Kaspersky researchers discovered the new variant after responding to a critical incident targeting an organization in West Africa.

Source: Zoonar Gmbh via Alamy Stock Photo

The LockBit ransomware-as-a-service (RaaS) group has struck another victim, this time using stolen credentials to launch a sophisticated attack against an unidentified organization in West Africa. The attackers used a new variant of the LockBit 3.0 builder, which was leaked in 2022.

Kaspersky researchers discovered the latest variant at the end of March 2024 after responding to the incident in West Africa, describing it at the time as Trojan-Ransom.Win32.Lockbit.gen, Trojan.Multi.Crypmod.gen, and Trojan-Ransom.Win32.Generic. Particularly concerning about this variant is that it can generate custom, self-propagating ransomware that is difficult to defend against.

During the attack, threat actors impersonating an administrator infected multiple hosts with malware, aiming to spread it deeply into the victim's network. According to Kaspersky, the customized ransomware performed various malicious actions, including disabling Windows Defender, encrypting network shares, and deleting Windows Event Logs to avoid discovery of its actions. 

The researchers discovered that the variant can also direct attacks on select systems and infect specific .docx or .xlsx files. "The nature of this finding is rather critical since the use of leaked privileged credentials allows the attackers to have full control of the victim's infrastructure, as well as covering their tracks," says Cristian Souza, an incident response specialist at Kaspersky. 

The organization in West Africa hit by the new LockBit variant is the only victim Kaspersky's Global Emergency Response Team (GERT) has encountered in that area to date, according to Souza. "However, we detected other incidents that used the leaked builder in other regions," he says. 

**The Appeal of LockBit 3.0 to Attackers**

Since it was leaked in 2022, attackers have continued actively using LockBit 3.0 builder to create customized versions and variants. "This opens up numerous possibilities for malicious actors to make their attacks more effective since it is possible to configure network spread options and defense-killing functionality," according to a research brief on the attack and a detailed description of the variant posted by Kaspersky. "It becomes even more dangerous if the attacker has valid privileged credentials in the target infrastructure."

According to a recent Trend Micro report, the LockBit group was responsible for at least 25% of all ransomware attacks in 2023 and has hit thousands of victims since 2020. The LockBit 3.0 builder is a popular tool among threat actors because it doesn't require advanced programming skills.

In February 2024, the Cronos Group, an international law-enforcement group, claimed that it had taken down the group's infrastructure, but less than a week later, LockBit responded that it had recovered and was back in business.

**Protecting Against LockBit Attacks**

As the debate continues over whether LockBit will remain the pervasive force in waging ransomware attacks, Kaspersky advises that organizations take the same steps they would undertake to prevent an attack from any group. Those steps include using properly configured antimalware and endpoint detection software, implementing a managed detection and response solution, conducting vulnerability assessments and penetration tests, and performing and testing backups of critical data.

Further, Sousa recommends network administrators employ network segmentation, enforce multifactor authentication (MFA), whitelist permitted applications, "and have a well-defined incident response plan."

**About the Author(s)**

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

LockBit 3.0 Variant Generates Custom, Self-Propagating Malware

The scam is spreading across the US and impersonates the specific toll-collection services of each state in malicious SMS messages.

Source: Mira via Alamy Stock Photo

The FBI is warning people about widespread SMS phishing (smishing) campaign spreading "state to state" that's luring people with messages informing them that they have unpaid tolls to resolve. The scam is aimed at stealing their credentials and defrauding them.

There also is evidence that that the campaign — which has been reported by people in three states so far, according to a public service announcement by the FBI Internet Crime Complaint Center (IC3)—affected other parts of the world before it reached US shores.

The campaign, active in the US since at least early March and reported by more than 2,000 people, sends users a text message that appears to come from the road-toll collection service of their specific states, claiming they owe money for unpaid highway tolls.

"We've noticed an outstanding toll amount of $12.51 on your record," the text of one such message reads. "To avoid a late fee of $50.00, visit https://myturnpiketollservices.com to settle your balance."

**Old Social Engineering Trick Remains Effective**

While smishing scams are by no means new, they continue to be used by attackers because they still have the potential to fool users into giving up the valuable credentials that allow for cybercriminals to profit. The FBI's warning alone is a sign that the unpaid-toll campaign is likely to escalate, and is worrying enough to warrant vigilance from potential victims.

