In January 2022, KrebsOnSecurity identified a Russian man named Mikhail Matveev as "Wazawaka," a cybercriminal who was deeply involved in the formation and operation of multiple ransomware groups. The U.S. government indicted Matveev as a top ransomware purveyor a year later, offering $10 million for information leading to his arrest. Last week, the Russian government reportedly arrested Matveev and charged him with creating malware used to extort companies.

In January 2022, KrebsOnSecurity identified a Russian man named **Mikhail Matveev** as “**Wazawaka**,” a cybercriminal who was deeply involved in the formation and operation of multiple ransomware groups. The U.S. government indicted Matveev as a top ransomware purveyor a year later, offering $10 million for information leading to his arrest. Last week, the Russian government reportedly arrested Matveev and charged him with creating malware used to extort companies.

An FBI wanted poster for Matveev.

Matveev, a.k.a. “Wazawaka” and “**Boriselcin**” worked with at least three different ransomware gangs that extorted hundreds of millions of dollars from companies, schools, hospitals and government agencies, U.S. prosecutors allege.

Russia’s interior ministry last week issued a statement saying a 32-year-old hacker had been charged with violating domestic laws against the creation and use of malicious software. The announcement didn’t name the accused, but the Russian state news agency _RIA Novosti_ cited anonymous sources saying the man detained is Matveev.

Matveev did not respond to requests for comment. **Daryna Antoniuk** at _TheRecord_ reports that a security researcher said on Sunday they had contacted Wazawaka, who confirmed being charged and said he’d paid two fines, had his cryptocurrency confiscated, and is currently out on bail pending trial.

Matveev’s hacker identities were remarkably open and talkative on numerous cybercrime forums. Shortly after being identified as Wazawaka by KrebsOnSecurity in 2022, Matveev published multiple selfie videos on Twitter/X where he acknowledged using the Wazawaka moniker and mentioned several security researchers by name (including this author). More recently, Matveev’s X profile (@ransomboris) posted a picture of a t-shirt that features the U.S. government’s “Wanted” poster for him.

An image tweeted by Matveev showing the Justice Department’s wanted poster for him on a t-shirt. image: x.com/vxunderground

The golden rule of cybercrime in Russia has always been that as long as you never hack, extort or steal from Russian citizens or companies, you have little to fear of arrest. Wazawaka claimed he zealously adhered to this rule as a personal and professional mantra.

“Don’t shit where you live, travel local, and don’t go abroad,” Wazawaka wrote in January 2021 on the Russian-language cybercrime forum Exploit. “Mother Russia will help you. Love your country, and you will always get away with everything.”

Still, Wazawaka may not have always stuck to that rule. At several points throughout his career, Wazawaka claimed he made good money stealing accounts from drug dealers on darknet narcotics bazaars.

Cyber intelligence firm Intel 471 said Matveev’s arrest raises more questions than answers, and that Russia’s motivation here likely goes beyond what’s happening on the surface.

“It’s possible this is a shakedown by Kaliningrad authorities of a local internet thug who has tens of millions of dollars in cryptocurrency,” Intel 471 wrote in an analysis published Dec. 2. “The country’s ingrained, institutional corruption dictates that if dues aren’t paid, trouble will come knocking. But it’s usually a problem money can fix.

Intel 471 says while Russia’s court system is opaque, Matveev will likely be open about the proceedings, particularly if he pays a toll and is granted passage to continue his destructive actions.

“Unfortunately, none of this would mark meaningful progress against ransomware,” they concluded.

Although Russia traditionally hasn’t put a lot of effort into going after cybercriminals within its borders, it has brought a series of charges against alleged ransomware actors this year. In January, four men tied to the REvil ransomware group were sentenced to lengthy prison terms. The men were among 14 suspected REvil members rounded up by Russia in the weeks before Russia invaded Ukraine in 2022.

Earlier this year, Russian authorities arrested at least two men for allegedly operating the short-lived **Sugarlocker** ransomware program in 2021. **Aleksandr Ermakov** and **Mikhail Shefel** (now legally **Mikhail Lenin**) ran a security consulting business called **Shtazi-IT**. Shortly before his arrest, Ermakov became the first ever cybercriminal sanctioned by Australia, which alleged he stole and leaked data on nearly 10 million customers of the Australian health giant Medibank.

In December 2023, KrebsOnSecurity identified Lenin as “**Rescator**,” the nickname used by the cybercriminal responsible for selling more than 100 million payment cards stolen from customers of Target and Home Depot in 2013 and 2014. Last month, Shefel admitted in an interview with KrebsOnSecurity that he was Rescator, and claimed his arrest in the Sugarlocker case was payback for reporting the son of his former boss to the police.

Ermakov was sentenced to two years probation. But on the same day my interview with Lenin was published here, a Moscow court declared him insane, and ordered him to undergo compulsory medical treatment, The Record’s Antoniuk notes.

U.S. Offered $10M for Hacker Just Arrested by Russia

Proposals from Google and Apple drastically reduce the life cycle of certificates, which should mean more oversight — and hopefully better control.

Source: ArtemisDiana via Alamy Stock Photo

Shortening the life cycle of Transport Layer Security (TLS) certificates can significantly reduce the vulnerability of websites and hardware devices that require these certificates. TLS certificates are exchanged between Web server and Web client (or server to server) to establish a secure connection and safeguard sensitive data. The majority of today's digital certificates have a time-to-live of 398 days — that's a 365-day certificate with a 33-day grace period, equaling 398 actual days before the certificate expires. If the proposals from Google and Apple are approved, however, that life cycle could drop to 100 days (90 days plus a grace period) or even 47 days (30 days plus a grace period).

It is not unusual to find certificates as short as 10 days or less in DevOps environments, says Jason Soroko, a senior fellow and CTO at Sectigo. Shorter lives are set because the number of days a certificate is live increases the possibility that data will be lost if the certificate is compromised. An expired certificate can lead to denying a browser connection, effectively interrupting the breach and stopping data exfiltration.

**Automated Updates Make Change Easier**

Despite the marked change in how often digital certificates will renew, not much will change operationally for organizations that currently rely on security information and event management (SIEM); security orchestration, automation, and response (SOAR); or some other method for automating the renewal of such certificates, a common setup. In fact, Soroko says, certificate life cycle management (CLM) logs feed into the organization's SIEM and SOAR systems to ensure that the certificates are updated before they expire, which creates business continuity.

Many small to midsize businesses (SMBs) that employ a service provider to manage their networks and network security might already be getting automated certificate updates through CLM services. Organizations using managed service providers or managed security service providers should ask them whether such updates are in place. CLM manages contracts from initiation through renewal. Using CLM software to automate processes can help limit organizational liability and improve compliance with legal requirements.

The only groups that could be significantly affected operationally are those that still manually update certificates. Each time a certificate needs manual updating, errors could be introduced, Soroko says. Instead of the annual updates done today, a 30-day certificate (plus its proposed 17-day grace period) would require 12 updates annually, a multiplier of 12 in introducing errors and increasing risk.

"For smaller companies that don't have unlimited resources to manage their infrastructure, it's going to be quite a wake-up call," says Arvid Vermote, GlobalSign's worldwide CIO and CISO, a Brussels-based certificate and identification authority. "In the past, \[certificate authorities\] have been advocating automation. They have been providing the tools. But why change if it's not needed?"

As the certificates' time to live gradually shrinks, companies doing a manual process will soon realize that automation is not only a quicker way but also a more reliable way to renew certificates.

Updating certificates manually is not easy, Soroko notes.

"It's a very technical task, and it's not difficult to fat-finger it and make an error that takes a website down," he says, adding that most larger enterprises could not afford to have downtime on their Web assets, so they started to deploy CLM rather than manual updates years ago.

Regardless of the size of the company, Soroko says, the organization should automate updates. The technology is "ideally suited for everyone, and not just handing you a cert, but handing you visibility, automation, and discovery of \[digital\] certificates you don't even know you have," he says.

**CLM Casts Light on Shadow IT**

The frequent rotation of certificates means the CLM system will be scanning your environment often for certificates to update — possibly even finding digital certificates the IT department did not have on record, Soroko adds. This happens sometimes when enterprise department heads with signing authority to purchase services acquire software-as-a-service applications and Web services to address operational needs but do not report these services to the IT team.

With rogue applications running on virtual machines, Web servers, load balancers, and other hardware, it can be difficult to identify all elements of shadow IT. However, having the CLM systems constantly monitoring certificates can help identify new hardware, virtual servers, and cloud instances requiring digital certificates that might have been overlooked in the past. A certificate on an unknown device or virtual machine might be identified as an unauthorized connection or breach in progress.

The change in certificate life cycles likely will affect SMBs the most, Vermote says. In fact, this could be a good time for the CISO to go to the board and request funding for automation if they do not already have it.

"\[The\] CISO only gets money from the board if there is an incident," Vermote notes. "CIOs only get money from the board when systems are unavailable. In this case, it's both, because if the board doesn't give them the funding to properly automate and inventories of certificates expire, websites \[and\] legitimate services provided to customers, internal or external, will become unavailable."

Justin Lam, an analyst with 451 Research, says enterprises need to look at digital certificates from a proactive risk management perspective rather than a reactive compliance perspective. While certificates with a longer life always could be revoked in the case of a breach or incident, shorter life cycles mean there is more oversight — and hopefully better control — of certificates that IT might not have been made aware of.

"Many security professionals do not actually own the environments where these things are protected," Lam says.

And while managing all of the tools for cloud security posture management, zero trust, cloud-native application protection, and other security tools falls under the auspices of the CISO, many CISOs do not know when cloud sessions that require digital certificates are spun up. They have the responsibility to defend their networks but not necessarily the visibility into those networks — or the funding to protect everything.

**About the Author**

Contributing Writer

Stephen Lawton is a veteran journalist and cybersecurity subject matter expert who has been covering cybersecurity and business continuity for more than 30 years. He was named a Global Top 25 Data Expert for 2023 and a Global Top 20 Cybersecurity Expert for 2022. Stephen spent more than a decade with SC Magazine/SC Media/CyberRisk Alliance, where he served as editorial director of the content lab. Earlier he was chief editor for several national and regional award-winning publications, including MicroTimes and Digital News & Review. Stephen is the founder and senior consultant of the media and technology firm AFAB Consulting LLC. You can reach him at \[email protected\].

Digital Certificates With Shorter Lifespans Reduce Security Vulnerabilities

About Elevation of Privilege – Windows Task Scheduler (CVE-2024-49039) vulnerability. It was released on November Microsoft Patch Tuesday and showed signs of exploitation in the wild right away. To exploit the vulnerability, an authenticated attacker runs a specially crafted application on the target system. The attack can be performed from an AppContainer restricted environment. Using […]

**About Elevation of Privilege – Windows Task Scheduler (CVE-2024-49039) vulnerability.** It was released on November Microsoft Patch Tuesday and showed signs of exploitation in the wild right away. To exploit the vulnerability, an authenticated attacker runs a specially crafted application on the target system. The attack can be performed from an AppContainer restricted environment. Using this vulnerability, an attacker can elevate their privileges to **Medium Integrity** level and gain the ability to execute RPC functions that are restricted to privileged accounts only.

ESET reports that the vulnerability allowed the RomCom attackers to execute malicious code outside the Firefox sandbox and then launch hidden PowerShell processes to download and run malware from C&C servers.

👾 There is a backdoor code on GitHub that exploits this vulnerability.

На русском

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

About Elevation of Privilege – Windows Task Scheduler (CVE-2024-49039) vulnerability

The vulnerability was first identified in 2014.

****SUMMARY:****

*   **Critical Patch Alert:** Cisco ASA users must urgently address a 10-year-old WebVPN vulnerability (CVE-2014-2120) that attackers are now actively exploiting.

*   **XSS Risk Identified:** The flaw allows unauthenticated attackers to perform cross-site scripting (XSS) attacks via malicious links, potentially compromising sensitive data and injecting malware.

*   **Active Exploitation:** Recent reports highlight that malware like AndroxGh0st is leveraging CVE-2014-2120, prompting Cisco to update its advisory in November 2024.

*   **Government Action Required:** CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalogue, mandating federal agencies to patch it by December 3, 2024.

*   **No Workaround Available:** Upgrading the Cisco ASA software to a patched version is the only solution—reach out to Cisco support or service providers to secure your network.

If you are using a Cisco Adaptive Security Appliance (ASA) for your network security, it is time to patch a critical vulnerability that’s been around, surprisingly, for ten years.

Cisco recently updated an advisory about a security flaw in the WebVPN login page of their ASA software, which can allow an unauthenticated, remote attacker to execute a cross-site scripting (XSS) attack on anyone using WebVPN on the Cisco ASA.

This vulnerability, tracked as CVE-2014-2120, is a medium-severity vulnerability caused due to insufficient input validation of a parameter, which could be exploited by convincing a user to access a malicious link. Clicking this link can force them into giving away sensitive information, hijacking browsing sessions, or even injecting malware. 

The vulnerability itself isn’t new – Cisco originally issued a warning back in March 2014. However, the company’s recent update highlights a concerning development: attackers are actively trying to exploit this decade-old bug. 

In November 2024, the Cisco Product Security Incident Response Team (PSIRT) identified this emerging pattern of new exploitation attempts. This coincides with a report from security firm CloudSEK, which revealed that malware called AndroxGh0st is using CVE-2014-2120 (among others) to spread.

It is worth noting that CISA added CVE-2014-2120 to its KEV (Known Exploited Vulnerabilities) catalogue on November 12, requiring government agencies to address it by December 3, 2024.

The re-exploitation of this flaw shows the need for timely software updates and security patches. Unfortunately, there’s no quick fix or workaround for this vulnerability. Your only protection is to upgrade your Cisco ASA software to a version that includes a patch. Don’t wait – contact your Cisco support channel and get the update process rolling. Upgrading is crucial to ensure your network remains secure. 

Customers with Cisco products that are provided or maintained through agreements with third-party support organizations like Cisco Partner/resellers/service providers should consult their service providers to identify the best workaround or fix for their networks before deployment.

Jason Soroko, Senior Fellow at Sectigo, a Scottsdale, Arizona-based provider of comprehensive certificate lifecycle management (CLM) weighed in on the situation stating, _“_These attacks highlight how technical debt and low cybersecurity maturity can compound risk. Many organizations struggle with basic cybersecurity capabilities, leaving them vulnerable to both historical and emerging threats._“_

_“_If adversaries can exploit older flaws, they will. Addressing the risks associated with legacy systems is imperative, however, it demands investments that many organizations lack the resources to make,_”_ Jason explained.

1.  **Decade Old Software Bug Sets 3000 US Prisoners Free**
2.  **Goldoon Botnet Exploits 9-Year-Old Flaw on D-Link Devices**
3.  **7-Year-Old Pre-Installed Google Pixel App Flaw Risks Millions**
4.  **Intel Broker Cisco Breach: Selling Stolen Data from Major Firms**
5.  **Cisco Web UI Flaw Exploited Massly, Impacting Over 40K Devices  
    **

Cisco Urges Immediate Patch for Decade-Old WebVPN Vulnerability

Europol on Tuesday announced the takedown of an invite-only encrypted messaging service called MATRIX that's created by criminals for criminal purposes.
The joint operation, conducted by French and Dutch authorities under the moniker Passionflower, comes in the aftermath of an investigation that was launched in 2021 after the messaging service was discovered on the phone of a criminal convicted

Europol Dismantles Criminal Messaging Service MATRIX in Major Global Takedown

Another day, another cybercrime operation shut down - this time, Europol has dismantled the MATRIX encrypted messaging service.

****SUMMARY****

*   **MATRIX Encrypted Platform Shut Down**: Authorities dismantled MATRIX, an encrypted messaging service used by criminals.

*   **Millions of Messages Intercepted**: Over 2.3 million encrypted messages were decrypted, exposing serious crimes.

*   **International Raid**: Arrests and server seizures occurred across France, Spain, Germany, and Lithuania.

*   **Sophisticated Criminal Tool**: MATRIX operated on 40+ servers and required invitation-only access.

*   **Big Win for Law Enforcement**: The takedown disrupts organized crime and aids ongoing investigations.

Authorities have dismantled MATRIX, a highly notorious encrypted messaging platform used by criminals for drug trafficking, arms deals, money laundering, and other illicit activities. The operation was carried out by Dutch and French agencies, with support from Europol and Eurojust.

****MATRIX, a Platform Built for Crime****

MATRIX first emerged during the investigation into the 2021 murder of a Dutch journalist. Authorities discovered the platform on the phone of a convicted criminal, initiating a thorough investigation.

According to investigators, MATRIX was explicitly created for criminal use, providing a hidden communication channel for illegal activities on an international scale. The platform’s technical sophistication and customized features made it a go-to tool among organized crime networks.

MATRIX was far more complex than previous encrypted messaging platforms such as Sky ECC and EncroChat. Its creators promoted the service as more secure, requiring invitation-only access and operating through a network of 40 servers spread across multiple countries, including France and Germany.

****MATRIX Goes Down****

According to Europol’s press release, authorities managed to intercept and monitor MATRIX for three months, collecting over 2.3 million messages in 33 languages. These messages revealed a network engaged in serious crimes, including international drug and arms trafficking, as well as money laundering.

On December 3rd, a coordinated operation led to the takedown of MATRIX servers in France and Germany, arrests in Spain and France, and searches in Lithuania. Users logging into the service are now met with a splash page alerting them to the law enforcement intervention.

Jake Moore, Global Cybersecurity Advisor at ESET, praised the operation, telling Hackread.com that the operation highlights law enforcement’s ongoing efforts to combat crime in digital spaces. While obtaining admissible evidence remains a challenge, the disruption caused by the takedown will severely impact criminal networks relying on MATRIX.

“Criminals flourish on hidden and secure communication channels, so for an encrypted service used for illicit means to be shut down is both significant and impressive,” Jake explained. “Capturing evidence will still remain at the heart of the investigation as few prosecutions in cybercrime make it to a court hearing.”

MATRIX’s takedown is the latest in a series of disruptions targeting encrypted platforms used by criminals. Previous operations brought down services like Sky ECC, EncroChat, Exclu, and Ghost, forcing criminal networks to adopt less reliable or custom-built tools.

1.  **Europe’s largest known illegal IPTV op dismantled by police**
2.  **Europol takes down VPNLab used by ransomware operators**
3.  **Europol nabs 106 criminals involved in SIM swapping scams**
4.  **Europol Busts Major Online CSAM Racket in Western Balkans**
5.  **Telegram Founder Pavel Durov Reportedly Arrested in France**

Authorities Take Down Criminal Encrypted Messaging Platform MATRIX

A critical security vulnerability has been disclosed in SailPoint's IdentityIQ identity and access management (IAM) software that allows unauthorized access to content stored within the application directory.
The flaw, tracked as CVE-2024-10905, has a CVSS score of 10.0, indicating maximum severity. It affects IdentityIQ versions 8.2. 8.3, 8.4, and other previous versions.
IdentityIQ "allows

Critical SailPoint IdentityIQ Vulnerability Exposes Files to Unauthorized Access

BCID mitigates the risk of consumers being harmed by fraud and bad actors by vetting to deliver a trusted, branded call experience for consumers.

Source: Andrey Suslov via Alamy Stock Photo

NEWS BRIEF

In an effort to convince consumers that it's safe to answer their phones, root of trust provider SecureG has partnered with CTIA, a trade association that represents the wireless communications industry, on an initiative intended to deliver a secure branded call experience for businesses.

Branded Calling ID (BCID) is an industry-led, standards-based Rich Call Data project to create a secure, interoperable ecosystem in which businesses can embed information like their logos and reason for calling when they reach out to consumers by phone. BCID digital signatures are secured by SecureG's public key infrastructure (PKI) solutions. 

"No one wants to answer their phone because of all the spam and scams, and it is only getting worse now that AI-generated voices can impersonate people and businesses," said Todd Warble, CTO of SecureG, in a statement. BCID has a secure-by-design foundation that enables consumers to trust the authenticity of the brands and intentions of the caller, Warble said.

To secure the caller's brand identity, SecureG provides high-assurance operations of the CTIA Secure Telephone Identity Certification Authority (CTIA STI-CA), Intermediate Certification Authority, and the Certificate Repository. The SecureG trust anchors, secured in hardened concrete bunkers, give BDIC the ability to authenticate participants to sign calls. The BCID system is designed to work across networks and mobile phones, and enterprise customers pay only for branded calls that are confirmed delivered. 

BCID allows businesses to brand their calls while preventing scammers and spammers from gaining access to NCID signing certificate. BCID is designed to work seamlessly across networks and mobile phones, so enterprise businesses can deliver trusted, branded calls to their consumers.

The initiative is aimed at reducing the risk of fraud and spam calls from bad actors who impersonate real businesses. A recent survey found that three-quarters of respondents would answer a call if the caller was authenticated by a name, logo, or reason for the call, the company said in a statement. BCID mitigates the risk of consumers being harmed by fraud and bad actors by vetting to deliver a trusted, branded call experience for consumers.

**About the Author**

Contributing Writer

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

SecureG, CTIA Project Secures Business Phone Calls

SUMMARY Cybercriminals are exploiting SpyLoan, or predatory loan apps, to target unsuspecting users globally. McAfee cybersecurity researchers report…

****SUMMARY****

*   **SpyLoan Rise:** SpyLoan apps have increased by 75% between Q2 and Q3 2024, targeting users globally.

*   **Play Store Threat:** 15 malicious loan apps on Google Play have been downloaded over 8 million times.

*   **How They Work:** These apps lure users with fake loan offers, harvest sensitive data, and exploit victims financially.

*   **Global Impact:** High prevalence reported in India, Mexico, the Philippines, Kenya, and seven other countries.

*   **Staying Safe:** Users should research apps, avoid granting excessive permissions, and use antivirus software.

Cybercriminals are exploiting SpyLoan, or predatory loan apps, to target unsuspecting users globally. McAfee cybersecurity researchers report a whopping 75% rise in SpyLoan apps and infected devices between Q2 and Q3 of 2024. These apps lure users with promises of quick, hassle-free loans but are designed to harvest sensitive data, resulting in extortion, harassment, and financial losses.

This increase can be understood by the fact that researchers spotted 15 such apps on the official Google Play Store with over 8 million installations worldwide. These apps, especially targeting users in South America, Southern Asia, and Africa, use social engineering tactics to trick users into providing sensitive information and granting excessive permissions.

Malicious apps (Credit: McAfee)

Here’s a list of malicious PayLoan apps found on the Google Play Store:

1.  **Préstamo Seguro-Rápido, seguro** – Downloads 1M, Country: Mexico – Deleted
2.  **Préstamo Rápido-Credit Easy** – Downloads 1M, Country: Colombia – Available
3.  **ได้บาทง่ายๆ-สินเชื่อด่วน** – Downloads: 1M, Country: Senegal – Available
4.  **RupiahKilat-Dana cair** – Downloads: 1M, Country: Senegal – Available
5.  **ยืมอย่างมีความสุข – เงินกู้** – Downloads: 1M, Country: Thailand – Deleted
6.  **เงินมีความสุข – สินเชื่อด่วน** – Downloads: 1M, Country: Thailand – Deleted
7.  **KreditKu-Uang Online** – Downloads: 500K, Country: Indonesia – Deleted
8.  **Dana Kilat-Pinjaman kecil** – Downloads: 500K, Country: Indonesia – Available
9.  **Cash Loan-Vay tiền** – Downloads: 100K, Country: Vietnam – Available
10.  **RapidFinance** – Downloads: 100K, Country: Tanzania – Deleted
11.  **PrêtPourVous** – Downloads: 100K, Country: Senegal – Deleted
12.  **Huayna Money – Préstamo Rápido** – Downloads: 100K, Country: Peru – Deleted
13.  **IPréstamos: Rápido Crédito** – Downloads: 100K, Country: Chile – Available
14.  **ConseguirSol-Dinero Rápido** – Downloads: 100K, Country: Peru – Deleted
15.  **ÉcoPrêt Prêt En Ligne** – Downloads: 50K, Country: Thailand – Available

****How SpyLoan Apps Work****

These apps operate by using a common framework to encrypt and exfiltrate data from a victim’s device to a command and control (C2) server. They often use deceptive marketing, mimicking reputable financial institutions, and are promoted through social media ads. Once installed, they request unnecessary permissions, such as access to contacts, SMS, storage, and even a microphone or camera.

The apps then use a similar onboarding process, including a countdown timer to create a sense of urgency and require users to provide sensitive identification documents and personal information. This data is then exfiltrated and used for financial exploitation, including hidden fees and high interest rates, as well as privacy violations, such as data misuse and harassment.

The consequences of using these apps can be devastating. Users have reported receiving threatening calls and death threats, having personal photos and IDs misused, and experiencing emotional and psychological distress. In some cases, victims have even reported suicidal thoughts.

The threat of SpyLoan apps is not limited to a single region. They have been reported globally, with localized adaptations. India, Mexico, Philippines, Indonesia, Thailand, Kenya, Colombia, Vietnam, Chile, and Nigeria are among the top 10 countries with the highest prevalence of fake loan apps.

****Law Enforcement Actions****

While law enforcement agencies have taken action against some of these operations, the threat persists. In Peru, authorities raided a call center engaged in extortion and fake loan app operations, detaining over 300 individuals. In Chile, the commission for the financial market has highlighted tens of fraudulent credit applications distributed on Google Play.

****Protecting Yourself****

To avoid falling victim to these predatory loan apps, users must be cautious when downloading financial apps. Here are some tips:

*   Read reviews and check ratings
*   Research the app and its developer thoroughly
*   Be wary of apps that request excessive permissions
*   Use reputable antivirus software to detect and block malicious apps
*   Never provide sensitive information without verifying the app’s legitimacy

1.  New Tool DVa Detects and Removes Android Malware
2.  Scammers Using Fake Loan Apps for Money Laundering
3.  These 8 Apps on Play Store Contain Android/FakeApp Trojan
4.  “Scary” FakeCall Android Malware Captures Photos and OTPs
5.  Octo2 Android Malware Uses Fake NordVPN App to Infect Phones

15 SpyLoan Apps Found on Play Store Targeting Millions

Organizations that rely on their content delivery network provider for Web application firewall services may be inadvertently leaving themselves open to attack.

Source: ArtemisDiana via Shutterstock

Many organizations using Web application firewall (WAF) services from content delivery network (CDN) providers may be inadvertently leaving their back-end servers open to direct attacks over the Internet because of a common configuration error.

The problem is so pervasive that it affects nearly 40% of Fortune 100 companies leveraging their CDN providers for WAF services, according to researchers at Zafran who studied the cause and scope of the problem recently. Among the organizations that the researchers found susceptible to attacks included recognizable brands, including Chase, Visa, Intel, Berkshire Hathaway, and UnitedHealth.

**Pervasive Issue**

WAFs act as intermediaries between users and Web applications. They inspect traffic for a range of threats and block or filter anything deemed suspicious or matching known patterns of malicious activity. Many organizations have deployed WAFs in recent years to protect Web applications against vulnerabilities they haven't had time to patch.

Organizations have multiple options for deploying WAFs, including on-premises in the form of physical or virtual appliances. There are also cloud- and host-based WAFs.

In total, Zafran found some 2,028 domains belonging to 135 companies among the Fortune 1000 that contain at least one supposedly WAF-protected server that an attacker could directly access over the Internet to launch denial-of-service (DoS) attacks, distribute ransomware, and execute other malicious activities.

"The responsibility \[for\] the misconfiguration lies primarily \[with\] the customers of CDN/WAF providers," says Ben Seri, chief technology officer of Zafran. But CDN providers who offer WAF services share some responsibility as well for failing to offer customers proper risk avoidance measures and for not building their networks and services to circumvent misconfigurations in the first place, he says. 

The problem, as Seri explains it, has to do with organizations not adequately validating Web requests to back-end origin servers that host the actual content, applications, or data that users are trying to access.

**A Failure to Follow Best Practices**

With a CDN-integrated WAF service, the CDN provider — like a Cloudflare or an Akamai — provides the WAF as part of its edge infrastructure. All incoming traffic to an organization's Web applications is routed through the CDN's WAF — a reverse proxy server within the vendor's edge network. The reverse proxy identifies which back-end server or resource a particular Web request is intended for and then routes it there in an encrypted fashion. "This means that when a CDN service is used as a WAF, the web application it protects is open to Internet traffic and is expected to validate that it responds only to web traffic that originates from and by the CDN service," according to the Zafran blog post.

If the customer is using best practices, the IP address of the back-end server is something that only the customer and CDN provider would know. CDN providers also recommend that organizations add IP filtering mechanisms to ensure that only requests from the CDN provider's IP address range are permitted access to back-end servers. Other recommendations include using pre-shared digital secrets known only to the CDN provider and the back-end server as a validation mechanism, and using what is known as mutual TLS authentication to validate both the origin server and the CDN provider's proxy server.

These measures are effective in protecting back-end servers when implemented correctly. But what Zafran discovered was that many organizations have not adopted any of these recommended validation precautions, thereby leaving back-end servers directly accessible over the Internet. "It is a lack of validation in Web applications that are designed to be protected by a CDN/WAF that leaves them open to all Internet traffic," Seri says. "It is like having a private S3 bucket left open to the Internet as a public bucket. Only in this case, it is protected Web applications that are left open to the Internet, instead of allowing only inbound traffic from the CDN provider."

**Easy to Find**

Exacerbating the situation is the fact that the IP addresses of enterprise origin services are not as private as many assume, Zafran's researchers found. The security vendor pointed to certificate transparency (CT) logs as one example of a relatively easy place for attackers and researchers to discover all domains belonging to a specific organization. CT logs provide a publicly accessible record of all SSL/TLS certificates that certificate authorities issue to website operators and are meant to improve trust and accountability around certificate issuance. Unfortunately, they also provide a starting point for attackers to gather detailed information on all the domains and subdomains belonging to an organization, including those associated with critical back-end servers and services.

"The issue was discovered to be extremely widespread," Seri says. "From a random sample of Internet servers that were designed to be protected by Cloudflare, 13% were found to suffer from this misconfiguration. This means that, potentially, 13% of all domains protected by Cloudflare can be directly attacked." Unfortunately, CDN/WAF providers require the cooperation of their customers, who control their own load balancers and Web applications, to mitigate this threat, he adds. Zafran is contacting affected companies as well as impacted CDN/WAF providers to help them quickly identify the full extent of this misconfiguration and address it, Seri says.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Tag

#auth