Improve overall IT administration and establish a framework to identify misconfigurations and automate the process of checking IaC before it makes it into the production environment.

Infrastructure as code (IaC) has gained rapid popularity for its ability to automate the management and provisioning of IT infrastructure by replacing manual processes with machine-readable configuration (definitions) files that contain specifications that are simple to edit, maintain, and distribute.

This approach is especially appealing and efficient when standing up and modifying infrastructure-as-a-service (IaaS) instances in cloud application environments.

But, like any technology, these gains aren't without some pain. One of the most formidable tasks is dealing with IaC management and security. While it's now incredibly fast and convenient to propagate changes across multiple production environments, errors and vulnerabilities can also spread like wildfire. This includes misconfigurations and incorrect default settings, all of which can potentially expose sensitive data, intellectual property (IP), and trade secrets.

As a result, it's wise to establish a framework — including the right strategy and technology tools — that can identify misconfigurations, fix incorrect values, and automate the sometimes-daunting process of checking IaC.

**Cracking the Code on IaC**

One of the things that makes infrastructure-as-code so appealing is the ability to automate infrastructure deployment processes as part of the development life cycle. This practice is usually referred to as creating a CI/CD pipeline — continuous development and continuous deployment. Manually provisioning, configuring, and managing systems is a time-consuming and error-prone task. IaC is an essential component for automating these processes. With the click of a button, it's possible to set up, delete, or make widespread changes to an existing environment across multiple cloud platforms using APIs

It's also possible to gain visibility into all these changes. So, if it is necessary to roll back a system to a particular date or configuration, the task is reasonably easy to manage. Because IaC typically has built-in support for things like declarative and imperative language, filters, and rules and settings, it's possible to create a standard deployable configuration file that tells a cloud provider exactly what resource to provision.

Eliminating manual processes doesn't prevent problems. IaC environments remain vulnerable to configuration errors. In many cases, IaC definition files mitigate the risk of introducing security misconfigurations due to human errors such as applying the wrong user access policy or important security settings. However, when human-made mistakes happen, they will affect all resources that are using the same definition files and may impact thousands of resources.

In fact, it's remarkably easy to miss configuration issues in IaC, especially when a large and complex cloud infrastructure is provisioned. And once the problem exists in the production environment it's usually a lot more difficult and time-consuming to fix. As a result, organizations should implement a shift-left approach to IaC security that's designed to fix issues directly when code is written or modified.

**Finding the Fix**

Addressing the problem involves scanning new IaC files for errors and fixing them before they are released to production, as well as discovering misconfigurations already deployed in cloud environments and modifying the IaC files. This requires following a clearly defined three-step process:

*   **Identify the misconfigurations.** This "hygiene" starts with state and resource aware scanning of configuration files to identify errors or policy violations that need to be fixed. These processes should scan the cloud runtime environment and take into account the plan and state outcomes. Once problems have been identified, it's critical to fix code for all files that touch the cloud environment. In some cases, thousands of configuration files might exist.
*   **Create a staging environment for testing.** One of the big advantages of IaC is that you can quickly create many instances of your entire infrastructure, it's simple to create a staging environment and a production environment. Once the review process is complete in the staging environment, transferring it to a live setting is a process that takes place at the push of a button.
*   **Inspect an IaC environment before provisioning to production so that it aligns with security policies.** The inspection process should include a review that ensures that a policy is correctly translated into a control, and the control is correctly embedded in the configuration file. For example, an organization might check to see that any sensitive data isn't stored in clear text or secrets are not exposed. It's critical to conduct a thorough review so that a new setting or configuration doesn't introduce a new issue.
*   **Add the correct values.** The next step is to fix the actual problem. This may be something as straightforward as encrypting a database that was previously unencrypted or something as complicated as changing a specific setting in all the virtual machines or storage devices in a particular region or country. Once this analysis is complete, it's possible to update configuration files or create new ones.
*   **Deploy the new or updated code.** After you have made the necessary changes, it's time to push out the new or updated configuration files. While IaC makes this task much easier, it's important to ensure that the update is going to the right place and that it will be deployed as intended, as part of a managed CI/CD process.

