The IT Nerd

ESET researchers have identified an active campaign targeting Android users, conducted by the Bahamut APT group. This campaign has been ongoing since the start of this year. Malicious spyware apps are distributed through a fake SecureVPN website that provides only trojanized Android apps to download. This website has no association whatsoever with the legitimate, multiplatform SecureVPN software and service. Malicious apps used in this campaign are able to exfiltrate contacts, SMS messages, recorded phone calls, and even chat messages from apps such as WhatsApp, Facebook Messenger, Signal, Viber, and Telegram. ESET researchers discovered at least eight versions of the Bahamut spyware, which could mean the campaign is well-maintained. The malicious apps were never available for download from Google Play. 

All exfiltrated data is stored in a local database and then sent to the Command and Control (C&C) server. The Bahamut spyware functionality includes the ability to update the app by receiving a link to a new version from the C&C server.

If the Bahamut spyware is enabled, then it can be remotely controlled by Bahamut operators and can exfiltrate various sensitive device data, such as contacts, SMS messages, call logs, a list of installed apps, device location, device accounts, device info (type of internet connection, IMEI, IP, SIM serial number), recorded phone calls, and a list of files on external storage. By misusing accessibility services, the malware can steal notes from the SafeNotes application and actively spy on chat messages and information about calls from popular messaging apps, such as imo-International Calls & Chat, Facebook Messenger, Viber, Signal Private Messenger, WhatsApp, Telegram, WeChat, and Conion apps.

The Bahamut APT group typically uses spearphishing messages and fake applications as the initial attack vector, against entities and individuals in the Middle East and South Asia. Bahamut specializes in cyberespionage, and ESET Research believes that its goal is to steal sensitive information from its victims. Bahamut is also referred to as a mercenary group offering hack-for-hire services to a wide range of clients. The name was given to this threat actor, which appears to be a master in phishing, by the Bellingcat investigative journalism group. Bellingcat named the group after the enormous fish floating in the vast Arabian Sea mentioned in the Book of Imaginary Beings written by Jorge Luis Borges. Bahamut is frequently described in Arabic mythology as an unimaginably enormous fish.

For more technical information about the latest Bahamut APT group campaign, check out the blog post “Bahamut cybermercenary group targets Android users with fake VPN apps” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

Amidst the work-from-home mandates throughout the past two years of the COVID-19 pandemic, ESET moved its Canadian headquarters from downtown Toronto to Commerce Valley Drive West in Thornhill. As staff begin returning to in-office work, ESET Canada will mark the official opening of its new location on April 11^th with a private event for team members from across the country.

The new location is part of the second-largest tech hub in Canada, offers more square footage to accommodate a growing ESET Canada team and is accessible with both public transit and major arterial roads. 

Regardless of its physical location, ESET remains committed to providing the expertise and products that help people and organizations stay safe in the cyberworld.

The move also coincides with a brand refresh for ESET, which represents the role it has played in the progress that digital technology has enabled – in short, a force for progress. 

For more than 30 years, ESET has been providing digital protection as technology has advanced and progressed to change people’s lives, day-to-day activities and the way we do business. Progress in technology means the potential for a better world and society, but it is not without risk. As technology progresses, so too do those with malicious intentions; with every innovation comes someone who wants to exploit it for nefarious means.

For more than 30 years, ESET — a global digital security company — has been watching technology progress, change people’s lives and transform the way people do business every day. 

And for more than 30 years, ESET has been protecting it.

ESET announced today the launch of its new visual identity and tagline to represent the role it has played in the progress that digital technology has enabled – in short, a force for progress. That is why ESET is refreshing its brand and tagline to Progress. Protected. 

With progress in technology come new threats, and every bit of innovation creates new opportunities for those with malicious intent.ESET protects against those malicious intentions so that progressions in technology can help companies become smarter, more profitable and more efficient.

As part of its brand refresh, ESET has chosen a handful of thought leaders whose expertise is unique and directly linked to progress and technology, and highly regarded in their fields of expertise. 

