Archive for March 21, 2023

Guest Post: ESET Research discovers trojanized WhatsApp and Telegram applications stealing crypto funds and with new functionalities

Posted in Commentary with tags on March 21, 2023 by itnerd

ESET researchers have discovered dozens of copycat Telegram and WhatsApp websites targeting mainly Android and Windows users with trojanized versions of these instant messaging apps. Most of the malicious apps we identified are clippers — a type of malware that steals or modifies the contents of the clipboard. All of them are after victims’ cryptocurrency funds, with several targeting cryptocurrency wallets. This was the first time ESET Research had seen Android clippers focusing specifically on instant messaging. Moreover, some of these apps use optical character recognition (OCR) to recognize text from screenshots stored on the compromised devices, which is another first for Android malware.

Based on the language used in the copycat applications, it seems that the operators behind them mainly target Chinese-speaking users. Because both Telegram and WhatsApp have been blocked in China for several years now, with Telegram being blocked since 2015 and WhatsApp since 2017, people who wish to use these services have to resort to indirect means of obtaining them.

The threat actors first set up Google Ads leading to fraudulent YouTube channels, which then redirected the viewers to copycat Telegram and WhatsApp websites. ESET Research immediately reported the fraudulent ads and related YouTube channels to Google, which promptly shuttered them all.

“The main purpose of the clippers we discovered is to intercept the victim’s messaging communications and replace any sent and received cryptocurrency wallet addresses with addresses belonging to the attackers. In addition to the trojanized WhatsApp and Telegram Android apps, we also found trojanized Windows versions of the same apps,” says ESET researcher Lukáš Štefanko, who discovered the trojanized apps.

Despite serving the same general purpose, the trojanized versions of these apps contain various additional functionalities. The analyzed Android clippers constitute the first instance of Android malware using OCR to read text from screenshots and photos stored on the victim’s device. OCR is deployed in order to find and steal a seed phrase, which is a mnemonic code composed of a series of words used for recovering cryptocurrency wallets. Once the malicious actors get hold of a seed phrase, they are free to steal all the cryptocurrency directly from the associated wallet.

In another instance, the malware simply switches the victim’s cryptocurrency wallet address for the attacker’s address in chat communication, with the addresses being either hardcoded or dynamically retrieved from the attacker’s server. In yet another instance, the malware monitors Telegram communication for certain keywords related to cryptocurrencies. Once such a keyword is recognized, the malware sends the full message to the attacker’s server.

ESET Research also found Windows versions of the wallet-switching clippers, as well as Telegram and WhatsApp installers for Windows bundled with remote access trojans (RATs). In a departure from the established pattern, one of the Windows-related malware bundles is not composed of clippers, but of RATs that enable full control of the victim’s system. This way, the RATs are able to steal cryptocurrency wallets without intercepting the application flow.

“Install apps only from trustworthy and reliable sources, such as the Google Play store, and do not store unencrypted pictures or screenshots containing sensitive information on your device. If you believe you have a trojanized version of Telegram or WhatsApp, manually remove it from your device and download the app either from Google Play or directly from the legitimate website,” advises Štefanko. “For Windows, if you suspect that your Telegram app is malicious, use a security solution to detect the threat and remove it for you. The only official version of WhatsApp for Windows is currently available in the Microsoft store.”

For more technical information about the clippers built into instant messaging apps, check out the blog post “Not-so-private messaging: Trojanized WhatsApp and Telegram apps go after cryptocurrency wallets” on WeLiveSecurity.

Approov Names Pearce Erensel Vice President of Sales

Posted in Commentary with tags on March 21, 2023 by itnerd

Approov, the end-to-end mobile app security provider, today named Pearce Erensel vice president of sales, reporting to Approov’s CEO Ted Miracco.

Erensel will have responsibility for Approov’s global sales and support. His focus will be on increasing Approov’s footprint in the mobile app security market by leading a professional sales and business development organization and driving customer-facing processes.

Pearce Erensel is an experienced sales and business development executive noted for meeting or exceeding revenue targets. Most recently, he was employed by Zimperium in its London office after serving as an account executive for whiteCryption, a company acquired by Zimperium. At Zimperium, he was a product expert for its mobile app protection suite working alongside EMEA account executives and training application engineers. At Intertrust Technologies Corporation, a software technology company specializing in trusted distributed computing, Erensel worked as a business development manager and account executive. He began his career in New York City working as a corporate sales trainer for advertising services firm First Reaction Inc.

Erensel is a graduate of Dickinson College in Pennsylvania with a Bachelor of Arts degree in Environmental Studies. He holds a Master of Arts degree in Global Policy from the University of Maine School of Policy and International Affairs (SPIA) in Orono, Maine.

New LinkedIn Data Details Why Recruiters Have The Power To Enable Change At Their Organizations

Posted in Commentary with tags on March 21, 2023 by itnerd

With the world of work being reshaped, employers are now rethinking everything, including what they look for in candidates, where they find them, and how they attract and retain them. Now more than ever, companies need guidance.

LinkedIn recently released a data report sharing 17 predictions for the future of recruiting, based on dozens of interviews with global talent leaders, surveys of thousands of recruiting pros, and analysis of billions of data points generated on LinkedIn.

The data and insights center around five key themes ranging from internal mobility to skills-first hiring to employers remaining committed to DEI despite the current economic uncertainty.

Key Global Findings Include:

  • Three out of four recruiter respondents say that DEI hiring is being prioritized.
  • Recruiters are 25% more likely to search for candidates based on skills than they were just three years ago. And more than 50% of recruiters are more likely to search by skills than by years of experience.
  • Employees who work at companies with high internal mobility tend to stay 60% longer than those at companies with lower internal mobility.

The full report can be viewed here.

Google Blocks Chinese App Pinduoduo Over Security Concerns

Posted in Commentary with tags on March 21, 2023 by itnerd

Google has suspended the Chinese shopping app Pinduoduo after discovering that versions of the app not in the Play Store have been found to contain malware and the current version is “not compliant with Google’s Policy”. With approximately 900 million users, Pinduoduo is one of China’s most popular e-commerce platforms.

“Off-Play versions of this app that have been found to contain malware have been enforced on via Google Play Protect,” Ed Fernandez, a Google spokesperson said.

Google Play Protect scans for malicious apps installed on Android phones and will recommend that users uninstall them. Play Protect currently prevents users from installing the Pinduoduo app.

Furthermore, a Pinduoduo spokesperson said in a statement to CNN, “We are communicating with Google for more information. We have been told that there are several other apps that have been suspended as well.”

In a later statement Pinduoduo said it strongly rejects “the speculation and accusation that Pinduoduo app is malicious just from a generic and non-conclusive response from Google.”

It reiterated that “there are several apps that have been suspended from Google Play at the same time.”

Google Play has yet to confirm which other apps were suspended, and has asked users who installed off-store (that is, sideloaded) versions of the app to uninstall them.

Ted Miracco, CEO, Approov had this to say:

“Mobile attestation is the process involved in verifying that the app was signed by a trusted party and has not been modified since it was signed. If mobile app developers use Google Play Integrity for the attestation process involved, they leave substantial end-users out of the process, as both Huawei and Xiaomi smartphones typically do not have access to Google Play attestation capabilities and many Samsung devices support app attestation through their own Samsung Knox (a mobile security platform that provides security features, including app attestation).

“It is incumbent on developers to ensure that only genuine apps can access the APIs, otherwise they are opening up their users to the possibilities of malware or credentials being stolen from the app. Attestation across all mobile platforms is both necessary to protect APIs and to ensure the safety of the end users.”

I didn’t see a mention of the Apple versions of this app in the CNN story. I am guessing that this is because it’s much harder (but not impossible) to slip such code into apps on Apple’s App Store. And apps on that platform need to be signed. Plus side loading isn’t a thing on iOS. Some clarification on that would be handy. But if that’s the case, then as stated above, Google needs to move towards that sort of model as that will keep people safer.

Guest Post: 92% of organizations fell victim to phishing in the past 12 months

Posted in Commentary with tags on March 21, 2023 by itnerd

Phishing attacks remain a significant threat to organizations. According to the data presented by the Atlas VPN team, based on the survey conducted by Egress with 500 cybersecurity leaders, 92% of organizations were victims of phishing in the past 12 months, and 86% experienced negative consequences as a result.

The most commonly reported fallout from phishing attacks was financial losses from customer churn. Overall, 54% of surveyed organization leaders said they lost customers and revenue due to successful phishing attacks.

A company’s reputation, which may have taken years or even decades to build, can be irreparably damaged in just seconds due to a single security breach. Reputational damage was reported by 47% of organizations that were impacted by phishing attacks in the last 12 months.

Moreover, over a fourth (27%) of organizations underwent lengthy remediations, while nearly a tenth (9%) faced legal repercussions.

However, phishing incidents did not only have repercussions for the victim organizations but also for the employees involved. In 30% of cases, the employees were disciplined as a result of the successful phishing event, while 22% of organizations reported that the employee was dismissed. In 18% of instances, employees left voluntarily.

72% of cybersecurity leaders express concern over AI’s use in phishing emails

Phishing has become an increasingly sophisticated cyber threat as cybercriminals continue to evolve their tactics. With the advancement of AI technology, there are concerns it may be misused to create more sophisticated cyberattacks.

Specifically, 72% of cybersecurity leaders are expressing worries about the use of AI in email phishing attacks. Cybersecurity leaders within financial organizations are the most alert about AI’s use to craft phishing campaigns — 80% showed concern.

These concerns arise from the potential for AI to automate the phishing process, which can make attacks more efficient and scalable. Additionally, AI can create highly sophisticated and personalized phishing emails that are difficult to detect using traditional security systems. The use of deepfake technology to add video and voice capabilities to phishing attacks can make them even more dangerous.

To read the full article, head over to: https://atlasvpn.com/blog/survey-92-of-organizations-fell-victim-to-phishing-in-the-past-12-months


Telstra Names Nitin Tikku as VP of Global Business Development for the Americas

Posted in Commentary with tags on March 21, 2023 by itnerd

Telstra has appointed Nitin Tikku as Vice President of Global Business Development for Telstra Americas, responsible for leading the company’s strategic business development and growth initiatives across the region and beyond.

Tikku brings more than 20 years of experience to his new role, with a successful record of driving revenue growth, leading sales teams, managing strategic relationships and identifying high-potential new business opportunities.

Prior to joining Telstra, Tikku held technical and sales leadership roles where he successfully designed, secured and managed multi-million-dollar contracts with U.S. federal government agencies, global system integrators and Fortune 500 companies. Most recently, he held the position of Senior Director of Sales at AT&T, responsible for the business management and growth of one of AT&T’s largest customers, a global system integrator.

Tikku holds a bachelor’s degree in electrical engineering from Drexel University, and a master’s degree in management of information technology from the University of Virginia.

Commvault Appoints Global Sales and Operations Leader Allan Timchuk as Area Vice President, Americas Sales

Posted in Commentary with tags on March 21, 2023 by itnerd

Commvault, an enterprise data protection leader for the complex and mission critical hybrid environments of today’s global businesses, today announced that Allan Timchuk has joined the company as Area Vice President, Americas Sales.

At Commvault, Timchuk will be responsible for the go-to-market strategy, customer engagements, and partner alignment in Canada and Latin America (LATAM). He will report to David Boyle, Senior Vice President, Americas Sales.

Timchuk brings a wealth of experience in executive sales leadership, global sales operations, and strategy within technology and security organizations, having worked in enterprise, commercial, government, and international markets. He has led teams helping customers use technology solutions to drive business value for more than two decades. He is committed to leveraging his creativity and transformational technology expertise to resolve customers’ business challenges.

Most recently, Timchuk was responsible for overseeing sales, customer engagement, and go-to-market for the Security Business Practice at VMware Canada. Prior to that, he held the role of COO for the Americas at Dell EMC Technologies Modern Data Center. In addition, Timchuk was the Director of Sales for government markets at SAS Canada for over five years, and had an 11-year tenure at EMC Corporation, responsible for sales and go-to-market strategy for government, commercial, and enterprise businesses for Eastern Canada.

Timchuk studied Industrial Design at Carleton University and is based in Ottawa, Ont.

Twitter Appears To Be Testing Using Government IDs To Sign Up For Twitter Blue

Posted in Commentary with tags on March 21, 2023 by itnerd

The folks at TechCrunch are reporting the following:

Twitter appears to be testing a new verification process for Twitter Blue subscribers that would involve submitting a government ID. Code-level insights reveal a process for sending in a photo of the user’s ID, both front and back, along with a selfie photo to verify their Twitter account. The feature is listed alongside others only available to Twitter Blue subscribers, like support for editing tweets, uploading longer videos, organizing bookmarks with folders and other paid subscription perks.

The ID upload feature was uncovered in Twitter’s code last week by product intelligence firm Watchful.ai, but it’s unclear for now if it’s being tested externally. The firm told TechCrunch it believes the feature is in testing in the U.S., where it was found in the Android version of the Twitter app. However, it doesn’t know how many (or if any) Twitter users are actually seeing the feature as of yet.

Seeing as the launch of Twitter Blue has been a train wreck next to a dumpster fire to say the least, and very few Twitter users have signed up for it, I guess that Elon was forced to come up with something that makes it less likely to be a train wreck next to a dumpster fire as this will stop the impersonations and the other stuff that happened when Twitter Blue first launched. As for getting people to sign up for Twitter Blue, I have to assume that this is one piece of a bigger puzzle to encourage Twitter users to sign up for Twitter Blue. And we’ll have to wait to see what those other pieces are.

Hitachi Energy Discloses Data Breach

Posted in Commentary with tags on March 21, 2023 by itnerd

Hitachi Energy disclosed a data breach Friday which occurred after the Cl0p ransomware gang targeted a zero-day vulnerability in Fortra’s GoAnywhere managed file transfer (MFT). The data breach allowed for unauthorized access to employees’ data in some countries:

Upon learning of this event, we took immediate action and initiated our own investigation, disconnected the third-party system, and engaged forensic IT experts to help us analyze the nature and scope of the attack. Employees who may be affected have been informed and we are providing support. We have also notified applicable data privacy, security and law enforcement authorities and we continue to cooperate with the relevant stakeholders.

According to our latest information, our network operations or security of customer data have not been compromised. We will continue to update relevant parties as the investigation progresses.

Sylvain Cortes, VP of Strategy, Hackuity had this to say:

“There are 198,000 known CVEs, and this ransomware gang just needed one to compromise Hitachi’s employee data. The scariest part? They didn’t even have to breach Hitachi’s internal systems. While the victim has since disconnected the compromised third party, this is yet another wake-up call: organizations’ attack surfaces extend far beyond the ‘surface’. Vulnerability Management has never needed reinventing more than in 2023.”

I have a feeling that there’s more to come from this breach disclosure. I’d not only recommend watching this space, but companies need to learn from this event so that they don’t become the next victim.

Ferrari Has Been Pwned By Hackers…. And The Car Company Won’t Be Paying Them

Posted in Commentary with tags on March 21, 2023 by itnerd

From the “I didn’t think I would be typing this” department comes this disclosure by supercar maker Ferrari that they have had a “cyber incident”, which is code for the fact that they got pwned. And the statement is very interesting:

Ferrari N.V. (NYSE/EXM: RACE) (“Ferrari”) announces that Ferrari S.p.A., its wholly-owned Italian subsidiary, was recently contacted by a threat actor with a ransom demand related to certain client contact details. Upon receipt of the ransom demand, we immediately started an investigation in collaboration with a leading global third-party cybersecurity firm. In addition, we informed the relevant authorities and are confident they will investigate to the full extent of the law.

As a policy, Ferrari will not be held to ransom as paying such demands funds criminal activity and enables threat actors to perpetuate their attacks.

Instead, we believed the best course of action was to inform our clients and thus we have notified our customers of the potential data exposure and the nature of the incident.

Ferrari takes the confidentiality of our clients very seriously and understands the significance of this incident. We have worked with third party experts to further reinforce our systems and are confident in their resilience. We can also confirm the breach has had no impact on the operational functions of our company.

So let’s pick this apart. First, someone stole some client details. Which I am guessing is valuable to the threat actors as their clientele isn’t exactly poor, and some may not want their names out there. Though you gotta wonder: if you’ve paid for a Ferrari, you’re going to drive it. Thus your name is going to get out there regardless. But I digress. Next is that they will not pay the ransom. And that, as far as I am concerned, is good, as paying ransoms only encourages threat actors. I did a quick check of the dark web last night and I did not see any evidence of the data the threat actors stole being shopped around. But that could change in the next day or two. It is also unknown who the threat actor is. And it is unknown if this is related to the situation that had Ferrari being pwned by RansomExx last year. So this is in short a fluid situation that will likely get updated in the days ahead as more details come to light.

UPDATE: Jason Middaugh, CISO, Inversion6 had this comment:

This is Ferrari’s second cyber incident recently, and it’s never a good day when you suffer a data breach, but Ferrari couldn’t have handled the situation any better. Getting out in front of a breach and letting your customers know about the situation was textbook perfect. Also, not paying the ransom was another great call by their cybersecurity and executive management team. Paying a ransom for data that’s already been exfiltrated is a bad idea, especially since there’s no guarantee that after the ransom is paid the attackers won’t just release the data anyway. Post-incident, I expect Ferrari to put the pedal to the floor on their cyber program to reduce the risk of another data breach.