Newly discovered malware linked to Vietnamese threat actors targets users through a LinkedIn phishing campaign to steal data and admin privileges for financial gain.

Newly discovered malware linked to Vietnamese threat actors targets users through a LinkedIn phishing campaign to steal data and admin privileges for financial gain.

A new malware is hijacking high-profile Meta Facebook Business and advertising platform accounts through a phishing campaign that targets LinkedIn accounts. The malware, dubbed Ducktail, uses browser cookies from authenticated user sessions to take over accounts and steal data, researchers said.

Researchers from WithSecure, formerly F-Secure, discovered the ongoing campaign, which appears to be the work of financially driven Vietnamese threat actors, they wrote in a report published Tuesday. The campaign itself appears to have been active since at least the second half of 2021, while the threat actors behind it may have been on the cybercriminal scene since 2018, researchers said.

“The malware is designed to steal browser cookies and take advantage of authenticated Facebook sessions to steal information from the victim’s Facebook account and ultimately hijack any Facebook Business account that the victim has sufficient access to,” researchers wrote in a blog post accompanying the report.Ducktail actors have very specific targets in mind—that is, individuals within companies operating on Facebook’s Business and advertising platform that have high-level access to the account. These include people with managerial, digital marketing, digital media, and human  
resources roles in targeted companies, researchers said.

“These tactics would increase the adversary’s chances of compromising the respective Facebook Business all the while flying under the radar,” researchers wrote.

To infiltrate accounts, actors are targeting LinkedIn users with a phishing campaign that lures victims using keywords related to brands, products and project planning into downloading an archive file containing the malware executable alongside related images, documents and video files, researchers reported.

****Malware Components****

Researchers took a deep dive into the novel malware, which in its latest samples is written exclusively in .NET Core and compiled via its single-file feature, something “not commonly seen in malware,” they noted.

Ducktail operates using six key components once it infects a system. It first does Mutex creation and check to ensure that only a single instance of the malware is running at any given time, researchers said.

A data storage component stores and loads stolen data in a text file in a temporary folder, while a browser-scanning feature scans installed browsers to identify cookie paths for later theft.

Ducktail also has two components dedicated to stealing info from victims, one that’s more general, stealing non-Facebook related information, and another that steals info specifically related to Facebook Business and advertising accounts as well as hijacks those accounts, researchers said.

The first general information-stealing component scans an infected machine for Google Chrome, Microsoft Edge, Brave Browser or Firefox and, for each one it finds, extracts all stored cookies, including any Facebook session cookie.

The component of Ducktail dedicated to extracting data from Facebook Business/Ads accounts directly interacts with various Facebook endpoints—either direct Facebook pages or API endpoints–from the victim’s machine using a stolen Facebook session cookie, researchers said. It also other security credentials obtained from the cookie to extract information from the victim’s Facebook account, they said.

Specific info that the malware steals from Facebook includes: security credentials, personal account identification info, business details and advertising account info.

Ducktail also allows threat actors to take full administration control over Facebook Business accounts, which can give them access to a user’s credit card or other transactional data for financial gain, researchers said.

****Telegram C&C and Other Evasion Tricks****

A final component of Ducktail exfiltrates data to a Telegram channel used as the threat actors’ command and control (C&C), researchers said. This allows the actor to evade detection by limiting the commands it sends from C&C to the victim’s machine, researchers said.

Moreover, the malware does not establish persistence on a machine, which also allows means it can get in and do its dirty work without alerting the user or flagging Facebook security, researchers said. However, different versions of Ducktail observed by threat actors performed this lack of persistence in various ways, they said.

“Older versions of the malware simply executed, did what they were designed to do, and then exited,” researchers wrote. “Newer versions run an infinite loop in the background that performs exfiltration activities periodically.”

Ducktail also has inherent features in Facebook data-stealing component that is designed to circumvent Meta security features by making any request for data to Facebook entities appear to be coming from the victim’s primary browser. This would make these actions appear benign to Meta security, researchers said.Attackers also can use information such as stolen session cookies, access tokens, 2FA codes, user agents, IP address and geolocation, as well as general account information, to cloak and impersonate the victim, researchers said.

Novel Malware Hijacks Facebook Business Accounts

Instances of phishing attacks leveraging the Microsoft brand increased 266 percent in Q1 compared to the year prior.

Instances of phishing attacks leveraging the Microsoft brand increased 266 percent in Q1 compared to the year prior.

The bloom is back on phishing attacks with criminals doubling down on fake messages abusing popular brands compared to the year prior. Microsoft, Facebook and French bank Crédit Agricole are the top abused brands in attacks, according to study on phishing released Tuesday.

According to the report by researchers at Vade, phishing attacks abusing the Microsoft brand increased 266 percent in the first quarter of 2022, compared to the year prior. Fake Facebook messages are up 177 percent in the second quarter of 2022 within the same timeframe.

The study by Vade analyzed unique instances of phishing URLs used by criminals carrying out phishing attacks and not the number of phishing emails associated with the URLs. The report tallied the 25 most commonly targeted companies, along with the most abused industries and days of the week for phishing emails.

****Phishing By the Numbers****

Other top abused brands in phishing attacks include Credit Agricole, WhatsApp, and French telecommunications company Orange. Popular brands also included PayPal, Google and Apple (see chart).

Click to Enlarge

Through the first half of 2022, 34 percent of all unique phishing attacks tracked by the researchers impersonated financial services brands. The next most popular industry for criminals to abuse is cloud and the firms Microsoft, Google and Adobe. Social media was also a popular target with Facebook, WhatsApp and Instagram leading the list of brands leveraged in attacks.

The report revealed the most popular days for sending phishing emails is between Monday and Wednesday. Less than 20 percent of malicious emails are sent on the weekend.

“Phishing attacks are more sophisticated than ever,” wrote Adrien Gendre, chief tech and product officer at Vade in an email to Threatpost.

“Hackers have an arsenal of tools at their disposal to manipulate end users and evade email security, including phishing kits that can identify when they are being scanned by a vendor and trigger benign webpages to avoid detection. End users need to be continually trained to identify the latest phishing techniques,” he wrote.

Phishing Attacks Skyrocket with Microsoft and Facebook as Most Abused Brands

The increased proliferation of IoT devices paved the way for the rise of IoT botnets that amplifies DDoS attacks today. This is a dangerous warning that the possibility of a sophisticated DDoS attack and a prolonged service outage will prevent businesses from growing.

The increased proliferation of IoT devices paved the way for the rise of IoT botnets that amplifies DDoS attacks today. This is a dangerous warning that the possibility of a sophisticated DDoS attack and a prolonged service outage will prevent businesses from growing.

While data breaches and ransomware are still considered among the more significant concern for businesses, the threats sometimes come from a direction we weren’t expecting. Cybercriminals use botnets for various malicious purposes, most significantly for DDoS attacks against targets. The most important change is now the bot armies are increasingly made of IoT devices.

As the total installed base of IoT devices worldwide is expected to reach 30.9 billion by 2025, the IoT botnet threat and its overall power continue to expand.

Attackers seized the opportunity to create large botnets, to large complex DDoS attacks to disable or knock offline a target website. Although the IoT botnets can steal confidential data, as seen in the instance of the Torri botnet, most of the botnets have been used for DDoS attacks.

This is a dangerous warning for an online business to ensure they have effective anti-DDoS protection and bot takeover prevention.

**High-Level Anatomy of IoT DDoS Attack**

So, what is a botnet? – A botnet is a group of infected computers under the control of attackers used to perform various scams and cyber-attacks. Here, the attackers use malware to take control of vulnerable IoT devices to block legitimate users from accessing internet services by executing DDoS attacks.

A simple principle governs a DDoS attack: it takes down websites offline by consuming more resources or occupying all available bandwidth. Attackers with more hijacked IoT devices can consume more resources and launch a more damaging attack. The three main goals of attackers include:

*   *   To cause consumption of limited resources
    *   To cause destructive changes to network devices
    *   To change or destroy configuration information

**Why Are IoT Devices Easy Prey for Botnet Malware?**

The increased proliferation of IoT devices has become an attractive target for attackers. Further, most IoT devices include serious security issues like weak passwords, open access to management systems, default administrative credentials, or weak security configurations. As millions of IoT devices and their numbers continue to increase, they are not constantly updated to patch against security vulnerabilities.

Botnet attacks seize the opportunity of IoT vulnerabilities to take control of the devices and lead to disruptions in online services. They’re most placed on networks that are not monitored for the attack, making it easy for attackers to access them. Further, in most cases, the network where they reside offers a high-speed connection that enables a large amount of DDoS attack traffic.

**Major IoT Botnet DDoS Attack Trends**

IoT botnet DDoS attacks are not new; Mirai was the most prevalent and has continued to target IoT devices since 2016. Mirai made its debut on September 20, 2016, with a DDoS attack against cybersecurity expert Krebs’s blog. The next notable IoT botnet DDoS attack was in October 2016 against Dyn, a major DNS (Domain Name Service). The Mirai botnet assaulted the victim with one terabit traffic per second, which made a new record in a DDoS attack.

According to the ENISA threat landscape report, in 2019, the Mirai variants increased by 57%. The Verizon data breach investigations report recorded 103 699 botnet incidents primarily targeting professional, financial, and information services industry verticals.

A new variant of Mirai called Mozi accounted for the most observed flooded traffic in late 2019 through 2020. The Mirai and its variant continue to pose a threat in 2021; they broadened their attack with its significant new capabilities.

Attackers use multiple botnets based on Mirai and Mozi botnets like Echobot, BotenaGo, Moonet, and Loli to target devices. According to Sam’s report on the IoT security landscape, more than 1 billion IoT security attacks took place in 2021, nearly 62 million of which were IoT-related DDoS attacks.

**How Can You Protect Against IoT Botnet DDoS Attacks Today?**

As the botnet landscape expands and highly sophisticated threats become inevitable, enterprises must move beyond legacy security solutions.

The first step to addressing these ongoing security challenges is moving to comprehensive risk-based security solutions. In addition, advanced, automated endpoint detection and protection solutions must offer complete visibility into IoT devices and their security state.

As always, prevention steps should be implemented to stay protected from such attacks:

*   Monitor incoming and outgoing traffic on your network for malicious activities with a web application firewall. Next-gen WAF like Indusface AppTrana can block bad bots from specific IPs while ensuring a smooth transfer of legitimate bot traffics.
*   Monitor login attempts and create a lookout for spikes
*   Keep IoT devices on protected networks
*   Perform continuous security testing on IoT devices

**The Closure**

DDoS attacks are the standard intent of an IoT botnet. DDoS may be an unavoidable part of the new reality, but you don’t need to take it as the new norm. Architect robust security solutions to properly secure your businesses.

IoT Botnets Fuels DDoS Attacks – Are You Prepared?

SecuriThings' CEO Roy Dagan tackles the sometimes overlooked security step of physical security maintenance and breaks down why it is important.

SecuriThings’ CEO Roy Dagan tackles the sometimes overlooked security step of physical security maintenance and breaks down why it is important.

Infosec Insiders author Roy Dagan, CEO, SecuriThings

A crime occurs, police go to access video of the scene and then discover that crucial views are not available due to an outage or malfunction. This is precisely what the NYPD encountered in the recent subway shooting  in New York City this past April when multiple surveillance cameras and video feeds failed at subway stations where the shooter was active. Should this be happening in 2022?

Unfortunately, outages of surveillance video are more common than you might think. There are many incidents that happen every year where having a working physical security system could have helped catch the perpetrators early.

But in many cities and enterprises there is a startling  gap in maintenance of expensive security technology installed to protect the public. Equally surprising: this public safety problem is eminently fixable. In case after case, manual audits, planned periodic manual checks, and reliance on a variety of third parties simply don’t lead to accurate diagnostics or maintenance taking place.

The NYC case is not unique; it’s just the most recent high-profile example. The maintenance disconnect is seen in security systems nationwide. Investment in physical security for governments, transport systems, cities, hospitals, and many venues can reach millions of dollars per year. But what good is it to buy the equipment without organizing  maintenance to be effective – to actually _happen_? This massive industry problem is, by extension, also a public safety and law enforcement issue.

****Physical Security Doesn’t Get the Maintenance It Needs****

It’s striking that hundreds – perhaps thousands – of cases of physical security system failure happen each year and remain in the shadows. What happened with the New York’s subway surveillance is most notable for one reason: it made news because it may have impeded identification of a terror suspect.

Cyber criminals routinely attempt to compromise IoT devices like networked cameras as entry points to attack IT networks. That’s just one reason cybersecurity must extend to connected devices used for physical security. But modern physical security infrastructure needs additional 24/7 automated protection and cyber management – beyond blocking hackers – to maintain 99% uptime and fulfill its physical security function.

In Atlanta, the most-surveilled U.S. city (49 cameras per 1,000 inhabitants), a 2021 murder in a park went unrecorded because nine cameras were down. Atlanta tries to have each of its 25,000-odd cameras checked twice a week, but is hampered by having different maintenance agreements with various providers and camera vendors for different makes. To its credit, Atlanta managed to drive down its not-working ratio down from 18% to 10%, but that is still twice its stated target.

****Why Security Cameras Must Not Fail, and Why They Do****

Every camera counts. One camera being down can mean no criminal identification. Multiple views are often necessary to secure arrests and convictions – making them far more important than 14-megapixel resolution. For identification purposes, a wide-angle view is rarely definitive. Conclusive identification usually comes from a narrow-angle view, so area coverage requires numerous cameras or mobile units.

Multiple cameras allow seamless tracking of a perpetrator from a crime scene, tracing a person from camera to camera to camera. That can lead to a vehicle or positive ID, or even enable police to establish stalking and intent, and identify collaborators. Knock one camera out of action, and the chain of identification can be broken.

There is another obvious reason physical safety depends on having a sufficient number of cameras up and running to catch multiple views: minutes and seconds of delay in identifying matter a great deal.

If a security device malfunctions when most needed, the cost to the organization can be very high. The price in human terms could even be higher. An assault on company property that goes unseen and unstopped by security guards because a camera fails as a result of insufficient maintenance, could directly lead to tragic outcomes for victims, and of course, lawsuits.

Video loss on surveillance security cameras is common. The causes can include severe weather, network issues, bad power supply, cabling problems, defective hardware, software bugs, IP address conflicts, and misconfiguration. And malicious hacking – or plain old vandalism.

Despite the wide range of root causes, the #1 cause of non-working video is simple lack of maintenance. Resource-constrained organizations may underestimate maintenance needs and costs. The fact is, many NVR and DVR systems fail within three years, so predictive maintenance is key. Since the unpredictable happens, it’s essential that system operators have fast, remote outage detection and diagnostic capability.

Manual maintenance checks are not scalable, and they are expensive. Atlanta recently estimated its cost of maintenance at $600 annually per camera, which is high. This shows the high cost of farming out maintenance to third parties that may do sporadic manual checks, rather than having automated, centralized control of devices and visibility into diagnostics.

****In 2022, Maintenance of Physical Security Systems Should Not Be an Afterthought****

It’s time for all facility operators, not just New York’s MTA, to adopt the technology that can manage and scale with their camera installations, and answer the urgency of central monitoring of their operation and security. NYC has 10,000 cameras in its subway system; the city of San Francisco  has over 2,000 networked cameras overseen by neighborhood groups. Chicago has approximately  32,000 cameras.

Let’s picture this. After costly, laborious manual checks of surveillance cameras, a list of outages – often without accurate diagnostics – is handed upward, and is easily forgotten in a folder or desk drawer. By contrast, a centralized system that is constantly checking _every_ camera, and doesn’t forget to alert management with accurate diagnostics when problems arise, is hard to ignore. Moreover, when  it’s abundantly clear the system keeps track of just how long each camera was offline, quick action is incentivized. This type of management platform can also automate and carry out key security and maintenance operations such as firmware upgrades and password rotations that are essential to the health and uptime of each device.

These functions scale effectively when all the equipment is tracked and managed in one system; by contrast, a patchwork quilt of \[manual\] maintenance measures will have gaps and is proven ineffective..

For tasks like routine maintenance, full visibility is needed to know which cameras are down, and then determine why. Security staff and IT need remote diagnosis of malfunctioning units, to know whether an onsite technician visit is necessary.  Given the technology available to manage and protect them today, all security cameras in public-facing and urban settings and transit systems should be properly secured, maintained, and managed – and they should work. It’s just too risky and costly to keep doing what does not work.

_Roy Dagan is CEO and & Co-founder of SecuriThings—the provider of the first IoTOps solution designed to help organizations maximize their devices’ operational efficiency and security. He started the company after many years of building cyber security, risk management and intelligence systems. Prior to SecuriThings, Roy held multiple roles leading product management teams in a range of companies including RSA, The Security Division of EMC and NICE Systems._

Why Physical Security Maintenance Should Never Be an Afterthought

Also known as the Atlantis Cyber-Army, the emerging organization has an enigmatic leader and a core set of admins that offer a range of services, including exclusive data leaks, DDoS and RDP.

Also known as the Atlantis Cyber-Army, the emerging organization has an enigmatic leader and a core set of admins that offer a range of services, including exclusive data leaks, DDoS and RDP.

A for-hire cybercriminal group is feeling the talent-drought in tech just like the rest of the sector and has resorted to recruiting so-called “cyber-mercenaries” to carry out specific illicit hacks that are part of larger criminal campaigns.

Dubbed Atlas Intelligence Group (A.I.G.), the cybergang has been spotted by security researchers recruiting independent black-hat hackers to execute specific aspects of its own campaigns. A.I.G., also known as Atlantis Cyber-Army, functions as a cyber-threats-as-a-service criminal enterprise. The threat group markets services that include data leaks, distributed denial of service (DDoS), remote desktop protocol (RDP) hijacking and additional network penetration services, according to a Thursday report by threat intelligence firm Cyberint.

“\[A.I.G.\] has introduced us to out-of-the-box thinking,” Cyberint’s Shmuel Gihon wrote in the report.

**_\[FREE On-demand Event: Join Keeper Security’s Zane Bond in a Threatpost roundtable and learn how to securely access your machines from anywhere and share sensitive documents from your home office. WATCH HERE.\]_**

A.I.G., according to researchers, is unique in its outsourcing approach to committing cybercrimes. Organized threat groups tend to recruit individuals with certain capabilities that they can reuse and incent them with profit sharing. For example, Ransomware-as-a-Service organized crime campaigns can involve multiple threat actors – each getting a cut of any extorted lucre or digital assets stolen. What makes A.I.G. different is it outsources specific aspects of an attack to “mercenaries” who have no further involvement in an attack.

The report’s author, Gihon, said only A.I.G. administrators and the group’s leader—dubbed Mr. Eagle—know fully what the campaign will be and outsource isolated tasks to hired guns based on their skillsets.

****Unique Business Model****

This uncommon business model also allows the group, which has been operating since the beginning of May, to offer a range of cybercriminal services instead of a single core competency, he said.

“While many groups are focusing on one, maybe two, services that they offer, Atlas seems to grow rapidly and expand its operations in an efficient way which allows them to offer many services,” Gihon wrote.

A.I.G. tends to target government and state assets in countries all over the world, including the United States, Pakistan, Israel, Colombia and United Arab Emirates, researchers found.

Mr. Eagle not only leads the campaigns but also doubles as a chief marketing officer of sorts, putting a significant effort into advertising A.I.G.’s various cybercriminal services, he said.

****Anatomy of a Threat Group****

Researchers took a deep dive into how A.I.G. operates, communicates and manages its operations, as well observed the specific cybercriminal services it offers.

DDoS seems to be the group specialty, with Atlas providing solid proof of execution to customers for as little as 20 euros per victim, researchers said. The group also offers a popular data-leak services that focuses on anything that might be valuable to potential buyers, Gihon said.

A.I.G. has published leaked databases from all over the world for sale, with a starting price from 15 euros, researchers said. The group targeted various sectors in the breaches, including education, finance, government entities, manufacturing and technology, they said.

A.I.G. also has premium services that demand more skill and demonstrate the group’s sophistication, researchers said. One of these products is hacked panels and initial access to organizations, with prices for these services starting from about $1,000.

The group also offers “VIP services” that claim ties to people in law-enforcement positions across Europe that can give customers access to sensitive information about specific individuals, researchers said.

****Multi-Channel Communication****

Telegram is the communication platform of choice for A.I.G., with the group operating three different Telegram channels with thousands of subscribers, researchers said. One is a database marketplace for selling leaked databases, and another is a commercial channel that also includes announcements and updates from the group, they said.

Atlas also operates a unique Telegram channel in which Mr. Eagle and the group’s administrators publish the contracts that the group offers to those hired to perform attacks. This allows subscribers to sign up depending on what they can offer and helps the group recruit various cybercriminals, such as red teamers, social engineers and malware developers, researchers said.

Atlas sells its services primarily on an e-commerce store on the site Sellix.io, a forum that offers payment with cryptocurrency and acts as a broker, providing the privacy-conscious group with an extra layer of anonymity, Gihon said.

“Observing the behavior of the group in general and the leader in particular, it seems that operation security (OpSec) is a top priority,” he wrote.

****The (Mr.) Eagle Has Landed****

Indeed, the group’s leader is an enigmatic figure who appears to run a tight ship in terms of his overall maturity and professionalism, exhibiting logical and meticulous decision-making and behavior that leaves “no room for errors,” Gihon wrote.

“Mr.Eagle tends to have very strict rules in the management of the group, including banning and throwing \[out\] scammers and other threat actors that try to advertise their products,” he wrote. “It seems that Mr.Eagle maintains very high reliability among the group.”

This type of leadership apparently comes in handy when delegating tasks to general administrators, of which A.I.G. appears to have at least four—dubbed El Rojo, Mr.Shawji, S41T4M4 and Coffee, researchers said. The administrators carry out day-to-day advertising tasks as well as management of group operations and communication channels, researchers said.\\

The hired contractors, or “mercenaries,” who carry out the nefarious activities of the group are the lowest rung of the A.I.G. structural ladder. This part of the group is a revolving door of cybercriminals who are hired to work only on a particular campaign based on their skillset, researchers said.

**_\[FREE On-demand Event: Join Keeper Security’s Zane Bond in a Threatpost roundtable and learn how to securely access your machines from anywhere and share sensitive documents from your home office. WATCH HERE.\]_**

Hackers for Hire: Adversaries Employ ‘Cyber Mercenaries’

Aamir Lakhani, with FortiGuard Labs, answers the question; Why is the Conti ransomware gang targeting people and businesses in Costa Rica?

Aamir Lakhani, with FortiGuard Labs, answers the question; Why is the Conti ransomware gang targeting people and businesses in Costa Rica?

Any time conflict erupts, people tend to take sides, even when it comes to cybercrime. Since the beginning of the ongoing Russian-Ukrainian war, some bad actors have made their alliances known publicly.

The Conti Ransomware-as-a-Service (RaaS) group is one of the most notable – declaring in February that they were backing Russia and would use their arsenal accordingly.

Their latest target seems to be the entire country of Costa Rica, which expressed its opposition to the Russian invasion. This begs the question: Should other countries be concerned? Why is this happening now, and what does it portend?

**The rise of Conti**

The Conti ransomware group is behind many prominent attacks, including the one that took down the Irish healthcare service in May 2021. Conti was also ranked by the FBI (PDF) as the top ransomware variant targeting critical infrastructure in 2021. The bureau identified at least 16 attacks by Conti ransomware against U.S. healthcare and First Responder networks, including emergency medical services, law enforcement agencies and 9-1-1 dispatch centers last year.

Last year, Conti’s internal chat logs were leaked – essentially, their playbook was made public. And more internal records leaked earlier this year showed the group was essentially operating like a company. These documents – ironically leaked in retaliation for Conti’s pro-Russia stance – showed that the ransomware ring has a human resources department, offers bonuses and even names an employee of the month.

And since then, what we’re seeing and hearing seems to indicate that Conti is trying to overcome these reputational setbacks by setting out to prove they are legitimate, sophisticated and still very relevant. We’re seeing this in terms of how they recruit, too – going after other threat actors and holding, essentially, recruitment events not that different from what you might expect from big Silicon Valley companies (though obviously a bit more underground).

While we don’t think they’re a nation-state actor, they’ve certainly made their affiliation well-known and are acting accordingly. That said, the driving factor still always comes back down to money. and they’re trying to make sure they stay on top.

****The Evolution of Ransomware****

The attack on Costa Rica has cost the nation millions of dollars. Tax payments were disrupted and staff at the 27 affected government agencies had to revert to pen and paper as their computers remained useless. With this attack, there’s evidence that this is essentially an attempt by Conti to “rebrand” – with news coming not long after the attack that Conti was shutting down in its current form.

But the big takeaway here is – what do attacks like the one against an entire nation say about how ransomware is evolving? For one thing, while money is still obviously the driving factor, we’re seeing that notoriety and “fame-seeking” also plays a role. Conti has been direct in its desire to not only extort money but to overthrow the Costa Rican government – that’s a new wrinkle in ransomware that only adds to the attackers’ notoriety.

We’re also seeing attacks that seem primarily focused on destruction. FortiGuard Labs researchers recently uncovered a new variant of Chaos ransomware in which the attacker has no intention of providing a decryption tool or file instructions – it’s all about destroying whatever it can.

Bad actors are clearly trying to stoke fear about what could possibly happen. There is still the financial component of ransomware, but at the same time, they are trying to flex their muscles more. It’s quite possible that there are competing philosophical differences between the groups. But it’s definitely more about spreading fear so that companies will pay whatever attackers ask. As tensions rise, that can change daily.

What does this signify in terms of how malware and ransomware are evolving? We’re likely going to see much more destructive ransomware attacks with wiper malware, which will completely destroy data. We’re going to see more aggressive ransomware attacks using Wiper malware. What we’re seeing is that bad actors are now less afraid of using more sophisticated attacks – they’re no longer afraid to try those out – and, unfortunately, it’s going to be much harder to contain and detect them.

****Stay strong****

More recently, the Chaos ransomware variant has sided with Russia, leaving observers to wonder what this could mean from a cybersecurity standpoint. The implications for cyber proxy wars are huge, both for national governments and the profitable companies within their borders. Taking a stand could now unleash additional, digital consequences.

However, organizations don’t have to cower before ransom requests if they have the proper security strategy in place. This includes a comprehensive and integrated security mesh, current threat intelligence, a strong cyber hygiene program and top-notch employee training. Keep your ear to the ground and continue to execute on both advanced and basic security measures, and you’re likely to weather the ransomware storms.

**_Aamir Lakhani is cybersecurity researcher and practitioner at FortiGuard Labs_.**

**_Enjoy additional insights from Threatpost’s Infosec Insiders community by visiting our microsite._**

Conti’s Reign of Chaos: Costa Rica in the Crosshairs

300 restaurants and at least 50,000 payment cards compromised by two separate campaigns against MenuDrive, Harbortouch and InTouchPOS services.

300 restaurants and at least 50,000 payment cards compromised by two separate campaigns against MenuDrive, Harbortouch and InTouchPOS services.

Magecart campaigns have been skimming payment-card credentials of unsuspecting customers using three online restaurant-ordering systems, affecting about 300 restaurants that use the services and compromising tens of thousands of cards so far, researchers have found.

Two separate ongoing Magecart campaigns have injected e-skimmer scripts into the online ordering portals of restaurants using three separate platforms: MenuDrive, Harbortouch, and InTouchPOS, researchers from Recorded Future revealed in a blog post this week. One appears to have begun last November, and the other in January, they said.

_\[**FREE On-demand Event**: **Join Keeper Security’s Zane Bond in a Threatpost roundtable and learn how to securely access your machines from anywhere and share sensitive documents from your home office.** **WATCH HERE**.\]_

“Across all three platforms, at least 311 restaurants have been infected with Magecart e-skimmers, a number that is likely to grow with additional analysis,” researchers from Recorded Future’s Insikt Group wrote in the report.

Magecart is a general term for cybercriminals who use card-skimming technology to steal credentials from payment cards used at point-of-sale (POS) or e-commerce systems. They typically end up selling these stolen credentials on hacker forums on the dark web.

The infections on the restaurants’ websites affected in the two campaigns observed by Recorded Future “often result in the exposure of customers’ payment card data and PII (their billing information and contact information),” researchers noted.

So far, researchers have identified more than 50,000 compromised payment card records from the campaigns posted for sale on the dark web, and they expect more stolen data to be posted in the future, they said.

****Campaign Specifics****

Researchers found that MenuDrive and Harbortouch were targeted by the same Magecart attacker, a campaign that resulted in e-skimmer infections on 80 restaurants using MenuDrive and 74 using Harbortouch.

“This campaign likely began no later than Jan. 18, 2022, and as of this report, a portion of the restaurants remained infected,” they noted in the post. However, the malicious domain used for the campaign, which researchers identified as authorizen\[.\]net, has been blocked since May 26, they said.

A separate and unrelated Magecart campaign targeted InTouchPOS even earlier, beginning no later than Nov. 12, 2021, researchers said. In that one, 157 restaurants using the platform were infected by e-skimmers, a portion of which remain this way, and the malicious domains associated with the campaign–bouncepilot\[.\]net and pinimg\[.\]org–remain active, they said.

Moreover, the tactics and indicators of compromise associated with the campaign targeting InTouchPOS are similar to those of other cybercriminal activity targeting 400 e-commerce websites that deal in different types of transactions since May 2020, according to Recorded Future. More than 30 of the affected sites in the related campaign remain compromised as of June 21, researchers said.

****Low-Hanging Fruit****

While centralized restaurant ordering platforms like Uber Eats and DoorDash dominate the market for such systems and are far more well-known than the ones affected by the campaigns, the hundreds of smaller platforms on the internet that serve local restaurants remain a valuable target for cybercriminals, researchers noted.

“Even small-scale platforms may have hundreds of restaurants as clients,” they said, which means targeting a smaller platform can expose scores of online transactions and payment-card info. Indeed, these platforms serve as low-hanging fruit for attackers, who tend to “seek the highest payout for the least amount of work,” researchers noted.

E-commerce sites in general face persistent challenges in securing their sites, and often contain vulnerable code from third-party or supply-chain partners that is easy for attackers to compromise and can have downstream effects, noted one security professional.

“This is another example of the web attack lifecycle–the cyclical and continuous nature of cyberattacks–where a data breach on one site, perhaps as a result of a Magecart attack, fuels carding, credential stuffing or account take-over attacks on another site,” Kim DeCarlis, chief marketing officer at cybersecurity company PerimeterX, wrote in an email to Threatpost.

_\[**FREE On-demand Event**: **Join Keeper Security’s Zane Bond in a Threatpost roundtable and learn how to securely access your machines from anywhere and share sensitive documents from your home office.** **WATCH HERE**.\]_

Magecart Serves Up Card Skimmers on Restaurant-Ordering Systems

Four newly discovered attack paths could lead to PII exposure, account takeover, even organizational data destruction.

Four newly discovered attack paths could lead to PII exposure, account takeover, even organizational data destruction.

Researchers have discovered four “high impact” security risks in the identity and access management (IAM) platform Okta, according to a Tuesday report.

The risks include cleartext password leakage via SCIM – the System for Cross-domain Identity Management – sharing of passwords and other data over unencrypted HTTP channels, default configurations which allow admins to invade other organizations’ IT environments, and mutable identity log spoofing.

Attackers who take advantage of these risks could steal authentication data, access sensitive personal and financial information and disrupt Okta-managed IT environments.

**The Risks in IAM**

IAM software organizes which individuals have access to which resources in an IT environment. Platforms like Okta also offer features like password management and single sign-on, allowing users to more seamlessly login and move from one software environment to another. In all, IAMs are quite convenient for users and administrators alike.

However, an insecure IAM is convenient for attackers for many of the same reasons. The newly discovered risks in Okta could allow hackers or malicious insiders to obtain passwords, take over administrator accounts, or even destroy an entire organization’s data.

Take, for example, the third risk outlined in the report.

For global and distributed organizations, Okta utilizes a hub and spoke architecture, where the parent company (“hub”) oversees and provides services for the smaller independent businesses (“spokes”) it controls. What the researchers discovered is that an admin in an Okta spoke “can impersonate any account in the hub and/or a downstream app connected to the hub.” The report lays out how this might occur, hypothetically:

> _A small company was acquired by a large Fortune 500. The corporation connected the small company’s Okta as a spoke to their main Okta which acts as their hub with the default configuration. A compromised admin from the acquired company’s spoke gains super admin privileges throughout their Okta hub by impersonating a super admin, and therefore achieves full, unlimited access to the corporate’s entire collection of apps and services._

The small company’s administrator could access other businesses’ IT environments – including the one belonging to the large Fortune 500 itself – to steal or destroy sensitive data, or leverage the data to do just about anything else.

**Are These Vulnerabilities?**

The researchers were careful to characterize their findings as “risks,” rather than outright vulnerabilities. When they reached out to Okta, Okta explained that “the features are performing as designed and should not be categorized as vulnerabilities.” How could that be?

Consider our earlier example. The small company admin can obtain unauthorized access to the hub and other spokes by creating a user with the same identifier as an admin in the hub. That two users in a giant hub and spoke environment can have the same username “is intentional and meant to make it easier to scale access controls across the organization while limiting the scope of control to a specific spoke.” However, in practice, they expose the hub to any rogue admin.

Okta offers a way to turn off username duplication, but “these controls are not set by default, making the user potentially insecure from the initial settings. Okta also does little in their guide to explain to their users that they may be at significant risk from these insecure default settings.”

“Okta has very good security practices in many areas,” the researchers noted, adding that “we are sure similar issues exist in other IAM providers.” So, in concluding their study, “our recommendation is that organizations take a proactive approach to implement independent security solutions for their IAM tools.”

Authentication Risks Discovered in Okta Platform

Threat actors offer victims what appear to be investment services from legitimate companies to lure them into downloading malicious apps aimed at defrauding them.

Threat actors offer victims what appear to be investment services from legitimate companies to lure them into downloading malicious apps aimed at defrauding them.

Threat actors have defrauded 244 U.S. investors of about $42 million through fake cryptocurrency apps that exploit people’s legitimate investments in digital currency, the FBI has revealed.

The agency observed a number of cybercriminal campaigns that duped people into downloading malicious apps through which threat actors extorted money from victims, the FBI said in a Private Industry Notification published Monday.

Threat actors used the names, logos and other identifying info of legitimate U.S. financial institutions to gain the trust of and fool investors into thinking they were interacting with an actual cryptocurrency-related firm, the agency said. They even went so far as to create fake websites using the info as part of their ruse to gain the trust of investors, according to the FBI.

_\[**FREE On-demand Event**: **Join Keeper Security’s Zane Bond in a Threatpost roundtable and learn how to securely access your machines from anywhere and share sensitive documents from your home office.** **WATCH HERE**.\]_

Indeed, the rise of interest and investment in cryptocurrency also has made it a popular target for cyber thieves, who have invented creative ways to get people to trust them into falling for malicious campaigns.

In February of last year, hundreds of investors fell prey to a fake cryptocurrency scam that conned them out of $11 million through investments in a fake cryptocurrency called “Bitcoiin.” The campaign even had celebrity backing, as actor Steven Seagal was hired to promote the company called “Bitcoiin2Gen” or “B2G” that served as the front for the fraudulent activity.

The latest FBI warning also is not the first time the feds sounded an alarm over cybercriminals targeting investors. About a year ago the FBI warned that threat actors were posing as financial advisors to try to lure victims into various investment scams.

****Malicious Campaigns Uncovered****

In its warning, the FBI revealed the details of three specific cryptocurrency fraud campaigns observed between October 2021 and May 2022 that alone defrauded investors of more than $10 million.

In a campaign that occurred between 4 October 2021 and 13 May 2022, cybercriminals operating used the company name YiBit to steal about $5.5 million from at least four victims, according to the FBI.

Threat actors convinced victims to download a bogus  app and deposit cryptocurrency into wallets associated with their YiBit accounts. Once the deposits were made, 17 of the victims received an email stating they had to pay taxes on their investments before withdrawing funds. Four victims who were ultimately defrauded said that they could not withdraw funds through the app.

In a similar campaign that occurred between Dec. 22, 2021, and May 7, 2022, cybercriminals impersonated a a legitimate U.S. financial institution to steal about $3.7 million from at least 28 victims, according to the FBI.

Again, threat actors convinced victims to download an app that used the name and logo of the legitimate company and deposit cryptocurrency into wallets associated with the victims’ accounts on the app.

When 13 of the 28 victims attempted to withdraw funds from the app, they received an email stating they had to pay “taxes” on their investments first before making withdrawals. After proceeding to pay the bogus tax, they still couldn’t withdraw funds from the apps, according to the FBI.

Yet another investor-fraud campaign occurred between Nov. 1 and Nov. 28, 2021, with threat actors this time operating under the company name Supayos, also known as Supay. This campaign, which snared two victims, instructed targets to download the Supay app and make multiple cryptocurrency deposits into the crypto wallets associated with their accounts.

In November 2021, the cyber criminals told one victim without previous consent or knowledge that he was enrolled in a program requiring a minimum balance of $900,000; upon trying to cancel the subscription, attackers told the victim to deposit the requested funds or his assets would be frozen.

****Precautions Urged****

The FBI is urging both institutions and individuals alike to take some basic precautions to avoid being defrauded when dealing with cryptocurrency transactions.

Institutions should proactively warn customers about the potential for such activity and provide a way for their customers to report it. They also should inform customers about the specifics of their own cryptocurrency-related services—such as if the company actually has a cryptocurrency app–so clients can identify legitimate communications and transactions, the FBI said.

Institutions also should periodically conduct online searches for any unauthorized use of company name, logo or other identifying info to determine if cybercriminals are using it for nefarious purposes.

Investors themselves also can protect themselves by being wary of unsolicited requests to download investment applications, verifying if an app is legitimate before downloading it, and treating apps with limited and/or broken functionality with suspicion, according to the FBI.

The FBI is encouraging people to report any suspicious activity related to cryptocurrency fraud to their local field offices.

_\[**FREE On-demand Event**: **Join Keeper Security’s Zane Bond in a Threatpost roundtable and learn how to securely access your machines from anywhere and share sensitive documents from your home office.** **WATCH HERE**.\]_

FBI Warns Fake Crypto Apps are Bilking Investors of Millions

Google removed eight Android apps, with 3M cumulative downloads, from its marketplace for being infected with a Joker spyware variant.

Google removed eight Android apps, with 3M cumulative downloads, from its marketplace for being infected with a Joker spyware variant.

Google has removed eight apps from its Google Play store that were propagating a new variant of the Joker spyware, but not before they already had garnered more than 3 million downloads.

French security researcher Maxime Ingrao of cybersecurity firm Evina discovered a malware that he dubbed Autolycos that can subscribe users to a premium service as well as access users’ SMS messages,. according to a post he made on Twitter last week. This type of malware–in which malicious applications subscribe users to premium services without their knowledge or consent to rack up payment charges–is called toll fraud malware, or more commonly, fleeceware.

_\[**FREE On-demand Event**: **Join Keeper Security’s Zane Bond in a Threatpost roundtable and learn how to securely access your machines from anywhere and share sensitive documents from your home office.** **WATCH HERE**.\]_

Ingrao said he discovered eight applications on the site spreading Autolycos since June 2021 that had racked up several million downloads. The cybercriminals behind Autolycos are using Facebook pages and running ads on Facebook and Instagram to promote the malware, he said.

“For example, there were 74 ad campaigns for Razer Keyboard & Theme malware,” Ingrao tweeted in one of a series of follow-up posts describing how the malware works.

****Joker Rides Again****

Ingrao compared the malware to Joker, a spyware discovered in 2019 that also secretly subscribed people to premium services and stole SMS messages, among other nefarious activities.

Indeed, upon further examination, researchers from Malwarebytes believe the malware is a new variant of Joker–what Malwarebytes refers to as “Android/Trojan.Spy.Joker–Malwarebytes intelligence researcher Pieter Artnz said in a post published a day after Ingrao’s revelation.

Joker was the first major malware families hat specialized in in fleeceware, according to Malwarebytes. The trojan would hide in the advertisement frameworks utilized by the malicious apps propagating it; these frameworks aggregate and serve in-app ads.

After the apps with Joker were installed, they would show a “splash” screen, which would display the app logo, to throw off victims while performing various malicious processes in the background, such as stealing SMSes and contact lists as well as performing ad fraud and signing people up for subscriptions without their knowledge.

****Difference in Execution****

One difference between the original Joker and Autolycos, however, was pointed out by Ingrao.”No webview like #Joker but only http requests,” he tweeted.

“It retrieves a JSON (Java Script Object Notation) on the C2 address: 68.183.219.190/pER/y,” Ingrao said of Autolycos in a tweet. “It then executes the URLs, for some steps it executes the URLs on a remote browser and returns the result to include it in the requests.”

Malwarebytes’ Artnz also explained this difference further in his post. While Joker used webviews—or a piece of Web content, such as “a tiny part of the app screen, a whole page, or anything in between”—to do its dirty week, Autolycos avoids this by executing URLs on a remote browser and then including the result in HTTP requests, he wrote.

This helps Autolycos evade detection even more adeptly than the original Joker, according to Malwarebytes’ Artnz said. “Not requiring a WebView greatly reduces the chances that the user of an affected device notices something fishy is going on,” he wrote.

****Lag Time in Discovery and App Removal****

The eight apps in which Ingrao discovered Autolycos are:

*   Vlog Star Video Editor (com.vlog.star.video.editor) – 1 million downloads
*   Creative 3D Launcher (app.launcher.creative3d) – 1 million downloads
*   Wow Beauty Camera (com.wowbeauty.camera) – 100,000 downloads
*   Gif Emoji Keyboard (com.gif.emoji.keyboard) – 100,000 downloads
*   Freeglow Camera 1.0.0 (com.glow.camera.open) – 5,000 downloads
*   Coco Camera v1.1 (com.toomore.cool.camera) –  1,000 downloads
*   Funny Camera by KellyTech –  500,000 downloads
*   Razer Keyboard & Theme by rxcheldiolola – 50,000 downloads.

While Ingrao discovered the offending apps in July 2021 and reported them to Google quickly, he told BleepingComputer that the company took six months to remove six of the apps. Moreover, Google only finally removed the last two on July 13, according to Malwarebytes.

Artnz was critical of the lag time between discovery and removal, though he did not speculate as to the reason why, noting only that “the small footprint and masked usage of APIs must make it hard to find malicious apps among the multitude of apps that can be found in the Google Play Store.”

“It’s possible \[the malicious apps\] would still be available if the researcher hadn’t gone public because he said he got tired of waiting,” Artnz wrote.

Google did not immediately respond to request for comment on Monday. Indeed, the company has a storied history of struggling to keep malicious apps—in particular fleeceware-\-off its mobile app store for the Android platform.

_\[**FREE On-demand Event**: **Join Keeper Security’s Zane Bond in a Threatpost roundtable and learn how to securely access your machines from anywhere and share sensitive documents from your home office.** **WATCH HERE**.\]_

Source

Threatpost