These thought leaders provide their own take and insights on what progress in technology means and will contribute to ESET’s narrative about progress and its impact on business, society, culture and the environment. These thought leaders include:

• Chris Hadfield, astronaut, engineer, pilot, and author of four international bestsellers– for his work in promoting technological progress and innovation via collaboration, and his unique perspective on our world. Read more here.
• Dr. Mimi Ito, cultural anthropologist, Professor in Residence at the Humanities Research Institute at the University of California – for her research into and promotion of youth enablement in technology for a safe and progressive future.
• Dr. Ayana Elizabeth Johnson, marine biologist, co-founder of the non-profit think tank Urban Ocean Lab, co-founder of the climate initiative The All We Can Save Project and co-creator of the podcast How to Save a Planet – for her work in ocean conservation and raising awareness of climate solutions to secure the future of our planet. 
• Steven Johnson, author of thirteen books focusing on the intersection of science, technology and personal experience, and host of the PBS/BBC series How We Got To Now and Extra Life – for his research into the history of transformative ideas and the role diversity plays in creating the most innovative solutions for the present and future. 

Visit https://www.eset.com/ca/progress-protected/ to learn more.

ESET, a global leader in Internet security, is now offering its business-focused protection bundles on the Ingram Micro Cloud Marketplace.  

The ESET PROTECT Cloud series helps businesses of all sizes protect their sensitive information and data, with a cloud-based console for managing ESET security solutions deployed in a network with real-time visibility into both on-premises and off-premises endpoints.  

The console allows IT administrators to deploy ESET security solutions, execute tasks, enforce security policies, monitor system status and quickly respond to problems or detections on managed endpoints across all platforms, including desktops, servers, virtual machines and even mobile devices. In addition to integration for security information and event management (SIEM) tools, comprehensive reporting, and a fully customizable notification system, ESET PROTECT Cloud allows IT administrators to take immediate action against incidents. 

To ensure businesses of all sizes are equipped with the right solutions, ESET PROTECT offers a selection of subscriptions tailored to the specific business needs of home offices, small- and medium-sized businesses (SMBs), managed services providers (MSPs) and enterprises. These cloud-based security bundles include: 

• ESET PROTECT Entry — An endpoint protection platform for file servers, desktops, laptops and mobile devices.  
• ESET PROTECT Advanced — A bundle that includes endpoint protection, a cloud sandbox and full disk encryption.  
• ESET PROTECT Complete — It includes all that is in the Advanced bundle, plus cloud applications protection.  
• ESET PROTECT Mail Plus — Protection for email and a cloud sandbox.  
• ESET Dynamic Threat Defense — An add-on cloud sandbox available to all ESET Endpoint customers to protect against ransomware, targeted attacks, advanced persistent threats, zero-day attacks and other sophisticated malware schemes.  
• ESET Cloud Office Security — Advanced protection for Microsoft 365 applications, including spam filtering, anti-malware scanning and anti-phishing.  
• ESET Enterprise Inspector — An add-on Endpoint Detection and Response (EDR) available for all ESET Endpoint customers that detects advanced persistent threats, stops fileless attacks, blocks zero-day threats, protects against ransomware and prevents company policy violations.  
• ESET Secure Authentication — A multi-factor authentication (MFA) tool.  
• ESET Full Disk Encryption — Encryption system for disks, partitions and entire drives.  
• ESET Mail Security for Linux Server — Blocks all spam and malware at the server level before they reach users’ mailboxes. 
• ESET Security for Microsoft Sharepoint Server — Available per user or per server, it offers protection for all Microsoft Sharepoint products.

All business subscriptions include either an on-premises endpoint management solution (ESET PROTECT; formerly ESET Security Management Center) or a cloud-based one (ESET PROTECT Cloud), along with ESET Endpoint Security by default. For customers looking only for email security, ESET also offers an ESET PROTECT Mail Plus subscription.  

The ESET PROTECT Advanced subscription was designed with the needs of SMBs and also MSPs in mind, while the ESET PROTECT Enterprise subscription is geared toward large organizations, where deep visibility and rigorous security requirements are essential. The subscription offers the highest value for mature enterprise customers with one of the most powerful endpoint detection and response solutions on the market – ESET Enterprise Inspector, currently manageable only from ESET PROTECT.  

By providing rule-based detection of suspicious events happening on endpoints, as well as threat hunting and remediation capabilities, this subscription ensures that emerging threats, risky employee behavior and unwanted applications are not putting organizations at risk. 

The shift to the hybrid work model has blurred the lines between home and office devices. Although the flexibility comes with many benefits, it has also opened opportunities for cybercriminals to take advantage of unsuspecting and hard-working employees. 

ESET’s 2021 Threat Report found a rise in threats targeting employees who work remotely, and as we continue to see employees blend remote work with office hours, these threats won’t go away anytime soon. In fact, with more time spent traveling and in public places, hybrid work could leave us even more vulnerable to potential risks as devices are being used outside of their intended environments.

This is one of the reasons why ESET has launched a new version of its consumer offering, including ESET Smart Security® Premium, which boasts a host of new features and improved protection for home users. The foremost among these is LiveGuard, which provides an additional proactive layer of protection against new and unknown threats cropping up in the ever-changing landscape.

Not only does LiveGuard, and its cloud sandbox, lower the risk of becoming the employee who brings malware to work, but ESET Smart Security Premium also has a number of other new features and practical benefits, including: 

• Mobile Security – Employees use smartphones not only for personal use but also for work-related tasks. Our mobile phones are our wallets, calendars and digital filing cabinets. Housed on them can be anything from health records to travel documents to sensitive financial details. With this one  device playing such a crucial role in our lives, it is essential that modern cybersecurity solutions are mobile compatible, and that users are protected and able to manage their security on the go.
• Banking and Payment Protection – Banking and Payment Protection recognizes and mitigates these risks, safeguarding your financial data during online transactions. Newly upgraded, this feature now offers the option of running a browser in secured mode by default, encrypting communications between the keyboard and the browser when accessing Internet banking sites or web-based cryptocurrency wallets. Banking and Payment Protection also defends against keylogging attacks from cybercriminals attempting to steal login credentials to hack into accounts. 
• Password Manager – Having unique, complex passwords for every account is one of the central principles of good cybersecurity, but it can be a headache to manage what often feels like an endless list of logins. To make this less of a hassle, Password Manager has been completely redesigned for improved security and ease of use. Not only does this feature store and organize your passwords seamlessly, but it can also generate strong passwords for new accounts. Available as both a browser extension on Windows devices and an app on Android and iOS devices, Password Manager enables users to keep track of their account credentials however is most convenient for them.

For more information on ESET solutions and ESET Smart Security Premium, or to sign up for a 30-Day full-feature free trial, click here.

Technology moves at a fast pace, and when the next generation hits the market the masses get excited at what it has in store.

When Microsoft launched its laptops equipped with ARM processors, the chatter was dominated by the LTE connectivity — including 5G — and very long battery life. The safety and security of these ARM-based devices was, sadly, often an afterthought for consumers, and not wholly without reason. Not only were many antivirus solutions incompatable, the ability to run large applications remained a challenge, as speed was compromised and performance was downgraded.

But as with any connected device, there is always a need for protection from malware and cyberattacks.

Don’t be fooled into thinking new technology is immune to malware or cyberattacks. Malware authors are adept and can easily recompile their scripts for ARM-based devices, and many are no doubt ready to take a stab at the new ARM64.

There are also a slew of malicious websites, spam, phishing and scams that don’t care about the operating system or hardware platform used by potential victims.

To learn more about ESET’s ESET Endpoint Antivirus for Windows ARM devices, or to sign up for a free Beta license, click here.

The number of groups exploiting the latest Microsoft Exchange vulnerabilities continues to grow, with more than 5,000 email servers in 115 countries affected

ESET researchers in Canada have discovered a potential threat to 5,000 Microsoft Exchange business and government email servers around the world.

Although the exact number of those affected by the vulnerability is unknown, ESET researchers estimate the number could reach hundreds of thousands of compromised servers globally. According to public sources, several important organizations, including the European Banking Authority, have suffered from this attack.

The threat comes from 10 different groups that were exploiting vulnerabilities in Microsoft Exchange to allow the cyberattacker to take over any reachable Exchange server, without the need to know any valid account credentials, making Internet-connected Exchange servers especially vulnerable. Microsoft has been alerted about the compromise and has since released patches to address and correct the vulnerabilities for Exchange Server 2013, 2016 and 2019. 

