Categories: Ransomware
Categories: Threat Intelligence
Cl0p was the most used ransomware in March 2023, dethroning the usual frontrunner LockBit, after breaching over 104 organizations with a zero-day vulnerability.



(Read more...)




The post Ransomware review: April 2023 appeared first on Malwarebytes Labs.

_This article is based on research by Marcelo Rivero, Malwarebytes' ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, "known attacks" are those where the victim didn't pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher._

In a surprising turn of events for the ransomware landscape, Cl0p has emerged as the most used ransomware in March 2023, dethroning the usual frontrunner, LockBit. Indeed, while LockBit was still used in 93 successful attacks last month, it couldn't quite match the sheer force of Cl0p's sudden resurgence.

Contributing to Cl0p's rise to the number one spot was its extensive GoAnywhere campaign. The group successfully breached over 104 organizations by taking advantage of a zero-day vulnerability in the widely-used managed file transfer software, GoAnywhere MFT.

March has also seen some intriguing activity from other ransomware gangs like DarkPower, which appeared to be turning on and off throughout the month, as well as BianLian, which has shifted its focus from encrypting files altogether to pure data-leak extortion.

Known ransomware attacks by gang, March 2023

Known ransomware attacks by country, March 2023

Known ransomware attacks by industry sector, March 2023

Fortra, the company behind GoAnywhere MFT, released an emergency patch (7.1.2) for the vulnerability in early February—but by then, Cl0p had already used it to break into a myriad of networks and deploy ransomware.

Recent research by Malwarebytes highlighted the bias that ransomware gangs have for attacking English-speaking countries, and the Cl0p campaign follows the same trend. Between them, the Anglosphere countries of the USA, Canada, UK, and Australia accounted for 69% of known Cl0p attacks, with Canada and Australia suffering more attacks than countries with bigger populations and economies, like Germany and France.

Known ransomware attacks by Cl0p, March 2023

Cl0p's ability to exploit a zero-day to such effect is akin only in recent memory to the Kaseya VSA ransomware incident in July 2022. The Kaseya attack involved a malicious auto-update that pushed the REvil ransomware onto victims' machines, primarily targeting Managed Service Providers (MSPs), causing widespread downtime for over 1,000 companies.

The successful use of zero-day vulnerabilities by ransomware gangs like Cl0p and REvil is, thankfully, relatively rare. However, when it happens it can be devastating. Ransomware gangs are always looking for new tactics to help them maximize the impact of their attacks and, rare or not, we should all be concerned about the example Cl0p has set for weaponizing a newly discovered vulnerability and exploiting it before a patch is released or applied.

Known Cl0p victims include Rubrik, Hatch Bank and Community Health Systems (CHS).

Cl0p wasn’t the only gang we saw last month experiencing an unexpected surge in activity.

**BlackBasta and LockBit**

In January 2023, we noted a complete absence of activity from BlackBasta, a group which up to that point had usually ranked highly on our monthly charts. That trend continued into February, but in March it returned with a vengeance with over 40 known victims. It’s hard to tell why BlackBasta went underground for two months only to eventually burst back onto the scene, but it's possible that the group was working on developing new attack techniques or evading detection. Other possibilities are a sudden change in leadership, that the group wanted to lay low to avoid the attention of law enforcement, or it simply wanted a break. This kind of thing isn't unusual and the group's sudden re-emergence highlights the unpredictable nature of ransomware gangs and the need for constantly monitoring the latest threat intelligence. Just because a group is gone today doesn't mean it won't be back tomorrow.

Meanwhile, LockBit’s activity in March was headlined by a major ransomware attack on Essendant, a US-based distributor of office products. This attack, which is said to have begun on or around March 6, created severe ramifications for the organization, disrupting freight carrier pickups, online orders, and access to customer support.

In other LockBit news, a CISA advisory on LockBit 3.0 ransomware was released on March 16, 2023. LockBit 3.0, also called LockBit Black, was discovered in June 2022. While many of LockBit 3.0’s TTPs remain consistent with previous versions, the advisory sheds light on the updated and enhanced features in LockBit 3.0. These improvements include more advanced detection evasion methods and customization options that enable affiliates to modify the ransomware's behavior according to their requirements, making the ransomware harder to detect and counter.

**Dark Power**

March saw the rise of Dark Power, a new ransomware group that tallied 10 victims. Dark Power’s ransomware is interesting in that it is written in the relatively obscure Nim programming language.

Dark Power's approach to ransomware, despite being relatively basic, manages to create unique encryption keys for each targeted machine, making it difficult to develop a generic decryption tool. The ransomware effectively stops services and terminates processes, ensuring the encryption process is unhindered. It also clears logs, making it harder for analysts to investigate an attack.

The effectiveness of Dark Power ransomware underlines the fact that attackers do not always need advanced, novel techniques to succeed. A basic approach, executed well and combined with an adaptable programming language, can prove to be just as effective.

**BianLian**

BianLian, a ransomware gang that first appeared in July 2022 and has consistently hovered near the top of our monthly charts, has shifted its focus from encrypting files to data-leaks. The group's shift in focus can be attributed to the release of a decryption tool by Avast, which made encrypting files less effective for BianLian. Consequently, the group now focuses on threatening to leak stolen data to extort payments from victims instead.

BianLian's shift toward data-leak extortion demonstrates that RaaS gangs can be highly adaptable to changing circumstances, such as the emergence of decryption tools that undermine encryption-based ransomware. This strategic shift allows them to maintain a steady income stream, even as traditional methods lose their effectiveness.

As organizations face the daunting prospect of sensitive data leaks or security breach exposure, they are more likely to pay ransoms to avoid legal, financial, and reputational repercussions. Furthermore, the lingering threat of leaked data, even after recovering encrypted files, makes it harder for victims to resist paying ransoms. 

Our Ransomware Emergency Kit contains the information you need to defend against ransomware-as-a-service (RaaS) gangs.

**How to avoid ransomware**

*   **Block common forms of entry**. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
*   **Detect intrusions**. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption**. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups**. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Ransomware review: April 2023

Popular instant messaging app WhatsApp on Thursday announced a new account verification feature that ensures that malware running on a user's mobile device doesn't impact their account.
"Mobile device malware is one of the biggest threats to people's privacy and security today because it can take advantage of your phone without your permission and use your WhatsApp to send unwanted messages,"

Mobile Security / Privacy

Popular instant messaging app WhatsApp on Thursday announced a new account verification feature that ensures that malware running on a user's mobile device doesn't impact their account.

"Mobile device malware is one of the biggest threats to people's privacy and security today because it can take advantage of your phone without your permission and use your WhatsApp to send unwanted messages," the Meta-owned company said in an announcement.

Called Device Verification, the security measure is designed to help prevent account takeover (ATO) attacks by blocking the threat actor's connection and allowing the target to use the app without any interruption.

In other words, the goal is to deter attackers' use of malware to steal authentication keys and hijack victim accounts, and subsequently impersonate them to distribute spam and phishing links.

This, in turn, is achieved by introducing a security-token that's stored locally on the device, a cryptographic nonce to identify if a WhatsApp client is contacting the server to retrieve incoming messages, and an authentication-challenge that acts as an "invisible ping" from the server to a user's device.

The client is required to send the security-token every time it connects to the server. The security-token, for its part, is updated every time it fetches an offline message from the server.

An authentication-challenge is considered a failure when the client responds to the challenge from a different device, indicating an anomalous connection originating from an attacker. This causes the connection to be blocked.

Should there be no response from the client, the process is retried a "few more times," after which the connection will be blocked if the client still doesn't respond.

WhatsApp said Device Verification has been rolled out to all Android users and that it's in the process of being rolled out to iOS users.

The feature is part of a broader set of new enhancements that are designed to authenticate and verify users' identities, including displaying alerts when there is an attempt to migrate a WhatsApp account from one device to another.

Also launched by WhatsApp is a "Key Transparency" feature to automatically confirm whether chats are end-to-end encrypted without requiring any additional actions from the user.

To do so, it's implementing a new Auditable Key Directory (AKD) that's based on existing protocols like CONIKS and SEEMless to help users verify their conversation security.

"The AKD will enable WhatsApp clients to automatically validate that a user's encryption key is genuine and enables anyone to verify audit-proofs of the directory's correctness," the company said.

UPCOMING WEBINAR

Master the Art of Dark Web Intelligence Gathering

Learn the art of extracting threat intelligence from the dark web – Join this expert-led webinar!

Save My Seat!

Verification currently requires users in a chat to manually compare the security code (which exists as a QR code and a 60-digit number) by sending it to the participant on the other end via SMS or email, or alternatively by scanning the QR code if the parties are physically next to each other.

The security code is nothing but a unique hash of both the public/private key pair that's generated to facilitate end-to-end encrypted messaging. It can change when users switch devices or reinstall WhatsApp.

Key Transparency streamlines the verification process by making use of an automated flow that maintains a record of public key changes in a directory, thereby allowing a client to check against it.

WhatsApp intends to make this feature live in the coming months, although it's already hosting and operating an Auditable Key Directory of all its users. "This is an important mechanism that empowers security-conscious users to verify an end-to-end encrypted personal conversation quickly," the company added.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

WhatsApp Introduces New Device Verification Feature to Prevent Account Takeover Attacks

Categories: Ransomware
Categories: Threat Intelligence
In the last 12 months France was one of the most attacked countries in the world, and a favourite target of LockBit, the world's most dangerous ransomware.



(Read more...)




The post Ransomware in France, April 2022–March 2023 appeared first on Malwarebytes Labs.

_This article is based on research by Marcelo Rivero, Malwarebytes' ransomware specialist, who monitors information published by ransomware gangs on their dark web sites. In this report, "known attacks" are attacks where the victim opted not to pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher.  
_

Between April 2022 and March 2023, France was one of the most attacked countries by ransomware gangs. During that period:

*   France was the fifth most attacked country in the world.
*   The government sector was attacked more often than in similar countries.
*   LockBit dominated the last twelve months, being used in 57% of known attacks.
*   There were almost twice as many LockBit attacks in France than either the UK or Germany.

In July 2022, La Poste Mobile, a mobile carrier owned by French postal company La Poste, suffered a LockBit ransomware attack, severely impacting its administrative and management services. After successfully reducing the ransom demand from $1.4 million to $300,000 in a five day negotiation, La Poste Mobile's negotiator announced on July 11, "Management doesn’t want to pay anymore ... it has reconsidered its decision." LockBit published the data it had stolen on its leak site, describing it as "the private information of more than a million and a half people in France."

The La Poste Mobile page on the LockBit leak site

In August 2022, attackers demanded $10 million after a ruthless assault on the Center Hospitalier Sud Francilien (CHSF), a 1000-bed hospital near Paris. The disruption to CHSF's computer systems resulted in patients having to be sent elsewhere, and surgeries having to be postponed.

A few months later, in mid-November, French defense and technology group Thales confirmed a data breach affecting contracts and partnerships in Malaysia and Italy. As with so many attacks in France in the last twelve months, the perpetrators used LockBit ransomware.

**France is a prime target**

In the 12 months from April 2022 to March 2023, France was a globally significant target for ransomware, and the fifth most attacked country by known attacks.

Known attacks in the ten most attacked countries, April 2022 - March 2023

Given the disparity between the USA and the rest of the world in terms of number of attacks it would be easy to conclude that ransomware is, first-and-foremost, a USA problem. It is not. The size and nature of the US economy means that it has many more targets for ransomware gangs than the other countries in the top ten.

We can account for the difference in the size of countries' economies by dividing the number of known ransomware attacks by a country's nominal GDP, which gives us an approximate rate of attacks per $1T of economic output. On that basis, the difference between France and the USA is far smaller than the total number of known attacks would suggest. And while France and Germany suffered nearly identical numbers of known attacks, France appears to suffer a much higher rate of attacks per unit of economic activity than its neighbour.

The ten most attacked countries between April 2022 - March 2023, ordered by attacks per $1T GDP

The size of the countries in the top ten also vary enormously, and we can try to account for that by dividing known attacks by the size of each country's population. On that measure, again, the differences between countries are far smaller than a simple count of known attacks suggests.

In all the variations of our top ten, English-speaking countries occupy at least three of the top five positions, which suggests that ransomware gangs have a slightly bias for English-speaking targets. France sits just below the Anglosphere in a cluster of four advanced European economies suffering nearly identical rates of attacks per capita.

The ten most attacked countries between April 2022 - March 2023, ordered by attacks per capita

By any measure, France is one of the most attacked countries in the world, and its organisations are prime targets for ransomware gangs. Unusually, government targets accounted for a significant proportion of those organisations in the last twelve months. It was the country's third most attacked sector, accounting for 9% of known attacks. By comparison, over the same twelve month period, 4% of known attacks in the USA and 3% of known attacks in Germany affected their government sectors, while just 20 miles across the English channel, the UK experienced none at all.

Known ransomware attacks by industry sector in France, April 2022 - March 2023

As is often the case, the reasons for this are not obvious. It is possible that this simply reflects the larger footprint of government in France—government spending accounts for a larger proportion of the economy in France than in either the UK or Germany. However, the difference is only a few percentage points.

Ransomware gangs often operate from the safe havens of Russia and the Commonwealth of Independent states, which can make it tempting to ascribe nationalistic or geopolitical motivations to their activity. However, the truth is they are businesses that choose targets that are easy to infiltrate and likely to pay substantial ransoms.

Unfortunately, the most likely explanation for the high proportion of government sector targets among the known attacks in France is that government institutions were easier targets in France than elsewhere.

**LockBit's hunting ground**

The most dangerous ransomware in the world right now, is LockBit, and LockBit loves France.

In 2022, LockBit was used in 31% of known attacks globally, 3.5 times more than its nearest competitor, ALPHV. (You can read much more about why LockBit is the number one threat to your business in our 2023 State of Malware report.) As you'd expect, given its global preeminence, LockBit was also the most widely used ransomware in France, Germany, and the UK in the last twelve months.

However, LockBit dominates in France in a way that it doesn't in its European neighbours. Between April 2022 and March 2023, LockBit accounted for an absolutely enormous 57% of known attacks in France. Over the same period, it accounted for 20% of known attacks in the UK and about 30% in Germany.

LockBit recorded 62 known attacks in France in the last twelve months, but no other gang registered more than seven. In the same period LockBIt was responsible for 33 known attacks in the UK while six other gangs also got into double digits.

Ransomware with two or more known attacks in France, April 2022 - March 2023

LockBit's outsized contribution to France's misery is most clearly seen by highlighting its contribution on a month-by-month basis. The number of monthly attacks in France has been highly volatile, showing far larger variation than the UK, despite its proximity and the similarity of their economies and populations. That volatility is almost entirely down to how many or how few LockBit attacks occurred each month. In the last twelve months only one other gang has registered three known attacks in a single month (Royal in March 2023), while LockBit has matched or exceeded that figure eight times, and exceeded ten attacks in a month twice.

Monthly ransomware attacks in France with LockBit highlighted, April 2022 - March 2023

The reasons for this aren't clear, but it may simply be that as the 800lb gorilla in the ransomware ecosystem, LockBit is best placed to exploit opportunities outside of the Anglosphere. Like a lot of ransomware, LockBit is sold as a service and attacks are carried out by independent criminal gangs, referred to as "affiliates", which pay the LockBit gang 20% of the ransoms they extract. The French economy is large enough to provide a fertile hunting ground for cybercriminals. It is possible that some of LockBit's 100 or so affiliates have decided to specialise there.

**Conclusions**

In the last 12 months, France was a globally significant hunting ground for ransomware gangs, and the country with the fifth highest total of known attacks. Within France, the government sector was over represented, suffering a higher proportion of known attacks than the government sector in the USA, Germany, and the UK. Much like the education sector in the UK, the French government sector should be alarmed that with an entire world of targets to choose from, it has attracted a disproportionate amount of attention.

France attracted enormous attention from gangs using LockBit, the most dangerous ransomware in the world. There were almost twice as many known LockBit attacks in France than in either Germany or the UK. In all, LockBit was used in 57% of known attacks in France, while the next most used ransomware, Vice Society, accounted for just 6%.

France does not so much have a ransomware problem as a LockBit problem.

**How to avoid ransomware**

*   **Block common forms of entry**. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
*   **Detect intrusions**. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption**. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups**. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Ransomware in France, April 2022–March 2023

An emerging Python-based credential harvester and a hacking tool named Legion are being marketed via Telegram as a way for threat actors to break into various online services for further exploitation.
Legion, according to Cado Labs, includes modules to enumerate vulnerable SMTP servers, conduct remote code execution (RCE) attacks, exploit unpatched versions of Apache, and brute-force cPanel and

An emerging Python-based credential harvester and a hacking tool named **Legion** is being marketed via Telegram as a way for threat actors to break into various online services for further exploitation.

Legion, according to Cado Labs, includes modules to enumerate vulnerable SMTP servers, conduct remote code execution (RCE) attacks, exploit unpatched versions of Apache, and brute-force cPanel and WebHost Manager (WHM) accounts.

The malware is suspected to be linked to another malware family called AndroxGh0st that was first documented by cloud security services providerLacework in December 2022.

Cybersecurity firm SentinelOne, in an analysis published late last month, revealed that AndroxGh0st is part of a comprehensive toolset called AlienFox that's offered to threat actors to steal API keys and secrets from cloud services.

"Legion appears to be part of an emerging generation of cloud-focused credential harvester/spam utilities," security researcher Matt Muir told The Hacker News. "Developers of these tools often steal each other's code, making attribution to a particular group difficult."

Besides using Telegram as a data exfiltration point, Legion is designed to exploit web servers running content management systems (CMS), PHP, or PHP-based frameworks like Laravel.

"It can retrieve credentials for a wide range of web services, such as email providers, cloud service providers, server management systems, databases, and payment platforms like Stripe and PayPal," Cado Labs said.

Some of the other targeted services include SendGrid, Twilio, Nexmo, AWS, Mailgun, Plivo, ClickSend, Mandrill, Mailjet, MessageBird, Vonage, Exotel, OneSignal, Clickatell, and TokBox.

The primary goal of the malware is to enable threat actors to hijack the services and weaponize the infrastructure for follow-on attacks, including mounting opportunistic phishing campaigns.

The primary goal of the malware is to enable threat actors to hijack the services and weaponize the infrastructure for follow-on attacks, including mounting mass spam and opportunistic phishing campaigns.

The cybersecurity firm said it also discovered a YouTube channel containing tutorial videos on how to use Legion, suggesting that the "tool is widely distributed and is likely paid malware." The YouTube channel, which was created on June 15, 2021, remains active as of writing.

Furthermore, Legion retrieves AWS credentials from insecure or misconfigured web servers and deliver SMS spam messages to users of U.S. mobile networks such as AT&T, Sprint, T-Mobile, Verizon, and Virgin.

UPCOMING WEBINAR

Master the Art of Dark Web Intelligence Gathering

Learn the art of extracting threat intelligence from the dark web – Join this expert-led webinar!

Save My Seat!

"To do this, the malware retrieves the area code for a U.S. state of the user's choosing from the website www.randomphonenumbers.com," security researcher Matt Muir said. "A rudimentary number generator function is then used to build up a list of phone numbers to target."

Furthermore, Legion can retrieve AWS credentials from insecure or misconfigured web servers and deliver SMS spam messages to users of U.S. mobile networks such as AT&T, Sprint, T-Mobile, Verizon, and Virgin by leveraging the stolen SMTP credentials.

"To do this, the malware retrieves the area code for a U.S. state of the user's choosing from the website www.randomphonenumbers\[.\]com," Muir said. "A rudimentary number generator function is then used to build up a list of phone numbers to target."

Another notable aspect of Legion is its ability to exploit well-known PHP vulnerabilities to register a web shell for persistent remote access or execute malicious code.

The origins of the threat actor behind the tool, who goes by the alias "forzatools" on Telegram, remain unknown, although the presence of Indonesian-language comments in the source code indicates that the developer may be Indonesian or based in the country.

"Since this malware relies heavily on misconfigurations in web server technologies and frameworks such as Laravel, it's recommended that users of these technologies review their existing security processes and ensure that secrets are appropriately stored," Muir said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Python-Based "Legion" Hacking Tool Emerges on Telegram

Tools like ChatGPT aren't making social engineering attacks any more effective, but it does make it faster for actors to write up phishing emails.

Thursday, April 13, 2023 00:04

*   Phishing attacks are increasingly more targeted and customized than in the past.
*   The proliferation of additional communications channels such as mobile devices and social media provides attackers with new avenues to phish users.
*   The technology behind phishing attacks evolves as necessary for cybercriminals to bypass content filters and successfully transmit and display the phishing content to the victims.
*   Artificial Intelligence (AI) apps provide attackers with the means to generate highly customized content that makes phishing lures even more convincing.

Cybercriminals often find it easier to trick users into compromising their own security rather than utilizing exploits or highly technical attacks to break into networks. Deceiving users to convince them into divulging sensitive information or take inappropriate actions is known as “social engineering” and this tactic can be extremely effective, regardless of whatever technological defenses have been deployed. As a result, social engineering has become a mainstay in cybercriminals’ arsenals.

Social engineering can take many forms. However, by far the most popular type of contemporary social engineering is phishing. Phishing is the practice of sending victims fraudulent communications that appear to come from a reputable source. It is most often performed through email though other communications platforms such as phone calls and text messages on mobile devices, social media, or chat rooms can also play host to phishing attacks.

The goal of a phishing attack is to steal sensitive data like credit card and/or login information or to install malware on the victim's machine. Phishing has evolved considerably over the past dozen-or-so years. We now have many different subtypes of phishing, including spear phishing (targeting specific users in phishing attacks), whaling (phishing specific high-profile users who have considerable resources or access privileges), smishing (phishing users via SMS messages), quishing (phishing using QR codes) and vishing (telephone-based phishing).

**Phishing attacks have become more targeted**

The earliest phishing attacks, such as those conducted via instant messaging applications like AOHell, intentionally cast a broad net, aiming to snare as many victims as possible. However, phishing in this way has become less effective over time. In order for a phishing attack to succeed, an attacker must first deliver their phishing messages to the victims, and sending a large volume of similar-looking phishing messages to a large number of recipients attracts a considerable amount of attention from security devices and personnel.

On the other hand, only sending a handful of phishing emails is orders of magnitude more difficult for network defenders to prevent. This is the idea behind spear phishing: Attackers narrow the phishing target pool down to a smaller desired group of victims who can be sent a more customized phishing attack. The smaller volume of email increases the odds the message will be successfully delivered to the users and will not be filtered out or flagged by network security devices, and customization raises the likelihood the recipient will view the email as legitimate.

**More locations for phishing**

The proliferation of mobile devices and social media applications has provided phishers with multiple vehicles besides email in which to conduct their attacks. Phishers have been known to use applications such as LinkedIn, Instagram, Facebook, Telegram, Discord, Twitter and other social media apps to transmit phishing messages to victims. We also now regularly receive phishing messages transmitted over SMS and even using QR codes.  

A phishing link to “metamask.lc” is tweeted in reply to a tweet from the real @MetaMask Twitter account.‌ ‌

An example of an SMS phish using a link shortener to hide the true destination URL.

Not all phishing happens online. Some phishers now take a hybrid approach where phishing emails are transmitted, but rather than containing a link to a phishing website or malware, the email contains a phone number that the victim is meant to call where the victim can then be further socially engineered over the telephone.

**Evasion tactics help bypass security devices and fool users**

Security devices are constantly monitoring the network for signs of phishing content and then marking the content as fraudulent or even discarding phishing messages altogether. Today, a successful cybercriminal must find ways around the anti-phishing security technology in place. There are several ways today’s cybercriminals attempt this:

*   Placing text information or links inside images.
*   Using large attachments that cannot be scanned due to their size.
*   HTML smuggling.
*   Using various attachment file types (.doc, .one, .lnk, password-protected .zip).
*   Hiding phishing links behind link-shortening services.
*   Varying the phishing message content by including hidden garbage text pulled from books.
*   Using links to lookalike domain names, known as typosquatting, or domain names that have specially crafted subdomains, ex. www.office.com.login.evilbadguy.com.
*   Transmitting messages from compromised legitimate accounts.
*   Using the browser-in-the-browser technique.

**More convincing phishing lures**

Contemporary phishing lures tend to fall into two basic categories. Many phishing messages attempt to replicate transactional messages, for example, an invoice or receipt for a purchase. Other phishing messages tend to target victims who are eager for news about specific topics, such as current events, natural disasters or the latest celebrity gossip.

With readily accessible open-source information and publicly available breach data, there can be a substantial trove of sensitive information concerning individuals/groups that is freely available online to attackers who are motivated enough to search. This information can be used to customize phishing emails and make phishing content even more relevant to the victims.

To aid in customizing phishing content, attackers are increasingly turning to AI apps such as ChatGPT that can be used to generate phishing content that sounds quite convincing. Fortunately, the designers of ChatGPT have built some guardrails so that attackers cannot simply ask ChatGPT to generate a phishing lure.

However, by phrasing the question a little differently, ChatGPT will help generate convincing content for use in phishing attacks.

Over the past few years, we have seen how some attackers, such as those behind Emotet, have leveraged existing email threads to compel targets to open attachments or click links. Using AI applications similar to ChatGPT, those malicious emails could be customized based on the context of those prior threads.

Voice cloning is another piece of AI technology that is expected to play a role in future phishing attacks. Deepfake technology has already progressed to the point that users can be fooled by a familiar voice over the telephone and once deepfake tools become more widely available, we expect attackers to deploy this as an additional mechanism to phish users.

**Protecting users from today’s phishing attacks**

Of course, as phishing content becomes easier to generate and customize to a specific victim, it becomes increasingly harder to defend. Educating users about how to recognize a phishing attack can be helpful. Additionally, deploying multi-factor authentication such as Cisco Duo is a solid defense that can thwart phishing attacks. Understanding regular network traffic patterns using products like Cisco Secure Network Analytics can help your network security personnel recognize unusual activity that could be related to a successful phishing attack. It is also a good idea to have your email delivered through a secure gateway such as Cisco Secure Email that can scan the email contents for phishing, malware and other email-based attacks. DNS security products such as Cisco Umbrella can help prevent users from navigating to or downloading content from phishing domains.

How threat actors are using AI and other modern tools to enhance their phishing attempts

<drupal-media data-align="center" data-entity-type="media" data-entity-uuid="86dcee13-494e-41e0-a1ed-419306586e5d"></drupal-media>

<h3>What are Confidential Containers?</h3>

<p><strong><a href="https://github.com/confidential-containers">Confidential Containers</a></strong> (CoCo) is a new sandbox project of the <a href="https://www.cncf.io/">Cloud Native Comput

**What are Confidential Containers?**

**Confidential Containers** (CoCo) is a new sandbox project of the Cloud Native Computing Foundation (CNCF) that enables cloud-native confidential computing by taking advantage of a variety of hardware platforms and technologies. The project brings together software and hardware companies including Alibaba-cloud, AMD, ARM, IBM, Intel, Microsoft, Red Hat, Rivos and others.

The CoCo project builds on existing and emerging hardware security technologies such as Intel SGX, Intel TDX, AMD SEV and IBM Z Secure Execution, in combination with new software frameworks **to help better secure user data in use**. This will establish a new level of confidentiality, which does not rely on trust in the cloud providers and their employees, but on hardware-level cryptography. CoCo will support multiple environments including public clouds, on-premise and edge computing.

The goal of the CoCo project is to **standardize** confidential computing at the container level and **simplify** its consumption in Kubernetes. This is in order to enable Kubernetes users to deploy confidential container workloads using familiar workflows and tools without extensive knowledge of underlying confidential computing technologies.

Latest posts

**What is the Confidential Containers project?****October 7, 2022 - Pradipta Banerjee, Christophe de Dinechin, Ariel Adam, Jochen Schroder, Martin Tessun**

Confidential Containers (CoCo) is a new sandbox project of the Cloud Native Computing Foundation (CNCF) that enables cloud-native confidential computing by taking advantage of a variety of hardware platforms and technologies…read more

**Understanding the Confidential Containers Attestation Flow****December 2, 2022 - Pradipta Banerjee, Samuel Ortiz**

This article describes the hardware-based attestation flows and processes that the Confidential Containers project is built upon. With hardware-based attestation, a confidential computing processor generates cryptographic evidence for a workload-running environment. Provided that the workload owner trusts that piece of hardware, they can then remotely verify that evidence and decide if the workload’s execution environment is trustworthy or not…read more

**How to use Confidential Containers without confidential hardware****March 6, 2023 - Wainer dos Santos Moschetta, Steve Horsman**

The CoCo community recognizes that not every developer has access to TEE-capable machines and we don't want this to be a blocker for contributions. So version 0.1.0 and later come with a custom runtime that lets developers play with CoCo on either a simple virtual or bare-metal machine. In this tutorial you will learn: How to install CoCo and create a simple confidential pod on Kubernetes, and the main features that keep your pod confidential…read more

Learn about Confidential Containers

**LEXINGTON, Mass.--(****BUSINESS WIRE****)--**VulnCheck, the vulnerability intelligence company, today announced it has been authorized by the CVE Program as a CVE Numbering Authority (CNA). The company also announced the launch of VulnCheck Advisories, a program designed to simplify how security researchers share vulnerabilities with vendors.

The CVE Program is sponsored by the U.S. Department of Homeland Security and Cybersecurity and Infrastructure Security Agency with a mission to identify, define and catalog publicly disclosed cybersecurity vulnerabilities. As a CNA, VulnCheck joins an elite group of over 280 partners in 36 countries authorized to assign CVE identification numbers to vulnerabilities and publish additional details in the associated CVE record.

"Our company offers the most comprehensive, real-time vulnerability, threat and exploit intelligence available on the market today,” said Anthony Bettini, CEO and Founder of VulnCheck. "Our products often uncover publicly disclosed vulnerabilities and exploits that have no CVE. To better serve the community, VulnCheck has taken on the task of coordinating CVE assignments for these issues. Now as a full partner in the CVE Program, we can expedite the rate at which we can address these problems. This is just the latest step we’ve taken to use our data to help security teams fight back against the growing tide of vulnerabilities they face each day.”

In conjunction with the authorization, the company also launched VulnCheck Advisories, a program designed to remove friction between researchers who identify and report vulnerabilities and the organizations that acknowledge and fix the flaws. The program enables researchers to share newly discovered vulnerabilities directly with VulnCheck. The intelligence company then takes over the submission process to the vendor and guarantees the vulnerability is published within 120 days, whether fixed or not.

“A lot of the time, researchers are at a disadvantage,” said Bettini. “Programs that buy vulnerabilities can be cumbersome and rife with restrictions. And if researchers choose to work directly with a vendor, they can often spend months just trying to get the company to acknowledge their report. With our program, researchers can submit their findings to VulnCheck and let the process run its course without all the hassle.”

The news comes just months after the company raised a $3.2 million seed round to increase hiring, bolster product development and help large enterprises, government agencies and cybersecurity solutions providers outpace adversaries by solving the vulnerability prioritization challenge.

To learn more about VulnCheck and the Advisories program, visit https://vulncheck.com/advisories.

**About VulnCheck**

VulnCheck is the vulnerability intelligence company helping enterprises, government organizations, and cybersecurity vendors solve the vulnerability prioritization challenge. Trusted by some of the world's largest organizations responsible for protecting hundreds of millions of systems and people, VulnCheck helps organizations outpace adversaries by providing the most comprehensive, real-time vulnerability intelligence that is autonomously correlated with unique, proprietary exploit and threat intelligence. Follow the company on LinkedIn. To learn more about VulnCheck, visit https://vulncheck.com/.

VulnCheck Named CVE Numbering Authority for Common Vulnerabilities and Exposures

The bizarre release of sensitive US government materials soon after their creation signals a potential shift to near-real-time unauthorized disclosures.

the United States government has been scrambling this week, thanks to a leak of sensitive Pentagon documents that include an array of recent intelligence updates and Joint Chiefs of Staff briefings. Notably, the documents seem to be very recent, dating from as early as January to early March. The trove was first posted to Discord a few weeks ago, before some of the documents got pickup more recently on Russian Telegram channels and then Twitter.

Initial reporting about the situation—including by _The New York Times_, which broke the story—has focused on roughly 100 documents, but some reports indicate that even more secret documents may have been shared on Discord over the past few months. The documents are photographs of printed-out presentation slides. Some of the papers had been folded and unfolded before being photographed, and some of the photos capture slivers of other objects that were on the desk with the papers.

Researchers say the leak ranks high among other prominent recent revelations about clandestine US government activity—a list that includes information from Edward Snowden about the NSA's bulk surveillance activity, details of the CIA's hacking capabilities in the Vault7 revelations published by WikiLeaks, and NSA hacking tools revealed in the Shadow Brokers leak. But this latest leak has some specific characteristics reflective of the current moment: It is relatively small and contains fresh information rather than a large trove of months- or years-old data. And while it is not yet clear who leaked the documents or what their motivation was, initial indications from Discord activity suggest that the leaker may have been trying to show off to their gaming friends, and might even be a teenager or young adult.

“I am intrigued by the idea of a small, pinpoint leak phenomenon,” says Dan Meyer, a partner at the law firm Tully Rinckey who works on federal employment and national security matters. Meyer was formerly a federal investigator and whistle-blowing expert within the US government. The use of “strategic leaks” has been a tactic of top officials “for a very long time,” Meyer says. “But now the technology issue is very real with phones and the ability to move these documents in ways the government didn’t anticipate.”

The latest leaked documents reveal details about the war in Ukraine, including information about the Ukrainian army's air defenses and plans for a future counteroffensive against Russia. Notably, the trove also reveals details about Russia's war effort and exposes the degree to which the United States intelligence community has penetrated Russia's military and intelligence services. 

As with any leak of state secrets, the most impactful revelations long-term generally relate to methods and access rather than specific information. That means Russian intelligence, for example, will likely make changes to its operations in response to the relvations to evade American operators. The leak also includes indications that the US has been spying on allies like South Korean and Israeli officials, a move that is not necessarily surprising but diplomatically embarrassing.

“We're still investigating how this happened, as well as the scope of the issue,” Chris Meagher, the US assistant to the secretary of defense for public affairs, told reporters on Tuesday. “There have been steps to take a closer look at how this type of information is distributed and to whom. We are also still trying to assess what might be out there.”

Analysts emphasize that the scale of the leak may be much larger than what has emerged publicly so far, and that the situation reflects concerning lapses in the Pentagon's systems for handling secrets.

“It seems like the Department of Defense thought they had sufficient controls in place to detect would-be leakers after incidents like Snowden,” says Jake Williams, a former NSA hacker and an analyst with IANS Research, a cybersecurity consultancy firm. “But obviously, whoever is doing this got around that or learned from past techniques and mistakes.”

As real-time accounts of everything from wars to natural disasters play out on social media and other digital communication platforms, it makes sense that leaking has increasingly become targeted and agile as well. So-called “hack and leak” operations have demonstrated this in recent years, with, for example, state-backed attackers leaking excerpts of government officials' digital communications or strategy documents from political campaigns. Hactivists have also increasingly used precision leaks around the world. Ukrainian advocates have, for example, repeatedly doxed Russian military officials and intelligence agents. And they've leaked data stolen from Russian government agencies and private companies since the Kremlin's full-scale invasion of Ukraine in February 2022. 

For now, as the US government aggressively investigates the latest Pentagon leaker and their motives, Meyer says his advice for US federal employees, contractors, or anyone with a US security clearance is to mind their business.

“Just because you have the ‘need to know,’ that doesn't mean you have the need to go look at it,” he says. “That person should not access these documents anywhere on the web. This stuff has now been identified as classified, and even if it's well intentioned, if you view classified information in a non-SCIF environment, you've committed a technical infraction. It’s a mess, don’t do it.”

Leaked Pentagon Documents May Herald a New Era of Revelations

**OSLO****, Norway** **,** **April 12, 2023** **/PRNewswire/ --** Opera (NASDAQ: OPRA) – the company behind the award-winning family of web browsers – is announcing the extension of its free browser VPN service to Opera Browser for iOS. Already available to some users for early access, the full rollout will be completed within the coming weeks. With this addition, Opera became the first web browser to offer a free built-in VPN across all major platforms, including Mac, Windows, Linux, Android, and iOS.

Staying private online is becoming increasingly challenging. When users browse the internet, they can be subject to data collection from websites and online services, many of which are not always transparent about how they store and use this data. Meanwhile, unsecure networks, such as some public Wi-Fi are vulnerable to attacks from bad actors, which can compromise sensitive personal data like web banking information or credit card details. VPNs, as a result, are an increasingly essential feature of life online – they help protect one's identity and activity so that users can peruse the internet privately, their personal information safe from prying eyes.

With the addition of its VPN service to iOS, Opera becomes the first browser company to offer a built-in, free VPN on every platform. Opera's VPN service requires no subscription, no logging into an account, and no additional extensions – users simply need to toggle a switch in the main menu to browse in peace, since the Opera Browser makes sure VPN traffic is encrypted and IP address is private.

"Opera has always been known for its unique feature set. We are proud to bring our free built-in VPN to all major platforms and to be the first browser company to do so. Our commitment to providing users with a secure browsing experience has led us to develop this feature over the years. We are excited to bring this vital tool to iOS users to ensure their online safety and privacy," said Jørgen Arnesen, EVP Mobile at Opera.

A no-log service, the VPN does not collect any personal data or information related to users' browsing history or originating network address, ensuring anonymity. Fast and secure, users have instant access to virtual locations around the world.

The Opera Browser for iOS is an award-winning browser that is enjoyed by millions of users worldwide. Featuring an interface that has garnered multiple design awards, the browser affords an unparalleled user experience. Designed to be used on the go, Opera's Fast Action Button gives users the full range of navigation tools within a thumb's reach. Users can additionally keep photos, articles, recipes, travel ideas, and links with them at all times with My Flow, which allows for seamless and secure file sharing between phones, tablets, and computers. The browser even integrates a native Crypto Wallet, enabling users to keep track of their digital assets at all times.

Apart from its convenience, the Opera Browser for iOS also offers unparalleled speed and security. It features, for example, a built-in ad blocker – speeding up the loading process as well as shielding users from unwanted advertisements – plus the Apple Intelligent Tracking Prevention, which blocks third party tracking cookies and cookie dialogue. The browser also boasts Opera's Cryptojacking Protection, which safeguards users from having their device's resources hijacked for crypto mining. The free VPN service will now complete the package, affording users protection as they browse the internet.

Concurrent with the ongoing rollout of the free VPN service, Opera Browser for iOS is also receiving a pair of additional upgrades. A Bookmarks feature will allow users to better organize their lives online, and coupled with Speed Dial ensure immediate access to what's most important. And for football fans, a new Live Scores feature lands on the browser's homepage. A scoreboard that displays the day's matches – whether they are upcoming, in progress, or the final whistle has already gone – Live Scores will help users stay on top of the action worldwide.

To start using the free VPN, users just need to download the Opera Browser for iOS and turn the VPN on in the app. The full rollout will be completed within the coming weeks, so VPN will become available for all users shortly. More information is available on the official website.

**About Opera for iOS**

Fast, safe and private, Opera Browser is a beautifully designed web browser with a Red Dot Award for its stunning user interface. Enjoyed by millions of fans across the world, it's built for people on the go and features a lightning fast web search for instant results. With built-in security features such as Apple Intelligent Tracking Prevention and Cryptojacking Protection – plus a native Crypto Wallet – Opera Browser offers users the optimal iOS experience. Opera Browser has a 4.7 star rating in the App Store and has been reviewed by more than 600,000 people worldwide.

**About Opera**

Opera is a web innovator building on more than 25 years of innovation that started with the Opera web browser. While Opera is leveraging its brand and engaged user base in order to grow and develop new products and services for people who seek a better internet experience, Opera's PC and mobile web browsers, content discovery platform Opera News, and apps dedicated to gaming, and Web3 are already the trusted choices of hundreds of millions of active and engaged users. Opera is headquartered in Oslo, Norway, and listed on the NASDAQ Stock Exchange under the OPRA ticker symbol. Download and access Opera's products and services from www.opera.com.

SOURCE Opera Limited

Opera Adds Free VPN to Opera for iOS

Hackers can compromise public charging hubs to steal data, install malware on phones, and more, threatening individuals and businesses alike.

US government agencies are warning that malware planted in public charging stations for phones and other electronics can sneak onto your device when you least expect it.

On April 6, the FBI Denver office published a morsel of advice. "Avoid using free charging stations in airports, hotels, or shopping centers," its tweet stated. "Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto devices. Carry your own charger and USB cord and use an electrical outlet instead."

The sentiment was echoed in an FCC notice about the phenomenon — known as "juice jacking." The commission added that, "in some cases, criminals may have intentionally left cables plugged in at charging stations." Also, "there have even been reports of infected cables being given away as promotional gifts."

Experts say that charging stations can carry risk, not just for individuals but also enterprises. Still, the risk is low and there are simple solutions for avoiding it altogether.

**How Hackers Can Poison Charging Stations**

"There are two different ways this happens," says Pete Nicoletti, field CISO at Check Point Software. "There are the people that actually own those stations. If they're looking for additional revenue, they might install malware on their charging stations."

This isn't the kind of scenario you'd run into at your local airport, though, he adds: "\[That's\] going to be the bad actors that compromise a legitimate station."

Ordinary outlets are immune, but USB ports in modern charging stations are different.

"There is some sort of computer or smart device behind these stations, connected to those USB charging outlets," explains Dmitry Bestuzhev, most distinguished threat researcher at BlackBerry. And because there's a computer involved, the opportunity exists for back-and-forth data transfer.

"Imagine using a phone for charging," Bestuzhev continues. "You use the same USB cable for synchronizing data on your phone with a computer, such as photos, videos, and other information. Technically, a threat actor could poison the data transmission between the malicious station and your device to steal information or install malicious code."

Were this to occur, the FCC says, hackers could "maliciously access electronic devices while they are being charged. Malware installed through a corrupted USB port can lock a device or export personal data and passwords directly to the perpetrator. Criminals can then use that information to access online accounts or sell it to other bad actors."

And any risk to travelers can have a knock-on effect for their employers.

"Most people use their phones for a mix of work and personal time," Allan Liska, threat intelligence analyst at Recorded Future, points out. For a work-from-home employee accessing corporate data from a coffee shop or airport lounge, "a successful attack not only means a phone owner's personal data is compromised, it also means that any work data stored on that phone would be accessible by the attackers." In theory, hackers could also plant malware on a BYOD phone or laptop, or hijack an employee's access to enterprise networks for further attacks.

Whether any of this is likely is another matter. "One of the challenges with the FBI tweet is that they don't provide any real-world examples," Liska says. "So while the kind of attack the FBI laid out is certainly possible, the risk is relatively low."

**Simple Solutions for Charging Safely**

For anyone concerned with charging devices in public, there is one simple solution: don't use dedicated charging stations. Ordinary electrical outlets — of the kind you'd use at home — provide a perfectly safe alternative.

Even when you're searching around the airport terminal and can't find any outlets, there are other options. "Your readers can't see it, but this is what people should be carrying," Nicoletti says over a Zoom call, while holding up his wireless phone charger. "These are 15 bucks!"

And "if a socket isn't available and you're charging a device through a USB cable, use a data blocker," Bestuzhev recommends. Data blockers — colloquially referred to as "data condoms" — are inexpensive and widespread online.

"They're essentially designed on a hardware level to block any data transmission to or from your device," he explains. "So even when you connect to a malicious charging station, if you're using a data blocker, you'll still get the electric charge for your device but data won't flow. That's because, on a hardware level, the data blocker is designed to block the circuit of those parts of the cable to transfer data. So, your data can't be transferred in any direction — just electricity."

Jacked charging stations may be rare, but because the alternatives are so cheap and simple, it's easy enough to avoid the hassle altogether. "These tools," Bestuzhev concludes, "should really be part of any 'frequent flier' or 'frequent traveler' kit."

Tag

#intel