Money-lending apps built using the Flutter software development kit hide a predatory spyware threat and highlight a growing trend of using personal data for blackmail.

An Android malware campaign dubbed MoneyMonger has been found hidden in money-lending apps developed using Flutter. It's emblematic of a rising tide of blackmailing cybercriminals targeting consumers — and their employers stand to feel the effects, too.

According to research from the Zimperium zLabs team, the malware uses multiple layers of social engineering to take advantage of its victims and allows malicious actors to steal private information from personal devices, then use that information to blackmail individuals.

The MoneyMonger malware, distributed through third-party app stores and sideloaded onto victims' Android devices, was built from the ground up to be malicious, targeting those in need of quick cash, according to Zimperium researchers. It uses multiple layers of social engineering to take advantage of its victims, beginning with a predatory loan scheme and promising quick money to those who follow a few simple instructions.

In the process of setting up the app, the victim is told that permissions are needed on the mobile endpoint to ensure they are in good standing to receive a loan. These permissions are then used to collect and exfiltrate data, including from the contact list, GPS location data, a list of installed apps, sound recordings, call logs, SMS lists, and storage and file lists. It also gains camera access.

This stolen information is used to blackmail and threaten victims into paying excessively high-interest rates. If the victim fails to pay on time, and in some cases even after the loan is repaid, the malicious actors threaten to reveal information, call people from the contact list, and even send photos from the device.

One of the new and interesting things about this malware is how it uses the Flutter software development kit to hide malicious code.

While the open source user interface (UI) software kit Flutter has been a game changer for application developers, malicious actors have also taken advantage of its capabilities and framework, deploying apps with critical security and privacy risks to unsuspecting victims.

In this case, MoneyMonger takes advantage of Flutter’s framework to obfuscate malicious features and complicate the detection of malicious activity by static analysis, Zimperium researchers explained in a Dec. 15 blog post.

**Risk to Enterprises Stems from Wide Range of Data Collected**

Richard Melick, director of mobile threat intelligence at Zimperium, tells Dark Reading that consumers using money lending apps are most at risk, but by the nature of this threat and how attackers steal sensitive information for blackmail, they are also putting their employers or any organization they work with at risk, too.

"It’s very easy for the attackers behind MoneyMonger to steal information from corporate email, downloaded files, personal emails, phone numbers, or other enterprise apps on the phone, using it to extort their victims," he says.

Melick says MoneyMonger is a risk to individuals and enterprises because it collects a wide range of data from the victim’s device, including potentially sensitive enterprise-related material and proprietary information.

"Any device connected to enterprise data poses a risk to the enterprise if an employee falls victim to the MoneyMonger predatory loan scam on that device," he says. "Victims of this predatory loan might be compelled to steal to pay the blackmail or not report the theft of critical enterprise data by the malicious actors behind the campaign."

Melick says that personal mobile devices represent a significant, unaddressed attack surface for enterprises. He points out that malware against mobile only continues to get more advanced, and without the threat telemetry and critical defense in place to stand up against this growing subset of malicious activity, enterprises and their employees are left at risk.

"No matter if they are corporate-owned or part of a BYOD strategy, the need for security is critical to stay ahead of MoneyMonger and other advanced threats," he says. "Education is only part of the key here and technology can fill in the gaps, minimizing the risk and attack surface presented by MoneyMonger and other threats."

It's also important to remember to avoid downloading apps from unofficial app stores; official stores, like Google Play, do have protections for users, a Google spokesperson emphasized to Dark Reading.

"None of the identified malicious apps in the report are on Google Play," he said. "Google Play Protect checks Android devices with Google Play Services for potentially harmful apps from other sources. Google Play Protect will warn users that attempt to install or launch apps that have been identified to be malicious."

**Resurgence of Banking Trojans**

The MoneyMonger malware follows the resurgence of the Android banking Trojan SOVA, which now sports updated capabilities and an additional version in development that contains a ransomware module.

Other banking Trojans have resurfaced with updated features to help skate past security, including Emotet, which re-emerged earlier this summer in a more advanced form after having been taken down by a joint international task force in January 2021.

Nokia's 2021 "Threat Intelligence Report" warned that banking malware threats are sharply increasing, as cybercriminals target the rising popularity of mobile banking on smartphones, with plots aimed at stealing personal banking credentials and credit card information.

**Blackmailing Threats Expected to Continue in 2023**

Melick points out blackmail is not new to malicious actors, as has been seen in ransomware attacks and data breaches on a global scale.

"The use of blackmail on such a personal level, targeting individual victims, though, is a bit of a novel approach that takes an investment of personnel and time," he says. "But it is paying off and based on the number of reviews and complaints around MoneyMonger and other predatory loan scams similar to this, it is only going to continue."

He predicts market and financial conditions will leave some people desperate for ways to pay bills or get extra cash.

"Just as we saw predatory loan scams rise up in the last recession," he says, "it is almost guaranteed we will see this model of theft and blackmail continue into 2023."

Blackmailing MoneyMonger Malware Hides in Flutter Mobile Apps

It's time for on-the-record answers to questions about data destruction in cloud environments. Without access, how do you verify data has been destroyed? Do processes meet DoD standards, or do we need to adjust standards to meet reality?

These days, most big companies and many midsize ones have some form of a data-governance program, typically including policies for data retention and destruction. They have become an imperative because of increasing attacks on customer data and also state and national laws mandating protection of customer data. The old mind set of "Keep everything, forever" has changed to "If you don't have it, you can't breach it."

In some ways, managing data-retention policies has never been easier to implement in the cloud. Cloud vendors often have easy templates and click-box settings to retain your data for a specific period and then either move it to quasi-offline cold digital storage or straight to the bit bucket (deletion). Just click, configure, and move on to the next information security priority.

**Just Click Delete?**

However, I'm going to ask an awkward question, one that has been burning in my mind for a while. What really happens to that data once you click "delete" on a cloud service? In the on-premises, hardware world, we all know the answer; it would simply be deregistered on the disk it resides on. The "deleted" data still sits on the hard drive, gone from the operating system view and waiting to be overwritten when the space is needed. To truly erase it, extra steps or special software are needed to overwrite the bits with random zeros and ones. In some cases, this needs to be done multiple times to truly wipe out the phantom electronic traces of the deleted data.

And if you do business with the US government or other regulated entities, you may be required to comply with Department of Defense standard 5220.22-M, which contains specifics on data destruction requirements for contractors. These practices are common, even if not required by regulations. You don't want data you don't need any more coming back to haunt you in the event of a breach. The breach of the Twitch game-streaming service, in which hackers were able to gain access to basically all of its data going back almost to the inception of the company — including income and other personal details about its well-paid streaming clients — is a cautionary tale here, along with reports of other breaches of abandoned or orphaned data files in the last few years.

**Lack of Access to Verify**

So, while the policies are easier to set and manage in most cloud services versus on-premises servers, assuring it is properly done to the DoD standard is much harder or impossible on cloud services. How do you do a low-level disk overwrite of data on cloud infrastructure where you don't have physical access to the underlying hardware? The answer is that you can't, at least not the way we used to do it — with software utilities or outright destruction of the physical disk drive. Neither AWS, Azure, or Google Cloud Services offer any options or services that do this, not even on their dedicated instances, which run on separate hardware. You simply don't have the level of access needed to do it.

Outreach to the major services either was ignored or answered with generic statements about how they protect your data. What happens to data that is "released" in a cloud service such as AWS or Azure? Is it simply sitting on a disk, nonindexed and waiting to be overwritten, or is it put through some kind of "bit blender" to render it unusable before being returned to available storage on the service? No one, at this point, seems to know or be willing to say on the record.

**Adjust to New Reality**

We must develop a cloud-compatible way of doing destruction that meets the DoD standards, or we must stop pretending and adjust our standards to this new reality.

Maybe cloud providers can come up with a service to provide this capability, since only they have direct access to the underlying hardware. They have never been shy about inventing new services to charge for, and certainly plenty of companies would be eager to pay for such a service, if the appropriate certificates of destruction were provided. It would probably be cheaper than fees charged by some of the companies providing certified physical-destruction services.

Amazon, Azure, Google, and any major cloud service (even software-as-a-service providers) need to address these issues with real answers, not obfuscation and marketing-speak. Until then, we will just be pretending and hoping, praying some brilliant hacker doesn't figure out how to access this orphaned data, if they haven't already. Either way, the hard questions on cloud data destruction need to be asked and answered, sooner rather than later.

Data Destruction Policies in the Age of Cloud Computing

Attackers also could breach internal production data to compromise a corporate network using vulnerabilities found in the BrickLink online platform.

API flaws in a widely used Lego online marketplace could have allowed attackers to take over user accounts, leak sensitive data stored on the platform, and even gain access to internal production data to compromise corporate services, researchers have found.

Researchers from Salt Labs discovered the vulnerabilities in BrickLink, a digital resale platform owned by the Lego Group for buying and selling second-hand Legos, demonstrating that — technology-wise, anyway — not all of the company's toy pieces snap perfectly into place.

Salt Security's research arm discovered both vulnerabilities by investigating areas of the site that support user input fields, Shiran Yodev, Salts Labs security researcher, revealed in a report published on Dec. 15.

The researchers found each of the core flaws that could be exploited for attack in parts of the site that allow for user input, which they said is often a place where API security issues — a complex and costly problem for organizations — arise.

One flaw was a cross-site scripting (XSS) vulnerability that enabled them to inject and execute code on a victim end user’s machine through a crafted link, they said. The other allowed for the execution of an XML External Entity (XXE) injection attack, where an XML input containing a reference to an external entity is processed by a weakly configured XML parser.

**API Weaknesses Abound**

The researchers were careful to stress that they didn't intend to single out Lego as a particularly negligent technology provider — on the contrary, API flaws in Internet-facing applications are incredibly common, they said.

There is a key reason for that, Yodev tells Dark Reading**:** No matter the competency of an IT design and development team, API security is a new discipline that all Web developers and designers are still figuring out.

"We readily find these kinds of serious API vulnerabilities in all sorts of online services we investigate," he says. "Even companies with the most robust application security tooling and advanced security teams frequently have gaps in their API business logic."

And while both flaws could have been discovered easily through pre-production security testing, "API security is still an afterthought for many organizations," notes Scott Gerlach, co-founder and CSO at StackHawk, an API security testing provider.

"It usually doesn't come into play until after an API has already been deployed, or in other cases, organizations are using legacy tooling not built to test APIs thoroughly, leaving vulnerabilities like cross-site scripting and injection attacks undiscovered," he says.

**Personal Interest, Rapid Response**

The research to investigate Lego's BrickLink was not meant to shame and blame Lego or "make anyone look bad," but rather to demonstrate "how common these mistakes are and to educate companies on steps they can take to protect their key data and services," Yodev says.

The Lego Group is the world’s largest toy company and a massively recognizable brand that can indeed draw people's attention to the issue, the researchers said. The company earns billions of dollars in revenue per year, not only because of children's interest in using Legos but also as a result of an entire adult hobbyist community — of which Yodev admits he is one — that also collects and builds Lego sets.

Because of the popularity of Legos, BrickLink has more than 1 million members that use its site.

The researchers discovered the flaws on Oct. 18, and, to its credit, Lego responded quickly when Salt Security revealed the issues to the company on Oct. 23, confirming the disclosure within two days. Tests conducted by Salt Labs confirmed shortly after, on Nov. 10, that the issues had been resolved, the researchers said.

"However, due to Lego's internal policy, they cannot share any information regarding reported vulnerabilities, and we are therefore unable to positively confirm," Yodev acknowledges. Moreover, this policy also prevents Salt Labs from confirming or denying if attackers exploited either of the flaws in the wild, he says.

**Snapping Together the Vulnerabilities**

Researchers found the XSS flaw in the “Find Username” dialog box of BrickLinks' coupon search functionality, leading to an attack chain using a session ID exposed on a different page, they said.

"In the 'Find Username' dialog box, a user can write a free text that eventually ends up rendered into the webpage’s HTML," Yodev wrote. "Users can abuse this open field to input text that can lead to an XSS condition."

Though the researchers couldn't use the flaw on its own to mount an attack, they found an exposed session ID on a different page that they could combine with the XSS flaw to hijack a user's session and achieve account takeover (ATO), they explained.

"Bad actors could have used these tactics for full account takeover or to steal sensitive user data," Yodev wrote.

Researchers uncovered the second flaw in another part of the platform that receives direct user input, called "Upload to Wanted List," which allows BrickLink users to upload a list of wanted Lego parts and/or sets in XML format, they said.

The vulnerability was present due to how the site's XML parser uses XML External Entities, a part of the XML standard that defines a concept called an entity, or a storage unit of some type, Yodev explained in the post. In the case of the BrickLinks page, the implementation was vulnerable to a condition in which the XML processor may disclose confidential information that's typically not accessible by the application, he wrote.

Researchers exploited the flaw to mount an XXE injection attack that allows a system-file read with the permissions of the running user. This type of attack also can allow for an additional attack vector using server-side request forgery, which might enable an attacker to gain credentials for an application running on Amazon Web Services and thus breach an internal network, the researchers said.

**Avoiding Similar API Flaws**

Researchers shared some advice to help enterprises avoid creating similar API issues that can be exploited on Internet-facing applications in their own environments.

In the case of API vulnerabilities, attackers can inflict the most damage if they combine attacks on various issues or conduct them in quick succession, Yodev wrote, something the researchers demonstrated is the case with the Lego flaws.

To avoid the scenario created with the XSS flaw, organizations should follow the rule of thumb "to never trust user input," Yodev wrote. "Input should be properly sanitized and escaped," he added, referring organizations to the XSS Prevention Cheat Sheet by the Open Web Application Security Project (OWASP) for more information on this topic.

Organizations also should be careful in their implementation of session ID on Web-facing sites because it's "a common target for hackers," who can leverage it for session hijacking and account takeover, Yodev wrote.

"It is important to be very careful when handling it and not expose or misuse it for other purposes," he explained.

Finally, the easiest way to stop XXE injection attacks like the one researchers demonstrated is to completely disable External Entities in your XML parser’s configuration, the researchers said. The OWASP has another useful resource called the XXE Prevention Cheat Sheet that can guide organizations in this task, they added.

API Flaws in Lego Marketplace Put User Accounts, Data at Risk

The feds' mobile service provider guidance details cybersecurity threat vectors associated with 5G network slicing.

A working group pulled together by the US National Security Agency (NSA) has issued a report outlining the cybersecurity threats related to mobile broadband 5G network slicing.

Network slicing allows operators to bring together several network attributes or components, potentially across multiple operators, that support specific applications or services for 5G users, the report explains. While efficient for delivering services, 5G network slicing casts a wide threat net that includes potential weak points in policy and standards, the supply chain, and more.

"Although network slicing is not solely unique to 5G, it is a critical component because 5G specifications call for network slicing as a fundamental component and therefore require network operators to adopt security practices that can mitigate threats like those described in this paper," the report said.

Potential threats include denial of service (DoS), man-in-the-middle (MitM) attacks, and configuration attacks, it added.

The NSA, along with the Cybersecurity and Infrastructure Security Agency (CISA), assembled members of the public and private sectors to address 5G slicing security concerns. The resulting 5G network slicing cybersecurity report looks toward how the architecture will play a role in enabling emerging technologies, including autonomous vehicles, and how to secure it.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

NSA Slices Up 5G Mobile Security Risks

The Royal Ransomware Group has emerged as a threat to companies in 2022 and they have carried out dozens of successful attacks on global companies. Cybereason suggests that companies raise their awareness of this potential pending threat.

The Royal Ransomware Group has emerged as a threat to companies in 2022 and they have carried out dozens of successful attacks on global companies. Cybereason suggests that companies raise their awareness of this potential pending threat.

**BOSTON****,** **Dec. 14, 2022** **/PRNewswire-PRWeb/** -- Cybereason, the XDR company, today issued a new global threat alert warning public and private sector organizations about the emergence of the Royal Ransomware Group and the unique tactics, techniques and procedures they are deploying in attacks to evade detection. Companies should be on high alert for ransomware attacks during the holiday season and on weekends, as a recent Cybereason study shows attackers preying on vulnerable organizations.

The Royal Ransomware Group first emerged earlier this year, and so far has victimized dozens of companies around the world. The group appears to be operating under the supervision of other well known ransomware gangs, including Conti Group. The threat level from Royal attacks is HIGH and organizations should have precautionary steps to avoid falling victim.

Key Report Findings

*   Unique approach to evade anti-ransomware defenses: Royal ransomware expands the concept of partial encryption, which means it has the ability to encrypt a predetermined portion of the file content and base its partial encryption on a flexible percentage encryption, which makes detection more challenging for anti-ransomware solutions.
*   Multi-threaded ransomware: Royal ransomware employs multiple threads in order to accelerate the encryption process.
*   Global ransomware operation: Royal ransomware operates around the world, and reportedly on its own. The group doesn't appear to use ransomware-as-a-service or to target a specific sector or country.
*   High Severity: Cybereason assesses the threat level from Royal Ransomware to be HIGH given the rapid increase in attacks coming from this group over the past 60-90 days.