“The early action of several threat actors using these vulnerabilities suggests these groups had access to the details of the vulnerabilities before the release,” says Matthieu Faou, Malware Researcher who is leading ESET’s research effort into the recent Exchange vulnerability chain. “Although it is unclear how the distribution of knowledge regarding the exploit happened, it is inevitable that more and more threat actors, including ransomware operators, will have access to it sooner or later.”

ESET has identified more than 10 different threat actors that likely leveraged the recent Microsoft Exchange RCE vulnerabilities in order to install malware like webshells and backdoors on victims’ email servers. In some cases, several threat actors were targeting the same organization.

The identified threat groups and behavior clusters are:

• Tick – Compromised the web server of a company based in East Asia that provides IT services. As in the case of LuckyMouse and Calypso, the group likely had access to an exploit prior to the release of the patches.

• LuckyMouse – Compromised the email server of a governmental entity in the Middle East. This group likely had an exploit at least one day before the patches were released, when it was still a zero day.

• Calypso – Compromised the email servers of governmental entities in the Middle East and in South America. The group likely had access to the exploit as a zero day. In the following days, Calypso operators targeted additional servers of governmental entities and private companies in Africa, Asia and Europe.

• Websiic – Targeted seven email servers belonging to private companies (in the domains of IT, telecommunications and engineering) in Asia and a governmental body in Eastern Europe. ESET named this new cluster of activity as Websiic.

• Winnti Group – Compromised the email servers of an oil company and a construction equipment company in Asia. The group likely had access to an exploit prior to the release of the patches.

• Tonto Team – Compromised the email servers of a procurement company and of a consulting company specialized in software development and cybersecurity, both based in Eastern Europe.

• ShadowPad activity – Compromised the email servers of a software development company based in Asia and a real estate company based in the Middle East. ESET detected a variant of the ShadowPad backdoor dropped by an unknown group.

• The “Opera” Cobalt Strike – Targeted around 650 servers, mostly in the US, Germany, the UK and other European countries just a few hours after the patches were released.

• IIS backdoors – ESET observed IIS backdoors installed via webshells used in these compromises on four email servers located in Asia and South America. One of the backdoors is publicly known as Owlproxy. 

• Mikroceen – Compromised the exchange server of a utility company in Central Asia, which is the region this group typically targets.

• DLTMiner – ESET detected the deployment of PowerShell downloaders on multiple email servers that were previously targeted using the Exchange vulnerabilities. The network infrastructure used in this attack is linked to a previously reported coin-mining campaign.

With these risks identified, Faou suggests patching all Microsoft Exchange servers as soon as possible, including those not directly exposed to the Internet. In case of compromise, admins should remove the webshells, change credentials and investigate for any additional malicious activity.

“The incident is a very good reminder that complex applications such as Microsoft Exchange or SharePoint should not be open to the Internet,” advises Faou.

For more technical details about these attacks exploiting the recent Exchange vulnerabilities, read the blogpost “Exchange servers under siege from at least 10 APT groups” on ESET’s WeLiveSecurity blog.

In the age of the Internet of Things, safe sex means more than just taking measures to protect yourself from STDs.

It also means ensuring your connected sex toys are protected from cyberattack, and that you are wary of scammers who have no concerns about taking advantage of people using online sites to find a love connection. More and more items from our everyday lives are being connected and automated — from kitchen appliances to lights to home entertainment to doorbells to vacuums, and now adult toys for the bedroom. 

In a time when pandemics and stay-at-home orders are keeping people apart, more are engaging in remote sexual engagements that take advantage of the technology. But be aware — if you are using a sex toy that is considered an Internet of Things device or uses Bluetooth technology, it can be hacked.

“There are literally thousands of connected sex toys in the market right now, but not all of them are safe,” says Tony Anscombe, Chief Security Evangelist with ESET Canada. “It is important that consumers understand that some things you maybe don’t consider IoT or Smart Home can have vulnerability or privacy issues. We should be cautious about everything we connect to the Internet, especially devices that are very personal and may be sharing extremely sensitive personal information.” 

ESET Latin America researchers Denise Giusto Bilic and Cecilia Pastorino investigated security flaws in sex toys, and discovered disturbing findings, including vulnerabilities to a so-called “Man-in-the-Middle” attack where an uninvited third party hijacks a Bluetooth signal to take control of a device, and storage of personal information — name and location, contact details, photos, videos, sexual preferences and perhaps financial data — that could be subject to a security breach.

The possibility of a stranger taking control of a remote sex toy also creates a new form of sexual assault as they are making unwanted intrusions into one’s sexual activities.

However, just like a condom can help stop the spread of STDs, there are protective measures people can take to ensure their sexual experiences stay between them and their partner.

• Clandestine Account Information — Be sly when entering information to register and create an account. Use a fantasy name and create a new email address that cannot identify you. 
• Be Discreet — If you are going to share images or videos, avoid sharing content where your face or unique markings can make you easily identifiable. And do not post remote control tokens on the Internet.
• Keep it Updated — This goes for all of your Internet of Things devices, but ensure the firmware is updated. These updates often fix bugs and vulnerabilities to ensure the most current version is the safest. Many of th4se devices also connect though an app, which should be updated as well. 
• Stay Close to Home — It is advisable to use connected sex toys in a protected environment — like your home where your personal network can provide an extra layer of defence against intruders. Public places like a bar or nightclub or areas where a lot of people are passing through — like hotels — are a big risk for unwanted exposure.
• Test it Out — Before buying a connected sex toy, get on a search engine and see if it has been subject to security concerns in the past. It is also advised to download the app that operates the toy to get an idea of how it operates, what kind of information it collects and if it is secure. 
• Authenticate — When researching your purchase, see if there is an authentication step. This will greatly enhance the cybersafety of the toy.
• Provide your own Protection — Just like wearing a condom, provide your own protection when engaging with a connected sex toy by ensuring your smartphone is fully updated and has a security solution installed. Protect your home WiFi network with strong passwords, securely encrypted algorithms and regular updating of the router’s firmware.
• Read the Fine Print — We know the tendency for everybody is to skim through any terms of agreement to get to the “Agree” button, but when it comes to connected sex toys, take the time to read the privacy policy. This should tell you what personal data is being collected, shared and stored.

“If you share something on one of these sex toy apps, at some stage it might become public,” says Tony. “So make sure it can’t be traced back to you in any way. The only safety you should be worried about is a safe word.”

ESET Research discovered another supply-chain attack in Asia, this time on the website of the Vietnam Government Certification Authority (VGCA). The attackers modified two of the software installers available for download on this website by adding a backdoor in order to compromise users of the legitimate application. Supply-chain attacks appear to be a quite common compromise vector for cyberespionage groups. Cybercrime operation SignSight leverages malware known as PhantomNet or Smanager.

“In Vietnam, digital signatures are very common, as digitally signed documents have the same level of enforceability as wet signatures. In addition to issuing certificates, the VGCA develops and distributes a digital signature toolkit. It is used by the Vietnamese government, and probably by private companies, to sign digital documents. The compromise of a certification authority website is a good opportunity for APT groups, since visitors are likely to have a high level of trust in a state organization responsible for digital signatures,” explains Matthieu Faou, one of ESET’s researchers investigating the SignSight operation.

The PhantomNet backdoor is quite simple and is able to collect victim information (computer name, hostname, username, OS version, user privileges [admin or not], and the public IP address) as well as install, remove and update malicious plugins. These additional and more complex plugins are probably only deployed on a few selected machines. By also installing the legitimate program, the attackers make sure that this compromise won’t be easily noticed by end users.

ESET researchers uncovered this new supply-chain attack in early December 2020 and notified the compromised organization and the VNCERT. We believe that the website ceased delivering compromised software installers at the end of August 2020. The Vietnam Government Certification Authority confirmed that they were aware of the attack before our notification and that they notified the users who downloaded the trojanized software.

ESET has seen victims in the Philippines in addition to Vietnam.

For more technical details about operation SignSight, read the blog post “Operation SignSight: Supply- chain attack against a certification authority in Southeast Asia” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.