The authentication bypass used by the Nobelium group, best known for the supply chain attack on SolarWinds, required a massive, real-time investigation to uncover, Microsoft says.

Microsoft has tracked down a sophisticated authentication bypass for Active Directory Federated Services (AD FS), pioneered by the Russia-linked Nobelium group. 

The malware that allowed the authentication bypass — which Microsoft called MagicWeb — gave Nobelium the ability to implant a backdoor on the unnamed customer's AD FS server, then use specially crafted certificates to bypass the normal authentication process. Microsoft incident responders collected data on the authentication flow, capturing the authentication certificates used by the attacker, and then reverse-engineered the backdoor code.

The eight investigators were not focused "so much \[on\] a whodunit as a how-done-it," Microsoft's Detection and Response Team (DART) stated in its Incident Response Cyberattack Series publication.

"Nation-state attackers like Nobelium have seemingly unlimited monetary and technical support from their sponsor, as well as access to unique, modern hacking tactics, techniques, and procedures (TTPs)," the company stated. "Unlike most bad actors, Nobelium changes their tradecraft on almost every machine they touch."

The attack underscores the increasing sophistication of APT groups, which have increasingly targeted technology supply chains, such as the SolarWinds breach, and identity systems. 

**A "Masterclass" in Cyber Chess**

MagicWeb used highly privileged certifications to move laterally through the network by gaining administrative access to an AD FS system. AD FS is an identity management platform that offers a way of implementing single sign-on (SSO) across on-premises and third-party cloud systems. The Nobelium group paired the malware with a backdoor dynamic link library (DLL) installed in the Global Assembly Cache, an obscure piece of .NET infrastructure, Microsoft said.

MagicWeb, which Microsoft first described in August 2022, was built on previous post-exploitation tools, such as FoggyWeb, which could steal certificates from AD FS servers. Armed with these, the attackers could make their way deep into organizational infrastructure, exfiltrating data along the way, breaking into accounts, and impersonating users.

The level of effort needed to uncover the sophisticated attack tools and techniques shows that the upper echelons of attackers require companies to be playing their best defense, according to the Microsoft.

"Most attackers play an impressive game of checkers, but increasingly we see advanced persistent threat actors playing a masterclass-level game of chess," the company stated. "In fact, Nobelium remains highly active, executing multiple campaigns in parallel targeting government organizations, non-governmental organizations (NGOs), intergovernmental organizations (IGOs), and think tanks across the US, Europe, and Central Asia."

**Limit Privileges for Identity Systems**

Companies need to treat AD FS systems and all identity providers (IdPs) as privileged assets in the same protective tier (Tier 0) as domain controllers, Microsoft stated in its incident response advisory. Such measures limit who can access those hosts and what those hosts can do on other systems. 

In addition, any defensive techniques that raise the cost of operations for cyberattackers can help prevent attacks, Microsoft stated. Companies should use multifactor authentication (MFA) across all accounts throughout the organization and make sure they monitor the authentication data flows to have visibility into potential suspicious events.

MagicWeb Mystery Highlights Nobelium Attacker's Sophistication

Valve's unpatched JavaScript engine and incomplete modification vetting process for Steam-delivered mods led to user systems being backdoored.

A threat actor recently uploaded four "mods" containing malicious code into the catalog in the official Steam store that players of the popular Dota 2 online game use for downloading community-developed game additions and other custom items.

Mods, short for "modifications," offer in-game content that players create rather than the developers.

Users who installed the mods ended up with a backdoor on their systems that the threat actor used to download an exploit for a vulnerability (CVE-2021-38003) in the V8 open source JavaScript engine version present in a framework called Panorama that players use to develop custom items in Dota 2.

Researchers from Avast discovered the issue and reported it to Valve, the developer of the game. Valve immediately updated the game's code to a new (patched) version of V8, and took down the rogue game mods from its Steam online store. The gaming company — whose portfolio includes Counter-Strike, Left 4 Dead, and Day of Defeat — also notified the small handful of users who downloaded the backdoor about the issue and implemented unspecified "other measures" to reduce Dota 2's attack surface, Avast said.

Valve did not immediately respond to a Dark Reading request for comment.

**Taking Advantage of Dota 2's Customization Features**

The attack that Avast discovered is somewhat similar in approach to the numerous incidents where a threat actor has uploaded malicious applications to Google Play and Apple's App Store, or malicious code blocks to repositories like npm or PyPI.

In this case, the individual who uploaded the code to Valve's Steam store took advantage of the fact that Dota 2 allows players to customize the game in many ways. Dota's game engine gives anyone with even basic programming skills the ability to develop custom items such as wearables, loading screens, chat emojis, and even entire custom game modes — or new games, Avast said. They can then upload those custom items to the Steam store, which vets the offerings for unsuitable content, and then publishes them for other players to download and use. 

However, because the Steam vetting process is more focused on moderation than security, bad actors can sneak malicious code into the store without too much trouble, the researchers warned. "We believe the verification process exists mostly for moderation reasons to prevent inappropriate content from getting published," according to Avast's blog post. "There are many ways to hide a backdoor within a game mode, and it would be very time-consuming to attempt to detect them all during verification."

Boris Larin, lead security researcher at Kaspersky's global research and analysis team, says that while game companies are not directly responsible for malicious code embedded into third-party modifications, incidents like these still harm the company's reputation. This is especially true when modifications are distributed through special repositories owned by the game developer that may contain vulnerabilities.

"In this particular case, the timely updating of third-party components would have helped to protect the players," Larin says. "JavaScript engines and built-in Web browsers also require special attention as they often contain vulnerabilities that can be exploited for remote code execution."

**Gaming Industry Continues to Be a Massive Target**

The incident at Valve is the latest in a string of attacks that have targeted online gaming companies and players in recent years — and especially since the COVID-19 outbreak, when social distance mandates drove a surge in online gaming. In early January, attackers broke into Riot Games' systems and stole source code for the company's League of Legends and Teamfight Tactics games. The attackers demanded $10 million from Riot Games in return for not publicly leaking the source code. In another incident, an attacker breached systems at Rockstar Games last year and downloaded early footage of the next version of the company's popular Grand Theft Auto game.

A report that Akamai released last year showed a 167% increase in Web application attacks on player accounts and gaming companies last year. A plurality of these Web application attacks — 38% — involved local file inclusion attacks; 34% were SQL injection attacks, and 24% involved cross-site scripting. Akamai's survey also showed that the gaming industry accounted for some 37% of all distributed denial-of-service (DDoS) attacks, which was double that of the second-most-targeted sector.

Akamai, like others previously, attributed the major attacker interest in gaming to the highly lucrative nature of the industry as a whole, and to the billions of dollars that users spend via in-game microtransactions while playing games. In 2022, PwC pegged gaming industry revenues at $235.7 billion for the year. The consulting firm estimated that industry revenues will grow at some 8.4% through 2026 at least.

The attacks have put growing pressure on gaming companies to ramp up their security processes. Industry experts have previously noted how gaming companies that experience major security incidents face the risk of losing player trust and player engagement on their platforms.

"Gaming companies should regularly update and scan their systems and employ a comprehensive defensive concept that equips, informs, and guides their team in their fight against the most sophisticated and targeted cyberattacks," Larin says.

"All repositories, whether an app store, an open source package repository, or even game modification repositories, should be automatically checked for malicious content," he says. This should include static checks for obfuscated or dangerous functionality and scanning with an antivirus engine SDK, he notes.

Larin adds: "Open source code repository poisoning has become more widespread in recent years and its early detection can prevent larger incidents."

Malicious Game Mods Target Dota 2 Game Users

Event organizers should be exercising various cyberattack scenarios to ensure they have the proper checks and balances in place to respond accordingly and maintain resilience.

When Super Bowl LVII between the Kansas City Chiefs and Philadelphia Eagles kicks off in Phoenix on Feb. 12, most everyone's eyes will be on the gridiron. But farther afield, malicious actors and cyberattackers may be looking to score their own kind of touchdown — by shutting down systems, perpetuating ransomware, or carrying out hacktivism.

The 2022 FIFA World Cup tournament held in Doha, Qatar, over the winter raised similar operational concerns, and cybersecurity experts note that large-scale events in general offer a very broad attack surface area to threat actors of all stripes, thanks to the sheer number of systems involved in carrying it off.

"The thing that's tricky for security teams is that it’s not just one entity or single network they must look after," says James Campbell, CEO and co-founder of Cado Security. "An event like the Super Bowl involves numerous suppliers, media companies, and so on, all of which are responsible for looking out for their networks, collectively making up how the Super Bowl is run."

Campbell adds that one of the biggest disruptions to the Super Bowl would be preventing it from being televised. With millions of people worldwide watching, and given the advertising and revenue generated from the Super Bowl, if a threat group wanted to get a certain point across, restricting the ability to broadcast it live would do the trick.

"That would probably have the biggest impact, other than physically ensuring the Super Bowl doesn't \[actually take place\] — a harder task," he says.

**Critical Steps for Securing the Super Bowl**

Bud Broomhead, CEO at Viakoo, points out that the large number of third parties involved in the event from a technical perspective means that ensuring that multiple networks are segmented from each other is a crucial first step in protecting the event — so that if one system is breached (Rihanna's microphones), the threat actors can't reach another system (video surveillance, for instance).  
He adds the large number of Internet of Things (IoT) devices and ad hoc networks that third parties will bring to the party — by stakeholders as varied as caterers and sound engineers — means multiple points of failure. Thus, layers of testing for worst-case scenarios will be important leading up to the event.

"There will need to be overall testing of those systems ahead of the event to ensure sufficient redundancy exists," Broomhead says. "Security for a big event like the Super Bowl must also have a focus on resiliency — if bad things happen, is there an already established plan to minimize the impact?"

Darren Guccione, CEO and co-founder at Keeper Security, notes that on the IoT front, many physical control systems are "smart" — i.e., Internet-facing; as such, they should be of particular concern.

He poses a hypothetical: The broadcast network equipment and servers sitting in the data room in the Super Bowl may be hardened with up-to-date patches, firewalls, and other defenses, but what about the building management system? This might be a separately controlled network — and not as well secured.

"Suppose threat actors attack IoT and turn off the air conditioning in the building management system," he says. "In that case, all those computers are useless because you must immediately turn off all your servers, or else they melt within 20 minutes."

The scenario of an attack via the HVAC system is familiar from the infamous Target breach of 2014 — all it takes is one employee falling for a phish.

"Leading up to the big game, IT professionals should be on the lookout for phishing attacks, malware and viruses, and social engineering attacks as threat actors attempt to gain access to the computer systems used to manage the event," Guccione advises.

Despite the what-ifs, the good news is that cybersecurity is firmly on the radar screen for this upcoming weekend: In addition to preparations on the part of the event organizers and all of the third-party stakeholders involved, a variety of government organizations also have thorough cyber-defense plans in place for the event, including the Arizona Cyber Command and the Federal Aviation Administration.

Attacker Allure: A Look at the Super Bowl's Operational Cyber-Risks

Bridging the divide between developers and security can create a culture change organically.

Over the past few years, organizations have dramatically expanded their use of cloud environments by more than 25%. This expansion came as organizations shifted toward hybrid workforces, where employees needed to access business-critical applications from their kitchen, local coffee shop, or halfway across the world. There is no debate today that the majority of applications have moved to the cloud and cloud-native development will continue to gain popularity, with developers able to build and deploy new applications within minutes. In fact, Gartner estimates that by 2025, more than 95% of new cloud workloads will be deployed on cloud-native platforms, up from 30% in 2021.

However, if you ask any developer what the one aspect to application development/deployment that slows them down is, they'll give you one word: security. There has been a long-standing and well-known disconnect between application developers and security teams — a constant tug and pull where developers don't want their applications slowed down or user experience to be altered by security protocols.

Meanwhile, security teams are working to ensure these applications won't open their organizations to increased risk. According to Palo Alto Networks' 2022 What's Next In Cyber survey, 71% of chief information security officers (CISOs) agree that security slows down DevOps in their organizations. So, how do we satisfy both groups and have them work together to deliver secure applications? 

By setting and pursuing shared goals, your organization's security and DevOps teams can reinforce each other's success rather than working in silos. Here are a few ways each team can better work together to deliver secure applications that do not impact user experience or time to deployment.

**Define Your Shift-Left Security Strategy Together**

Create a mutual understanding of what shifting left means to the organization. In its simplest form, it means embedding security at the forefront of application development rather than at the end. With this approach, organizations shift from reactive to proactive, where security vulnerabilities can be addressed early on, when they are less complex and costly. This mutual understanding can mean developing a document that outlines the vision, ownership/responsibility, milestones, and metrics. This way, both security and DevOps teams commit to one another that security is not an afterthought and both are aligned to create a more holistic approach to application security.

**Understand Where and How Software Is Created in Your Organization**

One of the biggest challenges of shifting security left is understanding how and where software is created within the organization. This is shaped by various variables, including the company's size and whether the work is outsourced to multiple vendors. For example, a large organization will likely spend more than a few months digging, and require additional time to review contracts. Key items to identify are people, process, and technology: 

*   People = who is developing the code
*   Process = the flow from development laptops to production
*   Technology = systems used to enable the process

**Developer-Friendly Security Tools**

Providing and implementing developers with friendly tools from the beginning of development ensures that security teams are empowering DevOps teams with the right set of tools to take ownership for the security posture of their applications. Practical and unobtrusive security tools dramatically increase developers' willingness and ability to inject security into their pipelines. As security professionals, we must equip them with tools that do not hinder their processes but, rather, empower them to build with the confidence that their applications are secure.

Implementing these steps within your organization is the start of bridging the divide between developers and security teams. If done correctly and there is complete buy-in from both sides, a culture change will occur organically. Security teams will begin to trust developers to take ownership for security, while developers will continue to operate with speed and agility. By shifting left, both teams put themselves in a position to better protect the organization and strengthen the overall security posture.

Addressing the Elephant in the Room: Getting Developers & Security Teams to Work Together

Members of the Health-ISAC can ingest threat indicators directly into Chronicle to investigate whether the threat is present in their environment.

In a bid to help healthcare organizations defend themselves from threats, Google Cloud announced it will be integrating the healthcare threat intelligence feed with its Chronicle platform.

Healthcare and life sciences organizations connect and share threat intelligence as part of the Health Information Sharing and Analysis Center (Health-ISAC). Members share threat indicators – forensic artifacts such as suspicious files, URLs, email addresses, network addresses, sampled traffic, and activity logs – through the Health-ISAC Indicator Threat Sharing (HITS) feed. The crowd-sourced approach allows other members to use the shared information to investigate whether the same threats are present in their environment and update defenses as needed.

HITS shares cyber threat intelligence through machine-to-machine automation. Google Cloud security engineers worked with Health-ISAC Threat Operations Center to develop an open sourced integration that connects HITS directly with the Chronicle Security Operations information and event management. This way, members can ingest the shared threat indicators into Chronicle and use that information to automate threat analysis decisions. There are setup instructions for STIX/TAXII feeds on GitHub.

"The integration with Chronicle can help Health-ISAC members discover threats more rapidly, and can also assist in evicting malicious actors from their infrastructure," Taylor Lehmann, director in the Office of the CISO, and Adam Licata, a product manager, said in the announcement.

The latest Chronicle integration is part of Google Cloud's investment as an Ambassador partner – a way for non-healthcare organizations to share experts (Google Cybersecurity Action Team) and resources (Threat Horizon Report) with the members of the ISAC.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Google Cloud Connects Chronicle to Health ISAC Feed

Reddit code, internal documents, dashboards, and business systems were compromised in the cyberattack.

Reddit announced that its internal systems were breached on Feb. 5 as the result of an employee credential compromise.

The company said a "sophisticated and highly-targeted" phishing attack was able to trick a single employee into giving up their login information.

The cyberattackers then gained access to code and some internal data, including advertiser and employee information. Reddit user data was not affected, however, the company said.

"Based on several days of initial investigation by security, engineering, and data science (and friends!), we have no evidence to suggest that any of your non-public data has been accessed, or that Reddit's information has been published or distributed online," the company said.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Reddit Breached With Stolen Employee Credentials

A sophisticated cyber-espionage attack against high-value targets attending a maritime technology conference in Pakistan this weekend has been in the works since last year.

A novel threat actor that researchers have dubbed "NewsPenguin" has been conducting an espionage campaign against Pakistan's military-industrial complex for months, using an advanced malware tool. 

In a blog post on Feb. 9, researchers from Blackberry revealed how this group carefully planned out a phishing campaign targeting visitors to the upcoming Pakistan International Maritime Expo & Conference (PIMEC).

PIMEC will take place over the course of this coming weekend. It is a Pakistan navy initiative that, according to a government press release, "will provide opportunities to maritime industry both in public and private sectors to display products and develop business relationships. The event will also highlight Pakistan's Maritime potential and provide the desired fillip for economic growth at national level."

Attendees at PIMEC include nation-states, militaries, and military manufacturers, among others. That fact, combined with NewPenguin's use of a bespoke phishing lure and other contextual details of the attack, led the researchers to conclude "that the threat actor is actively targeting government organizations."

**How NewsPenguin Goes Phishing for Data**

NewsPenguin attracts its victims using spear-phishing emails with an attached Word document, purporting to be an "Exhibitor Manual" for the PIMEC conference.

Though the file name was quite a red flag — "Important Document.doc" — its contents appear to be ripped straight from the actual event's materials, featuring government seals and the same aesthetic as other media published by the organizers.

The document first opens in a protected view. The victim must then click "enable content" to read the document, which triggers a remote template injection attack.

Remote template injection attacks cleverly avoid easy detection by planting malware not in a document but in its associated template. It's "a special technique that allows the attacks to fly under the radar," Dmitry Bestuzhev, threat researcher at BlackBerry explains to Dark Reading, "especially for the \[email gateways\] and endpoint detection and response (EDR)-like products. That's because the malicious macros are not in the file itself but on a remote server — in other words, outside of the victim's infrastructure. That way, the traditional products built to protect the endpoint and internal systems won't be effective."

**NewsPenguin's Evasion Techniques**

The payload at the end of the attack flow is an executable with no differentiating name, referred to in the blog post as "updates.exe." This never-before-seen espionage tool is perhaps most notable for just how far it goes to resist detection and analysis.

For example, to avoid making any loud noises in a target network environment, the malware operates at a snail's pace, taking five minutes between each command.

"That delay is intended to not cause too much network activity," Bestuzhev explains. "It stays as silent as possible, with fewer footprints for detection systems to pick up on."

The NewsPenguin malware also performs a series of actions to check whether it's deploying in a virtual machine or sandbox. Cybersecurity professionals like to trap and analyze malware in these environments, which isolate any malicious impacts from the rest of a computer or network. Hackers, in turn, know to avoid these isolated environments if they don't want to be caught out.

The researchers counted a few different evasive methods in updates.exe, which "includes using GetTickCount" — a Windows function that reports how long it's been since the system was started up — "to identify sandboxes bypassing sleep functions, checking the hard drive size, and requiring more than 10GB of RAM," according to the report.

**The Morsels That NewsPenguin Wants**

The researchers couldn't connect NewsPenguin to any known threat actors. That said, the group has already been working for some time now.

The domains associated with the campaign were registered all the way back in June and October of last year, despite PIMEC only occurring this weekend.

"Short-sighted attackers usually don't plan operations so far in advance, and don't execute domain and IP reservations months before their utilization," the authors of the report observed. "This shows that NewsPenguin has done some advance planning and has likely been conducting activity for a while."

In that time, the authors added, NewsPenguin has been "continuously improving its tools to infiltrate victim systems."

Between the premeditated nature of the attack, and the profile of the victims, the bigger picture starts to become clear. "What happens at conference booths?" Bestuzhev asks. "Attendees approach the exhibitors, chat, and exchange contact information, which the booth's personnel register as leads using simple forms like spreadsheets. The NewsPenguin malware is built to steal that information, and we should note that the whole conference is about military and marine technologies."

NewsPenguin Goes Phishing for Maritime & Military Secrets

As evolving cyber threats force security teams to adopt AI to automate workflows, we ask how the relationship between humans and AI will pan out.

The scale of cyberattacks that organizations face today means autonomous systems are becoming a critical component of cybersecurity. This forces us to question the ideal relationship between human security teams and artificial intelligence (AI): What level of trust should be granted to an AI program, and at what point do security teams intervene in its decision-making?

With autonomous systems in cybersecurity, human operators are raising the bar of their decision-making. Instead of making an increasingly unmanageable number of "microdecisions" themselves, they now establish the constraints and guiderails that AI machines should adhere to when making millions of granular microdecisions at scale. As a result, humans no longer manage at a micro level but at a macro level: Their day-to-day tasks become higher-level and more strategic, and they are brought in only for the most essential requests for input or action.

But what will the relationship between humans and AI look like? Below, we dissect four scenarios outlined by the Harvard Business Review that set forth possibilities for varied interaction between humans and machines, and explore what this will look like in the cyber realm.

**Human in the Loop (HitL)**

In this scenario, the human is, in effect, doing the decision-making and the machine is providing only recommendations of actions, as well as the context and supporting evidence behind those decisions to reduce time-to-meaning and time-to-action for that human operator.

Under this configuration, the human security team has complete autonomy over how the machine does and does not act.

For this approach to be effective in the long-term, sufficient human resources are required. Often this would far exceed what is realistic for an organization. Yet for organizations coming to grips with the technology, this stage represents an important steppingstone in building trust in the AI autonomous response engine.

**Human in the Loop for Exceptions (HitLfE)**

Most decisions are made autonomously in this model, and the human only handles exceptions, where the AI requests some judgment or input from the human before it can make the decision.

Humans control the logic to determine which exceptions are flagged for review, and with increasingly diverse and bespoke digital systems, different levels of autonomy can be set for different needs and use cases.

This means that the majority of events will be actioned autonomously and immediately by the AI-powered autonomous response but the organization stays "in the loop" for special cases, with flexibility over when and where those special cases arise. They can intervene, as necessary, but will want to remain cautious in overriding or declining the AI's recommended action without careful review.

**Human on the Loop (HotL)**

In this case, the machine takes all actions, and the human operator can review the outcomes of those actions to understand the context around these actions. In the case of an emerging security incident, this arrangement allows AI to contain an attack, while indicating to a human operator that a device or account needs support, and this is where they are brought in to remediate the incident. Additional forensic work may be required, and if the compromise was in multiple places, the AI may escalate or broaden its response.

For many, this represents the optimal security arrangement. Given the complexity of data and scale of decisions that need to be made, it is simply not practical to have the human in the loop (HitL) for every event and every potential vulnerability.

With this arrangement, humans retain full control over when, where, and to what level the system acts, but when events do occur, these millions of microdecisions are left to the machine.

**Human out of the Loop (HootL)**

In this model, the machine makes every decision, and the process of improvement is _also_ an automated closed loop. This results in a self-healing, self-improving feedback loop where each component of the AI feeds into and improves the next, elevating the optimal security state.

This represents the ultimate hands-off approach to security. It is unlikely human security operators will ever want autonomous systems to be a "black box" – operating entirely independently, without the ability for security teams to even have an overview of the actions it's taking, or why. Even if a human is confident that they will never have to intervene with the system, they will still always want oversight. Consequently, as autonomous systems improve over time, an emphasis on transparency will be important. This has led to a recent drive in explainable artificial intelligence (XAI) that uses natural language processing to explain to a human operator, in basic everyday language, _why_ the machine has taken the action it has.

These four models all have their own unique use cases, so no matter what a company's security maturity is, the CISO and the security team can feel confident leveraging a system's recommendations, knowing it makes these recommendations and decisions based on microanalysis that goes far beyond the scale any single individual or team can expect of a human in the hours they have available. In this way, organizations of any type and size, with any use case or business need, will be able to leverage AI decision-making in a way that suits them, while autonomously detecting and responding to cyberattacks and preventing the disruption they cause.

**About the Author**

    

As VP of Product at Darktrace, Dan Fein has helped customers quickly achieve a complete and granular understanding of Darktrace's product suite. Dan has a particular focus on Darktrace email, ensuring that it is effectively deployed in complex digital environments, and works closely with the development, marketing, sales, and technical teams. Dan holds a bachelor's degree in computer science from New York University.

4 Ways to Handle AI Decision-Making in Cybersecurity

Avast researchers also discovered and reported two zero-day vulnerabilities, and observed the spread of information-stealing malware, remote access trojans, and botnets.

**TEMPE, Ariz.** **and** **PRAGUE****,** **Feb. 9, 2023** **/PRNewswire/ --** Avast, a leader in digital security and privacy, and a brand of Gen™ (NASDAQ: GEN), saw an increase in threats using social engineering to steal money, such as refund and invoice fraud and tech support scams, during Q4 of the calendar year 2022. Cybercriminals also remained active in spying and information stealing, with lottery-themed adware campaigns used as a tactic to obtain people's contact details. Avast threat researchers also discovered zero-day exploits in Google Chrome and Windows. These vulnerabilities have since been patched. These insights are covered in the Avast Q4/2022 Threat Report.

"At the end of 2022, we have seen an increase in human-centered threats, such as scams tricking people into thinking their computer is infected, or that they have been charged for goods they didn't order. It's human nature to react to urgency, fear and try to regain control of issues, and that's where cybercriminals succeed," said Jakub Kroustek, Avast Malware Research Director. "When people face surprising pop-up messages or emails, we recommend they stay calm and take a moment to think before they act. Threats are so ubiquitous today that it's hard for consumers to keep up. It is our mission to help protect people by detecting threats and alerting users before they can do any harm, using the latest AI-based technology."

**Growth in refund and invoice fraud, and tech support scams**

The Avast threat labs also saw an increase in tech support scam activity. Top affected countries include the United States, Brazil, Japan, Canada, and France. These scams often start with a pop-up window that alerts people of an alleged malware infection and urges them to call a helpline to resolve the issue. Scammers will convince the caller to set up a remote connection to their computer, opening the door to theft of personal information and money, as the criminals try to access people's bank accounts or crypto wallets, and ask for a payment for their services.

"We recommend people ignore such pop-up messages and close the window with the escape key, or if that's not possible, restart their computer," advises Kroustek. "Also, never give remote access to your computer to somebody you don't know."

The Avast threat labs also saw an uptick in refund and invoice fraud of 14% from October to November 2022, and another increase of 22% in December. Refund fraud works in a comparable way to tech support scams, and often comes in the form of an email that looks like it was sent from a trusted company. People will receive an email including a fake receipt making them believe they were charged for a purchase they didn't make. People are then tricked into calling a phone number, where an agent asks them to create a remote connection to their computer and open their banking account, so the person can see how the refund is done. The goal of the attacker is to steal the person's money. In the case of invoice fraud, people, and more often businesses, receive bills for goods or services the business never ordered or received.

"To avoid invoice fraud, people need to pay close attention to invoices they receive. Fraudulent invoices often look legitimate, and people need to verify whether an order really was made, the service received, and whether the sender is truly who they pretend to be," said Kroustek.

**Information stealing adware, remote access trojans and bots**

Web-based adware was also prevalent in the quarter, not only annoying people with intrusive ads, but also trying to steal their personal data. For example, people are asked to take part in a lottery, spinning a roulette wheel to win, and are then asked to enter their contact information and pay a "handling fee" using their credit card or Google Pay or Apple Pay account. Avast researchers also saw a flood of DealPly adware, which comes as a Google Chrome extension and sends statistical and search information to the attackers. The risk to get infected by DealPly increased around the world, most significantly in the Americas, in Europe, and South and Southeast Asia.

Avast researchers saw a significant increase of 437% in the global spread of the Arkei information stealer, which is known for stealing data from browsers' autofill forms, passwords and other sources. There was also a 57% increase in people and businesses protected against AgentTesla, a strain of malware that often spreads through phishing emails to businesses and designed to steal credentials, as well as a 37% increase in RedLine stealer, which often spreads in cracked games and services, stealing information from browsers and cryptowallets.

Avast telemetry also shows that the global spread of LimeRAT tripled in Q4. LimeRAT is a remote access trojan capable of stealing passwords, cryptocurrencies, driving Distributed Denial of Service (DDoS) attacks and installing ransomware on a victim's computer. It was mostly active in South and Southeast Asia and Latin America. The Emotet botnet, also a malware distributor with a wide variety of capabilities to steal information and spread malware, has evolved its technique of evading detection by antivirus software in the past few months through the use of timers to incrementally continue the payload's execution. The Qakbot information stealer botnet has also evolved further and started using "HTML smuggling" to hide an encoded malicious script within an email attachment. For example, the threat actors have started abusing SVG images to hide malicious payloads and the code used for its reassembly.

**Zero-day exploits in the wild**  
Two sophisticated zero-day exploits were also discovered by Avast researchers in the quarter. Avast protected its users as both were exploited in the wild. The first, CVE-2022-3723, was a type confusion in V8 and used to do a 'get Remote Code Execution' (RCE) against Google Chrome. Avast reported this vulnerability to Google who quickly rolled out a patch in just two days, on October 27, 2022. The second zero-day CVE-2023-21674, was an LPE vulnerability in ALPC that allowed attackers to get from the browser sandbox all the way into the Windows kernel. Microsoft patched this exploit in the January 2023 Patch Tuesday update. In addition, the Avast Q4/2022 Threat Report from the Avast Threat Labs shares insights into spyware, and the latest in mobile banking Trojans and Trojan SMS. Avast helps protect its users from all threats covered in the report. The Avast Q4/2022 Threat Report can be found on the Decoded blog: https://decoded.avast.io/threatresearch/avast-q4-2022-threat-report

**About Avast:** 

Avast is a leader in digital security and privacy, and a brand of Gen™ (NASDAQ: GEN), a global company dedicated to powering Digital Freedom through its family of trusted consumer brands. Avast protects hundreds of millions of users from online threats with a threat detection network that is among the most advanced in the world, using machine learning and artificial intelligence technologies to detect and stop threats in real time. Avast digital security products for Mobile, PC or Mac are top-ranked and certified by VB100, AV-Comparatives, AV-Test, SE Labs and others. Avast is a member of the Coalition Against Stalkerware, No More Ransom and Internet Watch Foundation. Visit: www.avast.com.

SOURCE Avast Software, Inc.

Avast Threat Report: Consumers Plagued With Refund Fraud, Tech Support Scams, and Adware

From shadow data to misconfigurations, and overpermissioning to multicloud sprawl, Dark Reading's cloud security slideshow helps security pros understand the threat horizon.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading