We’re Adding 30,000 Supply Chain Roles to Support Target’s Growth and Deliver Joy to Our Guests

Source: Target

For Target, 2021 has been all about growth. Our team powered amazing results in Q1 and Q2, while delivering new services and experiences that keep Target at the cutting edge. (Hello, sortation center expansions and cool new in-store experiences.) And we’re not done yet. That’s why we’re adding 30,000 new supply chain roles to help us deliver joy to our guests this holiday season and well beyond as ongoing members of the Target team.

Our supply chain team members play a crucial role in Target’s day-to-day operations, including moving our products from suppliers to our stores to keep our shelves stocked. From hiring managers to warehouse and operational support staff, each of these new positions will have a direct role in delivering joy to our guests.  

We’re proud to offer the most rewarding careers for our team, and while they’re showing up for our guests each and every day, we’re supporting them with what they need to thrive at Target and beyond. That includes offering industry-leading wages and great benefits like our debt-free education assistance program, training and career growth opportunities. And as front-line workers, our supply chain team members have also received recognition bonuses and expanded benefits throughout the pandemic.


Is Your Business Ready for the Cloud?

Source: SAP


The cloud is no longer just a new idea that may happen in the future. It’s already here. And SAP Advisory Services can help put this technology to work so businesses can store and access personal data, consume the latest applications and services, and define their digital transformation journey.

When talking about the cloud, people often toss around terms like “software as a service” (SaaS) and “infrastructure as a service” (IaaS). However, very few understand the distinct differences between the two types.

SaaS is usable, off-the-shelf software – such as SAP SuccessFactors solutions or SAP Fieldglass solutions – made available in a public cloud. Meanwhile, IaaS stretches this cloud-based service by adding complementary IT services to operate a single cloud solution or a set of cloud solutions.

Another fundamental change in cloud technology is the opportunity to shift away from big release upgrades that typically happen every three years. Companies can now take advantage of a continuous deployment model to acquire new features and functionalities when and where needed. This approach may not impact daily operations, but it does allow organizations to rapidly apply and facilitate digital innovations.

Thanks to all these developments, native cloud-based applications can be designed and deployed considerably faster and at a lower cost than any internal IT department could accomplish. However, this also means that the pressure to innovate groundbreaking, sustainable innovations is relentless – and it’s not going away anytime soon.

To truly seize this moment to solve challenges quickly and stay ahead of the competition with less cost and risk, many SAP customers seek the expertise, tools, resources, and support of SAP Advisory Services. The portfolio features multiple services designed to support SAP customers and help safeguard their cloud deployments. They include digital discovery assessment, digital strategy planning, landscape strategy and architecture, organizational change management, quick-start implementations, and a straightforward process for adopting standardized solutions.

Define Long-Term Value First

Like any other IT project, the goal of a cloud migration and upgrade is to deliver more business value. Ideally, this “value” is defined and benchmarked long before a new solution is launched.

At the most basic level, SAP Advisory Services can help ensure that a migration or upgrade:

  • Reduces total cost of ownership
  • Prevents negative impacts on functionality and usage
  • Meets the needs of changing business and IT requirements
  • Replaces custom-developed codes, features, and interfaces with standard functionalities
  • Maintains the same level of performance and reliability experienced before the implementation, at a minimum
  • Sets a more agile foundation for future innovation and digital transformation

If these criteria sound familiar, you’re right.

For years, most organizations have relied on at least a couple of homegrown solutions to cover an administrative area, such as procurement, finance, controlling, human resources, digital marketing, sales, operations, and warehousing. But SAP Advisory Services can allow them to run various applications across single or multiple data centers or clouds by providing the support to help keep their system landscape current and operationally reliable.

Get the Advisory Support to Move Forward

The portfolio of cloud technology that’s available today has grown extensively over the last few years. In most cases, there is a cloud version of an on-premise solution. Just one look at the portfolio of cloud solutions from SAP is proof of that new reality.

With so many choices available and the constant pressure to evolve, it’s no longer feasible to explore and experiment with new technology, hoping an advantage reveals itself. With SAP Advisory Services, companies can gain the guidance to commit to a vision, a strategic plan, and an expert-led framework that helps bring simplicity and certainty to a cloud migration or upgrade.

For example, some of our customers rely on SAP Advisory Services to weigh which cloud technologies best match SaaS principles. During an expert-led design thinking workshop, they may learn that the standardized functionalities, features, and comprehensive processes delivered in a public cloud are a good fit for their business. Decision-makers can also discover the pros and cons of using a shared platform and data center managed by the software provider or implementation partner. More importantly, stakeholders are able to better understand the need to keep technology standardized to realize the full value of the cloud solution.

Other times, our customers may prefer the freedom to customize solutions as close to the on-premise version of the application as possible. In this scenario, they can still achieve the benefits of a cloud-native application, including continuous new features and functionalities. But as with their existing on-premise solutions, their IT organization must continue to maintain individualized, customized, or added functionalities.

Meanwhile, some companies have specific requirements – such as business process requirements or legal obligations – that might not allow the use of the shared platform structure of a public or private cloud. This may even include the use of a data center located in the same country. In this situation, organizations can consider a hybrid solution architecture that combines public and private clouds and on-premise solutions into one landscape.

Make the Right Decisions with Comprehensive Insight

Before our customers choose to move to a public or private cloud, remain on premise, or use a hybrid approach, SAP Advisory Services can lead them through a comprehensive investigation of each element of the initiative, including:

  • Technology: Ideate preconfigured innovations, IT model changes, and more intelligent technologies to exploit novel ways to transform.
  • SaaS or IaaS services: Rent or purchase cloud capabilities when needed, scale as needs change and the business grows, and gauge the cost of public cloud services.
  • Impact on business processes: Determine whether the business benefits from keeping application capabilities and content standardized or customized.
  • Aftereffects of implementation methodologies: Consider the opportunities and risks of near-instant consumption of predefined content.
  • Cloud landscape operations: Overcome the barriers of adoption and change by assessing legal constraints, demand for localization, interface complexity and variety, workforce readiness, and IT resource availability.
  • Migration planning: Evaluate whether a new implementation (greenfield) or a move that maintains many of the functions of the on-premise application (brownfield) is more advantageous and aligned with expected outcomes.

Throughout this process, our advisory experts can provide the knowledge and best practices necessary to help customers accelerate transformational innovation and optimize operations. The value of the cloud solution is measured in terms of potential gains and total cost of ownership, and changes to business and IT processes are detailed – long before the implementation project begins.

Shape the Future of Business Value with Cloud Innovation

Many companies are entertaining the benefits of transforming their solution landscape from historically homegrown, on-premise solutions into a cloud-based solution architecture. And the realized benefits are many, including continuous migration and upgrades, lower total cost of ownership, fast adoption of the latest technologies, and ongoing support.

According to Guido Schlief, senior vice president and head of Services in Middle and Eastern Europe at SAP, moving to the cloud is not unlike the migration projects of the past. Businesses still need expertise, tools, and resources to foster innovation, nurture new ideas, and build strong digital capabilities – all while reaping the value of their existing and new technology investments.

And for our customers, all that know-how is packaged and accessible through SAP Advisory Services. The portfolio not only enables our customers and their implementation partners to understand the rules of engagement, but also lets them identify innovations to help them stay competitive and continue to grow.

Find out how SAP Advisory Services can help you solve business challenges quickly with less cost and risk.

Matthias Uhrig is principal business consultant for Business Transformation Services at SAP.

GhostEmperor: From ProxyLogon to kernel mode

Source: Securelist – Kaspersky


While investigating a recent rise of attacks against Exchange servers, we noticed a recurring cluster of activity that appeared in several distinct compromised networks. This cluster stood out for its usage of a formerly unknown Windows kernel mode rootkit that we dubbed Demodex, and a sophisticated multi-stage malware framework aimed at providing remote control over the attacked servers.

The former is used to hide the user mode malware’s artefacts from investigators and security solutions, while demonstrating an interesting undocumented loading scheme involving the kernel mode component of an open-source project named Cheat Engine to bypass the Windows Driver Signature Enforcement mechanism.

In an attempt to trace the duration of the observed attacks, we were able to see the toolset in question being used from as early as July 2020. Furthermore, we could see that the actor was mostly focused on South East Asian targets, with outliers in Egypt, Afghanistan and Ethiopia which included several governmental entities and telecommunication companies.

With a long-standing operation, high profile victims, advanced toolset and no affinity to a known threat actor, we decided to dub the underlying cluster GhostEmperor. Our investigation into this activity leads us to believe that the underlying actor is highly skilled and accomplished in their craft, both of which are evident through the use of a broad set of unusual and sophisticated anti-forensic and anti-analysis techniques.

How were the victims initially infected?

We identified multiple attack vectors that triggered an infection chain leading to the execution of malware in memory. We noticed that the majority of the GhostEmperor infections were deployed on public facing servers, as many of the malicious artefacts were installed by the ‘httpd.exe’ Apache server process, the ‘w3wp.exe’ IIS Windows server process, or the ‘oc4j.jar’ Oracle server process. This means that the attackers likely abused vulnerabilities in the web applications running on those systems, allowing them to drop and execute their files.

It is worth mentioning that one of the GhostEmperor infections affected an Exchange server, and took place on March 4, 2021. This was only two days after the patch for the ProxyLogon vulnerability was released by Microsoft, and it is possible that the attackers exploited this vulnerability in order to allow them to achieve remote code execution on vulnerable Exchange servers.

Although GhostEmperor’s infections often start with a BAT file, in some cases the known infection chain was preceded by an earlier stage: a malicious DLL that was side-loaded by wdichost.exe, a legitimate command line utility by Microsoft originally called MpCmdRun.exe. The side-loaded DLL then proceeds to decode and load an additional executable called license.rtf. Unfortunately, we did not manage to retrieve this executable, but we saw that the consecutive actions of loading it included the creation and execution of GhostEmperor scripts by wdichost.exe.

Example of a GhostEmperor infection chain started by a side-loaded DLL

Lastly, some of the Demodex deployments were performed remotely from another system in the network using legitimate tools such as WMI or PsExec, suggesting that the attackers have infected parts of the victims’ networks beforehand.

Infection chain overview

The infection can be divided into several stages that operate in succession to activate an in-memory implant and allow it to deploy additional payloads during run time. This section provides a brief overview of these stages, including a description of the final payloads. The internals of these payloads can be found in a technical document that accompanies this publication.

The flow of infection starts with a PowerShell dropper. The purpose of this component is to stage the subsequent element in the chain by installing it as a service. Before doing so, it creates a couple of registry keys that it assigns encrypted data to, one of which corresponds to a payload that will be deployed in the later stages. It’s worth noting that the script itself is delivered in a packed form, whereby its complete execution is dependent on a command-line argument that is used as a key to decrypt the bulk of its logic and data. Without this key, it’s impossible to recover the flow that comes after this stage.

Initial stage comprised of encrypted PowerShell code that is decrypted based on an attacker-provided AES key during run time

The next stage, which is executed as a service by the former, is intended to serve as yet another precursor for the next phases. It is used to read the encrypted data from the previously written registry keys and decrypt it to initiate the execution of an in-memory implant. We identified two variants of this component, one developed in C++ and another in .NET. The latter, which appeared in the wild as early as March 2021, uses the GUID of the infected machine to derive the decryption key, and is thus tailored to be executed on that specific system. The C++ variant, on the other hand, relies on hardcoded AES 256 encryption keys.

The third stage is the core implant that operates in memory after being deployed by the aforementioned loader, and is injected into the address space of a newly created svchost.exe process. Its main goal is to facilitate a communication channel with a C2 server, whereby malicious traffic is masqueraded under the guise of communication with a benign service, based on a Malleable C2 profile embedded within its configuration. It is important to note that the implementation of the Malleable C2 feature, which is originally provided in the Cobalt Strike framework, is customized and most likely rewritten based on reverse engineering of Cobalt Strike’s code.

Another interesting technique used to conceal the malicious traffic is the malware’s usage of fake file format headers to encapsulate the data passed to the C&C server. To do so, the in-memory implant synthesizes a fake media file of one of the formats RIFF, JPEG or PNG and puts any data conveyed to the server in encrypted form as its body. Thus, the transmitted packet appears as either an image or audio file and blends with other legitimate traffic in the network.

Malleable C2 profile and fake header
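
A structural check that network defenders can apply to this technique, as an added example that is not part of the original report: it validates that a payload carrying PNG, JPEG or RIFF magic bytes really parses as that format, and flags payloads whose body is high-entropy data instead. The sample payloads, the entropy threshold and the assumption that the fake consists of a format header followed directly by ciphertext are constructed for illustration.

```python
import math
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
ENTROPY_THRESHOLD = 7.5  # assumed cut-off; ciphertext sits close to 8 bits/byte


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)


def png_ok(buf: bytes) -> bool:
    """Walk the chunk list: IHDR first, every CRC valid, IEND exactly at the end."""
    pos, first = len(PNG_SIG), True
    while pos + 12 <= len(buf):
        (length,) = struct.unpack_from(">I", buf, pos)
        kind = buf[pos + 4:pos + 8]
        end = pos + 12 + length
        if end > len(buf) or (first and kind != b"IHDR"):
            return False
        (crc,) = struct.unpack_from(">I", buf, end - 4)
        if zlib.crc32(buf[pos + 4:end - 4]) != crc:
            return False
        pos, first = end, False
        if kind == b"IEND":
            return pos == len(buf)
    return False


def jpeg_ok(buf: bytes) -> bool:
    """After SOI expect length-prefixed marker segments up to SOS, then EOI at the end."""
    pos = 2
    while pos + 4 <= len(buf):
        if buf[pos] != 0xFF:
            return False
        (seglen,) = struct.unpack_from(">H", buf, pos + 2)
        if seglen < 2:
            return False
        if buf[pos + 1] == 0xDA:  # SOS: compressed scan data follows
            return buf.endswith(b"\xff\xd9")
        pos += 2 + seglen
    return False


def riff_ok(buf: bytes) -> bool:
    """The RIFF size field must match and the sub-chunks must tile the body exactly."""
    if len(buf) < 12 or struct.unpack_from("<I", buf, 4)[0] + 8 != len(buf):
        return False
    pos = 12
    while pos + 8 <= len(buf):
        if not all(0x20 <= c < 0x7F for c in buf[pos:pos + 4]):
            return False  # chunk IDs are four printable ASCII characters
        (clen,) = struct.unpack_from("<I", buf, pos + 4)
        pos += 8 + clen + (clen & 1)  # chunks are padded to an even length
    return pos == len(buf)


CHECKS = [("PNG", PNG_SIG, png_ok), ("JPEG", b"\xff\xd8\xff", jpeg_ok),
          ("RIFF", b"RIFF", riff_ok)]


def classify(payload: bytes):
    """Return (claimed_format, verdict) for one HTTP body or reassembled stream."""
    for name, magic, check in CHECKS:
        if payload.startswith(magic):
            if check(payload):
                return name, "well-formed"
            body = payload[len(magic):]
            return name, "suspicious" if entropy(body) > ENTROPY_THRESHOLD else "malformed"
    return None, "no-media-magic"


def chunk(kind: bytes, data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + kind + data + struct.pack(">I", zlib.crc32(kind + data))


# Constructed sample data: a real 1x1 PNG, and a stand-in for ciphertext in
# which every byte value occurs exactly twice (entropy 8.0).
BLOB = bytes((i * 73 + 41) % 256 for i in range(512))
SAMPLES = {
    "real_png": PNG_SIG + chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
                + chunk(b"IDAT", zlib.compress(b"\x00\x00")) + chunk(b"IEND", b""),
    "fake_png": PNG_SIG + BLOB,
    "fake_jpeg": b"\xff\xd8\xff\xe0" + BLOB,
    "fake_riff": b"RIFF" + struct.pack("<I", 4 + len(BLOB)) + b"WAVE" + BLOB,
    "broken_png": PNG_SIG + bytes(100),
}

if __name__ == "__main__":
    for label, data in SAMPLES.items():
        print(label, classify(data))
```

Truncated or partially downloaded images also fail the structural walk, so a "suspicious" verdict is a triage signal to correlate with the destination and the sending process rather than a conviction on its own.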

The last stage is the payload injected to the winlogon.exe process by the aforementioned implant and used to provide remote control capabilities to the attackers. Such capabilities include initiation of a remote console or desktop session, with the latter supporting execution of sent mouse clicks and keystrokes on the target machine and retrieval of periodic screenshots that reflect the output of those actions. This stage can also allow the attackers to load arbitrary .NET assemblies or execute PowerShell commands, as well as fully control the victim’s filesystem in order to search, retrieve or push files to it.

In addition to the last stage payload, the core component is also capable of deploying a Windows kernel mode driver on the system. The purpose of this driver is to serve as a rootkit that conceals malware artefacts such as files, registry keys and network traffic, thus gaining stealth and ability to avoid detection by security products and forensic investigators. The upcoming sections elaborate on how this driver is deployed (namely how it bypasses Windows mitigations, given that it’s not digitally signed) and what particular features it provides to the user mode malicious implant.

Overview of the GhostEmperor infection chain

Rootkit loading analysis

On modern 64-bit Windows operating systems, it is generally not possible to load an unsigned driver in a documented way due to the Driver Signature Enforcement mechanism introduced by Microsoft. For this reason, attackers have abused vulnerabilities in signed drivers to allow execution of unsigned code in kernel space. A typical approach[1] taken by many actors to date, and mostly in older versions of Windows, is to disable the Code Integrity mechanism by switching the nt!g_CiEnabled flag that resides within the CI.DLL kernel module after getting write and execution primitives via vulnerable signed drivers. After shutting down the Code Integrity mechanism, an unsigned driver can be loaded.

This approach was limited by Microsoft with the introduction of Kernel Patch Protection (a.k.a. PatchGuard). This mechanism protects specific data structures in the Windows kernel memory space, including the nt!g_CiEnabled flag, against modification. For this reason, the modification of this flag can now cause an invocation of a BSOD. This can be tackled by quickly setting the flag value, loading an unsigned driver and switching it back to the previous state before PatchGuard identifies a change, though this still introduces a race condition that can crash the system.

The approach used by the developer of this rootkit allows loading an unsigned driver without modifying the Code Integrity image and dealing with a potential crash. It abuses features of a legitimate and open-source[2] signed driver named dbk64.sys, which is shipped along with Cheat Engine, an application created to bypass video game protections and introduce cheats into them. This driver provides the capability to write and execute code in kernel space by design, thus allowing arbitrary code to be run in kernel mode.

After dropping the dbk64.sys driver with a randomly generated filename to disk and loading it, the malware issues documented[3] IOCTLs to the driver that allow shellcode to be run in kernel space through the following sequence of actions:

  • First, a memory buffer is allocated in the kernel space non-paged pool by issuing IOCTL_CE_ALLOCATEMEM_NONPAGED.
  • A successfully allocated memory buffer will be then shared between the user mode malware process and kernel address spaces using a direct I/O approach, whereby the kernel mode buffer’s address is mapped to a different address in user space. This is achieved by locking the buffer’s pages in physical memory so that they cannot be paged out (which is possible since they are allocated in the non-paged pool) following which an MDL for the buffer is created and a call to the MmMapLockedPagesSpecifyCache API function is made. All of this is implemented in the handler of IOCTL_CE_MAP_MEMORY.
  • At this point the malware can access the buffer in user mode through the provided pointer from the previous IOCTL and write to it. The written data will in turn be reflected in the same buffer in kernel space. This is used to write the shellcode into the buffer.
  • After the writing is done, the buffer is unmapped from user space by issuing IOCTL_CE_UNMAP_MEMORY.
  • The written shellcode now resides only in kernel space and can be run by issuing IOCTL_CE_EXECUTE_CODE.

The purpose of the shellcode is to replace the dbk64.sys IOCTL dispatcher with an alternative one that in turn allows the loading of an unsigned driver. The alternative dispatcher is also implemented as position-independent code and is bundled with the shellcode. To replace the original dispatcher, the shellcode maps the code of the new dispatcher in memory and patches the pointer to the IRP_MJ_DEVICE_CONTROL routine in the dbk64.sys driver object. At this point, the IRP_MJ_DEVICE_CONTROL pointer is set to the new dispatcher’s address and any IOCTL issued to the driver will pass through it.


The alternative dispatcher provides the same core capabilities as the original one, with the addition of a few that allow it to load a new driver to kernel space. The functionality that makes it possible to achieve this goal is exposed through a set of IOCTL handlers that are called in succession, finally leading to the load of the malware’s kernel mode rootkit. Below is a table of these IOCTLs with descriptions, arranged in the order they are invoked by the malware’s user mode logic in charge of deploying the rootkit.

| IOCTL Code | Description |
| --- | --- |
| 0x220180 | Processes a buffer provided by the user mode malware component by verifying its size is 272 bytes and then decodes it by negating its bytes. This IOCTL is in fact not invoked by the user mode code. |
| 0x220184 | Allocates a buffer in kernel space, locks its pages, creates an MDL and maps the buffer to a user mode address using the MmMapLockedPagesSpecifyCache API. This is essentially equivalent to the chaining of functionalities in IOCTL_CE_ALLOCATEMEM_NONPAGED and IOCTL_CE_MAP_MEMORY from the original dispatcher. After this call, the user mode code has access to a kernel mode buffer and can write to it using a pointer in user mode, as was the case for writing the shellcode. This time, however, the malware manually loads the rootkit’s PE image into the allocated buffer. |
| 0x2201B4 | Since the malware’s user mode code is in charge of loading the rootkit’s image manually in IOCTL 0x220184, it has to resolve some function addresses in kernel space that appear as dependencies in the image’s Import Address Table. This IOCTL allows the function names to be received from user space as strings, retrieving their address with the MmGetSystemRoutineAddress API and providing it back to the user mode code. The latter places the resolved address in the corresponding IAT entry of the loaded image. |
| 0x220188 | Unmaps the address of the kernel mode buffer from user space so it’s only accessible through its kernel mode pointer. |
| 0x2201B8 | Creates a new driver object using the IoCreateDriver function, assigning the driver initialization function pointer to a position-independent stub that is delivered with the shellcode and, once invoked, calls the loaded rootkit’s DriverEntry function. |

It is worth mentioning that the malware’s service makes use of a Cheat Engine utility called kernelmoduleunloader.exe (MD5: 96F5312281777E9CC912D5B2D09E6132) during the loading of the dbk64.sys driver. The driver is dropped along with the utility and a .sig file, with the latter being used as a means of authenticating the component calling dbk64.sys by conveying a digital signature that is associated with its binary.

As the malware is not a component of Cheat Engine, it runs kernelmoduleunloader.exe as a new process and injects it with a small shellcode that merely opens a handle to the dbk64.sys device with the CreateFileW API. The value of the handle is written as the second QWORD in the injected buffer, read by the malware’s process and gets duplicated using the DuplicateHandle API. From this point on, the malware’s service can call the driver as if it was a signed Cheat Engine component.

An outline of the rootkit’s loading phases

Demodex rootkit functionality

The loaded rootkit, which we dubbed Demodex, serves the purpose of hiding several artefacts of the malware’s service. This is achieved through a set of IOCTLs exposed by the rootkit’s driver that are in turn called by the service’s user mode code, each disguising a particular malicious artefact. To access the rootkit’s functionality, the malware ought to obtain a handle to the corresponding device object, after which the following IOCTLs are available for further use:

  • 0x220204: Receives an argument with the PID of the svchost.exe process which runs the code of the malicious service and stores it within a global variable. This variable is used by other IOCTLs later on.
  • 0x220224: Initializes global variables that are later used to hold data such as the aforementioned svchost.exe PID, the name of the malware’s service, the path to the malware’s DLL and a network port.
  • 0x220300: Hides the malware’s service from a list within the services.exe process address space. The service’s name is passed as an argument to the IOCTL and is then sought in a system-maintained linked list. The corresponding entry is unlinked, which keeps the service from being easily detected. The logic in this handler is reminiscent of the technique outlined here.
  • 0x220304: This IOCTL is used to register a file system filter driver’s notification routine by using the IoRegisterFSRegistrationChange API. The notification routine invoked upon registration of a new file system verifies if it is an NTFS-based one and if so, creates a device object for the rootkit which is attached to the subject file system’s device stack. Additionally, both the file system’s device object and the associated rootkit device object are registered in a global list maintained by the rootkit’s driver. Subsequent attempts to retrieve information from, access or modify the file will fail and generate error codes such as STATUS_NO_MORE_FILES or STATUS_NO_SUCH_FILE.
  • 0x220308: Hides TCP connections that make use of ports within a given range from utilities that list them, such as netstat. This is done through a known[4] method whereby the IOCTL dispatch routine of the NSI proxy driver is hooked and the completion routine is set to one that inspects the port of a given connection. If the underlying connection’s port falls within the given range, its entry is removed from the system’s TCP table. The two ports that constitute the range are passed as arguments to the IOCTL.
  • 0x22030C: Hides malware-related registry keys by hooking several registry operations through the CmRegisterCallback API. The registered callback checks the type of operation and acts according to the following logic:

    • For operations of the type RegNtPostEnumerateKey or RegNtPostEnumerateValueKey (enumeration of a key or subkey) it verifies if there is an attempt to enumerate the driver related key under HKLM\SYSTEM\ControlSet0**\Services and if so, sets the return status of the operation to STATUS_NO_MORE_ENTRIES in order to indicate there is no data to provide for the requested enumeration.
    • For operations of the type RegNtPreOpenKeyEx (attempt to open a key) on SOFTWARE\Microsoft\{EAAB20A7-9B68-4185-A447-7E4D21621943} it clears all the driver’s internal global variables, which is equivalent to resetting its operation. That’s because this key is used by the malware’s uninstaller PowerShell script, mentioned in previous sections.
    • For any attempt to change a key under HKLM\MACHINE\SYSTEM via an operation with code RegNtPreSaveKey or lower, it sets that return status to the application error 0xC0000043.

Interestingly, the pointer passed to CmRegisterCallback does not contain the direct address of the function handling the logic above, but instead an address at the end of the executable section of the pci.sys driver’s image, which is originally filled with zeros as a means to align the section in memory. Before passing the callback pointer to CmRegisterCallback, such a section is sought within the pci.sys driver and the corresponding bytes within it are patched so as to invoke the call to the actual callback handling the above logic, as outlined below. This allows all intercepted registry operations to appear as if they are handled by code that originates in the legit pci.sys driver.

Code used to patch a section in the pci.sys image in memory in order to write it with a short shellcode stub that jumps into a registry inspection callback

It is worth mentioning that the Demodex rootkit supports Windows 10 by design, and indeed appears to work according to our tests on Windows 10 builds. This is evident in the driver’s code in multiple places where different flows of the code are taken based on the underlying operating system’s version. In such checks it is possible to observe that some flows correspond to the latest builds of Windows 10, as outlined in the code snippet below.

Obfuscation and anti-analysis methods

The authors of the malware components used in the GhostEmperor cluster of activity have made some development choices that have implications on the forensic analysis process. To demonstrate some of the hurdles that investigators face, we will limit the discussion to two common analysis tools – WinDbg and Volatility. Other tools may encounter similar drawbacks when dealing with the implants in question.

First, due to the way Demodex is loaded, its driver is not properly enlisted in WinDbg along with other system modules that are loaded in a documented way. That said, it is still possible to find the rootkit’s driver object by referring to its name (\driver\dump_audio_codec0), thus being able to list its associated device objects as well:

Driver object name listed in WinDBG

Similarly, when trying to list system modules with the Volatility3 windows.driverscan module, the Demodex driver is absent from the output. However, the framework does indicate that an anomaly is detected in the process of scanning the kernel’s memory space in search of the driver:

Anomaly while listing the Demodex driver with the windows.driverscan Volatility3 module

In addition, the malware authors have made a deliberate choice to remove all PE headers from memory-loaded images in both the third stage of the malware and the rootkit’s driver. This is done either by introducing the image with a zeroed-out header to begin with (as is the case in the third stage) and relying on a custom loader to prepare it for execution, or by overwriting the header of the image with the 0x00 value after it is loaded, as is the case with the rootkit’s driver. From a forensic perspective, this impedes the process of identifying PE images loaded to memory by searching for their headers.

As mentioned in previous sections, the developers implemented a trampoline within the pci.sys legitimate driver in order to mask the source of callbacks that are invoked for registry-related operations. Thus, analysts that try to track such callbacks may miss out on some because they will appear to be benign calls. As demonstrated in the WinDbg listing of the Cm* callbacks below, one of them is associated with the symbol pci!ArbLibraryDeinitialize+0xa4; however, if we look at the code at the same address we can see that it is in fact a small piece of shellcode emitted by the rootkit in order to jump to the actual malicious callback that hides the malware’s registry keys.

Listing of Cm* callbacks and shellcode found within a seemingly benign code invoked from the pci.sys driver
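One way to triage this during memory analysis, as an added example that is not part of the original report or Kaspersky's tooling: read the first bytes at each registered callback address and flag any that immediately jump to an absolute address outside the module that owns the callback. The module table, addresses and memory contents are constructed, and the three jump encodings are assumptions about common x64 trampolines, not the bytes Demodex emits.

```python
import struct
from typing import Callable, NamedTuple, Optional


class Module(NamedTuple):
    name: str
    base: int
    size: int


def owning_module(addr: int, modules: list) -> Optional[Module]:
    """Return the listed module whose image range contains addr, if any."""
    for m in modules:
        if m.base <= addr < m.base + m.size:
            return m
    return None


def absolute_jump_target(code: bytes) -> Optional[int]:
    """Decode the destination if code starts with an absolute-jump idiom."""
    # mov r64, imm64 ; jmp r64   (48 B8+r <imm64> FF E0+r, registers rax..rdi)
    if (len(code) >= 12 and code[0] == 0x48 and 0xB8 <= code[1] <= 0xBF
            and code[10] == 0xFF and code[11] == 0xE0 + (code[1] - 0xB8)):
        return struct.unpack_from("<Q", code, 2)[0]
    # jmp qword ptr [rip+0] ; followed by the 8-byte destination
    if len(code) >= 14 and code[:6] == b"\xff\x25\x00\x00\x00\x00":
        return struct.unpack_from("<Q", code, 6)[0]
    # push lo32 ; mov dword ptr [rsp+4], hi32 ; ret
    if (len(code) >= 14 and code[0] == 0x68
            and code[5:9] == b"\xc7\x44\x24\x04" and code[13] == 0xC3):
        lo, = struct.unpack_from("<I", code, 1)
        hi, = struct.unpack_from("<I", code, 9)
        return (hi << 32) | lo
    return None


def triage_callbacks(callbacks: list, modules: list,
                     read_bytes: Callable[[int, int], bytes]) -> list:
    """Flag callbacks that are unbacked or that bounce out of their module."""
    findings = []
    for addr in callbacks:
        owner = owning_module(addr, modules)
        if owner is None:
            findings.append({"callback": addr, "module": None, "target": None,
                             "reason": "callback outside every listed module"})
            continue
        target = absolute_jump_target(read_bytes(addr, 16))
        if target is None:
            continue  # ordinary code at the callback address
        dest = owning_module(target, modules)
        if dest == owner:
            continue  # jump stays inside the same image
        reason = ("trampoline to memory not backed by a listed module"
                  if dest is None else f"trampoline into {dest.name}")
        findings.append({"callback": addr, "module": owner.name,
                         "target": target, "reason": reason})
    return findings


# --- constructed sample data (not taken from a real memory image) ---
MODULES = [
    Module("ntoskrnl.exe", 0xFFFFF80010000000, 0xA00000),
    Module("pci.sys", 0xFFFFF80012340000, 0x70000),
]
UNLISTED_TARGET = 0xFFFFC00123456000  # driver absent from the module list
MEMORY = {
    # ordinary function prologue inside ntoskrnl.exe
    0xFFFFF80010123450: bytes.fromhex("48895c2408574883ec20488bda488bf9"),
    # mov rax, UNLISTED_TARGET ; jmp rax, placed inside pci.sys
    0xFFFFF8001235A0A4: b"\x48\xb8" + struct.pack("<Q", UNLISTED_TARGET)
                        + b"\xff\xe0" + b"\xcc" * 4,
}


def read_constructed(addr: int, size: int) -> bytes:
    return MEMORY.get(addr, b"")[:size]


def demo() -> list:
    return triage_callbacks(list(MEMORY), MODULES, read_constructed)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['callback']:#x} ({f['module']}): {f['reason']} -> {f['target']:#x}")
```

Against a real image, `read_bytes` would wrap the memory-analysis framework's address-space read, and the callback list would come from its callback enumeration.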

Apart from the above, the developers introduced more standard methods of obfuscation that typically slow the static analysis of the code and are evident across multiple malware components. An example of this is a pattern of string obfuscation whereby each string is decoded with a set of predefined arithmetic and logic operations, such that different operands (e.g., shift offsets) are chosen for each string. This suggests that each string is obfuscated during compilation and that the authors have established a form of SDK that aids in uniquely obfuscating each sample during build time.

String decoding logic used to obtain clear-text strings from hardcoded blobs through a set of arithmetic and logic operations

Similarly, it is possible to observe multiple instances of API call obfuscation in the code. This is done by replacing inline calls to API functions with other stub functions that build the requested API name as a stack string, resolve it using GetProcAddress and call it while passing the arguments provided in a special struct to the stub function. The struct has a bigger size than required to pass the argument data, and most of it is filled with junk, such that only particular fields have meaningful data that gets encoded before being passed to the stub. Those fields get decoded within the stub function and in turn passed to the API function.

Example of a stub used for API call obfuscation

It is worth noting that as in the case of string obfuscation, each stub is uniquely built and makes use of an argument struct of a different size where the fields that are occupied with actual argument data are chosen at random. The order in which the stack string is initialized is also random and each stub function is used only once as a replacement for a single inline API function call. In other words, the same API function used in different places in the code will have different stubs for each place with different argument structs. This reinforces the observation that the authors were using a designated obfuscation SDK in which the API call obfuscation is yet another feature.

Finally, it is possible to see that some variants appeared in both obfuscated and non-obfuscated form. For example, we managed to view the C++ version of the second stage loader in two forms – one form that has no obfuscation at all and another that is heavily obfuscated (MD5: 18BE25AB5592329858965BEDFCC105AF). In the figure below we can see the same function in the two variants: one has the original flow of the code as produced by a compiler without obfuscation, while the other has its control flow flattened to the point where it is impossible to track the order of actions.

Example of the same function used in two variants of the second stage loader; one is non-obfuscated and the other’s control flow was flattened

Post-exploitation toolset

Once the attackers gain access to the compromised systems through the aforementioned infection chain, they use a mix of legitimate and open-source offensive toolsets to harvest user credentials and pivot to other systems in the network. This includes common utilities from the Sysinternals suite used to control processes (e.g., PsExec, PsList and ProcDump), as well as other tools like WinRAR, CertUtil and BITSAdmin. As for open-source tools, the attackers used tools such as mimkat_ssp, Get-PassHashes.ps1, Token.exe and Ladon. Internal network reconnaissance and communication is often carried out by NBTscan and Powercat.

A more comprehensive outline of these tools along with the actual command lines used by the threat actor to operate them can be found in the supplementary technical document.

Network infrastructure

For C2 communication, the attackers registered domains whose names appear to have been randomly generated, potentially not to attract any attention to the malicious traffic. GhostEmperor mainly used hosting services based in Hong Kong and South Korea, such as Daou Technology or Anchent Asia Limited.


We also observed additional IP addresses used for downloading some of the malicious samples, or for C2 communication by the in-memory implant:


Who were the targets?

The majority of GhostEmperor’s victims were government entities and telecommunication companies in South East Asia, with multiple high-profile entities targeted in Malaysia, Thailand, Vietnam and Indonesia. We also observed additional victims of a similar nature from countries such as Egypt, Ethiopia and Afghanistan. Even though the latter cluster of victims belongs to a different region from the one in which we saw GhostEmperor to be highly active, we noticed that some of the organizations within it have strong ties with countries in South East Asia. This means that the attackers might have leveraged those infections to spy on the activities in countries that are of geopolitical interest to them.

Who is behind the attacks?

We attribute this activity to a formerly unknown Chinese-speaking threat actor. This is due to the fact that the attackers made use of open-source tools such as Ladon or Mimikat_ssp that are popular among such actors, with additional data points such as version info found within the resource section of second stage loader binaries that included a legal trademark field with a Chinese character: ‘Windows庐 is a registered trademark of Microsoft Corporation.’

Version info of loader binary with a Chinese character

On the same note, we observed that one of the decryption keys provided in a command line by the attackers and used to decode the first stage PowerShell scripts was ‘wudi520’. Looking it up in publicly available sources led us to a GitHub account under the same name. Although we cannot confirm this account is indeed connected to the GhostEmperor attackers, it has forked multiple code repositories with descriptions in Chinese or that are otherwise authored by Chinese-speaking developers.

“wudi520” GitHub account

In addition, we noticed some similarities between the features of Demodex and those of the Derusbi rootkit, which was publicly described in the past and also attributed to a Chinese-speaking actor. The purpose of both is to hide malicious artefacts, where notably both have an almost identical flow for hiding TCP connections by hooking the nsiproxy.sys IOCTL dispatcher. The implementation of this filtering in the Demodex sample we analyzed is nearly identical to one seen in an older Derusbi sample (MD5: 24E9870973CEA42E6FAF705B14208E52) to the point that both use the same device control code for this action and receive an IOCTL input of the same size. That said, it is worth noting that while Derusbi used a hardcoded range of 1025 to 1777 for the targeted ports to hide, Demodex allows for an arbitrary range that can be configured by the attackers through the user mode malware.

Comparison of a similar IOCTL in the Demodex and Derusbi rootkits
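Because this filtering alters only what the host reports about itself, a cross-view comparison can expose it. The following added example (not from the original report) diffs a host's own connection listing against flow records captured off-host and tests whether the missing connections fit a port-range filter such as Derusbi's 1025 to 1777. All connection records are constructed, and since the article does not state which end of the connection the filter keys on, that is a parameter here.

```python
from typing import NamedTuple, Optional


class Conn(NamedTuple):
    """One TCP connection, normalised to the monitored host's point of view."""
    local_port: int
    remote_ip: str
    remote_port: int


DERUSBI_RANGE = (1025, 1777)  # hardcoded range quoted in the article


def hidden_from_host(host_view: list, wire_view: list) -> list:
    """Connections present on the wire but absent from the host's listing."""
    return sorted(set(wire_view) - set(host_view))


def port_of(conn: Conn, side: str) -> int:
    return conn.local_port if side == "local" else conn.remote_port


def tightest_range(hidden: list, side: str = "local") -> Optional[tuple]:
    """Smallest port range covering every hidden connection (a hypothesis)."""
    ports = [port_of(c, side) for c in hidden]
    return (min(ports), max(ports)) if ports else None


def assess_range_filter(host_view: list, wire_view: list,
                        port_range: tuple, side: str = "local") -> dict:
    """Check whether a port-range filter explains the host/wire discrepancy."""
    lo, hi = port_range
    hidden = hidden_from_host(host_view, wire_view)
    # Hidden connections the range does not account for.
    unexplained = [c for c in hidden if not lo <= port_of(c, side) <= hi]
    # Connections inside the range that the host still reports.
    leaked = [c for c in host_view if lo <= port_of(c, side) <= hi]
    return {
        "hidden": hidden,
        "unexplained": unexplained,
        "leaked": leaked,
        "consistent": bool(hidden) and not unexplained and not leaked,
    }


# --- constructed sample data (documentation address ranges) ---
HOST_VIEW = [
    Conn(49712, "198.51.100.20", 443),
    Conn(50233, "198.51.100.53", 53),
    Conn(3389, "192.0.2.15", 51544),
]
WIRE_VIEW = HOST_VIEW + [
    Conn(1200, "203.0.113.10", 443),
    Conn(1533, "203.0.113.10", 443),
]

if __name__ == "__main__":
    result = assess_range_filter(HOST_VIEW, WIRE_VIEW, DERUSBI_RANGE)
    print("hidden:", result["hidden"])
    print("fits 1025-1777 on local port:", result["consistent"])
    print("tightest range:", tightest_range(result["hidden"]))
```

Since Demodex's range is configurable, `tightest_range` gives a starting hypothesis when the fixed Derusbi range does not fit.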

It is worth noting that in one of the victim systems we observed two instances of malicious samples being dropped via a web shell. One led to the initiation of an infection chain consisting of the first stage PowerShell dropper and second stage .NET service DLL, and another was a drop of two binaries[5] of the Netbot malware, formerly seen being used[6] by the Lucky Mouse group. Though we cannot attest to the fact that the very same web shell was used to drop both files, the proximity of the events, which occurred in the course of two days, may suggest that the underlying actor indeed deployed both samples and that it has a possible connection to the Lucky Mouse group, whether through shared development resources or reused tools.


GhostEmperor is an example of an advanced threat actor that goes after prominent targets and aims to maintain a long standing and persistent operation within their environments. We observed that the underlying actor managed to remain under the radar for months, all the while demonstrating a finesse when it came to developing the malicious toolkit, a profound understanding of an investigator’s mindset and the ability to counter forensic analysis in various ways.

Additionally, while rootkits are generally considered a deprecated method of attack, this case and other recent ones show that with a creative approach they can still be leveraged to gain a considerable level of stealth. As we have seen, the attackers conducted the required level of research to make the Demodex rootkit fully functional on Windows 10, allowing it to load through documented features of a third-party signed and benign driver. This suggests that rootkits still need to be taken into account as a TTP during investigations and that advanced threat actors, such as the one behind GhostEmperor, are willing to continue making use of them in future campaigns.

Indicators of compromise

Stage 1 – PowerShell Dropper

012862165EC105A44FEA14FACE53492F – u_ex200822.ps1

Stage 2 – Service DLL

6A44FDD66AB841C33949620666CA847A – RAudioUniConfig.dll

1BC301AA9B861F762CE5F376228E992A – svchosts.exe

Stage 4

0BBFBA106FBB9E310330DC87C32CB6D1 – Payload DLL
6685323C61D8EDB4A6E35796AF34D626 – Remote Desktop Control DLL


BE38D173E4E9118BDC2E83FD5F90BE3B – kekeo.exe
F078AC9B012C503D35254AF9629D3B67 – debugall.vbs



File paths


PDB paths


Service name and DLL path

MsMp4Hw – C:\Windows\System32\msmp4dec.dll
Msdecode – C:\ProgramData\Microsoft\Network\Connections\msdecode.dll
AuthSvc – C:\Windows\System32\AuthSvc.dll

Registry keys for encrypted buffer


Domains and IPs



1 This approach is well documented and demonstrated in the DSEFix public repository: https://github.com/hfiref0x/DSEFix

2 The source code of the driver can be found on GitHub.

3 They are outlined in the IOPLDispatcher.c source code within the Cheat Engines repository.

4 A technique similar to the one observed in the Demodex rootkit is outlined in this code: https://github.com/bowlofstew/rootkit.com/blob/master/cardmagic/PortHidDemo_Vista.c

5 Those binaries had the MD5s: 145FF08E736693D522F8A09C8D3405D6, 7A162C26D56B0C55E6CD81CD953F510B

6 https://securelist.com/ksb-2019-review-of-the-year/95394/, detailed analysis of the Netbot malware as part of Lucky Mouse campaigns is available to customers of our APT reporting service.

Samsung Introduces New High-End Ultrasound System ‘V8’

Source: Samsung

Samsung Medison, a global medical equipment company and an affiliate of Samsung Electronics, today introduced the V8, a new high-end ultrasound system that provides enhanced image quality, usability and convenience for all medical professionals.
“It’s very meaningful to launch the V8, a new high-end medical device that addresses many customer needs,” said Won-Chul Bang, Vice President, Head of Customer Experience Team, Samsung Medison. “We expect V8 to become a flagship product of high-end ultrasound systems as it is uniquely designed to cover different medical specialties.”
V8’s “V” stands for “Versatile,” meaning that the advanced functions from premium ultrasound systems dedicated to specific departments such as obstetrics, radiology, orthopedics and cardiology have been implemented.
Several diagnostic assistance functions of a premium ultrasound system for obstetrics and gynecology include MV-Flow which is suitable for observing the presence of microvascular blood flow, low-velocity blood flow and LumiFlow which provides three-dimensional visualization of blood flow in a two-dimensional image, allowing the medical staff a more realistic assessment of the vascular structures and flow.
For radiology, V8 is equipped with S-Shearwave Imaging which provides information about tissue stiffness as a result of disease using ultrasonic transverse elasticity. V8 also features S-Fusion which allows synchronous alignment of medical images of ultrasound with one or more cross-sectional studies such as MRI which are instantly reconstructed in the corresponding plane.
V8 is also expected to be equipped with NerveTrack, which has been cleared by the U.S. Food and Drug Administration (FDA) as an AI medical device. It tracks nerve locations in pain areas in real time and can be used to treat musculoskeletal diseases.
In addition, by introducing a 23.8″ LED monitor and a 14″ high-sensitivity touch panel, user convenience has been enhanced to perform various procedures.

The screen that automatically tracks the nerve’s location on the wrist in real time with the NerveTrack function is executed.

About Samsung Medison
Samsung Medison is a global leading medical device company, specializing in diagnostic imaging devices. With a mission to bring health and well-being of people’s lives, the company is committed to create a new future for medical professionals and patients around the world across various medical fields. In 2011, Samsung Medison became an affiliate company of Samsung Electronics, integrating world’s best IT, image processing, semiconductor and communication technologies into medical devices.

[Interview] The Design Behind the Story – How the Bespoke AirDresser Came to Satisfy a Broad Range of Global Consumers

Source: Samsung

With people spending an increased amount of time at home these days, it stands to reason that they would be looking to decorate the insides of their homes differently and more expressively. In particular, this has led to many going with an interior aesthetic that revolves around bright colors.
In May, Samsung Electronics introduced the Bespoke Home, which expanded the idea of Bespoke from the flagship Bespoke refrigerators to other appliances in the kitchen, then to appliances throughout the home.
The Bespoke AirDresser, the latest addition to the Bespoke lineup, has brought Bespoke design and smart features to Samsung’s innovative clothing care device. The product offers six different panel options in various finishes, spanning from Crystal Mirror to Cotta Charcoal, to allow users the freedom to find just the right fit for their home aesthetic.

Samsung Newsroom met with AirDresser product designers Jinsook Park and Jaejin Lee, and UX designers Haeyoon Park and Seungwoo Choi, to hear about how they designed an AirDresser with a Bespoke touch.
Accounting for the Preferences of Users Around the World
It’s not easy coming up with a design that will suit the tastes of such a broad range of users. The designers of the Bespoke AirDresser, in particular, had to put great thought into designing a final product that would captivate users from different cultures with varying values and living conditions.
The designers thus surveyed users, asking questions like where they would install the Bespoke AirDresser, how each member of their household would use it and what types of garments they would maintain with it. The insights gained from the surveys were then used to design the AirDresser’s clothing care experience. Samsung was also able to analyze clothing management experiences across different countries and generations from a total of 6,000 global users.
“People from different countries have different methods for taking care of their clothes. The global usage data for the first model laid the groundwork for the Bespoke AirDresser’s main features,” said Haeyoon Park. “We conducted interim assessments on not just the aesthetics, but also the convenience of the control panel and whether the option names and different clothing care cycles made sense to everyone.”

The designers also took accessibility into account to ensure they were creating a product that would be easy for anyone to use. “We did an ergonomic analysis and determined where the control panel should be, based on users’ average height and the viewing angle,” said Seungwoo Choi. “We also incorporated braille into the control panel for visually impaired users, and added different default audio tones for each option and process step in order to assist hearing-impaired consumers.”
Balancing Usability and Aesthetics
But for a solution to truly represent the best in home appliances, its beauty must be complemented by convenience. “We had to balance aesthetics and functionality while designing the Bespoke AirDresser’s range of accessories, such as the hangers that are made to maintain the form and fit of garments,” related designer Jinsook Park. “When outstanding usability is guaranteed, the beauty that the designers have established is accentuated all the more.”
It is also important to establish the right UX design. For instance, something as minor as the text being the wrong color or the sequence of information being slightly off can make the product difficult to use. “We’ve been working with GUI (Graphical User Interface) and UI (User Interface) designers since the planning stage to ensure that the product delivers information logically and consistently,” said Seungwoo Choi. “While working on the design, we conducted usability tests and strived to maintain a balance between usability and aesthetic appeal by studying whether design elements are affected by personal tastes, whether they affect usage patterns, and so on.”
Allowing the AirDresser to Become a Part of Day-to-Day Life

With its meticulous and detailed design, the Bespoke AirDresser is sure to be a fit with users’ interior spaces. The product’s door is designed to take up less space, while its replaceable front panel creates a feeling of spaciousness.
The panel is available in six different colors[1] and materials that include crystal mirror, glam and cotta. “If you need a mirror or are going for a gorgeous interior aesthetic, then go for the glam glass,” recommended designer Jaejin Lee. “If you would like to establish calm tones in your home, I recommend cotta.”
And the Bespoke AirDresser’s interface is a great complement to users’ day-to-day lives as well. The interface provides recommended cycles and automatic settings for each user so that they don’t have to worry about which cycle option to choose. For instance, if the user usually wears shirts on weekdays and outdoor clothing during the weekends, then the Bespoke AirDresser will display the shirt cycle first on weekdays and the outdoor clothing cycle first on weekends. “The Bespoke AirDresser recommends cycles using information like season, and also provides AI features to allow the users’ garments to be dried in the Bespoke AirDresser once they are done being washed,” said Haeyoon Park. “The more the Bespoke AirDresser is used, the more personalized and capable of fitting the user’s unique lifestyle it becomes.”
Making Home Appliances Fun
Even after the product has been launched, the designers are still working to make the Bespoke AirDresser captivating to everyone. “Home appliances provide convenience, but they can also come with stress because they are related to doing chores,” said Haeyoon Park. “We are continuing to analyze whether users experience any inconvenience in our quest to establish a product that makes consumers’ lives more convenient while also making using home appliances enjoyable.”

“Design trends are changing all the time, so I study trends in fields like fashion and furniture in order to better reflect users’ tastes,” said Jinsook Park. “I focus especially on furniture design, because it is a great reference for structure and design elements. I’d like to utilize this knowledge to come up with a design that provides convenience and meets users’ needs.”
These designers have strived to deliver both convenience and aesthetic beauty in the Bespoke AirDresser by delving deep into the lifestyles of consumers and analyzing their usage. Going forward, they will continue going to great lengths to provide users with the best possible experiences.
1 Color and material options may differ by country.

Samsung Electronics Launches Its First-Ever MENA Newsroom

Source: Samsung

Samsung Electronics today announced the launch of Samsung Newsroom Middle East and North Africa (MENA), which will serve as the official news source of Samsung Electronics for MENA media and consumers. This launch comes in line with the company’s mandate to cater to customers and keep them informed about Samsung’s latest updates and announcements in Arabic in order to resonate more with audiences in nine MENA countries.[1]
The first Samsung Newsroom in the MENA region will feature a wide range of content, from press releases and features of Samsung’s products to high-quality images and videos as well as announcements on product launches and company initiatives. The newsroom will incorporate customized Arabic content for the broader audience in the MENA region, feature Samsung MENA spokespeople and highlight regional topics, initiatives and activities.
The newly launched newsroom is the 33rd Samsung Electronics Newsroom to launch around the world. For more information about Samsung’s activities in the MENA, visit https://news.samsung.com/mena.

1 Algeria, Egypt, Iraq, Jordan, Kuwait, Morocco, Saudi Arabia, Tunisia and UAE

Samsung Moves Ahead in Mobile SoC Technologies With Its Comprehensive 5G VoNR Solution

Source: Samsung

Samsung Electronics announced that it has developed its comprehensive VoNR (Voice over New Radio) solution for 5G voice call service, available for global mobile device manufacturers and network providers. With the comprehensive solution for VoNR, Samsung offers more streamlined SoC development and 5G VoNR service deployment.
VoNR technology supports both voice call and data service using the 5G network while the current 5G network approach switches into 4G network when making voice calls. Without the need for switching between networks, VoNR provides a higher chance of maintaining connection in voice call as well as faster call connection times. Users can also enjoy true 5G speeds when playing high-performance games or streaming high-quality videos even while staying on a call.
Samsung’s VoNR solution includes key technologies such as an IP Multimedia Subsystem (IMS), Quality of Service (QoS), and handover.

The Exynos Chip, which applied the comprehensive VoNR solution

IMS is the key technology for VoNR that enables all multimedia services – such as audio, video, and extensive data services – within a single IP (internet protocol) network. Samsung’s 5G NR (New Radio) communication protocol stack for the IMS used in 4G voice calls (VoLTE) is designed for stable compatibility with VoNR services as well. The protocol stack is an aggregation of software layers that implement the communication protocols needed for different devices to communicate data with each other.
Samsung has also developed the QoS that provides stable support for 5G VoNR and the technology that assists uninterrupted handover between nearby network base stations. QoS analyzes the flow of data using the network and determines the priority of services in real-time. Additionally, Samsung’s protocol stack places the highest priority on voice calls anytime, anywhere, thereby enhancing the quality of VoNR.
“With a surge in the number of 5G smartphone users, there is a higher demand for various 5G technologies and services,” said Jonghan Kim, Vice President of System LSI Business at Samsung Electronics. “We will continue to deliver next-generation mobile communication technologies, including VoNR service support, that will bring users together, faster.”
Samsung’s prolific journey in 5G includes the launch of the Exynos Modem 5100 in 2018, which was the industry’s first multi-mode chip that is fully compliant with the 5G telecommunication standard (5G NR Release-15). The momentum continued in January this year, with the launch of the Exynos 2100, Samsung’s first premium mobile SoC with an integrated 5G modem.
Being a part of the industry’s first commercial VoNR deployment in Singapore back in July and building on that momentum, Samsung is currently providing its 5G VoNR-integrated solution to global mobile device manufacturers while conducting focused localization and automation tests for VoNR deployment with global network companies.

Unlock a New Experience: Galaxy Users Can Now Use Secure Digital Key With the Genesis GV60

Source: Samsung

Samsung Electronics today announced that Galaxy users will be able to use their smartphone[1] as a digital car key for the first time with the newly launched luxury EV, Genesis GV60.[2] With Samsung Digital Key, powered by NFC and ultra-wideband (UWB) technology, you will be able to lock and unlock your car securely with your smartphone, and even safely share the key with friends and family.[3]
At its Galaxy S21 Unpacked event earlier this year, Samsung announced a series of partnerships with automakers. The Genesis GV60 will become the first vehicle to showcase the innovative new technology when it launches in September, starting in Korea.
Samsung’s digital key is powered by advanced UWB technology, a short-range, wireless communication protocol that uses radio waves to operate, much like Bluetooth and Wi-Fi. However, UWB transmits radio waves at a much higher frequency, enabling highly accurate spatial awareness and directional capabilities that allow mobile devices to understand their surroundings better.
UWB enables passive entry, so you can say goodbye to digging through your pockets and bags in search of your keys. You’ll be able to lock and unlock your car, start the engine, open the trunk and even activate personalized settings like adjusting your seat and mirror position before you enter the car — all through your smartphone and without pushing a button. If you’re lending your car to a friend or family member for a short period, you can easily share the digital key and even set a time limit on how long the shared key will be available to them.[4]
The solution uses Samsung’s embedded Secure Element (eSE), designed to protect your most sensitive information and encryption keys, so you never have to worry about your keys falling into the wrong hands. The precision of UWB technology also prevents potential relay attacks, where the radio signal is jammed or intercepted. Samsung’s digital key is fully compliant with the digital key standard as defined by the Car Connectivity Consortium (CCC), in which Samsung has been one of the driving members.
“We are proud to partner with Genesis as part of our mission to create exciting new mobile experiences that can make people’s everyday lives easier,” said TM Roh, President and Head of Mobile Communications Business at Samsung Electronics. “As we continue to drive advancements in mobile technology like UWB, our priority is now to bring these new experiences to as many people as possible, in collaboration with our trusted ecosystem partners.”
“GV60 will set the bar for luxurious electric vehicle representing the electrification of the Genesis brand,” said Albert Biermann, President and head of R&D division at Hyundai Motor Group. “The partnership with Samsung Electronics will strengthen our efforts to provide truly differentiated experiences for our customers to interact with Genesis vehicles.”
Samsung’s digital key will be available in NFC and UWB with the Genesis GV60 initially in Korea by the end of this year. The UWB digital key is compatible with Galaxy S21+ and Ultra, Note20 Ultra and Z Fold2 and 3. For more information, please visit www.samsung.com/levant/apps/samsung-pass/ or www.genesis.com/worldwide/en/models/luxury-suv-genesis/gv60/highlights.html.
About Genesis
Genesis is a global luxury automotive brand that delivers the highest standards of performance, design, safety and innovation while looking towards a more sustainable future. Genesis designs customer experiences that go beyond products, embodying audacious, progressive and distinctly Korean characteristics within its unique “Athletic Elegance” design identity. With a growing range of luxury models — including the G90, G80, G70, GV60, GV70, and GV80 — Genesis aims to lead the age of electrification by focusing on a dual electrification strategy involving fuel-cell and battery EVs, starting with its G80 and GV60 electric models. Genesis has stated its commitment to becoming a 100% zero emission vehicle brand by 2030 and to pursuing carbon neutrality by 2035. Since its initial launch in Korea, Genesis has emerged in key global markets including North America, Europe, China, Australia, Russia, and the Middle East, establishing a strong relationship with customers around the world. For more information, please visit the official website at https://www.genesis.com.
1 Eligible Galaxy smartphone with Android OS R and above
2 Digital key feature will be available within this year.
3 Digital key is shared via Samsung Pass app. Those who do not have Samsung Pass app on the device should install Samsung Pass app prior to use. Key sharing is only available in eligible Galaxy smartphones with Android R and above. UWB is only available in Galaxy S21+ and Ultra, Note20 Ultra and Z Fold2 and 3.
4 Digital key is shared via Samsung Pass app. Those who do not have Samsung Pass app on the device should install Samsung Pass app prior to use. Key sharing is only available in eligible Galaxy smartphones with Android R and above. UWB is only available in Galaxy S21+ and Ultra, Note20 Ultra and Z Fold2 and 3.

When Red Meets Purple: Samsonite Red Launches “BTS x Samsonite Red” Collection

Source: Media Outreach

Collection features 11 products that reflect the retro pop mood of BTS’s “Dynamite” Concept

HONG KONG SAR – Media OutReach – 30 September 2021 – Samsonite RED, the global contemporary business casual bag brand launches ‘BTS X Samsonite Red’ collection, combining the musical theme of BTS’ song ‘Dynamite’ and the ‘From Red to Purple’ campaign together.

Inspired by their hit song ‘Dynamite’, this collection features a total of 11 products including suitcases, backpacks, crossbody bags and travel accessories, reflecting the retro pop music theme showcased from the song and music video. ‘Dynamite’, BTS’ first No.1 song on Billboard ‘Hot 100’ songs chart, received worldwide attention by delivering a message of hope to global fans in the pandemic with energetic rhythm and lively performance. The song also made it on the list of the ‘500 Greatest Songs of All Time’ by prestigious U.S. magazine Rolling Stone.

As purple has become the symbolic color of BTS, the BTS X Samsonite Red collection also features the similar Sheer Violet as its key theme color. The luggage, launched in 18-inch and 22-inch sizes, comes with a silver plate on the front and is engraved with both the ‘Dynamite’ logo and silhouettes of the seven members dancing. Each suitcase comes equipped with graphic-inspired luggage stickers featuring lyrics of ‘Dynamite’ such as ‘Tonight’, ‘Ping Pong’, and ‘Stars’, allowing fans to customize the cover of the luggage. The interior features a pastel-toned sky-blue color that echoes the ‘Dynamite’ artwork.

The collection also features a mini carry-on bag that can either be hand-carried or attached to the carry handle of luggage, and a mini case that can be hooked onto a bag or luggage. The mini carry-on bag comes with a strap embroidered with ‘Dynamite’ logo and can be transformed into a crossbody bag. The spacious storage makes it an ideal companion for occasions such as short-haul trips and camping!

Available in limited quantities only in Korea, the more special backpacks and crossbody bags are embroidered with ‘Dynamite’-inspired artwork. The backpack has a dedicated laptop compartment that fits a 15.6-inch laptop, and a smart sleeve that fits onto the luggage trolley handle, making it more convenient. Various travel accessories such as card holders, pouches, name tags, passport covers and neck pillows that draw on the ‘Dynamite’ concept are also launched to suit the individual tastes and needs of consumers. In addition, the entire interior lining of the product (except neck pillow and name tag) is equipped with antimicrobial technology by Microban®.

Paul Melkebeke, President, Asia Pacific & Middle East, Samsonite, said, “The red of Samsonite Red and the purple of BTS are the first and last colors of the rainbow. This ‘BTS X Samsonite Red’ collection consists of a wide range of products too, aiming to satisfy the tastes of Generation Z, which is diverse like a rainbow. In the ‘From Red to Purple’ campaign video, the light beam shows both red and purple along with disco pop background music. It represents the beautiful encounter between Samsonite Red and BTS.”

The ‘BTS X Samsonite Red’ collection will debut in Korea on Sep 30, 2021, with a special pop-up store at Hyundai Department Store’s Sinchon branch until the end of October. In addition to the pop-up store, the collection can be purchased at the official online mall and Hyundai H-Mall on the same day and can also be purchased at the Samsonite Red stores from October 8 (Fri).

The collection will be launching officially in November in Hong Kong, Macau, Indonesia, Malaysia, Singapore, Philippines, Taiwan, Thailand, Vietnam and Cambodia.

– Published and distributed with permission of Media-Outreach.com.

Cyber risks and the integrity of digital finance

Source: European Central Bank

Introductory remarks by Fabio Panetta, Member of the Executive Board of the ECB, at the sixth meeting of the Euro Cyber Resilience Board for pan-European Financial Infrastructures (ECRB)

Frankfurt am Main, 30 September 2021

The pandemic is fundamentally changing how we work, how we conduct business, and even how we live and interact with one another. It is influencing how we pay for goods and services, accelerating the trend towards cashless and contactless payments.[1]

Throughout the pandemic, financial market infrastructures and their related ecosystem have supported the economy’s resilience and adapted to new needs. They have accompanied the digital transformation. This process will continue after the pandemic.

Central banks are playing an active role in this change. The ECB is promoting and offering instant payments, investigating the possibility of launching a digital euro, and supporting the G20’s work on making cross-border payments faster, cheaper, more transparent and more inclusive while maintaining their safety and security.

But digitalisation also brings with it risks to the payment system, to monetary sovereignty and to the financial system as a whole. In response to these developments, the ECB is adapting its oversight framework.[2] And the European Commission, in turn, has launched regulatory initiatives on crypto-assets and digital operational resilience.[3]

But there will be no integrity of digital finance and payments without protection against cyber risk. Today I will discuss how cyber risks are evolving and the key role of the Euro Cyber Resilience Board (ECRB) in addressing them.

A more complex cyber threat landscape

The increasing use of digital services and the widespread reliance on technology, together with the growing use and interconnectedness of third-party products and services, are increasing financial market infrastructures’ vulnerability to cyberattacks. Financial experts single out cyberattacks as the number one risk for the global financial system.

The cyber threat landscape is complex (Figure 1) and steadily evolving. For instance, attackers took advantage of the pandemic to lure victims with coronavirus-themed phishing emails and to exploit weaknesses associated with remote working.

Figure 1

Cyber threat landscape for financial market infrastructures in Europe

Note: Threats (right-hand column) are ordered by degree of assessed severity (most severe threats at the top).

Cyber criminals have also been innovative in finding lucrative ways of stealing money from their targets. Ransomware attacks are usually combined with requests for ransom payments in the form of crypto-assets. Attackers are increasingly exploiting vulnerabilities in the supply chain and third-party providers with a view to compromising or stealing data, disrupting services or demanding ransom payments.

Cyberattacks are becoming more sophisticated and more frequent, and their potential impact has been constantly growing. Supply chain threats to IT service providers and vendors are a source of particular concern. Attackers target these service providers and IT vendors to reach other institutions which use their services or software. Supply chain attacks are often used to compromise a large number of institutions and then demand a ransom from them.

If the institutions affected only detect or learn about such attacks with a delay, the consequences can be immense. We therefore need to monitor all the software and hardware in our IT environments – no matter how small – and not focus solely on our most critical third-party providers. And we need to exchange critical information and tackle this threat.

The contribution of the Euro Cyber Resilience Board

We need to remain vigilant to the evolving threat landscape and continuously maintain the highest level of resilience. This focus cannot be compromised: although the monetary cost of improving cyber resilience may seem high, the costs of successful attacks – in terms of both financial damage and reputational impact – are far higher.

We need to further intensify our efforts. The ECRB provides a unique forum for public-private dialogue and common initiatives. This is first and foremost in the interest of ECRB members, but also in the broader interest of the European financial sector, households and businesses. As I have emphasised before, the resilience of the sector relies on the resilience of all of its components. We must help each other in identifying weak links so that we can strengthen the financial system as a whole.

In our last meeting, I spoke about the success and timeliness of the Cyber Intelligence and Information Sharing Initiative (CIISI-EU). I am pleased that it is fully operational, which has allowed us to make significant progress in terms of sharing information during the pandemic.

CIISI-EU has become a powerful tool for sharing threat intelligence, information and best practices. It acts as an early warning system for threats and ongoing cyberattacks within the community, raising awareness of the cyber risk landscape. We should strive to build on this pooling of information.

I am also glad that the CIISI-EU model has been adopted in Ireland, where it will be used to share cyber information between the Central Bank of Ireland and critical domestic financial entities. We may see other countries adopt the model in a similar way in the future. Looking ahead, I see value in identifying other CIISI-like initiatives and forming partnerships to share threat and intelligence information.


Despite the progress towards addressing cyber risk, we need to remain proactive in tackling cyber threats. We will need to remain fully committed to protecting cyber resilience in view of the increasing threat level.

The ECRB is a critical forum to achieve this goal. It allows us to share information, address common cyber threats and risks, strengthen crisis management and coordination, and support recovery capabilities. It will evolve as we identify new work priorities. But its foundation will remain the same: trust and collaboration against a common threat.