Zendesk has alerted customers to a successful SMS phishing campaign that has exposed "service data," but details remain scarce.

It has come to light that the Zendesk software-as-a-service (SaaS) company for customer relationship management (CRM) was compromised in October, exposing client account data to a threat actor, according to an email sent to affected accounts on Jan. 13, 2023.

The email from Zendesk with the details of the security incident was made public by Coinigy, which provides virtual wallet services and "felt the need to disclose it to our customers," Coinigy's post about the compromise explained.

Zendesk explained in the email to Coinigy that the breach was the result of an SMS phishing campaign targeting Zendesk employees.

"Zendesk determined that Service Data belonging to your coiningy.zendesk.com account may have been in the (exposed) unstructured logging platform data," the email from Zendesk explained. "There is no evidence suggesting the threat actor accessed the Zendesk instance of your coiningy.zendesk.com account at any time."

Besides applauding Coinigy's decision to publicly share the compromise details, security researcher Jake Williams was not as encouraged by Zendesk's response.

"The disclosure is vague and references 'unstructured data from a logging platform' which could be just about anything," Williams tells Dark Reading. "The disclosure simply doesn't give enough information for any organization to evaluate what (if anything) they need to do in response."

There's been no word yet as to whether other customers of Zendesk beyond Coinigy are affected.

Zendesk did not respond to Dark Reading's request for comment.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Compromised Zendesk Employee Credentials Lead to Breach

Orca Security is one of the companies integrating conversational AI technology into its products.

While there are some concerns about how generative AI chatbots such as ChatGPT can be used maliciously — to craft phishing campaigns or write malware — several companies are harnessing the power of conversational AI technology to enhance their product capabilities, including for security.

ChatGPT, a large language model (LLM) developed by OpenAI, uses GPT 3 LLM and relies on large test data sets culled from multiple sources. ChatGPT, which can understand human language, provides detailed answers to simple questions and can handle complex tasks such as creating documents and writing code in response to user queries. It's an example of how conversational AI can be used to organize large volumes of information and enhance user experience and communications.

For instance, a conversational AI tool — whether that's ChatGPT or something else — could serve as the back end of an information concierge that automates the use of threat intelligence in enterprise support, according to IT research and advisory firm Into-Tech Research.

That's the approach Orca Security appears to be taking with Orca Security Platform. The company incorporated OpenAI's GPT3 API, specifically the "Da-Vinci-03" series, to enhance the platform's ability to generate contextual and accurate remediation plans for security alerts, Lior Drihem, Orca's director of innovation, and Itamar Golan, head of data science, wrote in the announcement. 

The new pipeline takes a security alert and preprocesses the data, such as basic information about the risk and its contextual environment — such as affected assets, attack vectors, and potential impact — before feeding the pieces as input to GPT3. The AI then generates a detailed explanation of the best and most practical ways to remediate the issue, Golan and Drihem wrote. These remediation steps can also be embedded in tickets, such as Jira tickets, for teams to reference and implement.

While the AI model can provide inaccurate information (or vague results), "the benefits of utilizing GPT3's natural language generation capabilities outweigh any potential risks, and have seen significant improvements in the efficiency and effectiveness of our remediation efforts," according to Drihem and Golan.

This isn't the first time Orca Security has been working with language models. The company recently integrated GPT3 into its cloud security platform to enhance the remediation information customers receive regarding infosec risks. 

"By fine-tuning these powerful language models with our own security data sets, we have been able to improve the detail and accuracy of our remediation steps — giving you a much better remediation plan and assisting you to optimally solve the issue as fast as possible," Golan and Drihem wrote.

**Harnessing AI & LLM for Applications**

Orca Security joins other companies incorporating language models into its product portfolio. Earlier this week, Gupshup launched Auto Bot Builder, which harnesses GPT-3 to help enterprises build their own advanced conversational chatbots. Auto Bot Builder builds chatbots tailed to the enterprise's specific requirements by using content from the enterprise website, documents, message logs, product catalogs, databases, and other corporate systems, processing the information using GPT-3 LLM (Large Language Model), and fine-tuning it with proprietary industry-specific models. Enterprises can use Auto Bot Builder to build chatbots for marketing lead generation activities, product discovery, product recommendations, shopping advice, troubleshooting, and customer support.

These chatbots differ from ChatGPT, a general-purpose chatbot, but like ChatGPT, they have an "exceptionally high degree of language capability" to engage with end users, according to Gupshup.

The cryptocurrency community is also using ChatGPT to create applications such as trading bots and crypto blogs, Jerrod Piker, a competitive intelligence analyst at Deep Instinct, wrote in an email. Examples include using ChatGPT to write a sample smart contract, and a trading bot that identifies entry and exit points to help automate the process of buying and selling cryptocurrencies.

A generative AI chatbot that can answer questions is not a new concept, but ChatGPT stands out from the others because of the breadth of topics it can handle and its ease of use, says Casey Ellis, founder and CTO of Bugcrowd.

GPT Emerges as Key AI Tech for Security Vendors

Serious security flaws go unpatched, and ransomware attacks increase against manufacturers.

More than three-quarters of manufacturing organizations harbor unpatched high-severity vulnerabilities in their systems, a study of the sector found.

New telemetry from SecurityScorecard shows a year-over-year increase in high-severity vulns in those organizations.

In 2022, some "76% of manufacturing organizations, SecurityScorecard observed unpatched CVEs on IP addresses our platform attributes to those organizations," says Aleksandr Yampolskiy, co-founder and CEO of SecurityScorecard.

Nearly 40% of these organizations — which include metals, machinery, appliance, electrical equipment, and transportation manufacturing — suffered malware infections in 2022.

Almost half (48%) of critical manufacturing organizations received a ranking between "C" and "F" on SecurityScorecard's security ratings platform.

The platform includes ten groups of risk factors, including DNS health, IP reputation, Web application security, network security, leaked information, hacker chatter, endpoint security, and patching cadence.

The severity of cyberattacks against manufacturers is noteworthy, Yampolskiy says.

"Many of these incidents have involved ransomware where the threat actor, usually in the form of a criminal group, sets out to make money through extortion," he says. "While the ransomware problem is global, we’ve seen a rising number of attacks on critical infrastructure come from nation-state actors in pursuit of various geopolitical objectives."

Meanwhile, incident response investigations by teams at Dragos and IBM X-Force overwhelmingly showed that the hottest operations technology (OT) target is the manufacturing sector, and the main weapon attacking these organizations is now ransomware.

**"Democratized" Cybersecurity**

Sophisticated state-sponsored actors such as Russia target several different critical infrastructure organizations across the US, from healthcare to energy to telecommunications, Yampolskiy says.

The good news? "Globally, governments are already taking steps to strengthen cybersecurity," he notes.

Take the US Cyber Incident Reporting for Critical Infrastructure Act of 2022, requiring critical infrastructure to report certain cyber incidents to DHS's Cybersecurity and Infrastructure Security Agency (CISA).

Other agencies, such as the Federal Energy Regulatory Commission, the Securities and Exchange Commission, and the Treasury Department, are also in various stages of rulemaking for entities under their regulatory jurisdiction.

Yampolskiy says policymakers should continue working with industry to have a greater and continuous understanding of the security postures of the organizations and industries that directly impact essential services for citizens, or the US economy in general.

"A more democratized, integrated, and collaborative approach to cybersecurity resilience that provides continuous visibility of the global threat landscape and convenes public and private sectors is essential to protect the world's critical infrastructure" he says, further noting that better information-sharing between government and industry is key.

Critical Manufacturing Sector in the Bull's-eye

Head off account takeover attacks by being proactive about IoT security. Start with designing and building better security protocols into IoT devices, always change weak default configurations, and regularly apply patches to ensure that IoT devices are secure.

Account takeover attacks are like the widely told campfire story about a babysitter that receives a series of threatening phone calls that are traced from "inside the house."

Fear of the unknown hits too close to home. Initial access brokers are closely related to account takeover attacks, and both are linked to ransomware. Now, it seems likely that initial access brokers (IABs) and account takeover attacks will set their sights on Internet of Things-enabled devices. Instead of the call coming from inside the house, the attack is coming from inside the phone (VoIP-enabled, of course).

**The Role of Initial Access Brokers in Ransomware Attacks**

The rise of remote work has contributed to the increase in ransomware attacks in recent years. With more employees working from home, organizations have had to rely on remote access technologies, such as remote desktop protocol (RDP) and virtual private networks (VPNs), which provide attackers with an easy way to gain initial access to a network.

Account takeover attacks are often used as a means of gaining initial access to a network to carry out a ransomware attack. In an account takeover attack, the attacker typically uses stolen or purchased login credentials to gain unauthorized access to a victim's online accounts.

IABs, also known as breach brokers, provide access to hacked or compromised computer systems to other individuals or organizations. The use of IABs has become increasingly common in recent years, as this allows cybercriminals to easily and quickly gain access to a range of targets without having to spend time and resources on hacking them themselves.

However, as organizations better secure RDP, VPN, and other IT credentials, attackers will have to turn their attention to new targets. IoT devices are a logical choice because of their widespread deployment — more than a quarter of devices in every organization are IoT devices, regardless of industry, and that number is expected to continue to increase. Unfortunately, many of these devices are vulnerable to attack, making them an attractive target.

**Three Reasons IoT Devices Are Vulnerable to Attack**

Although there are many reasons that IoT devices are vulnerable to attack, three main reasons are that they are often used with default configurations, patch management is difficult, and they were not designed with security in mind.

Default credentials are easy targets — Access:7 research identified entire product lines of IoT devices that shared hardcoded credentials for remote access.

Specialized IoT firmware may remain unpatched — Project Memoria identified more than 100 vulnerabilities in TCP/IP stacks that affected several devices, but many were not patched by the manufacturers.

Many IoT devices lack authentication and encryption — OT:ICEFALL research has demonstrated how insecure protocols in operational technology are easily exploited by attackers.

Of course, vulnerabilities tell only half of the story. For organizations to understand the nature of the threat, they also need to understand how IoT devices are currently under attack.

**IABs for IoT**

There are many examples of advanced persistent threats (APTs) that have used corporate IoT for initial access into organizations. For instance, the Russian state-sponsored actor Strontium has leveraged VoIP phones, office printers, and video decoders, while Chinese state-sponsored actors have exploited vulnerabilities on IP cameras to infiltrate US organizations.

Attack techniques tend to trickle down from APTs to less-sophisticated actors, and there are already cybercriminal gangs, such as the Conti, Deadbolt, and Lorenz ransomware groups, which have targeted IP cameras, NAS devices, and VoIP for initial access. In addition, there are groups that trade IoT exploits on Dark Web markets — the logical next step is an IAB market for IoT.

An IAB for IoT would likely act in a similar way to hacktivists that have been targeting IoT/OT. They would scan target organizations using tools such as Shodan and Kamerka, enumerate vulnerabilities or discover credentials, and use those for initial access.

One of the main differences between IABs that focus on RDP/VPN and those that target IoT devices is that the latter could also leverage vulnerabilities in IoT devices, which tend to remain unpatched for much longer. This means that they would be able to gain access to organizations in a more stealthy and persistent way, making them a more attractive target for cybercriminals.

**Mitigating the Risk of IABs for IoT**

Although IABs for IoT are different from those targeting RDP/VPN credentials, the good news is that organizations can still take a similar approach to cybersecurity. The discovery of new devices on the network, the continuous monitoring of network traffic, and the use of appropriate network segmentation are all best practices to mitigate the risk of an attack — regardless of if it leverages an IT or an IoT device.

To address the issues unique to IoT devices, manufacturers and organizations need to take a proactive approach to IoT security. This means changing default weak configurations and regularly applying patches to ensure that devices are secure. In addition, protocols used in specialized IoT devices should be designed with security in mind, including basic security controls such as authentication and encryption. By taking these steps, we can improve the security of IoT devices and reduce the risk of attacks.

The Evolution of Account Takeover Attacks: Initial Access Brokers for IoT

The credential-stuffing attack, likely fueled by password reuse, yielded personal identifiable information that can be used to verify the authenticity of previously stolen data.

Nearly 35,000 PayPal user accounts fell victim to a recent credential-stuffing attack that exposed personal data likely to be used to fuel additional, follow-on attacks.

PayPal submitted a breach disclosure that revealed that the attack began on Dec. 6, 2022 and continued until it was discovered on Dec. 20, 2002. As a result, the names, addresses, Social Security numbers, tax identification numbers, and/or dates of birth for 34,942 users were exposed.

"We have no information suggesting that any of your personal information was misused as a result of this incident, or that there are any unauthorized transactions on your account," PayPal explained in a letter sent to affected users. "There is also no evidence that your login credentials were obtained from any PayPal systems."

PayPal added that once the attack was discovered, account passwords were reset, and additional security controls were put in place. The payment platform is offering Equifax identity theft monitoring for victims.

**Stolen Credential Ecosystem**

The credential-stuffing attack on PayPal was likely a way for threat actors to validate username and passwords they had already obtained; now that they've been checked against breached PayPal accounts, those verified credentials will be sold to another threat actor, according to Jason Kent, hacker in residence with Cequence Security.

"The value in the list is that it is verified," Kent said in a statement provided to Dark Reading. "My guess is the usernames and passwords were sourced by some other breach that pointed to the possibility of the accounts having PayPal access."

**Password Reuse the True Culprit**

Even the strongest, most complex passwords can't keep data secure if they're reused across accounts. The PayPal accounts might have been protected in this case if they'd had unique passwords, noted Erich Kron, security awareness advocate at KnowBe4.

"This is what allows credential-stuffing attacks to be so successful," Kron said in a statement about the incident. "Bad actors will take credentials scavenged from other data breaches and attempt to use them on other likely services such as banks, online shopping sites, social media, and in this case, online payment sites."

While a password manager isn't a "silver bullet," Kron added, it's an important added layer of protection against credential-stuffing attacks like that on PayPal.

"Remembering all of these passwords can be nearly impossible; however, through the use of password managers which can generate and store completely unique passwords, this can be achieved without a significant amount of effort," Kron said. "In addition, the application of multi-factor authentication can be very helpful in these cases of account takeovers."

PayPal Breach Exposed PII of Nearly 35K Accounts

Multiple misconfigurations in a service that underpins many Azure features could have allowed an attacker to remotely compromise a cloud user's system.

An attack chain exploiting misconfigurations and weak security controls in a common Azure service is highlighting how lack of visibility impacts the security of cloud platforms.

The "EmojiDeploy" attack chain could allow a threat actor to run arbitrary code with the permission of the Web server, steal or delete sensitive data, and compromise a targeted application, Ermetic stated in its Jan. 19 advisory. An attacker could use a trio of security issues affecting the common Source Code Management (SCM) service — a cloud service used by many Azure applications without an explicit indication to the user, according to Ermetic.

The issues demonstrate that the security of cloud platforms are undermined by the lack of visibility into what those platforms do under the hood, says Igal Gofman, head of research for Ermetic.

"Azure and cloud service consumers — enterprises — must be familiar with each service and its internals, and not trust \[that the\] default settings provided by cloud providers are always secure," he says. "Even though cloud providers spend millions of dollars on securing their cloud infrastructure, misconfigurations and security bugs will happen."

The EmojiDeploy research joins other attack chains recently discovered by security researchers that could have resulted in data breaches on cloud platforms or otherwise compromised cloud services. In October 2022, for example, researchers found two vulnerabilities in Atlassian's Jira Align, an agile project management application, that could have allowed threat groups to attack the Atlassian service. In January 2022, Amazon fixed two security issues in its Amazon Web Services (AWS) platform that could have allowed a user to take control of another customer's cloud infrastructure.

An attacker only needs to take an average of three steps — often starting, in 78% of cases, with a vulnerability — to compromise sensitive data on cloud services, one analysis found.

"Cloud systems are highly complex," Ermetic stated. "Understanding the complexity of the system and environment you are working in is crucial to defending it."

**Source Code Manager Exploit**

The attack found by Ermetic made use of the insecurity of a specific cookie configuration for the Source Code Manager (SCM). The Azure service set two controls — cross-site scripting (XSS) prevention and cross-site request forgery (XSRF) prevention — to a default of "Lax," according to Ermetic's advisory.

After further investigating the implications of those settings, Ermetic researchers found that those who use any of three common Azure services — Azure App Service, Azure Functions, and Azure Logic Apps — could be attacked through the vulnerability. The attack was made possible because these three major services all use the Source Code Management (SCM) panel to allow development and Web teams to manage their Azure application. Because SCM relies on the open source Kudu repository management project, which is a .NET framework similar to Git, a cross-site scripting vulnerability in the open source project also affects Azure SCM.

Unfortunately, the security setting is not obvious, Ermetic stated, adding that many Azure Web Services customers would not even know of the existence of the SCM panel.

A single vulnerability is not enough, however. The researchers paired the lax cookie security with a specially crafted URL that bypasses the cloud service's check that every component of the website came from the same origin. Combining the two components allows a full cross-origin attack, Ermetic stated in its advisory. A third weakness allowed specific actions or payloads to be incorporated into the attack as well.

**Shared Responsibility Means Configuration Transparency**

The attack chain underscores that cloud providers need to make their security controls more transparent and default to more secure configurations, says Ermetic's Gofman. While shared responsibility has long been the mantra of cloud security, cloud infrastructure services have not always offered easy access or integration to security controls.

"Awareness of default service settings and configurations is important since the cloud uses a shared responsibility model for security between the provider and the customer," he says. "Applying the principle of least privilege and being aware of the shared responsibility model is very important."

Emetic notified Microsoft of the attack chain in October, and the vendor issued a global fix for Azure by early December, according to the advisory.

"The impact of the vulnerability on the organization as a whole depends on the permissions of the applications managed identity," Ermetic stated in its advisory. "Effectively applying the principle of least privilege can significantly limit the blast radius."

EmojiDeploy Attack Chain Targets Misconfigured Azure Service

Mainly Apple iOS in-app ads were targeted, injecting malicious JavaScript code to rack up phony views.

A sprawling new adware campaign that abused the Vast video ad server template to rack up fraudulent digital advertising views on an enormous scale has been shut down.

At its peak, the adware effort hit more than 12 billion requests per day.

Human Security's Satori threat intelligence team uncovered the adware campaign, touting it as the largest find in the cybersecurity research group's history. Following the discovery, Satori said it led a takedown of the ad fraud operation, which they dubbed as Vastflux.

The team added in its report that, in all, Vastflux spoofed more than 1,700 apps, targeted 1,200 publishers, and displayed ads on applications running on about 11 million devices.

"What was technically impressive and incredibly concerning about Vastflux \[were\] the fraudsters hijacked impressions on legitimate apps, which makes it nearly impossible for users to tell if they are impacted," Gavin Reid, Human's CISO, said.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Massive Adware Campaign Shuttered

The "BoldMove" backdoor demonstrates a high level of knowledge of FortiOS, according to Mandiant researchers, who said the attacker appears to be based out of China.

Researchers analyzing data associated with a recently disclosed zero-day vulnerability in Fortinet's FortiOS SSL-VPN technology have identified a sophisticated new backdoor specifically designed to run on Fortinet's FortiGate firewalls.

The malware appears to be the work of a China-based threat actor engaged in cyber-espionage operations targeting government organizations and those working with these organizations. It is the latest example of adversaries from the country targeting firewalls, IPS, IDS, and other Internet-facing technologies that enterprises use for securing their networks, Mandiant said in a report this week.

Researchers from the company came across the malware in a public repository in December and were able to tie it to the Fortinet zero-day bug (CVE-2022-42475) based on information that Fortinet released in its initial vulnerability disclosure. The vulnerability allows an unauthenticated attacker to execute arbitrary code on affected systems and is present in multiple versions of Fortinet's FortiOS and FortiProxy technologies. When Fortinet disclosed the vulnerability, the company said it was aware of at least one incident where an attacker had exploited the flaw in the wild.

**BoldMove Backdoor**

Mandiant said the malware it discovered in December — and is tracking as "BoldMove" — is associated with the exploitation of CVE-2022-42475. Available telemetry suggests that exploit activity associated with the malware was occurring as early as October 2022. Targets have included a government entity in Europe and a managed services provider in Africa.

The BoldMove backdoor, written in C, comes in two flavors: a Windows version and a Linux version that the threat actor appears to have customized for FortiOS, Mandiant said. When executed, the Linux version of the malware first attempts to connect to a hardcoded command-and-control (C2) server. If successful, BoldMove collects information about the system on which it has landed and relays it to the C2. The C2 server then relays instructions to the malware that ends with the threat actor gaining full remote control of the affected FortiOS device.

Ben Read, director of cyber-espionage analysis at Mandiant, says some of the core functions of the malware, such as its ability to download additional files or open a reverse shell, are fairly typical of this type of malware. But the customized Linux version of BoldMove also includes capabilities to manipulate specific features of FortOS.

"The implementation of these features shows an in-depth knowledge of the functioning of Fortinet devices," Read says. "Also notable is that some of the Linux variants features appear to have been rewritten to run on lower-powered devices."

The adversary appears to have compiled the Windows version of BoldMove sometime in 2021, or well before the Linux version. Mandiant so far has not detected any exploit activity in the wild associated with that version. "The Windows sample we have is 32-bit, so \[it\] should run on most modern versions of Windows but could be compiled to run on 64-bit machines," Read says. It would not run on a Fortinet device, however.

**Tech Chops**

The new cyber-espionage campaign and the BoldMove malware that the attackers are using in the campaign continue a pattern among China-based threat actors — and advanced persistent threats from other nations as well — to target firewalls, IPS, IDS, and other network security devices.

Developing exploits for these technologies can be challenging and require substantial resources and technical chops.

With BoldMove, "the attackers not only developed an exploit, but malware that shows an in-depth understanding of systems, services, logging, and undocumented proprietary formats," Mandiant said. But the payoff for attackers can be high because a successful exploit gives them wide access to a network, without requiring any user interaction, the security vendor added.

While Fortinet's products have been an especially popular target in this regard, threat actors have targeted products from other vendors as well, including Pulse Secure VPNs, Citrix ADCs, and SonicWall. The attacks have prompted multiple advisories from the FBI, the US Cybersecurity and Information Security Agency (CISA), and others.

**Schooled in FortiOS**

Meanwhile, Fortinet itself last week described the malware associated with CVE-2022-42475 as a variant of a "generic" Linux backdoor that the threat actor has customized for FortiOS. The company said its analysis showed the malicious file may have been masquerading as a component of Fortinet's IPS engine on compromised systems.

Among the malware's more advanced features was one for manipulating FortiOS logging to avoid detection, Fortinet said. The malware can look for event logs in FortiOS, to decompress them in memory and search for and delete a specific string that enables it to reconstruct the logs. The malware can also shut down logging processes entirely.

"The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets," Fortinet said.

According to Fortinet, developing the exploit would have required the threat actor to have a "deep understanding" of FortiOS and the underlying hardware. "The use of custom implants shows that the actor has advanced capabilities, including reverse-engineering various parts of FortiOS," the vendor said.

Attackers Crafted Custom Malware for Fortinet Zero-Day

**Woburn, MA – January 19, 2023 –** Today Kaspersky researchers reported on a new domain name system (DNS) changer functionality used in the infamous Roaming Mantis campaign. Cybercriminals have demonstrated they can use compromised public Wi-Fi routers to try to infect more Android smartphones with the campaign’s Wroba.o malware. Attackers used the new technique against users in South Korea, but it could be soon implemented in other countries as well. 

Roaming Mantis (a.k.a Shaoye) is a cybercriminal campaign first observed by Kaspersky in 2018. It uses malicious Android package (APK) files to control infected Android devices and steal device information. It also has a phishing option for iOS devices and cryptomining capabilities for PCs. The name of the campaign is based on its propagation via smartphones roaming between Wi-Fi networks, potentially carrying and spreading the infection.

**New DNS changer functionality to attack more users via public routers**

Kaspersky discovered that Roaming Mantis recently introduced a domain name system (DNS) changer functionality in Wroba.o (a.k.a Agent.eq, Moqhao, XLoader), the malware that was primarily used in the campaign. DNS changer is a malicious program that directs the device connected to a compromised Wi-Fi router to a server under the control of cybercriminals instead of a legitimate DNS server. On the malicious landing page, the potential victim is prompted to download malware that can control the device or steal credentials.

At the moment, the threat actor behind Roaming Mantis is exclusively targeting routers located in South Korea and manufactured by a very popular South Korean network equipment vendor. To identify them, the new DNS changer functionality gets the router’s IP address and checks the router’s model, compromising targeted ones by overwriting the DNS settings. In December 2022, Kaspersky observed 508 malicious APK downloads in the country (see the Table 1). 

An investigation of malicious landing pages found that attackers are also targeting other regions using smishing instead of DNS changers. This technique employs text messages to spread malicious links that direct the victim to a malicious site to download malware onto the device or steal user info via a phishing website. Japan topped the list of targeted countries with nearly 25,000 malicious APK downloads from the landings created by cybercriminals. Austria and France followed with roughly 7,000 downloads each. Germany, Turkey, Malaysia and India rounded out the list. Kaspersky researchers predict that the perpetrators may soon update the DNS changer function to target Wi-Fi routers in those regions as well. 

**Country**  

**Number of downloaded malicious APK** 

Japan

24,645

Austria

7,354

France

7,246

Germany

5,827

South Korea

508

Turkey

381

Malaysia

154

India

28

_Table 1. The number of malicious APK downloads per country based on investigation of malicious landing pages created within Roaming Mantis campaign, the first half of December 2022_

According to Kaspersky Security Network (KSN) statistics in September – December 2022, the highest detection rate of Wroba.o malware (Trojan-Dropper.AndroidOS.Wroba.o) was in France (54.4%), Japan (12.1%) and the U.S. (10.1%). 

“When an infected smartphone connects to ‘healthy’ routers in various public places like cafes, bars, libraries, hotels, shopping malls, airports, or even homes, Wroba.o malware can compromise these routers and affect other connected devices as well,” said Suguru Ishimaru, senior security researcher at Kaspersky. “The new DNS changer functionality can manage all device communications using the compromised Wi-Fi router, such as redirecting to malicious hosts and disabling updates of security products. We believe that this discovery is highly critical for the cybersecurity of Android devices because it is capable of being widely spread in the targeted regions.” 

To read the full report on newly implemented DNS changer functionality, please visit Securelist.com.

In order to protect your internet connection from this infection, Kaspersky researchers recommend the following:

*   Refer to your router’s user manual to verify that your DNS settings haven’t been tampered with or contact your ISP for support.

*   Change the default login and password for the admin web interface of the router and regularly update your router’s firmware from the official source.

*   Never install router firmware from third party sources. Avoid using third-party repositories for your Android devices.

*   Further, always check browser and website addresses to ensure they are legitimate; look for signs such as https when asked to enter data.

*   Consider installing a mobile security solution, such as Kaspersky, to protect your devices from these and other threats.

**About Kaspersky**

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 240,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.

Roaming Mantis Uses DNS Changers to Target Users via Compromised Public Routers

Traditional compliance and IAM are insufficient to secure the modern enterprise. We must shift left with modern access controls to avoid costly data breaches.

**What Does It Mean to "Shift Left"?**

"Shift left" is a powerful concept that prioritizes catching and resolving issues earlier in a process, thereby minimizing defects and increasing quality output. In security, the methodology is being used to find vulnerabilities that are traditionally addressed in detection and remediation cycles, and preemptively address those problems upstream. While popularized in the AppSec domain, an equally powerful application of shifting left is evolving in identity management. Identity is the new security perimeter in the cloud-native world. We need to explore a new access control paradigm to reduce risk, one defined by the use of policy and automation.

**Today's World: Checkbox Compliance and IAM for the Sake of Productivity**

There's no shortage of identity-based attacks making headlines, from privilege escalation to unauthorized access, among others. Compliance, while a good signal of general security practices, isn't always an indication of real risk reduction. Quarterly or yearly access reviews "discover" overprovisioned and non-off-boarded users with sensitive access, leaving security gaps in place for months at a time. While quarterly timing might be enough to "check the box," real risk reduction would require running timely and more frequent reviews for most applications (whether they are connected to your identity provider or not). The growing number of SaaS and IaaS offerings, the impact of group sprawl, and the level of manual effort required for this makes more frequent reviews cost-prohibitive for most businesses.

We are rooted in a world that traded security for productivity. We grant as much birthright access as possible so we can avoid managing access changes downstream, but still periodically check in on this access as required by compliance. When access changes are needed, they are thrown over the wall via help-desk tickets that sit in queues for days or weeks. From a security standpoint, a lot of energy is spent on compliance and managing access, yet we're barely scratching the surface on risk reduction.

**Change Your Thinking: Access Controls That Actually Reduce Risk**

Better security outcomes in compliance and IAM necessitate that we automate like engineers and take new approaches. Alerting, quarterly reviews, and ticketing are heavy-handed detection and remediation tactics that identify and address overprivilege after it has already happened. In order to shift left, we need to modernize how access is controlled. Architecting modern access controls will require an identity-centric view into any and all technology, democratized access decision-making, the ability to define least privilege policy as code, and above all, automation wherever we can get it. A first principles-based approach to securing access is required: Users should have access for as long as they need it to do their job, and no longer. Implementing this is hard, but here are a few starters:

1\. **Democratization of access management, but central enforcement of control policy.** System owners have the best information and context for why users need access, and IT doesn't enjoy being the ticketing middleman. Access decisions made by system owners should be balanced with a centrally defined policy for managing access based on classifications. Policy should be defined in code, if possible, and managed through change management processes.

2\. **Justification for access and time-limited access.** Users only need access while they're doing a job, performing a function, contributing on a team, working on-call, and so forth. Justification is the context for why a user needs specific access at that moment. Without that justification, the access is not required and is automatically removed.

3\. **Automating user access reviews (UARs).** UARs are extremely effective at reducing standing privileges and identifying inappropriate accounts and access. The problem is that manual UARs are too time and labor intensive to run frequently, which means delays in identifying and revoking expired accounts and privileges. With automated user access reviews, we find 10% to 25% of access is regularly marked as overprovisioned, inappropriate, or unused, and is subsequently removed.

4\. **Self-service and just-in-time access provisioning.** Employees should be able to request access right when they need it from comprehensive app and resource catalogs. Accounts and permissions should be provisionable without manual touches, whether it's connected to the SSO provider or not. Policy should drive the process, so low-privilege access can be granted automatically without a human in the loop, and higher-privilege access can be routed to the correct approvers quickly and efficiently.

**Moving Forward, Shift Left With Least-Privilege Thinking, Tools, and Automation**

We need to recognize that access is messy and embrace that reality with the principle of least privilege and the automation to enforce it. We should not focus on rigidity and centralization, but rather on policy and delegation. Users change roles and teams. Sometimes you need temporary access and permissions. Employees come and go. What's important is that your environment, governed by policy and run by automation, always and predictably reverts to the minimum level of sensitive access necessary for your team. Only then can you reduce the attack surface area of identity and move from detecting breaches to avoiding them in the first place.

**About the Author**

    

Alex Bovee is co-founder and CEO of ConductorOne, a technology company focused on modern identity governance and access control. With a background in security and identity, he most recently led Okta's zero-trust product portfolio and prior to that, enterprise device security products at Lookout Mobile Security. He co-founded ConductorOne to help companies become more secure and productive through identity centric automation and access control. In his spare time, he enjoys playing guitar and shuttling his kids around to activities.

Source

DARKReading