MITRE Corporation released findings Wednesday from its latest round of ATT&CK evaluations, assessing the capabilities of enterprise cybersecurity solutions against some of the most prevalent ransomware tactics and North Korean malware.

The sixth such evaluation from the nonprofit research organization measured 19 different vendors’ ability to protect enterprise systems by evaluating them against two prominent ransomware strains -—Cl0p and LockBit — as well as North Korean-linked malware targeting macOS systems. For the latter, MITRE’s evaluation used advanced multi-stage malware emulations that highlighted sophisticated tactics, such as exploiting legitimate macOS utilities and stealthily exfiltrating sensitive data.

According to William Booth, the general manager of MITRE’s ATT&CK evaluations, the results revealed significant disparities between vendors’ detection rates and their ability to accurately distinguish malicious activity from benign system behavior.

“Some vendors had higher false-positive rates than detection rates, which indicates a need to better distinguish legitimate activity from malicious activity,” Booth told CyberScoop. 

How the tests were conducted 

The evaluation is conducted in multiple stages.

First, MITRE runs an initial emulation plan to assess the vendors’ baseline detection capabilities. This means they execute a series of malicious activities and see which ones the vendors can detect without any prior knowledge.

After this initial detection test, MITRE gives vendors a day to make configuration changes to their products. This could involve things like adding new detection logic, updating user interfaces, or making other adjustments to improve product performance.

The purpose of this configuration change period is to allow the vendors to enhance their products based on the initial test results. MITRE wants to see if the vendors can improve their detection and protection capabilities by making targeted changes.

In the second phase of testing, MITRE runs a separate emulation plan focused on the protection capabilities of the vendors’ products, complete with a new set of malicious activities that the vendors haven’t seen before.

By separating the detection and protection tests, and allowing the configuration changes in between, MITRE can assess how well the vendors can adapt and improve their security controls in response to new threats.

What the results show 

The organization explicitly states that “the evaluations do not rank vendors and their solutions, but instead provide insights” for organizations to make their own decisions based on their unique IT systems and threat models. However, Booth told CyberScoop there were surprising findings from the evaluation’s data. 

One of the most striking discoveries was that some vendors had higher false-positive rates than actual detection rates. Booth explained that this indicates a significant need for vendors to improve the specificity of their detection and blocking capabilities.

“There are certain vendors where you’ll see, yes, they had 100% detections, but their false-positive rate was also 90%,” Booth said. “That’s really interesting when you start to look at, OK, how can [vendors] determine what needs to be detected versus what is just noise?”

Another surprising finding was the difficulty vendors faced in protecting against threats in the post-compromise stage. Booth noted that MITRE’s evaluation placed a strong emphasis on assessing vendors’ ability to detect and mitigate ransomware activities after the initial breach, rather than just the initial infection.

“The assumption that you’re always going to block on the first piece of activity is not the case,” Booth said. “We’re focused on what happens after that initial compromise.”

Many vendors seemed to struggle with this post-compromise focus, as ransomware can often mimic normal system and file encryption behaviors. 

Booth also highlighted the varied approaches vendors are taking when it comes to detection, noting some key differences between machine learning-based methods and more heuristic-based techniques.

“There’s certainly some that are using AI, applying the language models on the raw data, and then there’s others that are using more of a heuristic approach,” Booth explained.

The evaluation revealed that these differing detection strategies can lead to vastly different results, both in terms of detection rates and false-positive rates.

A first for Mac

Booth told CyberScoop the inclusion of macOS in this latest evaluation round presented some unique challenges, noting that evaluating Mac-based threats required a different approach compared to previous Windows-focused assessments.

“MacOS was a bit tougher because there’s not a lot of public CTI [Cyber Threat Intelligence] on that,” Booth said.

That lack of public threat intelligence on Mac-targeted malware campaigns made it more challenging for MITRE to construct realistic, evidence-based emulation scenarios for the evaluation.

“There’s a lot that goes into formulating [the evaluation], in terms of our discussions with many different groups and organizations to get input into doing that. But Mac was hard because there’s not a lot of public CTI,” Booth acknowledged.

Despite these difficulties, MITRE included macOS in this round of testing to better reflect the evolving threat landscape. As more organizations adopt Apple devices, understanding the security capabilities of products against Mac-based attacks has become increasingly important.

Full list of vendors

The full cohort of products that MITRE evaluated included: 

• AhnLab
• Bitdefender
• Check Point
• Cisco Systems
• Cybereason
• Cynet
• ESET
• HarfangLab
• Microsoft
• Palo Alto Networks
• Qualys
• SentinelOne
• Sophos
• Tehtris
• ThreatDown
• Trellix
• Trend Micro
• WatchGuard
• WithSecure

The evaluation results are publicly available on MITRE’s ATT&CK evaluation website. 

While the US government and at least eight telecommunications firms struggle to defend their networks against the China-sponsored Salt Typhoon group, other nations’ telecommunications firms have often been primary targets for advanced persistent threats (APTs) as well.

In 2023, China-linked group Earth Estries — which may overlap with Salt Typhoon — compromised telecommunications firms in the Asia-Pacific (APAC) and the Middle East and North Africa (MENA) regions, as well as the US. In 2022, a Chinese APT group alternatively known as Daggerfly and Evasive Panda infected systems at a telecommunications organization in Africa, installing a backdoor tool known as MgBot. And earlier this year, Chinese APT group Volt Typhoon targeted Singapore’s largest telco, Singtel, with attacks, although the company denies any of the probes were successful.

China has made infiltrating other nations’ networks a foundation of its geopolitical strategy, and other countries — and their citizens — should consider their networks no longer private, says David Wiseman, vice president of secure communications for cybersecurity firm BlackBerry.

“All countries need to assume they are affected,” he says. “The impact [of these attacks are] operational in that the government can no longer be confident using traditional phone calls and SMS. This is accelerating the usage of ‘over the top’ encrypted communications applications for official government communications.”

Over-the-top (OTT) applications and services are those that are delivered over the Internet, not through traditional telecommunications systems.

US telecommunications firms — including Verizon, AT&T, and T-Mobile — are struggling to clean their networks and prevent two Chinese groups, Salt Typhoon and Volt Typhoon, from persisting in their systems. Earlier this year, Salt Typhoon gained access to some of the telecom systems used to satisfy wiretap requests, while Volt Typhoon has compromised telecommunications and other critical infrastructure to pre-position ahead of possible region conflict.

Telecommunications infrastructure is one of the most attractive targets for nation-state actors, because they affect all facets of a country’s economy and provide in-depth data on its citizens, says Chris Henderson, senior director of threat operations at Huntress, a threat-intelligence firm.

“As telecommunication companies have grown from managing landline infrastructure to being one of the most data-rich organizations, their attractiveness to both for-profit groups and state-sponsored espionage has also grown,” he says, adding that they “know more about you than arguably any other organization — they understand where you have been physically located, who you are speaking with, and for how long.”

From Singapore to India and Beyond

China has long focused on the telecommunication firms of its regional rivals. In 2014, for example, the government of India accused Chinese equipment maker Huawei of hacking the state-owned Bharat Sanchar Nigam Limited (BSNL), after that firm used another Chinese service provider, ZTE, to provision its lines.

In 2023, an investigation by cybersecurity firm Trend Micro found that China-linked Earth Estries targeted at least 20 telecommunications and other infrastructure providers across Southeast and South Asia, South Africa, and Brazil, using a cross-platform backdoor.

Every country should act to defend their telecommunications infrastructure, says BlackBerry’s Wiseman. While the success of attacks on Singapore, India, and the US are among the few that have become public, other companies are likely breached and still not aware, he says.

Organizations and citizens should no longer assume that their communications are safe, Wiseman says.

“General harvesting of communication records to build out a continual understanding of changes in command-and-control networks is a key thing that can be done,” he says. “More concerning is that since the voice calls of specific people can be listened to along with reading of the SMS messages, there is the potential for more advanced communications manipulation.”

A Boost for Encryption

The Salt Typhoon attacks may push citizens — and possibly their governments — toward greater use of encryption. While the trend has been for authoritarian governments and security agencies — such as law enforcement and internal security groups — to argue for less encryption, or at least backdoors into encrypted systems, the global attacks on telecommunications technology demonstrate that even nations with well-considered, strict privacy laws are not safe havens, says Gregory Nojeim, senior counsel and director of the security and surveillance project at the Center for Democracy and Technology, a digital-rights group.

“Greater geopolitical tension breeds greater geopolitical incentive to gain access to other countries’ communications and that will also incentivize the adoption and use of encryption,” Nojeim says. “Hopefully, it will also incentivize the protection of encryption against proposals that would weaken it.”

In the US, government agencies such as the FBI have argued for law-enforcement backdoors into telecommunications networks and are calling for workers and citizens to use stronger encryption.

Meanwhile, telecommunications providers — whether private or state-owned — should focus more heavily on security, and their citizens should also adopt encrypted services, BlackBerry’s Wiseman says. “Many countries realized this earlier than the US [and] started widespread adoption of end-to-end app-based encrypted communications sooner,” he says. “The earliest movers were countries that did not have the same level of controls over their telecom network supply chains as the more developed countries.”

Most countries in the Global South score lower on rankings of Internet privacy than their peers in North America, Europe, and East Asia. However, lower privacy rights can mean citizens are more likely to use encrypted services, says CDT’s Nojeim.

“One lesson of Salt Typhoon is that people who live in democracies can’t comfort themselves that their own government won’t listen in absent a good reason,” he says. “Now they have to be concerned about foreign governments listening in, and the way to prevent that, again, is to use an encrypted service.”

U.S. Senator Ron Wyden of Oregon announced a new bill to secure the networks of American telecommunications companies breached by Salt Typhoon Chinese state hackers earlier this year.

Wyden’s “Secure American Communications Act” will order the Federal Communications Commission (FCC) to issue binding cybersecurity rules and implement the security requirements demanded since 1994 by legislation that instructs telecom providers to secure their phone and wireless networks from breaches.

Telecom carriers will have to test their systems annually for security vulnerabilities, patch them, and document their findings and “all corrective measures.” They’ll also have to contract independent auditors for annual compliance audits with FCC cybersecurity rules and document any noncompliance findings.

“It was inevitable that foreign hackers would burrow deep into the American communications system the moment the FCC decided to let phone companies write their own cybersecurity rules. Telecom companies and federal regulators were asleep on the job and as a result, Americans’ calls, messages, and phone records have been accessed by foreign spies intent on undermining our national security,” Wyden said today.

“Congress needs to step up and pass mandatory security rules to finally secure our telecom system against an infestation of hackers and spies.”

On Thursday, FCC Chairwoman Jessica Rosenworcel announced that the agency would also act “urgently” to ensure that American telecom carriers are required to secure their networks.

The Salt Typhoon telecom breaches

CISA and the FBI confirmed the hacks in late October following reports that Chinese threat actors had hacked multiple telcos, including T-Mobile, AT&T, Verizon, and Lumen Technologies.

Even though the timing of these breaches is still unclear, the Chinese hackers had access for “months or longer.” This reportedly allowed them to steal substantial internet traffic from carriers providing services to American businesses and millions of customers.

Last week, President Biden’s deputy national security adviser Anne Neuberger told reporters during a Wednesday press briefing that the Salt Typhoon hacking group breached eight U.S. telecoms and carriers in dozens of other countries.

The White House official said that “at this time, we don’t believe any classified communications have been compromised,” while a senior CISA official added in a Tuesday press call that they couldn’t “say with certainty that the adversary has been evicted.”

CISA and FBI officials also advised Americans to use encrypted messaging apps to minimize the risk of communications interception by Chinese hackers and released guidance to help telecom infrastructure system admins and engineers harden systems against Salt Typhoon attacks.

Also tracked as Earth Estries, Ghost Emperor, FamousSparrow, and UNC2286, the Salt Typhoon Chinese state-sponsored hacking group has been active since at least 2019, breaching government entities and telecom companies across Southeast Asia.

Dec 10, 2024Ravie LakshmananVulnerability / Threat Analysis

Users of Cleo-managed file transfer software are being urged to ensure that their instances are not exposed to the internet following reports of mass exploitation of a vulnerability affecting fully patched systems.

Cybersecurity company Huntress said it discovered evidence of threat actors exploiting the issue en masse on December 3, 2024. The vulnerability, which impacts Cleo’s LexiCom, VLTransfer, and Harmony software, concerns a case of unauthenticated remote code execution.

The security hole is tracked as CVE-2024-50623, with Cleo noting that the flaw is the result of an unrestricted file upload that could pave the way for the execution of arbitrary code.

The Illinois-based company, which has over 4,200 customers across the world, has since issued another advisory (CVE pending), warning of a separate “unauthenticated malicious hosts vulnerability that could lead to remote code execution.”

The development comes after Huntress said the patches released for CVE-2024-50623 do not completely mitigate the underlying software flaw. The issue impacts the below products and is expected to be patched later this week –

• Cleo Harmony (up to version 5.8.0.23)
• Cleo VLTrader (up to version 5.8.0.23)
• Cleo LexiCom (up to version 5.8.0.23)

In the attacks detected by the cybersecurity company, the vulnerability has been found to be exploited to drop multiple files, including an XML file that’s configured to run an embedded PowerShell command that’s responsible for retrieving a next-stage Java Archive (JAR) file from a remote server.

Specifically, the intrusions leverage the fact files placed in the “autorun” sub-directory within the installation folder and are immediately read, interpreted, and evaluated by the susceptible software.

As many as at least 10 businesses have had their Cleo servers compromised, with a spike in exploitation observed on December 8, 2024, at around 7 a.m. UTC. Evidence gathered so far pins the earliest date of exploration to December 3, 2024.

Victim organizations span consumer product companies, logistics and shipping organizations, and food suppliers. Users are advised to ensure that their software is up-to-date to ensure that they are protected against the threat.

Ransomware groups like Cl0p (aka Lace Tempest) have previously set their sights on various managed file transfer tools in the past, and it looks like the latest attack activity is no different.

According to security researcher Kevin Beaumont (aka GossiTheDog), “Termite ransomware group operators (and maybe other groups) have a zero-day exploit for Cleo LexiCom, VLTransfer, and Harmony.”

Cybersecurity company Rapid7 said it also has confirmed successful exploitation of the Cleo issue against customer environments. It’s worth noting that Termite has claimed responsibility for the recent cyber attack on supply chain firm Blue Yonder.

Broadcom’s Symantec Threat Hunter Team told The Hacker News that “Termite appears to be using a modified version of Babuk ransomware, which, when executed on a machine, encrypts targeted files and adds a .termite extension.”

“Since we saw that Blue Yonder had an instance of Cleo’s software open to the internet via Shodan, and Termite has claimed Blue Yonder amongst its victims, which was also confirmed by their listing and open directory of files, I’d say that Gossi is correct in his statement,” Jamie Levy, Huntress’ Director of Adversary Tactics, told the publication.

“For what it’s worth, there have been some rumblings that Termite might be the new Cl0p, there is some data that seems to support this as Cl0p’s activities have waned while Termite’s activities have increased. They are also operating in some similar fashions. We’re not really in the attribution game, but it wouldn’t be surprising at all if we are seeing a shift in these ransomware gangs at the moment.”

(This is a developing story. Please check back for more updates.)

In January 2022, KrebsOnSecurity identified a Russian man named Mikhail Matveev as “Wazawaka,” a cybercriminal who was deeply involved in the formation and operation of multiple ransomware groups. The U.S. government indicted Matveev as a top ransomware purveyor a year later, offering $10 million for information leading to his arrest. Last week, the Russian government reportedly arrested Matveev and charged him with creating malware used to extort companies.

An FBI wanted poster for Matveev.

Matveev, a.k.a. “Wazawaka” and “Boriselcin” worked with at least three different ransomware gangs that extorted hundreds of millions of dollars from companies, schools, hospitals and government agencies, U.S. prosecutors allege.

Russia’s interior ministry last week issued a statement saying a 32-year-old hacker had been charged with violating domestic laws against the creation and use of malicious software. The announcement didn’t name the accused, but the Russian state news agency RIA Novosti cited anonymous sources saying the man detained is Matveev.

Matveev did not respond to requests for comment. Daryna Antoniuk at TheRecord reports that a security researcher said on Sunday they had contacted Wazawaka, who confirmed being charged and said he’d paid two fines, had his cryptocurrency confiscated, and is currently out on bail pending trial.

Matveev’s hacker identities were remarkably open and talkative on numerous cybercrime forums. Shortly after being identified as Wazawaka by KrebsOnSecurity in 2022, Matveev published multiple selfie videos on Twitter/X where he acknowledged using the Wazawaka moniker and mentioned several security researchers by name (including this author). More recently, Matveev’s X profile (@ransomboris) posted a picture of a t-shirt that features the U.S. government’s “Wanted” poster for him.

An image tweeted by Matveev showing the Justice Department’s wanted poster for him on a t-shirt. image: x.com/vxunderground

The golden rule of cybercrime in Russia has always been that as long as you never hack, extort or steal from Russian citizens or companies, you have little to fear of arrest. Wazawaka claimed he zealously adhered to this rule as a personal and professional mantra.

“Don’t shit where you live, travel local, and don’t go abroad,” Wazawaka wrote in January 2021 on the Russian-language cybercrime forum Exploit. “Mother Russia will help you. Love your country, and you will always get away with everything.”

Still, Wazawaka may not have always stuck to that rule. At several points throughout his career, Wazawaka claimed he made good money stealing accounts from drug dealers on darknet narcotics bazaars.

Cyber intelligence firm Intel 471 said Matveev’s arrest raises more questions than answers, and that Russia’s motivation here likely goes beyond what’s happening on the surface.

“It’s possible this is a shakedown by Kaliningrad authorities of a local internet thug who has tens of millions of dollars in cryptocurrency,” Intel 471 wrote in an analysis published Dec. 2. “The country’s ingrained, institutional corruption dictates that if dues aren’t paid, trouble will come knocking. But it’s usually a problem money can fix.

Intel 471 says while Russia’s court system is opaque, Matveev will likely be open about the proceedings, particularly if he pays a toll and is granted passage to continue his destructive actions.

“Unfortunately, none of this would mark meaningful progress against ransomware,” they concluded.

Although Russia traditionally hasn’t put a lot of effort into going after cybercriminals within its borders, it has brought a series of charges against alleged ransomware actors this year. In January, four men tied to the REvil ransomware group were sentenced to lengthy prison terms. The men were among 14 suspected REvil members rounded up by Russia in the weeks before Russia invaded Ukraine in 2022.

Earlier this year, Russian authorities arrested at least two men for allegedly operating the short-lived Sugarlocker ransomware program in 2021. Aleksandr Ermakov and Mikhail Shefel (now legally Mikhail Lenin) ran a security consulting business called Shtazi-IT. Shortly before his arrest, Ermakov became the first ever cybercriminal sanctioned by Australia, which alleged he stole and leaked data on nearly 10 million customers of the Australian health giant Medibank.

In December 2023, KrebsOnSecurity identified Lenin as “Rescator,” the nickname used by the cybercriminal responsible for selling more than 100 million payment cards stolen from customers of Target and Home Depot in 2013 and 2014. Last month, Shefel admitted in an interview with KrebsOnSecurity that he was Rescator, and claimed his arrest in the Sugarlocker case was payback for reporting the son of his former boss to the police.

Ermakov was sentenced to two years probation. But on the same day my interview with Lenin was published here, a Moscow court declared him insane, and ordered him to undergo compulsory medical treatment, The Record’s Antoniuk notes.

The US Navy, Air Force, and Marine Corps have grounded their fleet of Boeing-Bell-made Osprey V-22s on safety grounds.

A spokesperson for the Naval Air Systems Command (NAVAIR) told The Register that the decision had been made following an incident where one of the aircraft made an emergency landing.

“Out of an abundance of caution, NAVAIR recommended an operational pause for all V-22 Osprey variants December 6. This decision comes following a recent precautionary landing of a CV-22. There were no injuries to the crew,” he explained.

“The safety of our V-22 aircrew is our top priority. We are committed to ensuring our Sailors, Airmen, and Marines are able to successfully complete their missions and return home safely.”

The move comes after a V-22, operating out of the Air Force Special Operations Command (AFSOC) in Florida, was forced to make a “precautionary landing,” its spokesperson told us. No one was injured in the incident.

The decision comes barely a year after the last grounding of the V-22 fleet, which came after a fatal crash by a V-22 operated by the Air Force which killed both pilots and six passengers. The cause of that crash was reportedly one of the two engines failed, and the fleet was grounded for three months of checks.

The aircraft’s tiltrotor design, while offering significant advantages in terms of speed, range, and short or vertical lift-off capability, is also incredibly complicated. The aircraft has gained a reputation for unreliability, with four crashes and 30 fatalities occurring during the nine-year testing period, and one ex-pilot has claimed the design was rushed through testing.

Last month an investigation by the Associated Press reported that the top three most serious types of incidents for the aircraft were up to 46 percent between 2019 and 2023, despite the total number of flying hours falling. Overall safety issues were up 18 percent in the same period.

The report suggests that the complex design of the Boeing-Bell aircraft, and the stresses and strains of flight, are causing parts to wear out more quickly than expected. Most of the accidents reported were related to engine issues and last month’s incident may have been more serious than the military is saying, otherwise why ground the entire fleet?

Nevertheless, the military isn’t giving up on the design. In 2022 the winner of the military’s Future Long-Range Assault Aircraft was announced and it’s another tiltrotor design — the Bell V-280 Valor. That aircraft is designed to replace the Black Hawk transport helicopter and is forecast to fly in 2027 at the earliest. ®