Ransomware attacks can be stopped. Cybereason offers the following recommendations to organizations to reduce their risk:

*   Practice good security hygiene: For example, implement a security awareness program for employees and ensure operating systems and other software are regularly updated and patched.
*   Confirm key players can be reached at any time of day: Critical response actions can be delayed when attacks occur over holidays and weekends.
*   Conduct periodic table-top exercises and drills: Include key stakeholders from other functions beyondsecurity, such as Legal, Human Resources, IT, and top executives, so everyone knows their roles and responsibilities to ensure as smooth a response as possible.
*   Implement clear isolation practices: This will stop any further ingress on the network and prevent ransomware from spreading to other devices. Security teams should be proficient at things like disconnecting a host, locking down a compromised account, and blocking a malicious domain.
*   Consider locking down critical accounts when possible: The path attackers often take in propagating ransomware across a network is to escalate privileges to the admin domain-level and then deploy the ransomware. Teams should create highly secured, emergency-only accounts in the active directory that are only used when other operational accounts are temporarily disabled as a precaution or inaccessible during a ransomware attack.
*   Deploy EDR on all endpoints: Endpoint detection and response (EDR) remains the quickest way for public and private sector businesses to address the ransomware scourge.

About Cybereason 

Cybereason is the XDR company, partnering with Defenders to end attacks at the endpoint, in the cloud and across the entire enterprise ecosystem. Only the AI-driven Cybereason Defense Platform provides planetary-scale data ingestion, operation-centric MalOp™ detection, and predictive response that is undefeated against modern ransomware and advanced attack techniques. Cybereason is a privately held international company headquartered in Boston with customers in more than 40 countries.

Learn more: https://www.cybereason.com/

Follow us: Blog | Twitter | Facebook

SOURCE Cybereason

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

More Insights

Webinars

*   Network Segmentation and Microsegmentation: Keys to the Next Generation of Enterprise Defense
*   Zero Trust Security 101: What You Need to Know Before Getting Started

Reports

*   How Machine Learning, AI & Deep Learning Improve Cybersecurity
*   Implementing Zero Trust In Your Enterprise: How to Get Started

Editors' Choice

Tyler Farrar, CISO, Exabeam

Jai Vijayan, Contributing Writer, Dark Reading

Elizabeth Montalbano, Contributor, Dark Reading

Jai Vijayan, Contributing Writer, Dark Reading

Webinars

*   Network Segmentation and Microsegmentation: Keys to the Next Generation of Enterprise Defense
*   Zero Trust Security 101: What You Need to Know Before Getting Started
*   A Roadmap to Zero Trust: Steps for Meaningful Progress Amongst the Hype

Reports

*   How Machine Learning, AI & Deep Learning Improve Cybersecurity
*   Implementing Zero Trust In Your Enterprise: How to Get Started
*   Enterprise Cybersecurity Plans in a Post-Pandemic World
*   Forrester Total Economic Impact Study: Team Cymru Pure Signal Recon
*   SANS 2021 Cloud Security Survey

White Papers

*   How Machine Learning, AI & Deep Learning Improve Cybersecurity
*   State of Email Security
*   Ransomware Resilience and Response: The Next-Generation
*   State of Ransomware Readiness: Facing the Reality Gap
*   How Hybrid Work Fuels Ransomware Attacks

Events

*   Black Hat USA - August 5-10 - Learn More
*   Black Hat Asia - May 9-12 - Learn More
*   \[FREE Virtual Event\] The Identity Crisis

More Insights

Webinars

*   Network Segmentation and Microsegmentation: Keys to the Next Generation of Enterprise Defense
*   Zero Trust Security 101: What You Need to Know Before Getting Started

Reports

*   How Machine Learning, AI & Deep Learning Improve Cybersecurity
*   Implementing Zero Trust In Your Enterprise: How to Get Started

Cybereason Warns Global Organizations Against Destructive Ransomware Attacks From Black Basta Gang

**SANTA ROSA, Calif.--**(BUSINESS WIRE)--Keysight Technologies, Inc. (NYSE: KEYS), a leading technology company that delivers advanced design and validation solutions to help accelerate innovation to connect and secure the world, announced the new APS-M8400 Modular Network Cybersecurity Test Platform, which provides data center network equipment manufacturers (NEM) and operators with the industry’s highest density 8-port 400GE Quad Small Form Factor Pluggable Double Density (QSFP-DD) network security test platform.

Data center operators and service providers are facing exponential growth in encrypted traffic volumes and security threats driven by increases in video streaming, cloud computing, artificial intelligence (AI), machine learning (ML), and internet of things (IoT) devices. In addition, with the introduction of 400GE, critical infrastructure is placed under even greater demand as these growing volumes of encrypted traffic are being delivered at unprecedented speed. To meet these requirements, data center NEMs and operators need tools that can validate that their products and services support hyperscale loads without compromising security and usability.

Keysight’s APS-M8400 addresses this challenge by delivering a modular, 400GE network security test platform that aggregates compute and field programmable gate array (FPGA) resources to deliver hyperscale application and cybersecurity test and validation.

The APS-M8400 test platform offers the following benefits:

*   **Industry leading 400GE port density:** The APS-M8400 offers the ability to test 8 x 400GE QSFP-DD, supporting industry moves from 100GE to 400GE without the need for additional switches or infrastructure.
*   **Ease of management:** The APS-M8400 provides a centralized, “single pane of glass” management of up to 16 compute nodes reducing the management learning curve and simplifying system upgrades and maintenance.
*   **Flexible testing options:** The APS-M800 offers flexible aggregation of compute and FPGA resources to optimize the performance and scalability requirements for any simulated workload, using one or multiple 400GE test interfaces.
*   **Hyperscale performance:** The APS-M8400 can drive hyperscale application and cybersecurity test performance, including encrypted traffic loads, to effectively emulate the rigorous demands put upon data center and service provider infrastructure. This platform can generate up to 3+ Tbps of Layer 4-7 traffic, 5+ billion concurrent connections, 2.4 Tbps of transport layer security (TLS) traffic, and 2.4 million TLS connections per second.
*   **Scalable solution:** The APS-M8400 is designed as a “pay-as-you-grow" solution, allowing users to build out a system that supports today’s test needs and spending constraints, with the flexibility to add capacity as requirements change and budgets allow.

**John Maddison, Executive Vice President of Products and Chief Marketing Officer at Fortinet, said:** “The world’s fastest NGFWs need an equally nimble testing platform to validate their capabilities. Fortinet is the only vendor delivering 400GE interface speeds on a hyperscale firewall via the FortiGate 7121F, 4800F, and 3700F. Keysight’s groundbreaking 8x400GE APS-M8400 cybersecurity test platform delivers the port density, multi-terabit application and TLS throughput rates, and session scalability that help Fortinet test and validate the performance and real-time threat protection our customers expect.”

**Ram Periakaruppan, Vice President and General Manager, Keysight's Network Test and Security Solutions, said:** “Data center NEMs and operators face conflicting demands to produce solutions that support ever increasing data volumes and traffic speeds driven by new standards like 400GE, while protecting systems against a growing, dynamic cybersecurity threat landscape - all without breaking the bank. Keysight’s APS-8400 meets these teams where they are, delivering hyperscale application and cybersecurity test loads via an industry leading 8 x 400GE of test port density in a flexible solution that allows users to add test capacity as demands and budgets change."

**Resources**

*   APS-M8400 Network Cybersecurity Test Platform

**About Keysight Technologies**

Keysight delivers advanced design and validation solutions that help accelerate innovation to connect and secure the world. Keysight’s dedication to speed and precision extends to software-driven insights and analytics that bring tomorrow’s technology products to market faster across the development lifecycle, in design simulation, prototype validation, automated software testing, manufacturing analysis, and network performance optimization and visibility in enterprise, service provider and cloud environments. Our customers span the worldwide communications and industrial ecosystems, aerospace and defense, automotive, energy, semiconductor and general electronics markets. Keysight generated revenues of $5.4B in fiscal year 2022. For more information about Keysight Technologies (NYSE: KEYS), visit us at www.keysight.com.

Additional information about Keysight Technologies is available in the newsroom at https://www.keysight.com/go/news and on Facebook, LinkedIn, Twitter and YouTube.

Keysight Announces 400GE Network Cybersecurity Test Platform

**BOILING SPRINGS, S.C.****,** **Dec. 14, 2022** **/PRNewswire/ --** Epic Management LLC ("Epic"), a healthcare management company, has learned of a data security incident that may have impacted data belonging to certain patients.

On September 2, 2021, Epic discovered unusual activity in its digital environment. Upon discovering this activity, Epic immediately took steps to secure the environment. Epic also engaged independent cybersecurity experts to conduct an investigation. As a result of this investigation, Epic learned that an unauthorized actor accessed certain files and data stored within its email tenant. Upon learning of the unauthorized access, Epic undertook a complex and time-consuming review of the potentially affected data. On December 9, 2022, Epic determined that personal information may have been affected.

While Epic has no evidence that any information potentially involved in this incident has been misused, out of an abundance of caution, Epic is informing affected individuals about the steps they can take to help protect their information. Epic is also providing credit and identity protection services to individuals whose Social Security numbers were impacted. The potentially affected information varies by individual, may have included the individuals' first and last names, dates of birth, Social Security numbers, health insurance information, medical information, drivers' licenses, passport numbers, financial account numbers and routing numbers, biometric data, usernames and passwords, and/or payment card numbers alongside its associated expiration date and/or security code.

Epic has taken steps in response to this incident and has made alterations to its cyber environment to help prevent similar incidents from occurring in the future. 

Epic has established a toll-free call center to answer questions about the incident and to address related concerns.  Call center representatives are available Monday through Friday between 8am to 8pm CST and can be reached at 1-833-896-7338.

Epic is located at PO Box 160038, Boiling Springs, SC 29316.

SOURCE Epic Management LLC

Epic Management Provides Notice of Data Security Incident

Malicious Windows drivers signed as legit by Microsoft have been spotted as part of a toolkit used to kill off security processes in post-exploitation cyber activity.

Malicious drivers certified by Microsoft's Windows Hardware Developer Program have been used to juice post-exploitation efforts by cybercriminals, Redmond warned this week — including being used as part of a small toolkit aimed at terminating security software in target networks.

"Several developer accounts for the Microsoft Partner Center were engaged in submitting malicious drivers to obtain a Microsoft signature," Microsoft explained in an advisory issued on Dec. 13. "A new attempt at submitting a malicious driver for signing on September 29, 2022, led to the suspension of the sellers' accounts in early October."

Code signing is used to provide a level of trust between the software and the operating system; as such, legitimately signed drivers can skate past normal software security checks, helping cybercriminals move laterally from device to device through a corporate network.

**SIM-Swap, Ransomware Attacks**

In this case, the drivers were likely used in a variety of post-exploitation activity, including deploying ransomware, the computing giant acknowledged. And Mandiant and SentinelOne, which along with Sophos jointly alerted Microsoft to the issue in October, have detailed the drivers' use in specific campaigns.

According to their findings, also issued on Dec. 13, the drivers have been used by the threat actor known as UNC3944 in "active intrusions into telecommunication, BPO \[business process optimization\], MSSP \[managed security service provider\], and financial services businesses," resulting in a variety of outcomes.

UNC3844 is a financially motivated threat group active since May that usually gains initial access to targets with phished credentials from SMS operations, according to Mandiant researchers.

"In some cases, the group’s post-compromise objectives have focused on accessing credentials or systems used to enable SIM-swapping attacks, likely in support of secondary criminal operations occurring outside of victim environments," Mandiant detailed in a separate Dec. 13 blog post on the issue.

In service of those goals, the group was observed using the Microsoft-signed drivers as part of a toolkit designed to terminate antivirus and EDR processes. That toolkit consists of two pieces: Stonestop, a Windows userland utility that terminates processes by creating and loading a malicious driver, and Poortry, a malicious Windows driver that uses Stonestop to initiate process termination.

SentinelLabs also observed a separate threat actor using the same driver, "which resulted in the deployment of Hive ransomware against a target in the medical industry, indicating a broader use of this technique by various actors with access to similar tooling."

To combat the threat, Microsoft has released Windows Security Updates that revoke the certificate for affected files and suspended the partners' seller accounts.

"Additionally, Microsoft has implemented blocking detections (Microsoft Defender 1.377.987.0 and newer) to help protect customers from legitimately signed drivers that have been used maliciously in post-exploit activity," the company noted in the advisory.

Microsoft-Signed Malicious Drivers Usher In EDR-Killers, Ransomware

Version 2.0 of the Common Security Advisory Framework will enable organizations to automate vulnerability remediation.

Today, nearly every party that issues security advisories uses its own format and structure. Plus, most security advisories are only human-readable, not machine-readable.

System administrators have to read each advisory, determine if they use the products and versions listed, and evaluate the potential risk and existing mitigations. Based on their system's exposure and the business value, they make a decision about if and when to patch.

It’s a time-consuming process that delays vulnerability remediation and increases risk. Vendors and providers of software and hardware need to disclose security vulnerabilities in a way that accelerates this process and empowers customers to use automation.

**The New Standard for Security Advisories**

The Common Security Advisory Framework (CSAF) 2.0 supports the automation of vulnerability management by standardizing the creation and distribution of structured machine-readable security advisories.

CSAF is an official standard of OASIS Open. The technical committee that developed CSAF includes numerous public- and private-sector technology leaders, users, and influencers.

Manufacturers can use CSAF to standardize the format, content, distribution, and discovery of security advisories. These machine-readable JSON documents enable administrators to automate the comparison of advisories against a user’s asset database or even a supplier's software bill of materials (SBOM) database.

The automated system can filter vulnerabilities based on the products of interest and prioritize based on business value and exposure. This dramatically speeds up the evaluation process and enables administrators to focus on managing risk and fixing vulnerabilities.

**CSAF, VEX, and SBOMs**

Vulnerability Exploitability eXchange (VEX) is a profile in CSAF. VEX was developed in the SBOM community as a way for manufacturers to easily convey that a product is not affected by issuing a so-called negative security advisory. VEX is designed to work with SBOMs, although it is not necessary to have an SBOM to use VEX documents.

A VEX document must include information about the disposition of each vulnerability as it impacts each product. A product can be marked as under investigation, fixed, known affected, or known not affected. For those products that are marked as known not affected, VEX requires that the publisher include a justification for that status.

Being able to communicate the various statuses of a vulnerability — including under investigation and not affected — means customers can get that information without calling the vendors or manufacturers, which will be a relief to customer support. Moreover, it enables customers to better manage vulnerability risk.

When paired with an SBOM, VEX documents enable administrators to use asset management systems to quickly determine what vulnerabilities are not exploitable, which frees them to focus on any vulnerabilities that could put their businesses at risk.

**Other CSAF Profiles**VEX is one of five profiles in the CSAF schema. Each profile has certain required fields and is designed to address a specific need.

The CSAF base profile serves as the foundation for all of the other profiles. It defines the default required fields for any CSAF document — primarily information about the document itself, such as who published it, when it was published, and if it has been revised.

The security advisory profile includes information that we see in most security advisories today — details about the vulnerability, products affected, and remediations.

The informational advisory profile can be used to provide information about a security issue that is not a vulnerability, such as a misconfiguration.

Finally, the security incident response profile can be used to provide information about a security breach or incident that happened at the company, or about the impact that an incident involving another party (like a contractor or component manufacturer) had on the company.

**CSAF Tools and Guidance**

CSAF defines conformance targets that help consumers and producers to find the right tool for their requirements. The OASIS CSAF technical committee also developed a suite of tools for using CSAF, including:

*   Secvisogram is an online editor to create, update, and view CSAF documents. It also can produce a human-readable version of the document.
*   CSAF CMS back end is a work-in-progress implementation of a CSAF content management system. The system will support producers of CSAF documents by providing workflows and automation of metadata creation.
*   CSAF validator service is a REST-based service that implements the CSAF full validator target. It tests a given CSAF file according to the specification.
*   CSAF Provider is an implementation of the role CSAF Trusted Provider and offers a simple HTTPS-based management service. It acts as a static site generator to present CSAF files as required by the standard.
*   CSAF Checker is a tool for testing a CSAF Trusted Provider according to Section 7 of the CSAF standard. It checks requirements without considering the indicated role.
*   CSAF Downloader is a tool for downloading advisories from a CSAF provider.

To help issuing parties to write actionable CSAF documents, there is guidance for each field, which can be found here.

CSAF Is the Future of Vulnerability Management

Without many details, Apple patches a vulnerability that has been exploited in the wild to execute code.

The latest Apple security update includes a fix for an actively exploited security vulnerability that could allow arbitrary code execution on iPhone 8 and above. 

The bug, fixed with the iOS 16.1.2 update, is a type confusion issue in the WebKit browser engine. Type confusion occurs when a piece of code doesn't verify the type of object that is passed to it; in this case, it can be be triggered when processing specially crafted content, Apple noted in its advisory. 

As for the active exploitation, the mobile giant noted that it is "aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1."

Apple has been plagued by zero-day exploits over the past several months.  

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading