The Play ransomware group was spotted exploiting another little-known SSRF bug to trigger RCE on affected Exchange servers.

The operators of a ransomware strain called Play have developed a new exploit chain for a critical remote code execution (RCE) vulnerability in Exchange Server that Microsoft patched in November.

The new method bypasses mitigations that Microsoft had provided for the exploit chain, meaning organizations that have only implemented those but have not yet applied the patch for it need to do so immediately.

The RCE vulnerability at issue (CVE-2022-41082) is one of two so-called "ProxyNotShell" flaws in Exchange Server versions 2013, 2016, and 2019 that Vietnamese security company GTSC publicly disclosed in November after observing a threat actor exploiting them. The other ProxyNotShell flaw, tracked as CVE-2022-41040, is a server-side request forgery (SSRF) bug that gives attackers a way to elevate privileges on a compromised system.

In the attack that GTSC reported, the threat actor utilized the CVE-2022-41040 SSRF vulnerability to access the Remote PowerShell service and used it to trigger the RCE flaw on affected systems. In response, Microsoft recommended that organizations apply a blocking rule to prevent attackers from accessing the PowerShell remote service through the Autodiscover endpoint on affected systems. The company claimed — and security researchers agreed — that the blocking rule would help prevent known exploit patterns against the ProxyNotShell vulnerabilities.

**Novel New Exploit Chain**

This week, however, researchers at CrowdStrike said they had observed the threat actors behind Play ransomware use a new method to exploit CVE-2022-41082 that bypasses Microsoft's mitigation measure for ProxyNotShell.

The method involves the attacker exploiting another — and little-known — SSRF bug in Exchange server tracked as CVE-2022-41080 to access the PowerShell remote service via the Outlook Web Access (OWA) front end, instead of the Autodiscover endpoint. Microsoft has assigned the bug the same severity rating (8.8) as it has for the SSRF bug in the original ProxyNotShell exploit chain.

CVE-2020-41080 allows attackers to access the PowerShell remote service and use it to exploit CVE-2022-41082 in exactly the same way as they could when using CVE-2022-41040, CrowdStrike said. The security vendor described the Play ransomware group's new exploit chain as a "previously undocumented way to reach the PowerShell remoting service through the OWA frontend endpoint, instead of leveraging the Autodiscover endpoint."

Because Microsoft's ProxyNotShell mitigation only blocks requests made to the Autodiscover endpoint on Microsoft Exchange server, requests to access the PowerShell remote service via the OWA front end will not be blocked, the security vendor explained. 

CrowdStrike has christened the new exploit chain involving CVE-2022-41080 and CVE-2022-41082 as "OWASSRF."

**Patch Now or Disable OWA**

"Organizations should apply the Nov. 8, 2022, patches for Exchange to prevent exploitation since the URL rewrite mitigations for ProxyNotShell are not effective against this exploit method," CrowdStrike warned. "If you cannot apply the KB5019758 patch immediately, you should disable OWA until the patch can be applied."

Microsoft did not respond immediately to a request for comment.

CrowdStrike said it discovered the new exploit chain when investigating several recent Play ransomware intrusions where the initial access vector was via a Microsoft Exchange Server vulnerability. The researchers quickly found that Play ransomware attackers had exploited the ProxyNotShell RCE vulnerability (CVE-2022-41082) to drop legitimate payloads for maintaining access and performing anti-forensics techniques on compromised Microsoft Exchange Servers. 

However, there was no sign that they had used CVE-2022-41040 as part of the exploit chain. CrowdStrike's further investigation showed that the attackers had used CVE-2022-41080 instead.

The security vendor's recommendations to organizations for reducing their exposure to the new threat includes disabling remote PowerShell for nonadministrative users where possible and using EDR tools to detect Web services spawning PowerShell processes. The company has also provided a script that administrators can use to monitor Exchange servers for signs of exploitation.

Ransomware Attackers Bypass Microsoft's ProxyNotShell Mitigations With Fresh Exploit

**CHICAGO****,** **Dec. 21, 2022** **/PRNewswire/ --** Heartland Alliance ("Heartland"), a social justice and human rights organization headquartered in Chicago, Illinois, has experienced a data security incident that may have involved personal and protected health information belonging to employees, directors, independent contractors, and certain individuals who sought health care or participated in other Heartland programs.

Heartland is not aware of misuse of any information impacted by this incident. Nevertheless, out of an abundance of caution, beginning on December 15, 2022, Heartland provided notice of the incident to potentially affected individuals, including information about steps they can take to protect their personal and protected health information.

For context, on or around January 26, 2022, Heartland discovered a potential data security incident impacting certain systems. Upon discovering the incident, Heartland immediately secured its network and engaged cybersecurity experts to investigate. The investigation revealed that certain personal information may have been accessed without authorization. The potentially affected personal and protected health information included names, dates of birth, Social Security numbers, driver's license numbers, bank account numbers, and some pieces of medical or health information. Different information on this list may have been accessed for different people.

In addition to the notice sent to potentially affected individuals, Heartland is offering complimentary credit monitoring and identity protection services, as well as providing a toll-free call center to answer questions about the incident and address related concerns. Representatives are available Monday through Friday from 8:00 AM to 8:00 PM Central Timeat (833) 896-6542.

The privacy and security of personal and protected health information are very important to Heartland. Immediately after we learned of this incident, we enhanced our IT security by adding new threat detection software, monitoring, and sign-in protocols. We deeply regret any inconvenience or concern this incident may have caused.

SOURCE Heartland Alliance

Heartland Alliance Provides Notice of Data Security Incident

Organizations can start by integrating functions like detection, prioritization, and remediation on to a single platform.

Cloud transformation often occurs simultaneously across siloed organizational units and groups, each potentially using a different cloud for their applications and workloads. However, taking inventory of all their cloud resources and building a compliant, secure, simple, and unified strategy has become a common challenge.

It wouldn’t be surprising to see an organization with most of its workloads in AWS using Microsoft 365 and Azure Active Directory while also heavily using Google Cloud GKE and Big Query. On top of that, Oracle Cloud may also be in the mix with some autonomous database offerings. As cloud adoption matures in an organization, and as smaller cloud providers gain traction, the mix of services and cloud platforms becomes incredibly diverse and complex. In light of these challenges, organizations must still find ways to govern and secure their entire cloud infrastructure.

The answer? A framework that works across all clouds to unify detection, prioritization, and remediation of the most impactful risks facing the organization.

****Identities and Authentication Keys****

Diving into a use case around cloud identity authentication keys for access, let’s see how you can protect your organization’s crown jewels in your multicloud environment. In the cloud world, identity is perhaps the most critical cloud object to govern, monitor, detect, and remediate. Compromising a cloud identity has the largest blast radius since, frankly, the public cloud is just a bunch of public APIs that respond to authenticated requests.

Authentication keys are cryptographic entities attached to an identity that allow you to issue authenticated API requests from the Internet. Hence, these keys call for the undivided attention of any governance and security strategy. However, each cloud provider defines identity in a different way, with a completely new set of capabilities and risks.

    

The idea here is to think of an organization that wants to enforce the following policy: “Authentication keys should be rotated every 90 days, and every 30 days if they enable personally identifying information access.” This seemingly simple policy would need to take four different implementations, depending on which cloud it’s using. Additionally, the security admin would need to tailor specific policies, such as limiting the number of concurrent keys (not relevant to AWS) or enforcing expiration dates upon key creation (not relevant for secrets).

The same concept applies when an organization tries to enforce “do not allow public access to storage objects” or “only build workloads from images that are up to date.”

****Building, Securing, and Governing the Cloud****

While each cloud is unique, foundationally, they are not so different. They all have a concept of a computer instance, object and file storage, and both human and nonhuman identities, each of which can be assigned permissions. As a result, the multicloud infrastructure calls for unification between building, securing, and governing the cloud.

When building cloud deployments, organizations rely on infrastructure as code (IaC) languages like HashiCorp’s Terraform to create a unified approach to address cloud objects. Think of IaC as a higher-level language over the lower-level cloud-specific API calls.

The parallel higher-level language for securing and governing the cloud is the cloud-native application protection platform (CNAPP). CNAPP converges tools like cloud security posture management, cloud infrastructure entitlement management, cloud workload protection platform, configuration management database, and others, providing complete security for your cloud, spanning the cloud development lifecycle from build time to run time. CNAPP provides a single pane of glass for all your cloud environments.

These solutions provide a complete inventory of your cloud assets, as well as visibility into potential security gaps and risks, correlating across a broad range of signals including misconfigurations, vulnerabilities, Internet exposure, excessive permissions, and more.

Through a CNAPP, teams can enable unified detection, investigation, and enforcement of common cloud objects, as well as pitfalls such as exposed storage, unpatched compute instances, and more. Ideally, a single UI workflow allows you to enforce multicloud organization policies such as “block public access for cloud storage” or “isolate compute instances that accept traffic from the Internet and expose a service with critical vulnerabilities.”

Here are additional best practices and recommendations for securing your cloud footprint:

*   Decide whether to measure against a security framework like NIST or CIS, or your own internally developed policies. Implement these policies across the development lifecycle, with explicit definition of where to enforce action-blocking guardrails. A CNAPP can help you accomplish this.
*   Ensure your security team is diversified in terms of multicloud knowledge, e.g., AWS, Azure, and GCP.
*   Implement identity best practices, such as single sign-on and multifactor authentication, via your organization’s existing IAM provider, whenever possible. Avoid the use of cloud-specific local identities to access the cloud from the Internet.
*   Define the unified view as a prerequisite for procurement of cloud security tools. Ideally, choose tools that enable a unified approach of enforcing organizational policies across clouds.

Cloud transformation has become a vital initiative for many organizations. As you go through the cloud transformation journey, remember that your approach to security (and the tools you use) must transform as well. Whether you’re unifying siloed tools, security and DevOps teams, different cloud vendors, management, or policies and languages, bringing tools together and enforcing commonalities will benefit your organization in the long run.

Read more _Partner Perspectives_ from Zscaler.

Best Practices for Securing and Governing Your Multicloud Deployment

Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.

What secrets might be released with a quick peck under the combination lock? For that we need a cybersecurity-related caption. Here are four convenient ways to submit your ideas before the Jan. 11, 2023, deadline.

*   Email _\[email protected\]_ with the subject line "Dark Reading December Toon."
*   Via social media: Twitter, Facebook, and LinkedIn. (If you win, we'll respond to you on the same platform, requesting your email address_._)

**Last Month's Winner**

We had many excellent caption contenders for last month's "Fall Cleanup" contest. (Thanks to all who participated.) But since we had to pick a favorite (below), congratulations go to Dark Reading reader "Rita." A $25 gift card is on the way.

    

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Name That Toon: Kiss and Tell

Trend Micro will be joining Google's App Defense Alliance (ADA) to help improve their ability to identify malicious apps before they are published to the Google Play store.

Google has announced Trend Micro will be joining their App Defense Alliance (ADA) to help improve their ability to identify malicious apps before they are published to the Google Play store. Trend Micro will be pre-scanning apps utilizing our Mobile App Reputation Service (MARS). We’re proud to be asked to support this alliance and join the other members who are part of this program which supports Trend Micro’s mission to make the World safe for exchanging digital information.

MARS, was initially developed and launched in 2012. protects our mobile customers by supporting a reputation service that checks any apps on their mobile devices. This uses a process whereby a query is sent by the customer to MARS, which then responds with a detection of whether the app is good, bad, or unknown. If unknown, we utilize threat intelligence to quickly make a determination. MARS received over 47 billion queries in 2021, resulting in 37 million malicious app detections. As of September 2022, MARS has received over 36 billion queries and made 27 million detections.

Trend Micro mobile researchers are regularly publishing articles and reports on mobile threats to help people better understand what this threat landscape looks like. Trend Micro will continue to invest in our research and development both in human capital and technology like artificial intelligence and machine learning to improve the mobile ecosystem. As one of the largest pure cybersecurity vendors in the world, this investment and focus allow us to protect both our partners like Google and our customers from cyber threats targeting them.

As more and more consumers rely on their mobile devices and the apps installed for everyday work and play, this partnership will ensure they are protected from malicious actors around the world. Trend Micro looks forward to a long partnership with Google.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Trend Micro Joins Google’s App Defense Alliance

DoJ charges allege they hacked into the taxi dispatch system for profit, selling the ability for cab drivers to skip the line for picking up a fare at JFK terminals.

Two Americans have been indicted for hacking the New York taxi industry.

With the help of two Russian nationals, Daniel Abayev and Peter Leyman are accused by the Department of Justice and the Port Authority of New York and New Jersey of breaching the John F. Kennedy International Airport taxi dispatch system and selling slots to cabbies who wanted to skip to the head of the line to pick up the next airport fare.

New York cabs at JFK airport are required to wait in a holding lot, and line up and pick up the next fare in the order they arrive.

During their intercepted text messages with the Russian nationals, Abayev asked the hackers, "I know that the Pentagon is being hacked, so why can't we hack the taxi industry?"

The DoJ alleges the two, over the course of their fraud, used their unauthorized access to the JFK taxi dispatch to help as many as a 1,000 taxis a day skip the line.

“As alleged in the indictment, these two defendants — with the help of Russian hackers — took the Port Authority for a ride," US Attorney Damian Williams said about the indictments. "For years, the defendants' hacking kept honest cab drivers from being able to pick up fares at JFK in the order in which they arrived."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

'Russian Hackers' Help Fraudsters Hijack JFK Airport's Taxi Dispatch

**Woburn, MA – December 21, 2022 —** According toresults shown by the latest statistics from participantspassing Kaspersky Expert Training courses, the most desired skill IT security professionals wanted to advance in 2022 is the ability to reverse engineer malware.

According to the Burning Glass report, the number of new cybersecurity programs is rapidly growing, but demand for cyber professionals is growing faster and outstripping the supply of skilled workers, as companies now pay more attention to their cybersecurity than previously.

Kaspersky has launched Expert Training, a series of courses for those who want to advance their IT security skills and take them to the next level by learning how to identify threats quicker and with less effort.

Statistics from these training sessions reveal more than 45% of learners were interested in improving their reverse engineering skills demonstrated by beginners and advanced specialists wanting to enhance their knowledge. There was also high demand for Yara rules training, with almost 28% of students enrolled. Additionally, 27% of learners signed up for courses related to incident response, malware analysis, and product security assessment.

Kaspersky Expert Training Portfolio includes eight different programs aimed at InfoSec professionals wanting to improve their skills, and leading managers looking to invest in their SOC & incident response teams. In 2022, more than 2,000 people worldwide enrolled on Kaspersky’s courses, gaining solid knowledge and practical field experience. In total, more than 22,000 hours of hands-on training were spent in virtual skill labs.

“With a constantly evolving threat landscape, it’s vital for IT security specialists to keep their skills up-to-date,” said Victor Chebyshev, lead security researcher at Kaspersky. “Our expert course authors understand how best to handle the threats posed by the malware samples we encounter every day, and they share that knowledge with those doing battle with the evolving dangers of today’s cyber-realities. We do our best to prepare qualified specialists with high-level expertise and help companies best meet their demand for professionals with necessary credentials.”

To learn more about Kaspersky Expert Training, please visit the website.

Kaspersky Research Finds Reverse Engineering Is the Most On-Demand Skill Among InfoSec Specialists

The first step toward securing Kubernetes environments is understanding the risks they pose and identifying the ways in which those risks can be mitigated.

_Editor's note: For more tools and techniques for securing Kubernetes, read our_ _companion article_ _in the DR Tech section._

A few short years ago, not many people had heard of the word "Kubernetes." Today, the open source container tool is becoming increasingly ubiquitous, with a rapidly growing number of businesses using Kubernetes to facilitate a more streamlined and scalable application development process. But as its convenience and scalability lead to greater adoption, protecting Kubernetes environments has become a challenge. Security and IT leaders who want to keep their Kubernetes environments secure must be aware of the three primary classes of risk they face — and how to mitigate them.

**Class 1: Accidental Misconfigurations**

Thus far, accidental misconfigurations have been the most common form of Kubernetes risk — the one most security experts are likely to be familiar with. Misconfigurations can occur anytime a user does something that unintentionally introduces risk into the environment. That might mean adding a workload that grants unnecessary permissions or accidentally creating an opening for someone from the anonymous Internet to access the system. Kubernetes is still relatively new to many, which means it can be easy to make mistakes.

Fortunately, there are several ways to mitigate misconfigurations. Just about everything that happens in Kubernetes automatically produces an audit log, and security teams can monitor those logs for anomalous signs. Many businesses do this by sending the logs to a security information and event management (SIEM) platform, which can identify predetermined signs of misconfiguration. Additionally, tools (both paid and open source) are available that can be used to scan your Kubernetes environment for best practice violations. Once the problem is identified, an alert can be sent to the appropriate party and the problem triaged.

**Class 2: Software Supply Chain**

The most common way software ends up running in Kubernetes is via deployed container images. Those images are deployed to Kubernetes for distribution across the environment, which makes them an ideal target for attackers. In today's world, businesses rely heavily on third-party software with code they didn't write — and anytime a business introduces outside code into its environment, risks are involved. If a compromised image is introduced, that image may proliferate throughout the environment, distributing malicious code wherever it goes.

Thankfully, controls can help. It's always better to identify compromised code _before_ it enters the system rather than remediate it afterward, and consumers can seek out developer security platforms and other solutions capable of scanning code and images to look for signs of malicious code and prevent it from being deployed. That said, it's impossible to prevent everything, which means continuous monitoring at runtime is also important. Keeping an eye out for suspicious behavior or code that comes from an unknown source can help identify potential security threats before they have a chance to escalate.

**Class 3: Active Attacker Compromise**

This type of threat gets the most attention because it's the "flashiest," but, in reality, it's the least common. Yes,  the threat of an attacker specifically working to compromise a business' Kubernetes environment always exists. For now, these instances are rare, but that is likely to change as businesses continue to adopt Kubernetes. There are a number of ways attackers have found success targeting Kubernetes environments. Cross-site request forgery (CSRF) attacks involve convincing an application to make a request on the attacker's behalf, while remote code execution (RCE) attacks convince an application to run a command of the attacker's choice. In both cases, the target is commonly credential data, which the attacker can then use to grant themselves additional access to the environment.

Avoiding this class of risk often boils down to ensuring your software and infrastructure follow security best practices and monitoring to catch potential vulnerabilities. Developer security awareness and education are useful tools, but it's also important to reduce the opportunity for error with security controls — your environment should never be one mistake away from a serious vulnerability. Fortunately, controls are improving. Cloud security posture management (CSPM) tools and static analysis tools can help flag and prevent vulnerabilities before they are deployed. It's also crucial to have visibility and monitoring at runtime to detect issues that slip through the cracks. This can be accomplished by monitoring audit logs and installing container security solutions to detect when something goes wrong at runtime.

**Understand — and Mitigate — Kubernetes Risks**

Kubernetes is still relatively new, but its usefulness has driven rapid adoption. This is great for the developers who use it, but it poses an undeniable challenge for security and IT teams scrambling to keep up. The first step toward securing Kubernetes environments is understanding the risks they pose and identifying the ways in which those risks can be mitigated. With security lagging behind adoption, attackers are beginning to view Kubernetes as an attractive target — and businesses using Kubernetes need to avoid making themselves easy prey.

Understanding the 3 Classes of Kubernetes Risk

The open source container tool is quite popular among developers — and threat actors. Here are a few ways DevOps teams can take control.

_Editor's note: For more about the kinds of vulnerabilities Kubernetes presents and how to address them, read our_ _companion article_ _in The Edge._

Since its initial release in 2014, Kubernetes (aka K8s) has become the standard open source container tool for managing software applications. Kubernetes is cost-effective, offers autoscaling, and can run on any infrastructure. Its benefits are why 85% of IT leaders consider Kubernetes "extremely important" to cloud-native strategies. On top of this, 61% of people use Kubernetes to manage their computer application deployment.

Funso Richard, information security officer at Ensemble, tells Dark Reading that "forward-thinking organizations understand the importance of leveraging containerized microservices to develop scalable and reliable applications as an essential digital transformation strategy" — and Kubernetes has become the leading tool used to achieve this strategy, he adds.

However, Kubernetes also comes with security challenges: It's susceptible to data theft, computational power theft, and denial-of-service (DoS) attacks. Kubernetes' public components (such as kubelets and API authentication) are widely exploited. And threat actors target infrastructure misconfiguration, unpatched software programs, and poor login credentials to gain unauthorized entry to Kubernetes. The vulnerabilities are also widespread. According to Red Hat's "2022 State of Kubernetes" security report, 93% of Kubernetes users experienced at least one security incident in the past 12 months.

As DevOps teams continue to grapple with rising Kubernetes security mishaps, here are a few ways to stay ahead of attackers and keep cloud-native environments secure.

**Securing Kubernetes With Tools**

Kubernetes' security vulnerability affects its efficiency. For instance, concerns over Kubernetes security caused developers to delay application rollouts in 2022, according to Red Hat. Although Kubernetes provides several benefits in application development and container orchestration, says Richard, inadequate security controls expose the open source tool to serious security concerns like misconfiguration, privilege abuse, data exfiltration, credential compromise, exploited public-facing components, and API vulnerabilities. To address these, several Kubernetes security tools have sprung up, including Kubescape, Kube-bench, Kubeaudit, Kube-hunter, and Kyverno.

Kubescape is an open source security platform from ARMO to protect Kubernetes clusters with capabilities such as risk analysis, security compliance, misconfiguration scanning, CI/CD security, RBAC visualizer, and vulnerabilities scanning. One thing that sets Kubescape apart is its library of robust capabilities that aligns with MITRE ATT&CK and NSA-CISA frameworks, says Richard.

"As I track Kubernetes security offerings — both commercial and non-commercial offerings — I haven't come across another offering with the same exact components as Kubescape," agrees Fernando Montenegro, senior principal analyst of cybersecurity infrastructure at Omdia.

Kubescape scans clusters, YAML files, and Helm charts for vulnerabilities either directly or via CI/CD integrations. The idea of scanning infrastructure-as-code (IaC) templates is well-popularized across the industry, says Montenegro. Most IaC scanning is done for cloud resources like Amazon's CloudFormation, HashiCorp's Terraform, and others, with Kubernetes scanning being a more specialized use case, he adds.

There are other offerings in the market — like Red Hat's StackRox (acquired in 2021), Tenable's Terrascan, and Palo Alto Networks' Checkov — offering similar capabilities as Kubernetes.

**Implementing Best Security Practices in Kubernetes**

Richard notes that adherence to cybersecurity fundamentals remains the bedrock of any security effort. While Kubescape is undoubtedly a powerful Kubernetes security tool, he believes developers can effectively secure their Kubernetes clusters by following the basics: implementing proper cluster configuration, pod security standards and policy enforcement, network segmentation, vulnerability scanning, periodic policy reviews, and security audits. "Containers should run with the least privileges and only necessary services, while role-based access controls should be in place to manage user access," Richard says.

While Montenegro says there are several Kubernetes best practices for DevOps and DevSecOps teams to follow, he notes that the following practices must be top on their priority list:

*   **Think about security early on:** Collaborate with your developers/architects to work through a proper threat modeling.
*   **Work with embedding security throughout the application lifecycle:** Security is an end-to-end process, from providing on-the-spot security advice and functionality for a developer working through the code in their development environment, through making sure security tests are part and parcel of the integration stages, then adding the necessary runtime protections to monitor workloads in production.
*   **Safely store Kubernetes secrets:** Implement features like proper namespace separation, use of role-based access control (RBAC).

As Kubernetes grows in adoption, IT teams can avoid security pitfalls by using tools like Kubescape and StackRox, as well as following the best security practices for securing their critical Kubernetes assets.

How to Run Kubernetes More Securely

The malware has resurfaced, using an icon and name similar to the legitimate Google Play app MYT Music, a popular app with more than 10 million downloads.

A type of Android malware that's been targeting banking users worldwide since March has resurfaced with advanced obfuscation methods, masquerading as a legitimate application on the Google Play store with more than 10 million downloads, researchers have found.

Godfather is a banking Trojan that is best known for targeting banking users in European countries, but its latest activity shows an increased sophistication in its ability to fly under the radar of common malware-detection methods, researchers from Cyble Research & Intelligence Labs (CRIL) said in a blog post on Dec. 20.

Once it's successfully installed on a victim's device, Godfather initiates a series of typical banking Trojan behaviors, including stealing banking and crypto-exchange credentials, the researchers said. But it also steals sensitive data such as SMSs, basic device details — including data from installed applications — and the device's phone number, and it can perform a number of nefarious actions silently in the background.

"Apart from these, it can also control the device screen using VNC \[virtual network computing\], forwarding incoming calls of the victim's device and injecting banking URLs," the Cyble researchers wrote.

The latest sample of Godfather that researchers discovered was encrypted using custom encryption techniques that could evade detection by common antivirus products — a new tactic of the threat actors behind the malware, the researchers said.

**Targeting Businesses & Consumers**

Upon further examination, the researchers found that the malware was using an icon and name similar to the legitimate Google Play app MYT Music, which already has logged more than 10 million downloads. Indeed, threat actors often hide malware on Google Play, despite Google's best efforts in the last several years to keep bad apps off its store before users are affected by it.

MYT Music was written in the Turkish language and thus researchers assume the Godfather sample they discovered is targeting Android users in Turkey. However, they suspect other versions of the malware continue to be active and targeting banking users worldwide.

Though banking Trojans tend to affect consumers more than the enterprise, business users are still at risk because they use their mobile devices at work and may even have business apps and data stored on their devices. For this reason, enterprise users should be especially wary of downloading apps from the Internet or opening any links received via SMS or emails delivered to a mobile phone, the researchers said.

Google Play has removed the app, but those with it installed are still at risk.

**How Godfather Pulls Victims' Strings**

Once it's installed on an Android device, Godfather requests 23 different permissions from the device, abusing a number of them to gain access to a user's contacts and the state of the device, as well as information related to the user account. It also can write or delete files in external storage and disable the keylock and any associated password security, the Cyble researchers said.

Godfather can successfully do money transfers from a hacked device through its ability to initiate phone calls through Unstructured Supplementary Service Data (USSD) that don't require use of the dialer user interface, and thus don't need the user to confirm the call, they said.

The malware also extracts sensitive user data from the device — including application key logs — that can be sent back to a command-and-control (C2) server, which also sends Godfather a command that forwards any incoming calls the victim receives to a number provided by the threat actor, the researchers said.

Godfather then harvests credentials: It creates an overlay window in the OnAccessibilityEvent method and injects HTML phishing pages via a separate command from C2, the server URL of which is from a Telegram channel, hxxps://t\[.\]me/varezotukomirza, the researchers said.

Once it completes its malicious activity, Godfather receives a "killbot" command from C2 to self-terminate, they added.

**Avoiding Being Whacked by Godfather**

The most common way to avoid downloading mobile app malware is to download and install software only from official app stores such as Google Play or Apple, the conventional wisdom goes.

However, as this instance proves, malware can lurk in official app stores too, so "practicing basic cyber-hygiene across mobile devices and online banking applications effectively prevents such malware from compromising your devices," the researchers noted in the post, including using a reputable antivirus and Internet security software package on connected devices to ensure anything downloaded is free from malware.

Also, advanced anti-detection methods like the ones the threat actors behind Godfather are using can make even downloading what look like legitimate apps tricky, they said. To further protect themselves, users can utilize strong passwords and enforce multifactor authentication on devices wherever possible, making it more difficult for threat actors to crack into their accounts. 

Android device users also should ensure that Google Play Protect is enabled on their devices for further security protection, the Cyble researchers added.

All mobile device users also should enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device and using apps, where possible, and be especially careful when enabling permissions on devices, especially if an app has not been verified by a reputable provider, they added.

Source

DARKReading