELLFOX to exfiltrate data from Mozilla Firefox.

BlackBerry said it also discovered bash script versions and Python-based Windows binaries being served from the threat actor-controlled domain "apsdelhicantt[.]in" -

  •, a bash version of GLOBSHELL
  •, an open-source command-and-control (C2) framework called Sliver
  •, a script to gather files from a connected USB drive
  • afd.exe, an intermediate executable responsible for downloading win_hta.exe and win_service.exe
  • win_hta.exe and win_service.exe, two Windows versions of GLOBSHELL

In what's a sign of Transparent Tribe's tactical evolution, phishing campaigns orchestrated in October 2023 have been observed making use of ISO images to deploy the Python-based remote access trojan that uses Telegram for C2 purposes.

It's worth pointing out that the use of ISO lures to target Indian government entities has been observed since the start of the year as part of two possibly related intrusion sets, a modus operandi that the Canadian cybersecurity company said "had the hallmark of a Transparent Tribe attack chain."

Further infrastructure analysis has also unearthed a Golang-compiled "all-in-one" program that has the capability to find and exfiltrate files with popular file extensions, take screenshots, upload and download files, and execute commands.

The espionage tool, a modified version of an open-source project Discord-C2, receives instructions from Discord and is delivered via an ELF binary downloader packed within a ZIP archive.

"Transparent Tribe has been persistently targeting critical sectors vital to India's national security," BlackBerry said. "This threat actor continues to utilize a core set of tactics, techniques, and procedures (TTPs), which they have been adapting over time."


from The Hacker News

Sunday, May 26, 2024

Is Everyone's AI Strategy in Chaos?

When you see the headline “<ex-employee> says <company> AI strategy is in chaos”, what does it really mean? Is any company’s AI strategy NOT in chaos at this point? 

SHOW: 824

  • Google
  • OpenAI
  • Microsoft / Azure / GitHub
  • Amazon / AWS
  • Meta
  • Apple
  • IBM / Red Hat
  • Oracle
  • Snowflake
  • Databricks
  • VCs
  • Startups


from The Cloudcast (.NET)

Friday, May 24, 2024

AWS Security Best Practices, Auditing, and Alarm Use Cases

If your organization operates in an Amazon Web Services (AWS) environment, you may face a series of unique security challenges to protect sensitive data and abide by compliance mandates. To reduce risk, you need to continually mature your security operations and keep up with AWS security best practices. 

In this blog, I’ll dive into common challenges security teams face, how to monitor CloudTrail and GuardDuty logs, and three AWS security use cases that you can implement for better visibility and protection across your cloud environment.

Overcoming AWS Security Challenges  

Under the shared responsibility model, AWS is responsible for the security of the cloud infrastructure, while the customer is responsible for securing their data and applications within the cloud. Security teams must understand their responsibilities and implement appropriate security controls.

Protecting AWS environments is challenging because they consist of multiple services, configurations, and dependencies. Especially in multi-account or multi-region deployments, security teams struggle to gain complete visibility and insights into their AWS assets and enforce security policies effectively. Addressing these challenges requires a combination of technology, processes, and expertise.

  • Security teams need a way to consolidate data into one place to better understand what is happening across the environment and to easily audit log data for AWS security compliance.  
  • Manual processes won’t get the job done quickly and effectively and leave room for human error. To keep pace with the attack surface, security operations centers (SOCs) should leverage automation and orchestration tools to streamline security operations, such as automating security configuration management, incident response, and compliance checks.  

Security teams need to adopt a proactive and holistic approach to security by leveraging best practices, streamlined processes, and trusted security partnerships to safeguard their AWS environments effectively.  

Monitoring CloudTrail and AWS GuardDuty Logs  

A security information and event management (SIEM) is a useful solution for security teams to centrally collect and enrich data across the environment, achieve auditing and compliance standards, and better detect, investigate, and respond to cyberthreats. 

For AWS security best practices, I will dive into the importance of monitoring AWS CloudTrail and GuardDuty logs and provide examples of how to do so using LogRhythm Axon, a cloud-native SIEM platform.

Monitoring AWS CloudTrail Logs 

AWS CloudTrail records API calls made on your AWS account, capturing details such as who made the request, when it was made, and the IP address from which it originated. 

By logging all API calls, security teams can gain insight into who is accessing AWS resources, what actions they are performing, and where these actions originate from.  

CloudTrail Auditing with LogRhythm Axon 

CloudTrail provides an audit trail of all actions taken within your AWS environment. LogRhythm Axon can ingest these logs to monitor and analyze user activity, resource changes, and security events. This will help your team with: 

  • Forensics and Investigation: When incidents occur, CloudTrail logs help investigators trace back actions, identify the source of security breaches, and understand the context. 
  • Compliance and Governance: CloudTrail logs are essential for compliance audits, ensuring adherence to security policies and regulatory requirements. 

By forwarding CloudTrail logs to LogRhythm Axon, you gain real-time visibility into AWS activities, enabling proactive threat detection and incident response. 

Learn more about logging using CloudTrail here. 

Monitoring AWS GuardDuty Logs 

Amazon GuardDuty is a managed threat detection service that continuously monitors for malicious or unauthorized behavior in your AWS accounts and workloads.

There are several benefits to ingesting GuardDuty logs into a SIEM solution.  

GuardDuty Auditing with LogRhythm Axon 

  • Threat Detection: GuardDuty analyzes network traffic, DNS data, and AWS CloudTrail logs to detect suspicious activities, compromised instances, and potential threats. 
  • Automated Alerts: GuardDuty generates findings based on threat intelligence and anomaly detection. These findings can be ingested by your SIEM for further analysis and alerting. 

By forwarding GuardDuty logs to LogRhythm Axon, you gain real-time visibility into suspicious AWS activities, enabling proactive threat detection and incident response.

Learn more about GuardDuty integrations here. 

How LogRhythm Can Help Protect Your AWS Environment  

LogRhythm Axon provides seamless visualization of AWS data, including CloudTrail threats, GuardDuty events, Kubernetes activities, and more. 

Leverage a Custom AWS Dashboard 

Using the cloud-native SIEM, you can take advantage of an AWS dashboard to quickly understand user actions — such as enabling accounts, deleting nodes, and managing users — enhancing your AWS security posture. 

Figure 1: LogRhythm Axon AWS Dashboard. 

Three AWS Alarm Use Cases 

Let’s explore three AWS alarm use cases that can help you improve AWS security monitoring and bolster your defenses. 

1. AWS GuardDuty Access Denied

When GuardDuty detects unauthorized or suspicious activity, it generates an event log. The following example walks through a scenario where access is denied and shows how you can detect this potential threat.

Log Sample: 

  {
    "eventTime": "2024-04-17T00:50:00.016097Z",
    "eventSource": "",
    "eventName": "EnableOrganizationAdminAccount",   <-- user is attempting to enable an admin account
    "awsRegion": "us-xxxx-x",
    "sourceIPAddress": "x.x.x.x",
    "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36",
    "errorCode": "AccessDenied",
    "errorMessage": "User is not authorized to perform this action.",   <-- access is denied
    "requestParameters": {
      "adminAccountId": "xxxxxxxxxxxx"
    }
  }

You can detect this threat in LogRhythm Axon and have a Case Created to investigate it further. Below is an example of the rule block that will generate an Alarm for this activity. 

Figure 2: Rule for observing GuardDuty logs in LogRhythm Axon. 

Below in Figure 3, you can observe details of what tracking this activity looks like using LogRhythm Axon’s Case Management and Single Screen Investigation workflow. This feature helps you drill down further and shows contextual insights across logs, Observations, security analytics, and raw metadata — all in one view. 

Figure 3: LogRhythm Axon’s Case Management workflow for AWS GuardDuty – Access Denied Alarm.

2. AWS Kubernetes Unauthorized Deletion Attempt 

Unauthorized attempts in Amazon Elastic Kubernetes Service (EKS) can occur when an entity or user tries to access resources without proper authorization. In the example below, explore a scenario that involves an unauthorized attempt and how you can detect it. 

Log Sample: 

  {
    "eventName": "DeleteNodegroup",
    "awsRegion": "us-xxx-x",
    "sourceIPAddress": "x.x.x.x",
    "userAgent": "",
    "errorCode": "UnauthorizedAttempt",   <-- unauthorized attempt error code
    "errorMessage": "User attempted unauthorized deletion of a node group"   <-- error message
  }

Below is an example of the rule block that will generate an Alarm for this activity.

Figure 4: LogRhythm Axon Alarm details for an AWS Unauthorized Attempt.

Security analysts can dive deeper into the Case to investigate this threat. Figure 5 shows key insights into who attempted the unauthorized deletion and the host where the request originated.

Figure 5: LogRhythm Axon’s Single Investigation Workflow for AWS unauthorized attempt. 

3. AWS CloudTrail High-Severity Alerts 

LogRhythm Axon employs seamless and innovative parsing techniques for all ingested events. Specifically, when it comes to AWS CloudTrail logs, we focus on identifying detected threats. These logs are meticulously labeled and assigned threat severities on a scale of 0 to 10. Leveraging this severity information, you can set up alarms to trigger for high-severity CloudTrail alerts. 

Below is an example of formatting AWS CloudTrail logs as well as assigning a Threat Severity.   

Figure 6: Formatting AWS CloudTrail logs in LogRhythm Axon.

You can alarm on this in LogRhythm Axon and have a Case Created. Below is an example of the rule block.  

Figure 7: LogRhythm Axon Alarm that triggers based on threat severity of AWS CloudTrail Logs.

In the Case details below, you can analyze relevant metadata such as the user or host involved.

Figure 8: Investigating a Critical Severity AWS CloudTrail alert in LogRhythm Axon.
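The three alarm use cases above are defined as Axon rule blocks in the figures, which do not survive here. As an added example that is not LogRhythm's code, the Python below applies equivalent checks to constructed CloudTrail-style records: the field names follow the page's log samples, while the severity scores (on the page's 0 to 10 scale), the eventSource values and the sample ARNs are assumptions for illustration.

```python
import json

# Assumed severity mapping on the page's 0-10 scale (constructed, not Axon's).
# Unknown API calls default to a low score so they never trip the alarm alone.
SEVERITY_BY_EVENT = {
    "EnableOrganizationAdminAccount": 8,
    "DeleteNodegroup": 9,
    "DescribeInstances": 1,
}
HIGH_SEVERITY_THRESHOLD = 7  # alarm when severity >= this value


def severity_of(record):
    """Rule 3 stand-in: score a record 0-10; failed calls score one higher."""
    base = SEVERITY_BY_EVENT.get(record.get("eventName"), 2)
    if record.get("errorCode"):
        base = min(10, base + 1)
    return base


def evaluate(record):
    """Return the list of alarm names this record would raise (possibly empty)."""
    alarms = []
    name = record.get("eventName")
    err = record.get("errorCode")
    # Rule 1: GuardDuty admin-account enablement denied (use case 1)
    if name == "EnableOrganizationAdminAccount" and err == "AccessDenied":
        alarms.append("AWS GuardDuty Access Denied")
    # Rule 2: EKS node group deletion rejected (use case 2)
    if name == "DeleteNodegroup" and err == "UnauthorizedAttempt":
        alarms.append("AWS Kubernetes Unauthorized Deletion Attempt")
    # Rule 3: anything scored high on the severity scale (use case 3)
    if severity_of(record) >= HIGH_SEVERITY_THRESHOLD:
        alarms.append("AWS CloudTrail High-Severity Alert")
    return alarms


def case_summary(record):
    """Metadata an analyst wants in the Case: who, from where, doing what."""
    identity = record.get("userIdentity", {})
    return {
        "user": identity.get("arn", "<unknown>"),
        "source_ip": record.get("sourceIPAddress", "<unknown>"),
        "region": record.get("awsRegion", "<unknown>"),
        "action": record.get("eventName"),
        "error": record.get("errorCode"),
        "severity": severity_of(record),
    }


# Constructed sample records modelled on the page's two log samples plus a
# benign read-only call; account IDs and addresses are placeholders.
SAMPLE_LOG = """
{"eventTime": "2024-04-17T00:50:00.016097Z", "eventSource": "guardduty.amazonaws.com", "eventName": "EnableOrganizationAdminAccount", "awsRegion": "us-xxxx-x", "sourceIPAddress": "x.x.x.x", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/example-user"}, "errorCode": "AccessDenied", "errorMessage": "User is not authorized to perform this action.", "requestParameters": {"adminAccountId": "xxxxxxxxxxxx"}}
{"eventTime": "2024-04-17T01:02:11.000000Z", "eventSource": "eks.amazonaws.com", "eventName": "DeleteNodegroup", "awsRegion": "us-xxx-x", "sourceIPAddress": "x.x.x.x", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/example-user"}, "errorCode": "UnauthorizedAttempt", "errorMessage": "User attempted unauthorized deletion of a node group"}
{"eventTime": "2024-04-17T01:05:00.000000Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "awsRegion": "us-xxx-x", "sourceIPAddress": "x.x.x.x", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/example-user"}}
"""


def run(log_text=SAMPLE_LOG):
    """Parse newline-delimited JSON and return [(alarms, summary)] per record."""
    results = []
    for line in log_text.strip().splitlines():
        record = json.loads(line)
        results.append((evaluate(record), case_summary(record)))
    return results


if __name__ == "__main__":
    for alarms, summary in run():
        print(alarms or "no alarm", summary)
```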

Streamline Your AWS Security Monitoring 

In the dynamic landscape of cloud computing, robust AWS security best practices are non-negotiable. By following these best practices, organizations can strengthen the security of their AWS environments and better protect their data, applications, and infrastructure from security threats and vulnerabilities.  

Cybersecurity is a challenging job, and there is a shortage of cybersecurity professionals with expertise in cloud security and AWS. You may face challenges in hiring and retaining skilled personnel to effectively protect AWS environments. 

Integrating LogRhythm Axon into your AWS environment helps you gain the ability to detect threats and visualize all your data in one location for an easier security and compliance experience.  

To learn more about how LogRhythm can help with your AWS security monitoring challenges, request more information.

Related Resources  

Enjoy these additional reads for protecting against AWS-related cyberthreats.  

The post AWS Security Best Practices, Auditing, and Alarm Use Cases appeared first on LogRhythm.

from LogRhythm

Hackers Created Rogue VMs to Evade Detection in Recent MITRE Cyber Attack

May 24, 2024 | Newsroom | Endpoint Security / Threat Intelligence

The MITRE Corporation has revealed that the cyber attack that targeted the not-for-profit company in late December 2023, by exploiting zero-day flaws in Ivanti Connect Secure (ICS), involved the actor creating rogue virtual machines (VMs) within its VMware environment.

"The adversary created their own rogue VMs within the VMware environment, leveraging compromised vCenter Server access," MITRE researchers Lex Crumpton and Charles Clancy said.

"They wrote and deployed a JSP web shell (BEEFLUSH) under the vCenter Server's Tomcat server to execute a Python-based tunneling tool, facilitating SSH connections between adversary-created VMs and the ESXi hypervisor infrastructure."

The motive behind such a move is to sidestep detection by obscuring their malicious activities from centralized management interfaces like vCenter, and to maintain persistent access while reducing the risk of being discovered.

Details of the attack emerged last month when MITRE revealed that the China-nexus threat actor -- tracked by Google-owned Mandiant under the name UNC5221 -- breached its Networked Experimentation, Research, and Virtualization Environment (NERVE) by exploiting two ICS flaws CVE-2023-46805 and CVE-2024-21887.

Upon bypassing multi-factor authentication and gaining an initial foothold, the adversary moved laterally across the network and leveraged a compromised administrator account to take control of the VMware infrastructure to deploy various backdoors and web shells to retain access and harvest credentials.

This consisted of a Golang-based backdoor codenamed BRICKSTORM that was present within the rogue VMs and two web shells referred to as BEEFLUSH and BUSHWALK, allowing UNC5221 to execute arbitrary commands and communicate with command-and-control servers.

"The adversary also used a default VMware account, VPXUSER, to make seven API calls that enumerated a list of mounted and unmounted drives," MITRE said.

"Rogue VMs operate outside the standard management processes and do not adhere to established security policies, making them difficult to detect and manage through the GUI alone. Instead, one needs special tools or techniques to identify and mitigate the risks associated with rogue VMs effectively."

One effective countermeasure against threat actors' stealthy efforts to bypass detection and maintain access is to enable secure boot, which prevents unauthorized modifications by verifying the integrity of the boot process.

The company said it's also making available two PowerShell scripts named Invoke-HiddenVMQuery and VirtualGHOST to help identify and mitigate potential threats within the VMware environment.

"As adversaries continue to evolve their tactics and techniques, it is imperative for organizations to remain vigilant and adaptive in defending against cyber threats," MITRE said.

from The Hacker News

Fake Antivirus Websites Deliver Malware to Android and Windows Devices

May 24, 2024 | Newsroom | Malvertising / Endpoint Security

Threat actors have been observed making use of fake websites masquerading as legitimate antivirus solutions from Avast, Bitdefender, and Malwarebytes to propagate malware capable of stealing sensitive information from Android and Windows devices.

"Hosting malicious software through sites which look legitimate is predatory to general consumers, especially those who look to protect their devices from cyber attacks," Trellix security researcher Gurumoorthi Ramanathan said.

The list of websites is below -

  • avast-securedownload[.]com, which is used to deliver the SpyNote trojan in the form of an Android package file ("Avast.apk") that, once installed, requests intrusive permissions to read SMS messages and call logs, install and delete apps, take screenshots, track location, and even mine cryptocurrency
  • bitdefender-app[.]com, which is used to deliver a ZIP archive file ("") that deploys the Lumma information stealer malware
  • malwarebytes[.]pro, which is used to deliver a RAR archive file ("MBSetup.rar") that deploys the StealC information stealer malware

The cybersecurity firm said it also uncovered a rogue Trellix binary named "AMCoreDat.exe" that serves as a conduit to drop a stealer malware capable of harvesting victim information, including browser data, and exfiltrating it to a remote server.

It's currently not clear how these bogus websites are distributed, but similar campaigns in the past have employed techniques such as malvertising and search engine optimization (SEO) poisoning.

Stealer malware has increasingly become a common threat, with cybercriminals advertising numerous custom variants with varying levels of complexity. This includes new stealers like Acrid, SamsStealer, ScarletStealer, and Waltuhium Grabber, as well as updates to existing ones such as SYS01stealer (aka Album Stealer or S1deload Stealer).

"The fact that new stealers appear every now and then, combined with the fact that their functionality and sophistication varies greatly, indicates that there is a criminal market demand for stealers," Kaspersky said in a recent report.

The development comes as researchers have discovered a new Android banking trojan called Antidot that disguises itself as a Google Play update to facilitate information theft by abusing Android's accessibility and MediaProjection APIs.

"Functionality-wise Antidot is capable of keylogging, overlay attacks, SMS exfiltration, screen captures, credentials theft, device control, and execution of commands received from the attackers," Broadcom-owned Symantec said in a bulletin.

from The Hacker News

The Good, the Bad and the Ugly in Cybersecurity – Week 21

The Good | Leaders of Crypto Investment Scam Arrested & Charged for $73 Million Laundering Scheme

This week, the tables were turned on two alleged cyber ‘pig butcherers’ who could now face time in the iron pen. The DoJ indicted Daren Li (41) and Yicheng Zhang (38) for their alleged roles leading a global syndicate that has laundered over $73 million through cryptocurrency investment scams. Both Li and Zhang are charged with conspiracy to commit money laundering and six counts of international laundering. If convicted, they face 20 years in prison on each count.

Source: Department of Justice

Pig butchering scams involve criminals building up trust with targeted victims via social media and messaging or dating platforms to convince them to invest in fraudulent schemes. After falling for the bait, the criminals then steal their victims’ cryptocurrency, draining the compromised wallets.

According to court documents, Li and Zhang transferred millions of their victims’ cryptocurrency to U.S. bank accounts connected to shell companies. The funds were then moved through various domestic and international accounts and crypto platforms in order to obscure their origins. Communications uncovered during the investigation revealed details on the operations, including commissions, victim information, and interactions with U.S. financial institutions.

In 2023 alone, the U.S. Secret Service recovered more than $1.1 billion from scam operations, and the IC3 reported that losses to investment fraud rose from $3.31 billion in 2022 to $4.57 billion last year. As schemes revolving around financial fraud become increasingly common and complex, cyber defenders reiterate the importance of learning how to spot predatory behavior online, staying vigilant in securing digital assets and identities, verifying the legitimacy of brokerages before investing, and reporting suspicions of fraud immediately.

The Bad | Threat Actors Exploit Legitimate Cloud Services to Deliver Malware in Emerging Campaign

In a new attack campaign, popular cloud storage services like Google Drive and Dropbox are being exploited to stage malicious payloads. Dubbed “CLOUD#REVERSER”, security researchers this week broke down how the campaign uses VBScript and PowerShell to perform command and control-like (C2) activities within the storage platforms to manage file uploads and download.

Attacks begin with a phishing email containing a ZIP archive file that includes an executable disguised as a Microsoft Excel file. This is done by making use of the hidden right-to-left override (RLO) Unicode character (U+202E) so that the order of the characters following it in the string is reversed when displayed. In this case, the victims receiving the email would see the file name RFQ-101432620247fl*U+202E*xslx.exe as RFQ-101432620247flexe.xlsx and open the file thinking it is a legitimate Excel spreadsheet. This is not a new trick, but it is less commonly seen in 2024.
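The RLO trick above can be caught at the mail gateway or during triage before anyone opens the attachment. The Python below is an added example, not from the SentinelOne write-up: it flags Unicode bidi control characters in a file name and contrasts the extension the OS will actually execute with the one a user would see (it simulates only the RLO reversal, an assumption for illustration; the sample names are constructed from the page's lure).

```python
# Unicode bidi control characters that can disguise a file name's true
# extension; U+202E (RLO) is the one used in the CLOUD#REVERSER lure.
BIDI_CONTROLS = {
    "\u202A": "LRE", "\u202B": "RLE", "\u202C": "PDF",
    "\u202D": "LRO", "\u202E": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}


def true_extension(name):
    """Extension as the OS sees it: the text after the last real dot."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def rendered_name(name):
    """Approximate what a user sees: text after an RLO is drawn reversed.

    Only RLO is simulated (assumption for illustration); full bidi layout
    is more involved, but this reproduces the swap the lure relies on.
    """
    if "\u202E" not in name:
        return name
    head, tail = name.split("\u202E", 1)
    return head + tail[::-1]


def check_filename(name):
    """Return a finding dict for an attachment name, flagging bidi tricks."""
    controls = [BIDI_CONTROLS[c] for c in name if c in BIDI_CONTROLS]
    shown = rendered_name(name)
    real_ext = true_extension(name)
    shown_ext = true_extension(shown)
    return {
        "raw": name,
        "rendered": shown,
        "bidi_controls": controls,
        "true_extension": real_ext,
        "apparent_extension": shown_ext,
        # Any bidi control in a file name is worth a look; a mismatch
        # between what runs and what is shown is the classic disguise.
        "suspicious": bool(controls) or real_ext != shown_ext,
    }


# Constructed samples: the page's lure (placeholder digits kept as on the
# page) and a benign spreadsheet name.
SAMPLES = [
    "RFQ-101432620247fl\u202Exslx.exe",
    "Q2-budget.xlsx",
]

if __name__ == "__main__":
    for n in SAMPLES:
        f = check_filename(n)
        verdict = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{verdict}: shown as {f['rendered']!r}, really .{f['true_extension']}")
```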

Executing this file drops a total of eight payloads, one of which includes a decoy Excel file and an obfuscated VBScript that displays the .xlsx file to continue the deception. From there, a series of additional scripts allow the threat actor to establish persistence on the system, connect to the actor-controlled Google Drive and Dropbox accounts, fetch files from the storage services, and maintain connection to the actor’s command and control (C2) server.

CLOUD#REVERSER Stage 1 (VirusTotal)

These developing attacks highlight the trend of threat actors abusing SaaS platforms to deliver malicious payloads under the guise of legitimate network traffic. By embedding multi-stage downloaders that run code within widely-used cloud platforms, the threat actors can ensure they have persistent access for data exfiltration while keeping a low profile.

The Ugly | Military & Government Orgs Repeatedly Targeted by New PRC-Linked Threat Actor Over 6 Years

Details on a previously undocumented threat group called "Unfading Sea Haze" emerged this week when cybersecurity researchers reported on a series of attacks across countries bordering the South China Sea. So far, eight high-level organizations in critical sectors have been repeatedly targeted over the last six years, with the attackers exploiting poor credential hygiene and unpatched devices and web services in particular.

Unfading Sea Haze is currently not linked to any known APT group, but appears to share similar goals, techniques, geopolitical victimology, and choice of tools known to be associated with Chinese-speaking threat actors. This includes the use of Gh0st RAT malware and running a tool called SharpJHandler, often employed by PRC-based APT41.

So far, Unfading Sea Haze has been observed sending spear phishing emails containing Windows shortcut (LNK) files. When launched, these files execute commands to retrieve the next-stage payload, a backdoor called "SerialPktdoor", which then runs PowerShell scripts and manages files remotely. Also characteristic of Unfading Sea Haze attacks is the use of the Microsoft Build Engine (MSBuild) to execute files filelessly and minimize the risk of detection, and of scheduled tasks to load a malicious DLL and establish persistence.

Other tools in the group's arsenal include "Ps2dllLoader", a keylogger called "xkeylog", a web browser data stealer, a monitoring tool keyed to the presence of portable devices, and a custom data exfiltration program named "DustyExfilTool". The widely varied and complex toolkit points to a certain level of sophistication. Researchers note that the combination of both custom and commercial tools is indicative of a cyber espionage campaign aimed at gathering sensitive information from military and government entities.

Organizations can mitigate the risks threat groups like Unfading Sea Haze pose with the SentinelOne Singularity platform.

Good security hygiene such as timely patch management, strong authentication methods, and secure credentials is also highly recommended.

from SentinelOne