The texts "contain almost identical language" and use similar amounts for so-called outstanding tolls. What changes from state to state is that the malicious link provided within the text is created to impersonate the state's toll service name, "and phone numbers appear to change between states," according to the IC3.

The link takes users to what looks very much like the toll services' legitimate websites, asking them to enter information on the pretense of paying the toll. Instead the attackers collect the victim's payment credentials and other sensitive data that potentially could be shared with other cybercriminals and/or used in future social engineering attacks.

**Toll Scam Spreads Across US**

The FBI didn't specify which states are currently being affected by the wave of toll-related attacks, but a quick perusal of social-media platform X, formerly Twitter, found evidence that the scam has at least affected users in Pennsylvania.

The Pennsylvania Turnpike (@PA\_Turnpike), the toll road, and related services that spans the state, posted a warning on social platform X to let users know about the campaign, and encouraged them to report any scam messages to the IC3.

"Some customers have received phishing-attempt text messages claiming to be from the PA Turnpike’s toll services," according to the post. "If you receive such a text, providing you with a link to pay an outstanding toll, do not click on the link, and delete the text."

The scam may be related to a similar one that previously swept across Australia, as people in states in both the eastern and western parts of the country in 2022 and 2023, respectively, also reported on X that they received driving toll-related smishing messages.

Back in August 2022, X user Anthony Campisini posted about a toll scam associated with City Link, a toll freeway service in the southeastern Aussie city of Melbourne, that also tried to lure users in the region with a message about unpaid tolls. Less than a year later, another X user in the state of Western Australia (WA) observed in March 2023 that he had been receiving "a lot of scam" SMS messages informing him that he owes money on road tolls.

"How do I know they are scams?" the user, @EMacskasy, who goes by the X name of "Evan Stop the Killing," posted. "Over here in WA = we do not have tolls on our roads."

**Stay Vigilant**

EMacskasy's observation is a good example of how people being targeted by the scam can avoid being compromised by it — by taking a moment to rationalize if it's even possible that they owe money on tolls before having a knee-jerk reaction and immediately engaging with the message.

The IC3 is advising people to file a complaint with the IC3 on the agency's website if they receive one of the messages and include the following information: the phone number from where the text originated and the website listed within the text.

People also should check any toll-service account that they have by going separately and directly to the service's legitimate website, to ensure that their accounts are in order, and/or contact the legitimate service's customer service phone number to check the account and let them know of the scam. As previously mentioned, people also should delete the texts.

In case someone has already engaged with the link or given information, they should make an effort to secure their personal information and financial accounts, and dispute any unfamiliar charges that may show evidence of cybercriminal activity.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

FBI: Smishing Campaign Lures Victims With Unpaid-Toll Notices

Cyberattacks tripled over the past year in Israel, making it the most targeted nation in 2023, as cyber operations become a standard part of military conflicts and global protests.

Source: Ruma Aktar via Alamy Stock Photo

As tensions in the Middle East continue to escalate, cyberattacks and operations have become a standard part of the fabric of the geopolitical conflict.

Last week, the head of Israel's National Cyber Directorate blamed Iran and Hezbollah for "around the clock" cyberattacks against the country's networks, government agencies, and businesses, tripling in intensity as Israel's military operations continued against Hamas in Gaza. Following Quds Day — Iran's commemoration of its pro-Palestinian Jerusalem Day on April 5 — dozens of denial-of-service attacks disrupted Israeli targets, according to data from cybersecurity firm Radware.

While the volume of cyberattacks are running at a lower level so far this year, renewed tensions between Israel, Iran, and Lebanon could easily lead to more cyber activity, says Pascal Geenens, director of threat research for Tel Aviv-based Radware, a maker of cloud security solutions.

"There are two planes that we need to consider here," Geenens says. "One is more nation-state aligned, meaning purposely doing attacks against another nation, while the other is all the hacktivist activity — they just want to share their message \[and\] show that they're not happy with the situation."

Overall, Israel should be ready for more destructive cyberattacks, as Iran and other regional cyber groups have shown little restraint in such attacks, Google conclude in its "Tool of First Resort: Israel-Hamas War in Cyber" report, published in February. As Iran and Hezbollah appear ready to use destructive cyberattacks against both Israel and the United States, Israeli-linked groups likely will continue to target Iran, and hacktivists will likely target any organization they deem associated with their perceived enemies, the report stated.

"We assess with high confidence that Iran-linked groups are likely to continue to conduct destructive cyber attacks, particularly in the event of any perceived escalation to the conflict, which may include kinetic activity against Iranian proxy groups in various countries, such as Lebanon and Yemen," the company stated in the report.

**Not Your Father's Cyber Conflict**

When Russia invaded Ukraine, the Russian military used cyberattacks to target Ukraine prior to the invasion and during the invasion, and widely attacked the US and Ukraine's allies in Europe in the two years since the start of the war.

A significant spike in cyberattacks came prior to and after Oct. 7, while much more modest levels of activity targeted Israel this year. Source: Radware

For the Middle East, the cyber conflict has a different character. On one hand, the participants in the conflict have different strengths and limitations, which are affecting their options and making the cyber conflict more asymmetrical. Where the Russian government has a unity of purpose, Iran and Hamas are more opportunistic adversaries. Where Russia and Ukraine have similar cyber capabilities, Israel's military operations have limited Hamas' ability to respond, and the country has the most sophisticated cyber-offensive capabilities in the region, says Ben Read, head of cyber espionage analysis for Google Cloud's Mandiant incident-response group.

"Iran is very opposed to Israel, but aren't a direct party to the conflict, so their goals aren't necessarily about supporting the seizure of territory in the same sort of way as Russia," he says. "Because conventional weapons are not \[currently\] an outcome acceptable to Iran, they are using cyber to do some destructive \[operations\]. ... Cyber can be an easier tool to reach for there."

Iran is not the only anti-Israeli actor in the region. Google has observed cyber operations by groups linked to Hezbollah, a Lebanese Islamist political party and militant group aligned with Iran.

Iran has also been the target of disruptive cyber operations in the context of the conflict, says Kirsten Dennesen, reporting analyst with Google's Threat Analysis Group (TAG). Several disruptive attacks on the nation's infrastructure have been attributed to Predatory Sparrow, which reappeared in October and attacked Iranian gas stations in December, and which some analysts have linked to Israel.

"Telegraphing intent and demonstrating involvement in the conflict without escalating or directly taking part in on-the-ground confrontation ... limits potential blowback while also giving regional players the opportunity to project power through the cyber domain," she says. "Moreover, cyber capabilities can be quickly deployed at minimal cost by actors who may wish to avoid armed conflict."

**Resurgence in Hacktivism**

Nation-states are not the only actors involved in the conflict. In the past year, hacktivism has taken off as technologically savvy protesters react to the Russia-Ukraine war and the conflict between Israel and Hamas. Much of the increase in attack activity in Israel is due to hacktivism, as is demonstrated by sharp upticks in denial-of-service attacks, says Radware's Geenens.

"It's not like it did not exist before, but before they were much less organized, and now they have like this ability to gather on Telegram," he says. "They all started to communicate with each other through hashtags. They find each other much more easy, so they come together and create alliances to perform attacks."

In the past, the groups banded together under the Anonymous name, claiming the monicker for their own and attempting to get other groups to sign up. Today, they use operation-specific hashtags on Telegram to gain like-minded collaborators, a much more efficient method of operation, Geenens says.

Hacktivism likely will continue to fuel attacks against not only Israel, but other countries as well, he says. Attacks are more likely to ramp up quickly as nation-states develop standard techniques and hacktivists are able to collaborate more efficiently.

"Anything that happens in the future," Geenens says, "whether it be a military operation or an outcome of an election that they don't like or somebody says something that that they don't like — they will be there and there will be a wave of DDoS attacks."

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Cyber Operations Intensify in Middle East, With Israel the Main Target

PRESS RELEASE

WEST LAFAYETTE, Ind. — Hiccups and failures of consumer cyber-physical systems like smart gadgets and appliances are inconvenient and annoying. But in mission-critical applications for the Department of Defense, any system weakness or flaw could have serious consequences, such as disruption, damage or even loss of life.

To help mitigate the problem, a group of Purdue University researchers has launched a multidisciplinary project to model, simulate and analyze cyber-physical systems (CPS), with the goal of rendering such systems more robust and making analysis of the systems more scalable and effective. Code named FIREFLY, the multiphase $6.5 million project is sponsored by the Defense Advanced Research Projects Agency under its FIRE program (Faithful Integrated Reverse-engineering and Exploitation). 

A technically intriguing aspect of the research is that, for a CPS with multiple cyber and physical components, the individual components may not appear faulty or vulnerable. But when the components start to interact, weaknesses or vulnerabilities may occur in unexpected ways: “When it comes to the security of system components and of the overall system, one-plus-one may be less than two. And we are particularly interested in exposing and analyzing such system-of-systems weaknesses,” says Dongyan Xu, the Samuel Conte Professor of Computer Science and the principal investigator of the FIREFLY project. 

Read more about the research at the Purdue Office of Research website.

Defense Award Launches Purdue Project to Strengthen Cyber-Physical Systems

A third-party telephony service provider for Cisco Duo falls prey to social engineering, and the company advises customer vigilance against subsequent phishing attacks.

Source: olga Yastremska via Alamy Stock Photo

A third-party provider that handles telephony for Cisco's Duo multifactor authentication (MFA) service has been compromised by a social engineering cyberattack. Now Cisco Duo customers have been warned to be on alert for follow-on phishing schemes.

Customers were sent a notice explaining that the company handling SMS and VOIP multifactor authentication messaging traffic for Cisco Duo was breached on April 1. The threat actors reportedly used compromised employee credentials. Once inside the service provider's systems, the unauthorized user downloaded SMS logs for specific users within a certain timeframe, the company said.

Cisco Duo did not identify the compromised telephony provider in its advisory.

"More specifically, the threat actor downloaded message logs for SMS messages that were sent to certain users under your Duo account between March 1, 2024 and March 31, 2024," Cisco said in its customer advisory. "The message logs did not contain any message content but did contain the phone number, phone carrier, country, and state to which each message was sent, as well as other metadata (e.g., date and time of the message, type of message, etc.)."

Cisco advised impacted users to notify anyone whose information was exposed, and to remain vigilant against additional phishing attacks using the stolen data.

This breach follows two specific trends, according to Jeff Margolies, chief product and strategy officer at Saviynt — social engineering cyberattack success, and a focus on identity security providers.

“There have been a number of public attacks on identity security providers, such as Okta and Microsoft, over the past few years," Margolies says. "You can also go back as far as the RSA SecurID Token attack back in 2011 to see how far back these sorts of attacks go."

In addition to the critical need for identity security providers to do more to secure their systems, Margolies adds enterprise teams need to assess what a breach of these services could mean to their own cybersecurity posture.

"It is also important for companies to understand the reliance they have on third-party identity security companies, how an attack on those companies would impact them, and what mitigating controls are in place to detect and respond to events with their Identity security providers," he explains.

Cisco Duo's Multifactor Authentication Service Breached

Roku assures customers that no financial information was stolen and that any purchases made through user accounts have been reimbursed.

Source: Marvin Tolentino via Alamy Stock Photo

Roku is now making two-factor authentication (2FA) mandatory for its users after two separate incidents in which customer accounts were compromised.

Roughly 591,000 customers were affected earlier this year — the first instance, limited to 15,363 accounts, prompted Roku to keep a closer watch on customer account activity, which led to discovery of another incident affecting around 576,000 accounts. 

For around 400 customers, their accounts were reportedly used to purchase streaming subscriptions and Roku hardware using financial credentials stored in their accounts. These customers have been reimbursed for these charges, according to Roku, and the threat actors were not able to glean any sensitive financial information such as full credit card numbers. Social Security numbers, dates of birth, and other information also were not accessed, according to the data breach notice letter sent out. 

Roku stated in its blog post that it believes the attack occurred through the use of credential stuffing and said it has reset the passwords for affected accounts, in addition to mandating 2FA for all its users. 

According to Roku's blog post, "The next time you attempt to log in to your Roku account online, a verification link will be sent to the email address associated with your account, and you will need to click the link in the email before you can access the account."

**About the Author(s)**

Roku Mandates 2FA for Customers After Credential-Stuffing Compromise

A sophisticated threat actor is leveraging the bug to deploy a Python backdoor for stealing data and executing other malicious actions.

Source: Tada Images via Shutterstock

Palo Alto Networks (PAN) on April 14 released hotfixes to address a maximum severity zero-day bug in multiple versions of its PAN-OS software that a threat actor is using to deploy a novel Python backdoor on affected firewalls.

The flaw — tracked as CVE-2024-3400 — is present in PAN-OS 10.2, 11.0, and 11.1 firewalls when the GlobalProtect Gateway and device telemetry features are both enabled. PAN disclosed the flaw April 12 after researchers at Volexity found the bug when investigating suspicious activity on a customer's firewall.  

**Limited Attack**

PAN described the attacks targeting the flaw as limited in volume and attributed the attack activity to a single threat cluster that the company is tracking as "Operation Midnight Eclipse." However, the vendor did not rule out the potential for other attackers to exploit the flaw as well.   

When PAN disclosed the flaw last week, it recommended temporary measures that customers could take to mitigate the threat — including disabling device telemetry. On April 14, the company made available hotfix releases of PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, and all later PAN-OS versions. The security vendor urged customers to apply the updates and promised similar hotfixes for other maintenance releases of the software.

Reports of attackers targeting the flaw before a patch was available prompted the US Cybersecurity and Infrastructure Agency (CISA) last week to quickly add CVE-2024-3400 to its catalog of known exploited vulnerabilities. All civilian federal agencies have until April 19 to address the flaw. CISA has previously warned organizations on multiple occasions about high threat-actor interest in VPNs and other remote access technologies from vendors such as Pulse Secure, Cisco, and PAN because of the privileged access these devices provide to enterprise networks and data.

**Max Severity Command Injection Flaw**

In a blog post last week, Volexity described the flaw it discovered as a command injection vulnerability in PAN-OS GlobalProtect that gave unauthenticated remote attackers a way to execute arbitrary code on affected systems. The security vendor said it had observed an attacker — which it's tracking as UTA0218 — leveraging the flaw to create a reverse shell and download additional malware on compromised systems.

"The attacker focused on exporting configuration data from the devices, and then leveraging it as an entry point to move laterally within the victim organizations," Volexity said.

One of the additional tools that the threat actor deployed on compromised systems was a novel Python backdoor that Volexity has named Upstyle. The security vendor said it found the threat actor using the Upstyle backdoor to execute a variety of additional commands including those for lateral movement within a target network and to steal credentials and other sensitive data from it.

"The tradecraft and speed employed by the attacker suggests a highly capable threat actor with a clear playbook of what to access to further their objectives," Volexity warned. Volexity said it was not able to determine the exact scale of the exploit activity but surmised it was likely limited and targeted. The company said it had found evidence of UTA0218 attempting to exploit the vulnerability at multiple organizations on March 26 and March 27.

PAN said its analysis showed the threat actor using the backdoor to run a handful of commands on vulnerable firewalls. The commands included one for copying configuration files and exfiltrating them via HTTP requests and another that set up the firewall to receive even more commands, this time from a different URL. "Lastly, the threat actor cleaned up after themselves by removing all files associated with the backdoors and clearing their cronjobs," PAN said.

**Complete Control**

Karl Sigler, senior security research manager at Trustwave's SpiderLabs, says exploiting CVE-2024-3400 would give an attacker complete control over the PAN device. "This could allow the attacker a foothold to pivot further into the organization," he says. "It could also allow the attacker to disable protections provided by the device, including disabling access control lists and VPN connections."

Sigler says the vulnerability exploit in this case works by getting an affected device to log OS commands in an error log. These commands are then processed and executed with root-level permissions, he says. "Disabling device telemetry disables the log file, short-circuiting the attack," Sigler notes. "The main risk in doing so is that network admins often rely on this telemetry to troubleshoot problems with the device. Additionally, monitoring for abnormal network behavior may be evidence of an ongoing attack. Disabling telemetry may hinder those efforts."

Palo Alto itself has recommended that organizations that are unable to immediately update their software for any reason should disable device telemetry till they are able to update. According to the company, "Once upgraded, device telemetry should be re-enabled on the device."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Palo Alto Network Issues Hotfixes for Zero-Day Bug in Its Firewall OS

Handala threat group claims to have hacked radar systems in Israel as tensions rise between the two nations.

Source: BUSINESS, MONEY and IT via Alamy Stock Photo

Israeli citizens received threatening text messages purportedly from an Iranian-backed hacking team warning that it has hijacked the nation's radar systems, stating: "You have only a few hours to fix the systems."

The so-called Handala threat group alleged in a message on Telegram that it sent 500,000 text message warnings to Israeli citizens, which contains anti-Israeli government rhetoric, according to a report in The Jerusalem Times.

"People will pay for the crimes and foolishness of your leaders. There is no doubt that your leaders will regret these foolish ventures. Evacuate the cities; perhaps you will see less damage!" the message reads. "Do not hesitate and do not sleep; the chance to escape is less than ten seconds, and perhaps your city will be chosen."

Israeli officials had not verified the group's claims, which came amid Iran's drone and missile attacks on Israel over the weekend.

**About the Author(s)**

Iran-Backed Hackers Blast Out Threatening Texts to Israelis

A Russian-language cyberattack campaign impersonates legitimate game operations to spread various cross-platform infostealers.

Source: Stockphoto Graph via Shutterstock

A Russian threat actor is peppering game developers with fraudulent Web3 gaming projects that drop multiple variants of infostealers on both MacOS and Windows devices.

The ultimate goal of the campaign appears to be defrauding victims and stealing their cryptocurrency wallets, according to Recorded Future's Insikt Group, which discovered the malicious activity.

The extensive Russian-language campaign mimics legitimate projects by using slight alterations in project names and branding — even going so far as to have multiple fake social-media accounts impersonating the projects to make them seem authentic, according to a report published online.

In the attack, the main webpage of a project offers or links to installation files for the purported "game" software, ostensibly for use by developers. However, these files instead deliver either Atomic macOS Stealer for Intel- or ARM-based devices; Rhadamanthys; or RisePro, depending on the victim's operating system.

"The targeted nature of this campaign suggests that threat actors may perceive Web3 gamers as having a more acute vulnerability to social engineering, due to an assumed trade-off in cyber hygiene — meaning that Web3 gamers may have fewer protections in place against cybercrime — in the pursuit of profit," according to the report.

That profit comes in the form of cryptocurrency, as the actor is primarily targeting developers' crypto wallets with the intent of compromising those wallets. Web3 gaming refers to online games such as Axie Infinity and MixMob that are built on blockchain technology, which can result in financial gain for players who earn various cryptocurrencies.

"As wallet compromise continues to be the biggest threat in both Web3 and cryptocurrency security … we assess that wallet compromise is likely the end goal of this campaign," according to Insikt Group. Attackers also can use credentials harvested from the malicious activity "for an array of unauthorized account accesses," according to the report.

Indeed, the report outlines several social media reports of game developers falling victim to the scam and having their crypto wallets drained, including one who lost about 2.5 Ethereum, or about $8,000.

**Setting a Trap Through Impersonation**

The attack campaign comes in the form of what's called "trap phishing," whereby malicious actors duplicate and deploy Web3 project lookalikes.

Insikt researchers began investigating the malicious activity after Web3 smart contract auditor CertiK described a project in January called Astration that used fake job openings and non-fungible token NFT offerings to lure game developers into a trap-phishing campaign that spread infostealers.

The fraudulent project duplicated and recreated nearly all of the social media accounts associated with a legit project called Alteration, including reposting social-media content from legitimate accounts, establishing a direct copy of the project's Discord server, and delivering two types of malware.

Upon further research, Insikt found five additional fraudulent gaming projects, three of which were serving malicious files communicating with the same command-and-control (C2) server as those obtained from the Astration project, as well as two that were no longer active but were found to be similar to the active scams. Purported game names associated with the active projects were ArgonGame, DustFighter, and CosmicWay Reboot, while games associated with the inactive projects were Crypterium World and Myth Island.

Overall, the threat actors are delivering the campaign via "a resilient infrastructure, allowing them to quickly adapt by rebranding or shifting focus upon detection," according to Insikt.

**Maintain Vigilance to Mitigate Risk**

Insikt highlighted the necessity for both individuals and organizations to maintain continuous vigilance against threats and adopt mitigation strategies against campaigns that use phishing as an initial entry point. To that end, the group offered a number of mitigations in its report as well as included a list of indicators of compromise.

One is to provide comprehensive training to users — especially those involved in Web3 gaming or related industries — to recognize social engineering tactics associated with trap phishing. Game developers in particular should "scrutinize the legitimacy of Web3 projects advertised on social media," according to the report.

Organizations also should educate users on the well-known risks associated with downloading software from unverified sources and the importance of verifying the authenticity of project websites before installation.

Endpoint protection solutions updated with the latest threat intelligence — such as antivirus software that are capable of detecting and blocking known infostealer variants like Atomic, Stealc, Rhadamanthys, and RisePro — also can help organizations avoid compromise.

Organizations should also deploy multi-platform security measures to protect against malware infections across both macOS and Windows devices, including firewalls, intrusion detection systems, and endpoint detection and response (EDR) solutions, according to Insikt.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Web3 Game Developers Targeted in Crypto Theft Scheme

But just how the government differentiates its platform from similar private-sector options remains to be seen.

Source: Bits And Splits via Shutterstock

The US Cybersecurity and Infrastructure Security Agency (CISA) has given organizations a new resource for analyzing suspicious and potentially malicious files, URLs, and IP addresses by making its Malware Next-Gen Analysis platform available to everyone earlier this week.

The question now is how organizations and security researchers will use the platform and what kind of new threat intelligence it will enable beyond what is available via VirusTotal and other malware analysis services.

The Malware Next-Gen platform uses dynamic and static analysis tools to analyze submitted samples and determine if they are malicious. It gives organizations a way to obtain timely and actionable information on new malware samples, such as the functionality and actions a string of code can execute on a victim system, CISA said. Such intelligence can be crucial to enterprise security teams for threat hunting and incident response purposes, the agency noted.

"Our new automated system enables CISA's cybersecurity threat hunting analysts to better analyze, correlate, enrich data, and share cyber threat insights with partners," said Eric Goldstein, CISA's executive assistant director for cybersecurity, in a prepared statement. "It facilitates and supports rapid and effective response to evolving cyber threats, ultimately safeguarding critical systems and infrastructure."

Since CISA rolled out the platform last October, some 400 registered users from various US federal, state, local, tribal, and territorial government agencies have submitted samples for analysis to Malware Next-Gen. Of the more than 1,600 files that users have submitted so far, CISA identified about 200 as suspicious files or URLs.

With CISA's move this week to make the platform available to everyone, any organization, security researcher, or individual can submit malicious files and other artifacts for analysis and reporting. CISA will provide analysis only to registered users on the platform.

Jason Soroko, senior vice president of product at certificate lifecycle management vendor Sectigo, says the promise of CISA's Malware Next-Generation Analysis platform lies in the insight it can potentially provide. "Other systems concentrate on answering the question 'has this been seen before and is it malicious'," he notes. "CISA's approach might end up being prioritized differently to become 'is this sample malicious, what does it do, and has this been seen before'."

Several platforms — VirusTotal is the most widely known — are currently available that use multiple antivirus scanners and static and dynamic analysis tools to analyze files and URLs for malware and other malicious content. Such platforms serve as a sort of centralized resource for known malware samples and associated behavior that security researchers and teams can use to identify and assess risk associated with new malware.

How different CISA's Malware Next-Gen will be from these offerings remains unknown.

"At this time, the US government has not detailed what makes this different from other open source sandbox analysis options that are available," Soroko says. The access that registered users will get to analysis of malware targeted at US government agencies could be valuable, he says. "Getting access to CISA's in-depth analysis would be the reason to participate. It remains to be seen for those of us outside of the US government if this is better or the same as other open source sandbox analysis environments."

**Making a Difference**

Callie Guenther, senior manager, cyber threat research at Critical Start, says it's possible that some organizations might initially be a bit cautious about contributing samples and other artifacts to a government-run platform because of data confidentiality and compliance issues. But the potential upside from a threat intelligence standpoint could encourage participation, Guenther notes. "The decision to share with CISA will likely consider the balance between enhancing collective security and safeguarding sensitive information."

CISA can differentiate its platform and deliver more value by investing in capabilities that enable it to detect sandbox-evading malware samples, says Saumitra Das, vice president of engineering at Qualys. "CISA should try to invest in both AI-based classification of malware samples as well as tamper-resistant dynamic analysis techniques … that could better uncover \[indicators of compromise\]," he says.

A larger focus on malware targeting Linux systems would also be a big improvement, Das says. "A lot of the current focus is on Windows samples from EDR use cases but with \[Kubernetes\] and cloud-native migration happening, Linux malware is on the rise and are quite different in their structure," from Windows malware, he says.

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Source

DARKReading