77% of security leaders fear we’re in perpetual cyberwar from now on
Also, Charming Kittens from Iran scrape email inboxes, France could fine Google again, and more
In brief A survey of cybersecurity decision makers found 77 percent think the world is now in a perpetual state of cyberwarfare.
In addition, 82 percent believe geopolitics and cybersecurity are "intrinsically linked," and two-thirds of polled organizations reported changing their security posture in response to the Russian invasion of Ukraine.
Of those asked, 64 percent believe they may have already been the target of a nation-state-directed cyberattack. Unfortunately, 63 percent of surveyed security leaders also believe that they'd never even know if a nation-state level actor pwned them.
The survey, organized by security shop Venafi, questioned 1,100 security leaders. Kevin Bocek, VP of security strategy and threat intelligence, said the results show cyberwarfare is here, and that it's completely different to many would have imagined. "Any business can be damaged by nation-states," he added.
According to Bocek, it's been common knowledge for some time that government-backed advanced persistent threat (APT) crews are being used to further online geopolitical goals. Unlike conventional warfare, Bocek said, everyone is a target and there's no military or government method for protecting everyone.
Nor is there going to be much financial redress available. Earlier this week Lloyd's of London announced it would no longer recompense policy holders for certain nation-state attacks.
Late on Friday, Facebook agreed in principle to settle a US lawsuit seeking damages for letting third parties, including Cambridge Analytica, access the private data of users. The terms of the settlement have yet to be finalized.
Googlers uncover Charming email scraping tool
Researchers at Google's Threat Analysis Group (TAG) have detailed email-stealing malware believed to be from Iranian APT Charming Kitten.
The tool, which TAG has dubbed Hyperscrape, is designed to siphon information from Gmail, Yahoo! and Outlook accounts. Hyperscrape runs locally on the infected Windows machine, and is able to iterate through the contents of a targeted inbox and individually download messages. To hide its tracks, it can, among other things, delete emails alerting users to possible intrusions.
Not to be confused with Rocket Kitten, another APT believed to be backed by Iran, Charming Kitten has been hijacking accounts, deploying malware, and using "novel techniques to conduct espionage aligned with the interests of the Iranian government" for years, TAG said.
In the case of Hyperscrape, it appears the tool is either rarely used, or still being worked on, as Google said it's only seen fewer than two dozen instances of the software nasty, all located within Iran.
The malware is limited in terms of its ability to operate, too: it has to be installed locally on a victim's machine and has dependencies that, if moved from its folder, will break its functionality. Additionally, Hyperscrape "requires the victim's account credentials to run using a valid, authenticated user session the attacker has hijacked, or credentials the attacker has already acquired," Google said.
While its use may be rare and its design somewhat restrictive, Hyperscrape is still dangerous malware that Google said it has written about to raise awareness. "We hope doing so will improve understanding of tactics and techniques that will enhance threat hunting capabilities and lead to stronger protections across the industry," Google security engineer Ajax Bash wrote.
Security professionals can find the indicators of compromise data for Hyperscrape in Google's report.
French agency may investigate Google – again
A French governmental agency that has twice fined Google over violations of data privacy regulations and the GDPR has been tipped off by the European Center for Digital Rights (NOYB) about another potential bad practice: dressing up adverts to look like normal email messages.
According to NOYB, Google makes ads appear in Gmail user's inboxes that appear to be regular emails, which would be a direct violation of the EU's ePrivacy directive, as folks may not have technically signed up or consented to see this stuff.
"When commercial emails are sent directly to users, they constitute direct marketing emails and are regulated under the ePrivacy directive," NOYB said.
Because Google "successfully filters most external spam messages in a separate spam folder," NOYB claims, when unsolicited messages end up in a user's inbox it gives the impression it was something they actually signed up for, when that's not the case.
"EU law already makes it quite clear: the use of email, for the purpose of direct marketing, requires user consent," NOYB said, referencing an EU Court of Justice press release [PDF] from 2021 that outlines rules surrounding inbox advertising.
"It is quite simple. Spam is a commercial email sent without consent. And it is illegal. Spam does not become legal just because it is generated by the email provider," said NOYB lawyer Romain Robert.
France's Data Protection Authority (CNIL) has ruled in opposition to Google's past behavior before. In February, Google was found to be breaching GDPR regulations by transmitting data to the US. Google has also been fined by the French Competition Authority for not paying French publishers when using their content.
NOYB said in its complaint [PDF] to CNIL that, because it accuses Google of violating the ePrivacy directive and not GDPR, the watchdog has no need to cooperate with, or wait for, the actions of other national data privacy authorities to decide to fine or otherwise penalize the American web giant.
Nobelium is back with a new post-compromise tool
Microsoft security researchers have described custom software being used by Nobelium, aka Cozy Bear aka the perpetrators of the SolarWinds attack, to maintain access to compromised Windows networks.
Dubbed MagicWeb by Redmond, this malicious Windows DLL, once installed by a high-privileged intruder on an Active Directory Federated Services (ADFS) server, can be used to ensure any user attempting to log in is accepted and authenticated. That'll help attackers get back into a network if they somehow lose their initial access.
Microsoft noted that MagicWeb is similar to the FoggyWeb malware deployed in 2021, and added that "MagicWeb goes beyond the collection capabilities of FoggyWeb by facilitating covert access directly."
This isn't a theoretical malware sample, either: Microsoft said it found a real-world example of MagicWeb in action during an incident response investigation. According to Microsoft, the attacker had admin access to the ADFS system, and replaced a legitimate DLL with the MagicWeb DLL, "causing malware to be loaded by ADFS instead of the legitimate binary."
MagicWeb is a post-compromise malware that requires the attacker to already have privileged access to their target's Windows systems. Microsoft recommends treating ADFS servers as top tier assets and protecting them just like one would a domain controller.
Additionally, Microsoft recommends domain administrators enable Inventory Certificate Issuance policies in PKI environments, use verbose event logging, and look out for Event ID 501, which indicates a MagicWeb infection.
Redmond said organizations can also avoid a MagicWeb infection by keeping an eye out for executable files located in the Global Assembly Cache (GAC) or ADFS directories that haven't been signed by Microsoft, and adding AD FS and GAC directories to auditing scans.
Anti-cheat software hijacked for killing AV
It turns out role-playing game Genshin Impact's anti-cheat software can be, and is being, used by miscreants to kill antivirus on victims' Windows computers before mass-deploying ransomware across a network.
TrendMicro said it spotted mhyprot2.sys, the kernel-mode anti-cheat driver used by Genshin, being used kinda like a rootkit by intruders to turn off end-point protection on machines. The software is designed to kill off unwanted processes, such as cheat programs.
You don't have to have the game installed on your PC to be at risk, as ransomware slingers can drop a copy of the driver on victims' computers and use it from there.
It has the privileges, code signing, and features needed by extortionists to make their roll out of ransomware a cinch, we're told. TrendMicro recommends keeping a look out for unexpected installations of the mhyprot2 driver, which should show up in the Windows Event Log, among other steps detailed in the link above. ®