Categories: News
Categories: Personal
Stalkerware-type app LetMeSpy has been hacked, with the attacker taking user data with it, the service has announced.



(Read more...)




The post Spyware app LetMeSpy hacked, tracked user data posted online appeared first on Malwarebytes Labs.

Stalkerware-type app LetMeSpy says it has been hacked, with the attacker taking user data with it.

From the message posted to the login screen on the LetMeSpy website:

> On June 21, 2023, a security incident occurred involving obtaining unauthorized access to the data of website users.
> 
> As a result of the attack, the criminals gained access to e-mail addresses, telephone numbers and the content of messages collected on accounts.

To be clear, much of the data that was stolen is the data from the phone which has the tracking app on it, which has likely been installed without the phone owner's knowledge. That's because LetMeSpy is often invisible to the phone's owner. 

So as long as someone can get quick access to install an app on your Android phone, they can monitor you. Once the app is on your phone, you often can't tell it's there. However, in the background, it is maliciously uploading all your calls, texts, and location to the LetMeSpy servers, which is what has now been hacked.

These sorts of apps have been used by people wanting to monitor their partner's movements, along with parents and employers.

Polish site Niebezpiecznik first reported the breach. In the database file which was later dumped online, the blog said there was:

*   26,000+ email addresses of the tool's "operators" along with hashes of their passwords.
*   16,000+ text messages, including passwords and codes for various services
*   Telephone numbers of people who had contacted the tracked phones
*   Telephone numbers of the people whom the tracked phone owner had called (along with the names associated with them in the contacts list)
*   Database dump in SQL format, containing more data, including locations

Spokesman Adam Sanocki for the Polish data protection authority UODO confirmed to TechCrunch that it had received a breach notice from LetMeSpy. When many breaches happen, the affected company should inform users that their data has been breached. But the users of the service here are the ones tracking people, and, sadly, it's unlikely they're going to let the people they are spying on know that their data has been taken.

**How to prevent spyware and stalkerware-type apps**

*   Set a screen lock on your phone and don't let anyone else access it
*   Keep your phone up-to-date. Make sure you're always on the latest version of your phone's software.
*   Use an antivirus on your phone. Malwarebytes for Android shows you exactly what information you're sharing with each app on Android, so you can keep an eye on your privacy. Malwarebytes detects the LetMeSpy app as Android/Monitor.LetMeSpy.

**Coalition Against Stalkerware**

Malwarebytes is a founding member of the Coalition Against Stalkerware. We continue to share intelligence with the Coalition Against Stalkerware to improve industry-wide detections while also guiding the domestic abuse support networks within the coalition through thorny, technical questions of detection, removal, and prevention.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Spyware app LetMeSpy hacked, tracked user data posted online

If you have an IoT network powered by Pepper, you can now insure it through Embedded Insurance — even if your business is too small to support a SOC.

Consumers and small-to-midsize businesses (SMBs) that use Internet of Things (IoT) devices to manage smart homes and businesses have a new option for obtain cyber insurance — providing their service providers are using the Pepper IoT Platform-as-a-Service (PaaS) back end. The service, announced on June 28, allows users to opt for a minimum of $10,000 per device in coverage from their providers for each device without requiring them to submit cyber insurance applications. The insurance is available either as an add-on at the time of the sale from the service provider, or it can be purchased later.

Pepper CEO Scott Ford says that consumers currently have very few options to obtain comprehensive cyber insurance for their IoT devices. While individuals have some options to reduce their risk and become better candidates for cyber insurance, many do not know how to do so. Offering an actual cyber insurance policy — not just a rider to an existing home policy that might offer nominal coverage — provides real and measurable coverage for common cyber threats, he says.

While the consumer market is the primary target for this partnership, Ford says that SMBs that use surveillance cameras and similar IoT devices also can benefit from this low-cost cyber insurance alternative.

**Consumers Need Simple**

Toby Coleridge, chief product officer at Embedded Insurance (EI), which is Pepper's cyber insurance broker, says the process of obtaining a policy through his company — without the need to fill out long applications that must be processed through underwriting — is easy for the clients to understand. EI's policies are underwritten by Chubb, the top-ranking cyber insurance carrier in 2023.

Coleridge notes that these are real cyber insurance policies that are specifically designed to be simple to purchase. Unlike corporate cyber insurance policies — where rates and terms are based on an organization's existing cybersecurity controls, audits, penetration tests of networks, and negotiations with corporate boards, corporate counsels, and CISOs — these policies are off-the-shelf packages that are preconfigured and priced accordingly, much like purchasing an automobile policy.

"We haven't needed to look at putting in restrictions," he adds. "That's the complexity of SMB insurance versus the residential policy that we're using here. Ultimately, the whole point of this is to keep it as simple as possible."

Among the coverages offered are cyber financial fraud, cyber extortion (including ransomware coverage up to the policy's limits), identity theft, data restoration, device replacement, and cyber bullying. Policies are available starting at $5.28 per month per device. For higher limits, such as coverage up to $100,000 per device, the price could rise to $20 per device per month or more.

Coleridge sees personal cyber insurance as a growing market going forward. As social engineering attacks increase against individuals, the need for personal cyber insurance will increase as well, he says. "It's about protecting you against some of those threats that most consumers are probably naive to today," he adds.

**Security and Insurance Are Natural Partners**

Ford notes that in 2022 State Farm Insurance invested some $1.2 billion into the electronic alarm-monitoring security firm ADT, adding that the insurer could offer better rates to customers who proactively add security controls and thus become lower insurance risks. Similarly, Pepper late last year acquired Comcast business unit Notion, a smart property monitoring sensor system and app that enables home and small-business owners to monitor and reduce loss from costly property damage. In both cases, the acquired firms provide the new parent with on-the-ground intelligence that lowers the user's vulnerability to losses.

The partnership between Pepper and Embedded Insurance is similar to others. For example, earlier this month in the enterprise space, security operations center (SOC) and XDR vendor Arctic Wolf announced a similar program with cyber insurance carrier Cysurance. The Arctic Wolf model is designed for much larger enterprises that can support a SOC, as well as other enterprise-class security controls. As part of the program, Arctic Wolf customers can purchase up to $1 million worth of cyber insurance at an 80% discount from standard market rates.

Pepper and Embedded Insurance Partner on Cyber Insurance for Consumers, SMBs

Key findings from the research also show three of the four new malware threats on this quarter's top-ten list originated in China and Russia, living-off-the-land attacks on the rise, and more.

**SEATTLE – June 28, 2023 –** WatchGuard® Technologies, a global leader in unified cybersecurity, today announced the findings of its latest Internet Security Report, detailing the top malware trends and network and endpoint security threats analyzed by WatchGuard Threat Lab researchers in Q1 2023. Key findings from the data show phishers leveraging browser-based social engineering strategies, new malware with ties to nation states, high amounts of zero day malware, living-off-the-land attacks on the rise, and more. This edition of the report also features a new, dedicated section for the Threat Lab team’s quarterly ransomware tracking and analysis.

"Organizations need to pay more active, ongoing attention to the existing security solutions and strategies their businesses rely on to stay protected against increasingly sophisticated threats," said Corey Nachreiner, chief security officer at WatchGuard. "The top themes and corresponding best practices our Threat Lab have outlined for this report strongly emphasize layered malware defenses to combat living-off-the-land attacks, which can be done simply and effectively with a platform for unified security run by dedicated managed service providers."

Among its most notable findings, the Q1 2023 Internet Security Report reveals:

*   **New browser-based social engineering trends –** Now that web browsers have more protections preventing pop-up abuse, attackers have pivoted to using the browser notifications features to force similar types of interactions. Also of note from this quarter’s top malicious domains list is a new destination involving SEO-poisoning activity.
*   **Threat actors from China and Russia behind 75% of new threats in the Q1 Top 10 list –** Three of the four new threats that debuted on our top ten malware list this quarter have strong ties to nation states, although this doesn’t necessarily mean those malicious actors are in fact state-_sponsored_. One example from WatchGuard’s latest report is the Zusy malware family, which shows up for the first time in the top 10 malware list this quarter. One Zusy sample the Threat Lab found targets China’s population with adware that installs a compromised browser; the browser is then used to hijack the system’s Windows settings and as the default browser.
*   **Persistence of attacks against Office products, End-of-Life (EOL) Microsoft ISA Firewall –** Threat Lab analysts continue to see document-based threats targeting Office products in the most widespread malware list this quarter. On the network side, the team also noticed exploits against Microsoft’s now-discontinued firewall, the Internet Security and Acceleration (ISA) Server, getting a relatively high number of hits. Considering this product has long been discontinued and without updates, it is surprising to see attackers targeting it.
*   **Living-off-the-land attacks on the rise –** The ViperSoftX malware reviewed in the Q1 DNS analysis is the latest example of malware leveraging the built-in tools that come with operating systems to complete their objectives. The continued appearance of Microsoft Office- and PowerShell-based malware in these reports quarter after quarter underscores the importance of endpoint protection that can differentiate legitimate and malicious use of popular tools like PowerShell.
*   **Malware droppers targeting Linux-based systems –** One of the new top malware detections by volume in Q1 was a malware dropper aimed at Linux-based systems. A stark reminder that just because Windows is king in the enterprise space, this doesn’t mean organizations can afford to turn a blind eye to Linux and macOS. Be sure to include non-Windows machines when rolling out Endpoint Detection and Response (EDR) to maintain full coverage of your environment.
*   **Zero day malware accounting for the majority of detections –** This quarter saw 70% of detections coming from zero day malware over unencrypted web traffic, and a whopping 93% of detections from zero day malware from encrypted web traffic. Zero day malware can infect IoT devices, misconfigured servers, and other devices that don’t use robust host-based defenses like WatchGuard EPDR (Endpoint Protection Detection and Response).  
*   **New insights based on ransomware tracking data –** In Q1 2023, the Threat Lab tallied 852 victims published to extortion sites and discovered 51 new ransomware variants. These ransomware groups continue to publish victims at an alarmingly high rate; some are well-known organizations and companies in the Fortune 500. (Stay tuned for more ransomware tracking trends and analysis as part of WatchGuard’s quarterly Threat Lab research in future reports!)

Consistent with WatchGuard’s Unified Security Platform® approach and the WatchGuard Threat Lab’s previous quarterly research updates, the data analyzed in this quarterly report is based on anonymized, aggregated threat intelligence from active WatchGuard network and endpoint products whose owners have opted to share in direct support of WatchGuard’s research efforts.   
New for this Q1 2023 analysis, the Threat Lab team has updated the methods used to normalize, analyze, and present the report findings. While previous quarterly research results have primarily been presented in the aggregate (as global total volumes), this quarter and going forward the network security results will be presented as “per device” averages for all reporting network appliances. The full report includes additional detail around this evolution and the rationale behind the updated methodology, as well as details on additional malware, network, and ransomware trends from Q1 2023, recommended security strategies, critical defense tips for businesses of all sizes and in any sector, and more.

For a more in-depth view of WatchGuard’s research, read the complete Q1 2023 Internet Security Report here.

**About WatchGuard Technologies, Inc.**

WatchGuard® Technologies, Inc. is a global leader in unified cybersecurity. Our Unified Security Platform® approach is uniquely designed for managed service providers to deliver world-class security that increases their business scale and velocity while also improving operational efficiency. Trusted by more than 17,000 security resellers and service providers to protect more than 250,000 customers, the company’s award-winning products and services span network security and intelligence, advanced endpoint protection, multi-factor authentication, and secure Wi-Fi. Together, they offer five critical elements of a security platform: comprehensive security, shared knowledge, clarity & control, operational alignment, and automation. The company is headquartered in Seattle, Washington, with offices throughout North America, Europe, Asia Pacific, and Latin America. To learn more, visit WatchGuard.com.

For additional information, promotions and updates, follow WatchGuard on Twitter (@WatchGuard), on Facebook, or on the LinkedIn Company page. Also, visit our InfoSec blog, Secplicity, for real-time information about the latest threats and how to cope with them at www.secplicity.org. Subscribe to The 443 – Security Simplified podcast at Secplicity.org, or wherever you find your favorite podcasts.

_WatchGuard is a registered trademark of WatchGuard Technologies, Inc. All other marks are property of their respective owners._

WatchGuard Threat Lab Report Reveals New Browser-Based Social Engineering Trends

The new brand is launched alongside new product security platform capabilities such as a vulnerability management (VM) co-pilot and incident response investigation management, providing automation and workflows for the many teams involved in product security.

**TEL AVIV, Israel****,** **June 28, 2023** **/PRNewswire/ --** Cybellum, creator of the award-winning Product Security Platform for device manufacturers, unveiled today a new brand identity and new platform capabilities reinforcing its commitment to the product security community.

The new brand channels the company's focus on the multiple teams involved in today's product security operations.

Now more than ever, product security is a multi-team effort - from vulnerability management to software quality assurance, SBOM management, incident response, and compliance, each part of the workflow is governed by a different team, requiring a specialized, yet unified approach. The new brand, together with the new platform capabilities enables teams across the organization to automate and simplify the many security tasks they have, making the process more efficient and collaborative at the same time.

Some of the new platform capabilities include:

*   A new interface focusing on multi-team collaborative product security - from asset management and software assurance to incident response and cyber-compliance
*   Corporate Management dashboards provide visibility into the organization's product security readiness
*   New SBOM management capabilities including one-click SBOM and VEX report generation for entire products, so you no longer need to manually aggregate information from underlying components
*   The Vulnerability Management (VM) CoPilot focuses your team on the most pressing and relevant vulnerabilities by automating exploit analysis
*   A new Malware detection engine secures device software from malicious code, enhances supply chain cybersecurity, and facilitates compliance
*   A revamped Policy Engine with greater customization flexibility automates requirement validation, accelerating compliance with regulations and your own policies
*   A refined Incident Response module facilitates threat intelligence monitoring, automates relevancy assessment, and streamlines the investigation workflow for rapid remediation of post-market incidents

All of these new capabilities are built into the company's Product Security Platform, a centralized management platform for keeping connected devices cyber secure.

"Product security is still an evolving field, and Cybellum is committed to the success of the teams involved," says Shlomi Ashkenazy, Cybellum's Head of Brand. "Throughout the past year, we learned from our customers what are the main gaps they have in their product security process, and worked to close them."

"To us, working hand in hand with the product security community is the most important aspect of what we do," added Shlomi, "This new chapter in Cybellum's brand story echoes the vision and aspirations of that community, and further aligns the Cybellum story and mission with the challenges and needs of our customers."

**About Cybellum**

Cybellum is where teams do product security.

Device manufacturers such as Jaguar Land Rover, Supermicro, Danaher, and Faurecia use Cybellum's Product Security Platform and services to manage the main aspects of their cybersecurity operations across business units and lifecycle stages. From SBOM to Vulnerability Management, Compliance Validation, and Incident Response, teams ensure their connected products are fundamentally secure and compliant – and stay that way.

To learn more visit www.cybellum.com

Cybellum Unveils New Brand, Amplifying Commitment to Team-Centric Product Security

The company introduces a solution to restore trust in customers' existing cyber defense techstack.

**LAWRENCE, Kan.****,** **June 28, 2023** **/PRNewswire/ --** Invary, a cybersecurity pioneer focused on detecting hidden malware and preventing costly ransomware attacks, has raised pre-seed funding to launch its innovative solution. The investment was led by Flyover Capital, with additional participation from NetWork Kansas GROWKS Equity program, and the KU Innovation Park.

The pre-seed funding round will fuel the launch of Invary's flagship Runtime Integrity offering, designed to uncover and neutralize hidden threats that elude modern threat detection systems. This unique service debuts this summer, and will empower organizations to fortify their security postures and proactively safeguard their digital environment against high impact attacks.

Additionally, Invary's free Runtime Integrity Score (RISe) service is available now, allowing customers to spot-check their system's integrity and identify hidden malware.

The Invary leadership team brings decades of operational expertise in Trusted Computing research and reunites entrepreneurs with a successful history of collaboration. The company is spearheaded by CEO Jason Rogers, who has extensive experience building secure cloud-scale platforms, and scaling engineering & operations at category leader Matterport through IPO. The team's security credentials are further bolstered by founder Dr. Perry Alexander, a distinguished authority in Trusted Computing research and his protege and former student, Dr. Wesley Peck, the CTO of Invary, who obtained his PhD under Dr. Alexander's guidance.

The highly dynamic nature of today's threat landscape poses a significant challenge to the security posture of all organizations, including those with advanced defenses like XDR, SIEM and CNAPP solutions. The primary flaw within these defense layers stems from their assumption that the operating system remains uncompromised. This leaves a critical gap in the overall security infrastructure that threat actors can discreetly exploit to prepare a ransomware attack or data breach. This oversight is incredibly problematic because a staggering 72% of cyberattacks occur in production according to Datadog's latest State of Application Security report. 

Invary plugs this security gap at runtime by mandating continuous validation of the operating system - making it an indispensable component of a "trust nothing" Zero Trust architecture. Built on an exclusive intellectual property grant from the NSA, Invary's technology provides proven and superior protection for the digital environment, pinpointing compromise with high confidence, eliminating superfluous, noisy monitoring data.

Jon Broek, CEO of Tenfold Security, a leader in cloud security services, said, "Invary Runtime Integrity gives us an unfair advantage over the competition when deployed with our security solutions for cloud and virtual machines. It also provides a key component of keeping our customers secured end to end and preventing things like ransomware that are highly targeting our core customers in higher education."  

"We are thrilled to have secured this pre-seed funding, as it validates the need for  Invary's novel technology to shore up existing cyber defenses against high impact hidden threats," said Jason Rogers, CEO of Invary. "With the support of our investors, customers and partners, we are well-positioned to advance our mission of fortifying the security ecosystem by reinforcing Zero Trust principles."

The IT team at LMH Health said, "One of the key challenges in combating destructive ransomware is the hidden malware within operating systems that often serves as the foundation for such attacks. Invary Runtime Integrity gives visibility into a part of the system overlooked by most other security tools. We are able to gain confidence that the operating system has not been compromised, but if there are cases where anomalies are detected, a wealth of information is provided to help determine if they are benign, intentional or potentially malicious." 

"Ensuring the safety of our customers and cyber community is our #1 priority. Our pre-seed funding enables us to realize this dedication by continuously improving Invary's Runtime Integrity Service while also making our agent open source. We're proud to enhance operating system security for all by accelerating the industry's progress toward truly comprehensive Zero Trust Architectures," said Dr. Wesley Peck, CTO of Invary. 

The successful completion of the pre-seed funding round underscores Invary's commitment to pushing the boundaries of Runtime Security. With this significant investment, Invary is poised to accelerate its growth, enhance its technology and expand its reach in preventing data breaches and ransomware attacks.

For more information about Invary and its Runtime Integrity solutions, please visit www.invary.com.

**About Invary**

Invary is the leader in operating system runtime validation and security. The company's technology detects hidden, high impact threats to the operating system that are missed by other foundational defense systems including XDR, SIEM and CNAPP platforms. By securing the integrity of the operating system as a first class citizen in the "trust nothing" entity list of Zero Trust architectures, Invary becomes an indispensable part of modern cyberdefense. Based on an exclusive IP grant from the NSA and proven technology that has been deployed in real-world, critical infrastructure, Invary's proprietary technology ensures malware, ransomware and other hidden, high impact threats commonly found in operating systems are exposed — before they can cause downtime and expand the blast radius of attack.

Invary Raises $1.85M in Pre-Seed Funding to Close Critical Gap in Zero Trust Security

Virtual kidnapping is just one of many new artificial intelligence attack types that threat actors have begun deploying, as voice cloning emerges as a potent new imposter tool.

An incident earlier this year in which a cybercriminal attempted to extort $1 million from an Arizona-based woman whose daughter he claimed to have kidnapped is an early example of what security experts say is the growing danger from voice cloning enabled by artificial intelligence.

As part of the extortion attempt, the alleged kidnapper threatened to drug and physically abuse the girl while letting her distraught mother, Jennifer DeStefano, hear over the phone what appeared to be her daughter's yelling, crying, and frantic pleas for help.

But, those pleas ended up being deepfakes.

**Deepfakes Create Identical Voices**

In recounting details of the incident, DeStefano told police she had been convinced the individual on the phone had actually kidnapped her daughter because of how identical the alleged kidnapping victim's voice was to her daughter's.

The incident is one in a rapidly growing number of instances where cybercriminals have exploited AI-enabled tools to try and scam people. The problem has become so rampant that the FBI in early June issued a warning to consumers that criminals manipulating benign videos and photos are targeting people in various kinds of extortion attempts.

"The FBI continues to receive reports from victims, including minor children and non-consenting adults, whose photos or videos were altered into explicit content," the agency warned. "The photos or videos are then publicly circulated on social media or pornographic websites, for the purpose of harassing victims or sextortion schemes." Scams involving deepfakes have added a new twist to so-called imposter scams, which last year cost US consumers a startling $2.6 billion in losses, according to the Federal Trade Commission.

In many instances, all it takes for attackers to create deepfake videos and audio — of the kind that fooled DeStefano — are very small samples of biometric content, Trend Micro said in a report this week highlighting the threat. Even a few seconds of audio that an individual might post on social media platforms like Facebook, TikTok, and Instagram is all that a threat actor requires to clone that individual's voice. Helpfully for them, a slew of AI tools is readily available — with many more on the way — that allow them to do voice cloning relatively easily using small voice biometrics harvested from various sources, according to Trend Micro researchers.

"Malicious actors who are able to create a deepfake voice of someone's child can use an input script (possibly one that's pulled from a movie script) to make the child appear to be crying, screaming, and in deep distress," Trend Micro researchers Craig Gibson and Josiah Hagen wrote in their report. "The malicious actors could then use this deepfake voice as proof that they have the targeted victim's child in their possession to pressure the victim into sending large ransom amounts."

**A Plethora of AI Imposter Tools**

Some examples of AI-enabled voice cloning tools include ElevenLabs' VoiceLab, Resemble.AI, Speechify, and VoiceCopy. Many of the tools are only available for a fee, though some offer freemium versions for trial. Even so, the cost to use these tools is often well less than $50 a month, making them readily accessible to those engaged in imposter scams.

A great deal of videos, audio clips, and other identity-containing data is readily available on the Dark Web that threat actors can correlate with publicly available information to identify targets for virtual kidnapping scams like DeStefano experienced and other imposter scams, Trend Micro noted. In fact, specific tools for enabling virtual kidnapping scams are emerging on the Dark Web that threat actors can use to hone their attacks, the researchers say in emailed comments to Dark Reading.

AI tools such as ChatGPT allow attackers to fuse data — including video, voice, and geolocation data — from disparate sources to essentially narrow down groups of people they can target in voice cloning or other scams. Much like social network analysis and propensities (SNAP) modeling allows marketers to determine the likelihood of customers taking specific actions, attackers can leverage tools like ChatGPT to focus on potential victims. "Attacks are enhanced by feeding user data, such as likes, into the prompt for content creation," the Trend Micro researchers say. "Convince this cat-loving woman, living alone who likes musicals, that their adult son has been kidnapped," they say, as one example. Tools like ChatGPT allow imposters to generate in a wholly automated way the entire conversation that an imposter might use in a voice cloning scam, they add.

Expect also to see threat actors use SIM-jacking — where they essentially hijack an individual's phone — in imposter scams such as virtual kidnapping. "When virtual kidnappers use this scheme on a supposedly kidnapped person, the phone number becomes unreachable, which can increase the chances of a successful ransom payout," Trend Micro said. Security professionals can also expect to see threat actors incorporate communication paths that are harder to block, like voice and video in ransomware attacks and other cyber-extortion schemes, the security vendor said.

**Cloning Vendors Cognizant of the Cyber-Risks**

Several vendors of voice cloning themselves are aware of the threat and appear to be taking measures to mitigate the risk. In Twitter messages earlier this year, ElevenLabs said it had seen an increasing number of voice-cloning misuse cases among users of its beta platform. In response, the company said it was considering adding additional account checks, such as full ID verification and verifying copyright to the voice. A third option is to manually verify each request for cloning a voice sample.

Microsoft, which has developed an AI-enabled text-to-speech technology called Vall-E, has warned of the potential for threat actors to misuse its technology to spoof voice identification or impersonate specific speakers. "If the model is generalized to unseen speakers in the real world, it should include a protocol to ensure that the speaker approves the use of their voice and a synthesized speech detection model," the company said.

Facebook parent Meta, which has developed a generative AI tool for speech called VoiceBox, has decided to go slow in how it makes the tool generally available, citing concerns over potential misuse. The company has claimed technology uses a sophisticated new approach to cloning a voice from raw audio and an accompanying transcription. "There are many exciting use cases for generative speech models, but because of the potential risks of misuse, we are not making the Voicebox model or code publicly available at this time," Meta researchers wrote in recent recent post describing the technology.

AI-Enabled Voice Cloning Anchors Deepfaked Kidnapping

Apple's emergency patch, AI-generated art and more security headlines from the past week.

Thursday, June 29, 2023 14:06

Welcome to this week’s edition of the Threat Source newsletter.

AI-generated art is causing drama across the internet over the past few months, from Marvel TV show opening credits scenes to predatory YouTubers who claim YOU can make millions by having AI tools create children’s books for you.

There are all sorts of ethical and legal implications that AI-generated art has that I don’t have the space here to cover, but I did think it was worth noting that these tools are already being used in cyber attacks and online scams.

These tools can create extremely convincing deepfake art that could lead to the spread of misinformation or disinformation, especially concerning major news events and political figures. I’ve written about this in the newsletter before.

There are also dozens of apps that promise to create convincing AI art or portraits of people serving another malicious purpose. As McAfee pointed out in this blog post, some Android apps offered to “zhuzh up” users’ profile pictures with AI filters but were actually trojanized apps with hidden information stealers. And at the end of the day, they were all using the same basic filters. Many of these apps could also be stealing and re-using the pictures users submitted to these apps (remember the saga of the app that showed what it would be like when you got old?).

I have more to get to this week, so I’m not going to go much deeper into the subject, but as always, be vigilant of apps’ privacy policies and do a quick background check on their creators before downloading something hoping to create a Skrull version of yourself.

I’m also excited to show off this new video featuring a behind-the-scenes interview with Talos.

This video from Cisco Secure shines a spotlight on the evolution and future of ransomware. Watch it below or over on Cisco.com here to find out how our threat hunters identify new and evolving threats in the wild, and how their research and intelligence help organizations build strong defenses.

**The one big thing**

Apple released an emergency patch last week for all its operating systems for two zero-click vulnerabilities that could allow an attacker to completely take over a targeted device. The two vulnerabilities, identified as CVE-2023-32434 and CVE-2023-32435, were used to reportedly compromise phones in Russia. The issues were part of the so-called Triangulation spyware discovered on iPhones of employees of Kaspersky, a Russia-based cybersecurity company, but the malware was removed from phones after a device reboot.

**Why do I care?**

The chances of being targeted by the Triangulation spyware is slim-to-none based on what the security community knows to this point, but either way, the existence of a zero-day vulnerability in iOS is always big news. Apple encouraged users to upgrade to iOS 16.5.1 and iPadOS 16.5.1 for users of those devices. The company also said that CVE-2023-32434 "may have been actively exploited against versions of iOS released before iOS 15.7."

**So now what?**

All Apple users should update these affected products as soon as possible. The U.S. Cybersecurity and Infrastructure Security Agency also released an advisory telling “users and administrators to review \[Apple’s\] advisories and apply the necessary updates.”

**Top security headlines of the week**

The self-identifying hacktivist group “Anonymous Sudan” is **more active than initially thought.** While researchers are still unsure as to the group’s connections to any nation-states, the group says it’s advocating on behalf of Sudan. It first came onto the scene earlier this month, taking credit for a distributed denial-of-service attack against Microsoft that affected Outlook. Now, researchers are saying their activities actually started prior to that with attacks targeting Israel, Sweden and other nations earlier this year. Microsoft confirmed last week that a Layer 7 DDoS attack was responsible for outages affecting Azure, Outlook and OneDrive, saying that, “these attacks likely rely on access to multiple virtual private servers (VPS) in conjunction with rented cloud infrastructure, open proxies, and DDoS tools” and that there is “no evidence that customer data has been accessed or compromised." (Bloomberg, Bleeping Computer)

**The list of companies affected by the MOVEit breach continues to grow.** Clop, the threat actor behind the attacks, added Schneider Electric and Siemens Energy — two major electric corporations — to its leak site this week. The University of California Los Angeles (UCLA) also confirmed it discovered on June 1 that it was the target of the campaign, though it quickly engaged the college’s incident response team and patched the issue. Since the attack went public, Clop’s leak site mainly called out seven U.S. state and local governments, including the nation’s largest public-employee pension fund — the California Public Employees’ Retirement System. And the New York City public school system was also affected, with more than 45,000 students having their personal data stolen, including sensitive information like Social Security numbers. (The Record by Recorded Future, CyberScoop)

**The FBI seized the domain belonging to the infamous hacking site BreachForums,** three months after arresting its creator. Users of BreachForums were known for sharing and selling stolen personal data from a variety of websites and companies. BreachForums was quiet for several weeks after the admin, known as “Pompompurin,” was arrested. However, the site’s newest admin decided to launch the site on new servers earlier this month. In addition to the usual display of the law enforcement agencies’ logos who were involved in the takedown, BreachForums’ homepage now also displays an image of the avatar Pompompurin used in handcuffs. (TechCrunch, Infosecurity Magazine)

**Can’t get enough Talos?**

*   Service overview: Talos Incident Response purple team
*   Vulnerability Spotlight: Use-after-free condition in Google Chrome WebGL
*   Video: How Talos’ open-source tools can assist anyone looking to improve their security resilience
*   Talos Takes Ep. #144: What we know so far about the MOVEit zero-day making the rounds

**Upcoming events where you can find Talos**

**BlackHat** **(Aug. 5 - 10)**

Las Vegas, Nevada

**Grace Hopper Celebration (Sept. 26 - 29)**

Orlando, Florida

> _Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation._

**Most prevalent malware files from Talos telemetry over the past week**

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1  
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::1201

**SHA 256:** 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa  
**MD5:** df11b3105df8d7c70e7b501e210e3cc3  
**Typical Filename:** DOC001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

New video provides a behind-the-scenes look at Talos ransomware hunters

The Iranian state-sponsored group dubbed MuddyWater has been attributed to a previously unseen command-and-control (C2) framework called PhonyC2 that's been put to use by the actor since 2021.
Evidence shows that the custom made, actively developed framework has been leveraged in the February 2023 attack on Technion, an Israeli research institute, cybersecurity firm Deep Instinct said in a

The Iranian state-sponsored group dubbed **MuddyWater** has been attributed to a previously unseen command-and-control (C2) framework called **PhonyC2** that's been put to use by the actor since 2021.

Evidence shows that the custom made, actively developed framework has been leveraged in the February 2023 attack on Technion, an Israeli research institute, cybersecurity firm Deep Instinct said in a report shared with The Hacker News.

What's more, additional links have been unearthed between the Python 3-based program and other attacks carried out by MuddyWater, including the ongoing exploitation of PaperCut servers.

"It is structurally and functionally similar to MuddyC3, a previous MuddyWater custom C2 framework that was written in Python 2," security researcher Simon Kenin said. "MuddyWater is continuously updating the PhonyC2 framework and changing TTPs to avoid detection."

MuddyWater, also known as Mango Sandstorm (previously Mercury), is a cyber espionage group that's known to operate on behalf of Iran's Ministry of Intelligence and Security (MOIS) since at least 2017.

The findings arrive nearly three months after Microsoft implicated the threat actor for carrying out destructive attacks on hybrid environments, while also calling out its collaboration with a related cluster tracked as Storm-1084 (aka DEV-1084 or DarkBit) for reconnaissance, persistence, and lateral movement.

"Iran conducts cyber operations aiming at intelligence collection for strategic purposes, essentially targeting neighboring states, in particular Iran's geopolitical rivals such as Israel, Saudi Arabia, and Arabic Gulf countries, a continued focus observed in all operations since 2011," French cybersecurity company Sekoia said in an overview of pro-Iranian government cyber attacks.

Attack chains orchestrated by the group, like other Iran-nexus intrusion sets, employ vulnerable public-facing servers and social engineering as the primary initial access points to breach targets of interest.

"These include the use of charismatic sock puppets, the lure of prospective job opportunities, solicitation by journalists, and masquerading as think tank experts seeking opinions," Recorded Future noted last year. "The use of social engineering is a central component of Iranian APT tradecraft when engaging in cyber espionage and information operations."

Deep Instinct said it discovered the PhonyC2 framework in April 2023 on a server that's related to broader infrastructure put to use by MuddyWater in its attack targeting Technion earlier this year. The same server was also found to host Ligolo, a staple reverse tunneling tool utilized by the threat actor.

The connection stems from the artifact names "C:\\programdata\\db.sqlite" and "C:\\programdata\\db.ps1," which Microsoft described as customized PowerShell backdoors used by MuddyWater and which are dynamically generated via the PhonyC2 framework for execution on the infected host.

PhonyC2 is a "post-exploitation framework used to generate various payloads that connect back to the C2 and wait for instructions from the operator to conduct the final step of the 'intrusion kill chain,'" Kenin said, calling it a successor to MuddyC3 and POWERSTATS.

Some of the the notable commands supported by the framework are as follows -

*   **payload**: Generate the payloads "C:\\programdata\\db.sqlite" and "C:\\programdata\\db.ps1" as well as a PowerShell command to execute db.ps1, which, in turn, executes db.sqlite
*   **droper**: Create different variants of PowerShell commands to generate "C:\\programdata\\db.sqlite" by reaching out to the C2 server and writing the encoded contents sent by the server to the file
*   **Ex3cut3**: Create different variants of PowerShell commands to generate "C:\\programdata\\db.ps1" -- a script that contains the logic to decode db.sqlite -- and the final-stage
*   **list**: Enumerate all connected machines to the C2 server
*   **setcommandforall**: Execute the same command across all connected hosts simultaneously
*   **use**: Get a PowerShell shell on a remote computer
*   **persist**: Generate a PowerShell code to enable the operator to gain persistence on the infected host so it will connect back to the server upon a restart

Muddywater is far from the only Iranian nation-state group to train its eyes on Israel. In recent months, various entities in the country have been targeted by at least three different actors such as Charming Kitten (aka APT35), Imperial Kitten (aka Tortoiseshell), and Agrius (aka Pink Sandstorm).

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

From MuddyC3 to PhonyC2: Iran's MuddyWater Evolves with a New Cyber Weapon

As cloud adoption grows, organizations need to rethink their approaches to securing hybrid cloud and multicloud environments.

Cloud technology is a powerful tool that facilitates collaboration among distributed workforces and allows businesses to quickly scale their digital workloads. According to a Microsoft survey, 95% of respondents said cloud technology was critical to their organizations' successes, and 86% planned to increase their investments in hybrid cloud and multicloud tech. 

However, cloud technology also comes with increased risks. The lack of visibility and coverage across hybrid and multicloud environments can make it difficult for security teams to identify and resolve risks. Security teams are also being asked to monitor fragmented tools across different clouds, which can make it difficult to create a unified view of their comprehensive security posture. 

Microsoft research from earlier this year found that 86% of surveyed decision-makers believed their current cybersecurity strategies were not sufficient to secure their multicloud environments. So how should organizations adapt their security approach?

**Create a Single-Pane-of-Glass View**

Cloud technology enables businesses to quickly scale their digital workloads because they are not constrained by managing physical devices or IT infrastructure. However, this agility can also make it difficult for them to keep track of their various workloads, data streams, and applications because they are scattered across a mix of different cloud platforms and on-premises locations. Securing a hybrid or multicloud environment requires organizations to have visibility and cross-platform control in a single-pane-of-glass view. That way they can visualize the security posture of multiple workloads at once, regardless of location.

**Use CNAPP For Code-to-Cloud Context**

For many organizations, security and compliance used to be distinct silos — making it difficult for development and security teams to protect applications in the cloud. More than half (54%) of enterprises do not integrate security into their DevOps pipelines, according to Microsoft's "Enterprise DevOps Report." Cloud-native application protection platforms (CNAPPs) integrate these silos into a single, easy-to-reference platform to help organizations secure and protect cloud-native applications.

Strong security hygiene means being able to monitor and remediate code within the same pane-of-glass view that organizations use to manage their overall cloud security posture. CNAPPs enable increased collaboration and integration between development and security teams while also reducing the possibility of code issues being moved into the cloud. By intaking all infrastructure-as-code scanning signals and combining them with data sensitivity, identity, and runtime intelligence, CNAPPs enable security teams to make recommendations and prioritize risks within the context of the entire hybrid or multicloud network.

**Fortify Security Hygiene With Threat Detection and Response**

Active threat detection is a critical component of securing the cloud environment against potential cybersecurity breaches. For example, organizations should examine the connections among applications, data stores, and workstreams to anticipate how threat actors could conceivably move through their environments to compromise operations.

When protecting workloads, it's critical that developers, security administrators, and security operations center analysts are all on the same page. It's also important that organizations take a cohesive, collaborative approach to cloud security by ensuring that all of the key players are working together to build security integrations that cover the full scope of your threat landscape. This can look like embedding anti-malware scanning tools into DevOps to ensure a company's code is protected against malware or preventing attackers from entering its network by hardening container security.

_— This article was written by Yuri Diogenes, a member of the Microsoft Security Team._

3 Tips to Increase Hybrid and Multicloud Security

A new version of the double-extortion group's malware reflects a growing trend among ransomware actors to expand cybercrime opportunities beyond Windows.

The fledgling Akira ransomware group is building momentum and expanding its target base, following other cybercriminal groups by adding capabilities to exploit Linux systems as part of a growing sophistication in its activity, researchers have found.

The gang, which emerged as a cybercriminal force to be reckoned with in April of this year, is primarily known for attacking Windows systems, and maintains a unique data-leak site designed as an interactive command prompt using jQuery.

However, the group — named for a 1988 Japanese anime cult classic featuring a psychopathic biker — is now shifting its tactics to target Linux, with a new version of its ransomware that can exploit systems running the open source OS, researchers from Cyble Research and Intelligence Labs (CRIL) revealed in a blog post published June 29.

This move both reflects Akira's evolution as well as a growing trend among ransomware groups, who now see the opportunity in exploiting the popularity of Linux across enterprise environments. Linux has become the de facto standard for running virtual container-based systems, which are typically the back end for Internet of Things (IoT) devices and mission-critical applications.

"The fact that a previously Windows-centric ransomware group is now turning its attention to Linux underscores the increasing vulnerability of these systems to cyber threats," the researchers wrote in the post.

Indeed, the shift by Akira follows a move by other, more established ransomware — such as Cl0p, Royal, and IceFire ransomware groups — to do the same.

Akira is also expanding rapidly, having in just a few months already compromised 46 publicly disclosed victims — the majority of which are located in the US, the researchers said.

Victims span various industries, but the bulk of the victims have come from the education sector, followed close behind by manufacturing, professional services, BFSI, and construction. Other victims are scattered across assorted verticals, including agriculture and livestock, food and beverage, IT and ITES, real estate, consumer goods, automotive, chemical, and other industries, they said.

Akira primarily is focused on compromising and stealing data from its victims using double-extortion tactics, threatening to leak data on the Dark Web if they don't pay the requested ransom.

**How Akira's Linus-Targeting Works**

The new Linux ransomware file infects systems in the form of a console-based 64-bit executable written in Microsoft Visual C/C++ compiler, the researchers said. Upon execution, it uses the API function _GetLogicalDriveStrings()_ to obtain a list of the logical drives currently available in the system.

The malware then drops a ransom note in multiple folders with the file name "akira\_readme.txt," and proceeds to search for files and directories to encrypt by iterating through them using the API functions _FindFirstFileW()_ and _FindNextFileW()_.

The ransomware uses the "Microsoft Enhanced RSA and AES Cryptographic Provider" libraries to encrypt the victim's machine using a fixed hardcoded base64 encoded public key, renaming encrypted files with the ".akira" extension. It also uses several functions from CryptoAPI in its encryption process, the researchers said.

Akira ransomware also includes an additional features that prevents system restoration using a PowerShell command to execute a WMI query that deletes the shadow copy, they added.

The dropped ransom note provides instructions to the victims for contacting Akira to negotiate terms for paying a ransom. The group often threatens victims with plans to leak the data on its ransomware site (aka double extortion), which indeed displays a list of victims that didn't pay and associated leaks of their data, the researchers said.

**How to Prevent & Mitigate Ransomware**

Researchers made a number of recommendations for how organizations can prevent and mitigate ransomware attacks. They include conducting regular backup practices and keeping those backups offline or in a separate network so that systems can be restored in case of attack, they said.

Organizations also should turn on the automatic software update feature on computers as well as other mobile and connected devices wherever possible and pragmatic, and use reliable and trusted antivirus and Internet security software package on all connected devices, the researchers advised.

As ransomware often hitches a ride on files spread through phishing attacks, corporate users also should refrain from opening untrusted links and email attachments without verifying their authenticity, they added.

The steps taken after a ransomware attack also have an impact on how extensive the damage to a network is. If ransomware is detected on an enterprise system, organizations should immediately detach infected devices on the same network, disconnect any connected external storage devices, and inspect system logs for suspicious events, the researchers added.

Tag

#intel