In the past, cyber criminals directly distributed malware on GitHub using encrypted scripting code or malicious executables. But now threat actors are turning to a new tactic to spread malware: creating ghost accounts.

A highly effective malware campaign

Check Point Research recently exposed a new distribution-as-a-service (DaaS) network, referred to as the Stargazers Ghost Network, that has been spreading malware on GitHub for at least a year. Because the accounts perform typical activities as well, users did not realize that the accounts were performing malicious activities.

By targeting users who wanted to increase their followers on YouTube, Twitch and Instagram, the ghost accounts distributed malicious links through Discord channels to the GitHub repositories. Because the malicious links go to content that is starred and verified, other users assume that the repositories are legitimate. However, the high number of stars is what tipped off Check Point researchers that the accounts were suspicious.

“In a short period of monitoring, we discovered more than 2,200 malicious repositories where ‘ghost’ activities were occurring. During a campaign that took place around January 2024, the network distributed Atlantida stealer, a new malware family that steals user credentials and cryptocurrency wallets along with other personally identifiable information (PII). This campaign was highly effective, as in less than four days, more than 1,300 victims were infected with Atlantida stealer,” wrote Antonis Terefos in the Check Point Research report.

By using three GitHub accounts working together, Stargazers Ghost Network manages to avoid detection by GitHub. The attack begins when a threat actor attaches a README.md file containing a phishing download link to an external repository’s release. One account serves the phishing repository template, while another account provides the phishing image template. The third account then serves the malware as a password-protected archive in a release, which is sometimes where the attack is detected, and then the third account is banned by GitHub. If that happens, then the threat actor starts the attack again with a new link in the first account.

Dark web payouts

As part of the investigation, Terefos also discovered another part of the scheme — using the ghost accounts to make money on the dark web. CheckPoint estimates that malicious activity between mid-May and mid-June 2024 earned the Stargazers Ghost Network approximately $8,000. Over its entire lifespan, Check Point estimates the scheme brought in around $100,000.

On July 8, 2023, Terefos’s team discovered that the Stargazers Ghost Network had taken out a banner advertisement on the dark web. Cyber criminals could “hire” the ghost account for a wide range of services on GitHub, including starring, following, forking and watching both accounts and repositories. The prices for these services varied, such as $10 for starring 100 accounts and $2 to provide a trusted account with an “aged” repository. In addition to ad banners, the cyber criminals also used another typical marketing tactic: discounting. Threat actors who spend over $500 with Stargazers Ghost Network can get a discount on the services.

GitHub takes action

After learning about the 3,000 ghost accounts, GitHub took action to stop the spread of malware. “We disabled user accounts in accordance with GitHub’s Acceptable Use Policies, which prohibit posting content that directly supports unlawful active attack or malware campaigns that are causing technical harms,” Alexis Wales, Vice President of Security Operations at GitHub, told Wired. “We have teams dedicated to detecting, analyzing and removing content and accounts that violate these policies.”

However, Check Point researchers believe that they have just uncovered the beginning of the operations for Stargazer Goblin, which is the group organizing the network. The report explains that they think the universe of ghost accounts operates across many other platforms, including YouTube, Discord, Instagram and Facebook. Because these channels can also be used to distribute links and malware through posts, repositories, videos and tweets, Check Point thinks that these accounts are operating like the GitHub scheme, meaning that this is likely just the beginning of a new tactic.

“Future ghost accounts could potentially utilize artificial intelligence (AI) models to generate more targeted and diverse content, from text to images and videos. By considering targeted users’ replies, these AI-driven accounts could promote phishing material not only through standardized templates but also through customized responses tailored to real users’ needs and interactions. A new era of malware distribution is here, where we expect these types of operations to occur more frequently, making it increasingly difficult to distinguish legitimate content from malicious material,” concluded the Check Point report.

The post 3,000 “ghost accounts” on GitHub spreading malware appeared first on Security Intelligence.

Phishing attacks in the wake of a service, system or network outage are always a danger. For example, during the massive PlayStation Network outage in 2011, phishers took advantage of user confusion and frustration. Intruders sent phishing emails pretending to be from Sony, offering solutions or compensation to resolve outage problems. These emails contained links to rogue websites designed to steal login credentials and other personal information.

Year after year, threat actors continue to take advantage of outages to deploy malware via phishing attacks. The IBM X-Force Threat Intelligence Index 2024 revealed that, overall, phishing was the top initial access vector of 30% of cases in 2023. Also, 92% of organizations fell victim to a successful phishing attack in their Microsoft 365 environment in 2023.

This scenario continues to play out after the most recent outage that occurred with Microsoft Windows, which impacted 8.5 million systems. So, if you get an email advising you to update your systems due to an outage, be wary. And the plot thickens from there considerably.

Multi-headed phishing problem

In the aftermath of the latest Microsoft-related attack, reports have surfaced about a malware campaign targeting BBVA bank customers, where a fake update installs the Remcos RAT. This bogus update was promoted through a phishing site, portalintranetgrupobbva[.]com, masquerading as a BBVA Intranet portal.

The malicious archive included instructions for employees and partners to install the update to prevent errors when connecting to the company’s internal network. The “instrucciones.txt” file, written in Spanish, read, “Mandatory update to avoid connection and synchronization errors to the company’s internal network.”

In a separate warning, AnyRun highlighted another campaign in which attackers distributed a data wiper disguised as an update. “It decimates the system by overwriting files with zero bytes and then reports it over #Telegram,” AnyRun stated. The wiper attack was attributed to the pro-Iranian hacktivist group Handala, who allegedly claimed responsibility for the malicious activity on Twitter.

More system headaches

As if that wasn’t bad enough, new Windows threats were also reported during July that require immediate protection. And many millions of PCs remain at risk.

On July 9, Check Point issued a warning that attackers are using special Windows Internet Shortcut files. When these files are clicked, they trigger the retired Internet Explorer (IE) to visit attacker-controlled URLs. By using IE instead of more secure browsers like Chrome or Edge on Windows, attackers gained significant advantages in exploiting victims’ computers, even if they were running modern operating systems like Windows 10/11.

