Surveillance malware targets Libyan government entities, with possible links to a 2019 Egypt attack campaign.

A wave of advanced persistent threat (APT) attacks aimed at Libyans has been detected, using malware that conducts surveillance functions.

Spotted by Check Point Research, the Stealth Soldier malware primarily conducts surveillance functions such as file exfiltration, screen and microphone recording, keystroke logging, and stealing browser information. This malware also adds an undocumented, custom modular backdoor, with the researchers claiming the most recent version was likely to have been delivered in February.

Check Point researchers said the oldest version was compiled last October, and believe the command-and-control (C2) network is part of a larger set of infrastructure, used for spear-phishing campaigns against government entities.

There are indications that the malware C2 servers are related to a larger set of domains, the company noted, and these servers are likely used for phishing campaigns. Some of the domains also masquerade as sites belonging to the Libyan Foreign Affairs Ministry.

Sergey Shykevich, threat intelligence group manager at Check Point, says the delivery mechanism of the downloader is currently unknown, but phishing messages were the most likely tactic being used. Looking at the infrastructure, he says that the researchers “saw emphasis on targeting the Libyan government.”

**Links to the Past?**

The Stealth Soldier infrastructure has some overlaps with infrastructure used in the "Eye on the Nile" campaign, which operated against Egyptian targets in 2019. Researchers believe this is the first possible reappearance of this threat actor since then. Shykevich confirms there has been no detection of attacks on Egyptian users using the Stealth Soldier malware.

However, version 8 of the C2 in the Stealth Solder malware was also resolved by multiple Eye on the Nile domains, according to Check Point researchers, while several infrastructure overlaps with known Eye on the Nile domains were also spotted.

Asked if he believes that the Eye on the Nile and Stealth Soldier malware types are being used by the same attackers or if it's just the same potentially rented C2s and malware used, Shykevich says the evidence only "gives us medium confidence of the link between the current campaign to Eye on the Nile: Based just on the overlaps we saw, it is difficult to claim with 100% confidence that it is the same group, but there is a good chance it is."

The researchers acknowledged that Libya is not often the focus of APT reports, but the investigation suggests that the attackers behind this campaign are politically motivated and are utilizing the Stealth Soldier malware and the significant network of phishing domains to conduct surveillance and espionage operations against Libyan targets.

"Given the modularity of the malware and the use of multiple stages of infection, it is likely that the attackers will continue to evolve their tactics and techniques and deploy new versions of this malware in the near future," the researchers said in the advisory.

'Stealth Soldier' Attacks Target Libyan Government Entities With Surveillance Malware

According to Microsoft and researchers, the state-sponsored threat actor could very well be setting up a contingency plan for disruptive attacks on the US in the wake of an armed conflict in the South China Sea.

China-sponsored threat actors have managed to establish persistent access within telecom networks and other critical infrastructure targets in the US, with the observed purpose of espionage — and, potentially, the ability down the line to disrupt communications in the event of military conflict in the South China Sea and broader Pacific.

That's according to a breaking investigation from Microsoft, which dubs the advanced persistent threat (APT) "Volt Typhoon." It's a known state-sponsored group that has been observed carrying out cyber espionage activity in the past, by researchers at Microsoft, Mandiant, and elsewhere.

While espionage appears to be the goal for now, there could very well be a more sinister purpose at play. "Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises," according to the analysis.

The first signs of compromise emerged in telecom networks in Guam, according to a New York Times report ahead of the findings being released. The National Security Agency discovered those intrusions around the same time that the Chinese spy balloon was making headlines for entering US airspace, according to the report. It then enlisted Microsoft to further investigate, eventually uncovering a widespread web of compromises across multiple sectors, with a particular focus on air, communications, maritime, and land transportation targets.

**A Shadow Goal? Laying Groundwork for Disruption**

The discovery of the activity is playing out against the backdrop of the US' frosty relations with Beijing; the two superpowers have stalled in their diplomacy since the shooting down of the balloon, and has worsened amidst fears that Russia's invasion of Ukraine could spur China to do the same in Taiwan.

In the event of a military crisis, a destructive cyberattack on US critical infrastructure could disrupt communications and hamper the country's ability to come to Taiwan's aid, the Times report pointed out. Or, according to John Hultquist, chief analyst at Mandiant Intelligence - Google Cloud, a disruptive attack could be used as a proxy for kinetic action.

"These operations are aggressive and potentially dangerous, but they don't necessarily indicate attacks are looming," he said in an emailed statement. "A far more reliable indicator for \[a\] destructive and disruptive cyberattack is a deteriorating geopolitical situation. A destructive and disruptive cyberattack is not just a wartime scenario either. This capability may be used by states looking for alternatives to armed conflict."

Dubbing such preparations "contingency intrusions," he added that China is certainly not alone in conducting them — although notably, China-backed APTs are typically far more focused on cyber espionage than destruction.

"Over the last decade, Russia has targeted a variety of critical infrastructure sectors in operations that we do not believe were designed for immediate effect," Hultquist noted. "Chinese cyber threat actors are unique among their peers in that they have not regularly resorted to destructive and disruptive cyberattacks. As a result, their capability is quite opaque."

**An Observed Focus on Stealth & Spying**

To achieve initial access, Volt Typhoon compromises Internet-facing Fortinet FortiGuard devices, a popular target for cyberattackers of all stripes (Microsoft is still examining how they're being breached in this case). Once inside the box, the APT uses the device's privileges to extract credentials from Active Directory account and authenticate to other devices on the network.

Once in, the state-sponsored actor uses the command line and living-off-the-land binaries "to find information on the system, discover additional devices on the network, and exfiltrate data," according to the analysis.

To cover its tracks, Volt Typhoon proxies its network traffic through compromised small office/home office (SOHO) routers and other edge devices from ASUS, Cisco, D-Link, NETGEAR, and Zyxel — that allows it to blend into normal network activity, Microsoft researchers noted.

The post also provides mitigation advice and indicators of compromise, and the NSA has published a tandem advisory on Volt Typhoon (PDF) with details on how to hunt for the threat.

'Volt Typhoon' China-Backed APT Infiltrates US Critical Infrastructure Orgs

The new software-led solution enables organizations to defend against cybersecurity threats in their operational technology (OT) environments.

**ATLANTA, May 23, 2023 –** Honeywell (**Nasdaq: HON**) today announced the release of its operational technology (OT) cybersecurity solution, Honeywell Forge Cybersecurity+| Cyber Insights, to assist customers in improving the availability, reliability and safety of their industrial control systems and operations.

Cyber Insights is designed to integrate information from multiple OT data sources in order to provide a customer with actionable insights into their facility’s cybersecurity vulnerabilities and threats, allowing the customer to manage their compliance strategy, thereby helping reduce their overall cybersecurity risks.

Companies with OT systems face challenges in obtaining the necessary information to reduce the likelihood and impact of cyberattacks and to stay compliant with standards and regulations that may be applicable to them. These challenges are compounded by the shortage of available cybersecurity skills in operational technology, with a cyber security workforce gap of more than 3.4 million people.\[1\]Despite attempts to implement various solutions, success is difficult to achieve due to the complexity of the tools, the overwhelming volume of security data generated, and the lack of solutions specifically designed for OT.

“Organizations should leverage technology to address worker shortages, while at the same time gaining clear visibility into their OT facilities’ cybersecurity posture to help them make faster decisions and reduce cyber risk,” said Michael Ruiz, vice president and general manager, Honeywell OT Cybersecurity Innovation. “Cyber Insights is a tool designed to provide customers with detection and insights so that cybersecurity leaders can better understand and monitor their then current security profile, while also being able to detect and mitigate the latest threats.”

Cyber Insights brings a tailored approach by providing a purpose-built cybersecurity solution for OT environments and users. It is designed to offer a site-level view of a facility’s cybersecurity posture and provide insights into security events, vulnerabilities, active threats and to manage compliance. Cyber Insights is designed to help organizations strengthen their cyber resilience and to respond faster to incidents through access to critical information at the right time.

Cyber Insights is pre-configured for OT use, with already available customization options designed to address certain needs specific to different industrial environments, while being vendor agnostic so that it can be deployed on Honeywell control systems as well as many other systems. It is also deployed, supported and maintained by Honeywell Cyber Care services during the applicable subscription license term, to help customers maintain continuous tuning and optimization as required for any system to run in peak form.

“Honeywell has successfully positioned itself as a ‘one-stop shop’ system integrator and solution provider across different spectrums of operational technology (OT) cybersecurity for over 20 years,” said Avimanyu Basu, senior lead analyst at ISG. “Being vendor-agnostic, Honeywell is well-equipped to work on almost any device and provide the necessary services for assessment and remediation.”

To learn more about Honeywell OT Cybersecurity solutions, visit us at www.becybersecure.com.

**About Honeywell**

Honeywell (www.honeywell.com) delivers industry-specific solutions that include aerospace products and services; control technologies for buildings and industry; and performance materials globally. Our technologies help aircraft, buildings, manufacturing plants, supply chains, and workers become more connected to make our world smarter, safer, and more sustainable.

Honeywell Forge is intelligent operations software that connects assets, people, and processes, enabling operational performance, sustainability, and quality improvement.

For more news and information on Honeywell, please visit www.honeywell.com/newsroom.

_This document may contain statements including future product direction and does not create any binding obligations on us to develop or sell any product, service or offering. Any descriptions of future product direction, intended updates or new or improved features or functions are intended for informational purposes only and are not binding commitments on us and the sale, development, release, locations of availability, or timing of any such products, updates, features or functions is at our sole discretion._

Honeywell Releases Cyber Insights to Better Identify Cybersecurity Threats and Vulnerabilities

**CANTON, Mass.****,** **May 23, 2023** **/PRNewswire/ --** On April 17, 2023, Point32Health, the parent organization of Harvard Pilgrim Health Care ("Harvard Pilgrim") and Tufts Health Plan, identified a cybersecurity ransomware incident on its computer systems and is working with third-party cybersecurity experts to conduct a thorough investigation into this incident and remediate the situation. 

Unfortunately, the investigation identified signs that data was copied and taken from Harvard Pilgrim systems between March 28, 2023, and April 17, 2023. Harvard Pilgrim is taking this incident extremely seriously and deeply regrets any inconvenience this incident may cause. 

Harvard Pilgrim determined that the files at issue may contain personal information and/or protected health information belonging to current and former subscribers and dependents, and current contracted providers. The investigation revealed that the following information could potentially be in the files at issue: names, physical addresses, phone numbers, dates of birth, health insurance account information, Social Security numbers, provider taxpayer identification numbers, and clinical information (e.g., medical history, diagnoses, treatment, dates of service, and provider names). At this point, Harvard Pilgrim is not aware of any misuse of personal information and protected health information as a result of this incident, but nonetheless has begun notifying potentially affected individuals to provide them with more information and resources.  

The notice includes information on steps individuals can take to protect themselves against potential fraud or identity theft. Harvard Pilgrim is also offering complimentary identity protection and access to two (2) years of credit monitoring services for potentially affected individuals. Harvard Pilgrim recommends that individuals regularly monitor their credit reports, account statements and benefit statements and promptly report any suspicious or fraudulent activity to the entity with which the account is maintained and the proper law enforcement authorities, including the police and their state attorney general.  

In response to this incident, Harvard Pilgrim is taking steps to implement additional data security enhancements and safeguards to better protect against similar events in the future. Harvard Pilgrim is, and has always been, committed to prioritizing the security of the data entrusted to it.  

Harvard Pilgrim has established a dedicated call center for individuals to contact with questions. The call center can be reached at (888) 220-5517 (toll free), Monday through Friday from 9:00 a.m. to 9:00 p.m. ET, excluding U.S. holidays. Additional information is also posted on Harvard Pilgrim's website at https://www.harvardpilgrim.org/. 

SOURCE Harvard Pilgrim Health Care

Harvard Pilgrim Health Care Notifies Individuals of Privacy Incident

DryRun security seeks to bridge the gap between developers and security professionals by automating security analysis in code reviews before deployment.

**Austin Texas, May 23, 2023 –** DryRun Security emerged from stealth with the mission to fix the disconnect between security and developers, with the premise being that all developers fundamentally care about security. The company, founded by technology veterans James Wickett and Ken Johnson, is creating a new security analysis tool  to find potential bugs sooner than any other security solution on the market while being better aligned to how developers actually work. 

Co-founders James Wickett and Ken Johnson created DryRun Security after observing that in the past 20 years software security has become misaligned with the way developers build.  The arc of the industry has created silos where legacy security solutions have  been geared towards security professionals rather than those who write the software.   

This leads to three significant gaps.  The first is testing for security issues after it’s been deployed leads to wasted developer and security team cycles when problems are discovered. The second is many of the bugs being identified are not even relevant,  resulting in false-positives. Finally, the third is application security teams lack an accurate picture of which code reviews require their expertise. This is further exacerbated by the sheer velocity and number of daily and weekly code updates. All of these problems lead to inaccurate, delayed, and often incorrectly prioritized security testing and ultimately , an overall less-secure codebase.   

DryRun Security fixes the disconnect between security and developers by performing Contextual Security Analysis which runs where developers work. As a developer writes code, they dry-run security testing and analysis  and get results back in near real time, which is where the name “DryRun” comes from.  This type of testing builds the security context of the code and provides feedback to developers whenever they make changes or write new code.

“The disconnect between engineers and security testers is due to a lack of security context making it back to developers” said James Wickett, CEO and Co-Founder of DryRun Security, “DryRun Security was created to address this fundamental disconnect under the assumption that developers truly care about the security of the products they are building. With that assumption, we believe that security should be an integral part of the software development process.  That’s why it’s our mission to provide engineers with a tool that makes it easy to identify and fix potential security bugs while the developer is working on that section of code.”

“At DryRun Security, we understand that once a developer can see the security context of their changes, they can make better decisions and create more secure applications. This is different from  the way that testing has been happening over the past two decades which has made fixing bugs inefficient, driving up costs and creating unnecessary hurdles for developers and security professionals.” Said Ken Johnson, Co-Founder and CTO of DryRun Security. “I experienced these headaches firsthand, which is why I started DryRun Security with James. Our belief is that the solution we provide will give developers the ability to integrate contextual security analysis into their development workflow and fix issues before they become bigger problems.”

DryRun Security is currently running a private beta for their product, and they are accepting signups to the list. Please visit https://dryrun.security to signup and join the early access list. 

**About DryRun Security**

DryRun Security is a software security company that provides automated security reviews for developers as they write code. Founded by James Wickett and Ken Johnson, the company takes a unique approach using Contextual Security Analysis, which is a proprietary approach they’ve developed by training over 10,000 developers on security testing and code reviews. Using this approach, developers and security teams are able to bridge the gaps of mainstream security testing approaches and fix potential bugs before deployment. For more information, please visit https://dryrun.security.

Technology Veterans James Wickett and Ken Johnson Launch DryRun Security to Bring Security to Developers

New capability streamlines automated testing of cybersecurity and anti-fraud features in android and iOS apps in virtual and cloud testing suites.

**REDWOOD CITY, Calif.****,** **May 23, 2023** **/PRNewswire/ --** Appdome, the mobile app economy's one and only Cyber Defense Automation platform, today announced Build-to-Test which enables mobile developers to streamline the testing of cybersecurity features in mobile apps.

The new capability allows Appdome-protected mobile apps to recognize when automated mobile app testing suites are in use and securely completed without interruption by a vendor, logging all security events for the developer to track and monitor. The Build-to-Test service is part of Appdome's Dev2Cyber initiative and will accelerate the delivery of secure mobile apps globally.

In continuous integration, continuous delivery (CI/CD) pipelines, mobile app quality assurance is done via automated testing services so the functionality of the mobile app can be validated across hundreds of real-world mobile devices and OS versions. However, automated testing services can also leverage methods and tools that violate cybersecurity policies or that cybersecurity professionals find problematic and dangerous such as emulators, virtualization, resigning, debugging, dual spaces, Magisk and more. Once protections are added to a mobile app, security features detect these methods and tools, and the resulting cyber defense may prevent testers from using parts of these testing services.

The new Build-to-Test option on Appdome extends Appdome's support for automated mobile app testing services and allows Appdome-protected mobile applications to recognize the testing vendor and securely complete testing runs without interruption.

"We've always supported automated testing," said Chris Roeckl, Chief Product Officer at Appdome. "Build-to-Test solves one of the last operational challenges of testing mobile applications at scale and maintains end-to-end security in the mobile DevSecOps pipeline."

Appdome-protected mobile apps have always been testable on devices made available through automated mobile application testing vendors. Advantages of the new Build-to-Test feature include:

*   Fully automated testing for Appdome-protected mobile apps;
*   Fully automated mobile app testing services to validate cyber defenses in Appdome protected mobile apps;
*   Reduced complexity when testing protected mobile apps in automated environments;
*   Eliminate the need to test protected and unprotected builds separately; and
*   Protect test builds with Appdome defenses to ensure improved DevSecOps compliance.

"Mobile developers want to test complete Android and iOS builds that include cyber and anti-fraud defenses," said Jamie Bertasi, Chief Customer Officer at Appdome. "Our goal is to remove every ounce of friction that stands in the way of protecting the mobile app economy."

Appdome's Built-to-Test option is available with Appdome-DEV and Appdome-SRM licenses and compatible with all major mobile app testing services including Microsoft App Center, Sauce Labs, BitBar, LambdaTest and BrowserStack to reduce time to market, improve app quality and increase pipeline efficiency.

For more information on how to use Appdome Build-to-Test, please see this knowledge base article.

**About Appdome** 

Appdome's mission is to protect every mobile app in the world and the people who use mobile apps in their lives and at work. Appdome provides the mobile industry's only mobile application Cyber Defense Automation platform, powered by a patented artiﬁcial-intelligence based coding engine, Threat-Events™ Threat-Aware UX/UI Control and ThreatScope™ Mobile XDR. Using Appdome, mobile brands eliminate complexity, save money, and deliver 300+ Certified Secure™ mobile app security, anti-malware, anti-fraud, mobile anti-bot, anti-cheat, MiTM attack prevention, code obfuscation and other protections in Android and iOS apps with ease, inside the mobile DevOps and CI/CD pipeline. Leading ﬁnancial, healthcare, government and m-commerce brands use Appdome to protect Android and iOS apps, mobile customers and mobile businesses globally. Appdome holds several patents including U.S. Patents 9,934,017 B2, 10,310,870 B2, 10,606,582 B2, 11,243,748 B2 and 11,294,663 B2. Additional patents pending.

Learn more at www.appdome.com.

SOURCE Appdome

Appdome Launches Build-to-Test, Automated Testing Option for Protected Mobile Apps

Attackers primarily target on-premises IT infrastructures.

**FRISCO, Texas****,** **May 23, 2023** **/PRNewswire/ --** Netwrix, a cybersecurity vendor that makes data security easy, today announced additional findings for the enterprise sector (organizations with more than 1,000 employees) from its annual global 2023 Hybrid Security Trends Report.

According to the survey, 65% of organizations in the enterprise sector suffered a cyberattack within the last 12 months, which is similar to the results among companies of all sizes (68%). The most common security incidents are also the same: phishing, ransomware and user account compromise.

However, larger organizations are a more frequent target for ransomware or other malware attacks: 48% of enterprises experienced this type of security incident on premises, compared to 37% among organizations of all sizes. Malware attacks are less common in the cloud: just 21% of respondents in the enterprise sector experienced one within the last 12 months.

"It is no surprise that the enterprise sector suffers malware attacks at a higher rate than smaller organizations. After all, ransomware operators want to maximize their profits, so they consider which organizations are most able to pay a ransom to reduce business downtime — and the larger an organization is, the costlier an operational disruption will be," says Dmitry Sotnikov, VP of Product Management at Netwrix. "On the other hand, larger organizations have more tools to spot the attack that might stay unnoticed for SMBs. In addition, enterprises have bigger infrastructure with more endpoints that statistically increases the chance of the security incident."

The enterprise sector also reports larger expenses as a result of cyberattacks than their smaller counterparts. Indeed, 28% of enterprises estimated their financial damage from cyberthreats to be $50,000 and higher, compared to just 16% among organizations overall.

"Smaller companies often underestimate their risk of attack, reasoning that cybercriminals tend to target enterprises because they store more intellectual property (IP) and other sensitive data. But our survey shows that organizations suffer cyberattacks with a similar frequency regardless of their size," says Dirk Schrader, VP of Security Research at Netwrix. "Every organization has valuable data, such as customer and employee information, and is therefore a target for attackers. What's more, SMBs are not only a target on their own but as a way into the larger enterprises that consume their services."

To learn more about how enterprises can overcome the ransomware challenge, visit the Netwrix ransomware protection page.

**About Netwrix**  

Netwrix makes data security easy. Since 2006, Netwrix solutions have been simplifying the lives of security professionals by enabling them to identify and protect sensitive data to reduce the risk of a breach, and to detect, respond to and recover from attacks, limiting their impact. More than 13,000 organizations worldwide rely on Netwrix solutions to strengthen their security and compliance posture across all three primary attack vectors: data, identity and infrastructure.  

For more information, visit www.netwrix.com.

Netwrix Report: Enterprises Suffer More Ransomware and Other Malware Attacks Than Smaller Organizations

The company's ESG appliances were breached, but their other services remain unaffected by the compromise.

Email and network security solutions company Barracuda Networks is warning customers that threat actors have targeted its email security gateway (ESG) appliances for compromise, by way of an email attachment scanning module.

The issue, discovered on May 19, has since been addressed through two security patches applied worldwide on May 20 and 21, though Barracuda still warned its customers on May 23 that some of the ESG appliances remain compromised. In its investigation, the company found that the vulnerability "resulted in unauthorized access to a subset of email gateway appliances," though its other products, such as the software-as-a-service (SaaS) email security services, were not affected.

Because the investigation was limited specifically to the ESG, the company encourages those that have been affected to assess their network environments to ensure that their other devices on the network have not also been compromised.

Barracuda continues to monitor the situation and users who have been impacted have been notified through ESG appliances of what their next steps should be.

"If a customer has not received notice from us via the ESG user interface," the company said, "we have no reason to believe their environment has been impacted at this time and there are no actions for the customer to take."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Threat Actors Compromise Barracuda Email Security Appliances

Security professionals warn that Google's new top-level domains, .zip and .mov, pose social engineering risks while providing little reason for their existence.

Two new top-level domain names — .zip and .mov — have caused concern among security researchers, who say they allow for the construction of malicious URLs that even tech-savvy users are likely to miss.

Google announced the domains in early May, kicking off a slow buildup of criticism from the security community as people became aware of the issues. In a widely circulated post on Medium, security researcher Bobby Rauch pointed to two seemingly identical URLs that appear to go to the same place — downloading a zip file from a GitHub repository — but by using unicode slashes, an "@" sign, and the .zip domain, a potentially malicious URL could instead redirect users to an attacker's website.

While a top-level domain (TLD) that mimics a file extension is only one component in the lookalike attack, the overall combination is much more effective with the .zip or .mov extension, says Tim Helming, security evangelist at DomainTools, a provider of domain-related threat intelligence.

"There's no question that phishing links that involve these TLDs can be used to lure unsuspecting users into accidentally downloading malware," he says. "Unlike other kinds of phishing URLs that are intended to lure the user to enter credentials into a phony login page, the lures with the .zip or .mov domains are more suited to drive-by download types of attacks."

In the three weeks since Google announced the new domains — along with .dad, .phd, and .foo — security researchers have pointed out the dangers of TLDs that match file extensions. On Tuesday, for example, Trend Micro became the latest security firm to warn users to fine-tune their ability to spot malicious links. In the advisory, the company pointed out that the Vidar info-stealer uses fake URLs to download a "Zoom.zip" file to the victim's computer — and that the .zip domain will make the attack much more effective.

Google did not answer questions about the tradeoffs between risk and utility for the new TLDs but did send a statement to Dark Reading, pointing to other confusing domains, such as 3M's command.com domain as a way of arguing that the issue is not novel.

"The risk of confusion between domain names and file names is not a new one," the company stated. "Applications have mitigations for this — such as Google Safe Browsing — and these mitigations will hold true for TLDs such as .zip. At the same time, new namespaces provide expanded opportunities for naming such as community.zip and url.zip."

Whether the new domains will make phishing better is still a question for some, but the risk of making more effective links seems to outweigh any benefit of the domains, says Erich Kron, security awareness advocate at phishing and security education firm KnowBe4.

"It's the 'why are we doing this?' that kind of gets me, and frankly, it's just a bad idea, right?" he says. "Bad actors have been using .zip files and compressed files to get people to download malware for eons, and then to make a top-level domain that the general public is going to associate with \[legitimate files\] ... we are really opening the doors to some some very easy trickery here."

**No Active Phishing Attacks so Far**

The domain names have already led to some mistakes, and not just on the part of humans. Some tools, such as Google's own malware identification service VirusTotal, are confusing filenames with the .zip extension with URLs with the .zip TLD, according to Johannes Ullrich, dean of research for education organization SANS Technology Institute. Ullrich is in the process of surveying existing .zip domains to see which are malicious.

He has found that evidence of in-the-wild campaigns is scant so far. "This opens up new avenues for more convincing phishing attacks," Ullrich said, with a caveat: "However, there are already many ways to create convincing phishing attacks, so the risk is more incremental."

The good news is that attackers have not yet picked up the technique en masse for real-world attacks, Trend Micro stated in its advisory.

"As of today, Trend Micro has not yet received URLs related to these new TLDs from internal and customer cases," the company stated. "However, we will continue to monitor any related URLs we come across and block them as needed in preparation for potential phishing campaigns."

At this point, the biggest "attack" so far involves "rickrolling" and parked domains, Ullrich says: At least 48 domains have been registered by people who then posted a video of singer Rick Astley and his song, "Never Gonna Give You Up."

**Awareness, Best Security Practices Remain Top Advice**

The creation of file-extension-lookalike domain names will likely lead Google and other browser makers to adopt warnings in their software, alerting users when a domain uses special unicode characters — such as two characters that appear to be slashes (/) — and which could be confused for legitimate URLs.

However, much will still rely on users, who should be careful about checking links, and companies, which can restrict new domain names until cybersecurity providers can assign them a reputation, DomainTools' Helming says.

"There are ways for very savvy users to spot these file paths visually," he adds, "but the most effective defenses are going to be a combination of efforts that include security control detections for things like those characters, risk scoring for newly created domains — in any TLD — and updated user awareness training."

_With reporting by Jaikumar Vijayan_

Google's .zip, .mov Domains Give Social Engineers a Shiny New Tool

A cybersecurity vulnerability found in an implementation of the social login functionality opens the door to account takeovers and more.

A vulnerability in the implementation of the Open Authorization (OAuth) standard that websites and applications use to connect to Facebook, Google, Apple, Twitter, and more could allow attackers to take over user accounts, access and/or leak sensitive information, and even commit financial fraud.

OAuth comes into play when a user logs in to a website and clicks on a link to log in with another social media account, such as "Log in with Facebook" or "Log in with Google" — a feature that many sites use to allow cross-platform authentication. A team from API security firm Salt Security's Salt Labs discovered the flaw, tracked as CVE-2023-28131, in the OAuth implementation in Expo, an open source framework for developing native mobile apps for iOS, Android, and other Web platforms using a single codebase.

Specifically, the flaw potentially could affect any users that use various and social media accounts to log into an online service that uses the framework, the researchers revealed in a blog post published May 24.

The vulnerability is the second — and more impactful — one that Salt researchers have found in an online platform's implementation of OAuth, which is proving to be a tricky standard to implement securely. In March, Salt discovered a flaw in Booking.com's implementation of OAuth that could have allowed attackers to take over user accounts and gain full visibility into their personal or payment-card data, as well as log in to accounts on the website's sister platform, Kayak.com.

**Third-Party Risk With OAuth Implementation**

The flaw in Expo could have had a much wider impact than the Booking.com flaw, because of Expo's wide install base, Aviad Carmel, Salt security researcher, tells Dark Reading.

"Because this second OAuth vulnerability was discovered in a third-party framework used by hundreds of companies, the potential exposure was far greater," he says. "It could have impacted the OAuth implementations of hundreds of websites and apps."

Moreover, OAuth is becoming a de facto authentication standard in modern service-based architectures, as well as in emerging artificial intelligence (AI)-based platforms. This inherently means any vulnerabilities in OAuth implementations have a broad reach. In fact, in other research unveiled May 24, software-as-a-service (SaaS) security firm DoControl revealed that 24 percent of third-party AI apps require risky OAuth permissions.

Expo patched CVE-2023-28131 within hours after Salt researchers flagged the issue, and developers maintaining the platform recommended in a blog post detailing the flaw that customers update their Expo deployments to fully mitigate the risk.

However, the mounting list of OAuth vulnerabilities and the overall complexity of correctly configuring the standard that they highlight suggest that more websites and apps could have undiscovered flaws lurking beneath their surface.

The findings also demonstrate how enterprises are adversely and broadly affected when third-party frameworks introduce API vulnerabilities into their environment, often without them knowing. This puts customers at risk for credential leaks or account takeover, and gives threat actors a platform from which to launch further attacks, the researchers said.

**Exploiting the Expo Flaw**

When a user clicks on an OAuth-enabled link to log in to Site A with a social media account, Site A will then open a new window to Facebook, Google, or whatever trusted account is being used. If it's the user's first time visiting Site A, the social media page will ask for permission to share details with Site A. If the user has gone through the process before, the social media site will automatically authenticate the user to Site A.

Salt Labs researchers discovered CVE-2023-28131 in Codeacademy.com, an online platform that offers free coding classes across a dozen programming languages. Companies including Google, LinkedIn, Amazon, Spotify, and others use the site to help train employees, and the site has around 100 million users. The researchers ultimately exploited the flaw to gain complete control of Codeacademy.com accounts, they said.

The vulnerability in the OAuth implementation within Expo relates to the social sign-in process, Carmel tells Dark Reading. "When users sign in using their Facebook or Google credentials, Expo acts as an intermediary and transfers the user's credentials to the target website," he says.

Attackers could have exploited CVE-2023-28131 by intercepting this flow and manipulating Expo to send the user credentials to a malicious domain instead of the intended destination, Carmel explains.

This exploitation could have led to leaks of personal data or even financial fraud if attackers used credentials to log into users' financial accounts. Threat actors also could potentially have performed actions on behalf of users on their social media accounts, Carmel says.

**Why OAuth Is Tricky**

OAuth's popularity stems from how it can provide a much more seamless user experience for people when interacting with frequently used websites. However, it has a complex, technical back-end that can lead to implementation mistakes, creating security gaps that are ripe for exploitation, the researchers said.

To secure an OAuth implementation, then, an organization must understand how OAuth functions and which endpoints can receive user inputs, Carmel says.

"Attackers may attempt to manipulate these inputs, so validating each one is essential," he advises. "This can be achieved by maintaining a whitelist of predetermined values or implementing other strict validation methods."

Because of how complex OAuth implementations are proving to be, Salt Security plans to release a best-practice guide in the future to help enterprises security their OAuth implementations effectively, Carmel adds.

Source

DARKReading