Turkorat-poisoned packages sat in the npm development library for months, researchers say.

Two code packages named "nodejs-encrypt-agent" in the popular npm JavaScript library and registry recently were discovered containing the open source information-stealing TurkoRat malware.

Researchers from ReversingLabs, who discovered the malware-ridden packages, say the attackers behind them attempted to have the packages impersonate another legitimate package — agent-base version 6.0.2 — which has been downloaded over 20 million times.

Their findings underscore an emerging trend of threat actors taking advantage of how npm has for years failed to account for certain types of typosquatting, potentially leading enterprises to inadvertently download malware, which Checkmarx recently flagged in a report.

ReversingLabs' researchers said the discovery of the latest malicious packages, including irregularities in the package version numbers, were a red flag: in this case, a "strangely high version number" (6.0.2) that was used to try and bait developers into downloading what appeared to be the latest release of the package.

"The malicious actors were clearly hoping one of those millions of developers would be fooled into downloading the malicious package instead of the benign one," ReversingLabs said in its report.

The TurkoRat package — which has been removed from the npm library — utilized the npm package "pkg" to bundle files into a single executable, with the files stored in a virtual file system accessible during runtime.

The nodejs-encrypt-agent was discovered to closely resemble the agent-base module it was based on, except for the inclusion of a malicious portable executable (PE) file, which executed right after the package was run, using hidden malicious commands in the index.js file.

The malicious behaviors included writing to and deleting from Windows system directories, executing commands, and tampering with DNS settings.

**How You Can Spot Malicious npm Packages**

Lucija Valentić, software threat researcher with ReversingLabs, explains there are many ways to identify malicious packages.

"Since package repositories contain source code, one of the simplest ways is to inspect it manually," she says. "Packages can also be installed and executed in an isolated environment and inspected for unusual behavior."

Any kind of out-of-place content or behavior which isn't advertised or expected for a particular package (e.g., network requests in non-network-related packages), should be double-checked and verified.

"Always check if you need an external dependency to implement a particular functionality — if it's something simple, it might be better to handle it yourself than to introduce unverified code in your project," Valentić adds. "If you really need to use a library, check its name and reputation, and review the code to make sure you're including the correct library."

**Software Supply Chain Threat**

Meantime, the malicious nodejs-encrypt-agent was downloaded approximately 500 times in two months, and nodejs-cookie-proxy-agent had fewer than 700 downloads.

"Still, the malicious packages were almost certainly responsible for the malicious TurkoRat being run on an unknown number of developer machines," the report cautioned. "The longer-term impact of that compromise is difficult to measure."

The escalation of automated cyberattacks against npm, NuGet, and PyPI underscores the growing sophistication of threat actors and the threats to open source software supply chains. The use of automated processes to create the packages and user accounts is making it hard for security teams to identify and take down the packages.

In March, more than a dozen components in the .NET code repository were discovered impersonating other legitimate software, such as Coinbase and Microsoft ASP.NET, and running a malicious script upon installation, with no warning or alert.

Back in July 2022, analysts with ReversingLabs uncovered a widespread campaign that used more than 24 malicious npm packages loaded with JavaScript obfuscators to steal form data from multiple sites and apps.

Tech giants including Google are taking steps to shore up security in the open source software supply chain through deps.dev API, which helps developers with information about the packages they are thinking of using, and Assured OSS, which lets organizations incorporate the same open source packages Google secures and uses into their own developer workflows.

Once Again, Malware Discovered Hidden in npm

Elevated attack rate expected to remain during 2023 as cybercrime becomes more sophisticated and widespread.

**ATLANTA****,** **May 17, 2023** **/PRNewswire/ --** LexisNexis® Risk Solutions today released the results of its annual Cybercrime Report, an analysis of data from 79.8 billion transactions processed through its LexisNexis® Digital Identity Network® throughout 2022. The report, _Trust and Collaboration as Foundations to Fight Fraud_, shows that the global digital attack rate increased 20% year over year (YOY) compared to 2021, continuing the trend of digital fraud rising as economies re-open following the pandemic.

The LexisNexis® Identity Abuse Index, which records the percentage of attacks per day, shows attack rates fell in the fourth quarter of 2022 although the picture varies by region, with sizeable spikes in APAC, LATAM and North America at the end of the year. 

Despite the effects of economic uncertainty, inflation and the war in Ukraine, digital transactions in 2022 went up by 24% YOY primarily driven by increasing transactions in financial services (29%) and ecommerce (17%).

Organizations are looking to establish consistent digital identity insights across all digital channels and end-customer touch points to mitigate rising fraud levels. They are striving to increase the level of trust with their customers, as well as identifying risk more easily. The report showed that the percentage of transactions classified as trusted in the Digital Identity Network® platform increased by 9% YOY, allowing organizations to provide a smoother customer journey.

"Businesses remain vulnerable to transactional fraud during this time of accelerated digitalization," said Stephen Topliss, vice president of fraud and identity strategy for LexisNexis Risk Solutions. "Despite heightened regulatory scrutiny, technological innovations and higher public awareness, there are persistent challenges in preventing fraud. This trend is likely to endure as consumers continue adopting digital channels. As fraud levels and its sophistication increase, relying on multi-factor authentication alone as a defense is inadequate in today's digital world. Organizations, industries and countries must collaborate and identify the interconnected signals of complex fraud attacks because criminal networks working in a structured way are here to stay. Addressing the latest scams requires targeted machine learning models that can consume the latest digital intelligence insights, behavioral biometrics signals and mule account indicators."

**Key findings from** _The LexisNexis Risk Solutions Cybercrime Report, January to_ December 2022**:**

*   **Mobile Channels Increasingly Popular** **–** Mobile transactions have reached a record high of 77% of all observed transactions in the Digital Identity Network, with the mobile app channel making up 82% of all mobile interactions.
*   **Attack Rate Continues to Rise** **–** The global attack rate continues to increase, driven by an uptick in the financial services and ecommerce industries at 31% and 29% respectively. The report shows that criminals continue to target the communications, mobile and media industries more than any other sector. However, a noticeable decline of 27% YOY in the overall attack rate suggests criminals are changing focus. 
*   **Vulnerabilities in Payments –** Across all desktop and mobile channels, attack rates on digital payments increased 27% YOY. Alternative payment methods, such as digital wallets, QR code payments and peer-to-peer transfers, continue to gain popularity, particularly in APAC. The shift has contributed to the 32% YOY growth in payment transactions in that region, yet criminals are also fast at exploiting vulnerabilities. The report shows a 50% YOY increase in APAC's payment attack rate.
*   **Lucrative Avenue for Cybercrime –** Automated bot attacks in the ecommerce space have grown 195% globally. Almost half of these attacks focused on the U.S., where ecommerce focused bot attacks increased by 127% YOY. Bot attacks increased 112% in the U.S. gaming and gambling industry, while the sector grows due to legalization in more states.

Download a copy of _Trust and Collaboration as Foundations to Fight Fraud: The_

**Methodology**

The LexisNexis Risk Solutions Cybercrime Report is based on cybercrime attacks detected by the Digital Identity Network platform. It processed 92 billion transactions in 2022, including common attack types such as new account creation, account login and payment fraud. It analyzes transactions for legitimacy based on device identification, geolocation, history and behavioral analytics in near real-time, providing insight into global digital identities. Customers benefit from global risk views and custom-tuned policies. The report covers "high-risk" transactions scored by global customers. Digital Identity Network does not include transaction data from all countries in the world.

**About LexisNexis Risk Solutions**

LexisNexis® Risk Solutions includes seven brands that span multiple industries and sectors. We harness the power of data, sophisticated analytics platforms and technology solutions to provide insights that help businesses and governmental entities reduce risk and improve decisions to benefit people around the globe. Headquartered in metro Atlanta, Georgia, we have offices throughout the world and are part of RELX (LSE: REL/NYSE: RELX), a global provider of information-based analytics and decision tools for professional and business customers. For more information, please visit www.risk.lexisnexis.com and www.relx.com.

LexisNexis Risk Solutions Cybercrime Report Reveals 20% Annual Increase in Global Digital Attack Rate

New retainer provides expert support starting in the first 72 hours of the incident response process to contain the attack and improve preparedness for the future.

**Helsinki, Finland – May 17, 2023:** The first 72 hours of an attack are a crucial window for incident response teams. To support organizations in preparing a swift, efficient response to incidents while minimizing their impact on operations, WithSecure™ (formerly known as F-Secure Business) is offering a new range of incident readiness and response packages.  

Incident response is more challenging than ever. Cloud services complicate IT security, skills are scarce, and responsibilities are shared with cloud service providers.   

Based on his experience, Cyber Security Advisor Paul Brucciani says that in spite of cyber attacks’ ubiquity, many mid-market organizations find themselves unprepared for incidents when they occur.

“Today, only about one in five organizations have an incident response plan–typically enterprises with well-developed cyber security. Mid-market companies don’t have these resources and if there is any service fit to be outsourced, it is incident response. Our new offering brings industry-leading incident response services to the mid-market to make it more resilient to cyber-attacks, covering both traditional on-premise and cloud IT,” he said.  

WithSecure™ has a strong record of providing incident response services to organizations large and small throughout the globe. It has over 30 years of experience in helping organizations prepare for, respond to, and recover from data breaches. Its incident response capability is assured by government agencies in Germany and the UK.