While IaC provides huge advances for deploying and managing today's highly complex cloud and IT environments, it does not address security issues and configuration errors that will inevitably occur. However, with the right processes, procedures, and tools it's possible to automate the detection and remediation of security risk in even the largest IaC deployments.

Understanding Infrastructure-as-Code Risks in the Cloud

**DUBLIN****,** **Jan. 4, 2023** **/PRNewswire/ --** The "Global Mobile Biometrics Market Size, Share & Industry Trends Analysis Report By Industry, By Technology, By Authentication Mode (Single Factor and Multi Factor), By Component (Hardware, Software and Service), By Regional Outlook and Forecast, 2022 - 2028" report has been added to  ResearchAndMarkets.com's offering.

The Global Mobile Biometrics Market size is expected to reach $91.9 billion by 2028, rising at a market growth of 21.8% CAGR during the forecast period.  
Mobile biometric authentication uses biometrics to recognize and confirm a person's identity when they attempt to access any mobile application. Authentication can be carried out using these mobile biometric devices in a number of different ways, including face recognition, fingerprint readers, voice recognition, and others. Mobile biometrics solutions straddle the line between identity and connectivity.  
They make use of smartphones, tablets, other forms of handheld devices, wearable technologies, and Internet of Things devices for their flexible deployment capabilities. Controlling access to information, locations, and systems have become more and more necessary over time. Many businesses currently use cards, PINs, or passwords to verify users' identities before granting access. However, there are significant problems with this conventional method.  
In recent years, biometric technology has gained popularity on mobile devices. The technology improved in terms of user-friendliness and consumer affordability. This biometric solution is a method used to authenticate a person who is in possession of a mobile device and uses it as a distinctive biometric identifier. Single-factor authentication (SFA) and multi-factor authentication (MFA) are the two different authentication mechanisms used by mobile biometric systems.  
These systems operate using a variety of techniques, including Deep Neural Networks and Keystroke Dynamics. Together, these procedures form a mobile biometrics system that provides coordinated security for mobile devices. The demand for this effective security solution typically increases significantly. In order to determine similarity, biometric authentication compares data for a person's features to that person's biometric "template".  
**COVID-19 Impact Analysis**  
The pandemic had a positive impact on the mobile biometrics market. This was due to a significant shift toward the rise of digital stores and e-commerce platforms, which has led to an increase in the use of online payments. The potential for an increase in cyberattacks in the form of fraud and identity theft also guided the market. Secure authentication services for different banking and financial applications, like client KYC and money transfer, are required in such a situation, and the usage of top-notch security tools is crucial.  
**Market Growth Factors**

**Increase In Platforms Using Biometric Authentication**  
The demand for biometric solutions has increased over the past few years as digital media and internet content delivery have grown. Traditional methods of authentication, like signatures and text-based credentials, have been shown to be more difficult for users to use because they are so vulnerable to contemporary cyberattacks. Furthermore, customers really need to develop faster methods of authentication due to the growing quantity of digital services.  
**Assurance Of Higher Security With Biometrics Usage**  
One of the key factors propelling the growth of mobile biometrics is the increasing demand for intelligence security devices in mobile devices to secure the data saved in the devices, such as bank account information, photos, recordings, contacts, and other personalized data. By confirming a physical, real-world characteristic that is (typically) specific to that person, such as fingerprints, facial features, voice articulation, and others, biometric solutions can give providers a higher level of assurance that the person is real.  
**Market Restraining Factors**

**Wrong And Inaccurate Results Through Biometrics**  
False positives and inaccuracy are two of the most significant challenges. Biometric authentication procedures rely on insufficient data to confirm a user's identity. For instance, during the enrollment step, a mobile biometric device will scan a whole fingerprint and turn it into data. Future fingerprint biometric authentication, however, will only require a portion of the print to confirm identity, making the process speedier overall.

