Hundreds of millions of users of Grammarly, Vidio, and the Indonesian e-commerce giant Bukalapak are at risk for financial fraud and credential theft due to OAuth misfires — and other online services likely have the same problems.

Flaws in the implementation of the Open Authorization (OAuth) standard across three prominent online services could have allowed attackers to take over hundreds of millions of user accounts on dozens of websites, exposing people to credential theft, financial fraud, and other cybercriminal activity. 

Researchers from Salt Labs discovered critical API misconfigurations on the sites of several online companies — artificial intelligence (AI)-powered writing tool Grammarly, online streaming platform Vidio, and Indonesian e-commerce site Bukalapak — that lead them to believe that dozens of other sites are likely compromised in the same way, they revealed in a report published Oct. 24.

OAuth is a widely implemented standard for allowing for cross-platform authentication, familiar to most as the option to log in to an online site with another social media account, such as "Log in with Facebook" or "Log in with Google." 

The recently-discovered implementation flaws are among a series of issues in OAuth that the researchers have discovered in recent months, stretching across prominent online platforms that put users at risk. Salt researchers already had discovered similar OAuth flaws in the Booking.com website and Expo — an open source framework for developing native mobile apps for iOS, Android, and other Web platforms using a single codebase — that could have allowed account takeover and full visibility into user personal or payment-card data. The Booking.com flaw also could have allowed log-in access to the website's sister platform, Kayak.com.

The researchers refer broadly to the latest issue found in Vidio, Grammarly, and Bukalapak as a "Pass-The-Token" flaw, in which an attacker may use a token — the unique, secret site identifier used to verify the handoff — from a third party site typically owned by the attacker himself to login to another service.

"For example, if a user logged in to a site called mytimeplanner.com, which is owned by the attacker, the attacker could then use the users token and log in on his behalf to other sites, like Grammarly for instance," Yaniv Balmas, vice president of research at Salt, explains to Dark Reading.

The researchers found the latest issues in Vidio, Bukalapak, and Grammarly between February and April, respectively, and notified the three companies in turn, which all responded in a timely way. The misconfigurations all have since been resolved in these particular services, but that's not the end of the story. 

"Just these three sites are enough for us to prove our point, and we decided to not look for additional targets," according to the report, "but we expect that thousands of other websites are vulnerable to the attack we detail in this post, putting billions of additional Internet users at risk every day,"

**Various Ways to Misconfigure OAuth**

The issue manifests itself uniquely on each of the three sites. On Vidio, an online streaming platform with 100 million monthly active users, the researchers found that when logging into the site through Facebook, the site did not verify the token — which the website developers and not OAuth must do. Because of this, an attacker could manipulate the API calls to insert an access token generated for a different application, the researchers found.

"This alternate token/AppID combination allowed the Salt Labs research team to impersonate a user on the Vidio site, which would have allowed massive account takeover on thousands of accounts," the researchers wrote in the report.

Like Vidio, Bukalapak — which has more than 150 million monthly users — also didn't verify the access token when users registered using a social login. In a similar way, the researchers could insert a token from another website to access a user's credentials and completely take over that user's account.

The OAuth issue discovered on Grammarly — which helps more than 30 million daily users improve their writing by offering grammar, punctuation, spelling checks, and other writing tips — manifested itself slightly differently.

The researchers found that by doing reconnaissance on the API calls and learning the terminology the Grammarly site uses to send the code, they could manipulate the API exchange to insert code used to verify users on a different site and, again, obtain the credentials of a user's account and achieve full account takeover.

**Secure OAuth From the Start**

OAuth itself is well-designed, and the major OAuth providers such as Google and Facebook have secure servers protecting them on the back end. However, those developing the services and sites that leverage the standard to perform the authentication handoff often create issues that render the exchange inherently insecure even if the site appears to function properly, Balmas says.

"It is very easy for anyone to add social-login functionality to his website … and everything will actually work quite fine," he says. "However, without the proper knowledge and awareness, it is very easy to leave cracks that the attacker will be able to abuse and achieve very serious impact on all the website users."

For this reason, it's essential to the security of sites and services that leverage OAuth to be secure from an implementation standpoint, which may require that developers do some homework before building the standard into the site.

"Web services who wish to implement social login or any other OAuth-related functionalities should make sure they have a solid understanding of how OAuth works and common pitfalls that may have potential for being abused," he says.

Developers can also use third-party tools that monitor for anomalies and deviations from typical behavior and which may identify as-yet unknown attacks, providing a safety net for the site and thus all of its users, Balmas adds.

