The campaign shrouds the commodity infostealer in OpenAI files in a play that aims to take advantage of the growing public interest in AI-based chatbots.

Cybercriminals are posting what appear to be legitimate sponsored ads on hijacked Facebook business and community pages, which promise free downloads of AI chatbots such as ChatGPT and Google Bard. Instead, users download the well-known, info-stealing malware called RedLine Stealer, the researchers have found.

RedLine Stealer is a malware-as-a-service (MaaS) platform sold via online hacker forums that targets browsers to collect various data saved by the user, including credentials and payment-card details, as well as taking a system inventory to assess the attack surface for performing further attacks. It also can perform other malicious functions besides just info stealing, such as uploading and downloading files, and executing commands. This gives attackers, even with limited sophistication, various options for performing a range of cyberattacks, researchers at Veriti said.

They spotted the recent campaign in January, which aims to take advantage of the growing popularity of emerging AI platforms, according to a report published April 11. The researchers then followed the campaign through its peak in March.

"These posts are designed to appear legitimate, using the buzz around OpenAI language models to trick unsuspecting users into downloading the files," Veriti researchers wrote in the report. "However, once the user downloads and extracts the file, the RedLine Stealer malware is activated and can steal passwords and download further malware onto the user's device."

The commodity malware is an inspired choice for the campaign considering it costs only $100 to $150 to buy it on the Dark Web, which gives attackers a significant return on investment (ROI) for their cybercriminal activity, the researchers said.

"In addition, by exploiting Facebook business accounts and their exposed passwords, the attackers were able to target a vast number of users and potentially gain access to sensitive information at a relatively low cost," the Veriti research team tells Dark Reading.

**Dangers of Trojanized AI Apps **

Soon after the AI-based chatbot ChatGPT came on the scene in November, the chatter began about the various ways attackers can exploit it for malicious purposes. While some believe that this threat is being overhyped, the RedLine campaign could be a sign of more related attacks on the horizon.

Rather than taking advantage of AI-based capabilities of the chatbots themselves, the attackers here take advantage of recent developments in the ability to package the AI in various forms, opening the door for creating trojanized downloads. 

"One of the most concerning risks associated with generative AI platforms is the ability to package the AI in a file (e.g., as mobile applications or as open source), which creates the perfect excuse for malicious actors to trick naïve downloaders," the researchers explained. 

The attackers in this case package RedLine Stealer into an OpenAI or Google Bard downloadable file, leading unsuspecting users to download the malware instead of the promised AI app that lured them to click on the post, the researchers said.

"The potential impact of such attacks is significant, as hackers could steal confidential data, compromise financial accounts, or even disrupt critical infrastructure," they wrote in the report. "Moreover, these attacks are becoming more sophisticated, making detecting and preventing them harder."

Dozens of Facebook business accounts in at least 10 countries already have been hijacked for the purpose of distributing RedLine Stealer through the malicious posts, the researchers said. Greece is the country where attackers reach the highest number of Facebook users, followed by India, the US, Mexico, and Bangladesh, according to the report.

However, the bulk of the campaign's "top attacks" took place in the US, where 77% of them occurred, according to the report. The country with the next-highest percentage of top attacks was Canada, with 9%, followed by Mexico (6%), India (4%), and Portugal (2%).

**Protecting the Enterprise From Malicious Downloads**

Veriti recommends a "comprehensive approach to cybersecurity" that includes educating employees on the risk of downloading and opening files from unknown sources, alongside "robust security configurations" to help avoid compromising enterprise systems if users inadvertently install an infostealer, such as Redline, on a corporate desktop.

One of the first steps organizations can take is to limit the download of executables and enforce strict policies that require sandboxing every executable before it is downloaded, the researchers said. "This can significantly reduce the risk of malicious files infecting a system," they tell Dark Reading.

Additionally, disabling data exfiltration can prevent attackers from stealing sensitive information, while enabling anti-malware can detect and remove malicious files before they can cause any damage, the researchers said.

However, researchers note that any measures to educate employees or set policies around files downloaded from the Internet "should complement an organization's existing cybersecurity protections, such as firewalls, intrusion detection and prevention systems, and regular security updates."

The team adds, "Organizations can significantly reduce the likelihood of a successful attack by implementing these best practices and educating employees on the risks."

Attackers Hide RedLine Stealer Behind ChatGPT, Google Bard Facebook Ads

Password managers aren't foolproof, but they do help mitigate risks from weak credentials and password reuse. Following best practices can contribute to a company's defenses.

Over the past few months, several leading password managers have been victims of hacking and data breaches. For instance, LastPass, which experienced a massive breach last year, recently announced again that the company's password vault has been stolen. And thanks to the bad practice of reusing passwords too often, Norton LifeLock also reported compromises to its password manager.

Why are password managers so attractive to cybercriminals? It's simple. Password managers hold the "keys to the castle." If a password manager gets compromised, attackers gain access to all stored passwords at once, which means they can walk into any secured environment or impersonate any user, circumventing all cybersecurity defenses. The market for password managers is growing rapidly, and attackers will target anything that can get more bang for their buck.

**Attractive Targets**

Some of the most common ways password managers are being hacked include:

**1\. Malware-Targeting Password Managers**

Malware programs have been targeting password managers for the last several years. In 2014, malware called Citadel, designed to target password managers, became notorious for having compromised one in 500 PCs worldwide. However, back then, only a small number of users used a password manager. Today, the average person needs to remember upward of 100 passwords, which is why the market for password managers and the malware market for targeting them are both growing.

For example, the attack on the Solana blockchain last year that resulted in a $7 million heist was caused by malware that targeted crypto wallets and password managers called Luca Stealer; another Trojan, dubbed StealC, specifically targets browser extensions and authenticators by password managers; password stealers targeting Web browsers have also been around for decades.

**2\. Phishing Attacks Against Password Managers**

Phishing attacks targeting password managers are on the rise. For example, in January 2023, researchers came across Google Ads that were redirecting victims to fake Bitwarden and 1Password pages, trying to steal their master credentials. What's more, customers of password managers such as LastPass, who have already had their credentials exposed in an earlier data leak, are at an increased risk of scams and phishing attacks. Attackers know their email addresses, phone numbers, and the online services they use, and therefore they can be easily targeted using a variety of phishing techniques.

**3\. Software Vulnerabilities in Password Managers**

Just like all other forms of software, password managers are prone to vulnerabilities. Recently, researchers reported a vulnerability in KeePass that could allow attackers to export all usernames and passwords in clear text. Earlier this year, Google discovered that popular password managers such as Dashlane, Bitwarden, and Apple's Safari browser password manager can all be manipulated into auto-filling passwords on untrusted pages.

**4\. Credential-Stuffing Attacks Using Leaked Credentials**

Credential-stuffing attacks are becoming increasingly common. This is a type of attack where threat actors leverage previously leaked credentials (nearly 25 billion of these are for sale on underground marketplaces) to gain unauthorized access into websites, applications, and networks. Most password managers have a "master password" to access all credentials, and since 65% of users reuse their passwords across different websites, it's possible that attackers use brute-force techniques or make educated guesses on the possible password combinations. Late last year, LastPass confirmed a credential-stuffing attack against some of its users.

**Do Password Managers Make Sense in 2023?**

The benefits of having a password manager far outweigh the risks. Password managers help mitigate two of the biggest risks for users and businesses — weak credentials and password reuse. Yes, attacks on password managers are on the rise, but the probability of a business being attacked due to poor credentials or password reuse is much higher than the likelihood of a password manager getting hacked.

There are a number of things organizations can do to mitigate the risks of password managers:

*   **Security-train employees:** Most password-stealing malware gets installed when users get phished or social engineered — users download, click, or open something they shouldn't have. This is why it is extremely important for organizations to instill secure behavior in employees (alertness, strong passwords, safe browsing, responsible use of social media, not trusting anything at face value, etc.) so they don't fall victim to a phishing attack.
*   **Patch regularly:** Make sure you patch all your software and systems regularly. Unpatched software is the second-biggest reason password-stealing Trojans get installed on computers. Ensure you check and install all critical patches, especially the ones that are featured on CISA's Known Exploited Vulnerability Catalog.
*   **Use phishing-resistant multifactor authentication:** Use phishing-resistant MFA or passwordless options wherever you can. Not just to protect the master password on your password manager, but also on all of your critical websites, applications, and services.
*   **Check password-dump websites for leaked credentials:** Check online leaked-password websites (such as haveibeenpwned.com) or take breach password tests to ascertain if any of your credentials are floating around in online databases.
*   **Use a good password manager:** Use password managers that deploy strong encryption; that follow secure development life cycle (SDLC) programming; are responsive, transparent, and responsible to their customers; and that promote security features such as MFA, passwordless options, contextual features (user gets locked out if it's an unknown device or location), and phishing-detection capabilities.

Are password managers foolproof? Nope. But nothing is these days. The operating systems we use, the devices and applications we use — everything is hackable. Password managers come with some great benefits — they can tell you if your password is strong or not, they prevent you from reusing your password, some can stop you from entering credentials into bogus URLs, and some will even alert you when a website gets compromised.

As long as organizations follow the above tips and best practices, password managers can prove to be a vital tool in the defense arsenal of any organization.

How Password Managers Can Get Hacked

The gap between permissions granted and permissions used exposes organizations to increased risk. (Part two of a two-part series.)

Did you know that 86% of businesses plan to increase their investment in hybrid or multicloud technology? And yet 73% of those same companies find it challenging to manage multicloud environments.

In part, this is because managing identities and their related access permissions is more complicated when you're dealing with a multicloud environment. Digital sprawl has led to an explosion in permissions across multicloud environments, and we lack a consistent oversight solution.

To date, as many as 99% of current cloud permissions are going unused. This gap between permissions granted and permissions used represents a significant concern for enterprise businesses, as it opens them up to an increased risk of both accidental and malicious insider threats. Read on to learn how you can evolve your identity and permissions management by implementing cloud infrastructure entitlement management (CIEM) solutions into your own operations.

**How Does CIEM Work?**

One issue with overpermissioned multicloud environments is that they're very difficult for security teams to monitor. Various cloud platforms don't always interact well with one another, and that can make it challenging for security teams to have full visibility across the entire multicloud environment. Identities have also expanded beyond employees and customers to encompass developers, third-party contractors, and even workload identities like web apps, virtual machines, containers, scripts, serverless functions, and more.

Attackers can exploit the misconfigured permissions of these identities to access critical cloud infrastructure. The permissions gap can be reduced by implementing least privilege access and working toward a zero-trust security model, but it's very difficult to do manually and at a cloud scale. That's where CIEM comes in.

As we learned in Part 1 of this series, CIEM was first coined by Gartner as a way to address the identity and permissions challenges posed by cloud technology. CIEM acts as a cloud-native, scalable, and extensible way to automate the continuous management of permissions in the cloud because it is built on a continuous, activity-based model. This allows organizations to keep pace with rapid cloud growth while also scaling their security infrastructure.

CIEM is made up of seven core pillars: account and entitlements discovery, cross-cloud entitlements correlation, entitlements visualization, entitlements optimization, entitlements protection, entitlements detection, and entitlements remediation. Essentially, it works by allowing organizations to understand what permissions currently exist within their environments and how various identities are using those permissions.

CIEM can even help organizations understand how they should change their current identity management to follow the principles of least privilege access and how to best protect their environments moving forward.

**How To Implement CIEM In Your Own Organization**

Cloud technology has become table stakes for many organizations, and the move to shift workloads into the cloud isn't likely to slow down anytime soon. This means that cloud providers will continue to add new capabilities and services, generating tens of thousands of permissions and growing the number of identities — both human and workload — in the process.

That's why we recommend taking a life cycle approach to CIEM. This empowers organizations to continuously discover, remediate, and monitor the activity of every unique user and workload identity that's operating in their cloud environment. It also has the benefit of alerting security and infrastructure teams to unexpected or excessive risks in cloud environments so they can respond accordingly.

The first step is the discovery phase. This involves creating individual usage profiles for each human or workload identity to understand how they typically operate in your environment and assess whether permissions granted in the past are still needed today.

Next is the remediation phase. A core attribute of CIEM is that it enables companies to look at usage data to see which permissions each identity is actually using. Based on this insight, security teams can then revoke permissions that aren't being used or that aren't necessary for that person or workload's function.

Finally, we have the monitoring phase. Thousands of identities can be active across cloud environments at any given time. So it's critical for CIEM solutions to provide robust monitoring and alerting capabilities. This monitoring should be customizable by both identity and activity, and your CIEM solution should be able to send automated alerts to the appropriate security team.

Strong cloud security ultimately hinges on an organization's ability to control the level of access that human and workload identities have to their infrastructure. Something like CIEM can help secure these identities at scale.

How CIEM Can Improve Identity, Permissions Management for Multicloud Deployments

Israel's National Cyber Defense is warning of increased cyberattacks by anti-Israel groups during the month of Ramadan.

On April 5, the Israel Post fell victim to a cyberattack, forcing the mail service to shut down some services. Just two days later, farmers missed scheduled irrigation times when water controllers in the Jordan Valley were hijacked with displays that read, "You Have been hacked, Down with Israel _(sic)_."

These recent cyberattacks are part of a predictable wave of increased, malicious cyber activity that Israeli organizations have come to expect during the month of Ramadan, according to the Israel National Cyber Directorate, which recently issued a warning about a spike in anti-Israel hacktivist activity.

"Each year during this period, attacks such as website defacement, distribution of phishing messages, social media hacking, DDoS attacks, intrusion into company websites, and information leaks are observed — alongside publications boasting cyberattacks that did not necessarily take place," the INCD warning said. "Additional, common attacks are on website storage and building companies, in an attempt to create a wider attack that will increase awareness. It is estimated that similar attempts will take place this year as well, using simple means and exploiting common weaknesses in the cyber sphere."

The National Cyber Directorate and the Ministry of Agriculture are investigating the breaches of the Israel Post and the irrigation system, according to reports. Other Israeli organizations breached in recent weeks include websites for Israel Railways, airlines, universities, and more, all part of the "OPIsrael" campaign waged each year, reports added.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Israeli Irrigation Water Controllers & Postal Service Breached

In three separate incidents, engineers at the Korean electronics giant reportedly shared sensitive corporate data with the AI-powered chatbot.

Recent reports about engineers at Samsung Electronics inadvertently leaking sensitive company information via ChatGPT in three separate incidents highlight why policies governing employee use of AI services in the workplace are quickly becoming a must for enterprise organizations.

The Economist Korea, one of the first to report on the data leaks, described the first incident as involving an engineer who pasted buggy source code from a semiconductor database into ChatGPT, with a prompt to the chatbot to fix the errors. In the second instance, an employee wanting to optimize code for identifying defects in certain Samsung equipment pasted that code into ChatGPT. The third leak resulted when an employee asked ChatGPT to generate the minutes of an internal meeting at Samsung.

The incidents played out exactly the same way that researchers have been warning that they could, since OpenAI made ChatGPT publicly available in November. Security analysts have noted how, in all instances where users share data with ChatGPT, the information ends up as training data for the machine learning/large language model (ML/LLM). They have noted how someone could later retrieve the data using the right prompts. 

ChatGPT creator, OpenAI, itself has warned users on the risk: "We are not able to delete specific prompts from your history. Please don't share any sensitive information in your conversations," OpenAI's user guide notes.

**Samsung Enacts Emergency Anti-ChatGPT Measures**

The situation has apparently prompted a rethink of ChatGPT use at Samsung after the third incident, just barely three weeks after the South Korean electronics giant allowed employees access to the generative AI tool. The company had initially banned the technology over security and privacy concerns before relenting.

The Economist reported Samsung's emergency measures to limit ChatGPT use internally as including restricting employees from asking questions of ChatGPT that were larger than 1,024 bytes and considering disciplinary action against employees who share corporate data with LLMs such as ChatGPT.

Samsung did not respond to a Dark Reading request seeking clarification on the three incidents and the company's response to them. Security researchers, however, have been warning that such leaks could become common as employees begin leveraging ChatGPT for various use cases within the enterprise.

A study that Cyberhaven conducted earlier this year found many workers at client companies pasting source code, client data, regulated information, and other confidential data into ChatGPT. Examples included an executive who pasted his company's 2023 strategy document into the chatbot so it could generate a PowerPoint slide presentation, and a doctor who entered a patient's name and medical diagnosis so ChatGPT could generate a letter to the patient's insurance company.

**AI: A Risk vs. Benefit Gamble for Enterprises**

"From an employee's perspective, ChatGPT-like tools offer the potential to be exponentially more productive, making them hard to ignore," says Krishna Vishnubhotla, vice president of product strategy at Zimperium. However, it's important to consider the risks vs. rewards equation, which will vary depending on specific roles and responsibilities, he notes. For instance, employees working with intellectual property would require more guidance and precautions on how to use tools like ChatGPT he says: "It is crucial for organizations to understand how productivity will look and where it will come from before they embrace this opportunity."

Michael Rinehart, vice president of artificial intelligence at Securiti, says it's important to remember that advanced Generative AI tools such as ChatGPT cannot distinguish between what they should and should not memorize during training. So, organizations that want to harness them for different use cases should consider using tools for classifying, masking, or tokenizing personal and other sensitive data.

Or "a second approach is the use of differential privacy. Differential privacy offers provable protection of individuals in structured data," Rinehart says.

**Differential Privacy**

Rinehart describes differential privacy as a technique for protecting data in a dataset. "It involves adding noise — or error — to real data," he says. The synthetic data will have many of the important characteristics of real-world data without exposing the individuals in the dataset. "If used properly, even if the synthetic dataset were leaked, privacy would still be protected. Enterprise-grade synthetic data generators with differential privacy are now available," he says.

Rinehart perceives attempts by organizations to ban ChatGPT use in the workplace as ill conceived and unlikely to work. "A consistent story in the field of security is that it may be better to offer a secure path to using a tool than to block it," he says. "If a tool offers incredibly high benefits, people may attempt to circumvent blocks to take advantage of it."

Melissa Bischoping, director of endpoint security at Tanium, says the issue with sharing data to ChatGPT lies in the fact that the creators can see the data and use it to understand how the model continues to train and grow. Once a user shares information with ChatGPT, that information becomes part of the next model. 

"As organizations want to enable use of powerful tools like ChatGPT, they should explore options that allow them to leverage a privately trained model so their valuable data is only used by their model and not leveraged by iterations on training for the next publicly available model."

Samsung Engineers Feed Sensitive Data to ChatGPT, Sparking Workplace AI Warnings

Microsoft and others are doubling down on incident response, adding services and integrating programs to make security analysts and incident response engagements more efficient.

Incident response is shifting from a service that organizations hope they never need to a capability that every business aims to have, and a variety of companies — from consulting firms to insurance companies to cloud providers — are preparing to take advantage of the trend.

In late March, Microsoft announced that the company would focus its generative AI offering, Copilot, on helping companies triage and respond to incidents, with an aim toward bolstering organizations' incident-response capabilities. The company also announced that it would start offering incident response services and consulting on cybersecurity posture as a retainer to companies upon request.

The announcement marks a significant change at Microsoft. In 2019, Microsoft labeled its incident response team — known then as the Detection and Response Team (DART) — as the "cybersecurity team we hope you never meet." Now the team hopes to meet clients on a regular basis.

The moves are about offering the right services to improve incident response capabilities across the board, says Ping Look, director of the Microsoft Incident Response Team.

"We intend to build our customer base and give our customers more flexibility," she says. "Really, I think it's a growth inflection point."

**Building IR Relationships**

Microsoft is not alone. Incident response services have taken off, and the companies that offer them are looking to build relationships rather than one-off engagements. Google bought incident response bellwether Mandiant in 2022, adding to its other incident response-focused acquisitions of Siemplify and Chronicle and its security advisory services. Consulting firms Deloitte, Booz Allen, Kroll, and PricewaterhouseCoopers have long offered incident response, while managed service firms such as CrowdStrike and Secureworks have focused expertise. Large business-technology and service firms — such as IBM, AT&T, Verizon, and Palo Alto Networks — have also long been players in the incident response space.

Even with the extensive list of players, however, the demand for services continues to skyrocket, says Jurgen Kutscher, executive vice president for services at Mandiant.

"The demand always seems to outpace the supply, so I do believe there's plenty of work for all of these organizations because the threats keep changing," he says. "The organizations that are being targeted, especially when you look at much more opportunistic attacks, like ransomware and similar types of attacks — anybody could be a target."

**Incidents Extend into the Cloud**

Microsoft and Google are well-positioned because more attacks are impacting assets in the cloud — in an area where both companies have significant expertise — in part because business infrastructure and data have sprawled out into the cloud, or usually multiple clouds.

A few years ago, for example, a quarter of the attacks investigated by Palo Alto Networks, a network security and incident response provider, involved cloud assets; now, approximately half are cloud-related, says Sam Rubin, vice president of Palo Alto Networks' Unit 42 threat intelligence and incident response group. The company collects more than 500 billion security events per day from endpoint agents, network appliances, and cloud telemetry, he says.

Rubin does not expect that trend to slow, which can make incident response a challenge.

"It's very hard for organizations to only live and operate in one cloud environment, and even if most of your workloads are in the cloud, there are still systems at headquarters, there's still users with endpoints," he says. "We believe that having somebody who can cut across the entire environment, the headquarters, the remote users, and the cloud — whatever the case may be — that is going to remain an important strategy for securing the enterprise."

While Microsoft and other companies aim to use generative AI to process incidents faster and present incident responders with analyses in near real time, the efforts are largely aspirational at this point. Handling that data with large language models (LLMs) and other forms of advanced machine learning will require a great deal of development and learning, says Pete Shoard, vice president at business intelligence firm Gartner.

"Automated response for complex security incidents is absolutely a long, long way out," he says. "Where AI will help greatly is in that area of task-based automation, finding the right kind of information quickly, and providing a lot more information for the humans to be able to do their job more efficiently and effectively."

**Insurance and Legal Remain Driving Forces**

Corporate legal requirements and cyber-insurance policies have an outsized impact on incident response. Often, the first call for an engagement comes not from a company executive, but from an outside counsel hired to handle the crisis (often because attorney-client privilege shields a company from legal discovery). In other cases, an insurance company would bring in incident responders to help reduce the cost of recovering from a breach and to assess the security of a policyholder.

Legal counsel and insurance firms will likely continue to push for incident response retainers as a way to make sure that companies are doing a base level of training and preparation every year. That can create a net benefit, says Jess Burn, a security analyst with Forrester Research.

"Insurance firms are asking if you're doing incident readiness and incident preparedness exercises as part of your application or policy," she says. "Those same incident response firms can do assessments and tabletop exercises at the technical and executive level — and all of those things can help them, and you, really understand your environment."

Overall, companies that have incident response team and a tested incident-response plan save an average of 58% of the costs of mitigating a data breach, or about $2.6 million for large companies, compared with companies that have neither a team nor a well-tested plan, according to IBM's "2022 Cost of a Data Breach" report.

In the end, everyone can save when the incident response firm and the clients have an ongoing relationship, says Mandiant's Kutscher.

"Having organizations consulting with business partners and with cyber-insurance companies so that they don't just put out the fire, but then working with the organization to reduce the risk of having a similar event happen again, is very, very critical," he says. "That's something that the cyber-insurance industry is definitely driving toward."

**The Future Is Pre-Crime (Pre-Incident, That Is)**

Another benefit from the ongoing relationship with an incident response vendor is that companies will know what they need to have in place for effective incident response. With ongoing advice and expertise from incident response firms, when an attack happens, the incident response firm will know the company has retained the right data, which helps immeasurably in the investigation.

"When they do need us for incident response, we are not coming in cold and coming up to speed in a live-fire situation," Palo Alto's Rubin says.

Even companies with their own security operations center, which would not have qualified for Microsoft's DART services, will now be able to put the incident response group on a retainer, says Microsoft's Look.

"We want to be able to take care of our customers, even if they're not using our Microsoft security staff," she says. "Because that's where we primarily deliver our investigations from, using telemetry that comes in through that. But we're expanding well beyond that too — not as fast as I would like, but we're getting there."

Renewed Focus on Incident Response Brings New Competitors and Partnerships

The marketplace for malicious Google Play applications and app-takeover tools is thriving, thanks to novel hacking techniques and lax enterprise security.

Cybercriminals are finding ways around the official Google Play app store's security, developing tools for trojanizing existing Android applications and selling their malicious wares for up to $20,000 a piece on cybercrime markets.

In an April 10 blog post, researchers from Kaspersky published the results of a broad study of nine of the most popular Dark Web forums. Tracking activity from 2019 and 2023, they found a thriving marketplace of buyers and sellers trading access to app developer accounts, botnets, and malicious Android applications, sometimes for thousands of dollars at a time.

In some cases, particularly useful wares — like source code that can burrow you into an existing cryptocurrency or dating app on Google Play — are going for multiple thousands of dollars.

"It's an infinite cat and mouse game," Kaspersky researcher Georgy Kucherin says of Google's app security. "The attackers find a way to bypass security scanners. Then the people developing the security scanners deploy patches to ensure that doesn't happen again. Then the attackers find new flaws. And it goes on and on."

A Google spokesperson tells Dark Reading, “Google Play has policies in place to keep users safe that all apps must adhere to. All Android apps undergo security testing before appearing in Google Play. We take security and privacy claims against apps seriously, and if we find that an app has violated our policies, we take appropriate action. Users are also protected by Google Play Protect, which can warn users or block identified malicious apps on Android devices.”

**The Marketplace for Google Play Hacks**

Any software uploaded to Apple's or Google's app stores is subject to rigorous vetting.

"But just like any security solution that exists in the world, it's not 100% effective,” according to the Kaspersky researchers. "Every scanner contains flaws that threat actors exploit to upload malware to Google Play."

Generally speaking, there are two common ways to sneak malware onto an app store.

Method number one involves uploading a perfectly harmless app to the marketplace. Then, after it's approved — or, even better, after it's accrued a substantial-enough audience — hackers push an update containing malicious code.

Alternatively, hackers might compromise legitimate app developers, latching onto their accounts to upload malware to existing apps. App developer accounts can be cracked more easily without strong password policies and two-factor authentication in place. In some cases, credential leaks can do most of the job for the hackers, providing the logins necessary for breaching accounts and sensitive corporate development systems.

Depending on the developer, access to a "GP" (Google Play) account might only cost as little as $60, as seen in the example Dark Web listing below. But other, more useful accounts, tools, and services come with much higher price tags.

For instance, because of the power they afford, loaders — the software necessary to deploy malicious code into an Android app — can go for big money on the cybercrime underground. This listing offered loaders for rent or development for up to $5,000 each.

Source: Kaspersky’s Securelist blog

Well-resourced criminals might shell out for a premium package, like the source code for a loader.

"You can do whatever you want with that — deploy it to as many apps as you want," Kucherin explains. "You can modify the code as much as you want, adapting it to your needs. And the original developer of the code may even provide support, like updates for the code, and maybe new ways to bypass security measures."

This full-service Google Play hacking suite can run you up to $20,000.

**How Businesses Can Protect Against Google Play Threats**

The threats in Google Play are of particular concern to organizations with weak enterprise security. Kucherin points out that many businesses still have lax bring-your-own-device arrangements in place, which extend the security perimeter beyond corporate networks and into the hands of employees, literally.

"Say an employee installs a malicious app on the phone," Kucherin posits. "If this app turns out to be a stealer, cybercriminals can get access to, for example, corporate emails or sensitive corporate data, then they can upload it to their servers and sell it on the Dark Web. Or even worse: An employee might keep their passwords in, for example, their phone's notes app. Then hackers can steal those notes and get access to corporate infrastructure."

There are two simple ways to prevent such an outcome, he adds.

For one "you can teach the employees cyber-hygiene principles, like to not download apps that are not trusted," Kucherin says.

That may not be enough, though, so "another thing you can do — though it's more expensive — is give your employees a separate phone, which they will use only for purposes of work. Those devices will contain a limited number of apps — just the essentials like email, phone, no other apps allowed."

Just as it is for the cybercriminals, you have to pay more to get more, he notes: "Using dedicated work devices is more effective, but more expensive."

Apps for Sale: Cybercriminals Sell Android Hacks for Up to $20K a Pop

Unpatched Macs, iPhones, and iPads open to browser takeover and system kernel-level malicious code execution, Apple warns.

On April 7, Apple released two security updates warning about two zero-day vulnerabilities under active exploit in the wild. By April 10, those were added to the Cybersecurity and Infrastructure Security Agency (CISA) known exploited vulnerabilities (KEV) list.

The impact of the two vulnerabilities is widespread, affecting macOS Ventura 13.3.1 for Apple Macs, in addition to the iOS 16.4.1 and iPadOS 16.4.1 operating systems used to run iPhones and iPads, according to Apple.

The first bug, CVE-2023-28205, is a flaw in Apple iOS, iPad OS, macOS, and Safari WebKit that could lead to code injection while processing malicious Web content, CISA explained. The second, CVE-2023-28206, affects Apple iOS, iPadOS, and macOS IOSurfaceAccelerator that, worryingly, could allow a malicious app to execute code with kernel privileges, CISA said.

Apple has issued updates for iOS 16 and iPad OS 16. Other macOS versions including Big Sur Monterey, and Ventura have patches that need to be installed, and as Sophos pointed out in a separate advisory, it's still unclear whether the bugs will impact iOS 15 users with older devices.

Both issues were reported by Clément Lecigne of Google's Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International's Security Lab, giving cybersecurity experts reason to believe the flaws are being exploited by state actors to deploy spyware.

"It is interesting that Amnesty International's Security Lab was one of the organizations involved in finding reporting the issue," Mike Parkin, senior technical engineer with Vulcan Cyber explained in a statement provided to Dark Reading. "While Apple hasn't said much about the exploits, it seems likely, given the reporting and earlier history, that the exploits were deployed by state-level threat actors."

Pair of Apple Zero-Days Under Active Exploit; Patch & Update Accordingly

When ransomware strikes, how much should you gamble on your resources and opponents' intentions? Here's how to deal yourself a rational, informed way to weigh your options after an attack.

When it comes to the ransomware game, it's worth comparing it to another high-stakes activity, poker. It's important for organizations to understand what they're gambling with when they decide whether or not to "negotiate with terrorists."

There's still a certain secrecy or even shame attached if an organization decides to pay the ransom to unlock systems and files — which can cost anywhere from thousands to millions of dollars. However, there shouldn't be, according to Brandon Clark, CEO and founder of cybersecurity consulting firm Triton Tech Consulting. 

He should know, as his security strategy and compliance practice — with expertise in business continuity and disaster recovery — often deals with clients who have to clean up the mess that ransomware attacks leave behind.

"Let's say if you have a hardware failure and a vendor comes in and says, 'We can get you back up and running for a grand total of a million dollars,'" he says, referring to ransomware negotiation services. "It would be unfortunate — and that would be bad press and nobody wants to see that — but there would also be a fair amount of, 'Yeah, that happens.'"

Ransomware also happens, to organizations both large and small. They're then faced with a complex dilemma encompassing not only practical, logistical, and business consequences, but also emotional ones — especially if reputations (or even lives, in healthcare settings) are at stake, when systems go down.

**Ransomware Response: Know When to Fold 'Em

"There is a lot of moral ambiguity," says Clark, who plans to present a session at this month's RSA Conference 2023 that lays out a rational strategy for navigating ransomware response. 

When ransomware actors target hospitals with potentially life-threatening attacks, for example, "what's the moral obligation we have to our customers to get our customers back up and running?" he asks. "If systems are down with ransomware and a patient dies, should they have paid the ransom just to have their systems back?"

    

Triton Tech's Brandon Clark will discuss ransomware response and poker at RSAC 2023.

And while poker and ransomware may not seem to have much in common, they are both activities in which a lot of money can be won or lost, Clark says. Just like each poker player and game is unique, so is every ransomware scenario, which means there is no one-size-fits-all solution for every organization.

Deciding whether or not to pay a ransom, then, must be an informed decision that takes various factors into account without the knee-jerk response of balking at giving attackers what they want purely because it's not seen as the right thing to do, he says.

****Know Who's at the Poker Table & When They Bluff**

When deciding whether or not to pay a ransom, an organization should take a similar approach to a poker player sitting at a table, Clark says. That is, it should have an idea of with whom it is playing, along with a knowledge of the typical aspects of the game, such as how much money is at stake.

"When you're at a poker table, the cards are important, but the person sitting across from you is even more important," he says. "We need to be making an informed decision about who we are playing against."

Thus, threat intelligence is a key aspect of this, he says, because you need to know if your opponent could be bluffing. For instance, if the ransomware attacker involved has a reputation for claiming to have exfiltrated data when it hasn't, or if it is known for not unlocking files even after a ransom is paid, those are things to take into consideration.

"\[Companies ask\], 'if we pay the ransom, how do I know if they're going to lock us out again?'" Clark notes. "The answer is: You don't. That's when the threat intelligence piece is super important."

Organizations also need to know what's at stake — such as knowing what your system resiliencies are, what it's going to cost if something is not available — as well as what resources they have available to recover systems on their own, such as if they have good backups and segmentation tools, he says: "All of that goes in together to help you make an informed business decision."

For example, if a ransomware attacker is asking for $5 million but it's going to cost a company $70 million or $100 million to recover its data on its own, the question becomes, "Why aren't we paying that?" Clark says. "On the flip side, if it's only going to cost us $5,000, why would we pay that $5 million?"

Ultimately, it's up to the organization involved to decide, based on multiple factors, which route to take to recover from a ransomware attack — just as a poker player can go in several directions once a hand is dealt, Clark says.

"You can say, 'do I raise,' that is, are we are going to go this alone — and that's what a lot of companies do," he says. A company can also do the poker equivalent of folding by giving in and deciding that the data kept in some lost systems is not worth the cost to recover them, and thus rebuild them from scratch, Clark says.

**Upping the Ante on Cyber Defense**

In the meantime, there are a number of ways a company can put itself in a more empowering position to negotiate — or not — before a ransomware attack even happens, Clark says. Some of the advice is obvious, such as implementing secure passwords and multifactor authentication (MFA), so systems aren't breached in the first place, he says.

And in many instances, phishing remains the primary way that attackers gain access to user credentials and thus enterprise systems, so "making sure you have strong controls around that" in the form of email filtering and security awareness "is incredibly helpful," Clark says.

One recommendation that he says many organizations don't implement very often yet is to have "some sort of Dark Web scanning or threat intelligence" in place to identify when credentials for an enterprise user have been compromised, he says.

Organizations also should engage in ransomware-impact analysis using a ransomware simulation tool that they can develop alongside security consulting experts, he explains. This can help them understand better how to react if the situation arises, as there is not a lot of time to do a risk assessment in the immediate aftermath of an attack.

Regarding backups, which organizations cite as a surefire way to recover systems on their when they lose data to ransomware, Clark advises that organizations take a cautious approach to betting too much on them, versus paying a ransom or another alternative solution.

"According to some of the research we've seen, most of the attackers are in the environment up to 10 months before they detonate," he says. This means that's there's a good chance there is already malware in an organization's backups, Clark adds.

"You need to make sure you're working with a forensics team when you restore," he advises, "so you don't end up redeploying malware from seven months ago."

High-Stakes Ransomware Response: Know What Cards You Hold

A hacktivist group working with Russia claims it breached DELTA, the Ukrainian battlefield management system (BMS).

The Joker DPR threat group has been around and functioning as an arm of the Russian state since 2019, largely focused on spreading disinformation and leaking sensitive Ukrainian government and military secrets stolen by insiders friendly to Russia. Its goal is undermining people's confidence in the country's institutions, but no one should be fooled into thinking Joker DPR is a sophisticated group of super-hackers — it's not.

In its own words, Joker DPR wants to "destroy the clowns" running Ukraine's government ("DPR" is the English acronym for a separatist group in eastern Ukraine called Donetsk People's Republic). And in November, it made a startling claim that would seem to further that agenda — that it had real-time access to DELTA, the Ukraine military's battlefield management system (BMS). If true, this would have given the group insights into military planning for the Armed Forces of Ukraine (AFU).

However, according to new analysis from Recorded Future, that claim was vastly exaggerated.

**Exaggerated Access to Ukraine's Troop Movement Data**

Recorded Future and other cybersecurity experts were dubious about the hacktivist group's allegations and found after analysis of Joker DPR's "proof" of compromise that instead of gaining full access, the threat group is far more likely to have access to an individual user account.

The distinction hardly mattered to Joker DPR, since Russian media quickly picked up the story and proclaimed that the Russians had a full backdoor into Ukraine's DELTA system.

After the claim of compromise, AFU commanders might choose not to use the sophisticated system on the battlefield — a win for Russia. The Recorded Future researchers said they have sources which show that this tactic was effective.

"Given that the breach was unlikely to have occurred in the manner Joker DPR described, in real terms, the greatest damage Joker DPR could have inflicted was through the assertion of the breach's existence," the Recorded Future researchers added. "Joker DPR was essentially claiming that it had real-time access to the BMS."

The report added that the fact that Russian media was so eager to pick up the story further signals Joker DPR didn't actually have the access to DELTA as claimed. If it had real-time intel into the AFU's movements, Russia would not be so quick to give away their advantage, Recorded Future's research explained.

**Don't Believe the Hacker Hype**

Although the group wants to give the impression of being a band of super hackers, in reality, the group hasn't displayed dazzling hacking abilities, according to Recorded Future's analysis.

"Put simply, the group does not appear to specialize in hacking, and it will 'take what it can get' to support its information agenda," a researcher who prefers to remain anonymous from Recorded Future tells Dark Reading. "Joker DPR first and foremost specializes in information operations, and any cyber activity that occurs within the umbrella of the group is only meant to support those operations."

That makes it tricky to try and predict Joker DPR's next target.

"Joker DPR's activities suggest the group is more opportunistic with its cyber activity, using its platform to amplify news of compromises in an effort to undermine the credibility of the Ukrainian government and military," Recorded Future's researcher says. "This is in contrast to groups like Killnet that display consistency in their tactics, techniques, and procedures (TTP) and targets."

The likelihood of international law enforcement reaching Joker DPR in Russia is small, but Recorded Futures' analysis hopes to raise the group's profile to help protect Ukraine's forces from Russian-aligned groups, as well as push pack against ongoing Russian disinformation campaigns.

Source

DARKReading