The Iranian threat actor known as Agrius is leveraging a new ransomware strain called Moneybird in its attacks targeting Israeli organizations.
Agrius, also known as Pink Sandstorm (formerly Americium), has a track record of staging destructive data-wiping attacks aimed at Israel under the guise of ransomware infections.
Microsoft has attributed the threat actor to Iran's Ministry of

Ransomware / Endpoint Security

The Iranian threat actor known as **Agrius** is leveraging a new ransomware strain called **Moneybird** in its attacks targeting Israeli organizations.

Agrius, also known as Pink Sandstorm (formerly Americium), has a track record of staging destructive data-wiping attacks aimed at Israel under the guise of ransomware infections.

Microsoft has attributed the threat actor to Iran's Ministry of Intelligence and Security (MOIS), which also operates MuddyWater. It's known to be active since at least December 2020.

In December 2022, the hacking crew was attributed to a set of attempted disruptive intrusions that were directed against diamond industries in South Africa, Israel, and Hong Kong.

These attacks involved the use of a .NET-based wiper-turned-ransomware called Apostle and its successor known as Fantasy. Unlike Apostle, Moneybird is programmed in C++.

"The use of a new ransomware, written in C++, is noteworthy, as it demonstrates the group's expanding capabilities and ongoing effort in developing new tools," Check Point researchers Marc Salinas Fernandez and Jiri Vinopal said.

The infection sequence begins with the exploitation of vulnerabilities within internet-exposed web servers, leading to the deployment of a web shell referred to as ASPXSpy.

In the subsequent steps, the web shell is used as a conduit to deliver publicly-known tools in order to perform reconnaissance of the victim environment, move laterally, harvest credentials, and exfiltrate data.

Also executed on the compromised host is the Moneybird ransomware, which is engineered to encrypt sensitive files in the "F:\\User Shares" folder and drop a ransom note urging the company to contact them within 24 hours or risk getting their stolen information leaked.

"The use of a new ransomware demonstrates the actor's additional efforts to enhance capabilities, as well as hardening attribution and detection efforts," the researchers said. "Despite these new 'covers,' the group continues to follow its usual behavior and utilize similar tools and techniques as before."

UPCOMING WEBINAR

Zero Trust + Deception: Learn How to Outsmart Attackers!

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

Agrius is far from the only Iranian state-sponsored group to engage in cyber operations targeting Israel. A report from Microsoft last month uncovered MuddyWater's collaboration with another cluster dubbed Storm-1084 (aka DEV-1084) to deploy the DarkBit ransomware.

The findings also come as ClearSky disclosed that no fewer than eight websites associated with shipping, logistics, and financial services companies in Israel were compromised as part of a watering hole attack orchestrated by the Iran-linked Tortoiseshell group.

In a related development, Proofpoint revealed that regional managed service providers (MSPs) within Israel have been targeted by MuddyWater as part of a phishing campaign designed to initiate supply chain attacks against their downstream customers.

The enterprise security firm further highlighted escalating threats to small and medium-sized businesses (SMBs) from sophisticated threat groups, which have been observed leveraging compromised SMB infrastructure for phishing campaigns and financial theft.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Iranian Agrius Hackers Targeting Israeli Organizations with Moneybird Ransomware

Indirect prompt-injection attacks can leave people vulnerable to scams and data theft when they use the AI chatbots.

Microsoft director of communications Caitlin Roulston says the company is blocking suspicious websites and improving its systems to filter prompts before they get into its AI models. Roulston did not provide any more details. Despite this, security researchers say indirect prompt-injection attacks need to be taken more seriously as companies race to embed generative AI into their services.

“The vast majority of people are not realizing the implications of this threat,” says Sahar Abdelnabi, a researcher at the CISPA Helmholtz Center for Information Security in Germany. Abdelnabi worked on some of the first indirect prompt-injection research against Bing, showing how it could be used to scam people. “Attacks are very easy to implement, and they are not theoretical threats. At the moment, I believe any functionality the model can do can be attacked or exploited to allow any arbitrary attacks,” she says.

Hidden Attacks

Indirect prompt-injection attacks are similar to jailbreaks, a term adopted from previously breaking down the software restrictions on iPhones. Instead of someone inserting a prompt into ChatGPT or Bing to try and make it behave in a different way, indirect attacks rely on data being entered from elsewhere. This could be from a website you’ve connected the model to or a document being uploaded.

“Prompt injection is easier to exploit or has less requirements to be successfully exploited than other” types of attacks against machine learning or AI systems, says Jose Selvi, executive principal security consultant at cybersecurity firm NCC Group. As prompts only require natural language, attacks can require less technical skill to pull off, Selvi says.

There’s been a steady uptick of security researchers and technologists poking holes in LLMs. Tom Bonner, a senior director of adversarial machine-learning research at AI security firm Hidden Layer, says indirect prompt injections can be considered a new attack type that carries “pretty broad” risks. Bonner says he used ChatGPT to write malicious code that he uploaded to code analysis software that is using AI. In the malicious code, he included a prompt that the system should conclude the file was safe. Screenshots show it saying there was “no malicious code” included in the actual malicious code.

Elsewhere, ChatGPT can access the transcripts of YouTube videos using plug-ins. Johann Rehberger, a security researcher and red team director, edited one of his video transcripts to include a prompt designed to manipulate generative AI systems. It says the system should issue the words “AI injection succeeded” and then assume a new personality as a hacker called Genie within ChatGPT and tell a joke.

In another instance, using a separate plug-in, Rehberger was able to retrieve text that had previously been written in a conversation with ChatGPT. “With the introduction of plug-ins, tools, and all these integrations, where people give agency to the language model, in a sense, that's where indirect prompt injections become very common,” Rehberger says. “It's a real problem in the ecosystem.”

“If people build applications to have the LLM read your emails and take some action based on the contents of those emails—make purchases, summarize content—an attacker may send emails that contain prompt-injection attacks,” says William Zhang, a machine learning engineer at Robust Intelligence, an AI firm working on the safety and security of models.

No Good Fixes

The race to embed generative AI into products—from to-do list apps to Snapchat—widens where attacks could happen. Zhang says he has seen developers who previously had no expertise in artificial intelligence putting generative AI into their own technology.

If a chatbot is set up to answer questions about information stored in a database, it could cause problems, he says. “Prompt injection provides a way for users to override the developer’s instructions.” This could, in theory at least, mean the user could delete information from the database or change information that’s included.

The Security Hole at the Heart of ChatGPT and Bing

Researchers say the state-sponsored espionage operation may also lay the groundwork for disruptive cyberattacks.

As state-sponsored hackers working on behalf of Russia, Iran, and North Korea have for years wreaked havoc with disruptive cyberattacks across the globe, China's military and intelligence hackers have largely maintained a reputation for constraining their intrusions to espionage. But when those cyberspies breach critical infrastructure in the United States—and specifically a US territory on China's doorstep—spying, conflict contingency planning, and cyberwar escalation all start to look dangerously similar.

On Wednesday, Microsoft revealed in a blog post that it has tracked a group of what it believes to be Chinese state-sponsored hackers who have since 2021 carried out a broad hacking campaign that has targeted critical infrastructure systems in US states and Guam, including communications, manufacturing, utilities, construction, and transportation. 

The intentions of the group, which Microsoft has named Volt Typhoon, may simply be espionage, given that it doesn’t appear to have used its access to those critical networks to carry out data destruction or other offensive attacks. But Microsoft warns that the nature of the group's targeting, including in a Pacific territory that might play a key role in a military or diplomatic conflict with China, may yet enable that sort of disruption.

"Observed behavior suggests that the threat actor intends to perform espionage and maintain access without being detected for as long as possible," the company's blog post reads. But it couples that statement with an assessment with "moderate confidence" that the hackers are “pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises.”

Google-owned cybersecurity firm Mandiant says it has also tracked a swath of the group's intrusions and offers a similar warning about the group's focus on critical infrastructure “There's not a clear connection to intellectual property or policy information that we expect from an espionage operation,” says John Hultquist, who heads threat intelligence at Mandiant. “That leads us to question whether they’re there _because_ the targets are critical. Our concern is that the focus on critical infrastructure is preparation for potential disruptive or destructive attack.”

Microsoft’s blog post offered technical details of the hackers’ intrusions that may help network defenders spot and evict them: The group, for instance, uses hacked routers, firewalls, and other network “edge” devices as proxies to launch its hacking—targeting devices  that include those sold by hardware makers ASUS, Cisco, D-Link, Netgear, and Zyxel. The group also often exploits the access provided from compromised accounts of legitimate users rather than its own malware to make its activity harder to detect by appearing to be benign.

Blending in with a target's regular network traffic in an attempt to evade detection is a hallmark of Volt Typhoon and other Chinese actors' approach in recent years, says Marc Burnard, a senior consultant of information security research at Secureworks. Like Microsoft and Mandiant, the Secureworks has been tracking the group and observing the campaigns. He added that the group has demonstrated a “relentless focus on adaption” to pursue its espionage.

US government agencies, including the National Security Agency, the Cybersecurity and Infrastructure Security Agency (CISA), and the Justice Department published a joint advisory about Volt Typhoon's activity today alongside Canadian, UK, and Australian intelligence. “Private sector partners have identified that this activity affects networks across US critical infrastructure sectors, and the authoring agencies believe the actor could apply the same techniques against these and other sectors worldwide,” the agencies wrote.

Although Chinese state-sponsored hackers have never launched a disruptive cyberattack against the United States—even over decades of data theft from US systems—the country’s hackers have periodically been caught inside US critical infrastructure systems. As early as 2009, US intelligence officials warned that Chinese cyberspies had penetrated the US power grid to “map” the country's infrastructure in preparation for a potential conflict. Two years ago, CISA and the FBI also issued an advisory that China had penetrated US oil and gas pipelines between 2011 and 2013. China’s Ministry of State Security hackers have gone much further in cyberattacks against the country’s Asian neighbors, actually crossing the line of carrying out data-destroying attacks disguised as ransomware, including against Taiwan’s state-owned oil firm CPC.

This latest set of intrusions seen by Microsoft and Mandiant suggests that China’s critical infrastructure hacking continues. But even if the Volt Typhoon hackers did seek to go beyond espionage and lay the groundwork for cyberattacks, the nature of that threat is far from clear. State-sponsored hackers are, after all, often assigned to gain access to an adversary’s critical infrastructure as a preparatory measure in case of a future conflict, since gaining the access  necessary for a disruptive attack usually requires months of advanced work.

That ambiguity in state-sponsored hackers’ motivations when they penetrate another country’s networks—and its potential for misinterpretation and escalation—is what Georgetown professor Ben Buchanan has called “the cybersecurity dilemma” in his book by the same name. “Genuinely attacking and building the option to attack later on,” Buchanan told WIRED in a 2019 interview as cyberwar tensions rose between the US and Russia, “are very hard to disentangle."

Drawing the lines between espionage, cyberattack preparation, and imminent cyberattack is an even harder exercise with China, says Mandiant’s Hultquist, given the limited instances of the country pulling the trigger on a digitally disruptive event—even when it does have the access to cause one, as it may well have had in Volt Typhoon’s intrusions. “China’s disruptive and destructive capabilities are extremely opaque,” he says. “Here we have a possible indication that this might be an actor with that mission.”

China Hacks US Critical Networks in Guam, Raising Cyberwar Fears

According to Microsoft and researchers, the state-sponsored threat actor could very well be setting up a contingency plan for disruptive attacks on the US in the wake of an armed conflict in the South China Sea.

China-sponsored threat actors have managed to establish persistent access within telecom networks and other critical infrastructure targets in the US, with the observed purpose of espionage — and, potentially, the ability down the line to disrupt communications in the event of military conflict in the South China Sea and broader Pacific.

That's according to a breaking investigation from Microsoft, which dubs the advanced persistent threat (APT) "Volt Typhoon." It's a known state-sponsored group that has been observed carrying out cyber espionage activity in the past, by researchers at Microsoft, Mandiant, and elsewhere.

While espionage appears to be the goal for now, there could very well be a more sinister purpose at play. "Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises," according to the analysis.

The first signs of compromise emerged in telecom networks in Guam, according to a New York Times report ahead of the findings being released. The National Security Agency discovered those intrusions around the same time that the Chinese spy balloon was making headlines for entering US airspace, according to the report. It then enlisted Microsoft to further investigate, eventually uncovering a widespread web of compromises across multiple sectors, with a particular focus on air, communications, maritime, and land transportation targets.

**A Shadow Goal? Laying Groundwork for Disruption**

The discovery of the activity is playing out against the backdrop of the US' frosty relations with Beijing; the two superpowers have stalled in their diplomacy since the shooting down of the balloon, and has worsened amidst fears that Russia's invasion of Ukraine could spur China to do the same in Taiwan.

In the event of a military crisis, a destructive cyberattack on US critical infrastructure could disrupt communications and hamper the country's ability to come to Taiwan's aid, the Times report pointed out. Or, according to John Hultquist, chief analyst at Mandiant Intelligence - Google Cloud, a disruptive attack could be used as a proxy for kinetic action.

"These operations are aggressive and potentially dangerous, but they don't necessarily indicate attacks are looming," he said in an emailed statement. "A far more reliable indicator for \[a\] destructive and disruptive cyberattack is a deteriorating geopolitical situation. A destructive and disruptive cyberattack is not just a wartime scenario either. This capability may be used by states looking for alternatives to armed conflict."

Dubbing such preparations "contingency intrusions," he added that China is certainly not alone in conducting them — although notably, China-backed APTs are typically far more focused on cyber espionage than destruction.

"Over the last decade, Russia has targeted a variety of critical infrastructure sectors in operations that we do not believe were designed for immediate effect," Hultquist noted. "Chinese cyber threat actors are unique among their peers in that they have not regularly resorted to destructive and disruptive cyberattacks. As a result, their capability is quite opaque."

**An Observed Focus on Stealth & Spying**

To achieve initial access, Volt Typhoon compromises Internet-facing Fortinet FortiGuard devices, a popular target for cyberattackers of all stripes (Microsoft is still examining how they're being breached in this case). Once inside the box, the APT uses the device's privileges to extract credentials from Active Directory account and authenticate to other devices on the network.

Once in, the state-sponsored actor uses the command line and living-off-the-land binaries "to find information on the system, discover additional devices on the network, and exfiltrate data," according to the analysis.