'Log in with...' Feature Allows Full Online Account Takeover for Millions

A seemingly sharp drop in the number of compromised Cisco IOS XE devices visible on the Internet led to a flurry of speculation over the weekend — but it turns out the malicious implants were just hiding.

In the latest in the saga of compromise involving a max-critical Cisco bug that has been exploited as a zero-day as users waited for patches, several security researchers reported observing a sharp decline in the number of infected Cisco IOS XE systems visible to them over the weekend. 

The drop sparked a range of theories as to why, but researchers from Fox-IT on Oct. 23 identified the real reason as having to do with the attacker simply altering the implant, so it is no longer visible via previous fingerprinting methods.

By way of background: The main bug being used in the exploit chain exists in the Web UI of IOS XE (CVE-2023-20198). It ranks 10 out of 10 on the CVSS vulnerability-severity scale, and gives unauthenticated, remote attackers a way to gain initial access to affected devices and create persistent local user accounts on them. 

The exploit method also involves a second zero-day (CVE-2023-20273), which Cisco only discovered while investigating the first one, which allows the attacker to elevate privileges to root and write an implant on the file system. Cisco released updated versions of IOS XE addressing the flaws on Oct. 22, days after disclosure, giving cyberattackers ample opportunity to go after legions of unpatched systems.

**Sudden Decline in Compromised Systems**

And go after them they did. Security researchers using Shodan, Censys, and other tools last week reported observing what appeared to be a single threat actor infecting tens of thousands of affected Cisco IOS XE devices with an implant for arbitrary code execution. The implants are not persistent, meaning they won't survive a device reboot.

A sudden and dramatic drop over the weekend in the number of compromised systems visible to researchers caused some to speculate if an unknown grey-hat hacker was quietly removing the attacker's implant from infected systems. Others wondered if the attacker had moved to another exploit phase, or was doing some sort of clean-up operation to conceal the implant. Another theory was that the attacker was using the implant to reboot systems to get rid of the implant.

But it turns out that nearly 38,000 remain compromised via the two recently disclosed zero-day bugs in the operating system, if one knows where to look.

**Altered Cisco Implant**

"We have observed that the implant placed on tens of thousands of Cisco devices has been altered to check for an Authorization HTTP header value before responding," the Fox-IT researchers said on X, the platform formerly known as Twitter. "This explains the much-discussed plummet of identified compromised systems in recent days." 

By using another fingerprinting method to look for compromised systems, Fox-IT said it identified 37,890 devices with the attackers implant still on them. 

"We strongly advise everyone that has (had) a Cisco IOS XE WebUI exposed to the Internet to perform a forensic triage," the company added, pointing to its advisory on GitHub for identifying compromised systems.

Researchers from VulnCheck who last week reported seeing thousands of infected systems, were among those who found the compromised devices suddenly disappearing from view over the weekend. CTO Jacob Baines, who initially was among those unsure about what might have happened, says Fox-IT's take on what happened is correct.

"Over the weekend the attackers changed the way the implant is accessed so the old scanning method was no longer usable," Baines says. "We've just recently altered our scanner to use the new method demonstrated by Fox-IT, and we are seeing essentially what we saw last week: thousands of implanted devices."

Cisco updated its guidance for detecting the implant on October 23. In a statement to Dark Reading, the company said it released the new indicators of compromise after uncovering a variant of the implant that hinders the identification of compromised systems. "We strongly urge customers to implement the guidance and install the security fix outlined in Cisco’s updated security advisory and Talos blog," the company said.

**Puzzling Cyberattacker Motivations**

Baines says the attacker's motivation for altering the implant is puzzling and completely unexpected. "I think normally, when an attacker is caught, they go quiet and revisit the affected systems when the dust has settled."

In this case, the attacker is attempting to maintain access to implants that dozens of security companies now know exist. 

"To me, it seems like a game they can't win," Baines says. "It seems this username/password update must be a short-term fix so that they can either hold on to the systems for a few more days — and accomplish whatever goal — or just a stopgap until they can insert a more stealthy implant."

Cyberattackers Alter Implant on 30K Compromised Cisco IOS XE Devices

Despite warnings that sending one-time passwords via text messages is a flawed security measure, companies continue to roll out the approach, especially in consumer-facing applications.

Following a spate of attacks targeting independent developers on its Steam game-distribution platform, game maker Valve last week said that it will require developers to provide their phone numbers so the company can use SMS for two-factor authentication (2FA) starting Oct. 24. 

