Modified version of WhatsApp for Android caught installing Triada Trojan

By | Blog

A modified version of the WhatsApp messaging app for Android has been trojanized to intercept text messages, serve malicious payloads, display full-screen ads, and register device owners for unwanted premium subscriptions without their knowledge.

“The Triada Trojan snuck into one of these modified versions of the messenger called FMWhatsApp 16.80.0 along with the advertising software development kit (SDK),” researchers at Russian cybersecurity firm Kaspersky said in a whitepaper published Tuesday. “This is similar to what happened with APKPure, where the only malicious code that was embedded in the application was a payload downloader.”

Modified versions of legitimate Android apps, a practice called modding, are designed to perform functions that the app developers did not originally envision or intend. FMWhatsApp, billed as a custom version of WhatsApp, allows users to reshape the app with different themes, customize icons, hide features like last-seen views, and even disable video calling. The application is only available through third-party websites.

The manipulated variant of the application detected by Kaspersky comes equipped with capabilities to collect unique device identifiers, which are sent to a remote server that responds with a link to a payload that is subsequently downloaded, decrypted, and launched by the Triada Trojan.


The payload, meanwhile, can be used to carry out a wide range of malicious activities, ranging from downloading add-on modules and displaying full-screen ads to stealthily subscribing victims to premium services and logging into WhatsApp accounts on the device. Worse still, attackers can hijack and take control of WhatsApp accounts to carry out social engineering attacks or distribute spam messages, thus spreading the malware to other devices.

“It is worth noting that FMWhatsapp users grant the application permission to read their SMS messages, which means that the Trojan and all the additional malicious modules it loads also gain access to them,” the researchers said. “This allows attackers to automatically enroll the victim in premium subscriptions, even if a confirmation code is required to complete the process.”


Author: Ravie Lakshmanan.


Source: https://thehackernews.com/2021/08/modified-version-of-whatsapp-for.html

Cybercrime Group Soliciting Employees For Help Planting Ransomware


A Nigerian threat actor has been observed attempting to recruit employees by offering to pay them $1 million in bitcoin to deploy Black Kingdom ransomware on company networks as part of an insider threat scheme.

“The sender tells the employee that if they are able to deploy ransomware on a company computer or Windows server, then they would be paid $1 million in bitcoin, or 40% of the presumed $2.5 million ransom,” Abnormal Security said in a report released Thursday. “The employee is told that he can initiate the ransomware physically or remotely. The sender provided two methods to contact him if the employee is interested: an Outlook email account and a Telegram username.”

Black Kingdom, also known as DemonWare and DEMON, attracted attention in early March when it was discovered that threat actors were exploiting ProxyLogon flaws affecting Microsoft Exchange servers to infect unpatched systems with the ransomware strain.

Abnormal Security, which detected and blocked the phishing emails on August 12, responded to the solicitation by creating a fictitious persona and approaching the actor on Telegram Messenger, only for the individual to inadvertently reveal the modus operandi of the attack, which included two links to an executable ransomware payload that the “employee” could download from WeTransfer or Mega.nz.

“The actor also instructed us to delete the .EXE file and remove it from the recycle bin. Based on the actor’s responses, it seems clear that 1) he expects an employee to have physical access to a server, and 2) he is not very familiar with digital forensics or incident response investigations,” said Crane Hassold, director of threat intelligence at Abnormal Security.

Author: Ravie Lakshmanan.


Source: https://thehackernews.com/2021/08/cybercrime-group-asking-insiders-for.html

Why Your Business Needs a Long-Term Remote Security Strategy


When COVID-19 emerged, companies in all sectors of the economy were forced to make a rapid transition to remote work. The goal was simple: ensure business continuity in the face of an unprecedented challenge, a challenge most assumed would come and go in no time.


As vaccines continue to roll out and the world finally begins to reopen more than a year later, it appears remote work is here to stay. A recent study found that only 9 percent of remote workers want to return to an office full time. Of course, this is not to say that in-person work is going to disappear completely; Apple recently announced that its employees will return to the office three days a week starting in September.


Taken together, the future of work appears to be more of a hybrid model, with some employees working remotely and others working in the office.


Unfortunately, many organizations are still operating with the same remote solutions that they implemented in March 2020. While these solutions have helped companies keep operations running during the pandemic, most were quickly assembled, with security an afterthought.


In an age where the average data breach costs $3.86 million and businesses can reasonably expect to have some level of distributed workforce, taking a proactive stance on security and implementing a long-term remote security strategy is critical. Failure to do so could have disastrous effects on your business.


VPNs are not enough for remote security
Last year, most companies added or expanded VPN solutions in their technology stacks as they moved to remote work. But a VPN alone is not a panacea. When teams are working around the world, it can be difficult for security teams to manage each endpoint effectively.


The popular narrative that corporate VPNs are reliable and secure couldn’t be further from the truth. In fact, distributed endpoints tend to be some of the easiest targets for attackers. In some cases, accessing your network is as easy as an employee making an inadvertent mistake.


This begs the question: What mechanisms do you have to protect yourself against an employee who connects to an insecure network (for example, a public Wi-Fi network), forgets to connect to your VPN, and then clicks on a malicious link? What if a team member accidentally leaves their laptop in a coffee shop or on a train?


Challenges, opportunities for IT teams in the future
If your organization still uses on-site administration techniques to manage the endpoints of a distributed team, you will struggle in today’s challenging and dynamic security landscape.
In typical environments, employees can only access networks when they are on site or logging in through the corporate VPN. But when teams are spread across the world, not everyone will connect to the VPN every day, especially when you rely on cloud-based tools like GSuite, Microsoft Office 365, and Slack. If employees can get their work done using these services, you will have unmanaged corporate endpoints, much to the delight of bad actors.

Fortunately, it is not impossible to overcome these challenges. The best way to do this is by implementing an effective distributed workforce security strategy that will not have to depend on the network to which your endpoints are connected. Instead, all endpoints should be managed as long as they are powered on. Some options for doing this include cloud-based patch management, mobile device management (MDM), endpoint and intrusion detection and response (EDR / IDR), antivirus software, endpoint encryption, and secure email gateways.


If you are truly embracing a long-term remote strategy, and you should, assuming you want to attract and retain top talent, you need to understand that local connectivity cannot be a requirement for the tools your workforce needs to be productive and successful.


New solutions and strategies for remote workplaces
When it comes to implementing solutions designed specifically for distributed teams, IT leaders must consider the use cases and requirements of each department. You will need to weigh the risks of not making any changes against the potential impacts on business and customers.


First, it is important to implement strategic implementation plans to limit potential business impact. You will also need to gain leadership buy-in, which will make the change easier to sell to the rest of the team.


When you start to implement new security solutions, remember that they are only as strong as the weakest link, which, in most cases, are your end users. By investing in user education platforms, you can help your team understand common vulnerabilities and threats (for example, weak passwords), which can pay significant dividends.


And finally, in today’s evolving landscape, where new threats emerge every day, it’s likely only a matter of time before your systems are breached. Therefore, instead of thinking about what you can do to prevent a breach, you should assume that a breach will occur and implement a zero-trust architecture. By treating all vendors as potential threats and implementing least-privilege access controls to further protect your systems, you put yourself in a much stronger security position.


Looking Ahead: What Comes Next?
Over the last year, we’ve seen a huge trend in attackers targeting home networks. As teams continue to work remotely, it looks like this will be the new normal in 2021 and beyond. So what do you do?
Again, assume that end users will always be the weakest link in your security strategy. For one thing, an employee may inadvertently forget to log into a VPN and connect to an insecure network. On the other hand, a disgruntled employee might decide to sabotage things from within.


You can solve both scenarios by following best practices and implementing zero-trust architectures, least-privilege access, and cloud-based security tools. Since the typical home environment is not well protected, security must be closer to the workload itself.
The sooner you develop and execute a long-term remote security strategy that takes all of these factors into account, the faster you get real-time information and control over your IT environment. With the right approach, you’ll have peace of mind knowing that your network is secure and that you can spend more energy on the big picture.

Author: Chris Hass is Director of Research and Information Security at Automox.

Source: https://threatpost.com/business-long-term-remote-security-strategy/167950/

5 steps to improve ransomware resiliency


The ransomware landscape is evolving, and ransomware is now one of the most popular (for cybercriminals) and harmful types of malware. The JBS, Colonial Pipeline, and Kaseya attacks are recent high-profile examples of the impact of ransomware and the monumental consequences it can have: changes in the market, impact on infrastructure and even leading to action at the highest levels of government.


In the wake of these attacks and other events like the SolarWinds attack, the executive branch has taken action in the form of an Executive Order (EO), which covers various cybersecurity concepts. This order encourages private sector companies to follow the federal government’s lead to help minimize the impact of future incidents.


There are several different concepts outlined in the EO, so to help organizations get started, I’ve outlined some of the key concepts organizations should pay attention to now, and offer some tips on how you can get started implementing these strategies today.

  1. Take a “zero security” stance towards ransomware
    One of the orders that caught my attention is the requirement to “Modernize and implement stronger cybersecurity standards in the federal government.” This is intended to drive the Federal Government to increase and adopt security best practices with zero trust security, accelerating the move towards secure cloud services and the deployment of multi-factor authentication and encryption.
    At Veritas, we advise companies to adopt what we call a “zero security” posture; it’s the mindset that even the most effective endpoint security will be breached. It is important to have a plan to be prepared for when this happens.
  2. Be active, not passive
    Businesses need to have strong endpoint data protection and system security. This includes antivirus software and even whitelisting software where only approved applications can be accessed. Companies need both an active element of protection and a reactive element of recovery.

    Companies affected by a ransomware attack can spend five days or more recovering from an attack, so it is imperative that companies are actively implementing the proper backup and recovery strategies prior to a ransomware attack.
  3. Don’t put all your eggs in one basket
    The black hats developing ransomware are trying to leave a company no way out other than paying the ransom. This is why ransomware attacks target files and systems in use, as well as cloud-based data and backup systems.
    We urge organizations to implement a more comprehensive backup and recovery approach based on the National Institute of Standards and Technology (NIST) cybersecurity framework. It includes a set of best practices: use of immutable storage, which prevents ransomware from encrypting or deleting backups; implement encryption in transit and at rest to prevent bad actors from compromising your network or stealing your data; and strengthen the environment by enabling firewalls that restrict ports and processes.
  4. Create a playbook for cyber incidents
    The other aspect of the EO that I wanted to address was the call to “Create a standard playbook for responding to cyber incidents.” The federal government plans to create a playbook for federal agencies that will also act as a model for the private sector, to help businesses take appropriate action to identify and mitigate a threat.
    Time is of the essence, so before looking at the federal government manual, here are some important steps organizations should think about when it comes to creating their own:
    • Digital Runbook: Having a paper plan is a start, but having a digital plan that can be easily viewed and executed with a single click is essential. The more complex the execution of a plan, the longer it will take to recover from an attack.
    • Test, Test, Test: Testing ensures that your plan will work when you need it. Initial testing is important to ensure that all aspects of the plan are working, but IT environments are constantly changing, so regular testing is critical.
    • Eliminate Single Points of Failure: The 3-2-1 practice is the idea that you should have three or more copies of your data so that a single failure doesn’t derail your plan; keep those copies on at least two different storage media so that a vulnerability in one does not compromise all of your copies; and keep at least one of them off-site or as an air-gapped copy so that you have options if an attack wipes out an entire data center.
    • Have options for rapid recovery: When an attack destroys an entire data center, recovery can slow down when dealing with compound challenges related to hardware, network, workloads, and the data itself. Having an alternative option, such as quickly standing up a data center on a public cloud provider, can shorten downtime and provide alternatives to paying a ransom.

  5. Remember: ransomware is an arms race
    Preparing your business for an inevitable ransomware attack is increasingly critical. The Colonial Pipeline attack has fueled new mandates for cyber resilience and, as security leaders, we play a critical role in ensuring that we are doing everything we can to protect and secure valuable and sensitive data.
    The ransomware will not “solve” itself. I see it as an arms race in which we all have to be constantly vigilant, especially around elements that are beyond our control. No single security solution or control will stop ransomware, but by taking a layered approach to security, you’ll be able to mitigate the impact and get back up and running very quickly.
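As an added example that is not part of the article above or any Veritas product, the Python below applies the 3-2-1 rule from step 4 and the immutable-copy recommendation from step 3 to a backup inventory and reports what is missing. The BackupCopy record, the check_3_2_1 function and the two sample inventories are constructed for illustration; a real inventory would be pulled from the backup system.

```python
from dataclasses import dataclass


@dataclass
class BackupCopy:
    """One copy of a data set in the backup inventory (constructed sample data below)."""
    name: str
    medium: str       # storage medium type, e.g. "disk", "tape", "object-storage"
    site: str         # physical or cloud site where the copy lives
    air_gapped: bool  # not reachable over the network from the production environment
    immutable: bool   # write-once / object-lock: cannot be altered or deleted during retention


def check_3_2_1(copies, production_site):
    """Return a list of findings; an empty list means the inventory satisfies 3-2-1
    plus the immutable-storage recommendation from the article."""
    findings = []
    # "3": three or more copies, so one failure does not derail the plan.
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies; 3-2-1 requires at least three")
    # "2": at least two different media, so a flaw in one does not expose every copy.
    media = {c.medium for c in copies}
    if len(media) < 2:
        findings.append(f"all copies on one medium ({', '.join(sorted(media))})")
    # "1": at least one copy off-site or air-gapped, so losing a data center is survivable.
    if not any(c.site != production_site or c.air_gapped for c in copies):
        findings.append("no off-site or air-gapped copy; losing the production site loses every copy")
    # Immutability: ransomware that reaches the backup system must not be able to encrypt or delete it.
    if not any(c.immutable for c in copies):
        findings.append("no immutable copy; an attacker with backup access can encrypt or delete every copy")
    return findings


# Constructed inventories (not from the article or any real environment).
WEAK_INVENTORY = [
    BackupCopy("production volume", "disk", "dc-main", air_gapped=False, immutable=False),
    BackupCopy("nightly snapshot", "disk", "dc-main", air_gapped=False, immutable=False),
]

RESILIENT_INVENTORY = [
    BackupCopy("production volume", "disk", "dc-main", air_gapped=False, immutable=False),
    BackupCopy("weekly tape set", "tape", "offsite-vault", air_gapped=True, immutable=False),
    BackupCopy("object-lock replica", "object-storage", "cloud-region-a", air_gapped=False, immutable=True),
]

if __name__ == "__main__":
    for label, inventory in (("weak", WEAK_INVENTORY), ("resilient", RESILIENT_INVENTORY)):
        problems = check_3_2_1(inventory, production_site="dc-main")
        print(f"{label}: {'OK' if not problems else ''}")
        for problem in problems:
            print("  -", problem)
```

The weak inventory fails all four checks: a nightly snapshot on the same disk array in the same building is one copy, one medium, no off-site copy and nothing an attacker with backup credentials cannot delete. Running the check from the digital runbook on every schedule change is a cheap way to catch drift before the test-restore exercise does.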

Author: Alex Restrepo

Source: https://threatpost.com/improving-ransomware-resiliency/168091/

100,000 Google sites used to install SolarMarker RAT


Search engine optimization (SEO) tactics direct users searching for common business forms, such as invoices, receipts, or other templates, to hacker-controlled Google-hosted domains.

Hackers are using search engine optimization (SEO) tactics to lure business users to over 100,000 malicious Google sites that appear legitimate, but instead install a remote access trojan (RAT), which is used to establish itself on a network and then infect systems with ransomware, credential thieves, banking Trojans, and other malware.

eSentire’s Threat Response Unit (TRU) discovered legions of unique, malicious web pages containing popular business terms and particular keywords, including keywords related to business forms such as template, invoice, receipt, questionnaire, and resume, the researchers said in a report released Wednesday.


Attackers use Google search redirection and “drive-by download” tactics to direct unsuspecting victims to the RAT, tracked by eSentire as SolarMarker (aka Jupyter, Yellow Cockatoo, and Polazert). Typically, a person visiting the infected site simply runs a binary file disguised as a PDF by clicking on a so-called “form”, thus infecting their machine.

“This is an increasingly common trend with malware delivery, which speaks to the improved security of applications such as browsers that handle vulnerable code,” the researchers wrote. “Unfortunately, it reveals an obvious blind spot in the controls, allowing users to run untrusted binaries or script files.”
In fact, the campaign is not only powerful, but also sophisticated.

Common business terms serve as keywords for the threat actors’ search optimization strategy, convincing Google’s web crawler that the content meets the conditions for a high page rank, which means the malicious sites appear at the top of users’ search results, according to the report. This increases the likelihood that victims will be lured to infected sites.
“Security leaders and their teams should know that the threat group behind SolarMarker has gone to great lengths to engage business professionals, casting a wide net and using many tactics to successfully disguise their traps,” said Spence Hutchinson, Threat Intelligence Manager at eSentire.
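As an added example that is not eSentire’s code or part of the original report, the Python below shows the kind of download check that closes the blind spot the researchers describe: it classifies a file by its leading bytes rather than its name, blocks executable content presented as a document, and blocks document-looking names that end in an executable extension. The assess_download function, its extension lists and the sample files are constructed for illustration; the magic-byte signatures are the well-known ones.

```python
# Well-known magic-byte signatures for the file types this check cares about.
SIGNATURES = {
    "pdf": b"%PDF-",
    "exe": b"MZ",           # Windows PE executables begin with the DOS "MZ" header
    "zip": b"PK\x03\x04",   # plain ZIP, and also DOCX/XLSX/PPTX and JAR containers
}

# Extension lists are assumptions chosen for this example, not an exhaustive policy.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "dll", "msi"}
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "rtf"}
COMPATIBLE = {
    "pdf": {"pdf"},
    "zip": {"zip", "docx", "xlsx", "pptx", "jar"},
    "exe": EXECUTABLE_EXTENSIONS,
}


def detect_kind(data):
    """Classify content by its leading bytes, ignoring the file name entirely."""
    for kind, magic in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def assess_download(filename, data):
    """Return (verdict, reason) for a downloaded file: 'block', 'warn' or 'allow'."""
    kind = detect_kind(data)
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    # 1. Executable content, whatever the name says (the "PDF form" that is really a binary).
    if kind == "exe" and ext not in EXECUTABLE_EXTENSIONS:
        return "block", f"PE executable content presented as .{ext or '(no extension)'}"
    # 2. Double extension: a document-looking name that ends in an executable suffix.
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXTENSIONS and ext in EXECUTABLE_EXTENSIONS:
        return "block", f"double extension .{parts[-2]}.{ext} hides an executable"
    # 3. Recognised content that still does not match its claimed type.
    if kind != "unknown" and ext not in COMPATIBLE[kind]:
        return "warn", f"content is {kind} but the name claims .{ext or '(no extension)'}"
    return "allow", f"content type {kind} is consistent with .{ext or '(no extension)'}"


# Constructed sample downloads: a few header bytes stand in for whole files.
SAMPLES = [
    ("invoice_template.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
    ("receipt_form.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),        # binary disguised as a PDF
    ("questionnaire.pdf.exe", b"MZ\x90\x00\x03\x00\x00\x00"),   # double extension
    ("resume.docx", b"PK\x03\x04\x14\x00\x06\x00"),
]

if __name__ == "__main__":
    for name, head in SAMPLES:
        verdict, reason = assess_download(name, head)
        print(f"{verdict:5}  {name}: {reason}")
```

The same logic can sit in a web proxy, an email gateway or an endpoint agent; the point is that the verdict depends on content, not on the name the SEO-poisoned page chose for the lure.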

Author: Elizabeth Montalbano.


Source: https://threatpost.com/google-sites-solarmarket-rat/165396/

Chrome zero-day exploit posted on Twitter


A Google browser update that fixes the flaw is expected to be released on Tuesday.


A researcher has dropped working exploit code for a zero-day remote code execution (RCE) vulnerability on Twitter, which he said affects current versions of Google Chrome and potentially other browsers, such as Microsoft Edge, that use the Chromium framework.
On Monday, security researcher Rajvardhan Agarwal tweeted a GitHub link to the exploit code, the result of the Pwn2Own ethical hacking contest held online last week.
“Just here to drop a Chrome 0day,” Agarwal wrote in his tweet. “Yes, you read that right.”


Author: Elizabeth Montalbano


Source: https://threatpost.com/chrome-zero-day-exploit-twitter/165363/

Zero trust: the mobile dimension


Hank Schless, senior manager of security solutions at Lookout, discusses how to protect remote work via mobile devices.


After embarking on an unplanned second year of massive remote work, everyone is now accessing corporate resources through the cloud. To help enable this, organizations are introducing new technologies into their standard workflows. The COVID-19 pandemic introduced a new realm of uncharted territory, as companies quickly, and almost randomly, moved all employees off-site. Corporate networks were unprepared to handle this new caliber of remote access, and significant security gaps were created along the way. However, individual and organizational access to personal and corporate data began to evolve long before the pandemic.


We want to have access to anything, from anywhere, on any device. To securely enable that desire, security teams already needed visibility into every device accessing their corporate data and infrastructure. However, the pandemic catapulted this need to the top of the minds of all business leaders, and the ability to block harmful devices that put an organization’s security at risk has never been more necessary. Now, with operations almost completely shifting to the cloud for many, mobile workers have access to much more than just email. However, this access carries significant risks.


Zero trust, which is based on the idea that no device is secure until proven otherwise, has become a widely accepted technical framework as companies strive to monitor and maintain the health of widely distributed endpoint networks. This philosophy should apply to any device that interacts with your network, the most precarious of which are our mobile phones and tablets. With work increasingly being done outside the reach of legacy perimeter systems, there is no effective way to determine who or which device you can trust.


To implement an effective zero trust strategy, organizations must first accept three key factors:

  1. Your network is now in all home offices
  2. Traditional and legacy security technologies do not apply.
  3. Mobile devices cannot be trusted.


Author: Hank Schless

Source: https://threatpost.com/zero-trust-mobile-dimension/165349/

IcedID spreads via web forms and Google URLs


Attackers are completing and submitting web-based “contact us” forms, thereby circumventing spam filters.


Website contact forms and Google URLs are being used to spread the IcedID Trojan, according to Microsoft researchers.


Attackers are using “contact us” forms on websites to send emails targeting organizations with fabricated legal threats, the researchers said. The messages consistently mention copyright infringement by a photographer, illustrator or designer, and contain a link to alleged “evidence” of these legal infringements. But the link actually leads to a Google page that downloads IcedID (aka BokBot), an information stealer and loader for other malware.


“As the attackers complete and submit the web-based form, an email message is generated for the recipient of the associated contact form or the target company, containing the message generated by the attacker,” according to the recent post by Microsoft. “The message uses strong and urgent language (‘Download it right now and see for yourself’), and puts pressure on the recipient to act immediately, ultimately forcing recipients to click on the links to avoid alleged legal action.”
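As an added example that is neither Microsoft’s code nor part of the original post, the Python below scores a contact-form submission against the three traits the researchers describe: a legal pretext, urgent language, and a link to Google-hosted content. The score_contact_form_message function, the keyword lists, the Google host suffixes and the two sample messages are assumptions constructed for illustration; the post says only that the link leads to “a Google page”, so the suffix list is a guess a real deployment would tune to its own traffic.

```python
import re
from urllib.parse import urlparse

# Heuristics drawn from the Microsoft findings quoted above. The word lists are assumptions.
LEGAL_TERMS = ("copyright", "infringement", "legal action", "lawsuit",
               "photographer", "illustrator", "designer")
URGENCY_PHRASES = ("right now", "immediately", "see for yourself",
                   "within 24 hours", "final notice")
# The post says only "a Google page"; which Google host suffixes to watch is an assumption.
SUSPECT_HOST_SUFFIXES = (".google.com", ".googleapis.com", ".googleusercontent.com")

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def link_hosts(text):
    """Extract the host name of every http(s) URL in the text."""
    hosts = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def score_contact_form_message(subject, body):
    """Return (score, reasons). Each triggered heuristic adds one point; a message
    scoring 3 shows every element of the lure described in the post."""
    text = f"{subject}\n{body}".lower()
    reasons = []
    hits = [term for term in LEGAL_TERMS if term in text]
    if hits:
        reasons.append(f"legal pretext: {', '.join(hits)}")
    hits = [phrase for phrase in URGENCY_PHRASES if phrase in text]
    if hits:
        reasons.append(f"urgent language: {', '.join(hits)}")
    hosts = [h for h in link_hosts(text) if h.endswith(SUSPECT_HOST_SUFFIXES)]
    if hosts:
        reasons.append(f"link to Google-hosted content: {', '.join(hosts)}")
    return len(reasons), reasons


# Constructed sample submissions (not real messages).
LURE_SUBJECT = "Copyright infringement notice"
LURE_BODY = ("Hello, I am a professional photographer. Your website uses my images "
             "without a license. Download the evidence right now and see for yourself: "
             "https://sites.google.com/view/constructed-example-evidence . "
             "If it is not removed, we will take legal action.")

BENIGN_SUBJECT = "Question about your pricing"
BENIGN_BODY = ("Hi, could you send a quote for 20 seats? Our site is https://example.com "
               "if you want to see what we do. Thanks!")

if __name__ == "__main__":
    for subject, body in ((LURE_SUBJECT, LURE_BODY), (BENIGN_SUBJECT, BENIGN_BODY)):
        score, reasons = score_contact_form_message(subject, body)
        print(f"{score}/3  {subject!r}")
        for reason in reasons:
            print("   -", reason)
```

Because these messages arrive through the organization’s own contact-form pipeline rather than as inbound mail, the natural place for a check like this is the form handler or the notification step that turns a submission into an email, before anything reaches an inbox.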


Author: Tara Seals.


Source: https://threatpost.com/icedid-web-forms-google-urls/165347/

ANTI RANSOMWARE


The FBI says the Conti ransomware gang has affected 16 US health and emergency networks.

The Federal Bureau of Investigation said the same group of online extortionists accused of attacking the Irish healthcare system last week also targeted at least 16 US medical and first responder networks in the past year.

In an alert released Thursday by the American Hospital Association, the FBI said that cybercriminals using malicious software called ‘Conti’ have targeted law enforcement, emergency medical services, dispatch centers and municipalities.

The alert did not name the victims or elaborate on the nature or severity of the breaches, saying only that they were among the more than 400 organizations worldwide targeted by “Conti actors.”

The FBI did not immediately return a message seeking more details about the advisory, which was first reported by the IT security news site Bleeping Computer.

Ireland’s Health Services Executive shut down its networks last Friday after an attack linked to Conti.

The ransomware attack has paralyzed diagnostic services, disrupted testing for COVID-19 and forced hospitals to cancel appointments. The Irish minister responsible for e-government, Ossian Smyth, described it as possibly the most significant cybercrime to hit the Irish state.

The Irish government said it had not paid and would not pay any ransom in exchange for the alleged key.

The Conti hackers have not responded to messages from Reuters seeking comment.

Author: Raphael Satter

Source: https://www.reuters.com/technology/fbi-says-conti-ransomware-gang-has-hit-16-us-health-emergency-networks-2021-05-21/?&web_view=true