The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

Cyber attacks are common occurrences that often make headlines, but the leakage of personal information, particularly credit card data, can have severe consequences for individuals. It is essential to understand the techniques employed by cyber criminals to steal this sensitive information.

Credit card fraud in the United States has been on the rise, with total losses reaching approximately $12.16 billion in 2021, according to Insider Intelligence. Card-Not-Present (CNP) fraud constituted 72% of these losses, with a substantial portion attributed to Chinese fraudsters.

This article discusses the tactics employed by Chinese cyber actors in committing CNP fraud and their value chain.

Chinese fraudsters primarily target the United States for two reasons: the large population makes phishing attacks more effective, and credit card limits in the country are higher compared to other nations. These factors make the US an attractive market for card fraudsters.

Common methods for acquiring card information include phishing, JavaScript injection through website tampering, and stealing data via Trojan horse infections. Phishing is the most prevalent method, and this analysis will focus on phishing tactics and the monetization value chain of stolen credit card information.

Chinese fraudsters have developed extensive ecosystems for their operations. In a card fraud community targeting Japan and the US, over 96,000 users have joined. For 3,000 Chinese yuan in Bitcoin, individuals can enroll in a bootcamp to learn phishing techniques through recorded videos and access resources for creating phishing sites and profiting from stolen credit cards.

According to the community leader, more than 500 students enrolled in the first half of 2022 alone. This leader has made significant profits, receiving 56 BTC over the past three years.

Chinese fraudster ecosystem: actor’s value chain

The value chain of Card-Not-Present fraud is shown in the following figure.

Figure: actor's value chain.

To carry out these activities, Chinese fraudsters establish a value chain for CNP fraud, starting with setting up a secure environment. They anonymize IDs, falsify IP addresses, change time zones and language settings, alter MAC addresses and device IDs, modify user agents, and clear cookies to evade detection by security researchers and bypass various security measures.

Fraudsters also use residential proxies, which are infected domestic devices, to access targeted websites indirectly and avoid tracking. These proxies can be purchased from online providers, with payment made via stolen credit cards or bitcoin. By selecting the desired IP address, the fraudster reaches the target site from an address that looks like an ordinary home connection, making the activity difficult to trace.

One residential proxy service popular among Chinese fraudsters is “911,” which is built on software distributed under the guise of a free VPN service. Once that software is installed, the users' devices are unknowingly turned into valuable residential proxies for fraudsters, without the users' consent. The service offers locations at city granularity to match the target user's geographic location.

Figure: the 911 residential proxy service.

Additionally, fraudsters can select the ISP and device fingerprint, such as browser version, operating system and screen size. This information is usually acquired through phishing, and fraudsters select the values used by each victim in order to imitate that victim's behavior.

Researchers at Sherbrooke University in Canada recently published an analysis of the “911” service and found that about 120,000 PCs are rented through the service, with the largest number located in the United States. More information about the research can be found at https://gric.recherche.usherbrooke.ca/rpaas/.

Although the “911” service was shut down in July 2022, many new residential proxy providers have emerged, which are now used by Chinese fraudsters.

In-depth analysis: evasion techniques in anti-fraud systems to elude detection

To set up phishing sites, several elements must be in place, including an email database to disseminate phishing emails and a phishing kit to create the phishing site. These elements can be acquired online through various channels. There are two methods to create phishing sites: by tampering with an existing website or by using rented servers or virtual private servers (VPS). The former benefits from the compromised site's existing reputation but is often detected and removed quickly. The latter method uses the server and the templates included in the phishing kit to impersonate various companies and brands.

Phishing kit templates are also available on the dark web, covering card companies, payment services and online banking. These kits incorporate various measures to avoid detection, such as blocking bot access and maintaining a blacklist to block access from security companies and researchers. Additionally, the kits attempt to obtain the real IP addresses of visitors who arrive through proxies, check their geolocation, and return errors for access from outside China and the US.

Chinese fraudsters use elaborate phishing infrastructures and kits to create phishing sites and deceive users who access them via emails. To avoid being blocked by spam filters or reputation-based blocks, they continuously improve their content and environment. They change their IP addresses while maintaining a clean state and use multiple domain names to spread their risk, ensuring that they can continue phishing even if one domain is blocked.

Moreover, these fraudsters use URL redirect tools to show high-reputation URLs and disguise their phishing URLs as normal ones. If a phishing URL is blocked by email filters, they can use a different URL to continue phishing.

In summary, Chinese fraudsters use sophisticated phishing kits to evade tracking and detection. These phishing kits include anti-fraud features to counteract security researchers and organizations. They continuously improve their content and environment to avoid being blocked by spam filters and reputation-based blocks. They use multiple domain names and change their IP addresses to spread their risk, and they use URL redirect tools to disguise their phishing URLs as normal ones.

Cashing out through popular platforms: TikTok and NFT exploitation

Chinese fraudsters have a value chain that extends from the setup and misuse of cards to the cashing out stage, where they obtain unjust gains.

Figure: monetization process.

There are various methods of cashing out. One method is to directly purchase cryptocurrency or gift cards through websites using stolen credit card information, which is popular for U.S. cards.

Another method is to purchase products on an eCommerce site using stolen credit card information and have a domestic collaborator receive the products. The collaborator then ships the purchased goods to China and receives money for them. This method is commonly used in Japan and other Asian countries that are geographically close to China.

In the monetization stage, fraudsters prefer products that can be easily resold, such as home appliances, brand bags, mobile phones, and gift cards.

Figure: monetization approaches.

In the past three years, new methods using TikTok and NFTs have emerged. One method involves purchasing TikTok coins with stolen card information and donating them to malicious influencers. In some cases, the fraudster and the influencer may be the same person, or another person may receive a commission fee. Additionally, NFTs and eBooks are also suitable for money laundering.

It is challenging to distinguish whether the credit card abuser is a fraudster or simply someone who wants to donate to a favorite influencer when donations are made on TikTok.

As a preliminary step to cashing out, fraudsters confirm the credit card limit. They may use methods such as pretending to be the rightful owner (social engineering) and calling the card company's call center to confirm the limit, disabling the one-time password authentication required for card use, or using other social engineering tactics. However, due to the language barrier, Chinese fraudsters don't often use this method.

Preventing fraud at the monetization stage: Enhancing security measures

Figure: preventing monetization.

In the value chain of fraud, the actors' roles are divided into three categories: phishers, card misusers who make the fraudulent charges with the stolen card information, and monetization dealers who turn the proceeds into money. By dividing the roles, each actor can concentrate on their area of expertise, and even if investigated by the police, they can avoid legal sanctions by stating that they merely received something from a friend and are unaware of what is happening.

Dealing with CNP fraud is difficult when the focus is on the upstream stages; it is critical to prevent misuse at the monetization stage. Nowadays, man-in-the-middle phishing techniques have become mainstream, and one-time password (OTP) authentication is no longer sufficient to defend against them. More advanced authentication methods, such as FIDO or passkeys, and more sophisticated machine learning models will be indispensable soon.

The post Chinese fraudsters: evading detection and monetizing stolen credit card information appeared first on Cybersecurity Insiders.

In a highly connected, internet-powered world, transactions take place online, in person, and even somewhere in between. Given the frequency of digital information exchange on our devices, including smartphones and smart home gadgets, cybersecurity has never been more important for protecting sensitive customer information. In response, the US Federal Trade Commission has rolled out updated measures to ensure that customers’ details are fully protected. 

Due to supply chain issues and qualified employee shortages, however, the FTC has granted a six-month extension on the original deadline, so businesses and financial institutions now have more time to complete the required changes. This article will look at the updated federal data security measures and how they will impact businesses. 

Updated federal data security measures

In November, the United States Federal Trade Commission announced that it would grant a six-month extension for companies that have yet to update their security measures in compliance with updated FTC standards. 

The new deadline for businesses and financial institutions to implement the required changes will be June 9, 2023. By that point, all businesses must have updated their policies and procedures in keeping with the Financial Data Security Rule, also known as the Safeguards Rule.

Initial changes to the Safeguards Rule

Initially, the Federal Trade Commission approved changes to the Safeguards Rule in October 2021. These changes included updated criteria for financial institutions, providing more specific requirements about which safeguards they must include in their information security programs. 

Some of these updates to the Safeguards Rule were implemented 30 days after the rule was published in the Federal Register, while other specific criteria were on track to be implemented on December 9, 2022. 

Why has the deadline been extended?

The deadline has been extended to June 2023 due to reports presenting compelling arguments for postponing the required implementation. The Small Business Administration’s Office of Advocacy, for example, filed a letter addressed to the FTC. The letter stated that several factors would bar companies from effectively implementing these updated security requirements in the allotted time. 

Between supply chain issues that could cause delays in transporting essential equipment for the requisite security system upgrades, and a widespread shortage of qualified information security experts who could implement the changes on time, the letter from the SBA convincingly spelled out why businesses would need more time to complete the security system upgrades in compliance with FTC rules. 

The global COVID-19 pandemic further exacerbated these issues, making it difficult for small-scale businesses and financial institutions to meet the deadlines. The FTC voted unanimously to approve this deadline extension.

Reasons for FTC data security rule updates

The changes to the Financial Data Security Rule are meant to ensure that financial institutions put sufficient security measures in place to keep their customers’ personal information safe from any hacking attempts. Boosting the data security of financial institutions is vital to strengthening the overall cybersecurity of the country’s interconnected financial networks. 

Given the increasing rates of identity theft and financial fraud attempts, this is an essential form of protection. In 2021, for instance, the FTC encountered almost 390,000 reports of credit card fraud alone, making this the most common type of financial fraud in the United States. Since credit card fraud can often be enacted during unsecured store transactions, the FTC is determined to bolster security measures at every level. 

The FTC Safeguards Rule updates apply to in-person businesses, financial institutions, and online platforms, including the more recent cryptocurrency industry. Since 2009, more than 6,600 distinct cryptocurrencies have been released. With such a sustained influx of different cryptocurrencies, regulations have been slow to catch up in comparison to other trading platforms such as forex or options trading. Now the FTC is working to ensure that online and cryptocurrency transactions are sufficiently secure. 

What does this mean for businesses?

Businesses and financial institutions will need to get busy implementing the necessary changes. For example, companies may need to update their software to remain in compliance with the updated FTC rules. 

This process can take time, as companies will need to search for highly capable technical writers to document the software adjustments. According to Shaun Connell, technical writers and documentation creators must be involved in the software update project from the start. So to meet the June deadline, businesses will need to make this security update a top priority. 

Who does it affect?

Banks are not affected by the Safeguards Rule, but other non-banking financial institutions, including motor vehicle dealers, payday lenders, and mortgage brokers, will need to update their security protocols by the deadline.

Depending on the specific institution and its pre-existing security setup, businesses may need to create, enact, and maintain a strong security system that will protect their customers’ sensitive information, such as financial details, home address, personal preferences, and even name, age, and gender.

Cybercriminals can use any and all of this information to steal customers’ identities, so setting up a comprehensive security protocol will ensure that customers’ details are safe throughout every transaction.

Specific provisions under the extended deadline

Not all the updated criteria of the Safeguards Rule are affected by this six-month-long extended deadline. The specific provisions that businesses and financial institutions must enact by June 9, 2023, are as follows:

  • Appoint a highly qualified individual to oversee the new information security program.
  • Encrypt all sensitive information that passes through a business’s servers and systems. 
  • Appoint and train security personnel who can manage and oversee the updated security systems and enact any security protocols in case of a cybersecurity breach. 
  • Craft an incident response plan so that clear protocols are established. 
  • Write a comprehensive risk assessment of their current security system. 
  • Enact ongoing monitoring of who has access to sensitive customer details within the company.
  • Limit who has access to sensitive customer details within the company. 
  • Set up multi-factor authentication for any company member who attempts to access customer data. Or, instead of multi-factor authentication, another authentication system that provides equal protection can be implemented. 
  • Conduct periodic assessments of the security practices used by their service providers to ensure added layers of security between businesses as well. 

These measures may require significant lead times to be well-established and running effectively by the June deadline. But once they are set up, they should provide significant additional security for all business-to-customer interactions. 

Government policies to prevent cybersecurity threats

At the core of these required security protocol updates is protection for customers. These necessary government policies have individual consumers’ security in mind and rely on multiple layers of cooperation and adjustment to keep sensitive data safe. Businesses and financial institutions will have to cooperate with the widespread Safeguards Rule implementation to fulfill Federal Trade Commission standards designed to prevent cybersecurity threats from taking effect.

The post FTC extends deadline by six months for compliance with some changes to financial data security rules appeared first on Cybersecurity Insiders.

Mobile device management (MDM) refers to a type of software that allows businesses to manage, configure and secure mobile devices used by their employees. Companies use MDM solutions to maintain a secure environment across all the mobile devices they own or have access to, as well as provide features such as remote wipe, password policies, application management and data protection. This helps them ensure security while providing their employees with access to the applications and data they need.

An increasing number of businesses are either accepting that they need MDM or realising that what they have in place is not sufficient. With that in mind, below are ten reasons why MDM is an integral part of doing business in the 21st century.

1. Enhanced security

MDM technology provides an extra layer of security for businesses, protecting them from breaches and data loss. MDM solutions enable secure authentication, access control and encryption for devices, applications and data, which in turn helps to keep sensitive corporate information safe. eSIMs, or embedded SIM cards, can enhance the security of mobile devices even further by allowing businesses to remotely manage and secure their devices.

Improved security is one of the most important reasons why businesses need MDM solutions. With an ever-increasing number of cyber threats, it is essential for companies to take steps to keep their data and systems secure. MDM can help with this.

2. Increased productivity

MDM makes it easier for employees to access the applications and data they need, increasing their productivity and efficiency. By providing them with secure access to the resources they need, MDM solutions help remove the frustration of not being able to do their job due to technical issues or security policies.

The ability to securely access corporate resources from anywhere, at any time, helps boost employee productivity and gives them the freedom they need to work more flexibly.

3. Reduced costs

MDM solutions can help reduce costs in several ways. They enable companies to better manage their mobile devices and applications, which ensures that they are up-to-date with the latest security patches and features. This helps reduce maintenance costs associated with managing outdated equipment.

MDM solutions also make it easier for businesses to deploy new applications, as they don’t have to worry about manually configuring each device. This reduces expensive install times and makes it easier for employees to get started quickly.

4. Improved compliance

MDM solutions help businesses comply with industry standards and regulations. They enable companies to configure devices to meet specific security requirements, as well as monitor and manage mobile devices so that they adhere to corporate policies.

By ensuring that all company devices are configured securely, MDM solutions reduce the risk of data breaches and fines associated with non-compliance. What's more, they can help identify areas where businesses need to improve their compliance processes.

5. Easier troubleshooting

MDM solutions can make it easier for IT administrators to troubleshoot issues on mobile devices. As they give IT teams a centralized view of all connected devices, it’s simple for them to identify any problems quickly and take appropriate action.

This ability to easily monitor employee mobile devices also makes it easier for IT teams to provide support and help employees get back to work faster. Not only does this help reduce the time IT teams need to spend troubleshooting, but it also improves employee satisfaction.

6. Improved user experience

MDM solutions can improve the user experience by providing users with fast, secure access to the applications and data they need. This helps reduce frustration and makes it easier for employees to do their job, which in turn boosts productivity.

MDM solutions also make it easy for companies to deploy new apps and updates remotely, meaning that users always have access to the latest software versions. This ensures that all mobile devices are running optimally and delivers a better overall user experience.

7. Device optimization

MDM solutions enable businesses to optimize individual mobile devices for specific tasks. For example, corporate-owned devices can be configured with the exact set of features needed for each employee’s role, improving their efficiency and reducing costs associated with managing unnecessary features.

Furthermore, MDM solutions can also be used to remotely configure devices for different network settings or regions. This allows businesses to easily manage a fleet of mobile devices in different locations, ensuring that each device is optimized for its specific use case.

8. Improved customer service

MDM solutions can help improve customer service by providing employees with secure access to the applications and data they need when interacting with customers. This helps ensure that customer queries are dealt with promptly and accurately, improving overall customer satisfaction.

The ability to remotely monitor mobile devices also makes it easier for IT teams to proactively identify any issues before they become major problems, further enhancing customer service.

9. Increased visibility and control

MDM solutions enable businesses to gain greater visibility over their mobile devices, allowing them to quickly identify which devices are connected, what applications they’re running, and how they’re being used.

This, in turn, gives IT teams greater control over their deployments, ensuring that all company-owned devices are used for appropriate purposes and helping to reduce the risk of data breaches.

10. Reduced costs associated with lost or stolen devices

By using MDM solutions, businesses can remotely lock down or wipe any device that is lost or stolen. This prevents unauthorized access to sensitive business data, reducing the cost of potential data breaches or fines associated with non-compliance.

What's more, MDM solutions can also help businesses save money by allowing them to manage and monitor their mobile devices remotely, reducing the need for costly onsite visits. This helps make sure that all devices are kept up-to-date with the latest software versions, helping to reduce repair costs in the long run.

Conclusion

In summary, MDM solutions provide a range of benefits to businesses. From improved compliance and customer service to increased visibility and reduced costs associated with lost or stolen devices, they are an invaluable tool for any business looking to improve its MDM strategies.

The post 10 Reasons why businesses need mobile device management (MDM) appeared first on Cybersecurity Insiders.

AT&T Alien Labs researchers have discovered a new variant of the BlackGuard stealer in the wild, spreading via spear phishing attacks. The malware has evolved since its previous variant and now arrives with new capabilities.

Key takeaways:

  • BlackGuard steals sensitive user information from a wide range of applications and browsers.
  • The malware can hijack cryptocurrency wallet addresses copied to the clipboard.
  • The new variant attempts to propagate through removable media and shared devices.

Background

BlackGuard stealer is malware as a service sold in underground forums and Telegram since 2021, when a Russian user posted information about a new malware called BlackGuard. It was offered for $700 lifetime or $200 monthly, claiming it can collect information from a wide range of applications and browsers.

In November 2022, an update for BlackGuard was announced on Telegram by its developer. Along with the new features, the malware author offers free help with installing the command & control panel (Figure 1).

Figure 1. Announcement of new malware version in its Telegram channel.

Analysis

When executed, BlackGuard first checks if another instance is running by creating a Mutex.

Then, to ensure it survives a system reboot, the malware adds itself to the “Run” registry key. It also checks whether it is running under a debugger by examining TickCount, and checks whether the current user name appears in a specific list to determine whether it is running in a malware sandbox environment. (Figure 2)

Figure 2. Malware will avoid execution if running under specific user names.

Now everything is ready for stealing the user’s sensitive data. The malware collects all stolen information in one main folder, with a sub-folder per data type, such as Browsers, Files, Telegram, etc. (Figure 3)

Figure 3. BlackGuard main folder with stolen data divided into folders.

When it finishes collecting sensitive data, the malware will zip the main folder using the password “xNET3301LIVE” and send it to its command & control. (Figure 4)

Figure 4. Zipping exfiltrated data with password and uploading to command & control.

Browser data theft

Along with collecting cookies, history and downloads from different browsers, BlackGuard also looks for the existence of specific files and folders of different browsers, including “Login Data”, AutoFill, History and Downloads. (Figure 5)

Figure 5. Collecting browser information.

Below is the list of browsers BlackGuard is looking for:

  • Chromium
  • Chrome
  • ChromePlus
  • Iridium
  • 7Star
  • CentBrowser
  • Chedot
  • Vivaldi
  • Kometa
  • Elements Browser
  • Epic Privacy Browser
  • uCozMedia
  • Sleipnir5
  • Citrio
  • Coowon
  • liebao
  • QIP Surf
  • Orbitum
  • Comodo Dragon
  • Amigo
  • Torch
  • Comodo
  • 360Browser
  • Maxthon3
  • K-Melon
  • Sputnik
  • Nichrome
  • CocCoc
  • Uran
  • Chromodo
  • Opera
  • Brave-Browser
  • Edge
  • Edge Beta
  • OperaGX
  • CryptoTab browser

In addition, the malware steals the data of cryptocurrency add-ons for the Chrome, Edge, and Edge Beta browsers. It supports the add-ons listed below by looking for their hardcoded installation folder path under “Microsoft\Edge\User Data\Default\Local Extension Settings”. For example, the specific folder for “Terra Station” is “ajkhoeiiokighlmdnlakpjfoobnjinie”. BlackGuard looks for the following Edge/Edge Beta add-ons:

  • Auvitas
  • Math
  • Metamask
  • MTV
  • Rabet
  • Ronin
  • Yoroi
  • Zilpay
  • Exodus
  • Terra Station
  • Jaxx

For Chrome, it looks for these add-ons:

  • Binance
  • Bitapp
  • Coin98
  • Equal
  • Guild
  • Iconex
  • Math
  • Mobox
  • Phantom
  • Tron
  • XinPay
  • Ton
  • Metamask
  • Sollet
  • Slope
  • Starcoin
  • Swash
  • Finnie
  • Keplr
  • Crocobit
  • Oxygen
  • Nifty
  • Keplr
  • Forbole X
  • Slope Wallet
  • Nabox Wallet
  • ONTO Wallet
  • Goby
  • FINX
  • Ale
  • Sender Wallet
  • Leap Wallet
  • Infinity Wallet
  • Zecrey
  • Maiar Wallet
  • Flint Wallet
  • Liquality

Cryptocurrency

The malware also steals cryptocurrency wallets. It copies the wallet directory of each of the following wallets and sends it to its command & control.

  • Zcash
  • Armory
  • Jaxx Liberty
  • Exodus
  • Ethereum
  • Electrum
  • Atomic
  • Guarda
  • Zap
  • Binance
  • Atomic
  • Frame
  • Solar wallet
  • Token Pocket
  • Infinity

It also queries the registry for the installation paths under the “Dash” and “Litecoin” keys and copies those wallet directories in the same way.

Messaging and gaming applications

BlackGuard supports stealing from a wide range of messaging applications. For some of them, such as Telegram, Discord and Pidgin, the malware has a specific handler. For example, for Discord, it copies all data from the following folders under the Application Data folder, which store the Discord tokens: “Discord\Local Storage\leveldb”, “Discord PTB\Local Storage\leveldb”, “Discord Canary\leveldb”. In addition, it copies all strings from files with the extensions “.txt” and “.ldb” that match Discord’s token regular expression. (Figure 6)

Figure 6. Stealing Discord’s tokens and data.

Below is the list of messaging and gaming applications the malware looks to steal sensitive information from:

  • Discord
  • Telegram
  • Tox
  • Element
  • Miranda NG
  • Signal
  • Adamant-IM
  • Wire
  • WhatsApp
  • Vipole
  • Proxifier
  • Steam
  • Pidgin
  • Battle.net

Outlook, FTP, VPN, and other applications

BlackGuard steals login data and other sensitive information from additional communication programs. For email applications, the malware queries specific Outlook registry keys under the CURRENT_USER hive to extract user, password and server information. (Figure 7)

Figure 7. Exfiltration of Outlook stored information.

The malware also handles different FTP and VPN applications to extract stored users and passwords. For example, for NordVPN, the malware will search the application’s folder and if found, it parses all user.config files to extract the users and passwords. (Figure 8)

Figure 8. Exfiltrating NordVPN information.

In addition to Outlook and NordVPN, BlackGuard also steals information from WinSCP, FileZilla, OpenVPN, ProtonVPN and Total Commander.

Other data collected

The malware also collects information about the machine, such as the anti-virus software installed, external IP address, localization, file system information, OS and more.

New BlackGuard features

Crypto wallet hijacking

In addition to stealing crypto wallets saved or installed on the infected machine, BlackGuard hijacks cryptocurrency addresses copied to the clipboard (for example with CTRL+C) and replaces them with the threat actor’s address. This can cause a victim who is transferring or paying to another wallet to send crypto assets to the attacker without noticing. It is done by tracking any content copied to the clipboard and matching it against regular expressions for the address formats of different cryptocurrencies. (Figure 9)

Figure 9. Specific regex to search in clipboard for listed coins.

Once there is a match, the malware queries its command and control for the replacement wallet address and puts it in the clipboard in place of the one the user copied. The malware supports address hijacking for the popular crypto assets below:

  • BTC (Bitcoin)
  • ETH (Ethereum)
  • XMR (Monero)
  • XLM (Stellar)
  • XRP (Ripple)
  • LTC (Litecoin)
  • NEC (Nectar)
  • BCH (Bitcoin Cash)
  • DASH
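
As an added example (not code from the Alien Labs report), the following Python script takes the defender's side of the clipper behaviour described above: it walks a sequence of clipboard snapshots, as a polling clipboard monitor would record them, and flags a copied address that is replaced by a different address of the same coin within a short window. The address patterns are constructed shape heuristics (no checksum validation), the snapshots are constructed sample data, and NEC (Nectar) is omitted because its address format is not given on the page.

```python
import re
from typing import Dict, List, Set, Tuple

# Address-shape heuristics for the coins listed above (constructed for this
# example: format checks only, no checksum validation). A "3..." address is
# ambiguous between BTC P2SH and LTC, which is why classification returns a set.
ADDRESS_PATTERNS: Dict[str, re.Pattern] = {
    "BTC": re.compile(r"(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})"),
    "ETH": re.compile(r"0x[0-9a-fA-F]{40}"),
    "XMR": re.compile(r"4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}"),
    "XLM": re.compile(r"G[A-Z2-7]{55}"),
    "XRP": re.compile(r"r[0-9a-zA-Z]{24,34}"),
    "LTC": re.compile(r"(?:[LM3][a-km-zA-HJ-NP-Z1-9]{26,33}|ltc1[a-z0-9]{39,59})"),
    "BCH": re.compile(r"(?:bitcoincash:)?[qp][a-z0-9]{41}"),
    "DASH": re.compile(r"X[1-9A-HJ-NP-Za-km-z]{33}"),
}

Snapshot = Tuple[float, str]  # (seconds since monitoring started, clipboard text)


def classify_address(text: str) -> Set[str]:
    """Return the coin labels whose address shape the clipboard text matches."""
    candidate = text.strip()
    return {coin for coin, pattern in ADDRESS_PATTERNS.items() if pattern.fullmatch(candidate)}


def detect_clipper_events(snapshots: List[Snapshot], window_seconds: float = 2.0) -> List[dict]:
    """Flag clipboard changes where one address is swapped for a different
    address of the same coin within window_seconds.

    A user who copies two addresses of the same coin normally does so seconds
    or minutes apart; a clipper rewrites the clipboard right after the copy,
    so a fast same-coin swap is the signal. The window is the polling
    tolerance of the monitor, not the clipper's speed.
    """
    events = []
    for (t_prev, prev), (t_cur, cur) in zip(snapshots, snapshots[1:]):
        if prev == cur:
            continue  # nothing changed between two polls
        shared = classify_address(prev) & classify_address(cur)
        if shared and (t_cur - t_prev) <= window_seconds:
            events.append({
                "time": t_cur,
                "coins": sorted(shared),
                "original": prev.strip(),
                "replacement": cur.strip(),
            })
    return events


# Constructed sample values: syntactically valid shapes, not real wallets.
BTC_USER = "1AbCdEfGhJkMnPqRsTuVwXyZ23456789aB"
BTC_SWAP = "1ZyXwVuTsRqPnMkJhGfEdCbA98765432Ba"
ETH_USER = "0x" + "ab" * 20
ETH_OTHER = "0x" + "01" * 20

# Constructed clipboard timeline as a polling monitor would record it.
SAMPLE_SNAPSHOTS: List[Snapshot] = [
    (0.0, "meeting notes for Monday"),
    (5.0, BTC_USER),
    (5.2, BTC_SWAP),      # same coin, different address 200 ms later: clipper behaviour
    (30.0, ETH_USER),
    (55.0, ETH_OTHER),    # different address 25 s later: ordinary user activity
    (60.0, BTC_USER),
    (60.1, "hello"),      # address replaced by plain text: not a clipper
]


if __name__ == "__main__":
    for event in detect_clipper_events(SAMPLE_SNAPSHOTS):
        print(f"[{event['time']:.1f}s] possible clipper ({', '.join(event['coins'])}): "
              f"{event['original']} -> {event['replacement']}")
```

A hit from this heuristic is a prompt to compare the pasted address against the intended one before sending, which is the only reliable user-side mitigation for a clipper.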

Propagation through shared and removable devices

Although AutoRun has been restricted to CD-ROM drives since Windows 7, the malware copies itself to each available drive together with an “autorun.inf” file that points to the copy so that it is executed automatically. This includes removable and shared devices. For example, if the USB device is later connected to an old version of Windows, the malware is executed automatically and infects that machine. (Figure 10)


Figure 10. Propagate to all available drives.
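
Added example, not part of the report: a parser for the autorun.inf format the malware drops and a check a practitioner can run against a mounted drive root. The sample file contents and the executable name in them are invented for this example.

```python
import os
from typing import Dict, List

# Constructed sample of what a worm drops in a drive root; file names invented.
SAMPLE_AUTORUN_INF = """[autorun]
; comment lines are ignored
open=kfjd82ls.exe
icon=kfjd82ls.exe,0
action=Open folder to view files
shell\\open\\command=kfjd82ls.exe
shellexecute=kfjd82ls.exe /s
label=USB Drive
"""

# Constructed benign file: only cosmetic keys, nothing to launch.
BENIGN_AUTORUN_INF = """[autorun]
icon=setup.exe,0
label=Vendor Tools
"""

# Keys whose value names a program to run; shell\<verb>\command keys do the same.
LAUNCH_KEYS = {"open", "shellexecute"}


def parse_autorun(text: str) -> Dict[str, str]:
    """Parse the [autorun] section into a lower-cased key -> value map.

    Hand-rolled rather than configparser because keys may contain backslashes
    (shell\\open\\command) and the file is often malformed; the last occurrence
    of a duplicate key wins."""
    entries: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries: Dict[str, str]) -> List[str]:
    """Executables the file asks Windows to run, arguments stripped, deduplicated."""
    targets: List[str] = []
    for key, value in entries.items():
        is_launch = key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))
        if is_launch and value:
            exe = value.split()[0].strip('"').lower()
            if exe not in targets:
                targets.append(exe)
    return targets


def assess_autorun(text: str, drive_listing: List[str]) -> Dict[str, object]:
    """Verdict for one drive root: a launch target that is actually present
    next to the autorun.inf on a non-optical drive is a self-propagating payload."""
    targets = launch_targets(parse_autorun(text))
    names = {name.lower() for name in drive_listing}
    present = [t for t in targets if t in names]
    verdict = "malicious" if present else ("suspicious" if targets else "benign")
    return {"targets": targets, "present": present, "verdict": verdict}


def scan_mount(root: str) -> Dict[str, object]:
    """Assess a real mount point (e.g. "E:\\" or "/media/usb")."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return {"targets": [], "present": [], "verdict": "benign"}
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return assess_autorun(fh.read(), os.listdir(root))


if __name__ == "__main__":
    print(assess_autorun(SAMPLE_AUTORUN_INF, ["autorun.inf", "kfjd82ls.exe", "Photos"]))
```

`scan_mount` is the entry point for a real stick; the other functions are pure so the logic can be exercised on captured files from a case without mounting anything.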

Download and execute additional malware with process injection

The new variant of BlackGuard downloads additional malware from its command and control and executes it. The downloaded payload is injected into a legitimate process using the "process hollowing" technique, so the malicious code runs under a legitimate, commonly whitelisted process name, which makes detection more difficult. (Figure 11)


Figure 11. Download and execute additional malware using process injection.

The target process is RegAsm.exe, taken from the RuntimeDirectory folder of the installed .NET runtime (C:\Windows\Microsoft.NET\Framework64\<runtime_version>\RegAsm.exe).

Massive malware duplication

The malware copies itself into every folder on the C: drive recursively, generating a random file name for each copy. This is unusual for malware and mostly a nuisance: it gains nothing from it beyond cluttering the disk and adding noise.

Persistence

The malware establishes persistence across reboots by adding itself under the "Run" registry key. (Figure 12)


Figure 12. Setting registry persistence.
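
Added example, not code from the report: a triage pass over constructed Sysmon-style events that covers the two behaviours just described, RegAsm.exe being used as a hollowing host and a Run value pointing into a user-writable directory. Field names follow Sysmon (EventID, Image, ParentImage, CommandLine, TargetObject, Details); the paths, SID and IP address in the sample events are invented.

```python
from typing import Dict, List

# Parents that legitimately launch RegAsm.exe (installers and build tooling).
EXPECTED_REGASM_PARENTS = {"msiexec.exe", "devenv.exe", "msbuild.exe", "setup.exe"}
# Path fragments a standard user can write to; a Run value pointing there deserves a look.
USER_WRITABLE_FRAGMENTS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

# Constructed Sysmon-like events: 1 = process create, 3 = network connect,
# 13 = registry value set. Paths, SIDs and the IP are invented.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 1,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe",
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\invoice.exe"},
    {"EventID": 3,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe",
     "DestinationIp": "203.0.113.7", "DestinationPort": 80},
    {"EventID": 13,
     "Image": r"C:\Users\victim\AppData\Local\Temp\invoice.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate",
     "Details": r"C:\Users\victim\AppData\Roaming\sdfe3k\sdfe3k.exe"},
    # Benign: an installer registering a COM assembly, with an assembly argument.
    {"EventID": 1,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe",
     "CommandLine": r'RegAsm.exe "C:\Program Files\Vendor\Vendor.Interop.dll" /codebase',
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
    # Benign: a Run value pointing into Program Files.
    {"EventID": 13,
     "Image": r"C:\Program Files\Microsoft OneDrive\OneDriveSetup.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return str(path).replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Apply the rules and return one finding per (event, rule) hit."""
    findings: List[Dict[str, object]] = []

    def hit(index: int, rule: str, why: str) -> None:
        findings.append({"event": index, "rule": rule, "why": why})

    for i, ev in enumerate(events):
        eid = ev.get("EventID")
        image = basename(str(ev.get("Image", "")))
        if eid == 1 and image == "regasm.exe":
            parent = basename(str(ev.get("ParentImage", "")))
            args = str(ev.get("CommandLine", "")).split()[1:]
            # A hollowed RegAsm is started by the dropper, not by an installer ...
            if parent not in EXPECTED_REGASM_PARENTS:
                hit(i, "regasm_unexpected_parent", f"RegAsm.exe spawned by {parent}")
            # ... and is given no assembly to register, because it never runs its own code.
            if not args:
                hit(i, "regasm_no_assembly_argument", "RegAsm.exe launched without an assembly")
        elif eid == 3 and image == "regasm.exe":
            # A COM registration tool has no business talking to the network.
            hit(i, "regasm_network_connection",
                f"RegAsm.exe connected to {ev.get('DestinationIp')}:{ev.get('DestinationPort')}")
        elif eid == 13 and "\\currentversion\\run\\" in str(ev.get("TargetObject", "")).lower():
            details = str(ev.get("Details", "")).lower()
            if any(frag in details for frag in USER_WRITABLE_FRAGMENTS):
                hit(i, "run_key_user_writable_path", f"Run value points to {ev.get('Details')}")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"event {f['event']}: {f['rule']}: {f['why']}")
```

The rules are deliberately narrow: they key on what the malware cannot avoid (a hollowed host process has an abnormal parent and no real arguments, and must eventually reach the network) rather than on file hashes, so they keep working when the dropper changes.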

Documents – stealth activity

The malware searches the "Desktop", "My Documents" and user profile folders (including subdirectories) for documents with the extensions ".txt", ".config", ".docx", ".doc" and ".rdp" and sends them to its command and control.

Detection methods

The following associated detection methods are in use by Alien Labs. They can be used by readers to tune or deploy detections in their own environments or for aiding additional research.

SURICATA IDS SIGNATURES

2035716: ET TROJAN BlackGuard_v2 Data Exfiltration Observed

2035398: ET TROJAN MSIL/BlackGuard Stealer Exfil Activity

Associated indicators (IOCs)

The following technical indicators are associated with the reported intelligence. A list of indicators is also available in the OTX Pulse. Please note, the pulse may include other activities related but out of the scope of the report.

TYPE        INDICATOR                                                           DESCRIPTION
IP ADDRESS  http://23[.]83.114.131                                              Malware command & control
SHA256      88e9780ce5cac572013aebdd99d154fa0b61db12faffeff6f29f9d2800c915b3    Malware hash

Mapped to MITRE ATT&CK

The findings of this report are mapped to the following MITRE ATT&CK Matrix techniques:

  • TA0001: Initial Access
    • T1091: Replication Through Removable Media
  • TA0002: Execution
    • T1106: Native API
    • T1047: Windows Management Instrumentation
  • TA0003: Persistence
    • T1547.001: Registry Run Keys / Startup Folder
  • TA0005: Defense Evasion
    • T1027: Obfuscated Files or Information
  • TA0006: Credential Access
    • T1003: OS Credential Dumping
    • T1539: Steal Web Session Cookie
    • T1528: Steal Application Access Token
    • T1552: Unsecured Credentials
      • .001: Credentials In Files
      • .002: Credentials in Registry
  • TA0007: Discovery
    • T1010: Application Window Discovery
    • T1622: Debugger Evasion
    • T1083: File and Directory Discovery
    • T1057: Process Discovery
    • T1012: Query Registry
    • T1082: System Information Discovery
    • T1497: Virtualization/Sandbox Evasion
  • TA0008: Lateral Movement
    • T1091: Replication Through Removable Media
  • TA0009: Collection
    • T1115: Clipboard Data
    • T1213: Data from Information Repositories
    • T1005: Data from Local System
  • TA0011: Command and Control
    • T1071: Application Layer Protocol
    • T1105: Ingress Tool Transfer
  • TA0010: Exfiltration
    • T1020: Automated Exfiltration

The post BlackGuard stealer extends its capabilities in new variant appeared first on Cybersecurity Insiders.


News broke in early February that the ACN, Italy's National Cybersecurity Agency, issued a warning about a VMware ESXi vulnerability disclosed two years earlier. Many organizations had not yet patched it and became victims of a ransomware campaign now known as ESXiArgs. The malware encrypted files on the affected hosts, rendering their virtual machines unusable, and demanded payment for their recovery. 

The ACN urges VMware users to ensure their systems are backed up and updated with the most recent security patches available. With ransomware on the rise, it’s crucial that businesses take the necessary steps to protect their data and applications. 

ESXiArgs ransomware attacks

Ransomware is malware that lets an unauthorized party restrict access to an organization's files, systems, and networks, typically by encrypting them. It doesn't stop there: in exchange for the keys, attackers demand a large sum, usually in cryptocurrency. 

There are many ways ransomware reaches a target system. In this case the attackers exploited a known vulnerability in the OpenSLP service of unpatched, internet-exposed VMware ESXi hypervisors and encrypted the files that make up each virtual machine, holding entire servers for ransom. According to reports, the ransom notes demanded almost $50,000 USD worth of Bitcoin to restore access to the affected systems. 

The nature of these attacks led experts to believe that this was not the work of an established ransomware gang but of a smaller group of threat actors. That doesn't make the damage any less alarming. 

Exploiting known vulnerabilities

Attackers infected over 2,000 machines within twenty-four hours, on a Friday afternoon before the start of the weekend. How were they able to work so fast?

Because the exploit was old. Threat actors start working on exploits as soon as vendors publish fixes, and the vulnerability behind ESXiArgs, CVE-2021-21974 in the ESXi OpenSLP service, had been patched by VMware two years earlier, in February 2021. 

Organizations that have not applied that patch are at risk of becoming victims. Florida's Supreme Court, the Georgia Institute of Technology, Rice University, and many schools across Hungary and Slovakia were reportedly among those hit by this campaign. 

CISA guidance for affected systems

The US Cybersecurity and Infrastructure Security Agency (CISA) issued recovery guidance for the 3,800 servers around the world affected by the ESXiArgs ransomware attacks: 

  • Immediately update all servers to the latest VMware ESXi version. 
  • Disable the Service Location Protocol (SLP) service (port 427) to harden the hypervisor.
  • Make sure the ESXi hypervisor is never exposed to the public internet. 

CISA also published a script on its GitHub page that reconstructs virtual machine metadata from virtual disks the ransomware did not encrypt. 

What organizations can learn from this attack

It can happen to anyone. Malware and ransomware attacks are a popular way to exploit organizations, and no business, big or small, is off-limits. The software industry is now worth over a trillion dollars because of the ever-increasing demand for new applications, and every one of those applications is attack surface that has to be maintained. 

The average organization uses 110 applications to keep operations running. Each requires routine maintenance, and applying updates promptly plays a major role in protecting systems from ransomware. 

Another key takeaway is to keep vital systems away from the public internet. Anything exposed to it will be found and probed by automated scanning, so a known vulnerability on an exposed service is an open invitation. Since unpatched ESXi hosts remain vulnerable, companies should never expose the hypervisor's management interface or its SLP service to the world. 

How to improve patch management and avoid ransomware attacks

Several issues make patch management complex and hard to stay on top of. As the number of software services grows, so does the number of CVEs that apply to them. That means more patches to track, test and deploy before attackers work out how to exploit the known vulnerabilities. 

Alongside the volume of software, companies must also manage a growing volume of data. Organizations generate dark data continuously through ordinary business transactions, and user-behaviour, orchestration and other datasets grow quickly as more decisions become data-driven. 

That volume is hard to inventory and inspect, so vulnerable systems can sit unnoticed until an attacker finds them. Without visibility into what is running where, any patching strategy will be ineffective; complete visibility lets teams prioritize the assets and software that most need updating. 

Here is how to overcome these common patch management issues and avoid costly ransomware attacks: 

Test every patch

Patches must be thoroughly tested before being introduced into your systems. Patching is necessary to ensure that applications stay secure and up-to-date, but it can cause issues if something goes wrong. Each patch should be tested to avoid misconfigurations and other problems that can do more harm than good. 

Apply patches ASAP

Time is not on your side when it comes to patch management. After patches have been tested, apply them as soon as possible. The faster, the better. As soon as updates are released, hackers are hard at work to exploit as many users as possible before they have a chance to run the patch. 

Phase out deprecated devices and applications

Sometimes the only option left is to retire a program or device. Once software reaches end of life, the vendor stops releasing patches, so newly discovered vulnerabilities stay exploitable indefinitely; products are often retired precisely because of such security concerns. Remove any applications and devices that have reached end of life.

Automate patch management

Utilize automation to streamline patch management. Keeping track of each application’s maintenance schedule and regularly testing and patching software is time-consuming. Patch management automation or partnering with a managed service provider might be the most effective way to keep applications and endpoints up to date. 

Final thoughts

Ransomware attacks are not going away anytime soon. The campaign behind the warning from Italy has affected thousands of systems globally through software that should have been updated two years ago. Businesses that might be affected by ESXiArgs should follow CISA's guidance to limit the damage and recover what data they can. 

The best way to prevent ransomware threats is to be proactive with running patches and updates. Test every patch to ensure that it’s safe for your systems, apply changes as soon as possible, replace deprecated software, and automate patch management for optimal efficiency and security.

The post Italian agency warns ransomware targets known VMware vulnerability appeared first on Cybersecurity Insiders.


Mobile security refers to the technologies and processes that are used to protect mobile devices from malicious attacks, data breaches, and other forms of cybercrime. It also includes measures taken to safeguard personal information stored on these devices, as well as protecting them from physical damage or theft. Mobile security is becoming increasingly important due to the rapid proliferation of smartphones and tablets being used for business purposes around the world.

Businesses need to take steps to ensure their data remains secure when accessing company networks via mobile devices, including implementing a few key measures. Below are ten ways B2B companies can do better mobile security.

1. Use a secure email provider

A custom-domain mailbox at a reputable provider is one of the most important ways to keep company email and other sensitive data safe. Providers such as Google, Microsoft, Zoho, and Postale offer custom-domain email that encrypts messages in transit with TLS, which makes it harder for an attacker on the network to read confidential information or tamper with messages. Transport encryption protects a message between client and server, not on a compromised device, so it complements rather than replaces the device controls below.

Using a secure email provider is essential for any organization looking to maximize its data protection efforts. By taking advantage of these services, businesses can rest assured knowing their emails are secure and protected from malicious actors.

2. Implement strong authentication

Strong authentication means using two or more independent factors to verify a user's identity, for example a one-time password for each login, a biometric such as a fingerprint, or a hardware token. It ensures that only authorized users can access company networks and confidential data, because a stolen password alone is no longer enough.

Having strong authentication measures in place is an essential step in protecting data, as it helps to prevent unauthorized access and keeps sensitive information secure.

3. Install mobile security software

Mobile security software, often delivered through a mobile device management (MDM) platform, can help protect devices from malicious attacks. Installed on all company-owned devices, it provides a layer of protection by scanning for and blocking malicious applications. MDM adds controls such as remote wipe, enforced encryption, and the ability to remotely lock lost or stolen devices.

4. Enforce use policies

By having clear use policies in place, businesses can ensure their employees understand the importance of mobile security and that they are adhering to the established rules. These policies should include restrictions on downloading or installing unapproved apps, accessing unknown or suspicious websites, or sharing confidential information with unauthorized personnel.

Enforcing use policies is essential for keeping company networks and data secure. By ensuring that all employees abide by the same set of rules, businesses can greatly reduce their risk of a data breach or other malicious attack.

5. Utilize cloud storage

Cloud storage provides an effective way to keep business data off-site. Major providers encrypt data at rest and protect it from physical damage or theft, and using them removes the need to run and patch your own storage servers. Employees can reach their data from any device, anytime and anywhere. The provider's encryption does not protect against misconfigured sharing or weak account security, so access controls and strong authentication on the storage accounts remain essential.

Utilizing cloud storage is an efficient way to keep sensitive information secure while still providing easy access for authorized users.

6. Use virtual private networks (VPNs)

A virtual private network (VPN) adds security by encrypting all traffic between the mobile device and the VPN gateway. Even if an attacker on the same network intercepts the traffic, they cannot read it. VPNs are especially useful when employees access company networks over public Wi-Fi or other shared networks.

Using a VPN is an important step in protecting data from malicious attacks, as it ensures that all traffic is securely encrypted and less susceptible to being accessed by unauthorized parties.

7. Educate employees about the latest cybersecurity threats

Even with good policies and procedures in place, your employees still represent a vulnerable point in your data security. That’s why it’s important to regularly educate them about the latest cybersecurity threats and how they can avoid falling victim to them. This could include information on phishing scams, malware infections, mobile device security, and more.

By providing employees with the knowledge needed to recognize potential threats and take the necessary measures to protect themselves and their organization from attackers, businesses can greatly reduce their risk of suffering a data breach or other malicious attack.

8. Use two-factor authentication

Two-factor authentication (2FA) is an extra layer of security that requires users to provide two pieces of evidence when logging into an account or system. Typically, this consists of something that you know (such as a password), and something that you have (such as a mobile device). By requiring two different pieces of evidence, it makes it much more difficult for unauthorized parties to gain access to confidential data.

By implementing 2FA on all accounts and systems, businesses can greatly reduce their risk of suffering a data breach or other malicious attack. Doing so will ensure that only authorized users are able to access sensitive information, which helps keep confidential data always secure.

9. Monitor user activity

User activity monitoring is an important step in protecting your organization from malicious actors. By tracking user activities such as logins, downloads, file transfers and other system changes, businesses can detect suspicious activity in real-time and respond quickly to mitigate any potential damage.

By monitoring user activity on a regular basis, businesses can greatly reduce their risk of suffering a data breach or other malicious attack. Doing so will help ensure that all systems always remain secure and confidential information remains protected from unauthorized access.

10. Regularly back up your data

Backing up your data on a regular basis is an important step in protecting it from malicious actors. By having multiple copies of your files stored in separate locations, you can recover them quickly in the event of a data loss or system failure. This ensures that sensitive data remains safe and secure even if one copy is compromised by an attacker.

Using an automated backup system is a great way to ensure that your data remains protected. Your IT department can set up a process that regularly backs up all company files to an external drive or to the cloud, keeping at least one copy offline or immutable so that ransomware on the network cannot encrypt the backups along with the originals, ensuring that your data is available when needed.

Conclusion

By following these ten tips, B2B companies can greatly reduce their risk of suffering a data breach or other malicious attack. By taking the necessary steps to maximize their data protection efforts, businesses can ensure that confidential information remains secure at all times.

The post 10 Ways B2B companies can improve mobile security appeared first on Cybersecurity Insiders.


“While defenders pursue the most powerful and advanced solutions they can find, the enemy needs only a single user with a bad password or an unpatched application to derail an entire defensive position.” This quote by Dr. Chase Cunningham from his book, “Cyber Warfare – Truth, Tactics, and Strategies,” seems a fitting way to begin the topic of cybersecurity battlegrounds.

Regardless of the techniques used, going big, expensive, and glossy – while potentially useful – doesn’t replace the need for a well-reasoned approach to securing assets founded on traditional activities and principles. Innumerable assets are housed behind APIs, and the widespread use of APIs means they are high-profile targets. Securing them is of the utmost importance.

Two historical books came to mind for this topic:

  • Art of War, by Sun Tzu
  • Book of Five Rings, by Miyamoto Musashi

I chose these two due to their applicability to the topic (oddly enough because they are less specific to modern security – something about their antiquity allows for a broader application).

After revisiting the books, I decided to take Musashi’s five (5) principles (scrolls; Earth, Water, Fire, Wind, and Void) and match them as best as possible with 5 of the numerous teachings from Sun Tzu. I then applied them to securing APIs in the growing cybersecurity arena where there are an increasing number of threat actors.

Earth

Musashi’s focus in the Earth Scroll is seeing the bigger picture. Practitioners need to know the landscape or the 30,000 ft view. Sun Tzu said, “The supreme art of war is to subdue the enemy without fighting.”

How to Apply

One needs to understand the nature of API attacks and attackers in securing APIs. One example of a common exploit category is Security Misconfiguration.

Some fundamental API security activities that can prevent attacks before they even get started include following an SDLC, implementing access control, deploying some form of edge protection, using continuous monitoring and alerting, and using appropriate architecture and design patterns.

API attackers are ruthless and relentless. Most criminals want an easy win and using good defense will fend off a high percentage of attacks.

Encryption is a must, both in transit and at rest. The enemy can be thwarted by not being able to use what was stolen.

WATER

It’s important to be experienced and flexible – or fluid – on an individual level, and that includes one’s role in the company. Sun Tzu said, “Be flexible.”

How to Apply

Gathering cyber threat intelligence (CTI) makes it possible to adapt to changing threats in real time. Intelligence gathering, even using Contextual Machine Learning (CML), means that one doesn’t depend on past information, hearsay, rumors, or peer information. Rely on as much clear, relevant, and current information as possible about threats and risks for one’s own company.

In addition to CTI, focus on a well-designed and tested incident response plan.

Intelligence and responding to incidents go a long way toward making company security agile and adaptable.

FIRE

The Fire aspect is about the actual use of the weapons (tools) on the battlefield. Sun Tzu said, “The enlightened ruler lays his plans well ahead; the good general cultivates his resources.”

Now that the proper foundations have been built, it’s time to use the API tools that have been implemented.

How to Apply

Manage and maintain the API resources, identify the strengths and weaknesses of the API system, and ensure secure authentication and authorization methods for API access.

Also, set fire to vulnerabilities through regular security testing. This should include vulnerability scanning and pentesting, if not red/blue/purple teaming, or even something like Chaos Monkey to test resilience (availability is an oft-overlooked aspect of API security).

Wind

This is also interpreted as “Style.” Here, the goal is to study (not just passively observe) opponents. Sun Tzu said, “If you know the enemy and know yourself, you need not fear the result of a hundred battles.”

How to Apply

For the modern day, we’ll expand this to studying how other companies have dealt with cybercrime and cyberattacks. One will improve by studying others based on facets such as industry, regulations, and org size.

It's easy for a company to a) think it's alone or b) believe it does better than anyone. This can lead to isolation. Org leaders have every reason to set their org apart; distinction is a major component in having a chance at creating a profitable, if not lasting, business. But there aren't all that many ways to uniquely secure a business: phishing is phishing whether against an international enterprise or a local coffee shop, and an API for a fintech org is much the same as an API for an ice cream shop (the architectures available come in only a few flavors), so many people can use it and abuse it.

Intelligence sharing with other companies can be helpful in creating a secure community.

Void

The idea here – also called Emptiness, is understood as “no mind.” This doesn’t mean that no brain activity is involved, but points more to intuition, awareness, and acting on instinct. Action doesn’t always require thinking things through, getting input from others, and planning something. Some things – whether by natural inclination or by training – are just second nature.

Sun Tzu said, “Utilize your strengths.”

How to Apply

Play to your strengths: individual, departmental, corporate. There’s no one else like you or your company.

Leverage the strengths of your API resources to enhance security. Make sure you know your tools in and out. Often, they’re expensive and very likely, they’re not used to full capacity.

Focus on continuous learning and improvement. This requires a team of individuals who work well together and are independently passionate about defending data.

This intuitiveness is not based on industry, spreadsheets, or data analysis but depends on relevant stakeholders' individual and collective expertise. Often, it will be addressing many fronts at once, such as improved IR, developer training, choosing a platform that provides numerous API protections (while also avoiding a single point of failure), getting legal and compliance teams to determine next steps in the privacy regulation landscape, and performing regular incident response and disaster recovery exercises.

Epilogue

To paraphrase the classic ending of many of Musashi’s teachings, these ideas should be given careful and thorough reflection.

The post API security: the new security battleground appeared first on Cybersecurity Insiders.


According to the Open Web Application Security Project's API Security Top 10 (OWASP, 2019), broken object-level authorization (BOLA) ranks first (API1:2019) among the vulnerabilities confronting modern application programming interfaces (APIs). It can be exciting to pursue innovations in the API area, but while doing so, programmers must ensure that they are adequately attentive to security concerns and that they develop protocols that can address such concerns. This article will describe the problem of BOLA and its consequences, and then it will present actions that can be taken to solve the problem.

The problem

OWASP (2019) indicates the following regarding BOLA: "Attackers can exploit API endpoints that are vulnerable to broken object-level authorization by manipulating the ID of an object that is sent within the request" (para. 1). OWASP's own illustration is an e-commerce platform that hosts many shops. By inspecting the requests their browser makes, an attacker notices that each shop's revenue chart is loaded from an endpoint following the pattern /shops/{shopName}/revenue_data.json. Another endpoint lists every hosted shop, so a short script that substitutes each name into the URL pulls the sales data of every store on the platform, because the API never checks whether the caller is entitled to that shop's data.

BOLA is exploited so often because, without an object-level authorization check, the only thing standing between an attacker and the data is not knowing a valid ID. Attacking such an API needs no special access: a valid account (or none, for public endpoints) and the ability to observe and modify one's own requests, for instance through an intercepting proxy, is enough (Viriya & Muliono, 2021). APIs without such checks are simply hoping that nobody tries. Once someone does, nothing stops them from reading, and often modifying, every record the endpoint can reach.

The consequences

BOLA attacks have significant consequences for data security: "Unauthorized access can result in data disclosure to unauthorized parties, data loss, or data manipulation. Unauthorized access can also lead to full account takeover" (OWASP, 2019, para. 3). In short, BOLA attacks produce data breaches. Stories about data breaches are all too common in the news, with a recent one involving a healthcare organization in Texas (Marfin, 2022). Not every breach is the result of a BOLA attack, but given how common the flaw is in APIs, a notable share of API-related breaches involve it. The specific consequences of a successful BOLA attack, and their magnitude, depend on the target.

For example, if the target is a healthcare organization, the breach could expose patients' medical records and insurance details. If the target is a bank, customers' social security numbers and account data. If the target is an e-commerce site, customers' card numbers and home addresses. In every case the central consequence is the same: personal information is exposed because the API does not check who is asking for it.

The solution

The solution to BOLA is for programmers to implement authorization checks for every access to data or records within an API. As OWASP (2019) indicates, prevention of BOLA requires "an authorization mechanism to check if the logged-in user has access to perform the requested action on the record in every function that uses input from the client to access a record in the database" (para. 9).

At its core, BOLA is the assumption that a client who knows the identifier needed to make a request must be entitled to make it. The assumption fails because identifiers are easy to obtain: they appear in URLs, responses and browser traffic, and sequential integers can simply be counted up.

Preventing it therefore requires that the server not only act on the user's input but also verify, on each request, that the authenticated user is permitted to perform the requested action on that specific object (Blokdyk, 2022). In practice that means loading the record and comparing its owner, or an access-control list attached to it, with the identity established by the session, never with a user ID supplied by the client.

The solution to BOLA is therefore straightforward. Vulnerable APIs treat possession of an object ID as if it were authorization, which is inadequate from a data-security standpoint. To prevent BOLA, APIs must tie every request to the authenticated user and confirm that the user is authorized for that object before acting on it. As defense in depth, OWASP also recommends random, unpredictable identifiers such as GUIDs, which remove the easy enumeration of sequential IDs without replacing the check itself. The vulnerability exists only because programmers often omit this check; applied consistently to every endpoint, it closes the hole, since an attacker who tampers with an ID receives an error instead of another user's record.
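
Added example, not from the article or from OWASP: a vulnerable and a fixed version of an order-lookup handler as plain Python functions over an in-memory store (the users, orders and IDs are constructed), plus the enumeration loop an attacker would run against each. The ownership check and the unpredictable-ID helper follow the prevention advice quoted above.

```python
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Order:
    order_id: str
    owner: str          # the user the object belongs to
    total_cents: int


class NotFound(Exception):
    """Maps to HTTP 404 in a real API."""


# Constructed in-memory store standing in for the database; users and amounts are invented.
ORDERS: Dict[str, Order] = {
    "1001": Order("1001", "alice", 4200),
    "1002": Order("1002", "bob", 9900),
}


def get_order_vulnerable(session_user: str, order_id: str) -> Order:
    """Authenticated but not authorised (API1:2019): the handler trusts the ID
    from the client and never asks whether `session_user` may see that record."""
    if order_id not in ORDERS:
        raise NotFound(order_id)
    return ORDERS[order_id]


def get_order_secure(session_user: str, order_id: str) -> Order:
    """Load the record, then check ownership against the *session* identity,
    never against a user ID supplied by the client. A record that exists but
    belongs to someone else gets the same 404 as a missing one, so the
    difference cannot be used to enumerate valid IDs."""
    order = ORDERS.get(order_id)
    if order is None or order.owner != session_user:
        raise NotFound(order_id)
    return order


def create_order(owner: str, total_cents: int) -> Order:
    """Defence in depth: unpredictable IDs remove the sequential pattern an
    attacker would iterate. This does not replace the ownership check."""
    order_id = secrets.token_urlsafe(16)
    order = Order(order_id, owner, total_cents)
    ORDERS[order_id] = order
    return order


def enumerate_orders(handler: Callable[[str, str], Order],
                     session_user: str, candidate_ids: List[str]) -> List[str]:
    """What an attacker's script does: push candidate IDs through a handler
    and keep the ones that come back. Returns the IDs that leaked."""
    leaked: List[str] = []
    for order_id in candidate_ids:
        try:
            handler(session_user, order_id)
            leaked.append(order_id)
        except NotFound:
            pass
    return leaked


if __name__ == "__main__":
    ids = [str(n) for n in range(1000, 1004)]
    print("vulnerable leaks to alice:", enumerate_orders(get_order_vulnerable, "alice", ids))
    print("secure leaks to alice:    ", enumerate_orders(get_order_secure, "alice", ids))
```

The check lives in the handler that loads the record, not in a middleware that only knows the URL; that is the "in every function that uses input from the client" part of the OWASP guidance, and it is the step most frameworks leave to the developer.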

Perhaps BOLA is thus a case study in humility. As programmers explore new frontiers of modern APIs, they must also ensure that they do not neglect the basics. The implementation of user authorization protocols to prevent BOLA vulnerability must be understood as a foundational element for any sound API, and doing so will address a key OWASP priority. 

References

Blokdyk, G. (2022). User authentication and authorization. 5STARCooks.

Marfin, C. (2022, July 12). Tenet Healthcare faces lawsuit after data breach affects 1.2 million patients. Dallas Morning News. https://www.dallasnews.com/news/courts/2022/07/12/tenet-healthcare-faces-lawsuit-after-data-breach-affects-12-million-patients/

Open Web Application Security Project. (2019). API1:2019 Broken object level authorization. GitHub. https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa1-broken-object-level-authorization.md

Viriya, A., & Muliono, Y. (2021). Peeking and testing broken object level authorization vulnerability onto e-commerce and e-banking mobile applications. Procedia Computer Science, 179, 962-965.

The post Broken Object Level Authorization: API security’s worst enemy appeared first on Cybersecurity Insiders.


Introduction:

Dridex, also known as Cridex or Bugat, is a banking Trojan that has been active since 2011. The malware is primarily used to steal sensitive information, such as login credentials and financial information, from victims. Dridex is known for its ability to evade detection by using dynamic configuration files and hiding its servers behind proxy layers.

The Dridex malware typically spreads through spam email campaigns, with the emails containing a malicious attachment or link that, when clicked, will install the malware on the victim's computer. The malware then uses web injections to steal financial information from the victim.

One of the interesting features of Dridex is its use of a peer-to-peer (P2P) network for command and control (C&C) communication. This allows the attackers to evade detection by security researchers and law enforcement, as the C&C servers can be quickly changed if one is discovered.

In terms of atomic techniques, Dridex uses a variety of methods to evade detection and maintain persistence on an infected system. Some of these techniques include:

  • Fileless infection: Dridex can infect a system without leaving any trace of a malicious file on the hard drive.
  • Process hollowing: Dridex can inject its code into a legitimate process in order to evade detection by security software.
  • Anti-debugging and anti-virtualization: Dridex can detect if it is running in a virtualized environment or if it is being debugged, and will terminate itself if it is.

Dridex is a well-known and sophisticated banking Trojan that has been active for more than a decade; it has been known to target financial institutions, businesses, and individuals. Despite the arrest of one of its administrators in 2015, the malware continues to be active and to evolve.

Recent infection on Macs:

The recent variant of Dridex that targets macOS systems delivers its malicious macros via documents in a new way. As with the Windows variants, it spreads through spam email campaigns whose attachments or links install the malware when clicked. The variant overwrites the victim's document files to carry Dridex's malicious macros, but the payload it currently delivers is a Windows executable (.exe), which will not run in a macOS environment. This suggests that the variant is still in the testing stage and has not yet been fully converted to work on macOS machines; it is possible that the attackers will make further modifications to make it compatible with macOS in the future.

Once the malware is installed on the system, it searches for files with .doc extensions and overwrites them with the malicious code. The overwritten files carry the D0CF file format signature, which identifies a Microsoft (OLE2) document file. The malicious macros are therefore delivered inside what look like the user's own document files, which makes it harder for the user to determine whether a file is malicious.
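An added example, not from the original post or from any Dridex analysis, of a defensive triage check for the behaviour just described: it flags .doc files that carry the OLE2 (D0CF) signature together with the storage names a VBA project leaves behind. The marker heuristic, function names and sample bytes are mine:

```python
from pathlib import Path

# OLE2 (Compound File Binary) signature D0 CF 11 E0 A1 B1 1A E1: the
# "D0CF file format signature" the article mentions is these leading bytes.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")

# OLE directory entries store stream and storage names as UTF-16LE. A VBA
# project leaves a "Macros" storage (Word) or a "_VBA_PROJECT..." storage,
# so the markers are searched for in that on-disk encoding.
VBA_MARKERS = tuple(m.encode("utf-16-le") for m in ("Macros", "_VBA_PROJECT"))


def is_ole2(data: bytes) -> bool:
    """True when the bytes start with the OLE2 compound-file magic."""
    return data[:8] == OLE2_MAGIC


def has_vba_markers(data: bytes) -> bool:
    """Heuristic: True when a VBA storage name appears anywhere in the file."""
    return any(marker in data for marker in VBA_MARKERS)


def classify(data: bytes) -> str:
    """Return 'not-ole', 'ole-no-macro' or 'ole-macro' for one file's bytes."""
    if not is_ole2(data):
        return "not-ole"
    return "ole-macro" if has_vba_markers(data) else "ole-no-macro"


def scan_files(files: dict) -> dict:
    """Classify a {name: bytes} mapping. Macro-bearing .doc files in a user's
    document folders are the ones to triage; most personal documents have none."""
    return {name: classify(data) for name, data in files.items()}


def scan_directory(root: Path) -> dict:
    """Classify every *.doc under root, the extension the variant overwrites."""
    return scan_files({str(p.relative_to(root)): p.read_bytes()
                       for p in root.rglob("*.doc")})


if __name__ == "__main__":
    # Constructed samples, not real documents or malware.
    samples = {
        "notes.doc": OLE2_MAGIC + b"\x00" * 64,                       # clean OLE
        "report.doc": OLE2_MAGIC + b"\x00" * 64
                      + "Macros".encode("utf-16-le"),                 # macro marker
        "dropped.doc": b"MZ" + b"\x00" * 64,                          # not OLE at all
    }
    for name, verdict in scan_files(samples).items():
        print(f"{name}: {verdict}")
```

A positive result is a lead, not a verdict: confirm with a full OLE parser such as oletools' olevba, and compare the file's modification time with when the user last edited it.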

The malware also uses basic string encryption to hide the malicious URL it connects to in order to retrieve a file. This method of delivery differs from the traditional one, which is via email attachments, and shows that the attackers behind Dridex are looking for new targets and more efficient methods of entry.

How it works:

Dridex is a banking Trojan that is typically distributed through phishing email campaigns. The malware is delivered as an attachment, often in the form of a Word or Excel document, that contains a malicious macro. Once the macro is enabled, it will download and execute the Dridex payload on the victim's system.

Once installed, Dridex can perform a variety of malicious actions, including keylogging, capturing screenshots, and stealing login credentials. The malware can also be used to create a botnet, allowing the attackers to remotely control the infected systems.

Dridex uses web injects, which are modules that can inject HTML or JavaScript code into a web page before it is rendered. This allows the malware to manipulate the appearance of web pages and trick the user into entering sensitive information, such as login credentials or credit card numbers. The malware can then send this information to its command and control (C2) server.

Dridex uses a variety of techniques to evade detection and maintain persistence on an infected system. These include using code injection to infect other processes, using named pipes to communicate with other processes, and using anti-debugging and anti-virtualization techniques to evade analysis.

In addition, Dridex uses a technique called “Heaven's Gate” to bypass Windows' WoW64 (Windows 32-bit on Windows 64-bit) layer, allowing it to execute 64-bit code from a 32-bit process. The technique abuses the mechanism by which Windows lets 32-bit applications call into 64-bit code. By running its code in a 64-bit context, Dridex evades detection and anti-analysis by security tools that only inspect the 32-bit side of the process.

Remediation:

1. Isolate and remove the malware: Identify and isolate any infected systems and remove the malware using reputable anti-virus software.

2. Change all passwords: Dridex malware is known to steal login credentials, so it is important to change all passwords on the affected systems.

3. Patch the system: Ensure that all systems are fully patched and updated with the latest security fixes.

4. Use endpoint protection: Implement endpoint protection software to detect and block Dridex malware and other malicious software.

5. Monitor network traffic: Monitor network traffic for suspicious activity and use intrusion detection systems (IDS) to detect and block malicious traffic.

6. Employee education: Educate employees on how to identify and avoid phishing scams, and to be cautious when opening email attachments or clicking on links.

7. Regular backups: Regularly backup important data and keep backups in a secure location.

8. Use a firewall: Use a firewall to block incoming and outgoing connections from known malicious IP addresses.

Conclusion:

In conclusion, Dridex is a well-known banking trojan that has been active since 2012, targeting financial institutions and their customers. The malware is typically distributed through phishing email campaigns, using attachments or links that lead to the downloading of the malware. Once on a system, Dridex uses various techniques to steal sensitive information, including web injection to manipulate web pages and steal credentials. Remediation efforts should include monitoring for suspicious activity, blocking known malicious IPs and domains, keeping software updated, and educating users on how to identify and avoid phishing attempts. Additionally, monitoring for known indicators of compromise and inspecting processes and DLL files that are known to be targeted by Dridex can help detect and prevent Dridex infections.

This author is from www.perimeterwatch.com

The post Dridex malware, the banking trojan appeared first on Cybersecurity Insiders.


Customers’ willingness to give you their personal data begins with the experience they receive. Convincing them requires the right tone, an outlook of what they’ll get in return, and most importantly, a high level of trust. But while companies depend on customer data to unlock growth, user-centric data collection can be tricky.

43% of U.S. consumers say they would not allow companies to collect personal data, even to accommodate more personalized, customized experiences, while 88% will give you their data if they trust your brand.

With this in mind, how do you meet customer expectations and proactively build consumer trust throughout the entire customer lifecycle? Effective user journey orchestration, supported by a robust Customer Identity & Access Management (CIAM) solution, can help you balance security, privacy, and convenience, resulting in a trustworthy digital experience.

5 ways CIAM safely orchestrates your customers’ journey

CIAM is an effective solution for hassle-free and secure logins that enables you to retain more customers with seamless access across various digital channels. This is how CIAM safely orchestrates your customers’ journey.

1. Capture and manage customer identities to remove friction at registration and login

Businesses spend a lot to acquire new customers but tend to invest less in the experience once they are acquired. Yet providing a seamless and convenient experience is what eventually brings loyalty, and thus the foundation for true ROI.

With CIAM, you no longer need to push every customer through the same rigid authentication processes when they visit your site. Put simply, CIAM ensures customers are always met at the digital front door, conveniently and without friction.  

For example, if customers are registering for the first time, you don't need to ask them to enter all their personal data immediately. Ask only for the information you need, at the right point in their journey. This allows them to focus on their shopping experience or the task at hand rather than on filling in forms.

When an existing customer wants to log into your site, you can make smarter decisions about how many authentication hoops you should make them jump through. For example, suppose the risk environment remains unchanged, and their behavioral context is the same as before. You might decide they don't need to enter their password again or authenticate using MFA.

CIAM allows you to adjust your authentication experience's friction level to make your customers' experience seamless.

2. Build robust customer profiles based on first-party, consent-based data

CIAM captures the personal data that the customer has released to your brand. This first-party data, which is based on consumer consent, enables your business to compile comprehensive client profiles by collecting and combining data from multiple channels. The data produced can assist your company in achieving a unified customer experience as your consumer engages with various business divisions.

First-party data is essential as third-party cookies are being blocked by browsers, and businesses need to invest in privacy-friendly ways to gather data for profiling their prospective customers. Besides harnessing the value of data, consent-based data collection demonstrates respect for your customers' privacy, a building block for earning their trust.

3. Orchestrate customer profiles in near real-time to other engagement solutions to deliver personalized experiences

Storing your customers' profile data in a single platform allows you to make timely, data-informed decisions and to further engagement with your customers through other solutions.

Take, for example, the way Spotify works. When you search for your favorite artist, the platform suggests other artists with the same style. These suggestions allow you to listen to more of your favorite music and offer an impeccable personalized experience. Wouldn’t you like your brand to treat your customers the same way?

If you get to know your customers better by building rich user profiles, you can use these profiles to tailor experiences across every digital property. And your customer will keep coming back to you for more.

4. Drive the adaptive authentication experience to limit burden and enhance security

Requiring your customers to provide an additional authentication factor by implementing MFA is one of the simplest ways to increase the security of the login flow. Email is often the easiest option to implement, but it adds effort to the authentication flow, and the resulting frustration might cause customers to opt for a competitor.

With CIAM, you can choose the authentication options (for example, biometrics) that will be easiest or most secure for your customers, without any additional worry about how difficult they might be to integrate and maintain within your application.

A customer identity platform only asks for the authentication you need and asks for it only when you need it; security and convenience become two sides of the same coin. If you can prove to customers that the friction added to the experience is always proportionate to the situation, you'll find it much easier to win their trust.
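To make the adaptive step-up described here, and the "unchanged risk environment" case in point 1 above, concrete, here is an added example that is not part of the original post or of any CIAM product: a policy function that maps login signals to the factors a customer must still present. The signal names, thresholds and sensitive-action list are assumptions:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginContext:
    """Signals a CIAM risk engine would gather for one login attempt
    (assumed names; a real platform exposes its own)."""
    known_device: bool        # device fingerprint already bound to the account
    usual_location: bool      # geo/network matches the account's history
    minutes_since_auth: int   # age of the last full authentication
    risk_score: int           # 0 (benign) .. 100 (hostile), from the engine
    action: str               # what the customer is about to do


# Actions that always get a strong factor, however familiar the context.
SENSITIVE_ACTIONS = {"change_email", "change_password", "add_payment_method"}
SESSION_MAX_MINUTES = 30      # after this, at least a password is asked again


def authentication_decision(ctx: LoginContext) -> tuple:
    """Return ("deny", ()) or ("allow", factors): the factors the customer
    must still present, from none at all up to ("password", "mfa").

    Friction follows the situation: the same device, the same place and a
    low risk score are the "unchanged risk environment and behavioural
    context" case, so the customer is not re-prompted; anything unfamiliar
    steps up; a hostile score is refused outright. "mfa" can be satisfied by
    a biometric or passkey rather than a typed code where that is offered."""
    if ctx.risk_score >= 80:
        return ("deny", ())
    if ctx.action in SENSITIVE_ACTIONS:
        return ("allow", ("password", "mfa"))   # step-up regardless of context
    familiar = ctx.known_device and ctx.usual_location and ctx.risk_score < 30
    if familiar and ctx.minutes_since_auth < SESSION_MAX_MINUTES:
        return ("allow", ())                    # nothing changed: no prompt
    if familiar:
        return ("allow", ("password",))         # session aged, context unchanged
    return ("allow", ("password", "mfa"))       # new device or place: prove it


if __name__ == "__main__":
    returning = LoginContext(True, True, 5, 10, "view_orders")
    new_device = LoginContext(False, True, 5, 40, "view_orders")
    print(authentication_decision(returning))   # ('allow', ())
    print(authentication_decision(new_device))  # ('allow', ('password', 'mfa'))
```

The ordering matters: the deny rule runs before any convenience rule, and sensitive actions step up even for a customer the platform otherwise recognises.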

5. Adopt progressive profiling

A customer's introduction to your application is often the registration process, and you need to ensure that the process is efficient, seamless, and secure so that you don't lose the customer's attention along the way. This might mean collecting only the minimum amount of information you require from your users. A 'just in time' and 'just enough' approach to data collection is the best strategy for building a frictionless and secure prospect-to-customer journey that leads to better conversion rates.

A CIAM solution can be configured to require as many or as few pieces of information about your customers as you wish to gather. This information can be stored centrally so that you can utilize the CIAM solution as the source of truth regarding customer personal information and be assured that this data is always secured. 

The main advantage of effective user journey orchestration

A significant benefit of deploying a cloud identity platform, and thereby adopting a user journey orchestration process, is that it helps establish the trust needed to build long-lasting relationships with your customers.

Businesses can acquire more customers by using CIAM and progressive profiling to streamline the registration process and asking for information over time rather than forcing new customers to fill out a long sign-up form at the very beginning. Also, reducing friction during login when existing customers return to any digital property can help your business retain customers.

By enforcing appropriate security measures in every situation, CIAM shows your customers that you are a trustworthy steward of their accounts and personal data. This increases the likelihood of repeat business, reduces the risk of account abandonment, and acts as a disincentive for churn.

The post How CIAM safely orchestrates your customers’ journey and its benefits appeared first on Cybersecurity Insiders.