Just days later, Trend Micro provided more threat intelligence, revealing that the vulnerability was being used as a zero-day to access and execute files through the disabled Internet Explorer using MSHTML. This allowed attackers to infect victim machines with the Atlantida info-stealer, which targets system information and sensitive data such as passwords and cookies from various applications.

Following Check Point’s disclosure, the U.S. government added the vulnerability to its Known Exploit Vulnerability catalog. They warned users about a spoofing vulnerability in Windows that poses a high risk to confidentiality, integrity and availability.

Although the vulnerability has been patched, users need to ensure their Windows PCs are updated. CISA has mandated that U.S. federal employees apply the update by July 30 or stop using their PCs. All other organizations — and even home users — are strongly advised to follow update recommendations as well. According to Check Point, Trend Micro and CISA, this vulnerability has been exploited in the wild, with attacks ongoing for more than 12 months.

Breaking the vicious cyber cycle

With the myriad of phishing attacks occurring but with actual system updates required, many might be confused about what to do. Or maybe an email paranoia might set in, where everything seems suspicious, even legitimate update advice. The best practice is to check directly with official channels and representatives about updates. And think two (or three) times before you click.

The post The cyberattack cycle: First comes outage, next comes phishing appeared first on Security Intelligence.

We all have a mental checklist of things not to do while online: click on unknown links, use public networks and randomly download files sent over email. In the past, most ransomware was deployed on your network or computer when you downloaded a file that contained malware. But now it’s time to add a new item to our high-risk activity checklist: use caution when uploading files.

What is ransomware over browsers?

Researchers at Florida International University worked with Google to identify a new threat — ransomware over browser, which is malware embedded in a browser. This type of threat is not specific to a certain browser type or version. Because many browsers now contain many advanced functions in addition to letting us surf the web, the tools are now more vulnerable from a cybersecurity perspective. And cyber criminals have started using these vulnerabilities to deploy ransomware into browsers.

When you begin uploading a file using your browser, part of the process is selecting a drive on your network or hard drive. The File System Access API allows browsers to call this API, and then users can select the files to upload within the browser. Cyber criminals embed ransomware into this API so that when you select a file, the ransomware automatically encrypts all the files in the folder that you open — and all its subfolders. After the malware is deployed, you can no longer access these files.

The cyber criminals then demand a ransom payment for you or your company to regain access to the files. In the best scenario, you have a recent backup of the files that you can quickly restore and get back to work. IBM does not recommend making ransomware payments to cyber criminals in exchange for the return of the files because the cyber criminals often take the payment and do not return the files.

Lack of payloads makes detection challenging

As part of the study into ransomware over browsers, the researchers created their own ransomware (named RøB). Through numerous hands-on tests using different browsers and operating systems, the researchers realized what makes this type of threat so challenging and potentially damaging. Antivirus software looks for malicious payloads when scanning for viruses. However, the ransomware in this type of attack is not embedded in the payload, as it runs inside the existing browser.

Because traditional prevention and detection methods do not work, researchers discovered that new methods of defense are needed for browser-based ransomware. The researchers learned that a strategy using the following steps is effective in defending against ransomware over browsers:

1. Temporarily halt the web application to find encrypted files.
2. Identify potential ransomware based on monitoring the web application.
3. Warn users of upload risks through a dialog box.

Preventing and reducing browser-based ransomware

According to the 2024 IBM Threat Intelligence Index, the top “action on” objective was deploying ransomware. The index found that 20% of all total cybersecurity incidents were ransomware cases. On a positive note, the index showed an 11% decrease in ransomware attacks.

These tips help to prevent or reduce the damage of a browser-based ransomware attack:

• Install all browser updates and patches. Cyber criminals often exploit known vulnerabilities. By making sure your browser is the latest version, you can reduce your risk of ransomware on browser attacks.
• Ensure that all tools used for uploading are legitimate. By making sure you only download browser-based tools (such as photo editors and video players) from legitimate sites, you can reduce the risk of browser-based ransomware attacks.
• Backup all files and store them in an offsite location. Keep local backups that are archived to removable media, such as tapes, optical disks or removable hard disks, and to cloud-based resources. If you can quickly restore your data, you can get back online quickly without business disruption.
• If a system is infected, hibernate it and disconnect it from the network immediately. If you reboot or restart an infected system, the attack and damage will become worse. Be sure to notify your IT security staff right away.

As browsers continue to evolve, cyber criminals will develop more elaborate and effective attacks. By staying up to date on the latest techniques and taking precautions, you can reduce your risk of these newest types of attacks.

To learn more about how to reduce the risks of ransomware, read the Definitive Guide to Ransomware from the IBM X-Force team.

The post New ransomware over browser threat targets uploaded files appeared first on Security Intelligence.

The proliferation of generative artificial intelligence (gen AI) email assistants such as OpenAI’s GPT-3 and Google’s Smart Compose has revolutionized communication workflows. Unfortunately, it has also introduced novel attack vectors for cyber criminals.

Leveraging recent advancements in AI and natural language processing, malicious actors can exploit vulnerabilities in gen AI systems to orchestrate sophisticated cyberattacks with far-reaching consequences. Recent studies have uncovered the insidious capabilities of self-replicating malware, exemplified by the “Morris II” strain created by researchers.

How the Morris II malware strain works

Building upon the legacy of the infamous Morris worm, this modern variant employs advanced techniques to compromise gen AI email assistants without requiring user interaction. For instance, researchers have demonstrated how crafted email content can deceive AI assistants into executing malicious commands, leading to data exfiltration, email account hijacking and automated malware propagation across interconnected systems.

The exploitation of gen AI email assistants typically involves manipulating the natural language processing capabilities to bypass security measures and execute unauthorized actions. In a recent incident, researchers showcased how a carefully crafted email containing innocuous-sounding prompts could trigger an AI assistant to execute malicious commands, resulting in unauthorized access to sensitive data and dissemination of malware-laden emails to unsuspecting recipients.

Analysis of Morris II malware

Morris II is designed to exploit gen AI components through the use of adversarial self-replicating prompts. Here’s an overview of its techniques and attack vectors:

Adversarial self-replicating prompts

Morris II leverages specially crafted inputs called adversarial self-replicating prompts. These prompts are designed to manipulate gen AI models into replicating the input as output.

When processed by gen AI models, these prompts trigger the model to autonomously generate content that mirrors the input itself. This replication behavior is a crucial part of the worm’s strategy.

Exploiting connectivity within gen AI ecosystems

Gen AI ecosystems consist of interconnected agents powered by gen AI services. These semi- and fully autonomous applications communicate with each other.

Morris II exploits this connectivity by compelling the infected agent to propagate the adversarial prompts to new agents within the ecosystem. The worm spreads like wildfire, infiltrating multiple agents and potentially affecting the entire gen AI ecosystem.

Spamming and malicious payloads

Morris II can flood gen AI-powered email assistants with spam messages, disrupting communication channels. By crafting prompts that extract personal data, the worm can compromise user privacy and exfiltrate data. The adversarial prompts serve as payloads. They can be tailored for various malicious activities.

The worm’s ability to autonomously generate content allows it to execute these payloads without human intervention.

Testing against gen AI models

Morris II has been tested against three different gen AI models:

• Gemini Pro
• ChatGPT 4.0
• LLaVA

The study evaluated factors such as propagation rate, replication behavior and overall malicious activity.

Mitigation strategies and future directions

To mitigate the risks posed by self-replicating malware targeting gen AI email assistants, a multi-faceted approach is required. This includes implementing robust security measures such as content filtering, anomaly detection and user authentication to thwart malicious activities. Additionally, ongoing research and development efforts are necessary to enhance the resilience of gen AI systems against evolving cyber threats, such as the integration of adversarial training techniques to bolster AI defenses against manipulation attempts.

Overcoming the threat of self-replicating malware targeting gen AI email assistants requires a multi-layered approach that combines technical solutions, user education and proactive cybersecurity measures.

Here are several strategies to mitigate this threat:

Enhanced security protocols

Implement robust security protocols within gen AI email assistants to detect and prevent malicious activities. This includes incorporating advanced anomaly detection algorithms, content filtering mechanisms and user authentication protocols to identify and block suspicious commands and email content.

Regular software updates

Ensure that gen AI email assistants are regularly updated with the latest security patches and fixes to address known vulnerabilities and exploits. Promptly apply software updates provided by the vendors to mitigate the risk of exploitation by self-replicating malware.

Behavioral analysis

Deploy behavioral analysis techniques to monitor the interactions between users and gen AI email assistants in real time. By analyzing user input patterns and identifying deviations from normal behavior, organizations can detect and mitigate potential security threats, including attempts by malware to manipulate AI assistants.

User education and training

Educate users about the risks associated with interacting with email content and prompts generated by gen AI assistants. Provide training sessions to teach users how to recognize and avoid suspicious emails, attachments and commands that may indicate malware activity. Encourage users to report any unusual behavior or security incidents promptly.

Multi-factor authentication (MFA)

Implement multi-factor authentication mechanisms to add an extra layer of security to gen AI email assistants. Require users to authenticate their identity using multiple factors such as passwords, biometrics or hardware tokens before accessing sensitive functionalities or executing commands within the AI system.

Isolation and segmentation

Isolate gen AI email assistants from critical systems and networks to limit the potential impact of malware infections. Segment the network architecture to prevent lateral movement of malware between different components and restrict access privileges of AI systems to minimize the attack surface.

Collaborative defense

Foster collaboration and information sharing among cybersecurity professionals, industry partners and academic institutions to collectively identify, analyze and mitigate emerging threats targeting gen AI email assistants. Participate in threat intelligence sharing programs and forums to stay informed about the latest developments and best practices in cybersecurity.

Continuous monitoring and incident response

Implement continuous monitoring and incident response capabilities to detect, contain and mitigate security incidents in real-time. Establish a robust incident response plan that outlines the procedures for responding to malware outbreaks, including isolating infected systems, restoring backups and conducting forensic investigations to identify the root cause of the attack.

By adopting a proactive and comprehensive approach to cybersecurity, organizations can effectively mitigate the risks posed by self-replicating malware targeting gen AI email assistants and enhance their resilience against evolving cyber threats.

Self-replicating malware threats looking forward

Morris II represents a significant advancement in cyberattacks. The emergence of self-replicating malware targeting gen AI email assistants underscores the need for proactive cybersecurity measures and ongoing research to safeguard against evolving cyber threats. By leveraging insights from recent studies and real-world examples, organizations can better understand the intricacies of AI vulnerabilities and implement effective strategies to protect against malicious exploitation.

As AI continues to permeate various facets of our digital lives, we must remain vigilant and proactive in fortifying our defenses against emerging cyber threats.

The post Self-replicating Morris II worm targets AI email assistants appeared first on Security Intelligence.

One of the main goals of the Cybersecurity and Infrastructure Security Agency (CISA) is to promote security collaboration across the public and private sectors. CISA firmly believes that partnerships and effective coordination are essential to maintaining critical infrastructure security and cyber resilience.

In faithfulness to this mission, CISA is now offering the Malware Next-Generation Analysis program to businesses and other organizations. This service has been available to government and military workers since November 2023 but is now available to the private sector.

What is Malware Next-Gen Analysis?

Malware Next-Gen allows any organization to submit malware samples and other suspicious artifacts for analysis.

Knowing how a malware attack works is crucial for security teams to conduct potential cyber incident response and/or threat hunts. And CISA’s Malware Next-Gen provides advanced and reliable malware analysis on a scalable platform. The integrated system provides CISA analysts with multilevel containment capabilities for in-depth analysis of potentially malicious files or URLs.

“Effective and efficient malware analysis helps security professionals detect and prevent malicious software from enabling adversary access to persistence within an organization. Malware Next-Gen is a significant leap forward in CISA’s commitment to enhancing national cybersecurity,” said CISA Executive Assistant Director for Cybersecurity Eric Goldstein.

The platform enables “analysts to better analyze, correlate, enrich data and share cyber threat insights with partners,” as per Goldstein.

How does Malware Next-Gen work?

Malware Next-Gen Analysis was previously only available for all U.S. federal, state, local, tribal and territorial government agencies. Now, it is available for the private sector.

Malware Next-Gen works like this:

1. Registration: Users must create a login.gov account and complete a one-time registration to access the system.
2. Submission: After registration, users can submit suspicious files and URLs for analysis.
3. Analysis: CISA analysts employ a combination of static and dynamic analysis tools in a secure environment to examine the submitted artifacts.
4. Results: Analysis results are provided in PDF and STIX 2.1 data formats, enabling users to understand the nature of the threats they face.

For users who wish to remain anonymous, there’s also an option to submit malware samples through a portal for unregistered users. However, anonymous users can’t access any analysis results.

Advanced malware analysis available for all

CISA’s decision to make Malware Next-Gen publicly available is good news for small and medium-sized enterprises (SMEs) that may struggle to implement effective cybersecurity measures due to limited resources. With Next-Gen, anyone can access sophisticated analyses of malware content.

Furthermore, CISA recently updated its Malware Next-Gen platform to include enhanced capabilities for automated malware analysis, expanded support for multiple file types and updated tactics and techniques for analyzing malware.

How fast is CISA’s Malware Next-Gen?

While CISA does not provide a specific time frame, there are reports that the platform does not provide rapid results. If you need something faster, commercially available malware analysis is your best bet.

Betting on collaboration

As cyber threats continue to get more sophisticated, collaboration and information sharing become more crucial for an effective defense strategy. By opening Malware Next-Gen to the public, CISA remains true to its goal to foster a more collaborative environment. When threat intelligence is shared, it can be leveraged by organizations of all sizes to bolster overall cyber resilience.

With AI security threats and machine learning techniques, cyber groups will only create even more dangerous malware to bypass security systems in the future. This makes tools like Malware Next-Gen even more vital. Given the level of threats involved, a more inclusive and accessible cybersecurity ecosystem might be the only way to stay ahead of intruders.

The post CISA Malware Next-Gen Analysis now available to public sector appeared first on Security Intelligence.

Researchers have created a new, never-seen-before kind of malware they call the “Morris II” worm, which uses popular AI services to spread itself, infect new systems and steal data. The name references the original Morris computer worm that wreaked havoc on the internet in 1988.

The worm demonstrates the potential dangers of AI security threats and creates a new urgency around securing AI models.

New worm utilizes adversarial self-replicating prompt

The researchers from Cornell Tech, the Israel Institute of Technology and Intuit, used what’s called an “adversarial self-replicating prompt” to create the worm. This is a prompt that, when fed into a large language model (LLM) (they tested it on OpenAI’s ChatGPT, Google’s Gemini and the open-source LLaVA model developed by researchers from the University of Wisconsin-Madison, Microsoft Research and Columbia University), tricks the model into creating an additional prompt. It triggers the chatbot into generating its own malicious prompts, which it then responds to by carrying out those instructions (similar to SQL injection and buffer overflow attacks).

The worm has two main capabilities:

1. Data exfiltration: The worm can extract sensitive personal data from infected systems’ email, including names, phone numbers, credit card details and social security numbers.

2. Spam propagation: The worm can generate and send spam and other malicious emails through compromised AI-powered email assistants, helping it spread to infect other systems.

The researchers successfully demonstrated these capabilities in a controlled environment, showing how the worm could burrow into generative AI ecosystems and steal data or distribute malware. The “Morris II” AI worm has not been seen in the wild, and the researchers did not test it on a publicly available email assistant.

They found they could use self-replicating prompts in both text prompts and embedded prompts in image files.

Poisoned AI databases

In demonstrating the text prompt approach, the researchers wrote an email that included the adversarial text prompt, “poisoning” the database of the AI email assistant using retrieval-augmented generation (RAG), which enables the LLM to grab external data. The RAG got the email and sent it to the LLM provider, which generated a response that jailbroke the AI service, stole data from the emails and then infected new hosts when the LLM was used to reply to an email sent by another client.

When using an image, the researchers encoded the self-replicating prompt into the image, causing the email assistant to forward the message to other email addresses. The image serves as both the content (spam, scams, propaganda, disinformation or abuse material) and the activation payload that spreads the worm.

However, researchers say it represents a new type of cybersecurity threat as AI systems become more advanced and interconnected. The lab-created malware is just the latest event in the exposure of LLM-based chatbot services that reveals their vulnerability to being exploited for malicious cyberattacks.

OpenAI has acknowledged the vulnerability and says it’s working on making its systems resistant to this kind of attack.

The future of AI cybersecurity

As generative AI becomes more ubiquitous, malicious actors could leverage similar techniques to steal data, spread misinformation or disrupt systems on a larger scale. It could also be used by foreign state actors to interfere in elections or foment social divisions.

We’re clearly entering into an era where AI cybersecurity tools (AI threat detection and other cybersecurity AI) have become a core and vital part of protecting systems and data from cyberattacks, while they also pose a risk when used by cyber attackers.

The time is now to embrace AI cybersecurity tools and secure the AI tools that could be used for cyberattacks.

The post Researchers develop malicious AI ‘worm’ targeting generative AI systems appeared first on Security Intelligence.

A major shift in how cyber insurance works started with an attack on the pharmaceutical giant Merck. Or did it start somewhere else?

In June 2017, the NotPetya incident hit some 40,000 Merck computers, destroying data and forcing a months-long recovery process. The attack affected thousands of multinational companies, including Mondelēz and Maersk. In total, the malware caused roughly $10 billion in damage.

NotPetya malware exploited two Windows vulnerabilities: EternalBlue, a digital skeleton key leaked from the NSA, and Mimikatz, an exploit that harvested user passwords from Windows machines.

The malware was designed to infect without user action, move laterally inside networks and spread very fast, sometimes taking down networks in less than a minute. Once executed, it would overwrite the master boot record, preventing it from booting.

A ransom note demanded payment for decryption. But there was no mechanism or plan for doing so. Its purpose was to convince victims they were hit by ransomware. In fact, NotPetya existed only to destroy data without a path to recovery.

Merck v. Ace American

Merck estimated that the attack cost $1.4 billion. Those costs included a temporary loss of production capacity, as well as the cost of equipment and new IT hiring necessary to recover.

The company had a $1.75 billion “all-risk” insurance policy with Ace American. But the company rejected their claim, saying that because NotPetya started in the Russia/Ukraine war, the “Acts of War” exclusion clause meant they didn’t have to pay.

Merck sued Ace American in November 2019. Their case centered mainly on the argument that the attack was not the result of an official state action and that Merck was a mere bystander outside the theater of conflict. New Jersey Superior Court judge Thomas J. Walsh found for Merck.

Ace American appealed, and the state appellate court in the case found that the war exclusion clause provision in insurance policies — which excludes coverage for losses caused by hostile or warlike actions by governments — did not apply in the case.

The two parties reached a confidential settlement with insurers on January 5, 2024.

Other major companies went through similar legal scenarios and also settled, albeit likely for smaller amounts.

The battle over war exclusions

The outcome of the case was neither entirely predictable nor necessarily intuitive. NotPetya itself is widely believed to have begun in a war — attributed to the Russian government (specifically the Sandworm hacking group within Russian military intelligence) and initiated in Ukraine for the assumed purpose of furthering Russia’s aims in that conflict.

Though probably an act of cyber war, the attack then spread outside Ukraine to machines globally, causing what might be described as collateral damage.

Cyber insurance policies typically contain war exclusion clauses. For example, The Lloyd’s Market Association (LMA) published guidance for cyber war exclusion clauses. They recommend that exclusion won’t apply to cyber operations conducted by nation-states outside an actual hot war under certain circumstances. For example, if the cyberattack took place outside the theater of conflict or if the business wasn’t the intended target.

The court’s ruling was consistent with Lloyd’s guidance, finding that the war exclusion clause did not apply to the circumstances of the NotPetya attack.

Still, the ruling was significant. Some of the most sophisticated and damaging cyberattacks are the result of actions by nation-states to attack rivals or enemies. If insurance companies can’t use standard war exclusion clauses for these damaging, state-sponsored cyberattacks, they’ll need to adjust policies, raise prices or both going forward.

The latest change in a fast-changing industry

The cyber insurance landscape has been in flux for at least a decade. As a result of increasingly costly cyberattacks, insurance customers have been hit with rising premiums, stricter underwriting requirements and narrowed coverage.

These changes have come about because of a wide variety of trends in the cyberattack landscape, including the ransomware trends of a few years ago.

Global cyber insurance premiums have risen from under $5 billion in 2018 to an estimated $18 billion this year, according to the Swiss Re Institute.

Companies have been required to get their cybersecurity houses in order under increasingly strict guidelines just to get coverage at all. Insurance companies are taking longer to approve who they cover and are becoming more selective.

Coverage is narrowing in part through a rising number of exclusions that void coverage under certain circumstances (and the “war exclusion” was a big one).

The Merck settlement has focused industry attention on the challenges of defining war exclusions in cyber insurance policies. Insurance companies are likely to further tighten language, especially for war exclusion — a trend that had already begun in 2022.

And it’s shifted attention among buyers of insurance as well. Companies will need to take a hard look at exclusions, waiting periods, policy limits and other factors when considering an insurance provider. Another important element is to estimate whether a company might be victimized or targeted as the result of geopolitical events and consider how exclusions may leave them without payouts should serious state-sponsored cyberattacks occur.

And above all, focus on actual cybersecurity — especially automation tools and AI.

While Merck and related lawsuits and settlements are likely to make a material contribution to changes in the costs, policies, exclusions and limits of cybersecurity insurance, the greater contributing factor is the increasing sophistication and costliness of cyberattacks generally.

The post How will the Merck settlement affect the insurance industry? appeared first on Security Intelligence.

Critical infrastructure is under attack in almost every country, but especially in the United Kingdom. The UK was the most attacked country in Europe, which is already the region most impacted by cyber incidents. The energy industry is taking the brunt of those cyberattacks, according to IBM’s X-Force Threat Intelligence Index 2024.

The energy sector is a favorite target for threat actors. The complexity of systems and the reliance on legacy OT systems make them easy prey. Because of the critical nature of these systems, threat actors know that ransoms will be paid to keep downtime to a minimum.

A changing threat landscape

Ransomware is the top threat to the UK’s critical infrastructure, according to the National Cyber Security Centre (NCSC). While some companies are hit with malware attacks directly, there is increasing risk to the OT supply chain, as suppliers and smaller companies that support energy and utilities are more likely to be victims of a cyberattack. These suppliers often lack good cybersecurity programs, making them an easy target for infiltrating larger critical infrastructure organizations.

The war in Ukraine has elevated the risk to the UK’s energy industry. The conflict has emboldened state-related threat actors, and the NCSC warned that the most significant threat to the critical infrastructure is malware launched by nation-state groups. The goal of these threat actors is disruption of operation, which can have a severe impact on the populations that critical infrastructure serves.

Why the UK is Europe’s top target

The UK is the headquarters of several of the world’s biggest energy companies and is considered a major operations point for many more. These companies include:

• British Petroleum (BP)
• Royal Dutch Shell
• Chevron
• TotalEnergies
• NationalGrid
• Drax Group
• Energy One.