The new range of incident response offerings include three different but related services:  

*   Incident Readiness
*   Incident Response Retainer
*   Emergency Incident Response Support  
    

"The first 72 hours of an attack are vital for limiting the damage. Not just to mitigate direct damages, but it’s also important for GDPR compliance, as organizations are required to report certain incidents within that time frame. Without an effective response during that window, organizations will struggle to understand the scope of the damages and what steps to take next,” added Brucciani.    

More information on WithSecure's range of incident response services is available at

**About WithSecure™**

WithSecure™, formerly F-Secure Business, is cyber security's reliable partner. IT service providers, MSSPs and businesses – along with the largest financial institutions, manufacturers, and thousands of the world's most advanced communications and technology providers – trust us for outcome-based cyber security that protects and enables their operations. Our AI-driven protection secures endpoints and cloud collaboration, and our intelligent detection and response are powered by experts who identify business risks by proactively hunting for threats and confronting live attacks. Our consultants partner with enterprises and tech challengers to build resilience through evidence-based security advice. With more than 30 years of experience in building technology that meets business objectives, we've built our portfolio to grow with our partners through flexible commercial models.  

WithSecure™ Corporation was founded in 1988, and is listed on NASDAQ OMX Helsinki Ltd.

WithSecure Launches New Range of Incident Response and Readiness Services

As ChatGPT adoption grows, the industry needs to proceed with caution. Here's why.

With ChatGPT making headlines everywhere, it feels like the world has entered a _Black Mirror_ episode. While some argue artificial intelligence will be the ultimate solution to our biggest cybersecurity issues, others say it will introduce a whole slew of new challenges.

I'm on the side of the latter. While I recognize that ChatGPT is an amazing piece of technology, it is also an enabler for hackers, commoditizing nation-state capabilities for the benefit of the "script kiddies" — aka unsophisticated hackers. In addition to writing text, the technology opens up a scary scenario where a computer can be guided to look for information within images that humans can't immediately pick up but machines are sensitive enough to see. Examples would be reflections of passwords on glass, or people who appear in photos that would not appear in them without the help of AI.

As ChatGPT adoption grows, I believe the industry needs to proceed with caution, and here's why. There are three types of capabilities hackers can use ChatGPT for: mass phishing, reverse engineering, and smart malware. Let's take a look at each one of these in detail.

**Mass Phishing**

Because ChatGPT is so powerful, it can reduce the amount of time it takes to create handcrafted, personalized emails to a list of people from a few days to just minutes. And with just the click of a button, ChatGPT can answer very specific questions and use its knowledge to impersonate both security and non-security personnel experts. Because ChatGPT can also translate text into any style of writing or proofread at a very high level, once a list of employees and their details are attained, it's easy to mass create emails where a hacker is pretending to be someone else to increase the chances of a successful attack.

Phishing is an essential part of hacking organizations, whether it be to gain access to the servers of an organization or to attempt to convince people to transfer money. To combat this, business leaders must educate employees on the security implications of ChatGPT and how to spot potential attacks. I think employees should be especially critical of text and never assume something is coming from an authentic source. Instead of just blindly trusting anyone, employees should put their trust in other mechanisms, like paying close attention to whether an email/code came from the company server or whether it includes the proper signature. My biggest advice is for employees to use other means of verification besides the style of the text itself.

**Reverse Engineering**

ChatGPT is amazing at understanding code, or even machine code. By providing either binary code or obfuscated code of a system, ChatGPT can explain how the code works and what it does in a way that makes it easy for hackers to manipulate the piece of software and enable them to gain access to the company's servers.

Reverse engineering used to be a very rare and highly lucrative skill; historically, only nation-states could incorporate it into their operations. This is now something that can be done by the most basic hackers.

**Smart Malware**

ChatGPT can function as a mini-brain for malware, making it completely autonomous. Nowadays, sophisticated malware allows the hacker to tunnel through a company's servers to observe the hacked network and servers, and send commands on how to extract information. This operation usually involves a hacker connecting to malware he or she has managed to install somewhere within the hacked company's network or servers.

With ChatGPT, the malware can make decisions autonomously so it understands where the interesting data is, where passwords might be stored locally, and even how to connect to the data sources and extract the data automatically. ChatGPT can sift through much more data than a human — in some cases, even do it better — making the risk of a malware using ChatGPT much more dangerous than would be the case with simple malware that allows hackers to connect and operate it. Since it is completely autonomous — there's no longer a need for a hacker to control the malware and manually direct it to the right place — it is not only more dangerous, but it could be more common. This means more companies are at risk for being sporadically attacked, instead of being specifically targeted.

We've already seen Samsung fall victim to one of the first cyberattacks using ChatGPT, and it surely won't be the last to do so. This serves as a good reminder that companies across all industries must stay vigilant, training their employees to understand the cybersecurity risks of ChatGPT — not only when they are using it themselves, but when somebody else may be using it against them. Over time, I expect (and encourage) investment priorities to change so that privacy and security teams can ensure their organizations are not vulnerable to the negative ramifications of ChatGPT.

3 Ways Hackers Use ChatGPT to Cause Security Headaches

AI-powered cyber defense service protects against phishing attacks for businesses on unlimited handset plans.

**SAN FRANCISCO****,** **May 17, 2023** **/PRNewswire/ --** ActZero®, a leading cybersecurity provider for small and mid-sized enterprises, announced it is teaming with UScellular, making it the first and only wireless carrier to offer the ActZero Managed Detection and Response (MDR) service. Together the two organizations make it easier for businesses to secure mobile devices from ransomware and phishing attacks. UScellular Business Ultimate and Business Premium unlimited handset plans now include ActZero MDR for Mobile.

"UScellular and ActZero share a common goal: to bring better performance and better security to businesses at a fair price," said Sameer Bhalotra, chief executive officer for ActZero. "With ActZero's on-device cyberdefense technology plus 24x7 security operations staff, UScellular business customers can stop mobile threats quickly, before they spread into the corporate network."

With 24/7 threat coverage, ActZero stops breaches on mobile devices and networks, with a 90% block rate and response time of 15 minutes for critical alerts. Customers can easily deploy ActZero MDR for Mobile within minutes to their employees' iOS, Android, or Chrome mobile phones, tablets, and laptops. On-device protection and real-time notifications eliminate delays if a mobile device is compromised. ActZero's patent-pending AI means better cyberdefense and fewer false alarms.

"ActZero delivers a powerful and affordable cybersecurity service businesses need to prioritize threat and vulnerability management," said Kim Kerr, senior vice president, enterprise sales and operations for UScellular. "Our customers often don't have the IT resources to ensure they are protecting their network and devices from malware, phishing, and ransomware attacks. The unique artificial intelligence and machine learning from ActZero intelligently pinpoints threats so less time is spent filtering noise and more time is focused on the action that should be taken, when it's truly important."

**About ActZero**

ActZero is a Gartner-recognized provider of Managed Detection and Response (MDR) services that delivers a powerful and affordable cybersecurity service to protect small and mid-sized enterprises against ransomware attacks. By continuously testing defenses against the latest attack techniques and variants, ActZero ensures AI detections and human threat hunters quickly stop threats. The company brings deep roots and expertise in cybersecurity to deliver measurable ransomware defense, reducing false alerts and responding quickly on a customer's behalf. Combined with exceptional service, ActZero empowers businesses with confidence that the company and customers are protected. For more information, please visit actzero.com.

**About UScellular Business** 

UScellular is the fourth-largest full-service wireless carrier in the United States, providing national network coverage and industry-leading innovations designed to elevate the customer experience. The Chicago\-based carrier provides a strong, reliable network supported by the latest technology and plays a critical role in helping businesses of all sizes navigate the wireless ecosystem, delivering advanced technology, increased network security and reliability. To learn more about UScellular's business solutions, visit one of its retail stores or uscellular.com/business.

ActZero Teams Up With UScellular to Secure Mobile Devices From Ransomware Attacks

Launched in partnership with Immunefi, bounty to promote Web3 security.

**VANCOUVER, BC****,** **May 17, 2023** **/PRNewswire/ --** LayerZero Labs, the team that launched the leading cross-chain messaging protocol LayerZero, today announced that it has launched a $15 million bug bounty in partnership with Immunefi, the leading bug bounty and security services platform for Web3, protecting over $60 billion in user funds.

The bug bounty will be the largest in the history of the software industry and shows LayerZero's undying commitment to security as well as the developers and users in the LayerZero ecosystem. LayerZero Labs is offering a maximum reward of $15M for each new vulnerability found by participants who uncover vulnerabilities at the highest severity level. With this incentive, LayerZero Labs is setting a new bar for bug bounties across all areas of the software industry.

"With the launch of the largest bug bounty in the world we hope that LayerZero's commitment to Web3 security and the individuals who make the community stronger is clear," commented Bryan Pellegrino, CEO of LayerZero Labs. "We care deeply about building the safest, most used messaging protocol in the world."

"We're thrilled to partner with LayerZero to launch the world's biggest bounty and help ensure the safety of its ecosystem," said Mitchell Amador, Founder and CEO at Immunefi. "We've paved the way to reach the highest security standards in the industry and worked to provide projects with the necessary structure and access to the strongest security talent. LayerZero's bounty is a testament to what we should continue moving towards, and that's an undeniable commitment to security."

