The US Treasury Department linked the notorious cybercrime gang to Russian Intelligence Services because cyberattacks that disrupted hospitals and other critical infrastructure align with Russian state interests.

The US and the UK have issued joint sanctions against alleged members of the TrickBot cybercrime gang for their role in cyberattacks against critical infrastructure.

Trickbot, as a malware, began life as a lowly banking Trojan before its authors started adding modules for other forms of malicious activity. It thus evolved into a multifaceted cyber-Swiss Army knife, often used as a first- or second-stage implant that, once ensconced on a victim machine, fetches ransomware or other payloads. The group ultimately grew into to acting as a ransomware affiliate for Conti and other groups. 

"During the height of the COVID-19 pandemic in 2020, Trickbot targeted hospitals and healthcare centers, launching a wave of ransomware attacks against hospitals across the United States," according to an announcement from the US Treasury Department. "In one of these attacks, the Trickbot Group deployed ransomware against three Minnesota medical facilities, disrupting their computer networks and telephones, and causing a diversion of ambulances. Members of the Trickbot group publicly gloated over the ease of targeting the medical facilities and the speed with which the ransoms were paid to the group."

The announcement, intriguingly, ties the seven sanctioned people to Russian Intelligence Services, since the 2020 attacks "aligned them to Russian state objectives and targeting previously conducted by Russian Intelligence Services. This included targeting the US government and US companies." Trickbot has previously been widely considered to be a financially motivated cybercrime gang, Russian-speaking but not Russia-sponsored.

The sanctioned individuals are:

*   Vitaly Kovalev, aka Bentley or Ben
*   Maksim Mikhailov, aka Baget
*   Valentin Karyagin, aka Globus
*   Mikhail Iskritskiy, aka Tropa
*   Dmitry Pleshevskiy, aka Iseldor
*   Ivan Vakhromeyev, aka Mushroom
*   Valery Sedletski, aka Strix

The sanctions mean that the government can seize any assets that they may have in the US or UK, and it prevents US- and UK-based organizations and individuals from doing business with them. All seven perps remain at large, presumably under the comforting protection of the Russian state, which continues to look the other way when it comes to cybercriminals residing within its borders.

"These sanctions are a welcome sight although they may be academic," Timothy Morris, chief security adviser at Tanium, tells Dark Reading. "What it would, or should do, is make it harder for the seven involved to launder their ill-gotten gains. Also, they will probably be careful with any vacation plans for fear of capture or extradition. It is good to see sanctions and takedowns that have cross-jurisdiction cooperation."

As for the gang itself, a law-enforcement takedown in 2020 saw its activity slowly "wither," according to a report last year from Intel 471, with the malware's operators instead turning to the Emotet botnet to continue its incursions into businesses.

"We've not seen any Trickbot activity since the Feb. 2022 blog post," Michael DeBolt, chief intelligence officer at Intel 471, said in an emailed statement. "It is highly likely that Trickbot won't be seen again. One possible scenario is that the source code may be sold or leaked, and other threat actors could re-use it or fork the source into a new project."

Trickbot Members Sanctioned for Pandemic-Era Ransomware Hits

**FARGO, N.D.** **and** **LONDON****,** **Feb. 10, 2023** **/PRNewswire/ --** Integreon, a trusted worldwide provider of tech-enabled legal and business outsourced services, announced today the development of CyberHawk-AI, an advanced automated technology that utilizes artificial intelligence (AI) to streamline the process of extracting and analyzing sensitive data following cyber breaches. This industry-first technology will be integrated into their cyber response workflow to significantly reduce the manual effort in preparation for breach notification. Integreon also announced its partnership with RadarFirst, a leader in privacy incident management whose patented risk assessment technology automates privacy risk assessments to deliver consistent, actionable breach notification guidance for all relevant regulations.

Integreon's CyberHawk-AI is a machine learning-based BoT designed to expedite the review process for potentially compromised data while improving accuracy and overall efficiency. This solution, developed by Integreon's i-Lab technology enablement team, learns and subsequently identifies patterns of frequently compromised information. The BoT quickly highlights these patterns and automates the first pass review of documents to identify personally identifiable information. Automated first-pass review, followed by next-level review and quality checks conducted by cyber review experts, allows Integreon to reduce turnaround times while ensuring accuracy. This new software is the first technology in the cyber incident response space to utilize machine learning, human-in-the-loop (HITL) and a reinforced training module.

"This groundbreaking technology helps Integreon better address our clients' concerns and demands, advances the tech-enablement of our services and drives greater innovation," said Subroto Mukerji, Chief Executive Officer of Integreon. "As technology and our industry continue to evolve, we will lead the way and maintain the high quality of services that we are known for."

Integreon applies cyber-specific processes and best-in-breed technology to offer a true end-to-end cyber incident response (CIR) solution that spans data mining, review, consolidated entity list (CEL) preparation, notification preparation applying jurisdictional requirements and breach notification. RadarFirst uses software as a service (SaaS) technology to automate privacy risk assessment and maps a risk of harm analysis directly to relevant jurisdictions with clear breach notification obligations, notification timelines and applicable points of contact, replacing significant manual effort by breach counsel.

With the integration of RadarFirst, Integreon automatically uploads the Consolidated Entity List (CEL) and enters information about the breach into RadarFirst's SaaS software, and based on jurisdictional notification requirements, the platform highlights and creates a notification prioritization. This joint offering arms breach coaches with a powerful tool to cost-effectively and quickly give clients a roadmap to meet their post breach obligations. Previously, significant time and resources were spent analyzing the data to then determine compliance with regulatory jurisdictions. Given it significantly reduces manual effort, law firms will be able to assume more client work and avoid resource shortfalls. Insurance companies are promoting its use given the significant impact on costs.

"The integration of RadarFirst's industry-leading privacy incident management solution with Integreon's CyberHawk-AI technology has created a powerful, end-to-end solution solving for the growing demands on global privacy teams." Don India, CEO of RadarFirst said. "RadarFirst and Integreon both understand the complexities of data breach resolution and are committed to streamlining incident management. This is a natural partnership where we will be able to increase accessibility to our solution – helping organizations of all sizes accelerate efficiency and build customer trust."

**About Integreon**

Integreon is the trusted, global provider of creative, business, and legal outsourced services to corporations and law firms seeking to expand their capabilities and transform their performance. The company's 3,500+ professionals provide expert support across a range of managed services—from creative design, content delivery and administrative support to legal and compliance. With global delivery centers on three continents, Integreon delivers round-the-clock service in 50+ languages and is deeply committed to client success, consistently delivering innovative, tech-enabled solutions that improve agility and efficiency to drive business performance. Integreon is owned by EagleTree Capital, a leading New York\-based private equity firm that has invested approximately $2.7 billion of equity capital since inception.

**About RadarFirst**

RadarFirst offers innovative software solutions to data privacy challenges in today's increasingly complex and changing privacy regulations. With RadarFirst's patented SaaS-based incident management platform, organizations make consistent, defensible breach notification decisions in a fraction of the time. The Radar Breach Guidance Engine™profiles and scores data privacy incidents and generates incident-specific notification recommendations to help ensure compliance with data breach laws and contractual notification obligations. Privacy leaders around the globe rely on RadarFirst for an efficient, consistent, and defensible solution for privacy incident management. To learn more about simplifying your incident management visit radarfirst.com.

For more information about Integreon's range of services, email \[email protected\], visit www.integreon.com and follow Integreon at LinkedIn, Twitter and Facebook.

SOURCE Integreon

Integreon Launches Cyber Incident Response Offering with Development of AI-Based Review and Integration of RadarFirst

The authentication bypass used by the Nobelium group, best known for the supply chain attack on SolarWinds, required a massive, real-time investigation to uncover, Microsoft says.

Microsoft has tracked down a sophisticated authentication bypass for Active Directory Federated Services (AD FS), pioneered by the Russia-linked Nobelium group. 

The malware that allowed the authentication bypass — which Microsoft called MagicWeb — gave Nobelium the ability to implant a backdoor on the unnamed customer's AD FS server, then use specially crafted certificates to bypass the normal authentication process. Microsoft incident responders collected data on the authentication flow, capturing the authentication certificates used by the attacker, and then reverse-engineered the backdoor code.

The eight investigators were not focused "so much \[on\] a whodunit as a how-done-it," Microsoft's Detection and Response Team (DART) stated in its Incident Response Cyberattack Series publication.

"Nation-state attackers like Nobelium have seemingly unlimited monetary and technical support from their sponsor, as well as access to unique, modern hacking tactics, techniques, and procedures (TTPs)," the company stated. "Unlike most bad actors, Nobelium changes their tradecraft on almost every machine they touch."

The attack underscores the increasing sophistication of APT groups, which have increasingly targeted technology supply chains, such as the SolarWinds breach, and identity systems. 

**A "Masterclass" in Cyber Chess**

MagicWeb used highly privileged certifications to move laterally through the network by gaining administrative access to an AD FS system. AD FS is an identity management platform that offers a way of implementing single sign-on (SSO) across on-premises and third-party cloud systems. The Nobelium group paired the malware with a backdoor dynamic link library (DLL) installed in the Global Assembly Cache, an obscure piece of .NET infrastructure, Microsoft said.

MagicWeb, which Microsoft first described in August 2022, was built on previous post-exploitation tools, such as FoggyWeb, which could steal certificates from AD FS servers. Armed with these, the attackers could make their way deep into organizational infrastructure, exfiltrating data along the way, breaking into accounts, and impersonating users.

The level of effort needed to uncover the sophisticated attack tools and techniques shows that the upper echelons of attackers require companies to be playing their best defense, according to the Microsoft.

"Most attackers play an impressive game of checkers, but increasingly we see advanced persistent threat actors playing a masterclass-level game of chess," the company stated. "In fact, Nobelium remains highly active, executing multiple campaigns in parallel targeting government organizations, non-governmental organizations (NGOs), intergovernmental organizations (IGOs), and think tanks across the US, Europe, and Central Asia."

**Limit Privileges for Identity Systems**

Companies need to treat AD FS systems and all identity providers (IdPs) as privileged assets in the same protective tier (Tier 0) as domain controllers, Microsoft stated in its incident response advisory. Such measures limit who can access those hosts and what those hosts can do on other systems. 

In addition, any defensive techniques that raise the cost of operations for cyberattackers can help prevent attacks, Microsoft stated. Companies should use multifactor authentication (MFA) across all accounts throughout the organization and make sure they monitor the authentication data flows to have visibility into potential suspicious events.

MagicWeb Mystery Highlights Nobelium Attacker's Sophistication

Valve's unpatched JavaScript engine and incomplete modification vetting process for Steam-delivered mods led to user systems being backdoored.

A threat actor recently uploaded four "mods" containing malicious code into the catalog in the official Steam store that players of the popular Dota 2 online game use for downloading community-developed game additions and other custom items.

Mods, short for "modifications," offer in-game content that players create rather than the developers.

Users who installed the mods ended up with a backdoor on their systems that the threat actor used to download an exploit for a vulnerability (CVE-2021-38003) in the V8 open source JavaScript engine version present in a framework called Panorama that players use to develop custom items in Dota 2.

Researchers from Avast discovered the issue and reported it to Valve, the developer of the game. Valve immediately updated the game's code to a new (patched) version of V8, and took down the rogue game mods from its Steam online store. The gaming company — whose portfolio includes Counter-Strike, Left 4 Dead, and Day of Defeat — also notified the small handful of users who downloaded the backdoor about the issue and implemented unspecified "other measures" to reduce Dota 2's attack surface, Avast said.

Valve did not immediately respond to a Dark Reading request for comment.

**Taking Advantage of Dota 2's Customization Features**

The attack that Avast discovered is somewhat similar in approach to the numerous incidents where a threat actor has uploaded malicious applications to Google Play and Apple's App Store, or malicious code blocks to repositories like npm or PyPI.

In this case, the individual who uploaded the code to Valve's Steam store took advantage of the fact that Dota 2 allows players to customize the game in many ways. Dota's game engine gives anyone with even basic programming skills the ability to develop custom items such as wearables, loading screens, chat emojis, and even entire custom game modes — or new games, Avast said. They can then upload those custom items to the Steam store, which vets the offerings for unsuitable content, and then publishes them for other players to download and use. 

However, because the Steam vetting process is more focused on moderation than security, bad actors can sneak malicious code into the store without too much trouble, the researchers warned. "We believe the verification process exists mostly for moderation reasons to prevent inappropriate content from getting published," according to Avast's blog post. "There are many ways to hide a backdoor within a game mode, and it would be very time-consuming to attempt to detect them all during verification."

Boris Larin, lead security researcher at Kaspersky's global research and analysis team, says that while game companies are not directly responsible for malicious code embedded into third-party modifications, incidents like these still harm the company's reputation. This is especially true when modifications are distributed through special repositories owned by the game developer that may contain vulnerabilities.

"In this particular case, the timely updating of third-party components would have helped to protect the players," Larin says. "JavaScript engines and built-in Web browsers also require special attention as they often contain vulnerabilities that can be exploited for remote code execution."

**Gaming Industry Continues to Be a Massive Target**

The incident at Valve is the latest in a string of attacks that have targeted online gaming companies and players in recent years — and especially since the COVID-19 outbreak, when social distance mandates drove a surge in online gaming. In early January, attackers broke into Riot Games' systems and stole source code for the company's League of Legends and Teamfight Tactics games. The attackers demanded $10 million from Riot Games in return for not publicly leaking the source code. In another incident, an attacker breached systems at Rockstar Games last year and downloaded early footage of the next version of the company's popular Grand Theft Auto game.

A report that Akamai released last year showed a 167% increase in Web application attacks on player accounts and gaming companies last year. A plurality of these Web application attacks — 38% — involved local file inclusion attacks; 34% were SQL injection attacks, and 24% involved cross-site scripting. Akamai's survey also showed that the gaming industry accounted for some 37% of all distributed denial-of-service (DDoS) attacks, which was double that of the second-most-targeted sector.

Akamai, like others previously, attributed the major attacker interest in gaming to the highly lucrative nature of the industry as a whole, and to the billions of dollars that users spend via in-game microtransactions while playing games. In 2022, PwC pegged gaming industry revenues at $235.7 billion for the year. The consulting firm estimated that industry revenues will grow at some 8.4% through 2026 at least.

The attacks have put growing pressure on gaming companies to ramp up their security processes. Industry experts have previously noted how gaming companies that experience major security incidents face the risk of losing player trust and player engagement on their platforms.

"Gaming companies should regularly update and scan their systems and employ a comprehensive defensive concept that equips, informs, and guides their team in their fight against the most sophisticated and targeted cyberattacks," Larin says.

"All repositories, whether an app store, an open source package repository, or even game modification repositories, should be automatically checked for malicious content," he says. This should include static checks for obfuscated or dangerous functionality and scanning with an antivirus engine SDK, he notes.

Larin adds: "Open source code repository poisoning has become more widespread in recent years and its early detection can prevent larger incidents."

Malicious Game Mods Target Dota 2 Game Users

Event organizers should be exercising various cyberattack scenarios to ensure they have the proper checks and balances in place to respond accordingly and maintain resilience.

When Super Bowl LVII between the Kansas City Chiefs and Philadelphia Eagles kicks off in Phoenix on Feb. 12, most everyone's eyes will be on the gridiron. But farther afield, malicious actors and cyberattackers may be looking to score their own kind of touchdown — by shutting down systems, perpetuating ransomware, or carrying out hacktivism.

The 2022 FIFA World Cup tournament held in Doha, Qatar, over the winter raised similar operational concerns, and cybersecurity experts note that large-scale events in general offer a very broad attack surface area to threat actors of all stripes, thanks to the sheer number of systems involved in carrying it off.

"The thing that's tricky for security teams is that it’s not just one entity or single network they must look after," says James Campbell, CEO and co-founder of Cado Security. "An event like the Super Bowl involves numerous suppliers, media companies, and so on, all of which are responsible for looking out for their networks, collectively making up how the Super Bowl is run."

Campbell adds that one of the biggest disruptions to the Super Bowl would be preventing it from being televised. With millions of people worldwide watching, and given the advertising and revenue generated from the Super Bowl, if a threat group wanted to get a certain point across, restricting the ability to broadcast it live would do the trick.

"That would probably have the biggest impact, other than physically ensuring the Super Bowl doesn't \[actually take place\] — a harder task," he says.

**Critical Steps for Securing the Super Bowl**

Bud Broomhead, CEO at Viakoo, points out that the large number of third parties involved in the event from a technical perspective means that ensuring that multiple networks are segmented from each other is a crucial first step in protecting the event — so that if one system is breached (Rihanna's microphones), the threat actors can't reach another system (video surveillance, for instance).  
He adds the large number of Internet of Things (IoT) devices and ad hoc networks that third parties will bring to the party — by stakeholders as varied as caterers and sound engineers — means multiple points of failure. Thus, layers of testing for worst-case scenarios will be important leading up to the event.

"There will need to be overall testing of those systems ahead of the event to ensure sufficient redundancy exists," Broomhead says. "Security for a big event like the Super Bowl must also have a focus on resiliency — if bad things happen, is there an already established plan to minimize the impact?"

Darren Guccione, CEO and co-founder at Keeper Security, notes that on the IoT front, many physical control systems are "smart" — i.e., Internet-facing; as such, they should be of particular concern.

He poses a hypothetical: The broadcast network equipment and servers sitting in the data room in the Super Bowl may be hardened with up-to-date patches, firewalls, and other defenses, but what about the building management system? This might be a separately controlled network — and not as well secured.

"Suppose threat actors attack IoT and turn off the air conditioning in the building management system," he says. "In that case, all those computers are useless because you must immediately turn off all your servers, or else they melt within 20 minutes."

The scenario of an attack via the HVAC system is familiar from the infamous Target breach of 2014 — all it takes is one employee falling for a phish.

"Leading up to the big game, IT professionals should be on the lookout for phishing attacks, malware and viruses, and social engineering attacks as threat actors attempt to gain access to the computer systems used to manage the event," Guccione advises.

Despite the what-ifs, the good news is that cybersecurity is firmly on the radar screen for this upcoming weekend: In addition to preparations on the part of the event organizers and all of the third-party stakeholders involved, a variety of government organizations also have thorough cyber-defense plans in place for the event, including the Arizona Cyber Command and the Federal Aviation Administration.

Attacker Allure: A Look at the Super Bowl's Operational Cyber-Risks

Bridging the divide between developers and security can create a culture change organically.

Over the past few years, organizations have dramatically expanded their use of cloud environments by more than 25%. This expansion came as organizations shifted toward hybrid workforces, where employees needed to access business-critical applications from their kitchen, local coffee shop, or halfway across the world. There is no debate today that the majority of applications have moved to the cloud and cloud-native development will continue to gain popularity, with developers able to build and deploy new applications within minutes. In fact, Gartner estimates that by 2025, more than 95% of new cloud workloads will be deployed on cloud-native platforms, up from 30% in 2021.

However, if you ask any developer what the one aspect to application development/deployment that slows them down is, they'll give you one word: security. There has been a long-standing and well-known disconnect between application developers and security teams — a constant tug and pull where developers don't want their applications slowed down or user experience to be altered by security protocols.

Meanwhile, security teams are working to ensure these applications won't open their organizations to increased risk. According to Palo Alto Networks' 2022 What's Next In Cyber survey, 71% of chief information security officers (CISOs) agree that security slows down DevOps in their organizations. So, how do we satisfy both groups and have them work together to deliver secure applications? 

By setting and pursuing shared goals, your organization's security and DevOps teams can reinforce each other's success rather than working in silos. Here are a few ways each team can better work together to deliver secure applications that do not impact user experience or time to deployment.

**Define Your Shift-Left Security Strategy Together**

Create a mutual understanding of what shifting left means to the organization. In its simplest form, it means embedding security at the forefront of application development rather than at the end. With this approach, organizations shift from reactive to proactive, where security vulnerabilities can be addressed early on, when they are less complex and costly. This mutual understanding can mean developing a document that outlines the vision, ownership/responsibility, milestones, and metrics. This way, both security and DevOps teams commit to one another that security is not an afterthought and both are aligned to create a more holistic approach to application security.

**Understand Where and How Software Is Created in Your Organization**

One of the biggest challenges of shifting security left is understanding how and where software is created within the organization. This is shaped by various variables, including the company's size and whether the work is outsourced to multiple vendors. For example, a large organization will likely spend more than a few months digging, and require additional time to review contracts. Key items to identify are people, process, and technology: 

*   People = who is developing the code
*   Process = the flow from development laptops to production
*   Technology = systems used to enable the process

**Developer-Friendly Security Tools**

Providing and implementing developers with friendly tools from the beginning of development ensures that security teams are empowering DevOps teams with the right set of tools to take ownership for the security posture of their applications. Practical and unobtrusive security tools dramatically increase developers' willingness and ability to inject security into their pipelines. As security professionals, we must equip them with tools that do not hinder their processes but, rather, empower them to build with the confidence that their applications are secure.

Implementing these steps within your organization is the start of bridging the divide between developers and security teams. If done correctly and there is complete buy-in from both sides, a culture change will occur organically. Security teams will begin to trust developers to take ownership for security, while developers will continue to operate with speed and agility. By shifting left, both teams put themselves in a position to better protect the organization and strengthen the overall security posture.

Addressing the Elephant in the Room: Getting Developers & Security Teams to Work Together

Members of the Health-ISAC can ingest threat indicators directly into Chronicle to investigate whether the threat is present in their environment.

In a bid to help healthcare organizations defend themselves from threats, Google Cloud announced it will be integrating the healthcare threat intelligence feed with its Chronicle platform.

Healthcare and life sciences organizations connect and share threat intelligence as part of the Health Information Sharing and Analysis Center (Health-ISAC). Members share threat indicators – forensic artifacts such as suspicious files, URLs, email addresses, network addresses, sampled traffic, and activity logs – through the Health-ISAC Indicator Threat Sharing (HITS) feed. The crowd-sourced approach allows other members to use the shared information to investigate whether the same threats are present in their environment and update defenses as needed.

HITS shares cyber threat intelligence through machine-to-machine automation. Google Cloud security engineers worked with Health-ISAC Threat Operations Center to develop an open sourced integration that connects HITS directly with the Chronicle Security Operations information and event management. This way, members can ingest the shared threat indicators into Chronicle and use that information to automate threat analysis decisions. There are setup instructions for STIX/TAXII feeds on GitHub.

"The integration with Chronicle can help Health-ISAC members discover threats more rapidly, and can also assist in evicting malicious actors from their infrastructure," Taylor Lehmann, director in the Office of the CISO, and Adam Licata, a product manager, said in the announcement.

The latest Chronicle integration is part of Google Cloud's investment as an Ambassador partner – a way for non-healthcare organizations to share experts (Google Cybersecurity Action Team) and resources (Threat Horizon Report) with the members of the ISAC.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Google Cloud Connects Chronicle to Health ISAC Feed

Reddit code, internal documents, dashboards, and business systems were compromised in the cyberattack.

Reddit announced that its internal systems were breached on Feb. 5 as the result of an employee credential compromise.

The company said a "sophisticated and highly-targeted" phishing attack was able to trick a single employee into giving up their login information.

The cyberattackers then gained access to code and some internal data, including advertiser and employee information. Reddit user data was not affected, however, the company said.

"Based on several days of initial investigation by security, engineering, and data science (and friends!), we have no evidence to suggest that any of your non-public data has been accessed, or that Reddit's information has been published or distributed online," the company said.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Reddit Breached With Stolen Employee Credentials

A sophisticated cyber-espionage attack against high-value targets attending a maritime technology conference in Pakistan this weekend has been in the works since last year.

A novel threat actor that researchers have dubbed "NewsPenguin" has been conducting an espionage campaign against Pakistan's military-industrial complex for months, using an advanced malware tool. 

In a blog post on Feb. 9, researchers from Blackberry revealed how this group carefully planned out a phishing campaign targeting visitors to the upcoming Pakistan International Maritime Expo & Conference (PIMEC).

PIMEC will take place over the course of this coming weekend. It is a Pakistan navy initiative that, according to a government press release, "will provide opportunities to maritime industry both in public and private sectors to display products and develop business relationships. The event will also highlight Pakistan's Maritime potential and provide the desired fillip for economic growth at national level."

Attendees at PIMEC include nation-states, militaries, and military manufacturers, among others. That fact, combined with NewPenguin's use of a bespoke phishing lure and other contextual details of the attack, led the researchers to conclude "that the threat actor is actively targeting government organizations."

**How NewsPenguin Goes Phishing for Data**

NewsPenguin attracts its victims using spear-phishing emails with an attached Word document, purporting to be an "Exhibitor Manual" for the PIMEC conference.

Though the file name was quite a red flag — "Important Document.doc" — its contents appear to be ripped straight from the actual event's materials, featuring government seals and the same aesthetic as other media published by the organizers.

The document first opens in a protected view. The victim must then click "enable content" to read the document, which triggers a remote template injection attack.

Remote template injection attacks cleverly avoid easy detection by planting malware not in a document but in its associated template. It's "a special technique that allows the attacks to fly under the radar," Dmitry Bestuzhev, threat researcher at BlackBerry explains to Dark Reading, "especially for the \[email gateways\] and endpoint detection and response (EDR)-like products. That's because the malicious macros are not in the file itself but on a remote server — in other words, outside of the victim's infrastructure. That way, the traditional products built to protect the endpoint and internal systems won't be effective."

**NewsPenguin's Evasion Techniques**

The payload at the end of the attack flow is an executable with no differentiating name, referred to in the blog post as "updates.exe." This never-before-seen espionage tool is perhaps most notable for just how far it goes to resist detection and analysis.

For example, to avoid making any loud noises in a target network environment, the malware operates at a snail's pace, taking five minutes between each command.

"That delay is intended to not cause too much network activity," Bestuzhev explains. "It stays as silent as possible, with fewer footprints for detection systems to pick up on."

The NewsPenguin malware also performs a series of actions to check whether it's deploying in a virtual machine or sandbox. Cybersecurity professionals like to trap and analyze malware in these environments, which isolate any malicious impacts from the rest of a computer or network. Hackers, in turn, know to avoid these isolated environments if they don't want to be caught out.

The researchers counted a few different evasive methods in updates.exe, which "includes using GetTickCount" — a Windows function that reports how long it's been since the system was started up — "to identify sandboxes bypassing sleep functions, checking the hard drive size, and requiring more than 10GB of RAM," according to the report.

**The Morsels That NewsPenguin Wants**

The researchers couldn't connect NewsPenguin to any known threat actors. That said, the group has already been working for some time now.

The domains associated with the campaign were registered all the way back in June and October of last year, despite PIMEC only occurring this weekend.

"Short-sighted attackers usually don't plan operations so far in advance, and don't execute domain and IP reservations months before their utilization," the authors of the report observed. "This shows that NewsPenguin has done some advance planning and has likely been conducting activity for a while."

In that time, the authors added, NewsPenguin has been "continuously improving its tools to infiltrate victim systems."

Between the premeditated nature of the attack, and the profile of the victims, the bigger picture starts to become clear. "What happens at conference booths?" Bestuzhev asks. "Attendees approach the exhibitors, chat, and exchange contact information, which the booth's personnel register as leads using simple forms like spreadsheets. The NewsPenguin malware is built to steal that information, and we should note that the whole conference is about military and marine technologies."

NewsPenguin Goes Phishing for Maritime & Military Secrets

Avast researchers also discovered and reported two zero-day vulnerabilities, and observed the spread of information-stealing malware, remote access trojans, and botnets.

**TEMPE, Ariz.** **and** **PRAGUE****,** **Feb. 9, 2023** **/PRNewswire/ --** Avast, a leader in digital security and privacy, and a brand of Gen™ (NASDAQ: GEN), saw an increase in threats using social engineering to steal money, such as refund and invoice fraud and tech support scams, during Q4 of the calendar year 2022. Cybercriminals also remained active in spying and information stealing, with lottery-themed adware campaigns used as a tactic to obtain people's contact details. Avast threat researchers also discovered zero-day exploits in Google Chrome and Windows. These vulnerabilities have since been patched. These insights are covered in the Avast Q4/2022 Threat Report.

"At the end of 2022, we have seen an increase in human-centered threats, such as scams tricking people into thinking their computer is infected, or that they have been charged for goods they didn't order. It's human nature to react to urgency, fear and try to regain control of issues, and that's where cybercriminals succeed," said Jakub Kroustek, Avast Malware Research Director. "When people face surprising pop-up messages or emails, we recommend they stay calm and take a moment to think before they act. Threats are so ubiquitous today that it's hard for consumers to keep up. It is our mission to help protect people by detecting threats and alerting users before they can do any harm, using the latest AI-based technology."

**Growth in refund and invoice fraud, and tech support scams**

The Avast threat labs also saw an increase in tech support scam activity. Top affected countries include the United States, Brazil, Japan, Canada, and France. These scams often start with a pop-up window that alerts people of an alleged malware infection and urges them to call a helpline to resolve the issue. Scammers will convince the caller to set up a remote connection to their computer, opening the door to theft of personal information and money, as the criminals try to access people's bank accounts or crypto wallets, and ask for a payment for their services.

"We recommend people ignore such pop-up messages and close the window with the escape key, or if that's not possible, restart their computer," advises Kroustek. "Also, never give remote access to your computer to somebody you don't know."

The Avast threat labs also saw an uptick in refund and invoice fraud of 14% from October to November 2022, and another increase of 22% in December. Refund fraud works in a comparable way to tech support scams, and often comes in the form of an email that looks like it was sent from a trusted company. People will receive an email including a fake receipt making them believe they were charged for a purchase they didn't make. People are then tricked into calling a phone number, where an agent asks them to create a remote connection to their computer and open their banking account, so the person can see how the refund is done. The goal of the attacker is to steal the person's money. In the case of invoice fraud, people, and more often businesses, receive bills for goods or services the business never ordered or received.

"To avoid invoice fraud, people need to pay close attention to invoices they receive. Fraudulent invoices often look legitimate, and people need to verify whether an order really was made, the service received, and whether the sender is truly who they pretend to be," said Kroustek.

**Information stealing adware, remote access trojans and bots**

Web-based adware was also prevalent in the quarter, not only annoying people with intrusive ads, but also trying to steal their personal data. For example, people are asked to take part in a lottery, spinning a roulette wheel to win, and are then asked to enter their contact information and pay a "handling fee" using their credit card or Google Pay or Apple Pay account. Avast researchers also saw a flood of DealPly adware, which comes as a Google Chrome extension and sends statistical and search information to the attackers. The risk to get infected by DealPly increased around the world, most significantly in the Americas, in Europe, and South and Southeast Asia.

Avast researchers saw a significant increase of 437% in the global spread of the Arkei information stealer, which is known for stealing data from browsers' autofill forms, passwords and other sources. There was also a 57% increase in people and businesses protected against AgentTesla, a strain of malware that often spreads through phishing emails to businesses and designed to steal credentials, as well as a 37% increase in RedLine stealer, which often spreads in cracked games and services, stealing information from browsers and cryptowallets.

Avast telemetry also shows that the global spread of LimeRAT tripled in Q4. LimeRAT is a remote access trojan capable of stealing passwords, cryptocurrencies, driving Distributed Denial of Service (DDoS) attacks and installing ransomware on a victim's computer. It was mostly active in South and Southeast Asia and Latin America. The Emotet botnet, also a malware distributor with a wide variety of capabilities to steal information and spread malware, has evolved its technique of evading detection by antivirus software in the past few months through the use of timers to incrementally continue the payload's execution. The Qakbot information stealer botnet has also evolved further and started using "HTML smuggling" to hide an encoded malicious script within an email attachment. For example, the threat actors have started abusing SVG images to hide malicious payloads and the code used for its reassembly.

**Zero-day exploits in the wild**  
Two sophisticated zero-day exploits were also discovered by Avast researchers in the quarter. Avast protected its users as both were exploited in the wild. The first, CVE-2022-3723, was a type confusion in V8 and used to do a 'get Remote Code Execution' (RCE) against Google Chrome. Avast reported this vulnerability to Google who quickly rolled out a patch in just two days, on October 27, 2022. The second zero-day CVE-2023-21674, was an LPE vulnerability in ALPC that allowed attackers to get from the browser sandbox all the way into the Windows kernel. Microsoft patched this exploit in the January 2023 Patch Tuesday update. In addition, the Avast Q4/2022 Threat Report from the Avast Threat Labs shares insights into spyware, and the latest in mobile banking Trojans and Trojan SMS. Avast helps protect its users from all threats covered in the report. The Avast Q4/2022 Threat Report can be found on the Decoded blog: https://decoded.avast.io/threatresearch/avast-q4-2022-threat-report

**About Avast:** 

Avast is a leader in digital security and privacy, and a brand of Gen™ (NASDAQ: GEN), a global company dedicated to powering Digital Freedom through its family of trusted consumer brands. Avast protects hundreds of millions of users from online threats with a threat detection network that is among the most advanced in the world, using machine learning and artificial intelligence technologies to detect and stop threats in real time. Avast digital security products for Mobile, PC or Mac are top-ranked and certified by VB100, AV-Comparatives, AV-Test, SE Labs and others. Avast is a member of the Coalition Against Stalkerware, No More Ransom and Internet Watch Foundation. Visit: www.avast.com.

SOURCE Avast Software, Inc.

Source

DARKReading