To cover its tracks, Volt Typhoon proxies its network traffic through compromised small office/home office (SOHO) routers and other edge devices from ASUS, Cisco, D-Link, NETGEAR, and Zyxel — that allows it to blend into normal network activity, Microsoft researchers noted.

The post also provides mitigation advice and indicators of compromise, and the NSA has published a tandem advisory on Volt Typhoon (PDF) with details on how to hunt for the threat.

'Volt Typhoon' China-Backed APT Infiltrates US Critical Infrastructure Orgs

The new software-led solution enables organizations to defend against cybersecurity threats in their operational technology (OT) environments.

**ATLANTA, May 23, 2023 –** Honeywell (**Nasdaq: HON**) today announced the release of its operational technology (OT) cybersecurity solution, Honeywell Forge Cybersecurity+| Cyber Insights, to assist customers in improving the availability, reliability and safety of their industrial control systems and operations.

Cyber Insights is designed to integrate information from multiple OT data sources in order to provide a customer with actionable insights into their facility’s cybersecurity vulnerabilities and threats, allowing the customer to manage their compliance strategy, thereby helping reduce their overall cybersecurity risks.

Companies with OT systems face challenges in obtaining the necessary information to reduce the likelihood and impact of cyberattacks and to stay compliant with standards and regulations that may be applicable to them. These challenges are compounded by the shortage of available cybersecurity skills in operational technology, with a cyber security workforce gap of more than 3.4 million people.\[1\]Despite attempts to implement various solutions, success is difficult to achieve due to the complexity of the tools, the overwhelming volume of security data generated, and the lack of solutions specifically designed for OT.

“Organizations should leverage technology to address worker shortages, while at the same time gaining clear visibility into their OT facilities’ cybersecurity posture to help them make faster decisions and reduce cyber risk,” said Michael Ruiz, vice president and general manager, Honeywell OT Cybersecurity Innovation. “Cyber Insights is a tool designed to provide customers with detection and insights so that cybersecurity leaders can better understand and monitor their then current security profile, while also being able to detect and mitigate the latest threats.”

Cyber Insights brings a tailored approach by providing a purpose-built cybersecurity solution for OT environments and users. It is designed to offer a site-level view of a facility’s cybersecurity posture and provide insights into security events, vulnerabilities, active threats and to manage compliance. Cyber Insights is designed to help organizations strengthen their cyber resilience and to respond faster to incidents through access to critical information at the right time.

Cyber Insights is pre-configured for OT use, with already available customization options designed to address certain needs specific to different industrial environments, while being vendor agnostic so that it can be deployed on Honeywell control systems as well as many other systems. It is also deployed, supported and maintained by Honeywell Cyber Care services during the applicable subscription license term, to help customers maintain continuous tuning and optimization as required for any system to run in peak form.

“Honeywell has successfully positioned itself as a ‘one-stop shop’ system integrator and solution provider across different spectrums of operational technology (OT) cybersecurity for over 20 years,” said Avimanyu Basu, senior lead analyst at ISG. “Being vendor-agnostic, Honeywell is well-equipped to work on almost any device and provide the necessary services for assessment and remediation.”

To learn more about Honeywell OT Cybersecurity solutions, visit us at www.becybersecure.com.

**About Honeywell**

Honeywell (www.honeywell.com) delivers industry-specific solutions that include aerospace products and services; control technologies for buildings and industry; and performance materials globally. Our technologies help aircraft, buildings, manufacturing plants, supply chains, and workers become more connected to make our world smarter, safer, and more sustainable.

Honeywell Forge is intelligent operations software that connects assets, people, and processes, enabling operational performance, sustainability, and quality improvement.

For more news and information on Honeywell, please visit www.honeywell.com/newsroom.

_This document may contain statements including future product direction and does not create any binding obligations on us to develop or sell any product, service or offering. Any descriptions of future product direction, intended updates or new or improved features or functions are intended for informational purposes only and are not binding commitments on us and the sale, development, release, locations of availability, or timing of any such products, updates, features or functions is at our sole discretion._

Honeywell Releases Cyber Insights to Better Identify Cybersecurity Threats and Vulnerabilities

New capability streamlines automated testing of cybersecurity and anti-fraud features in android and iOS apps in virtual and cloud testing suites.

**REDWOOD CITY, Calif.****,** **May 23, 2023** **/PRNewswire/ --** Appdome, the mobile app economy's one and only Cyber Defense Automation platform, today announced Build-to-Test which enables mobile developers to streamline the testing of cybersecurity features in mobile apps.

The new capability allows Appdome-protected mobile apps to recognize when automated mobile app testing suites are in use and securely completed without interruption by a vendor, logging all security events for the developer to track and monitor. The Build-to-Test service is part of Appdome's Dev2Cyber initiative and will accelerate the delivery of secure mobile apps globally.

In continuous integration, continuous delivery (CI/CD) pipelines, mobile app quality assurance is done via automated testing services so the functionality of the mobile app can be validated across hundreds of real-world mobile devices and OS versions. However, automated testing services can also leverage methods and tools that violate cybersecurity policies or that cybersecurity professionals find problematic and dangerous such as emulators, virtualization, resigning, debugging, dual spaces, Magisk and more. Once protections are added to a mobile app, security features detect these methods and tools, and the resulting cyber defense may prevent testers from using parts of these testing services.

The new Build-to-Test option on Appdome extends Appdome's support for automated mobile app testing services and allows Appdome-protected mobile applications to recognize the testing vendor and securely complete testing runs without interruption.

"We've always supported automated testing," said Chris Roeckl, Chief Product Officer at Appdome. "Build-to-Test solves one of the last operational challenges of testing mobile applications at scale and maintains end-to-end security in the mobile DevSecOps pipeline."

Appdome-protected mobile apps have always been testable on devices made available through automated mobile application testing vendors. Advantages of the new Build-to-Test feature include:

*   Fully automated testing for Appdome-protected mobile apps;
*   Fully automated mobile app testing services to validate cyber defenses in Appdome protected mobile apps;
*   Reduced complexity when testing protected mobile apps in automated environments;
*   Eliminate the need to test protected and unprotected builds separately; and
*   Protect test builds with Appdome defenses to ensure improved DevSecOps compliance.

"Mobile developers want to test complete Android and iOS builds that include cyber and anti-fraud defenses," said Jamie Bertasi, Chief Customer Officer at Appdome. "Our goal is to remove every ounce of friction that stands in the way of protecting the mobile app economy."

Appdome's Built-to-Test option is available with Appdome-DEV and Appdome-SRM licenses and compatible with all major mobile app testing services including Microsoft App Center, Sauce Labs, BitBar, LambdaTest and BrowserStack to reduce time to market, improve app quality and increase pipeline efficiency.

For more information on how to use Appdome Build-to-Test, please see this knowledge base article.

**About Appdome** 

Appdome's mission is to protect every mobile app in the world and the people who use mobile apps in their lives and at work. Appdome provides the mobile industry's only mobile application Cyber Defense Automation platform, powered by a patented artiﬁcial-intelligence based coding engine, Threat-Events™ Threat-Aware UX/UI Control and ThreatScope™ Mobile XDR. Using Appdome, mobile brands eliminate complexity, save money, and deliver 300+ Certified Secure™ mobile app security, anti-malware, anti-fraud, mobile anti-bot, anti-cheat, MiTM attack prevention, code obfuscation and other protections in Android and iOS apps with ease, inside the mobile DevOps and CI/CD pipeline. Leading ﬁnancial, healthcare, government and m-commerce brands use Appdome to protect Android and iOS apps, mobile customers and mobile businesses globally. Appdome holds several patents including U.S. Patents 9,934,017 B2, 10,310,870 B2, 10,606,582 B2, 11,243,748 B2 and 11,294,663 B2. Additional patents pending.

Learn more at www.appdome.com.

SOURCE Appdome

Appdome Launches Build-to-Test, Automated Testing Option for Protected Mobile Apps

Attackers primarily target on-premises IT infrastructures.

**FRISCO, Texas****,** **May 23, 2023** **/PRNewswire/ --** Netwrix, a cybersecurity vendor that makes data security easy, today announced additional findings for the enterprise sector (organizations with more than 1,000 employees) from its annual global 2023 Hybrid Security Trends Report.

According to the survey, 65% of organizations in the enterprise sector suffered a cyberattack within the last 12 months, which is similar to the results among companies of all sizes (68%). The most common security incidents are also the same: phishing, ransomware and user account compromise.

However, larger organizations are a more frequent target for ransomware or other malware attacks: 48% of enterprises experienced this type of security incident on premises, compared to 37% among organizations of all sizes. Malware attacks are less common in the cloud: just 21% of respondents in the enterprise sector experienced one within the last 12 months.

"It is no surprise that the enterprise sector suffers malware attacks at a higher rate than smaller organizations. After all, ransomware operators want to maximize their profits, so they consider which organizations are most able to pay a ransom to reduce business downtime — and the larger an organization is, the costlier an operational disruption will be," says Dmitry Sotnikov, VP of Product Management at Netwrix. "On the other hand, larger organizations have more tools to spot the attack that might stay unnoticed for SMBs. In addition, enterprises have bigger infrastructure with more endpoints that statistically increases the chance of the security incident."

The enterprise sector also reports larger expenses as a result of cyberattacks than their smaller counterparts. Indeed, 28% of enterprises estimated their financial damage from cyberthreats to be $50,000 and higher, compared to just 16% among organizations overall.

"Smaller companies often underestimate their risk of attack, reasoning that cybercriminals tend to target enterprises because they store more intellectual property (IP) and other sensitive data. But our survey shows that organizations suffer cyberattacks with a similar frequency regardless of their size," says Dirk Schrader, VP of Security Research at Netwrix. "Every organization has valuable data, such as customer and employee information, and is therefore a target for attackers. What's more, SMBs are not only a target on their own but as a way into the larger enterprises that consume their services."

To learn more about how enterprises can overcome the ransomware challenge, visit the Netwrix ransomware protection page.

**About Netwrix**  

Netwrix makes data security easy. Since 2006, Netwrix solutions have been simplifying the lives of security professionals by enabling them to identify and protect sensitive data to reduce the risk of a breach, and to detect, respond to and recover from attacks, limiting their impact. More than 13,000 organizations worldwide rely on Netwrix solutions to strengthen their security and compliance posture across all three primary attack vectors: data, identity and infrastructure.  

For more information, visit www.netwrix.com.

Netwrix Report: Enterprises Suffer More Ransomware and Other Malware Attacks Than Smaller Organizations

Security professionals warn that Google's new top-level domains, .zip and .mov, pose social engineering risks while providing little reason for their existence.

Two new top-level domain names — .zip and .mov — have caused concern among security researchers, who say they allow for the construction of malicious URLs that even tech-savvy users are likely to miss.

Google announced the domains in early May, kicking off a slow buildup of criticism from the security community as people became aware of the issues. In a widely circulated post on Medium, security researcher Bobby Rauch pointed to two seemingly identical URLs that appear to go to the same place — downloading a zip file from a GitHub repository — but by using unicode slashes, an "@" sign, and the .zip domain, a potentially malicious URL could instead redirect users to an attacker's website.

While a top-level domain (TLD) that mimics a file extension is only one component in the lookalike attack, the overall combination is much more effective with the .zip or .mov extension, says Tim Helming, security evangelist at DomainTools, a provider of domain-related threat intelligence.

"There's no question that phishing links that involve these TLDs can be used to lure unsuspecting users into accidentally downloading malware," he says. "Unlike other kinds of phishing URLs that are intended to lure the user to enter credentials into a phony login page, the lures with the .zip or .mov domains are more suited to drive-by download types of attacks."

In the three weeks since Google announced the new domains — along with .dad, .phd, and .foo — security researchers have pointed out the dangers of TLDs that match file extensions. On Tuesday, for example, Trend Micro became the latest security firm to warn users to fine-tune their ability to spot malicious links. In the advisory, the company pointed out that the Vidar info-stealer uses fake URLs to download a "Zoom.zip" file to the victim's computer — and that the .zip domain will make the attack much more effective.

Google did not answer questions about the tradeoffs between risk and utility for the new TLDs but did send a statement to Dark Reading, pointing to other confusing domains, such as 3M's command.com domain as a way of arguing that the issue is not novel.

"The risk of confusion between domain names and file names is not a new one," the company stated. "Applications have mitigations for this — such as Google Safe Browsing — and these mitigations will hold true for TLDs such as .zip. At the same time, new namespaces provide expanded opportunities for naming such as community.zip and url.zip."

Whether the new domains will make phishing better is still a question for some, but the risk of making more effective links seems to outweigh any benefit of the domains, says Erich Kron, security awareness advocate at phishing and security education firm KnowBe4.

"It's the 'why are we doing this?' that kind of gets me, and frankly, it's just a bad idea, right?" he says. "Bad actors have been using .zip files and compressed files to get people to download malware for eons, and then to make a top-level domain that the general public is going to associate with \[legitimate files\] ... we are really opening the doors to some some very easy trickery here."

**No Active Phishing Attacks so Far**

The domain names have already led to some mistakes, and not just on the part of humans. Some tools, such as Google's own malware identification service VirusTotal, are confusing filenames with the .zip extension with URLs with the .zip TLD, according to Johannes Ullrich, dean of research for education organization SANS Technology Institute. Ullrich is in the process of surveying existing .zip domains to see which are malicious.

He has found that evidence of in-the-wild campaigns is scant so far. "This opens up new avenues for more convincing phishing attacks," Ullrich said, with a caveat: "However, there are already many ways to create convincing phishing attacks, so the risk is more incremental."

The good news is that attackers have not yet picked up the technique en masse for real-world attacks, Trend Micro stated in its advisory.

"As of today, Trend Micro has not yet received URLs related to these new TLDs from internal and customer cases," the company stated. "However, we will continue to monitor any related URLs we come across and block them as needed in preparation for potential phishing campaigns."

At this point, the biggest "attack" so far involves "rickrolling" and parked domains, Ullrich says: At least 48 domains have been registered by people who then posted a video of singer Rick Astley and his song, "Never Gonna Give You Up."

**Awareness, Best Security Practices Remain Top Advice**

The creation of file-extension-lookalike domain names will likely lead Google and other browser makers to adopt warnings in their software, alerting users when a domain uses special unicode characters — such as two characters that appear to be slashes (/) — and which could be confused for legitimate URLs.

However, much will still rely on users, who should be careful about checking links, and companies, which can restrict new domain names until cybersecurity providers can assign them a reputation, DomainTools' Helming says.

"There are ways for very savvy users to spot these file paths visually," he adds, "but the most effective defenses are going to be a combination of efforts that include security control detections for things like those characters, risk scoring for newly created domains — in any TLD — and updated user awareness training."

_With reporting by Jaikumar Vijayan_

Google's .zip, .mov Domains Give Social Engineers a Shiny New Tool

A cybersecurity vulnerability found in an implementation of the social login functionality opens the door to account takeovers and more.

A vulnerability in the implementation of the Open Authorization (OAuth) standard that websites and applications use to connect to Facebook, Google, Apple, Twitter, and more could allow attackers to take over user accounts, access and/or leak sensitive information, and even commit financial fraud.

OAuth comes into play when a user logs in to a website and clicks on a link to log in with another social media account, such as "Log in with Facebook" or "Log in with Google" — a feature that many sites use to allow cross-platform authentication. A team from API security firm Salt Security's Salt Labs discovered the flaw, tracked as CVE-2023-28131, in the OAuth implementation in Expo, an open source framework for developing native mobile apps for iOS, Android, and other Web platforms using a single codebase.

Specifically, the flaw potentially could affect any users that use various and social media accounts to log into an online service that uses the framework, the researchers revealed in a blog post published May 24.

The vulnerability is the second — and more impactful — one that Salt researchers have found in an online platform's implementation of OAuth, which is proving to be a tricky standard to implement securely. In March, Salt discovered a flaw in Booking.com's implementation of OAuth that could have allowed attackers to take over user accounts and gain full visibility into their personal or payment-card data, as well as log in to accounts on the website's sister platform, Kayak.com.

**Third-Party Risk With OAuth Implementation**

The flaw in Expo could have had a much wider impact than the Booking.com flaw, because of Expo's wide install base, Aviad Carmel, Salt security researcher, tells Dark Reading.

"Because this second OAuth vulnerability was discovered in a third-party framework used by hundreds of companies, the potential exposure was far greater," he says. "It could have impacted the OAuth implementations of hundreds of websites and apps."

Moreover, OAuth is becoming a de facto authentication standard in modern service-based architectures, as well as in emerging artificial intelligence (AI)-based platforms. This inherently means any vulnerabilities in OAuth implementations have a broad reach. In fact, in other research unveiled May 24, software-as-a-service (SaaS) security firm DoControl revealed that 24 percent of third-party AI apps require risky OAuth permissions.

Expo patched CVE-2023-28131 within hours after Salt researchers flagged the issue, and developers maintaining the platform recommended in a blog post detailing the flaw that customers update their Expo deployments to fully mitigate the risk.

However, the mounting list of OAuth vulnerabilities and the overall complexity of correctly configuring the standard that they highlight suggest that more websites and apps could have undiscovered flaws lurking beneath their surface.

The findings also demonstrate how enterprises are adversely and broadly affected when third-party frameworks introduce API vulnerabilities into their environment, often without them knowing. This puts customers at risk for credential leaks or account takeover, and gives threat actors a platform from which to launch further attacks, the researchers said.

**Exploiting the Expo Flaw**

When a user clicks on an OAuth-enabled link to log in to Site A with a social media account, Site A will then open a new window to Facebook, Google, or whatever trusted account is being used. If it's the user's first time visiting Site A, the social media page will ask for permission to share details with Site A. If the user has gone through the process before, the social media site will automatically authenticate the user to Site A.

Salt Labs researchers discovered CVE-2023-28131 in Codeacademy.com, an online platform that offers free coding classes across a dozen programming languages. Companies including Google, LinkedIn, Amazon, Spotify, and others use the site to help train employees, and the site has around 100 million users. The researchers ultimately exploited the flaw to gain complete control of Codeacademy.com accounts, they said.

The vulnerability in the OAuth implementation within Expo relates to the social sign-in process, Carmel tells Dark Reading. "When users sign in using their Facebook or Google credentials, Expo acts as an intermediary and transfers the user's credentials to the target website," he says.

Attackers could have exploited CVE-2023-28131 by intercepting this flow and manipulating Expo to send the user credentials to a malicious domain instead of the intended destination, Carmel explains.

This exploitation could have led to leaks of personal data or even financial fraud if attackers used credentials to log into users' financial accounts. Threat actors also could potentially have performed actions on behalf of users on their social media accounts, Carmel says.

**Why OAuth Is Tricky**

OAuth's popularity stems from how it can provide a much more seamless user experience for people when interacting with frequently used websites. However, it has a complex, technical back-end that can lead to implementation mistakes, creating security gaps that are ripe for exploitation, the researchers said.

To secure an OAuth implementation, then, an organization must understand how OAuth functions and which endpoints can receive user inputs, Carmel says.

"Attackers may attempt to manipulate these inputs, so validating each one is essential," he advises. "This can be achieved by maintaining a whitelist of predetermined values or implementing other strict validation methods."

Because of how complex OAuth implementations are proving to be, Salt Security plans to release a best-practice guide in the future to help enterprises security their OAuth implementations effectively, Carmel adds.

OAuth Flaw in Expo Platform Affects Hundreds of Third-Party Sites, Apps

Incident response playbooks and frameworks are leaving defenders ill-equipped to recover from the increasing number of successful cyberattacks. Developments in AI offer a new way for stretched teams to manage security incidents and heal swiftly.

The number of successful cyberattacks impacting organizations continues to increase, with recent high-profile breaches such as UK outsourcing firm and government contractor Capita incurring recovery costs of up to £20 million.

Generative AI is allowing attackers to innovate and escalate their approach. Darktrace researchers observed a 135% increase in "novel social engineering attacks" across thousands of active customers from January to February 2023 (based on the average change in email attacks detected across Darktrace customers' email deployments). With that in mind, organizations should focus more than ever on their cyber resilience — namely, their ability to withstand, adapt, and recover from cyberattacks that have achieved initial access. Yet the gap between the growing numbers of successful attacks and effective approaches to recovery continues to widen.

Within this context, security teams need help to prepare, recover, and adapt confidently to cyber incidents, and new developments in AI are offering promising signs that they can do so.

**Evaluating the Current Picture**

With a growing skills shortage in the industry, it has become more and more difficult for humans to keep up with incident management techniques and frameworks. Additionally, the costs associated with tabletop exercises, red/purple team activities, maintaining playbooks, and testing recovery stacks have become increasingly untenable.

Incident response playbooks outline the steps an organization should take to respond to and recover from a particular type of attack and are widely accepted as best practice. These are typically based on predefined, static views of an organization that quickly become outdated and are challenging to maintain and execute in a real-world incident.

Published frameworks are another standard part of the cyber resilience toolkit. These templates and flowcharts tend to lay out discrete linear processes — often lengthy steps designed to occur one after the other, with no concept of the frequent need to shift and adapt as new information arises. Dealing with the complexity gap between the necessarily concise framework and the variety and complexity of real incidents is left to human responders.

Similarly, tabletop exercises, in which stakeholders come together to test incident response plans, can be a useful way of developing experience in decision making. But they are time-intensive and will not test many of the technical tools and processes used in a real-world response.

**Moving From a Reactive to an Adaptive Approach**

Introducing self-learning artificial intelligence (AI) into incident management can allow teams to engage an incident in more detail and at an earlier stage than they currently can, minimizing disruption to the business.

One of the more challenging security tasks is dedicating time to continuously evaluate readiness to handle an incident, which could occur at any time. AI can add value here by combining a deep understanding of every internal asset and continuous evaluation of coverage and functionality of the recovery stack to assess: _How prepared are you for defeating a cyberattack?_

During an incident, especially if on a larger scale, AI-powered systems offer full visibility into the scope and details of the compromise, creating a more informed basis on which to manage it. By holding this complex understanding within the software, it can go further by automating much of recovery management. It can automatically adapt planned recovery steps to precise incident details. It can also prioritize assets for remediation based on its deep understanding of that asset's function and role within the incident and the business.

But AI assistance doesn't have to mean relinquishing human control. Rather, AI should augment human teams by presenting simple choices and recommendations based on real-time developments and simplify and automate technical steps where possible. Working together, AI can shorten the time-consuming recovery processes while providing human teams with relevant and timely context to support faster decision making when it counts.

Time savings from AI can extend to record keeping during and after the incident. By collecting forensic evidence automatically and keeping a record of all defensive actions taken, AI can create incident reports at any time. These reports enable teams to communicate clearly to stakeholders what has happened, what they've done about it, and what further actions they are planning to take.

Critically, incident management needs to interact with detection, immediate response, and preventative measures across the rest of the cybersecurity ecosystem. In a landscape where vendor consolidation is top of mind for CISOs and CFOs, incident recovery products that can integrate with these other capabilities provide a compelling case for a single dashboard approach to cyber resilience.

The reality is that cyber incidents are a question of _when_ and not _if_, so organizations that look to move beyond static incident playbooks and standard frameworks will remain ahead of the game. Leveraging AI and automation to deliver bespoke recovery plans that adapt in real time will allow these companies to achieve new levels of cyber resilience in a fast-moving threat landscape.

**About the Author**

    

Matt Bovbjerg joined Darktrace in 2015, specializing in strategic customer deployment architecture and operationalizing Darktrace within large security stacks, before becoming the Vice President of Integrations Architecture. Matt works closely with Darktrace R&D, Technology Alliance Partners, and customers to develop use case-driven third-party integrations, ensuring organizations get the most out of their security investments. Matt holds a Bachelor’s degree in Industrial and Operations Engineering from the University of Michigan.

Tag

#intel