Immunefi has facilitated the most significant bug bounties in the software industry, with over $75 million in rewards paid out. It is the largest and most widely adopted bug bounty platform in Web3, where a massive community of leading security talent review projects' blockchain and smart contract code, find and responsibly disclose vulnerabilities, and get paid for making the ecosystem safer.

The terms and conditions of the bug bounty, including eligibility criteria, can be found here: https://immunefi.com/bounty/layerzero/. Vulnerabilities must meet the criteria determined by LayerZero Labs at its sole discretion.

**About Immunefi**

Immunefi is the leading bug bounty and security services platform for Web3, which features the world's largest bounties. Immunefi guards over $60 billion in user funds across projects like Synthetix, Chainlink, SushiSwap, Polygon, Bancor, MakerDAO, TheGraph, Optimism, and others. The company has paid out the most significant bug bounties in the software industry, amounting to over $75 million, and has pioneered the scaling Web3 bug bounties standard.

For more information, please visit https://immunefi.com

**About LayerZero Labs**

LayerZero Labs is the team that launched the leading blockchain messaging protocol LayerZero. LayerZero's advanced messaging infrastructure seamlessly connects over 30 blockchains and facilitates transparent and secure cross-chain messaging from one easy-to-use interface. Since going live in March 2022, the LayerZero protocol has processed more than 10 million messages with thousands of mainnet contracts being deployed by thousands of developer teams. Backed by leading venture capital firms including a16z, Sequoia, Binance Labs, Christie's, Lightspeed, Opensea, Bond, Samsung Next, and GBV, LayerZero was recently valued at $3 billion. Developers building on LayerZero can create interoperable, omnichain dApps, which will lead to the establishment of a unified digital asset ecosystem.

For additional information on LayerZero, visit: https://layerzero.network/

LayerZero Labs Launches $15M Bug Bounty; Largest in the World

SECOM CO., LTD, a $15B enterprise and one of the largest security integration companies in the world, invests in the two global cloud physical security leaders, accelerating the use of AI and improving safety and security.

**AUSTIN, Texas, BETHESDA, Maryland — May 17, 2023** — Eagle Eye Networks, the global leader in cloud video surveillance and Brivo, the global leader of cloud-based access control and smart space technologies, today announced one of the largest investments to date in cloud physical security. SECOM CO., LTD, one of the largest security integration companies in the world, according to Forbes Global 2000, has made a primary equity investment of $192 million in the two companies, $100M in Eagle Eye Networks and $92M in Brivo.

Eagle Eye Networks and Brivo are independent companies majority owned by Dean Drako. Drako founded Eagle Eye Networks in 2012 and serves as CEO; he acquired a majority stake in Brivo in 2015 and is chairman. 

“The SECOM investment underscores that cloud and AI are the future of physical security,” said Drako. “Both Eagle Eye and Brivo will use a significant portion of the investment to further develop AI that dramatically improves the security of enterprises and businesses globally. The Eagle Eye and Brivo open platforms provide customers with choice, efficiencies, and innovation, all of which this investment will accelerate.” 

As independent, open platform companies, Eagle Eye Networks and Brivo integrate with many third-party technology providers, including the leading property management and Proptech platforms. In addition, Eagle Eye and Brivo provide a fully integrated solution that global businesses use to manage risk, identify threats, and respond.The companies’ joint capabilities deliver real-time AI-enabled video and access control events analysis, optimizing safety and security.

Eagle Eye Networks will use the investment for continued development of its AI-based analytics capabilities such as Eagle Eye Smart Video Search, Smart Alarms, and Vehicle Intelligence, and to expand its worldwide operations. 

Brivo will use the investment to grow sales and marketing, accelerate product development and scale support and operational functions, and evaluate strategic acquisitions. Brivo will also use the additional investment to continue expanding in Europe, Latin America, and Asia Pacific, and enhance the smart spaces and AI functionality in the Brivo Access Platform for its enterprise, multifamily, and commercial real estate customers. 

“SECOM has a proud history of innovation going back to Japan's first online security system for commercial use in 1966,” said Sadahiro Sato, SECOM Managing Executive Officer. “We’re committed to delivering services and systems that deliver safety, peace of mind and business efficiency. Our investment in Eagle Eye Networks and Brivo, the market leaders in cloud physical security, is an investment in the mission our three companies share: to provide the best technology possible to keep businesses and communities safe.”

**About Eagle Eye Networks**

Eagle Eye Networks is the global leader in cloud video surveillance, delivering cyber-secure, cloud-based video with artificial intelligence (AI) and analytics to make businesses more efficient and the world a safer place. Businesses of all sizes utilize the Eagle Eye Cloud VMS (video management system) to centralize their video surveillance and obtain better security and operations. Purpose built for the cloud and AI, the Eagle Eye Cloud VMS addresses customers’ security and operational needs with unlimited scalability, simple usage-based subscription pricing, advanced analytics, integrated AI, and an open RESTful API platform delivering flexibility. Eagle Eye sells through a global network of resellers and integrators. Founded in 2012, Eagle Eye is headquartered in Austin, Texas, with offices in Amsterdam, Bangalore, and Tokyo. Learn more at www.een.com. 

**About Brivo** 

Brivo, Inc., created the cloud-based access control and smart spaces technology category over 20 years ago and remains the global leader serving commercial real estate, multifamily residential, and large distributed enterprises. The company’s comprehensive product ecosystem and open API provide businesses with powerful digital tools to increase security automation, elevate employee and tenant experience, and improve the safety of all people and assets in the built environment. Brivo’s building access platform is now the digital foundation for the largest collection of customer facilities in the world, protecting over 450 million square feet across 60 countries. Learn more at www.Brivo.com. 

**About SECOM**

SECOM CO., LTD., a pioneer in Japan’s security services industry, was established in 1962. Since then, the Company has sought to create innovative services that benefit society as a whole, in line with its mission of helping achieve a society free from concerns. Today, SECOM, comprising the parent company and the companies of the SECOM Group, strives to create services and systems that deliver safety and peace of mind, as well as make life more comfortable and convenient, whenever and wherever necessary, for anyone and everyone, and in so doing to realize its Social System Industry vision, which describes a framework of distinctive, integrated services and systems. The Company’s extensive business portfolio currently encompasses security services, fire protection services, medical services, insurance services, geospatial information services, business process outsourcing and information and communications technology (BPO and ICT) services, and other services.

Eagle Eye Networks and Brivo Announce $192M Investment — One of the Largest Ever in Cloud Physical Security

Lemon Group's Guerrilla malware model an example of how threat actors are monetizing compromised Android devices, researchers say.

Millions of Android phone users around the world are contributing daily to the financial wellbeing of an outfit called the Lemon Group, merely by virtue of owning the devices.

Unbeknownst to those users, the operators of the Lemon Group have pre-infected their devices before they even bought them. Now, they're quietly using their phones as tools for stealing and selling SMS messages and one-time passwords (OTPs), serving up unwanted ads, setting up online messaging and social media accounts, and other purposes.

Lemon Group itself has claimed it has a base of nearly 9 million Guerrilla-infected Android devices that its customers can abuse in different ways. But Trend Micro believes the actual number may be even higher.

**Building a Business on Infected Devices**

Lemon Group is among several cybercriminal groups that have built profitable business models around pre-infected Android devices in recent years.

Researchers from Trend Micro first began unraveling the operation when doing forensic analysis on the ROM image of an Android device infected with malware dubbed "Guerrilla." Their investigation showed the group has infected devices belonging to Android users in 180 countries. More than 55% of the victims are in Asia, some 17% are in North America and nearly 10% in Africa. Trend Micro was able to identify more than 50 brands of — mostly inexpensive — mobile devices.

In a presentation at the just concluded Black Hat Asia 2023, and in a blog post this week, Trend Micro researchers Fyodor Yarochkin, Zhengyu Dong, and Paul Pajares shared their insights on the threat that outfits like Lemon Group pose to Android users. They described it as a continuously growing problem that has begun touching not just Android phone users but owners of Android Smart TVs, TV boxes, Android-based entertainment systems, and even Android-based children's watches.

"Following our timeline estimates, the threat actor has spread this malware over the last five years," the researchers said. "A compromise on any significant critical infrastructure with this infection can likely yield a significant profit for Lemon Group in the long run at the expense of legitimate users."

**An Old but Evolving Malware Infection Issue**

The issue of Android phones being shipped with malware pre-installed on them is certainly not new. Numerous security vendors — including Trend Micro, Kaspersky, and Google — have reported over the years on bad actors introducing potentially harmful applications at the firmware layer on Android devices.

In many instances, the tampering has happened when an Android OEM, looking to add additional features to a standard Android system image, outsourced the task to a third-party. In some instances, bad actors have also managed to sneak in potentially harmful applications and malware via firmware over-the-air (FOTA) updates. A few years ago, most of the malware found preinstalled on Android devices were information stealers and ad servers.

Typically, such tampering has involved inexpensive devices from mostly unknown and smaller brands. But on occasion, devices belonging to bigger vendors and OEMs have been impacted as well. Back in 2017 for instance, Check Point reported finding as many as 37 Android device models from a large multi-national telecommunication company, pre-installed with such malware. The threat actor behind the caper added six of the malware samples to the device ROM so the user couldn't remove them without re-flashing the devices.

**Pre-Installed Malware Gets More Dangerous**

In recent years, some of the malware found pre-installed on Android devices have become much more dangerous. The best example is Triada, a Trojan that modified the core Zygote process in the Android OSa. It also actively substituted system files and operated mostly in the system's RAM, making it very hard to detect. Threat actors behind the malware used it to, among other things, intercept incoming and outgoing SMS messages for transaction verification codes, display unwanted ads and manipulate search results.

Trend Micro's research in the Guerrilla malware campaign showed overlaps — in the command-and-control infrastructure and communications for instance — between Lemon Group's operations and that of Triada. For instance, Trend Micro found the Lemon Group implant tampering with the Zygote process and essentially becoming a part of every app on a compromised device. Also, the malware consists of a main plugin that loads multiple other plugins, each with a very specific purpose. Those include one designed to intercept SMS messages and read OTPs from platforms such as WhatsApp, Facebook, and a shopping app called JingDong.

**Plugins for Different Malicious Activities**

One plugin is a crucial component of a SMS phone verified account (SMS PVA) service that Lemon Group operates for its customers. SMS PVA services basically provides users with temporary or disposable phone numbers they can use for phone number verification when registering for an online service, for instance, and for receiving two-factor authentication and one-time passwords for authenticating to them later. While some use such services for privacy reasons, threat actors like Lemon Group use them to enable customers to bulk register spam accounts, create fake social media accounts, and other malicious activities.

Another Guerrilla plugin allows Lemon Group to essentially rent out an infected phone's resources from short periods to customers; a cookie plugin hooks to Facebook-related apps on the user's devices for ad-fraud related uses; and a WhatsApp plugin hijacks a user's WhatsApp sessions to send unwanted messages. Another plugin enables silent installation of apps that would require installation permission for specific activities.

"We identified some of these businesses used for different monetization techniques, such as heavy loading of advertisements using the silent plugins pushed to infected phones, smart TV ads, and Google play apps with hidden advertisements," according to Trend Micro's analysis. "We believe that the threat actor's operations can also be a case of stealing information from the infected device to be used for big data collection before selling it to other threat actors as another post-infection monetization scheme."

Lemon Group Uses Millions of Pre-Infected Android Phones to Enable Cybercrime Enterprise

Organizations can focus on these key considerations to develop their cybersecurity testing programs sustainably.

The importance for organizations to understand who their adversaries are and how they operate against their enterprise environments cannot be understated. An organization's approach to cybersecurity testing and resilience improvements in the face of an increasingly volatile threat landscape must be underpinned around this perspective.

The core elements of a well-designed cybersecurity testing program should help the organization identify and remediate vulnerabilities, continuously challenge detection and response capabilities, refine threat intelligence-gathering priorities, and enhance overall incident preparedness through continuous stress-testing of response plans. IBM's "Cost of a Data Breach 2022" report shows that organizations that regularly test their incident response plans save $2.66 million (circa £2 million), which is the cost of an average breach.

Although there is no one-size-fits-all solution, here are five key considerations that organizations can focus on while developing an overarching strategy to build and maintain a cybersecurity testing program.

**1\. Collaborate Across Teams**

Collaboration is where the organization's strength lies, so security teams should focus on building out internal relationships with different groups. Security teams should remember that the human component is critical and define a clear process to effectively allow representatives from the security operations center (SOC), risk/compliance, vulnerability management (VM), cyber threat intelligence (CTI), and security testing functions to drive collaboration.

Where possible, encourage these teams to have in-person discussions. This will create an opportunity for cross-team rapport at a personal level and develop a sense of camaraderie that will go a long way in achieving a common goal.

Creating a governance framework that defines clear responsibilities and promotes transparent communications between these teams to share findings quickly will allow for better decision-making, faster incident response, and a well-rounded appreciation of the organization's cyber capabilities.

Collaboration allows for an enhanced appreciation of each other's techniques and methods, as well as the exchange of knowledge and expertise to improve threat detection and mitigation strategies.

**2\. Follow an Intelligence-Led and Risk-Based Approach to Scope Definition**

A process to continuously curate threat intelligence should enable organizations to build and maintain a comprehensive, up-to-date library of baseline attack scenarios. First, determine which threat actor groups are likely motivated to target the organization. Overlaying this with established baseline scenarios will help define a comprehensive list of tactics, techniques, and procedures (TTPs).

Organizations often have several assets in their environments, which makes identifying risk points and assessing where and how much money should be spent on vulnerability identification and remediation difficult. It may not be realistic from a timing perspective to assess the full list of identified TTPs against all of the assets in scope.

A more risk-based approach is to carve out a plausible subset of TTP sequences and creatively mix-and-match infrastructure and software details, without being bound to an extensive checklist. This creates targeted sub-scenarios for the attack simulation team to initially focus on.

This approach will help CISOs more granularly measure the strength of practical mitigations that exist and identify high-priority areas across critical business services, while optimally using existing resources.

**3\. Perform Continuous Stress-Testing of Cyber-Defense Controls**

Leverage the scenarios and prioritized list of TTPs defined to constantly exercise the organization's technical and business response. The scenarios subset should increase in complexity as the incident response program matures. Where the security team failed previously, these scenarios must be repeated so the organization can improve the process in the event of a real attack.

It is important to select "low-and-slow" tactics that the SOC can detect and the VM team can remediate — but don't make things too easy. Carefully selecting TTPs that are harder for the SOC to defend against encourages this team to constantly sharpen their technique, as well as push the organization to update response strategies.

The choice between complexity, stealth, and speed will be driven by the organization's risk profile and threat priorities that have contributed to shaping the specific scenario for testing.

**4\. Set Metrics for Shared Understanding and Improvement Tracking**

Success criteria need to be defined and tracked to demonstrate overall risk reduction to organizational assets. Metrics such as reduced detection and/or response times, a decrease in successful attacks, and so on are useful to effectively articulate improvements to the board.

It is useful to compare results of previous and subsequent penetration tests, red-team exercises, and/or targeted attack simulations, focusing on the number of high-risk vulnerabilities identified and exploited, as well as the overall success rate for the testers.

Being able to analyze changes in the threat landscape and demonstrate an increased ability to mitigate current and evolving threats will help CISOs demonstrate improved risk reduction.

**5\. Establish Feedback Channels to Drive Process Improvements**

Break down test observations against executed TTPs along with actionable mitigations identified along the attack chain. Test results will also provide an improved understanding of which vulnerabilities are most likely to be exploited and can help refine risk prioritization in the VM process.

Sharing these results in real time to the CTI team allows them to monitor for potential threats that may exploit vulnerabilities, improves theoretical understanding of documented threats, and provides insight into previously unknown vulnerabilities, as well as helps prioritize areas for further research and analysis.

A centralized dashboard to aggregate test outputs in real time from the field, which can provide the relevant SOC team stakeholders with gaps identified in security monitoring tools and alerting systems, is extremely useful.

Providing a training range to practice and validate incident response plans, and to identify areas where response times must be improved, is useful to improve overall incident preparedness.

**The End Goal**

The World Economic Forum's "Global Cybersecurity Outlook 2023" report states that 43% of business leaders believe that their organizations are likely to be hit by a major attack within the next two years. An all-encompassing change to cybersecurity testing, through increased collaboration and improved risk management processes, enhances resilience to cyberattacks.

5 Ways Security Testing Can Aid Incident Response

CISA urges small and midsized organizations as well as critical infrastructure to implement mitigations immediately to shield themselves from further data exfiltration attacks.

In an advisory this week, the US Cybersecurity and Infrastructure Security Agency (CISA) alongside the Federal Bureau of Investigation (FBI) and the Australian Cyber Security Centre (ACSC) are warning organizations of attacks made by the ransomware developer and data extortion group known as BianLian. 

BianLian has been active since 2022. In the past, the ransomware gang has focused on using a double-extortion model where they encrypt victims' systems and steal data, threatening to release the acquired data if the payment is not received. In January though, BianLian shifted its attack methods to focus primarily on exfiltration-based extortion rather than leading with encryption, the alert warned.

The group uses stolen remote desktop protocol (RDP) credentials to access victims' networks, as well as open-source tools and command-line scripting to move around the network. Then it exfiltrates data through File Transfer Protocol (FTP), Rclone, or Mega. After this is completed, the group goes on to extort its victims.

Cybersecurity service provider \[redacted\] released research on the group in March detailing its high-level operational security and skill penetration, and its continued growth while operating as a ransomware organization. It's these tactics, techniques, and procedures (TTPs) that have allowed the gang to target critical infrastructure organizations in the US and Australia as well as professional services and property development organizations.

"More often than not, extortion via data leak is the modus operandi of choice," says Tom Kellerman, senior vice president of cyberstrategy at Contrast Security, in response to the advisory. "The shift is due to the successful collaboration between law enforcement and the cyber community to not only decrypt the ransomware but to disrupt the infrastructure that sustains it."

CISA urges organizations to implement the mitigations it has provided in the advisory, such as auditing remote access tools, reviewing logs for execution of remote access software, and enabling enhanced PowerShell logging, in light of these attacks.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading