
310 episodes

Research Saturday N2K Networks
Technology
4.4 • 8 Ratings
Every Saturday, we sit down with cybersecurity researchers to talk shop about the latest threats, vulnerabilities, and technical discoveries.
Behind the Google shopping ad masks.
Maxim Zavodchik from Akamai joins Dave to discuss their research on "Xurum: New Magento Campaign Discovered." Akamai researchers have discovered an ongoing server-side template injection campaign that is exploiting digital commerce websites. This campaign targets Magento 2 shops, and was dubbed Xurum in reference to the domain name of the attacker’s command and control (C2) server.
The research states "The attacker uses an advanced web shell named “wso-ng” that is activated only when the attacker sends the cookie “magemojo000” to the backdoor “GoogleShoppingAds” component."
The research can be found here:
Xurum: New Magento Campaign Discovered
Learn more about your ad choices. Visit megaphone.fm/adchoices
A look into the emotions and anxieties of the highest levels of decision-making.
Guest Manuel Hepfer from ISTARI shares his research on cyber resilience which includes discussions with 37 CEOs to gain insight into how they manage cybersecurity risk. ISTARI and Oxford University's Saïd Business School dive into the minds and experiences of CEOs on how they manage cybersecurity risk.
Ask any CEO to name the issues that keep them awake at night and cybersecurity risk is likely near the top of the list – with good reason. With the accelerating digitalisation of business models comes vulnerability to cyberattack. And while spending on cybersecurity increases every year, so does the number of serious incidents. Even the largest and most technologically advanced companies are not immune.
CEOs must formally answer to regulators, shareholders and board members for their organisation’s cybersecurity. Yet the majority (72%) of CEOs we interviewed as part of our research said they were not comfortable making cybersecurity-related decisions.
The research and associated article can be found here:
Research: The CEO Report on Cyber Resilience
Article: Make Cybersecurity a Strategic Asset
No honor in being a criminal.
This week, our guest is Reece Baldwin from Kasada discussing their work on "No Honour Amongst Thieves: Unpacking a New OpenBullet Malware Campaign." The Kasada Threat Intelligence team has recently identified a malware campaign targeting users of OpenBullet, a tool popular within criminal communities to conduct credential stuffing attacks.
This malware campaign was first uncovered when the team was digging around in a Telegram channel set up to share OpenBullet configurations. Reading through a few of the configurations, they identified a function ostensibly designed to bypass Google’s reCAPTCHA anti-bot solution. The research states "While the versatility of OpenBullet’s configuration files enable complex attacks, they can also make it difficult for inexperienced attackers to fully understand what requests are being created and what data is being retrieved."
The research can be found here:
No Honour Amongst Thieves: Unpacking a New OpenBullet Malware Campaign
Thwarting Muddled Libra.
Kristopher Russo and Stephanie Regan from Palo Alto Networks Unit 42 join Dave to talk about Threat Group Assessment: Muddled Libra. With an intimate knowledge of enterprise information technology, this threat group presents a significant risk even to organizations with well-developed legacy cyber defenses.
Posing threats to organizations in the software automation, BPO, telecommunications and technology industries, Muddled Libra is a threat group that favors targeting large outsourcing firms serving high-value cryptocurrency institutions and individuals.
The research can be found here:
Threat Group Assessment: Muddled Libra
Google's not being ghosted from vulnerabilities.
Tal Skverer from Astrix Security joins to discuss their work on "GhostToken – Exploiting GCP application infrastructure to create invisible, unremovable trojan app on Google accounts." Astrix’s Security Research Group revealed a 0-day flaw in Google’s Cloud Platform (GCP) on June 19, 2022, which was found to affect all Google users.
The research states "The vulnerability, dubbed “GhostToken”, could allow threat actors to change a malicious application to be invisible and unremovable, effectively leaving the victim’s Google account infected with a trojan app forever." Google issued a patch to this vulnerability in April of this year, but researchers explain why this can be severe.
The research can be found here:
GhostToken – Exploiting GCP application infrastructure to create invisible, unremovable trojan app on Google accounts
Politicians targeted by RomCom.
Dmitry Bestuzhev from BlackBerry joins to discuss their work on "RomCom Resurfaces: Targeting Politicians in Ukraine and U.S.-Based Healthcare Providing Aid to Refugees from Ukraine." Research suggests that the RomCom threat team has been tracked carefully following the geopolitical events surrounding the war in Ukraine, and are now targeting politicians in Ukraine who are working closely with Western countries.
This group is different from others in that their focus is more on secrets or information which can be useful in geopolitics and specifically the war in Ukraine, instead of financial gain. The research says "Although it is unclear at this point what initial infection vector was used to kick off the execution chain, previous RomCom attacks used targeted phishing emails to point a victim to a cloned website hosting Trojanized versions of popular software."
The research can be found here:
RomCom Resurfaces: Targeting Politicians in Ukraine and U.S.-Based Healthcare Providing Aid to Refugees from Ukraine
Customer Reviews
A fascinating look into the guts of the machine
I love learning about how even the people who deeply know and understand the intricacies of existing data networks are constantly breaking new ground.
Podcast doesn’t play while on VPN.
The go-to for cyber research discussion
Need or want to know more about the leading research in security? You’ve found just the thing. It’s the perfect show to catch up on the latest research over a cup of joe on a Saturday morning.