An attack on any of these companies could have a national or global impact. For example, when Australian company Energy One was hit with a cyberattack last year, it also impacted systems across the UK. NationalGrid has reported several near misses — cyberattacks that could have done serious damage to the electric grid, but either cyber criminals missed their mark or the cybersecurity systems did their job to keep the lights on in the UK.

However, threat actors are busy. UK intelligence agencies have discovered active forums and dark web sites sharing information on how to access organizations across the energy and utilities industry. While some are looking at how to get into corporate systems, a growing number of cyber criminals are more interested in accessing the OT systems of the energy sector.

How OT impacts cybersecurity

OT presents a different cybersecurity challenge from IT systems. Traditionally, most OT systems across the energy industry were stand-alone, unconnected from the internet and other systems. However, as infrastructure grows more complex, vulnerabilities are increasing and adding new threat layers —  particularly in the software supply chain. Adding to the problem are the legacy systems in OT, with firmware that can’t be updated or hardware that can’t be replaced without reducing efficiency.

As a result, this sets up a catch-22 for the energy industry: How do you continue to use legacy systems while cybersecurity threats against the energy sector are on the rise?

It starts with knowing your exposure, according to the IBM report. Implementing zero trust and least privilege frameworks will limit access and misuse of credentials. But chances are there are credentials already available on the dark web, so it is necessary to use dark web capabilities to find credentials at risk, identify leaked identities and check social media networks sharing unauthorized information.

Most importantly, the energy industry needs to prioritize cybersecurity across critical systems. Threat actors will continue to take advantage of weak OT systems and an uncertain global outlook, especially as war rages in Europe. Nation-state actors want to take down the critical infrastructure in the countries they see as enemies, and as the UK is home to many of the world’s largest and most important energy companies, it will remain at high risk.

The post The UK energy sector faces an expanding OT threat landscape appeared first on Security Intelligence.

The Cybersecurity and Infrastructure Security Agency (CISA) — responsible for cybersecurity and infrastructure protection across all levels of the United States government — has been hacked.

“About a month ago, CISA identified activity indicating the exploitation of vulnerabilities in Ivanti products the agency uses,” a CISA spokesperson announced.

In late February, CISA had already issued a warning that cyber threat actors are exploiting previously identified vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways. Ivanti Connect Secure is a widely deployed SSL VPN, while Ivanti Policy Secure (IPS) is a network access control (NAC) solution.

Now, CISA itself has fallen victim to a cyberattack involving Ivanti products.

CISA takes systems offline

Apparently, the attack compromised two CISA systems, which were immediately taken offline. As of this writing, no operational impact has been reported.

According to an early report on the breach, an anonymous source said that the compromised systems were the Infrastructure Protection (IP) Gateway, which houses critical information about the interdependency of U.S. infrastructure, and the Chemical Security Assessment Tool (CSAT), which houses private sector chemical security plans.

CSAT is an online portal that contains highly sensitive information that determines which facilities are considered high-risk under the Chemical Facility Anti-Terrorism Standards (CFATS).

CISA declined to confirm or deny which of their systems were taken offline.

Ongoing Ivanti vulnerabilities

In addition to the February warning about Ivanti products, CISA issued a directive in late January to all federal agencies that run the products. The directive stated that the agencies must disconnect Ivanti VPN devices and perform a factory reset before reconnecting them to the network.

Other guidance for exposed agencies included continued threat hunting, authentication and identity management services monitoring, potentially infected system isolation and ongoing privilege level access accounts auditing.

Back in August 2023, a CISA alert stated that a vulnerability discovered in Ivanti Endpoint Manager Mobile allows unauthenticated access to specific API paths. This enables attackers to access personally identifiable information (PII) such as names, phone numbers and other mobile device details for users on a vulnerable system. Hackers can also execute other configuration changes, such as installing software and modifying security profiles on registered devices.

CISA attack authors unidentified

Although the recent CISA incident has not been attributed to any group or nation-state, reports surfaced earlier that hackers suspected of working for the Chinese government were responsible for exploiting Ivanti product vulnerabilities.

Research evidence suggests that the culprits infecting the devices are motivated by espionage objectives, according to security firms Volexity and Mandiant. Volexity discovered active in-the-wild exploitation of two vulnerabilities allowing unauthenticated remote code execution in Ivanti Connect Secure VPN devices. Volexity researchers also report that the threat actor, tracked as UTA0178, is suspected to be a “Chinese nation-state-level threat actor.”

Mandiant, which tracks the attack group as UNC5221, believes the threat actors are conducting an “espionage-motivated APT campaign.” Mandiant investigators shared details of five malware families associated with the exploitation of Ivanti devices. The malware allows hackers to circumvent authentication and provide backdoor access to these devices.

Bringing Ivanti products back online

Ivanti has released an official security advisory and a knowledge base article that includes mitigation instructions that should be applied immediately. However, mitigation does not resolve a past or ongoing compromise. Therefore, security teams should thoroughly analyze systems and be on the lookout for signs of a breach.

Meanwhile, a CISA spokesperson said the agency continues to “upgrade and modernize our systems.” In short, that sums up what all organizations should be doing in the wake of news about these ongoing attacks.

If you are experiencing cybersecurity issues or an incident, contact X-Force to help: US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.

The post CISA hit by hackers, key systems taken offline appeared first on Security Intelligence.

Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme.

PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this malware attacking banks in Brazil.

A hidden threat

Within IBM Trusteer, we saw several different techniques to hide malware from its victims. Most banking malware conceals its existence on the mobile device by hiding its launcher icon from the victim using the SetComponentEnabeldSetting application programming interface (API). However, since Android 10, that technique no longer works due to new restrictions imposed by Google.

To address this new challenge, PixPirate introduced a new technique to hide its icon that we have never seen financial malware use before. Thanks to this new technique, during PixPirate reconnaissance and attack phases, the victim remains oblivious to the malicious operations that this malware performs in the background.

PixPirate abuses the accessibility service to gain RAT capabilities, monitor the victim’s activities and steal the victim’s online banking credentials, credit card details and login information of all targeted accounts. If two-factor authentication (2FA) is needed to complete the fraudulent transaction, the malware can also access, edit and delete the victim’s SMS messages, including any messages the bank sends.

PixPirate uses modern capabilities and poses a serious threat to its victims. Here is a short list of PixPirate’s main malicious capabilities:

• Manipulating and controlling other applications
• Keylogging
• Collecting a list of apps installed on the device
• Installing and removing apps from the infected device
• Locking and unlocking device screen
• Accessing registered phone accounts
• Accessing contact list and ongoing calls
• Pinpointing device location
• Anti-virtual machine (VM) and anti-debug capabilities
• Persistence after reboot
• Spreading through WhatsApp
• Reading, editing and deleting SMS messages
• Anti-removal and disabling Google Play Protect

Thanks to its RAT capabilities, PixPirate can perform on-device fraud (ODF) and execute the fraud from the victim’s device to avoid detection by the bank’s security and fraud detection systems.

PixPirate infection flow

Most financial malware comprises one main Android Package (APK) file. This is not the case for PixPirate, which is built of two components: a downloader APK and the droppee APK. The use of a downloader app as part of a financial attack is not new; however, unlike most financial malware today that uses a downloader as a service, both the droppee and the downloader for PixPirate were created by the same actor.

In addition, the PixPirate downloader role in the infection flow of the malware is different from other financial malware. Usually, the downloader is used to download and install the dropped, and from this point on, the droppee is the main actor conducting all fraudulent operations and the downloader is irrelevant. In the case of PixPirate, the downloader is responsible not only for downloading and installing the droppee but also for running and executing it. The downloader plays an active part in the malicious activities of the droppee as they communicate with each other and send commands to execute.

Usually, victims get infected with PixPirate by downloading the PixPirate downloader from a malicious link sent to them through WhatsApp or an SMS phishing (smishing) message. This message convinces the victim to download the downloader, which impersonates a legitimate authentication app associated with the bank. Once the victim launches the downloader, it asks the victim to install an updated version of itself, which is, in fact, the actual PixPirate malware (the droppee). After the victim approves this update, the downloader either installs the droppee embedded in its APK or downloads it directly from the PixPirate command and control (C2) server. If the droppee is embedded in the downloader’s APK file, it is encrypted and encoded in the downloader “/assets/” folder, masquerading as a jpeg file to lower suspicion.

Next, the downloader sends a command to the PixPirate droppee to activate and execute it. On the first run, the droppee prompts the victim to allow its accessibility service to run. In the next stage, PixPirate abuses the accessibility service to grant itself all the necessary permissions it needs to run and successfully perform financial fraud.

After the malware gets all the necessary permissions it needs to run, it collects some information and data regarding the infected device to decide if this is a legitimate device and a good candidate for fraud (anti-VM/anti-emulator, which bank apps are installed on the device and so on) and then sends all this data to the PixPirate C2.

New hiding technique in the wild

Malware has always tried to hide and conceal itself from its intended victim. The most obvious and effective way is to hide the launcher icon of the malicious APK because most users do not look at the app settings screen to check which apps are installed, so they won’t notice the malicious app and will not try to remove it.

Traditionally, financial malware hides the launcher icon using the “SetComponentEnabledSetting” API. This technique does not require any permission to be granted by the victim. However, from Android 10, this technique became ineffective for malware and could not be used anymore. We will explain how the technique works using the FakeChat malware that also uses this technique.

The malware declares in the manifest the MainActivity that will be executed once the victim launches it by pressing its icon on the home screen of the mobile device.

In the following image, we can see in the FakeChat manifest the malware’s app tag and the path of the app icon in the icon value. Also, the manifest contains the MainActivity with the name “com.eg.android.AlipayGphone.MainActivity” with the action “android.intent.action.Main” and the category “android.intent.category.LANUCHER.” This activity will be run and executed once the user presses the app’s icon and launches the app.

In the first run of the malware, it makes the launcher icon disappear by calling the Android API “SetComponentEnabledSetting” with the following parameters:

• ComponentName: the component that represents the MainActivity related to the icon for launching the app.
• NewState: the new state of the component. In this case, the malware specifies the state “COMPONENT_ENABLED_STATE_DISABLED” to disable and hide the APK icon.
• Flags (optional): Value is either 0 or a combination of DONT_KILL_APP and SYNCHRONOUS.

In the following image, we can see how it is done programmatically:

From Android 10, all app icons are visible in the launcher unless it is a system app or it does not ask for any permission at all (look at the documentation and the guide). Those limitations made this technique irrelevant for malware from Android 10 and later. Therefore, malware could no longer hide its launcher icon and its existence.

PixPirate’s new innovative hiding technique

When examining PixPirate, IBM Trusteer detected a new technique to achieve the same goal that works in all Android versions to date. To accomplish the goal of hiding malware from the victim, the PixPirate droppee does not have a main activity; that is, it does not have an activity with the action “android.intent.action.MAIN” and category “android.intent.category.LANUCHER.” This change in behavior means that the app’s icon does not exist on the home screen of the victim’s device at all. However, this also presents a new problem. If the droppee’s icon does not exist on the victim’s home screen, how will the victim launch the app in the first place?

The new technique requires the malware to have two applications: in this case, the downloader and the droppee that operate together. The downloader is the app that runs. The downloader then runs the droppee, which would not be executed otherwise since its icon does not exist.

How the droppee runs

So, how does the droppee run? PixPirate built a mechanism that triggers the droppee to run when different events occur on the device.

In the following image, we can see the service used to launch the droppee replacing the activity (“MainActivity”) used in other apps and APKs. The service is exported and can be run by other processes running on the device. This service has a custom-made action triggered by binding to this specific service. The downloader uses this to create and bind to this service and run the droppee every time it is required.

The method works as follows:

• The droppee has a service called “com.companian.date.sepherd” exported and holds an intent-filter with the custom action “com.ticket.stage.Service.”
• When the downloader wants to run the droppee, it creates and binds to this droppee service using the API “BindService” with the flag “BIND_AUTO_CREATE” that creates and runs the droppee service.
• After the creation and binding of the droppee service, the droppee APK is launched and starts to operate.

The BindService API has the following parameters:

• The service intent “com.ticket.stage.Service”
• The flag “BIND_AUTO_CREATE” (0x01) that creates and binds to the service (if the service does not exist)
• ServiceConnection object that connects to the droppee service and consists of an interface to monitor the state of the application service

In this way, the downloader succeeds in triggering the droppee to run. The ServiceConnection object is used as an interface to maintain communications between the downloader and the droppee and allows them to send messages between themselves and communicate through this interface.

In the following image, we see the code from the downloader APK that creates and binds to the exported service of the droppee APK, which we saw in the previous image, to trigger the droppee to run and send it commands to execute.

This code must run at the first running and execution of the droppee, just after the downloader installs the droppee. Later, to maintain persistence, the droppee is also triggered to run by the different receivers that it registered. The receivers are set to be activated based on different events that occur in the system and not necessarily by the downloader that initially triggered the droppee to run.

This technique allows the PixPirate droppee to run and hide its existence even if the victim removes the PixPirate downloader from their device. PixPirate malware is the first financial malware observed by IBM Trusteer researchers that uses this technique to hide itself and its launcher icon so that victims won’t notice that malware is installed and running on the device.

Fraud modus operandi

PixPirate campaigns mostly target customers of banks in Brazil. It mainly attacks the Brazilian payment service called Pix, the standard instant payment platform in Brazil. Most of the banks in Brazil implement the Pix API to support Pix transactions from within the banking app itself.

What is Pix?

Pix is an instant payment platform that enables the quick execution of payments and transfers between bank accounts. Customers receive a Pix string or QR code that contains the amount to pay for services or goods to complete a transaction. Then, customers pay the Pix payment using their bank apps or through internet banking. They can pay or transfer money using Pix through their banking app.

The Pix payment service launched in November 2020 was heavily adopted by users and businesses in Brazil and broke records in the number of users, financial transactions, and volumes. In the following graph, we can see the number of Pix transactions (in thousands). In March 2023, it reached 3 billion transactions in a single month.

Financial transaction volume reached 1,250,000,000,000 Brazilian reals in March 2023, which is about $250 billion. By May 2023, the number of Pix users reached 140 million.

Pix fraud MO

PixPirate Pix fraud occurs by initiating a new Pix transaction from the victim to the fraudster’s Pix account or by changing the Pix details of the receiver of a legitimate Pix transaction initiated by the victim to the fraudster’s Pix details.

Technically, Pix fraud is performed thanks to PixPirate RAT capabilities gained by abusing the Android accessibility service. The malware monitors the victim’s activities on the device and waits for the user to launch a targeted banking application. On each accessibility event, it checks the type of event that occurred. If the event type is “TYPE_WINDOW_STATE_CHANGED,” it retrieves the name of the package of the app from the window. If the app is in the target list, the malware can start its malicious activities.

When the victim launches their bank app, the malware grabs and collects the user credentials and account info while the user enters their credentials to log in. The malware sends the stolen info and credentials to the attacker’s C2 server. The victim is not aware that the malware is stealing credentials as everything seems legitimate, as the malware hides itself and operates in the background.

When the malware decides to carry out the fraud, it pops up a new screen on top of the current screen of the device that hides the malware’s malicious activities from the victim. The malware launches the bank app (if it’s not running yet) and goes to the Pix page by pressing the app buttons programmatically. Once on the Pix transfer/payment page, the malware executes the Pix money transfer.

In the following image, we can see the different functions the malware calls to enter the relevant details and execute the money transfer (Pix details, amount, password and so on).

The main function responsible for the fraud is “strictPay_js.action.transfer,” which automatically executes the fraud. First, it calls SendPageNode(1) with the argument “1”. This function navigates to the Pix page in the banking application. The next function is sendBalance(), which consists of three subfunctions:

• inputPix(): Enters the Pix details for executing the Pix money transfer
• continue2Password(): The malware enters the stolen victim’s credentials
• waitUntilPassword(): Waits until the Pix money transfer is completed and validates that it was successfully executed

The same technique is used by PixPirate for the second Pix attack MO of intercepting the victim operations and changing the Pix details while the victim transfers the money without the victim knowing. PixPirate can manipulate both the target account and the Pix transaction amount.

If 2FA is needed as part of the banking flow, the malware can also intercept SMS messages that the user receives from the bank.

Automatic fraud capabilities

PixPirate fraud occurs automatically, as this malware contains code for all the different activities that are required to complete Pix fraud — log in, enter Pix details, enter credentials, confirm and more. PixPirate is not only an automated attack tool, but it also has the capability of becoming a manually operated remote control attack tool. This capability is probably implemented to manually execute fraud if the automatic fraud execution flows fail because the user interface of the banking app changes or if a new lucrative target presents itself.

The manual fraud is initiated by popping up an overlay screen on the victim’s device and disabling the user control on the infected device to hide the fraudster’s activities in the background. Next, the malware connects to the C2 and receives commands from the fraudster to be executed. This remote-control capability gives the fraudster control of the victim’s device, including accessing private information and manipulating applications on the victim’s device.

Stay up to date on PixPirate’s capabilities

With nuanced methods of staying hidden and the capacity for serious harm, PixPirate presents a troubling new threat on the malware playing field. We will discuss more on PixPirate’s functionality, capabilities and commands it can receive from the C2 server in part two of our PixPirate blog.

PixPirate IOCs:
Downloader: 019a5c8c724e490df29020c1854c5b015413c9f39af640f7b34190fd4c989e81
Droppee: 9360f2ee1db89f9bac13f8de427a7b89c24919361dcd004c40c95859c8ce6a79

The post PixPirate: The Brazilian financial malware you can’t see appeared first on Security Intelligence.