Category: Cyber


The Evolving Role of the CISO

Curtis Simpson, CISO at Armis, discusses the top qualities that all CISOs need to possess to excel.

Digital technologies have infused every aspect of a business, especially with the shutdown of the physical workplace. The increased interdependence between the physical, digital and cybersecurity worlds demands a leadership position that combines both the technical know-how and the ability to recognize security priorities from a business perspective. Paired with the slew of new threats impacting businesses amid a global pandemic, and the increased scope of what needs to be secured, the past year has propelled the evolution of the CISO.
Specifically: While CISOs were once known solely as the security risk managers, CISOs are now expected to be business enablers of an organization.
Top Qualities of a CISO
Cybersecurity is a highly dynamic field. Rapid, experiential decision making, organized thinking and the ability to communicate strategically to a non-security audience are almost second nature to many CISOs.
In order to truly succeed as a CISO in today’s digital world, here are some top qualities that all CISOs need to possess to excel:
Matchmakers: It’s integral for CISOs to understand the big-picture mission and to make strategic decisions that align security goals with overall business goals. Executives expect that CISOs are not securing the organization at the detriment of the business but rather to its benefit. With that, it’s important to remember that the power of the consolidated set of technologies and services in our security stack can deliver many benefits to our stakeholders beyond the traditional. The ability to connect our efforts to both tactical and strategic benefits to business operations or even the bottom line that go above and beyond traditional risk reduction is critical to the success of the role, the team and the program overall.
Relationship Builders: The CISO’s job may seem hyper-focused on security, but success is truly determined by relationships. This may come as somewhat of a surprise, being that security professionals are commonly associated with their technical skills vs. their social skills. Resonating, communicating and understanding the needs and concerns of business units and their stakeholders within an organization is the most crucial aspect of the CISO role. The true power lies in the combined understanding of the needs and challenges faced by stakeholders, security and compliance risks that we need their help with addressing, and the breadth of technical and operational capabilities at our disposal. Stakeholders that we can help today will help our cause tomorrow, particularly those that are commonly allies of security (legal, enterprise resource management, internal audit). True change for the sake of business risk reduction typically comes through the voices of a network of change agents, not only the lone voice of a CISO “punching up.”
Servant Leadership: Set the strategy, manage priorities at the “epic level” (side note: if you’re not practicing agile, consider doing so), clear a path for your team and guide as required. Don’t manage the details, lead on the outcomes and let the team figure out how they get there. As the team bubbles up risks and challenges, take advantage of your relationships to knock them down, enabling the team to make iterative progress towards the top risks and objectives. As noted above, CISOs no longer have the time to manage every facet of the program but rather, must enable the team to push strategic efforts forward.
Advocates: At the end of the day, CISOs need to advocate for proper cybersecurity infrastructures that will actually protect their organizations. This is no easy feat, as business leaders are often skeptical when it comes to investing funds in cybersecurity when they can’t physically see the threats in motion. CISOs must communicate the importance of quality cybersecurity and advocate for tools that will, as a result, save businesses money in the long run. CISOs must serve as the lobbyists for the security organization, fighting for what’s needed to stay protected under any circumstance.
Future Forecast: Where is the CISO Role Headed?
Traditionally, CISOs focused on security strategy. They worked with stakeholders and direct reports to understand and stack rank risks and related threats, and established and grew programs and capabilities to stop them. Whenever a breach or significant security exposure was identified, their job was to lead the charge in fixing the problem. Now, CISOs need to proactively think about not just security strategy, but long-term business strategy.
In the era of the digital workplace, CISOs must not only focus on preventing threats, but create systems that work for the business and still keep everyone protected. Constant innovation, creation and implementation of unique strategies are already part of the CISO’s job description. It is about thinking not just about the threats in front of you, but the threats to come, and how to stay ahead of them while keeping the goals of the business at the forefront. Decision-making that ties business strategy and security processes into a firm knot is the only way to stand straight amidst the fast-paced, ever-changing storm of digital services.
The role of the CISO is evolving faster than ever, and becoming the jack of all security and business trades. On Monday, they’re the superheroes keeping the cybercriminals out. On Tuesday, they’re improving the organization’s security posture. By the end of the week they’re C-suite ambassadors and innovating the concept of security, all while delivering positive business value.
As the role continues to evolve and the CISO’s depth and breadth of knowledge regarding the business, its underlying technology and its core risks grow, the role will continue to elevate outside of IT and be seen as a peer of the CIO. As enterprises continue to evolve, a growing number of effective CISOs will be asked to inherit enterprise risk-management or infrastructure responsibilities. The future remains bright for the CISO role, as long as we remain focused on truly aligning with the business and managing risk around what truly matters most.
Curtis Simpson is CISO at Armis.
Enjoy additional insights from Threatpost’s InfoSec Insider community by visiting our microsite.


Critical Juniper Bug Allows DoS, RCE Against Carrier Networks

Telecom providers, including wireless carriers, are at risk of disruption of network service if the bug in SBR Carrier is exploited.

A critical remote code-execution vulnerability in Juniper Networks’ Steel-Belted Radius (SBR) Carrier Edition lays open wireless carrier and fixed operator networks to tampering.
The SBR Carrier server is used by telecom carriers to manage policies for how subscribers access their networks – by centralizing user authentication, delivering the appropriate level of access and ensuring compliance with security policies. It allows carriers to offer differentiated levels of service, multiply their revenue models and manage network resources.
The bug (CVE-2021-0276) affects SBR Carrier versions 8.4.1, 8.5.0 and 8.6.0 that use the Extensible Authentication Protocol (EAP). Juniper issued a patch on Wednesday. It rates 9.8 out of 10 on the CVSS vulnerability-severity rating scale.

It’s a stack-based buffer-overflow vulnerability that an attacker can exploit by sending specially crafted packets to the platform, causing the RADIUS daemon to crash, according to Juniper’s advisory. This can result in RCE, and also denial-of-service (DoS) that would prevent phone subscribers from having a network connection.
The bug is just one of many that the networking giant patched this week across its carrier and enterprise product lines, including several high-severity bugs that could be exploited to carry out DoS attacks.
A Second RCE/DoS Bug
One of these can also be used for RCE, Juniper said. That bug (CVE-2021-0277, with an 8.8 CVSS rating) is an out-of-bounds read vulnerability afflicting Junos OS (versions 12.3, 15.1, 17.3, 17.4, 18.1, 18.2, 18.3, 18.4, 19.1, 19.2, 19.3, 19.4, 20.1, 20.2, 20.3 and 20.4), and Junos OS Evolved (all versions).
Junos OS and Junos OS Evolved are network operating systems that power Juniper’s enterprise routers and switches. The former runs on FreeBSD, while the latter runs a version of Linux.
The issue exists in the processing of specially crafted LLDP frames by the Layer 2 Control Protocol Daemon (l2cpd). LLDP is the protocol that network devices use to broadcast their identity, capabilities and neighbors on a local area network (usually over wired Ethernet).
“Continued receipt and processing of these frames, sent from the local broadcast domain, will repeatedly crash the l2cpd process and sustain the DoS condition,” Juniper said in its advisory, issued Thursday.
In addition to the patch, this bug has a few workarounds. For instance, users can configure a device to not load the l2cpd daemon. However, if it’s disabled, certain protocols (RSTP, MSTP, VSTP, ERP and xSTP, among others) won’t work.
A second option is to configure target interfaces on the device to disable LLDP packet processing. Or, for most switching platforms, it’s possible to implement packet filters via a firewall to discard LLDP packets with an EtherType of 0x88cc, according to the advisory.
Lastly, to reduce the risk of exploitation, users can implement off-system intrusion-detection systems and/or firewall filtering methods. These include “disallowing LLDP EtherType to propagate completely on local segments, or by filtering broadcast addressed LLDP packets or unicast addressed LLDP packets not originated from trusted sources targeted to trusted destinations,” the vendor explained.
Check out our free upcoming live and on-demand webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community.


Windows 0-Days Used Against Dissidents in Israeli Broker’s Spyware

Candiru, aka Sourgum, allegedly sells the DevilsTongue surveillance malware to governments around the world.

A set of unique spyware strains created by an Israeli firm and allegedly used by governments around the world to surveil dissidents has been defanged by Microsoft, the software giant said.
The private company, called variously Candiru, Grindavik, Saito Tech and Taveta (and dubbed “Sourgum” by Microsoft), reportedly sells its wares exclusively to governments, according to Citizen Lab, which first analyzed the malware and flagged it for Microsoft. The code, collectively known as “DevilsTongue,” has been used in highly targeted cyberattacks against civil society, according to an advisory issued Thursday – making use of a pair of zero-day vulnerabilities in Windows (now patched).
The victims number more than 100, and include politicians, human-rights activists, journalists, academics, embassy workers and political dissidents, Citizen Lab and Microsoft said. The targets have been global, located in Armenia, Iran, Israel, Lebanon, Palestine, Singapore, Spain, Turkey, United Kingdom and Yemen.

“Sourgum generally sells cyberweapons that enable its customers, often government agencies around the world, to hack into their targets’ computers, phones, network infrastructure and internet-connected devices,” according to Microsoft’s tandem advisory. “These agencies then choose who to target and run the actual operations themselves.”
Citizen Lab researchers said that DevilsTongue can exfiltrate data and messages from various accounts, including Facebook, Gmail, Skype and Telegram. The spyware can also capture browsing history, cookies and passwords, turn on the target’s webcam and microphone, and take pictures of the screen.
“Capturing data from additional apps, such as Signal Private Messenger, is sold as an add-on,” according to the firm.
Microsoft noted that the stolen cookies can later be used by the attacker to sign in as the victim to websites to enable further information gathering.
The code can infect and monitor Android phones, cloud accounts, iPhones, Macs and PCs, Citizen Lab researchers said, noting that DevilsTongue’s command-and-control (C2) infrastructure involves more than 750 websites, including “domains masquerading as advocacy organizations such as Amnesty International, the Black Lives Matter movement as well as media companies.”
Millions of Euros
DevilsTongue as a kit goes for millions of Euros, according to a leaked proposal [PDF] obtained by Citizen Lab. It can be deployed in a number of attack vectors, including via malicious links, attached files in emails and man-in-the-middle attacks. The cost depends on the number of concurrent infections a user would like to maintain.
“The €16 million project proposal allows for an unlimited number of spyware infection attempts, but the monitoring of only 10 devices simultaneously,” according to Citizen Lab. “For an additional €1.5M, the customer can purchase the ability to monitor 15 additional devices simultaneously, and to infect devices in a single additional country. For an additional €5.5M, the customer can monitor 25 additional devices simultaneously, and conduct espionage in five more countries.”
It added, “For a further additional €1.5M fee, customers can purchase a remote-shell capability, which allows them full access to run any command or program on the target’s computer. This kind of capability is especially concerning, given that it could also be used to download files, such as planting incriminating materials, onto an infected device.”
Use of DevilsTongue is restricted in a handful of countries, including China, Iran, Israel, Russia and the U.S. However, there are, apparently, loopholes.
“Microsoft observed Candiru victims in Iran, suggesting that in some situations, products from Candiru do operate in restricted territories,” Citizen Lab researchers said. “In addition, targeting infrastructure disclosed in this report includes domains masquerading as the Russian postal service.”
Zero-Day Exploits
The spyware exploits two elevation-of-privilege security vulnerabilities in Windows, CVE-2021-31979 and CVE-2021-33771, both of which were addressed in Microsoft’s July Patch Tuesday update this week. The attacks are carried out via “a chain of exploits that impacted popular browsers and our Windows operating system,” Microsoft noted.
Both bugs give an attacker the ability to escape browser sandboxes and gain kernel code execution, Microsoft said:

CVE-2021-31979: An integer overflow within Windows NT-based operating system (NTOS). “This overflow results in an incorrect buffer size being calculated, which is then used to allocate a buffer in the kernel pool,” according to Microsoft. “A buffer overflow subsequently occurs while copying memory to the smaller-than-expected destination buffer. This vulnerability can be leveraged to corrupt an object in an adjacent memory allocation. Using APIs from user mode, the kernel pool memory layout can be groomed with controlled allocations, resulting in an object being placed in the adjacent memory location. Once corrupted by the buffer overflow, this object can be turned into a user mode to kernel mode read/write primitive. With these primitives in place, an attacker can then elevate their privileges.”
CVE-2021-33771: A race condition within NTOS resulting in the use-after-free of a kernel object. “By using multiple racing threads, the kernel object can be freed, and the freed memory reclaimed by a controllable object,” explained Microsoft. “Like the previous vulnerability, the kernel pool memory can be sprayed with allocations using user mode APIs with the hopes of landing an object allocation within the recently freed memory. If successful, the controllable object can be used to form a user mode to kernel mode read/write primitive and elevate privileges.”

To mitigate the attacks, Microsoft said that it “built protections into our products against the unique malware Sourgum created,” in addition to the patching.
“These attacks have largely targeted consumer accounts, indicating Sourgum’s customers were pursuing particular individuals,” according to Microsoft. “The protections we issued this week will prevent Sourgum’s tools from working on computers that are already infected and prevent new infections on updated computers and those running Microsoft Defender Antivirus as well as those using Microsoft Defender for Endpoint.”
Private brokers of cyberattack kits for government surveillance have been publicized mainly thanks to another Israeli firm, NSO Group, which created the Pegasus spyware that enables customers to remotely exploit and monitor mobile devices. NSO Group has long maintained that its kit is meant to be a tool for governments to use in fighting crime and terror, and that it’s not complicit in any government’s misuse of it. However, critics say that repressive governments use it for more nefarious purposes to track dissidents, journalists and other members of civil society — and that NSO Group assists them. In December, Pegasus added an exploit for a zero-day in Apple’s iMessage feature for iPhone.


Microsoft: New Unpatched Bug in Windows Print Spooler

Another vulnerability separate from PrintNightmare allows for local elevation of privilege and system takeover.

Microsoft has warned of yet another vulnerability that’s been discovered in its Windows Print Spooler that can allow attackers to elevate privilege to gain full user rights to a system. The advisory comes on the heels of patching two other remote code-execution (RCE) bugs found in the print service that collectively became known as PrintNightmare.
The company released the advisory late Thursday for the latest bug, a Windows Print Spooler elevation-of-privilege vulnerability tracked as CVE-2021-34481. Microsoft credited Dragos vulnerability researcher Jacob Baines for identifying the issue.
The vulnerability “exists when the Windows Print Spooler service improperly performs privileged file operations,” according to Microsoft.

Attackers who successfully exploit the bug can run arbitrary code with SYSTEM privileges, allowing them to install programs, view, change or delete data, or create new accounts with full user rights, the company said.
To work around the bug, administrators and users should stop and disable the Print Spooler service, Microsoft said.
Slightly Less of a ‘PrintNightmare’
The vulnerability (CVE-2021-1675) is the latest in a flurry of problems discovered in Windows Print Spooler, but seems slightly less dangerous, as it can only be exploited locally. It rates 7.8 out of 10 on the CVSS vulnerability-severity scale.
Indeed, Baines told BleepingComputer that while the bug is print driver-related, “the attack is not really related to PrintNightmare.” Baines plans to disclose more about the little-known vulnerability in an upcoming presentation at DEF CON in August.
The entire saga surrounding Windows Print Spooler began Tuesday, June 30, when a proof-of-concept (PoC) for an initial vulnerability in the print service was dropped on GitHub showing how an attacker can exploit the flaw to take control of an affected system.
The response to the situation soon turned into confusion. Though Microsoft released an update for CVE-2021-1675 in its usual raft of monthly Patch Tuesday updates, fixing what it thought was a minor elevation-of-privilege vulnerability, the listing was updated later in the week after researchers from Tencent and NSFOCUS TIANJI Lab figured out it could be used for RCE.
However, soon after it became clear to many experts that Microsoft’s initial patch didn’t fix the entire problem. The federal government even stepped in last Thursday, when CERT/CC offered its own mitigation for PrintNightmare that Microsoft has since adopted — advising system administrators to disable the Windows Print Spooler service in Domain Controllers and systems that do not print.
To further complicate matters, Microsoft also last Thursday dropped a notice for a bug called “Windows Print Spooler Remote Code Execution Vulnerability” that appeared to be the same vulnerability, but with a different CVE number—in this case, CVE-2021-34527. The company explained that the second bug was similar to the earlier PrintNightmare vulnerability but also its own distinct entity.
Eventually, Microsoft last Wednesday released an emergency cumulative patch for both PrintNightmare bugs that included all previous patches as well as protections for CVE-2021-1675 as well as a new fix for CVE-2021-34527.
However, that fix also was incomplete, and Microsoft continues to work on further remediations as it also works to patch this latest bug, CVE-2021-34481. In the meantime, affected customers should install the most recent Microsoft updates as well as use the workaround to avoid exploitation, the company said.


Zero-Day Attacks on Critical WooCommerce Bug Threaten Databases

The popular e-commerce platform for WordPress has started deploying emergency patches.

A critical SQL-injection security vulnerability in the WooCommerce e-commerce platform and a related plugin has been under attack as a zero-day bug, researchers have disclosed.
The exploitation prompted WooCommerce to release an emergency patch for the issue late on Wednesday. The bug could allow unauthenticated cyberattackers to make off with scads of information from an online store’s database – anything from customer data and payment-card info to employee credentials.
WooCommerce, a popular open-source e-commerce platform for websites running on WordPress, is installed on more than 5 million websites globally. It allows online merchants to create storefronts with various customizable options such as payment types accepted, shipping features, sales tax calculations and so on.

The related plugin affected by the bug is the WooCommerce Blocks feature, which is installed on more than 200,000 sites. It helps merchants display their products on webpages.
The bug (CVE pending) was originally reported by HackerOne security researcher Thomas DeVoss (dawgyg), who said via Twitter that he was able to pull together a working proof-of-concept exploit, but that he wouldn’t release details of the bug until after there’s been time for merchants to apply the patch.
So, technical details are scant apart from the fact that it allows SQL injection – a type of attack that allows a cyberattacker to interfere with the queries that an application makes to its database. Usually this is carried out by inserting malicious SQL statements into an entry field for execution.
Exploitation in the Wild
The extent of in-the-wild exploitation remains somewhat unclear.
“Our investigation into this vulnerability and whether data has been compromised is ongoing,” Beau Lebens, head of engineering for WooCommerce, said in an advisory. “We will be sharing more information with site owners on how to investigate this security vulnerability on their site…If a store was affected, the exposed information will be specific to what that site is storing but could include order, customer, and administrative information.”
According to researchers at Wordfence, there is “extremely limited evidence of [exploitation] attempts and it is likely that such attempts were highly targeted.”
That said, one user noted in the comments section of the WooCommerce advisory that unusual activity had been observed.
“Just hours before your announcement and email, the site I manage saw a massive spike in network traffic before effectively locking out administrative logins and presenting various bizarre messages,” the user said. “When I SSH’d into the live environment, the console reported that there were 4 failed login attempts since my last login. So far as I could tell there was no apparent vandalism and the failed logins had their IP banned. It seems a little too coincidental.”
To forensically determine if a site has been impacted, Wordfence researchers suggested that a review of log files may show indications:
“Look for a large number of repeated requests to /wp-json/wc/store/products/collection-data or ?rest_route=/wc/store/products/collection-data in your log files,” they noted. “Query strings which include %2525 are an indicator that this vulnerability may have been exploited on your site.”
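The Wordfence guidance above (repeated requests to the collection-data route, and the %2525 double-encoded marker in query strings) translates directly into a log review. The following Python is an added example written for this page, not Wordfence’s or WooCommerce’s tooling: it parses combined-format access-log lines, recognises both spellings of the route (/wp-json/… and ?rest_route=…), counts matching requests per client and separately records clients whose raw query string contained the marker. The log lines, the client addresses and the threshold of five requests are all constructed for the example; the marker check runs on the un-decoded query string on purpose, because decoding would turn %2525 into %25 and hide it.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Combined/common log line: ip ident user [ts] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# REST route named in the Wordfence guidance, reachable two ways.
COLLECTION_ROUTE = "/wc/store/products/collection-data"
# Double-encoded percent sign flagged as an exploitation indicator.
INJECTION_MARKER = "%2525"


def targets_collection_data(target: str) -> bool:
    """True if the request line's target is the collection-data REST route."""
    parts = urlsplit(target)
    if parts.path.rstrip("/").endswith("/wp-json" + COLLECTION_ROUTE):
        return True
    # parse_qs percent-decodes, so an encoded rest_route value is still matched.
    for route in parse_qs(parts.query).get("rest_route", []):
        if route.rstrip("/") == COLLECTION_ROUTE:
            return True
    return False


def scan(lines, threshold: int = 20) -> dict:
    """Summarise collection-data requests per client IP.

    Returns per-IP counts, the IPs at or above `threshold` (sorted) and the
    IPs whose raw query string carried the %2525 marker.
    """
    counts = Counter()
    marker_ips = set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not targets_collection_data(m.group("target")):
            continue
        ip = m.group("ip")
        counts[ip] += 1
        # Check the raw query, before any decoding, so the marker survives.
        if INJECTION_MARKER in urlsplit(m.group("target")).query:
            marker_ips.add(ip)
    repeated = sorted(ip for ip, n in counts.items() if n >= threshold)
    return {"counts": dict(counts), "repeated": repeated, "marker_ips": marker_ips}


# Constructed sample log (documentation-range IPs; not real traffic).
SAMPLE_LOG = [
    '198.51.100.2 - - [14/Jul/2021:21:03:11 +0000] "GET /shop/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [14/Jul/2021:21:04:02 +0000] "GET /?rest_route=/wc/store/products/collection-data'
    '&calculate_attribute_counts[0][taxonomy]=pa_color HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
] + [
    f'203.0.113.7 - - [14/Jul/2021:21:05:{i:02d} +0000] "GET /wp-json/wc/store/products/collection-data'
    f'?calculate_attribute_counts%5B0%5D%5Btaxonomy%5D=pa_color%2525 HTTP/1.1" 200 1024 "-" "python-requests/2.25"'
    for i in range(10)
]

if __name__ == "__main__":
    report = scan(SAMPLE_LOG, threshold=5)
    for ip, n in sorted(report["counts"].items()):
        flag = " [%2525 seen]" if ip in report["marker_ips"] else ""
        print(f"{ip}: {n} collection-data request(s){flag}")
    print("repeated:", report["repeated"])
```

A single request to the route is normal storefront behaviour (the 198.51.100.9 client here), so the count and the marker are reported separately; the threshold is the tunable part, and the marker is the stronger signal of the two.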
The vulnerability affects versions 3.3 to 5.5 of the WooCommerce plugin and WooCommerce Blocks 2.5 to 5.5 plugin. Lebens said that the company has created a patch fix “for every impacted version (90+ releases) which was deployed automatically to vulnerable stores.”
However, that automatic deployment is not instantaneous, and users in the advisory’s comments section were reporting not getting the updates as of Thursday afternoon, so “we’re urging everyone check and manually update if needed just in case,” WooCommerce said. The advisory includes a table listing all 90 patched versions.
“Store owners using older versions can update to the latest version in their branch,” advised Wordfence researchers. “For example, if your storefront is using WooCommerce version 5.3, you can update to version 5.3.1 to minimize the risk of compatibility issues.”
WooCommerce is also recommending administrative password resets after updating to provide additional protection.
The open-source platform is no stranger to security bugs: Last fall, it patched two high-severity cross-site scripting flaws, in a process that took three bites at the apple to get the fix right.


Fake Zoom App Dropped by New APT ‘LuminousMoth’

First comes spear-phishing, next download of malicious DLLs that spread to removable USBs, dropping Cobalt Strike Beacon, and then, sometimes, a fake Zoom app.

Researchers have spotted a weird one: A newly identified threat actor linked to China that’s first mass-attacking, but then cherry-picking, just a few targets to hit with malware and data exfiltration.
Kaspersky researchers said in a Wednesday writeup that they’ve named the advanced threat actor (APT) LuminousMoth.
The campaign, going back to at least last October and targeting first Myanmar and now mostly the Philippines, is both large-scale and highly active.

That’s not uncommon. What is atypical about the LuminousMoth campaign is that it’s not only showy, it’s also targeted with “almost surgical precision,” they said.
“It’s not often we observe a large-scale attack conducted by actors fitting this profile, usually due to such attacks being noisy, and thus putting the underlying operation at risk of being compromised by security products or researchers.” —Kaspersky researchers
The noise of a high-volume attack is a red flag for researchers. Of course, that’s a downside for hackers, given that it blows their cover. The analysts suggested one possible rationale for the splashiness: It could have to do with how LuminousMoth spreads. Namely, it copies itself to removable USB drives.
“It is likely that the high rate of infections is due to the nature of the LuminousMoth attack and its spreading mechanism, as the malware propagates by copying itself to removable drives connected to the system,” according to the writeup. Then again, the higher hit rate in the Philippines could boil down to another, undetected infection vector being used solely in the Philippines, or it could simply be that the attackers are more keenly interested in going after targets there.
Mustang Panda Rides Again
The LuminousMoth actors are using a unique set of tools and malware propagation methods, but their network infrastructure shares parts with another notorious Chinese hacking group named Mustang Panda, a.k.a. HoneyMyte, TA416 or RedDelta.
There are also similarities in the tactics, techniques and procedures (TTPs) used by the two APTs: Namely, the deployment of the Cobalt Strike beacon as a payload, as was also noted by ESET last month. For its part, Avast last month attributed a supply-chain attack against the Myanmar president’s office website to Mustang Panda, showing that Mustang Panda was focusing on the same region as LuminousMoth.
“The proximity in time and common occurrence in Myanmar of both campaigns could suggest that various TTPs of HoneyMyte may have been borrowed for the activity of LuminousMoth,” Kaspersky analysts surmised.
They noted that the two APTs also share the TTPs of using DLL side-loading, as well as both using forms of stealers going after Chrome user-authentication cookies.
Connection between HoneyMyte and LuminousMoth C2s. Source: Kaspersky.
Targeted Regions
LuminousMoth was first going after important organizations in Myanmar, where researchers came across about 100 victims. The campaign ramped up in the Philippines, where they found nearly 1,400 targeted victims.
The true targets were only a subset of that. They represented a selection of high-profile government entities within the two targeted countries and abroad: Two such were Myanmar’s Ministry of Transport and Communications and the country’s Development Assistance Coordination Unit of the Foreign Economic Relations Department. Those were two of the names researchers found on archives inside two malicious DLL libraries.
Boobytrapped USBs Spread Fake Zoom
LuminousMoth has a few ways to break in.
First, the campaign sends a spear-phishing email to the victim. The email contains a Dropbox download link that fetches a RAR archive. That’s where a pair of malicious DLLs can be found, masquerading as a .DOCX file. After that initial infection, the second vector kicks in, with the DLLs being sideloaded by two executables to spread to removable devices and also download a copy of Cobalt Strike.
LuminousMoth’s first infection chain. Source: Kaspersky.
In some cases in the Myanmar attacks, the initial infection was followed by deployment of a signed, fake version of the popular Zoom app. That fake Zoom app was actually malware that enabled the attackers to exfiltrate files from compromised systems. The valid certificate is owned by Founder Technology, a subsidiary of Peking University’s Founder Group, located in Shanghai.
Valid certificate of the fake Zoom app. Source: Kaspersky.
It’s unclear whether the “sheer volume” of the attacks is due to the malware replicating through removable devices or whether it’s caused by something else, such as being spread on watering-hole websites or via a supply-chain attack, the researchers said.
What is clear: LuminousMoth is a new campaign coming from a Chinese-speaking actor that echoes Mustang Panda/HoneyMyte in that it spreads in large-scale attacks, but in actuality only targets a few of them. The newcomer bears monitoring, analysts said, given that it could just be Mustang Panda trying on new clothes, trying to rub out its tracks by re-tooling and coming up with new, unknown malware implants.
“This allows them to obscure any ties to their former activities and blur their attribution to known groups,” Kaspersky researchers concluded.