"As part of a security update, any Steamworks account setting that builds live on the default/public branch of a released app will need to have a phone number associated with their account, so that Steam can text you a confirmation code before continuing," the company stated in its notification. "We also plan on adding this requirement for other Steamworks actions in the future."

But since SMS-based two-factor authentication can be circumvented by persistent attackers using a variety of methods, the move raises the question: Why are consumer-facing online services still making SMS the go-to second factor, both internally and for customers?

**SMS-Based 2FA: Not Really Secure**

Getting around SMS two-factor authentication has become a priority among attackers, and indeed, it has been defeated using everything from machine-in-the-middle attacks to social engineering — including, in the infamous Uber breach case, through 2FA fatigue attacks. 

In 2022, for example, a banking Trojan known as Xenomorph compromised more than 50,000 Android devices after the cybercriminal group behind the malware disguised it as a performance utility, according to Tony Anscombe, chief security evangelist for digital security firm ESET.

"In reality, it was stealing the user’s login credentials for banking, payment, social media, cryptocurrency and other apps that have valuable personal information," he says. "The malware abused more than 50 apps, including PayPal and Coinbase, and included the ability to intercept messages and notifications, giving the cybercriminal the ability to bypass two-factor authentication codes.

But even the low-tech approach of just walking into a cellular store (SIM-swapping) or finding a corrupt technician works well, says David Richardson, vice president of endpoint and threat intelligence at cloud security platform Lookout. All an attacker has to do is know the targeted individual's phone number to attack the channel.

"The whole system is basically built on an assumption of trust — I could walk into any store and easily cancel my contract and port my phone number ... to pretty much any carrier," he says. "Basically \[an attacker could\] take over any phone number and start to receive the phone calls and, most importantly in these cases, the SMS messages that are that are going to those to those numbers."

And cellphone numbers are some of the most commonly leaked information on the Internet. The recent compromises of MGM Resorts and Caesars Entertainment, for example, exposed millions of records of business professionals and individual consumers, including phone numbers, which could be used by attackers for further attacks. 

**2FA Is Better Than Nothing**

SMS-based 2FA persists in the face of the insecurity for the simple reason that it's a relatively painless security mechanism for end users: A company merely needs to know is the customer's phone number to text a one-time passcode for authentication. For consumer-facing companies, reducing friction is the name of the game.

At the same time, making attackers' jobs even just a little bit more difficult helps protect developers — and the players of their games.

"Any MFA is better than no MFA — like, vastly superior," Lookout's Richardson says. "You're 10 times harder to hack if you've got an SMS-based MFA, so ... you're way better off having some form of multifactor authentication versus no form of multifactor authentication."

An SMS code could have protected Benoît Freslon, the independent developer behind the game NanoWar: Cells VS Virus, for example. Freslon fell prey to a social engineering scam, apparently when cybercriminals posing as another developer sent him a direct message with malicious content, according to a statement posted on Steam's Community forums.

"I was hacked, all my social networks accounts including Discord and Steam were compromised ... \[t\]he hacker uploaded a malware with \[sic\] my account," a developer stated on Steam's forums. "Be careful when a friend ask you to test his game on private message on Discord. ... It was the most stressfull days \[sic\] of my indie developer life."

Valve removed the game from Steam on Aug. 25, a day after the group behind the hacks published the infected version from the developer's account. The game developer stressed that a safe version of the game has been available since Sept. 15, uploaded from a "totally clean machine."

**SMS: A Good First Step, but...**

Companies focused on consumers and worried that the additional friction posed by 2FA security could use app-based factors that are already widely adopted, such as Google's or Microsoft's authenticators, says ESET's Anscombe.

"Many consumer-focused companies already provide the option to use either Microsoft or Google authenticator apps, this reduces the barrier to adoption as consumers may already have these apps installed," he says. 

"An app is not subject to SIM cloning nor malware that uses the operating systems permissions system to read SMS messages," he says. "The app itself should be protected by a passkey or biometrics adding an additional layer of security."

Boosting security has become important for game companies, as users have more digital in-game assets stored in online accounts that cybercriminals aim to monetize, and while cheaters look to access other gamers' accounts to gain advantage. Steam expects to roll out more security measures in the future to better protect, not only the developers but its customers and reputation.

Valve's 2FA Mandate for Game Developers Shows SMS Stickiness

Brasileiro cybercrime has been on the rise. Now, one campaign targeting bank customers has reached beyond the Americas, into Europe.

The Brazilian banking malware known as "Grandoreiro" has crossed the pond, with a new campaign from TA2725 targeting customers in Spain, as well as Brazil and Mexico. 

Dark Web activity in Latin America has surged in the last two years, and it's largely concentrated in two countries. According to SOCRadar, 360 billion attempted cyberattacks peppered the region in 2022, with 187 billion and 103 billion affecting Mexico and Brazil, respectively.

Now there's increasing evidence that Latin American cybercrime is extending outwards.

Proofpoint has tracked TA2725 since March 2022. It's been known to hide bank account and credit card-sniffing malware inside of phishing emails, primarily directed to organizations either in its home country or Mexico. And according to a new blog post by Jared Peck, senior threat researcher at Proofpoint, the group has recently upgraded its signature malware to include institutions on both sides of the Atlantic.

**Brazilian Malware in Spain**

Grandoreiro attacks begin with a malicious URL in a phishing email. Lures may come in the form of a fake shared document, utility bill, tax form, etc. The URL leads to a ZIP file containing a loader which, when run, downloads a legitimate but vulnerable application. The application is exploited with some DLL sideloading, and then comes the final payload.

Grandoreiro can harvest data via a keylogger, screen grabber, or an old-fashioned overlay on top of an online banking login page. These overlays mimic popular Brazilian and Mexican banks plus, in two campaigns observed late in August, banks located in Spain. (TA2725's phishing lures were also diversified, to mimic Spain-based organizations.)

This isn't the first time Brazilian Trojans have spanned the Atlantic. Earlier this year, for example, threat actors pulled a reverse Pedro Cabal, subjugating Portuguese bank customers in a campaign called "Operation Magalenha." This latest activity only furthers an emerging trend — that Brazilian malware is no longer contained to one continent.

**Why Brazilian Cybercrime Is Having a Moment**

Where once they seemed solely the domain of the northern hemisphere, banking trojans have thrived in Brazil in recent years. According to Peck, there are a few reasons why.

"The general population in many parts of the world, like Brazil and other parts of South America and Latin America, may not have been afforded the same access to cybersecurity education and protection technology as other parts of the world, but continue to grow their online presence. This situation leads to a lack of user awareness around phishing and malware threats, which, in turn, leads to a higher number of victims who click and are affected," he explains, adding that "this general population is upwardly mobile, leading to a larger middle class, so there is more opportunity to victimize a larger pool of a population."

According to Proofpoint, the most common malware families — including Grandoreiro but also, Casabeniero, Javali, and Mekotio — possess a shared lineage: a Delphi-based ancestor from which source code components have been passed down and modified through generations.

Organizations in affected countries can look out for suspicious programs with these same elements. Or, as Peck emphasizes, they can focus on the human side of such compromises.

"Today's cyber threats rely on human interaction, not just technical exploits, so it is essential that organizations incorporate localized user security awareness training on identifying malicious phishing and threat actor tactics, techniques, and procedures while also empowering users to feel comfortable reporting their suspicions even after they may have fallen victim to an attack," he advises.

Hola Espana: 'Grandoreiro' Trojan Targets Global Banking Customers

The investigation is ongoing, and the city will contact those who may have potentially been affected by the breach, it said.

Five months after a cyber incident occurred, the city of Philadelphia is now releasing a notice regarding the investigation of a data breach, which involved personal health information.

Officials came across suspicious email activity, and after launching an investigation to determine the scope of the incident, found that a threat actor gained access to the city's email accounts between May 26 and July 28 of this year. The investigation is ongoing.

In a privacy incident notice, the city of Philadelphia wrote that "the types of information impacted vary by individual. However, the types of information impacted could include: demographic information, such as name, address, date of birth, social security number, and other contact information; medical information, such as diagnosis and other treatment related information; and limited financial information, such as claims information."

The city has reported the cyber breach to the US Department of Health and Human Services, and recommends that individuals remain vigilant by reviewing account statements, credits reports, and any unusual activity.

"Any suspicious activity should be reported promptly to your insurance company, health care provider, or applicable financial institution," the city stated in its notice. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

City of Philadelphia Releases Cyber-Breach Notice

The top 10 priorities of state CIOs underscore the importance of securing applications and APIs in complex environments.

The US National Association of State Chief Information Officers (NASCIO) released its set of State CIO Top Ten Policy and Technology Priorities for 2023 back in December 2022. I'd like to examine these priorities now as they relate to developing, delivering, and securing the applications and application programming interfaces (APIs) that help make state and local governments run — as well as how the complexity of hybrid and multicloud environments factors into the priorities.

**1\. Cybersecurity and Risk Management**

Over time, infrastructure has become significantly more complex and distributed. Most enterprises, including state and local governments, are managing hybrid and multicloud environments. By exposing more touch points, these more complex environments create an expanded threat landscape. State and local governments face intense pressure to continue improving their applications and APIs. However, this fast pace of innovation opens up the potential for vulnerabilities and security issues and necessitates protecting those applications and APIs. Thus, it is no surprise that cybersecurity and risk management are this year's top priority.

**2\. Digital Government/Digital Services**

Now more than ever, state and local governments are tasked with providing digital services to their citizens. Ensuring that services are provided to the appropriate and intended individuals is of the utmost importance. So is ensuring that digital services give citizens the best possible experience. This requires simplifying and optimizing how environments in which we deploy our applications and APIs are managed, as well as having those environments perform properly. Simplifying complexity improves security by removing the potential for human error, as does ensuring that APIs are served to the right citizens in a timely manner.

**3\. Workforce**

New environments require new skills. As state and local government infrastructures have evolved, so have the skills required to manage, operate, maintain, and secure them. This means training the workforce and equipping workers for today's challenges — including securing hybrid and multicloud environments and detecting, analyzing, and responding to security incidents wherever they occur, even in one or more cloud environments.

**4\. Legacy Modernization**

The migration of some applications and APIs to hybrid and multicloud environments has become an integral part of legacy modernization. As states and local governments go through these modernization efforts, their cloud strategies have been and will remain an important piece of the overall picture. Environments will need to be properly secured as they are modernized, regardless of where those environments reside.

**5\. Identity and Access Management**

Applications and APIs connect to (and potentially expose) back-end systems and data. In many cases, they are also the public face of the enterprise. As such, properly controlling access to applications and APIs is a significant challenge for any enterprise, including state and local governments. While identity and access management (IAM) is a broad topic, it has specific applicability to applications and APIs running in hybrid and multicloud environments.

**6\. Cloud Services**

As noted above in point 4, cloud strategy is an important piece of the overall picture within state and local governments. Citizens have grown to expect services to be delivered quickly and efficiently. They also expect significant innovation. This has necessitated that state and local governments move quickly and adapt. Such nimbleness is a key component of any cloud strategy, and an organization's cloud security efforts need to be equally nimble.

**7\. Consolidation/Optimization**

Simplifying and optimizing the management, operations, maintenance, and security of a variety of environments remains an important priority for two main reasons: In many enterprises, entire teams are dedicated to operating and maintaining infrastructure, development, security, and other technology stacks at each different environment. As the number of environments grows, this approach does not scale (it is an _n_\-squared problem, for those who enjoy algorithms).

In addition, as the saying goes: Complexity is the enemy of security. The complexity that hybrid and multicloud environments introduce makes it difficult to universally and consistently apply security policies. It also opens up the potential for human error and oversights that can lead to vulnerabilities. Simplifying this complexity by consolidating and centralizing the management of different environments becomes a necessity.

**8\. Data and Information Management**

Properly securing APIs, which expose back-end systems and data, is an essential piece of protecting data. API security includes a variety of important topics, including ensuring APIs conform to security policy and schema requirements.

While API security is a big focus area, so is API discovery. After all, if an API is not known, it can't be properly inventoried, managed, and secured. When thinking about data and information management, it is important to consider the security of APIs as an important part of that.

**9\. Broadband/Wireless Connectivity**

Part of providing services to citizens involves bringing state and local networks closer to the constituents. Efforts to improve broadband and wireless connectivity have many moving parts, and cloud and edge environments play a role in these efforts. Protecting those networks from unauthorized access is paramount to security.

**10\. Customer Relationship Management**

Citizens have come to expect that state and local governments will provide services within acceptable time frames. This requires serving applications and APIs quickly and efficiently. Service-level agreements (SLAs) will need to be met. A well-designed cloud security strategy is an essential part of achieving these goals and properly managing the relationship with citizens.

**In Short: Applications Are Key**

State and local government CIOs and their teams face no shortage of challenges. Generally, there are more issues needing attention than there are resources to do them. As such, simplifying the management, operations, maintenance, and security of complex environments becomes key.

In the era of hybrid and multicloud environments, state and local governments will generally see good returns on investments by more efficiently and effectively developing, delivering, and securing the applications and APIs that help make state and local governments run.

How State and Local Governments Can Serve Citizens More Securely

Cops track down ransomware developer and seize Ragnar Locker infrastructure and data-leak site, Europol says.

Law enforcement agencies have arrested the suspected developer of the Ragnar Locker ransomware group, tracking the person down in Paris.

The arrest is part of a coordinated policing effort from 11 separate countries. Agents swarmed on operators of the prolific group, seizing its cybercrime infrastructure.

Europol released some details of the takedown on Oct. 20 after Ragnar Locker's Tor data-leak site was replaced with a vague notice of a "coordinated international law enforcement action" just days earlier; now, more details are forthcoming.

The person arrested is identified by Europol as the "main perpetrator suspected of being a developer of the Ragnar group." Five additional suspects were interviewed in Spain and Latvia, the statement added.

Ragnar Locker ransomware group has been active since 2019, targeting infrastructure including the energy sector, hospitals, airports, and more.

The group often used double extortion tactics, mounting pressure on victims to pay ransoms, Europol pointed out in its announcement, which added "The threat level of Ragnar Locker was considered as high, given the group’s inclination to attack critical infrastructure."

The following countries cooperated in the operation: Czech Republic, France, Germany, Italy, Japan, Latvia, Netherlands, Spain, Sweden, Ukraine, and the United States, Europol said.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Ragnar Locker Ransomware Boss Arrested in Paris

A spoofed version of an Israeli rocket-attack alerting app is targeting Android devices, in a campaign that shows how cyber-espionage attacks are shifting to individual, everyday citizens.

Using a trending item as a malicious lure is relatively common; to do it in a period of military conflict and deliberately target users in the affected region is a different step.

Recently, a genuine app — RedAlert - Rocket Alerts — has been popular among users in the Israel and Gaza region, since it allows individuals to receive timely and precise alerts about incoming airstrikes. However, a malicious, spoofed version of the app was detected last week, which collected personal information including access to contacts, call logs, SMS, account information, and an overview of other installed apps.

This and the discovery of a similar incident indicates that unfortunately, the Israel-Hamas conflict's cybercrimes will extend beyond nation-state attacks on critical infrastructure — and into the palm of the user's hand.

**The Initial Malicious App**

According to the discovery by Cloudflare, the website hosting the malicious file was created on Oct. 12, and it has been taken offline since. Only those users who installed the Android version of the app are impacted, and they are urgently advised to delete the app.

A statement from Cloudflare said it became aware of a website hosting a Google Android Application that impersonated the legitimate RedAlert - Rocket Alerts application. "Given the current climate in Israel, this application is heavily relied upon by individuals living in the country to be notified when it is critical to seek safety," it said.

The creation of a malicious app spoofing a known brand is common, according to a recent report from Arctic Wolf, which said malicious apps found in official app stores are often disguised with the use of names, images, or descriptions similar to popular or malware-free apps. They also may have fake reviews to help increase the malicious app's rating and to make them look more realistic.

But in this case, the malicious application mimicked a widely used app to steal data, in what Cloudflare called "a time of distress" where services such as this are replied upon, adding that this is "another example of threat attackers leveraging authenticity to carry out impactful attacks."

Casey Ellis, founder and CTO of Bugcrowd, says he does expect to see more cases like this where the Gaza conflict is used as a malware lure — both regionally and globally.

"Attackers are always on the lookout for events that create fear, uncertainty, and a volatile information environment, and the Israel-Hamas conflict definitely meets these criteria," he says.

Cloudflare was unable to add attribution to whoever was behind this malicious app, and there is no evidence that this was even a threat actor from the Middle East. So this could be the work of an unrelated cybercriminal looking to use the conflict for their malicious gain.

**More Than One Incident**

In a separate detection, Cloudflare said the pro-Palestinian hacktivist group AnonGhost exploited a vulnerability in another application, Red Alert: Israel. This allowed the group to intercept requests, expose servers and APIs, and send fake alerts to some app users, including a message that a nuclear bomb strike was imminent.

In its detection of that incident, Group-IB Threat Intelligence said this shows that the actions of attackers can be diverse, as hacktivists are generally associated with conducting small-scale DDoS attacks and defacement. But as the ongoing conflict shows, sometimes their actions can be far more devastating and costly, and "it's essential to map and properly mitigate the risk of hacktivism as part of a threat intelligence program."

Krishna Vishnubhotla, vice president of product strategy at Zimperium, says spoofing mobile apps is easy, as many app teams are inadvertently giving threat actors a blueprint for abuse.

He says, "App teams focus on code optimization and speed to market, but never ensure sufficient threat visibility and protection for their apps once they are published. Threat actors know this and use reverse engineering to truly understand an app's inner workings."

Vishnubhotla adds, "Knowing an application's architecture, data flow, and security mechanisms allows a hacker to easily create spoofed apps."

**Be Careful With Clicks**

The advice to avoid becoming victimized by these types of attacks is fairly straightforward. Arctic Wolf recommend checking the app's developers and reviews, restricting permissions when necessary; users should download apps only from reputable developers and look for mentions of scams or malicious activity mentioned in reviews by other users.

The advice from Group-IB was for organizations to carefully examine and fortify all Web-facing applications, as "it's not uncommon for hacktivists to exploit web and mobile APIs, often perceived as softer targets compared to the principal product APIs."

Ellis admits his advice on protection from malicious apps — saying users should trust, but verify — is nothing groundbreaking, but it persists for a reason.

"Double-check before you trust anything that offers to assist you in issues of personal safety, and triple-check before you share it with others," he says. He acknowledges that in this case, the malicious apps were downloaded by people in a state of concern and potentially without the due consideration they would usually give to vetting them.

Malicious Apps Spoof Israeli Attack Detectors: Conflict Goes Mobile

Organizations should be careful that the workers they hire on a freelance and temporary basis are not operatives working to funnel money to North Korea's WMD program, US DOJ says.

US organizations that hire freelance and temporary IT workers should be sure they are not signing up individuals working on behalf of the North Korean government.

In recent years, the Democratic People's Republic of Korea has flooded the freelance market with thousands of skilled IT workers who are quietly directing their earnings to the sanctions-ridden nation's nuclear weapons program. The workers primarily reside in Russia and China and use a medley of pseudonymous email and social media accounts, false websites, proxy computers, and other mechanisms to hide their true identities and locations when applying to work on a freelance basis for US and other firms worldwide.

**Seizure of Web Domains and Cash**

Last week, the US Department of Justice released details of the massive scam in announcing court-authorized seizures of 17 domains and some $1.7 million in revenues associated with the operation.

"The Democratic People's Republic of Korea has flooded the global marketplace with ill-intentioned information technology workers to indirectly fund its ballistic missile program," Special Agent in Charge Jay Greenberg of the FBI St. Louis Division said in a statement last week. "This scheme is so prevalent that companies must be vigilant to verify whom they're hiring."

The DOJ described the 17 domains it seized as being used by some North Korean IT workers to apply for remote work in the US and elsewhere. The websites appeared to be the domains of legitimate US-based IT services companies. In reality, however, the people behind it were North Korean IT workers with a China-based company called Yanbian Silverstar Network Technology Co. Ltd and another Russian company identified as Volasys Silver Star.

The North Korean IT workers at these companies used various online payment services and Chinese bank accounts to funnel earnings from their work as freelance IT workers back to North Korea. Each year, the workers have been generating millions of dollars for entities like North Korea's Ministry of Defense and other agencies tied to the country's WMD programs, the DoJ said.

**Previous Warning**

This is not the first time that the DoJ has warned US organizations of the scam. In a May 2022 advisory, the US government issued a similar warning about North Korean IT workers using VPNs, virtual private servers, purchased third-party IP addresses, proxy accounts, and stolen ID documents to pass themselves off as IT workers from other countries.

The advisory also provided specific guidance that hiring managers and other decision-makers could use when contracting for work with a freelancer. Some red flags: multiple logins into one account from various IP addresses in a short period; IP addresses associated with different countries; frequent money transfers through payment platforms, especially in China; and requests for payment in cryptocurrencies, the DoJ had noted.

The DoJ also urged US organizations to be on the lookout for other potential signs including inconsistencies in name spellings, claimed work location, contact information, and details about their education and work history across social media profiles, professional websites, and payment profiles. An inability by a freelancer to work during required business hours or any difficulty reaching the worker in a timely fashion are also factors to consider, the DoJ said.

**Camera Shy**

Last week's advisory provided updated advice for US organizations on how to spot a potential North Korean IT worker. Red flags include an unwillingness or inability by the freelance worker to come on camera or do video interviews and conferences, inconsistencies such as time of day and location, when they do appear on camera. Other giveaways include signs of cheating on coding tests or interviews — such as excessive pausing, stalling and eye scanning movements; repeated requests for prepayment and threats to release source code if payment is not made.

The advisory provided organizations with a list of things they can do to minimize risk including requesting documentation of background checks when using a third-party staffing firm; conducting due-diligence checks on individuals that a third-party firm might provide for freelance work; and not accepting background checks from unknown firms.

"These kinds of threats are incredibly challenging and costly to manage at a corporate level," said Andrew Barrett, vice president at Coalfire, in a statement. "Freelancers and contractors are an integral part of many businesses and entire companies have spun up, such as Fiverr, to help create a marketplace for them."

Detecting fake identities can be hugely challenging using typical background checks when dealing with state-sponsored fake identities, Barrett said.

Freelance Market Flooded With North Korean IT Actors

To protect themselves from threats, companies also need proactive cybersecurity.

The Federal Trade Commission (FTC) and the National Association of Insurance Commissioners (NAIC) have issued guidance suggesting companies consider cyber insurance as a means of resilience against cyberattacks. While essential, merely suggesting cyber insurance isn't enough. The government must ensure its availability and affordability, especially for small businesses. Businesses must also take other steps to prevent cyber-risks and keep policies affordable. 

The digital age brings immense benefits, but with it comes increased cyber threats to businesses. The solution isn't just insurance — it's proactive cybersecurity.

Businesses should consider cyber insurance a risk management tool, but it's not a comprehensive solution to all cybersecurity challenges. It also may be beyond some small businesses' financial means, and the cost is increasing. According to NAIC, cyber-insurance premiums grew 61% in 2021 alone, when the average annual cost for cyber insurance for a business with $1 million in revenue to have $1 million in coverage (with a $10,000 deductible) was $1,485. The prices have since increased, and some businesses find insurers unwilling to renew policies or even cancelling them. 

Even for businesses that can get — and afford — cyber insurance, it isn't comprehensive and doesn't cover every possible type of security breach. Instead, policies cover a set of named perils. An inexperienced buyer may not realize the protection limitations, given the variety of coverages, exceptions, and exclusions in policies. Policies, for example, may not cover cyber terrorism, state-sponsored attacks, contractual liabilities, or intellectual property infringement, and may have exclusions for war, terrorism, bodily injury, and property damage. Policies may also have deductibles, co-payments, and sublimits that reduce the amount of coverage. 

**How Agencies Can Help**

A recommendation to invest in cyber insurance is excellent, even if it doesn't protect against all threats. However, businesses must be able to afford and obtain it to follow the recommendation. Agencies can increase and expedite cyber-insurance adoption — and general business cyber protection — by implementing a holistic approach that supports businesses' use of proactive cybersecurity measures, provides education, and encourages industry and policy cost subsidization.

The cyber-insurance market lacks standardization, with companies offering policies that cannot be readily compared. This creates challenges for consumers and brokers alike when trying to evaluate policies. A standardized format for presenting policies, perhaps patterned on the 100/300/100 approach used for auto insurance or the energy facts labels used on appliances, could aid consumers in making informed purchase decisions. Agencies can offer incentives to encourage industry self-regulation to promote consistent policy presentation and clarity. This can benefit insurers, underwriters, brokers, and policyholders alike.

**Government Should Subsidize Cyber Insurance**

The government can also aid in cyber-insurance uptake through targeted subsidization. Uninsured businesses create harms that are transferred to the public if they fail after an incident. Companies are also faced with threats from state actors and state-affiliated attackers, which are, rightly, costs borne by the government. Agencies can promote cyber insurance and offer incentives, such as tax credits, for purchasing it. Federal and state governments can aid in policy affordability by creating a backstop fund to cover catastrophic cyber-incident costs, which may cause insurers to fail, and incidents attributable to state actors and state-affiliated attackers. State-backed models exist for other catastrophic risks, like hurricanes and floods. The federal government has also provided airlines with terrorism coverage after incidents. 

Government outreach to businesses can help them understand the importance and implementation of good cybersecurity practices. This will help keep losses and, in turn, policy premiums low. It also prevents incidents from occurring, benefiting society at large. 

Regulators can increase market efficiency by ensuring policies provide the implied coverage. Existing fair-trading authorities can be leveraged to this end. Common policy benefits presentation, and ensuring its accurate translation into policy language facilitates competition and reduces the effort required to compare and purchase policies. Agencies can enable this by developing curriculum and licensing practices targeted at cyber-insurance providers and resellers. 

Government agencies can aid insurance uptake through targeted actions and provide public benefit. Implementing these actions should be a top priority for relevant agencies.

Source

DARKReading