Security researchers have described the malware as among the fastest-spreading mobile threats in recent years.

An international team of law-enforcement officials has successfully disrupted infrastructure associated with FluBot, an especially pernicious malware tool that threat actors have been using since at least December 2020 to steal passwords, bank account details, and other sensitive data from Android users.

Europol announced the takedown Wednesday, noting that FluBot's infrastructure was now under the control of law enforcement.

"An international law enforcement operation involving 11 countries has resulted in the takedown of one of the fastest-spreading mobile malware to date," Europol noted. "The investigation is ongoing to identify the individuals behind this global malware campaign."

Researchers first spotted FluBot (at that time referred to as Cabassous) targeting Android users in Spain in December 2020. Over the course of the next year, the malware spread like wildfire to what Europol described as a "huge number" of Android devices in multiple countries, including Germany, the UK, France, Finland, Australia, and New Zealand.

**A Fast-Spreading Viral Threat**

FluBot spreads via SMS phishing messages (smishing) that use various pretexts to try and get recipients to click on a link for downloading the malware to their smartphones. In the early days of the malware, the SMS messages purported to be from delivery companies such as FedEx and DHL attempting to drop off a package. Users who were tricked into clicking on the link — ostensibly to reschedule delivery — ended up with the malware, disguised as a mobile app from the delivery company, downloaded to their Android devices.

Once installed, the malware seeks specific access privileges on the device that, if granted, it would use to steal payment-card data, bank account information, and other sensitive data. The malware was also designed to intercept and read text messages, open pages, disable Google Play Protect, and uninstall various apps from an infected device.

In addition, FluBot copies the infected device owner's contact list and sent SMS messages with infected links to all the numbers — a factor that likely contributed to its rapid spread, according to security vendor Bitdefender. The authors of the malware likely sold it as a service to different threat actors, too, contributing to its viral spread.

Over the course of 2021, threat actors used different SMS messages to try and trick users to click on the malicious link, including one that purported to be from a friend wanting to share a photo and another that tried to get users to listen to a fake voicemail message. Researchers from Bitdefender even observed attackers sending SMS phishing messages that ironically enough warned recipients about their devices being infected with FluBot and to take remedial action by clicking on the message link. In a report this January, Bitdefender identified Australia as the country most hit by FluBot, followed by Germany, Poland, Spain, and Austria.

Researchers from Proofpoint who tracked FluBot last year reported observing FluBot SMS messages in both English and German. The vendor said it had identified more than 700 unique domains that FluBot actors used for the English-language campaign alone.

**Android Threats Continue to Surge**

The FluBot takedown eliminates — temporarily — one of the biggest threats to Android device users in recent years. However, numerous other similar malware tools in the wild continue to present a serious threat. A recent report from ThreatFabric identified a continued increase in Android malware families such as Joker that enable fraudulent transactions being initiated from an infected device. Other examples include Alien, Cerberus, Hydra, and Octo.

The increase in Android malware families has also been accompanied by an increase in the number of malware droppers disguised as legitimate apps on Google's official Play mobile app store, ThreatFabric said. Among them is an app called NanoCleaner, which has been downloaded more than 10,000 times. In actuality, NanoCleaner is a dropper for Hydra.

Similarly, another app called Pocket Screencaster, with more than 10,000 installs, is a dropper for Octo, and another called Fast Cleaner, with more than 50,000 installs, is really a dropper for Alien and Octo.

"Threat actors continue to consider droppers on Google Play as one of the most effective ways to deliver malware to victims," ThreatFabric said.

FluBot Android Malware Operation Disrupted, Infrastructure Seized

Organizations leverage the platform-driven, human-delivered service to measure and continuously improve the efficacy of detective controls and MSSP coverage.

MINNEAPOLIS, June 1, 2022 /PRNewswire/ -- NetSPI, the leader in penetration testing and attack surface management, today announced new Breach and Attack Simulation (BAS) enhancements to meet increased market demand for improved threat detection. With the combination of the AttackSim cloud-native technology platform _and_ hands-on counsel from NetSPI's expert penetration testing team, organizations can continuously test their detective controls against real-world attack tactics, techniques, and procedures (TTPs).

According to NetSPI data, only 20% of common attack behaviors are caught by out-of-the-box detective controls (EDR, SIEM, MSSPs) – leaving organizations with a false sense of security. The updates to NetSPI's Breach and Attack Simulation allow detection engineers to measure their ability to detect common adversary behaviors and ultimately prioritize detection development as well as investments.

Following the initial collaborative assessment with NetSPI's experts, the AttackSim technology platform is provided to organizations for continuous testing and improvement. The platform features many new updates including:

*   **Seamless use, regardless of skill level:** An enhanced user experience (UX) and a refined user interface (UI) can be used by experts and novices alike.
*   **New automated plays and playbooks:** Detailed manual procedures for reproducing attacker behavior, as well as consistently updated security playbooks, allow organizations to better strengthen their security posture. With the latest updates, NetSPI has nearly 300 attack plays that can be used to test detective controls.
*   **Enhanced reporting:** Security teams now have additional data and metrics to work with, such as peer comparison, year-over-year reporting, and telemetry flow analysis. New reports that support programmatic, tactic, technique, and procedure (TTP) summary metrics are also now available.

"Indicators of Compromise have become less useful as the threat landscape evolves at a breakneck speed," said Cody Chamberlain, Head of Product at NetSPI. "To stay ahead of malicious actors, organizations must shift their gaze to detect attackers _before_ something bad happens. The NetSPI AttackSim platform, combined with the power of our skilled team of penetration testers, lets organizations continuously simulate real attack behavior, providing better insight into the efficacy of their detective controls."

"Small and medium-sized organizations with limited personnel often rely on MSSPs to implement detections and operate similarly to a security operations center (SOC)," said Scott Sutherland, Senior Director, Adversary Simulation and Infrastructure Testing at NetSPI. "We built Breach and Attack Simulation not only to improve detections, but also to enable organizations to validate MSSP coverage and better understand the scope of their agreements."

NetSPI will be demoing the AttackSim platform and its new capabilities during RSA Conference 2022 at booth #4605 in the North Expo Exhibit Hall. Schedule a meeting with the team.

To learn more about Breach and Attack Simulation, email \[email protected\] or visit https://www.netspi.com/security-testing/breach-and-attack-simulation/.

**About NetSPI**

NetSPI is the leader in penetration testing and attack surface management, partnering with nine of the top 10 U.S. banks, three of the world's five largest healthcare companies, the largest global cloud providers, and many of the Fortune® 500. NetSPI offers Penetration Testing as a Service (PTaaS) through its Resolve™ penetration testing and vulnerability management platform. Its experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces, historically testing over 1 million assets to find 4 million unique vulnerabilities. NetSPI is headquartered in Minneapolis, MN and is a portfolio company of private equity firms Sunstone Partners, KKR, and Ten Eleven Ventures. Follow us on Facebook, Twitter, and LinkedIn.

NetSPI's New Breach and Attack Simulation Enhancements Help Organizations Achieve Behavior-Based Threat Detection

New operational analytics and AI/ML platform drives contextual intelligence and prioritized actions to anticipate risky behaviors, disrupt threats and insure business resilience.

SAN JOSE, Calif. , June 1, 2022 /PRNewswire/ -- Netenrich, a leading security and operations analytics SaaS company, today announced that the company will showcase its new Resolution Intelligence platform® at the 2022 RSA Conference on June 6-9 at the Moscone Center in San Francisco. Netenrich will feature product demos and present platform details in the Google Cloud Security Booth #1943, South Expo Hall.

**Netenrich at RSA 2022  
**Netenrich invites security professionals and conference attendees to learn how they can optimize their security operations with analytics leveraging Google Chronicle. Managed service providers (MSSPs, MSPs, GSIs) benefit by plugging into the data analytics platform to quickly build innovative services and transform their business at service-provider scale.

Netenrich will share the latest advances in security operations, as well as the strategies and solutions security professionals need to secure their data against the most critical issues and behaviors. Visit booth #1943 during the times listed below:

*   Tuesday, June 7 from 10:00 AM – 12:00 PM PDT
*   Wednesday, June 8 from 4:00 PM – 6:00 PM PDT
*   Thursday, June 9 from 10:00 AM – 12:00 PM PDT

**Theater Presentation in booth**

*   Thursday, June 9 at 11:45 AM PDT

**Netenrich + Chronicle Happy Hour**

RSA attendees are invited to the Netenrich + Chronicle Happy Hour at the Monarch club on Wednesday, June 8, from 6 – 9 pm PDT. Come enjoy music, drinks, and live entertainment.

*   RSVP to secure your invite and bring your ID and RSA badge
*   **Monarch, 101 6th Street, San Francisco, CA 94114**

Follow Netenrich on Twitter , LinkedIn, and YouTube

SOURCE Netenrich

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Netenrich Debuts Resolution Intelligence Secure Digital Operations Platform at RSA 2022

The cloud instances were left open to the public Internet with no authentication, allowing attackers to wipe the data.

Cyberattackers are targeting misconfigured Elasticsearch cloud buckets exposed on the public Internet and stealing the wide-open data, then replacing it with a ransom note.

According to Secureworks Counter Threat Unit (CTU) researchers, more than 1,200 indexes have already been affected, with the attackers issuing 450 requests for Bitcoin payment in exchange for the return of the data. However, the ransom amounts are relatively low, researchers have pointed out: Taken together, all of the demands total just $280,000.

"The average ransom request was approximately $620 payable to one of two Bitcoin wallets," they noted in a Wednesday analysis. "As of this publication, both wallets are empty and do not appear to have been used to transact funds related to the ransoms."

Despite the lackluster follow-through on the part of attackers thus far, the situation highlights a serious issue: Misconfiguration of databases placed in the public cloud has reached epidemic proportions, with large numbers of enterprises mistakenly leaving storage buckets from Amazon Web Services, Google Cloud, and Microsoft Azure accessible with no authentication to read or write the data.

Often, these open instances are discovered by security researchers and locked down without incident — but system misconfigurations still drove an estimated 13% of overall malicious system breaches recorded in the recent Verizon's 2022 "Data Breach Investigations Report" (DBIR), with misconfigured cloud storage instances making up the bulk of those.

"Unsecured Elasticsearch instances are trivially easy to identify using the Shodan search engine," the CTU researchers noted. "The threat actor probably used an automated script to identify the vulnerable databases, wipe the data, and drop the ransom note."

They added, "the cost of storing data from 1,200 databases would be prohibitively expensive. It is therefore likely that the data was not backed up and that paying the ransom would not restore it."

In 2020, ESET researchers uncovered a similar attack that affected half of all exposed MongoDB instances, which were wiped and replaced with a ransom note.

12K Misconfigured Elasticsearch Buckets Ravaged by Extortionists

In this Tech Talk, Darktrace's David Masson and Dark Reading's Terry Sweeney discuss the rise of destructive attacks against critical infrastructure.

For years government regulators and security experts have been sounding the alarm about attacks that could cripple critical infrastructure — the assets and systems that support the functioning of a modern society and economy — but it took the attack against Colonial Pipeline for people to really pay attention, says David Masson, director of enterprise security with Darktrace.

That ransomware attack showed people firsthand how a cyber threat actually stopped gas from coming out of the pump, says Masson in this Tech Talk conversation with Dark Reading's Terry Sweeney. It doesn't even matter that the attackers behind Colonial Pipeline likely did not intend that outcome.

Since then, several other critical infrastructure organizations have been hit by ransomware and other attacks. There is also a worrisome trend toward more destructive attacks, Masson said. As an example, he points to the Russians trying to take down the telecommunications network in Ukraine to disrupt communications within the country. When their attempts failed, the Russians shot missiles directly at the cell towers and destroyed them, Masson notes.

About 85% of critical national infrastructure is under private control in North America, Masson says, which makes regulating critical infrastructure a bit of a challenge. The shift to public-private partnership, where infrastructure operators share threat information and intelligence with government agencies, is essential to understand the scale of the threat, he says.

President Dwight D. Eisenhower famously said that plans are worthless, but planning is indispensable. That mindset should drive security preparations: Deploy technology that gives visibility into the network, train people to recognize attacks, and maintain good backups so you can rebuild the infrastructure when needed.

"Start practicing and get ready so you don't end up being a rabbit stuck in the headlights," Masson says.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Darktrace's David Masson on What Attacks on Critical Infrastructure Look Like

WeLeakInfo.to and two related domains let users search data stolen in more than 10,000 different breaches.

The Justice Department and FBI today announced that three separate Internet domains have been seized for offering access to stolen data and performing network attacks. 

The domains include WeLeakInfo.to, ipress.in, and ovh-booter.com, the announcement said. The sites reportedly offered users access to search engine for more than 7 billion records filled with stolen personal information including names, email addresses, usernames, phone numbers, and online account passwords, the agencies said. The compromised data was collected through more than 10,000 individual data breaches, according to the law enforcement statement. 

"These seizures are prime examples of the ongoing actions the FBI and our international partners are undertaking to disrupt malicious cyber activity," Special Agent in Charge Wayne A. Jacobs said about the illicit site seizures. "Disrupting malicious DDoS operations and dismantling websites that facilitate the theft and sale of stolen personal information is a priority for the FBI."  

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Feds Seize Domains Dealing Stolen Personal Data

Contextual Intelligence derived with machine learning helps customers identify, assess and remediate threats from IoT devices on their networks, achieving full visibility and control.

**SANTA CLARA, Calif. – June 1, 2022 –** Netskope, the leader in Security Service Edge (SSE) and Zero Trust, today announced it has acquired WootCloud, an innovator in applying Zero Trust principles to IoT security. The acquisition brings to Netskope WootCloud’s award-winning HyperContext® Security Platform, which provides end-to-end visibility, context, and threat remediation for managed and unmanaged devices, and will extend Netskope’s acclaimed SSE and Zero Trust capabilities to protect enterprise IoT devices at scale.

The massive volume of Internet-connected devices continues to expand; by 2025, there will be 55.7 billion connected IoT devices (“things”), generating almost 80B zettabytes (ZB) of data\[1\]. WootCloud technology will enable Netskope customers to support both user- and device-centric policies with Zero Trust principles applied to govern access and interactions with critical data. As Gartner® notes, by 2026, 50% of organizations will prioritize advanced data security features for inspection of data at rest and in motion as a selection criterion for SSE, up from 15% in 2021\[2\].

Founded in 2016 in San Jose, Calif., WootCloud offers device discovery, classification, and control to help customers gain deep visibility and context into all devices on their networks (both managed and unmanaged) and provide a risk and threat assessment measurement for devices that can be leveraged within a broader IoT security strategy. WootCloud’s cloud-based platform is capable of collecting billions of daily measurements of device characteristics, and this telemetry data is further analyzed using proprietary AI/ML models for device classification, risk assessment, and threat detection.

WootCloud critical uses cases include:

*   **Device classification and visibility** to discover managed and unmanaged devices, classify and provide contextual information, and provide deep insights that “true-up” an asset inventory
*   **Device Risk,** dynamically ascertained bycontinuous real-time monitoring to detect malicious behavior, and exchange device attributes with security operations tools for remedial actions.
*   **Access control and segmentation** to offer dynamic asset grouping, automate network segmentation, and facilitate various actions using existing Network Access Control (NAC), firewalls, access points, and other technologies
*   **Cybersecurity asset management** to drive compliance with corporate policies and gain insights into license use, helping to optimize the total IT environment

“Securing a hybrid work environment includes the ability to establish adaptive zero trust across users, devices, networks, applications, and data— increasing confidence in policy enforcement everywhere,” said Sanjay Beri, CEO and co-founder of Netskope. “WootCloud’s innovative technology will further extend Netskope’s industry-leading SSE and Zero Trust capabilities, ensuring that critical data is protected from the network, to the cloud, to enterprise IoT devices.”

“Netskope is an unquestioned leader in Security Service Edge and Zero Trust, and it makes perfect sense to combine and extend our collective capabilities to protect enterprise IoT devices at scale,” said Amit Srivastav, CEO of WootCloud. “We are so proud of what we have achieved with WootCloud, and we are excited to join Netskope for this next stage of the growth journey.”

“WootCloud has been a fantastic partner to Dartmouth, designing and executing solutions to meet Dartmouth’s enterprise security needs,” said Mitchel Davis, Vice President and Chief Information Officer, Dartmouth College. “WootCloud’s decision to join Netskope will help the combined company continue to grow in a way that will prioritize scale while preserving the innovation that made WootCloud special. Netskope is a well-recognized security leader, and we are excited to continue this partnership.”

Zero Trust principles are critical to the implementation of Secure Access Service Edge (SASE), which converges critical security, networking, and business value requirements into one technology architecture. Gartner cites that, b​y 2025, at least 60% of enterprises will have explicit strategies and timelines for SASE adoption encompassing user, branch and edge access, up from 10% in 2020\[3\]. Properly implemented SSE, which describes the security stack needed to enable SASE architecture, fundamentally includes zero trust and transforms what enterprises can achieve for security at scale.

Financial terms of the acquisition are undisclosed. WootCloud CEO Amit Srivastav has joined Netskope as an Executive Advisor to the CEO, and all of the WootCloud engineering team, led by the original founding CEO Srinivas Akella, have joined Netskope’s engineering organization.

Visit Netskope.com for more on Netskope capabilities for SSE, IoT security and Zero Trust.

**About Netskope**

Netskope, a global cybersecurity leader, is redefining cloud, data, and network security to help organizations apply Zero Trust principles to protect data. The Netskope Intelligent Security Service Edge (SSE) platform is fast, easy to use, and secures people, devices, and data anywhere they go. Netskope helps customers reduce risk, accelerate performance, and get unrivaled visibility into any cloud, web, and private application activity. Thousands of customers, including more than 25 of the Fortune 100, trust Netskope to address evolving threats, new risks, technology shifts, organizational and network changes, and new regulatory requirements. Learn how Netskope helps customers be ready for anything on their SASE journey, visit netskope.com.

\[1\] IDC, “Future of Industry Ecosystems: Shared Data and Insights,” January 2021

\[2\] Gartner, “Critical Capabilities for Security Service Edge, John Watts, Craig Lawson, Charlie Winckless, Aaron McQuaid, 16 February 2022.

\[3\] Gartner 2021 Strategic Roadmap for SASE Convergence, Neil MacDonald, Nat Smith, Lawrence Orans, Joe Skorupa, March 25, 2021

Netskope Acquires WootCloud, Extending Zero Trust Capabilities to Enterprise IoT

Combined company creates world-class security operations platform to offer customers unmatched visibility and detection to defend against threats.

TAMPA, Fla., June 01, 2022 (GLOBE NEWSWIRE) -- ReliaQuest, a force multiplier of security operations, today announced that it has entered into an agreement to acquire Digital Shadows, a company that delivers threat intelligence for security teams, for $160 million. The acquisition combines ReliaQuest’s ability to extend detection and response across cloud, network, and endpoint environments with Digital Shadows' digital risk and threat intelligence technology. This gives security operations teams the ability to detect and respond to threats with real-time internal and external visibility.  

“Combining the internal visibility provided by ReliaQuest with the external threat intelligence and digital risk monitoring brought by Digital Shadows creates an end-to-end picture for enterprises around the world,” said Alastair Paterson, co-founder and CEO at Digital Shadows. “The complementary technical capability, shared cultural values, and geographic synergies offered by the combined companies make this a great opportunity for our customers and our partners.”

Security teams are stretched between investigating and responding to threats they can see while working to increase visibility across both security and business applications where they have limited visibility to detect and respond. The ability to extend and automate detection and response across both security and business applications is critical to a successful security program.

ReliaQuest and Digital Shadows will make security operations more effective by integrating the digital risk and threat intelligence that security leaders care about into a security operations platform that increases visibility, reduces complexity, and manages risk. The new offerings will drive down response time, provide context around threats and allow for an end-to-end view, all while decreasing the cost of visibility. Security operation teams can leverage automation with confidence to free up time to focus on the specific areas that matter the most.

“Alastair Paterson and James Chappell built a world-class team, technology, and culture in Digital Shadows and I am looking forward to our organizations working together to make security possible for organizations all over the world,” said Brian Murphy, founder and CEO at ReliaQuest. “The combination of ReliaQuest and Digital Shadows makes a lot of sense for our customers, our partners, and both of our teams. We have a responsibility and opportunity to leverage our collective expertise to continue to tackle what I believe to be the largest technical challenge of our generation, cybersecurity.”

ReliaQuest’s GreyMatter is a cloud native platform built on an Open XDR architecture, and delivered as a service, extending detection and response across a customer’s network, cloud, and endpoint for both security and business applications. Digital Shadows’ platform was built with today’s overloaded security analyst at heart, who demanded a more relevant and actionable approach to threat intelligence. The addition of Digital Shadows to ReliaQuest’s GreyMatter platform provides an important outside-in perspective to ReliaQuest’s already robust detection and response capability.

The transaction has received the approval of both companies’ Board of Directors and is subject only to customary closing requirements and regulatory approvals.

For more information about ReliaQuest, please visit our website.

**About ReliaQuest**  
ReliaQuest, the force multiplier of security operations, increases visibility, reduces complexity, and manages risk with its cloud native security operations platform, GreyMatter. ReliaQuest GreyMatter is built on an XDR architecture and delivered as a service anywhere in the world, any time of the day, by bringing together telemetry from tools and applications across cloud, on-premises and hybrid cloud architectures.

Hundreds of Fortune 1000 organizations trust ReliaQuest to operationalize security investments, ensuring teams focus on the right problems while closing visibility and capability gaps to proactively manage risk and accelerate initiatives for the business. ReliaQuest is a private company headquartered in Tampa, Fla., with multiple global locations. For more information, visit www.reliaquest.com.

**About Digital Shadows**  
Digital Shadows provides threat intelligence that delivers for every security team. Our platform was built with today’s overloaded security analyst at heart, who demanded a more relevant and actionable approach to threat intelligence. SearchLight focuses on digital risks that organizations care about, using a proven threat model that adapts to the organization risk profile and appetite. This approach delivers a low noise solution, allowing security teams to work faster and with less resources than ever before. To sign up for our free weekly threat intel digest or learn more about our platform, visit www.digitalshadows.com.

ReliaQuest to Acquire Digital Shadows

Password management solution delivers proactive, seamless approach to protecting privacy and login credentials for consumers and businesses; Password Management market expected to reach $3 billion by 2026.

**SAN FRANCISCO, June 1, 2022** — Lookout, Inc., a leading provider of endpoint and cloud security solutions, today announced it has acquired SaferPass, an innovative Password Management company that provides secure online identity solutions for both consumers and businesses. By adding Password Management technology to its suite of security solutions, Lookout is expanding on its mission to deliver proactive protection and safeguard customer data for individuals and businesses.

Whether shopping online, banking, or connecting to corporate applications and email, usernames and passwords have become the standard form of authentication to validate a user’s identity and enable access to sensitive information. Passwords can be difficult to use and incredibly insecure, especially in cases where a user has many accounts. On average, people have more than 100 accounts with an associated password to remember. In addition, human-generated passwords are often algorithmically weak; according to the Verizon Data Breach Investigations Report, 81% of data breaches leveraged weak, stolen or reused employee passwords, and every time a password is reused, it opens the door to a potential data breach. Additionally, nearly 64% of people reuse the same passwords across their online accounts. If login credentials are compromised, the consequences can be serious – including personal identity theft or stolen corporate information.

SaferPass delivers a robust, innovative solution for identity and password management to both consumers and businesses, enabling users to securely manage their passwords, banking and other sensitive information across devices. The SaferPass solution provides an encrypted digital vault that stores secure login information used to access services through mobile apps and web browsers. In addition to keeping a user’s identity, credentials and sensitive data safe, the product helps create strong, unique passwords through a password generator tool that ensures the individual is not using the same password in multiple places and that their password has not been compromised in a previous breach.

According to Mordor Intelligence, the Password Management market on its own, was valued at over $1.2 billion in 2020 and is expected to reach over $3 billion by 2026.

“We are pleased to welcome the SaferPass team to Lookout, and excited to combine our respective solutions to deliver better value to consumers and businesses alike,” said Jim Dolce, Lookout CEO. “Today, every password owned by an employee is a potential access point to organizations both small and large. At the same time, large scale data breaches have leaked billions of consumer emails and passwords on the dark web, putting individuals at risk of identity theft and financial fraud. The SaferPass team shares our vision for providing seamless security solutions that address all access points and protect personal and corporate data wherever it may reside. This is an exciting next step in Lookout’s evolution.”

The acquisition of SaferPass broadens the Lookout portfolio of security solutions and expands the opportunity for its carrier ecosystem and channel partners – it also expands Lookout’s footprint in Central Europe through its new location in Bratislava, Slovakia. SaferPass will now operate under the Lookout brand and leadership and the SaferPass team will be fully integrated into the Lookout organization. The financial terms of this transaction have not been disclosed.

****Additional Resources****

*   To learn more about Lookout for SMBs and Consumers, visit: https://protection.lookout.com/
*   To learn more about the Lookout Security Platform, visit: https://www.lookout.com/products/platform
*   Sign up for a free trial of Lookout.

Follow the Lookout blog and join the conversation on LinkedIn and Twitter.

Lookout Acquires SaferPass To Address The Rising Threat Of Identity Theft

EnemyBot DDoS botnet is rapidly weaponizing security bugs disclosed in CMS systems like WordPress plug-ins, Android devices, commercial Web servers, and other enterprise applications.

An Internet of Things (IoT) botnet dubbed “EnemyBot" is expanding its front lines to target security vulnerabilities in enterprise services — potentially leading to it being a much more virulent threat than it has been, researchers say.

EnemyBot, which is controlled by a threat actor known as Keksec, is a Linux botnet that emerged on the malware scene in late March. It shares source code with two other well-known botnets, Gafgyt (aka Bashlite) and the mighty Mirai, according to a prior analysis from Fortinet. Like those threats, EnemyBot is used to carry out distributed denial-of-service (DDoS) attacks. Other aspects of the code include smaller elements from Qbot and other malware, and some custom development.

While it began life focusing on adding IoT devices and routers to its botnet footprint, EnemyBot has now evolved to add remote code execution (RCE) exploits for a host of popular business applications, including VMware Workspace ONE, Adobe ColdFusion, WordPress sites (via vulnerable plug-ins like Video Synchro PDF), PHP Scriptcase, and others, according to researchers at AT&T Labs. 

Researchers discovered that the group is using a mix of recent, so-called "one-day" bugs, as well as older known issues, looking to take advantage in lags in patching.

Keksec is "now targeting IoT devices, web servers, Android devices and content management system (CMS) servers," according to the firm's recent report, which notes that the latest version of EnemyBot adds a webscan function containing a total of 24 exploits to attack vulnerabilities of different devices and Web servers and self-propagate. 

The enterprise-focused exploits that were recently added include:

*   Log4Shell vulns: CVE-2021-44228, CVE-2021-45046
*   F5 BIG IP devices: CVE-2022-1388
*   Spring Cloud Gateway: CVE-2022-22947
*   TOTOLink A3000RU wireless router: CVE-2022-25075
*   Kramer VIAWare: CVE-2021-35064
*   PHP Scriptcase: No CVE yet assigned
*   Adobe ColdFusion 11: No CVE yet assigned

"The nature of devices and systems targeted through EnemyBot is different than vulnerabilities aimed at corporate datacenters," Bud Broomhead, CEO at Viakoo, tells Dark Reading. "WordPress installations, Android devices, IoT devices and other targets for EnemyBot are all widely deployed (therefore might be hard to find), are operated by organizations of all sizes, and are often managed by lines of business that lack cybersecurity skills."

**EnemyBot: A Super Soldier?**

In addition to the DDoS capabilities, EnemyBot can also receive commands to download and execute new code that could add to its functions or update its vulnerability list, according to the analysis. This means that, worryingly, the malware can adopt new vulnerabilities within days of those issues being discovered, researchers warned, as seen when it added a bug tracked as CVE-2022-22954 affecting VMware Workspace ONE, almost immediately after disclosure.

Sean Malone, CISO at Demandbase, says that given its rapid development, EnemyBot and others like it present a new urgency for enterprise defenders.

"The rapid weaponization of newly released vulnerabilities highlights the need to be able to patch almost instantaneously when new vulnerabilities are identified," he tells Dark Reading. "We should assume that every piece of software, every application development framework, and every IoT device will have a critical vulnerability identified at some point. Our architectures should be designed to limit the available attack surface, and mitigate the blast radius of a compromised system through defense-in-depth measures."

That should include adding the ability to profile systems and network traffic to know what normal looks like, and alert when the system activity and network traffic deviates from that baseline, he adds.

"This botnet emphasizes the need for rapid patching of internet facing devices and the risks of running apps in the cloud," says John Bambenek, principal threat hunter at Netenrich. "This traffic is easily spotted on the wire, but in typical cloud deployments, organizations aren’t able to run network intrusion detection. If organizations aren’t running NIDS or rapidly patching, they are both blind and vulnerable."

**Keksec & EnemyBot's Future**

For its part, Keksec is a well-resourced group that has been around since 2016, making a name for itself by creating various botnets-for-hire. It's known for exploiting vulnerabilities to invade multiple architectures with polymorphic tools (these can include Linux and Windows payloads, as well as custom Python malware), in order to accomplish everything from DDoS to cryptomining to espionage.

For instance, last year the operators made headlines with the "Simps" botnet, which was built for DDoS attacks on gaming targets. Another of its creations is the HybridMQ-keksec botnet, a Frankenstein-like effort created by combining and modifying the source code of Mirai and Gafgyt, just like EnemyBot.

Keksec is constantly adding to its arsenal, and "has the ability to update and add new capabilities to its arsenal of malware on a daily basis," the AT&T Labs researchers note. And indeed, with the new ability to compromise enterprise services and devices, EnemyBot could be poised to ramp up the volume of its attacks.

"In addition, the malware base source code can now be found online on GitHub, making it widely accessible," according to AT&T Labs, whose researchers also note that this won't be the only new EnemyBot variant to bubble up from Keksec's laboratory. "The developer of the GitHub page on EnemyBot self-describes as a 'full time malware dev,' that is also available for contract work."

That spells swelling attack volumes, researchers warn.

"Being available through GitHub means that many types of threat actors, from professional cybercriminals to amateurs, will be able to adapt EnemyBot into new and multiple variants," says Broomhead. "Without question, this is a red-lights-flashing warning sign for organizations to improve their discovery, threat assessment, and remediation capabilities."

Source

DARKReading