Group-IB has today published a new update into the APT (advanced persistent threat) group codenamed Dark Pink, revealing that a total of 13 organizations in 9 countries have now fallen victim to this malicious actor. Dark Pink’s operations were detailed in depth by Group-IB’s Threat Intelligence unit in a January 2023 blog post, and at this time, researchers linked the group to attacks on 7 organizations in the Asia-Pacific region and 1 in Europe. Group-IB experts have since discovered 5 new Dark Pink victims, and the geographic scope of the group’s operations is wider than previously thought, as organizations in Brunei, Thailand, and Belgium were all hit by Dark Pink attacks.

Continued analysis has revealed that this group is still active, as Dark Pink attacked a government ministry in Brunei this past January and a government agency in Indonesia as recently as April 2023. Additionally, Group-IB researchers were able to attribute three other attacks from 2022 to this particular APT group. The initial access vector for Dark Pink attacks continues to be spear-phishing emails, and Group-IB researchers noted in their January 2023 blog that the group utilized an almost-entirely custom toolkit to exfiltrate files and messenger data from infected devices and networks.

Since then, Group-IB experts can reveal that Dark Pink APT has updated many of these custom tools, changing their functionalities in order to allow the group to slip undetected past defense mechanisms of cybersecurity systems. For example, the group’s custom KamiKakaBot module, designed to read and execute commands from the threat actors via Telegram, is still stored on the filesystem of infected devices, but it is now divided into two distinct parts — one that controls the device and the other that steals sensitive data. Dark Pink also continues to use an MSBuild utility to launch KamiKakaBot in the infection chain.

Group-IB’s Threat Intelligence unit has discovered Dark Pink’s new account on GitHub, which was created as soon as the first information about the APT group was published in the public domain this past January. The threat actors can issue commands to infected machines to download files from this GitHub account, and Group-IB researchers found 12 commits to the new account performed between January 9 and April 11, 2023.

Recent attacks have also seen the group exfiltrate stolen data over a HTTP protocol using Webhook service, and they have also leveraged functionalities of an MS Excel add-in to ensure the persistence of TelePowerBot (a simpler version of KamiKakaBot written in PowerShell). In line with Group-IB’s zero-tolerance policy to cybercrime, all confirmed and potential victims of Dark Pink attacks were issued with proactive warnings.

“Dark Pink APT shows no sign of slowing down,” Andrey Polovinkin, Malware Analyst at Group-IB, said. “APT groups are renowned for their responsiveness and ability to adapt their custom tools to continually avoid detection, and Dark Pink is no exception. The profile of the affected targets underscores the significant danger that Dark Pink poses for both public- and private-sector actors. Group-IB will continue to analyze all Dark Pink activity and ensure that confirmed and potential victims are informed.”

A new Barracuda Threat Spotlight shows how in March 2023 just under half (45.7%) of all HTML attachments scanned by the company were malicious. This follows a steady upward trend in the proportion of malicious HTML files since Barracuda’s last report on the threat in May 2022 when the proportion was less than half (21%) of the current value. In comparison, only 0.03% and 0.009% of the highly popular Microsoft Office and PDF file types were found to be malicious.

HTML stands for Hypertext Markup Language, and it is used to create and structure content that is displayed online. It is also used in email communication – for example in automated newsletters, marketing materials, and more. In many cases, reports are attached to an email in HTML format (with the file extension .html, .htm, or .xhtml, for example). Attackers can successfully leverage HTML as an attack technique in phishing and credential theft or for the delivery of malware.

The data follows analysis by Barracuda researchers of many millions of messages and files scanned by the company’s security technologies. “The security industry has been highlighting the cybercriminal weaponizing HTML for years – and evidence suggests it remains a successful and popular attack tool,” said Fleming Shi, Chief Technology Officer, Barracuda.

Barracuda’s analysis further shows that not only is the overall volume of malicious HTML attachments increasing, nearly a year since the company’s last report, but HTML attachments also remain the file type most likely to be used for malicious purposes. “Getting the right security in place is as important now as it has ever been. This means having effective, AI-powered email protection in place that can evaluate the content and context of an email beyond scanning links and attachments. Other important elements include implementing robust multifactor authentication or – ideally – Zero Trust Access controls; having automated tools to respond to and remediate the impact of any attack; and training people to spot and report suspicious messages,” said Shi.

A10 Networks today published research, Global Communication Service Providers: Market Growth Fuels Security Investments, revealing the priorities, expectations, and perspectives of CSPs across the globe as they evolve and expand their services and infrastructure in an increasingly complex digital environment. The study was undertaken by an independent research organisation, Opinion Matters, among 2,750 senior IT professionals from a range of communication service providers across 11 regions around the world.

Of the 250 enterprise organisations surveyed in the Middle East (Saudi and UAE), it found that, 100% of service providers surveyed expect to see traffic volumes rise in the next 2-3 years. Almost half (44%) of the respondents expect to see traffic increase by up to 50% – 36% expect traffic to rise by over 50% up to 75%, with one in five (20%) believing it will soar by over 75% or more. The average increase in network traffic volume is expected to be 56%.

As a result, four key themes ran throughout A10 Networks’ second global CSP survey. These were: focusing on investment, preparing for growth, expanding services to meet underserved communities, and seizing opportunities to expand into new markets with new services.

Commenting on the positive growth levels, Amr Alashaal, Regional Vice President – Middle East at A10 Networks said, “These predictions align with the sustained traffic growth we’ve seen in recent years. Although the pandemic created a one-off burst in growth which we witnessed in our 2021 survey, we are now seeing more sustained patterns emerging which shows continuing growth at a considerable rate. Likewise, these positive growth levels are creating both the urgency and the confidence for CSPs to undertake substantial investment projects.”

The survey found that respondents’ top priorities for network security investments in the next 2-3 years are:

• 25% – Upgrading of firewalls and other security appliances for new threats and increased traffic volume
• 25% – DDoS detection and monitoring
• 24% – Ransomware and malware protection services
• 24% – DDoS cloud scrubbing
• 24% – Simplified, centralized management and analytics systems

Amr Alashaal continues, “Although upgrading firewalls and other security appliances came out top, this was less dominant than it was two years ago when we did our first CSP survey. This points to the fact that today’s network security strategy must be wide-ranging with a well-rounded approach that can handle the full spectrum of emerging threats to maintain a high quality, reliable and secure service for customers.”

Alongside investing in network security, CSPs are planning to expand their networks to reach unserved or underserved communities:

• 82% of respondents say they are expanding their networks to unserved/underserved communities.
  • 48% are planning to expand for an uplift of more than 10% on their current subscriber base.
  • 33% are expanding for an uplift of more than 50%.
• 16% are planning to build additional data centers and expand to provide additional capacity for other service providers.

Commenting on these findings, Amr Alashaal added, “Connecting communities is central to reducing inequality and supporting digital opportunities, so it is heartening to see this positive direction of travel. Combining this with robust security strategies will result in more people and communities in the region benefitting from safe, reliable digital services.”

Enterprise cloud migration has been a strong trend over the past decade, accelerated by the pandemic. The survey found that enterprises are now focusing on finding the right mix of cloud services to support future plans:

• Overall, 59% of respondents report a positive outcome related to their cloud transition.
  • 22% say that it has directly generated revenue.
  • 19% say that they have evolved to offer public cloud and managed data center services.
  • 18% now have differentiated services that have increased their relevance to customers.

Amr Alashaal comments: “It is interesting to see that nearly one in four CSPs say they have gained revenue as customers have distributed workloads and data center functions between private, on-premises, and public cloud. This cloud transition is also evident when it comes to key purchasing criteria for network equipment, as being in a cloud-native form factor was a must-have criterion, with 27% saying this.”

Top business challenges as networks evolve:

• 35% – Maintaining a quality service and avoiding service outages
• 31% – Increased risk from exposed APIs as a result of app modernisation, open source, and AI
• 27% – Maintaining application availability and security

This demand, as CSPs add more subscribers, has made IPv4 addresses scarce. Providers, therefore, need to plan for the transition to IPv6. However, the survey shows that only 32% expect to achieve this in the next 2-3 years.

• More than one-third (39%) are adopting a strategy of carefully managing their IPv4 pools and gradually transitioning to IPv6.
• 27% aim to run the two in parallel.

Amr Alashaal concludes, “This shows that CSPs are adopting a more cautious approach to IPv6 adoption, leveraging existing investment and carefully managing existing IPv4 addresses or running the two in parallel, rather than accelerating full transition plans. A10 Networks’ Global Communication Service Providers: Market Growth Fuels Security Investments report shows that CSPs are at a crucial point as they aim to capitalize on demand and seize opportunities to grow and diversify their business. To realise their full potential, service providers need to scale and protect their networks so the infrastructure they provide is secure and highly available.”