C-level executives, diplomats, and high-ranking IT managers usually have access to sensitive information, huge amounts of data, finances, or a combination of all these things. And adversaries know it.

Anticipating all the precious data and access rights, cybercriminals and state-sponsored advanced persistent threat groups (APTs) are willing to invest a lot of time and money to orchestrate attacks that could compromise VIP devices and accounts. In this case, backdoors are particularly dangerous, because typically they have the capability to send files to the host computer, execute files and commands there, and exfiltrate (send) files and documents back to the attacker.

One of the latest examples of such an attack features several sophisticated and previously unknown backdoors called LunarWeb and LunarMail, which were recently described by ESET researchers and presented at the ESET World 2024 conference. Using advanced obfuscation techniques, they were deployed to spy on an undisclosed European ministry of foreign affairs. The attack is attributed with medium confidence to the Russia-aligned APT group Turla.

To protect against such attacks, organizations need to be proactive. This means not only training staff and deploying a reliable cybersecurity solution, but also having comprehensive cyberthreat intelligence helping them stay ahead of adversaries.  

According to a 2023 study conducted by BlackCloak and Ponemon Institute, senior-level corporate executives are increasingly being targeted by sophisticated cyberattacks. These include email compromise, ransomware, malware infection, doxing, extortion, online impersonation and even physical attacks, such as swatting.

Around 42% of surveyed organizations stated that their senior executive or an executive’s family member was attacked over the past two years. Attackers often went for sensitive company data, including financial information and intellectual property.

Cybercriminals did not hesitate to strike when their targets were the most vulnerable – at home with their loved ones. In one-third of reported cases, hackers reached executives through insecure home-office networks used during remote work.

Business email compromise (BEC) is one of the most used tactics against VIPs. It usually comprises a sophisticated scam targeting individuals performing transfers of funds and seeks to compromise legitimate business email accounts through social engineering and/or computer intrusion techniques.

According to the FBI’s Internet Crime Complaint Center (IC3) annual reports, BEC is among the costliest types of crime. In 2023, IC3 received 21,489 BEC complaints with adjusted losses of over $2.9 billion. Only investment crimes (such as pyramid schemes, real estate investment scams, or cryptocurrency investment scams) accumulated more losses than BEC in that year, with $4.7 billion reported stolen.

ESET research on the Lunar toolset demonstrates how such carefully crafted spying can look.

The initial attack vector is not known, but recovered installation-related components and attacker activity suggest possible spearphishing with a malicious Word document and abuse of both a misconfigured network and the application monitoring software Zabbix.

Once access is gained, the backdoor installation process follows. It consists of dropping both a loader and a blob containing either LunarWeb or LunarMail, as well as setting up persistence.

From that point forward, data exfiltration can start. For example, the LunarWeb backdoor gathers data such as the OS serial name, environment variables, network adapters, a list of running processes, a list of services, or a list of installed security products, and sends them to a C&C server.

LunarWeb communicates with a C&C server using HTTP(S) underneath which is a custom binary protocol with encrypted content. ESET researchers only found LunarWeb deployed on servers, not user workstations.

LunarMail is similar, but instead of HTTP(S) it uses email messages for communication with its C&C server. This backdoor is designed to be deployed on user workstations, not servers – because it is persistent and intended to run as an Outlook add-in.

The APT group also has several tricks up its sleeve to conceal the malicious activities of deployed backdoors.  

• The loader uses RC4, a symmetric key cipher, to decrypt path to the blob and reads encrypted payloads from it.
• It also creates a decryption key derived from the DNS domain name, which it verifies. Using DNS domain name decryption means that the loader correctly executes only in the targeted organization, which may hinder analysis if the domain name is not known.
• LunarWeb limits initial contact attempts with the C&C server, assessing the backdoor’s lifespan, and checking C&C server accessibility. If any of the safety conditions fail, LunarWeb self-removes, deleting its files, including the loader and the blob.
• To hide its C&C communications, LunarWeb impersonates legitimate-looking traffic, spoofing HTTP headers with genuine domains and commonly used attributes. Notable examples of impersonation include Windows services (Teredo, Windows Update) and updates of ESET products.
• Both LunarWeb and LunarMail can receive commands hidden in images.
• To exfiltrate stolen data, LunarMail embeds them in a PNG image or PDF document. For PNG files, a template matching the compromised institution’s logo is used.
• LunarMail deletes email messages used for C&C communications.
• Both LunarWeb and LunarMail can uninstall themselves.

Being high-priority targets, VIPs should have an adequate high-priority protection in both office and home environments.

• Educate them and the rest of the staff – Technology alone cannot fully safeguard an organization, and the human element will always play a role. Only 9% of cybersecurity professionals participating on the Ponemon survey were highly confident that their CEO or executives would know how to protect their personal computer from viruses, and only 22% trusted them when it comes to securing personal emails.
• Secure their remote working – Because many VIPs are targeted in their home environment, it is necessary to secure their corporate devices, personal devices used for work, and home networks. This includes a use of strong passwords or passphrases, 2FA, regular updating, patching, and backing up data.
• Adopt a zero-trust approach – Take measures to efficiently screen every single point of access, both employee and device – internal and external. Naturally, CEOs and high-ranking managers need a lot of access to perform their duties, but it does not have to be unlimited. Evaluate how much privilege they really need to protect your institution’s data in cases when VIPs’ accounts are compromised.
• Deploy reliable cybersecurity – As the Lunar toolset shows, current cyberthreats operate above the security threshold of traditional firewalls, and more sophisticated security measures need to be adopted. Protection of C-level officials should include multilayered security and proactive defense benefiting from cyber threat intelligence.

ESET Threat intelligence monitors APT groups such as Turla, observing their tactics, techniques, and procedures (TTPs) in order to help organizations prepare for APTs’ new tricks and to also understand their motives. Thanks to comprehensive ESET reports and curated feeds, organizations can anticipate threats and make faster, better decisions.

VIPs are prized trophies for cybercriminals and APTs, be they for financial gain or political reasons. Therefore, they often bring their biggest guns to compromise targets’ accounts and devices.

This means that organizations need to build an awareness culture among their employees and protect their devices with the latest technology. ESET solutions and services can help with that.

We are in the middle of a major transformation of how companies go to market, but relationships remain key.

Given market uncertainties, changes in partnering, and the surge in subscription models, most companies are now considering partnership ecosystems as the key ingredient to survival and success, according to Alastair Edwards, chief analyst at Canalys, who spoke on the State of the Channel at the ESET WORLD 2024 conference. 

“Increasingly, vendors co-selling, co-marketing, co-developing, and co-delivering with partners are becoming more important to delivering joint value to the customer,” Mr. Edwards told ESET after the conference.

In the interview with ESET, Mr. Edwards described the current situation with emerging hyperscale cloud marketplaces, the challenges that cybersecurity partnerships face, and the role of AI in the evolving world of cybersecurity.

What role do partners play in the world of emerging hyperscaler cloud marketplaces where vendors can approach customers directly?

While the initial assumption was that hyperscaler marketplaces would cut out channel partners, in fact the opposite is true. Partners will have an increasingly important role in this sales motion, as customers procure a greater proportion of software and cybersecurity through the cloud marketplaces of AWS, Microsoft, and Google Cloud in particular. Customers are able to use their committed cloud spend with the hyperscalers to buy third-party products through the marketplaces, which can be very attractive when core IT budgets are under pressure. They can take advantage of consolidated monthly or annual billing for all their purchases, which simplifies the billing process.

But beyond the transactions, customers will rely more than ever on partners, particularly as they purchase more complex solutions through these marketplaces. A marketplace is ultimately just a catalog of products and solutions. But end-customers need advice on the right technologies to buy, support for those technologies, integration, and management, which only trusted partners can provide. At the same time, vendors selling through these marketplaces continue to need partners to provide customer support, technical expertise, and complex services.

What do these marketplaces mean for vendor-partner-customer relationships?

These models create new dynamics for vendors, partners, and customers. But relationships remain key. Hyperscalers and vendors have recognized the importance of enabling partners to continue supporting customers directly, for example, through offering customized listings to customers through the marketplaces. The hyperscalers are investing in co-selling with both partners and vendors to drive momentum. There is a risk to the channel of course — those channel partners that don’t embrace this model will find themselves being overtaken by those that do. Even those that embrace this will need to continue showing value — and that value will change in future. But Canalys expects the share of hyperscaler marketplace business via channel partners to increase significantly over the next few years.

When preparing the latest Canalys Global Cybersecurity Leadership Matrix, Canalys worked with Channel Partner feedback collected over 12 months. What are the key lessons to take from it?

ESET’s Partners are generally very positive about their relationship with ESET and the support they receive. They are particularly positive about ESET’s ongoing commitment to partners (and channel-led strategy), ease of doing business, the quality of account management and technical support, and ESET’s ability to plan centrally and execute locally. This is why ESET achieved Champion status in this year’s global Cybersecurity Leadership Matrix report.

Based on this feedback, channel partners seek to prioritize relationships with vendors that align with the transformation in their business models and vendors offering products that partners can wrap their own services and solutions around. What does it mean for security vendors? What should they prioritize to create and maintain long-term relationships with partners?

In some ways, the same things apply to building long-term partner relationships: minimizing sales conflict, investing in partner profitability through effective partner programs, building trusted relationships between vendors and partners, and equipping partners with the skills to sell and support the vendor’s technologies.

But in addition to this, vendors must build greater flexibility into their programs and engagement strategies to support an increasingly diverse partner base and partners operating multiple business models, whether those are resell, managed services, consulting, development, etc. Increasingly, vendors co-selling, co-marketing, co-developing, and co-delivering with partners are becoming more important to delivering joint value to the customer. And recognizing customers will work with multiple partners throughout their technology life cycles — and that most partners lack the resources to specialize in every area — vendors must support effective collaboration between partners.

How important is it for cybersecurity vendors to bring innovations such as AI-powered services?

Of course, this is incredibly important. AI is moving to the center of a new cyber arms race between bad actors — cybercriminals that are weaponizing AI to launch more effective attacks — and the cybersecurity industry that is using AI to enhance cyberdefenses, augment existing capabilities, and improve predictions and remediation times. Vendors must be at the forefront of this race or risk falling behind. Canalys expects AI to usher in a whole new suite of advanced cybersecurity technologies. Channel partners and customers will choose to work with vendors that are staying ahead of a rapidly evolving landscape. At the same time, there is a danger that AI becomes overused in terms of vendor product launches and marketing, which will damage credibility and add to customer confusion when most are unclear about the value of AI. Avoiding this risk is critical to long-term success.

On the other hand, there are still some people who see cybersecurity as one single product, such as antivirus, and are surprised when they get a question about how many endpoints they have and what their network looks like. How to earn the trust of such potential partners and show them that cybersecurity is a much more complex topic?   

Many customers still don’t place enough strategic importance on cybersecurity, and these customers are most likely to only think of one product, like antivirus. But they are also the most vulnerable. Cyber resilience needs to become a business hygiene factor, not a nice-to-have. Government regulations will play a bigger role in forcing that. The reality is that building effective cyber resilience as a customer means addressing a plethora of new threats and an expanded surface area that needs to be protected. For companies that understand this, the biggest challenge they face is managing an exponential increase in cybersecurity complexity. One way to do this is to work with a single managed services partner who takes on the management of this complexity on behalf of the customer. MSPs are seeing the fastest growth in the market as a result.

What are the benefits of having a long-term relationship with a leading cybersecurity vendor such as ESET?

Maintaining a long-term vendor relationship is important to ensuring consistency but also efficiency, in terms of the cost and complexity of managing that relationship … partners and customers don’t have to constantly retrain on different vendors’ products and processes, for example. But while there is a growing trend toward ‘platformization’ in the cybersecurity industry (concentrated around a few big cybersecurity vendors), the reality is that no vendor can do everything effectively in security. So, integration with other (specialist) vendors also becomes key to success.

According to Canalys, many partners rank visibility and community involvement highest of their criteria for vendor partnership — even higher than product or pricing. Why is that so?

We are in an ecosystem-led world, in which partners differentiate through specialist skills, customer focus, and business model. Vendors who empower partners within a broader ecosystem, who promote their partners’ skills, and drive collaboration between partners will provide more value to partners than those that just focus on product or pricing.

In the current world when almost everything is cloud-based or XaaS, is it still important for vendors to maintain local offices providing support to their partners?

Yes, local support will remain key. Even in a cloud-based world, relationships still matter. Cloud and AI can be used to augment those relationships and improve efficiency and productivity. But this is a highly competitive world, and those vendors who see the cloud as a way to step away from their partner relationships will suffer from a loss of relevance and share.

Currently companies and their IT admins are battling alert and portal fatigue. How important is it for cybersecurity vendors to help their partners with simplifying alert management and what are the current trends? 

Extremely important. Customers are struggling to stay on top of the scale of cyber threats and the speed with which they emerge. Finding and retaining the skilled staff to do this is a constant struggle. One of the biggest trends in the market is the role of MSPs in managing that on behalf of customers. Vendors who empower their MSPs with tools like simplified alert management or use AI to automate certain low-level support functions will benefit (through enhanced chatbots, etc.) and ultimately this should enable them to deliver a higher level of support for their customers.

Is the pricing/billing system an important consideration in a partnership? What are the current trends? Do customers favor flexible daily billing or flat rates with long-term commitment?

With the shift to subscriptions, the biggest demands from customers in terms of billing and pricing are simplicity and predictability, when the complexity of managing multiple vendor subscriptions is increasing, with different start and end points, contract lengths, and billing models. This can make it extremely difficult to manage budgets, spending, and planning. Customers as much as possible want partners to help them eliminate that complexity. At the same time, they want flexibility to consume and pay in the way that aligns with their business models. The most successful cybersecurity vendors will help to simplify these models for customers and provide this flexibility to meet the needs of different customers.