**Scope of the Study**

**Market Segments Covered in the Report:**

**By Industry**

*   Public Sector
*   BFSI
*   Healthcare
*   IT & Telecommunication
*   Others

**By Technology**

*   Fingerprint Recognition
*   Face Recognition
*   Voice Recognition
*   Others

**By Authentication Mode**

*   Single Factor
*   Multi Factor

**By Component**

*   Hardware
*   Software
*   Service

**By Geography**

*   North America
*   US
*   Canada
*   Mexico
*   Rest of North America
*   Europe
*   Germany
*   UK
*   France
*   Russia
*   Spain
*   Italy
*   Rest of Europe
*   Asia Pacific
*   China
*   Japan
*   India
*   South Korea
*   Singapore
*   Malaysia
*   Rest of Asia Pacific
*   LAMEA
*   Brazil
*   Argentina
*   UAE
*   Saudi Arabia
*   South Africa
*   Nigeria
*   Rest of LAMEA

**Key Market Players**

**List of Companies Profiled in the Report:**

*   3M Company
*   Apple Inc.
*   NEC Corporation
*   BIO-key International, Inc.
*   Fujitsu Limited
*   HID Global Corporation
*   Precise Biometrics AB
*   M2SYS Technology, Inc.
*   Aware, Inc.

For more information about this report visit https://www.researchandmarkets.com/r/vwb2z6

Insights On the Mobile Biometrics Global Market To 2028 - Increase In Platforms Using Biometric Authentication Drives Growth

Adopting post-quantum cryptography is something that has been discussed for years; it's time for organizations to get to work.

2022 has been a big year for quantum computing. Over the summer, National Institute of Standards and Technology (NIST) unveiled four quantum computing algorithms that will be eventually turned into a final quantum computing standard, and governments around the world boosted investments in quantum computing. 2023 may be the year when quantum finally steps into the limelight with organizations preparing to begin the process of implementing quantum computing technologies into existing systems. It will also be the year to start paying attention to quantum computing-based attacks.

"In 2023, we'll see both the private and public sector's increased awareness around the challenges associated with quantum resilience, and we'll see efforts begin to take hold more significantly to prepare for quantum computing," says Jon France, CISO of (ISC)2.

McKinsey recently noted the amount of money different countries have allocated for quantum computing to date — China leads the pack with $15.3 billion in public funds in quantum computing investments. The European Union governments combined have invested $7.2 billion, which dwarfs the US with $1.9 billion.

That doesn't mean the US has been standing still. A key effort — the list of four NIST-approved algorithms (CRYSTALS-Kyber, CRYSTALS-Dilithium, FALCON and SPHINCS+) — will help organizations future-proof current data security measures against harvest-now/decrypt-later (HNDL) attacks. These attacks refer to adversaries hanging on to encrypted items until a time when quantum computing technology that can decrypt them become available. And last month, US president Joe Biden signed the Quantum Computing Cybersecurity Preparedness Act (HR 7535) into law to give the Office of Management and Budget authority to begin implementing NIST-approved quantum algorithms throughout the executive branch.

The new law highlights the importance of implementing quantum computing technologies into existing systems now, but it doesn't address the necessity of monitoring for threats, says Yudong Cao, co-founder and CTO of Zapata Computing. "We should be actively monitoring the threat by sponsoring cybersecurity research activities into various methods, exact or heuristic, for compromising the current encryption schemes," Cao says.

There is also a lot of investment activity in the private sector, with start-ups focused on quantum technologies collecting $1.4 billion in funding in 2021 alone, McKinsey said. Nearly half (49%) of those private investments are in companies in the United States, compared to just 6% in China, the analysts noted.

"Building cyber resilience in preparation for quantum technology should have been an effort started a decade ago ... but now is the second best time," France says. However, for both private and public sector organizations, the process of making infrastructure "quantum-resilient" will be a difficult and slow one.

"Much of the encryption infrastructure in communication networks that keeps information safe now is deeply embedded, i.e., certificates, and will take years to transition to quantum resilient algorithms, posing a timeline issue for changeover before the general availability of quantum computing," France says.

In a recent survey from Deloitte, enterprises said without external pressure — such as regulatory and compliance requirements — they won't be prioritizing quantum security initiatives.

2023 Will See Renewed Focus on Quantum Computing

The popular PyTorch Python project for data scientists and machine learning developers has become the latest open source project to be targeted with a dependency confusion attack.

An unknown attacker slipped a malicious binary into the PyTorch machine learning project by registering a malicious project with the Python Package Index (PyPI), infecting users' machines if they downloaded a nightly build between Dec. 25 and Dec. 30.

The PyTorch Foundation stated in an advisory on Dec. 31 that the effort was a dependency confusion attack, in which an unknown entity created a package in the Python Package Index with the same name, _torchtriton_, as a code library on which the PyTorch project depends. The malicious library included the functions normally used by PyTorch but with a malicious modification: It would upload data from the victim's system to a server at a now-defunct domain.

The malicious function would grab a variety of system-specific information, the username, environment variables, a list of hosts to which the victim's machine connects, the list of password hashes, and the first 1,000 files in the user's home directory.

"Since the PyPI index takes precedence, this malicious package was being installed instead of the version from our official repository," the advisory stated. "This design enables somebody to register a package by the same name as one that exists in a third party index, and \[the package manager\] will install their version by default."

The attack is the latest software supply chain attack to target open source repositories. In mid-December, for example, researchers discovered a malicious package disguised as a client from cybersecurity firm SentinelOne that had been uploaded to PyPI. In another dependency confusion attack in November, attackers created more than two dozen clones of popular software with names designed to fool unwary developers. Similar attacks have targeted the .NET-focused Nuget repository and the Node.js Package Manager (npm) ecosystem.

**Same Name, Different Packages**

In the latest attack on PyTorch, the attacker used the name of a software package that PyTorch developers would load from the project's private repository, and because the malicious package existed in the PyPI repository, it gained precedence. The PyTorch Foundation removed the dependency in its nightly builds and replaced the PyPI project with a benign package, the advisory stated.

The group also removed any nightly builds that depend on the _torchtriton_ dependency from the project's download page and says it plans to take ownership of the _torchtriton_ project on PyPI.

Fortunately, because the _torchtritan_ dependency was only imported into the nightly builds of the program, the impact of the attack did not propagate to typical users, Paul Ducklin, a principal research scientist at cybersecurity firm Sophos, said in a blog post.

"We're guessing that the majority of PyTorch users won't have been affected by this, either because they don't use nightly builds, or weren't working over the vacation period, or both," he wrote. "But if you are a PyTorch enthusiast who does tinker with nightly builds, and if you've been working over the holidays, then even if you can't find any clear evidence that you were compromised, you might nevertheless want to consider generating new SSH key pairs as a precaution, and updating the public keys that you've uploaded to the various servers that you access via SSH."

The PyTorch Foundation confirmed that users of the stable version of the PyTorch library would not be affected by the issue.

**Mistaken Intentions?**

In a widely circulated _mea culpa_, the attacker claimed that they are a legitimate researcher and that the issue resulted from their investigation into dependency confusion issues.

"I want to assure that it was not my intention to steal someone's secrets," the person wrote, claiming to have notified Facebook on Dec. 29 of the issue and made reports to companies using the HackerOne crowdsourcing platform. "Had my intents been malicious, I would never have filled \[sic\] any bug bounty reports, and would have just sold the data to the highest bidder."

Because of the statement, some experts considered the PyTorch advisory to be a "false alarm," but there have been other attackers that have donned the mantle of a misunderstood researcher.

Moreover, the impact of the attack could have exposed victims' sensitive information, even if the person behind the malware had good intentions, Sophos' Ducklin wrote in a blog post about the software supply chain attack.

"How is this a 'false alarm'? " he also said in a tweet. "This malware deliberately steals your data… and transmits it scrambled, not encrypted ... so anyone on your network path who recorded it can trivially decode it."

Cyberattackers Torch Python Machine Learning Project

**JERUSALEM, ISRAEL (PRWEB)** **JANUARY 03, 2023 --** C2A Security, a leading provider of automated cybersecurity solutions for connected, autonomous, and electric vehicles will showcase its flagship product, EVSec, during the Consumer Electronics Show (CES 2023) taking place in Las Vegas, January 5-8, 2023. EVSec’s innovative automated cybersecurity DevOps platform helps C2A Security customers and partners including Thundersoft, NTT Data, Marelli, MIH, and more, manage software at scale.

As electric and software-defined vehicles become more popular on the roads, governments are instituting regulations, and OEMs, tier-1, and tier-2 suppliers are seeking ways to keep up with this new, ever-evolving industry landscape. C2A Security’s EVSec - Cybersecurity DevOps platform - was built to automate the compliance process for current and emerging cybersecurity standards and regulations. EVSec enables developers to focus on innovation and enhancements, such as new products and features, so automotive companies can stay competitive and provide more business value to the end customer while getting built-in, efficient, and streamlined cybersecurity at scale.

With automotive regulations in Europe and the US promoting the future sales of EVs to rise, cyber threats are inevitable, making C2A’s EVSec solution critical to maintaining the safety of not only the drivers but critical infrastructures as well. Growing its sales funnel by 15 times this past year, and creating strategic partnerships with European, US, and Asian-based OEMs and Tier-One suppliers, C2A Security’s award-winning solution has proven a necessity for the future of the global EV ecosystem.

Partners include:

Thundersoft\- C2A provides the necessary tools for OEMs and suppliers in China to enable the development of intelligent connected and electric vehicles and to effectively identify and respond to cyberattacks and provide full lifecycle security protection for the automotive industry.

"We have deeply felt the growth of the intelligent connected vehicle business and cybersecurity is an indispensable part of the intelligent connected vehicle," says Wenguang Wu, Executive President of ThunderSoft. "The cooperation with C2A Security provides cybersecurity solutions for the whole lifecycle of connected vehicles in China. We look forward to expanding the cooperation globally and bringing the vehicle industry to a safer future."

NTT Data Corporation \- A Japanese multinational player in the field of IT services: C2A Security’s EVSec platform will be sold globally by NTT DATA and is the first platform selected to be incorporated in the new Global Automotive Security Test Center of NTT Data. 

“We want to apply our expertise in cybersecurity to the connected car sector, thanks to our global Automotive Security Test Center and to our collaboration with C2A Security, NTT DATA will be an international reference point to protect connected cars from cyber-attacks and ensure the drivers' safety,” said Marco Garelli, Head of Automotive at NTT DATA Italy.

Marelli - C2A Security’s joint project with Marelli, a leading global Tier-1using EVSEC Attacker, intelligent system level, and security validation tool to shift left the system validation process using the information from the target to support more targeted, faster, and result-oriented testing which leads to smart and efficient validation. 

“Fuzz testing, with C2A’s solution, enables early discovery of vulnerabilities hence reducing the time needed to deliver SW and products,” said Cosimo Senni Guidotti Magnani Senior Manager Connected Vehicle Cyber Security of Marelli

MIH Consortium - C2A Security is the ambassador of the Foxconn-initiated MIH Consortium winning the MIH startup challenges and showing a strong alignment with the MIH open and agnostic EV platform built by MIH, C2A is an official MIH member and contributes to bringing cybersecurity as a full component of MIH projects. 

“C2A Security shares the same vision as MIH, in offering a seamless and holistic approach to automotive cybersecurity over the entire lifecycle,” said Jack Cheng, CEO of MIH Consortium

At CES, C2A’s executive team is scheduling appointments and demonstrations of EVSec at the Westgate Hotel to showcase the solution and the value it provides to its customers.

About C2A Security 

C2A provides automated cybersecurity solutions to enable the connected, autonomous, and electric mobility revolution. C2A Security's flagship product EVSec is a Cybersecurity DevOps platform, helping automotive companies remain competitive and provide more business value in the software-defined vehicle era, supporting the security lifecycle from development to operations and back and automating the process of complying with cybersecurity standards and regulations. Using EVSec, C2A’s customers get efficient and streamlined cybersecurity, managing software at scale while overcoming the shortage of professional cyber experts, reducing costs and time to deployment.

C2A Security To Showcase Automotive Cybersecurity DevOps Platform at CES In Las Vegas, January 5-8

Researchers who discovered the backdoor Linux malware say it may have been around for more than three years — and it targets 30+ plug-in bugs.

A newly identified Trojan backdoor program exploits some 30 vulnerabilities in WordPress plug-ins and themes in order to breach websites based on the WordPress content management system. It only needs to abuse one of those flaws to execute an attack.

Researchers from Doctor Web who discovered two iterations of the malware — dubbed Linux.BackDoor.WordPressExploit.1 and Linux.BackDoor.WordPressExploit.2 — said sites running outdated or unpatched versions of these WordPress tools are at risk of harboring malicious JavaScripts that redirect site visitors to nefarious websites, and should update those programs ASAP.

And here's a scary twist: "An analysis of an uncovered trojan application, performed by Doctor Web's specialists, revealed that it could be the malicious tool that cybercriminals have been using for more than three years to carry out such attacks and monetize the resale of traffic, or arbitrage," the researchers wrote about the malware, which targets 32-bit versions of Linux and also can run on 64-bit versions of the platform.

Among the plug-ins and themes the Trojan's version 1 variant abuses are WP Live Chat Support Plugin; Yellow Pencil Visual Theme Customizer Plugin; Easysmtp; WP GDPR Compliance Plugin; Google Code Inserter; Blog Designer WordPress Plugin; and WP Live Chat. Version 2 exploits other WordPress plugins, including Brizy WordPress Plugin; FV Flowplayer Video Player; WordPress Coming Soon Page; Poll, Survey, Form & Quiz Maker by OpinionStage; and Social Metrics Tracker.

WordPress plug-ins and themes are a popular avenue for cybercriminals looking to take over websites; they can be used for everything from phishing to ad fraud to malware distribution. Vulnerabilities are not uncommon. For instance, in December an SSRF vulnerability in the Google Web Stories plug-in was found that would allow a cyberattacker to collect metadata from WordPress sites hosted on an AWS server, and potentially log in to a cloud instance to run commands.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

WordPress Sites Under Attack from Newly Found Linux Trojan

The Russian-speaking cybercrime gang said an affiliate violated its rules against attacks that could lead to bodily harm for medical patients.

After being hit by the LockBit ransomware-as-a-service (RaaS) apparatus, the Hospital for Sick Children (SickKids) received an unexpected holiday gift: A free decryptor and an apology from the cybercriminal group.

The children's hospital, located in Toronto, announced on Dec. 19 that it had just suffered a cyberattack that precipitated what it termed "Code Grey" — i.e., an internal systems failure. That forced clinicians to "transition to downtime procedures," it said, adding that it nonetheless believed the attack had only "impacted a few internal clinical and corporate systems, as well as some hospital phone lines and webpages."

By Dec. 29, the story was a bit more dire: SickKids admitted that parents and patients were experiencing diagnostic and/or treatment delays — a reality that families should expect to continue, according to an update from the hospital. However, it had managed to restore about half of its affected footprint, it said.

Researcher Dominic Alvieri then tweeted that he had a posting from the LockBit gang's leak site apologizing for the hit, and blaming the attack on a rogue affiliate who was outside of the group's control. LockBit, like many other ransomware bigwigs, rents out its malware to affiliates who carry out the actual attacks in exchange for a 20% cut of the takings.

"We formally apologize for the attack…and give back the decryptor for free, the partner who attacked this hospital violated our rules, is blocked and is no longer in our affiliate program," according to the posting.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Holiday Spirit? LockBit Gives Children's Hospital Free Decryptor

The Evil Corp-linked malware family has undergone an evolution, becoming more obfuscated and "several times more complex," as the group behind it tests how far the worm can be spread.

Hacking groups are using a new version of the Raspberry Robin framework to attack Spanish and Portuguese-language based financial institutions — and it's complexity quotient has been significantly upgraded, researchers said this week.

According to a Jan. 2 report from cybersecurity firm Security Joes, the group has used the same QNAP server for several rounds of attacks — but victim data is no longer in plaintext but rather RC4-encrypted, and the downloader mechanism has been updated with new anti-analysis capabilities, including more obfuscation layers.

Raspberry Robin is a backdooring worm that infects PCs via Trojanized USB devices before spreading to other devices on a target's network, acting as a loader for other malware. Since being spotted nesting in corporate networks in May, it has gone on to rapidly infect thousands and thousands of endpoints — and the species is rapidly evolving.

The threat actor behind the worm is thought to be part of larger ecosystem facilitating preransomware activity and is considered one of the largest malware distribution platforms currently active. Researchers recently linked it to Evil Corp, for instance, thanks to its significant similarities to the Dridex malware loader.

"What is unique about the malware is that it is heavily obfuscated and highly complex to statically disassemble," the research team wrote.

**Upgraded Malware Version Takes Flight

In the latest iteration, the malware protection mechanism has been upgraded to deploy at least five layers of protection before the malicious code is deployed, including a first-stage packer to obscure the code of the next stages of the attack followed by a shellcode loader.

The next three layers include a second-stage loader DLL, intermediate shellcode, and finally the shellcode downloader. This complex framework makes the worm more difficult to detect and simultaneously eases lateral movement through networks, the researchers explained.

The research also indicated Raspberry Robin operators have began to collect more data about their victims than earlier reported.

"Not only did we discover a version of the malware that is several times more complex, but we also found that the C2 beaconing, which used to have a URL with a plain-text username and hostname, now has a robust RC4 encrypted payload," wrote senior threat researcher Felipe Duarte, who led the investigation.

In one case, the research team documented how a 7-Zip file was downloaded from the victim's browser, potentially from a malicious link or attachment that tricked the user into acting.

"Upon inspection, the archive was found to be an MSI installer that, when executed, drops several files onto the victim's machine," the report noted.

In a second case, the malicious payload was hosted on a Discord server, which was used by the threat actors to deliver malware onto the victim's machine, to avoid detection and bypass security controls.

"In the cases we investigated, threat actors decided to implement additional validations on their backend to have a better segmentation and visibility of their targets," the report noted. "This allows them to filter bots running in sandboxes, analyze environments and respond to any other circumstance that could interfere a segment of the botnet operation, to fix it in real-time."

****Raspberry Robin Makes the Rounds**

The threat is flighty, following a pattern of appearing, disappearing, then reappearing with significantly upgraded capabilities.

Security firm Red Canary first analyzed and named Raspberry Robin in May, noting that it was infecting targets via malicious USB drives and worming to other endpoints — but then remaining dormant.

Subsequent reports then found Raspberry Robin worm to have added 10 layers of obfuscation and fake payloads, in order to launch attacks against telecommunications companies and governments across Australia, Europe, and Latin America, according to a December research report from Trend Micro.

Soon after, it came to the attention of other researchers, including IBM Security and the Microsoft Security Threat Intelligence Center (MSTIC); the latter is monitoring the operators of the Raspberry Robin worm under the moniker DEV-0856.

Raspberry Robin Worm Hatches a Highly Complex Upgrade

The cybercriminals switch up carriers and SIM cards regularly, making it difficult for either mobile users or telecom companies to block the barrage of malicious calls and voicemails.

Chinese threat actors have been targeting Chinese-speaking students in the United Kingdom with a unique phone scam that aims to steal their personal information with repeated phone calls and voicemails that are hard for victims or carriers to block.

A group dubbed RedZei — or RedThief — calls victims once or twice a month from a unique UK-based phone number, leaving an "unusual" automated voicemail message if the receiver does not answer, revealed cybersecurity researcher Will Thomas in a blog post published just before the new year.

"I got the recorded voicemails and identified that they are almost certainly scam calls from Chinese-speaking fraudsters targeting Chinese international students at universities in the UK," he wrote in his post.

Thomas, who goes by BushidoToken on Twitter, said he's been tracking the campaign for more than a year, and has created a profile for the threat actors based on the calls and voicemails. RedZei chooses its targets carefully, seeming to know that these foreign students would be "a rich victim group that is ripe for exploitation," he wrote in the post.

What's more, once a victim is a target of the scam — which employs social engineering tactics to get students to give up personal information — it's difficult to block future attempts to compromise victims, Thomas said. That's because for each wave of scam calls, RedZei mainly uses a new pay-as-you-go UK-based phone number from one of the main mobile network operators, he explained.

"This essentially renders blocking the scammers phone numbers ineffective," Thomas wrote.

**The Scam Itself****

Phone call-based scams (aka "vishing" campaigns) are not unique in the cybercriminal world. Threat actors have been known to employ entire call centers to make malicious robocalls in attempts to defraud victims, impersonating banks and other trusted entities. In another version, scammers use emails or some other method of Internet-based contact to convince victims to make a phone call to, say, a bogus "tech support" number, where their personal information is harvested for malicious intent.

The RedZei campaign shares some similar tactics but also puts its own twist on the phone scam. It has used known enterprises, such as the Bank of China or China Mobile (CMLink), in socially engineered campaigns to try to fool the students to give up their personal details. But they use other scams as well, according to Thomas.

"Other themes exploited by RedZei includes the 'abnormal usage of your NHS number' and international parcels being delivered from DHL, which are both common concerns for Chinese students studying in the UK," he said.

Thomas doesn't speak Chinese and did not manage to have all the voicemails associated with the most recent campaign translated. He's posted the voicemails that he could not get verified by Chinese speakers to his SoundCloud account and included a GitHub link for people to use if they can translate the calls.

****Difficult to Mitigate****

Thomas included a list of numbers associated with the RedZei campaign in his post. The numbers are primarily +44 numbers — the country code for the United Kingdom — with one number from an Irish (+353) carrier and one from a Norwegian (+47) carrier.

O2 is the UK telecom carrier most often associated with the numbers the threat actors use to attempt to compromise victims, while EE and Three are also favored by RedZei. The Ireland-based number used a Tesco Mobile SIM card, while the Norwegian carrier used by the threat group was Telia, according to Thomas.

Just as victims are at a loss to do anything to stop the scam, carriers also are challenged to try to halt the activity because of the frequency with which RedZei changes carriers and thus SIM cards, Thomas noted.

There is also a language barrier, he said. "As the activity is also in Chinese, the carriers are less likely to investigate this campaign \[because of the\] additional effort required," Thomas wrote.

All in all, this does not bode well for victims of the scam, which won't see relief from the calls anytime soon, he said.

"The RedZei group, and others like it, are therefore effectively operating with impunity and will continue to do so for the foreseeable future," Thomas wrote.

**

Chinese 'RedZei' Group Batters Victims With Incessant Vishing Effort

Come up with a clever caption, and our panel of experts will reward the winner with a $25 Amazon gift card.

Upside down. Right-side up. Everything is just a matter of perspective. Maybe that's how cyberattackers justify their dirty work. What do you think? Come up with a fitting caption for the cartoon, above. Our favorite will win a $25 Amazon gift card.  

The contest closes on Wednesday, Jan. 25, 2023. Here are four convenient ways to submit your ideas:

*   Email _\[email protected\]_ with the subject line "The Edge January 2023 Toon."
*   Via social media: Twitter, Facebook, and LinkedIn.

**Last Month's Winner**

Congratulations go to Daniel E., whose caption for December's contest, "Not Your Average Bear," tickled Dark Reading editors' funny bones. Your prize is on the way!

    

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading