A North Korean espionage group tracked as UNC2970 has been observed employing previously undocumented malware families as part of a spear-phishing campaign targeting U.S. and European media and technology organizations since June 2022.
Google-owned Mandiant said the threat cluster shares "multiple overlaps" with a long-running operation dubbed "Dream Job" that employs job recruitment lures in

A North Korean espionage group tracked as **UNC2970** has been observed employing previously undocumented malware families as part of a spear-phishing campaign targeting U.S. and European media and technology organizations since June 2022.

Google-owned Mandiant said the threat cluster shares "multiple overlaps" with a long-running operation dubbed "Dream Job" that employs job recruitment lures in email messages to trigger the infection sequence.

UNC2970 is the new moniker designated by the threat intelligence firm to a set of North Korean cyber activity that maps to UNC577 (aka **Temp.Hermit**), and which also comprises another nascent threat cluster tracked as UNC4034.

The UNC4034 activity, as documented by Mandiant in September 2022, entailed the use of WhatsApp to socially engineer targets into downloading a backdoor called AIRDRY.V2 under the pretext of sharing a skills assessment test.

"UNC2970 has a concerted effort towards obfuscation and employs multiple methods to do this throughout the entire chain of delivery and execution," Mandiant researchers said in a detailed two-part analysis, adding the effort specifically targeted security researchers.

Temp.Hermit is one of the primary hacking units associated with North Korea's Reconnaissance General Bureau (RGB) alongside Andariel and APT38 (aka BlueNoroff). All three actor sets are collectively referred to as the Lazarus Group (aka Hidden Cobra or Zinc).

"TEMP.Hermit is an actor that has been around since at least 2013," Mandiant noted in a March 2022 report. "Their operations since that time are representative of Pyongyang's efforts to collect strategic intelligence to benefit North Korean interests."

The latest set of UNC2970 attacks are characterized by initially approaching users directly on LinkedIn using "well designed and professionally curated" fake accounts posing as recruiters.

The conversation is subsequently shifted to WhatsApp, after which a phishing payload is delivered to the target under the guise of a job description.

In some instances, these attack chains have been observed to deploy trojanized versions of TightVNC (named LIDSHIFT), which is engineered to load a next-stage payload labeled as LIDSHOT that's capable of downloading and executing shellcode from a remote server.

Establishing a foothold within compromised environments is achieved by means of a C++-based backdoor known as PLANKWALK that then paves the way for the distribution of additional tooling such as -

*   **TOUCHSHIFT** - A malware dropper that loads follow-on malware ranging from keyloggers and screenshot utilities to full-featured backdoors
*   **TOUCHSHOT** - A software that's configured to take a screenshot every three seconds
*   **TOUCHKEY** - A keylogger that captures keystrokes and clipboard data
*   **HOOKSHOT** - A tunneling tool that connects over TCP to communicate with the command-and-control (C2) server
*   **TOUCHMOVE** - A loader that's designed to decrypt and execute a payload on the machine
*   **SIDESHOW** - A C/C++ backdoor that runs arbitrary commands and communicates via HTTP POST requests with its C2 server

UNC2970 is also said to have leveraged Microsoft Intune, an endpoint management solution, to drop a bespoke PowerShell script containing a Base64-encoded payload referred to as CLOUDBURST, a C-based backdoor that communicates via HTTP.

WEBINAR

Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.

RESERVE YOUR SEAT

In what's a continuing use of the Bring Your Own Vulnerable Driver (BYOVD) technique by North Korea-aligned actors, the intrusions further employ an in-memory-only dropper called LIGHTSHIFT that facilitates the distribution of another piece of malware codenamed LIGHTSHOW.

The utility, besides taking steps to hinder dynamic and static analysis, drops a legitimate version of a driver with known vulnerabilities to perform read and write operations to kernel memory and ultimately disarm security software installed on the infected host.

"The identified malware tools highlight continued malware development and deployment of new tools by UNC2970," Mandiant said. "Although the group has previously targeted defense, media, and technology industries, the targeting of security researchers suggests a shift in strategy or an expansion of its operations."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

North Korean UNC2970 Hackers Expands Operations with New Malware Families

New premium service provides all-in-one personal protection beyond device security to include identity restoration and unlimited 24/7 tech support.

**TEMPE, Ariz.** **and** **PRAGUE****,** **March 9, 2023** **/PRNewswire/ --** Avast, a leading digital security and privacy brand of Gen™ (NASDAQ: GEN), today launched Avast One Platinum, the new premium tier of the award-winning Cyber Safety service, Avast One. The new Platinum offering combines the full feature set from Avast One Family with identity monitoring and protection, identity theft resolution and reimbursement\*, and premium technical support, to give people more control and reassurance over their digital lives.

"The new Avast One Platinum tier is a step-change improvement to the award-winning Avast One integrated solution," said Leena Elias, Chief Product Officer at Gen. "Platinum represents the best and most comprehensive Avast offer to date. It combines device protection, privacy, performance, and utilities capabilities and now adds identity theft protection and tech support. With greater protection from new and evolving threats and 24/7 premium technical support for IT issues around the home, every member of the family can have the confidence to embrace the digital world to the fullest."

Avast One Platinum provides a comprehensive protection and restoration service which includes the following key features:

*   **Premium Tech Support**: provides personalized help and remote support for any Avast product as well as all IT issues with phones, laptops, or printers with a dedicated hotline to Avast's tech experts 24/7.
*   **Dark Web Monitoring and Alerts:** monitors for personal and financial data, such as banking information, driver's licenses, IDs, passports, and social security numbers, and notifies if information is found.
*   **Identity Theft Reimbursement:** provides coverage of up to $2 million in reimbursement\* in the event of identity theft, including recovering certain lost wages, stolen funds, and certain out-of-pocket expenses.
*   **Social Media Monitoring:** monitors for bullying and violent, profane, or scam-related posts that indicate account compromise.
*   **3 Bureau Credit Report Monitoring:** monitors credit files from three leading credit bureaus, TransUnion, Equifax, and Experian, and notifies about key changes such as new account openings, credit inquiries, exceeding credit limits, and missed payments.
*   **Lost Wallet Protection:** provides the ability to quickly cancel and replace credit, debit, and ATM cards if a wallet is lost or stolen which helps avoid incurring fraudulent charges and time spent ordering replacement cards.
*   **Restoration Support:** provides access to certified protection experts for troubleshooting and resolving identity theft issues, with assistance also available to initiate a credit freeze or dispute fraudulent credit report activity.

Following its debut in 2021, Avast One has introduced major updates on iOS, Android, Mac, and Windows platforms for both free and paid versions. These updates include Scam Protection, which identifies malicious communications, a cloud-based Email Guardian which blocks malicious links and attachments wherever an email account is accessed, Network Inspector, a home network protection tool, and Online Safety Score, all of which are included in Avast One Platinum.

Avast One Platinum is available now in the US and compatible with iOS, Android, Mac, and Windows platforms, protecting up to six family members and a total of 30 devices. Subscriptions are available for $249.99 per year. To learn more, visit https://www.avast.com/en-us/avast-one.

**About Avast:**

Avast is a leader in digital security and privacy, and a brand of Gen™ (NASDAQ: GEN), a global company dedicated to powering Digital Freedom through a family of trusted consumer brands. Avast protects hundreds of millions of users from online threats with a threat detection network that is among the most advanced in the world, using machine learning and artificial intelligence technologies to detect and stop threats in real time. Avast digital security products for Mobile, PC or Mac are top-ranked and certified by VB100, AV-Comparatives, AV-Test, SE Labs and others. Avast is a member of the Coalition Against Stalkerware, No More Ransom and Internet Watch Foundation. Visit: www.avast.com.

Avast Introduces Avast One Platinum

**CHICAGO****,** **March 9, 2023** **/PRNewswire/ --** March is an exciting time for diehard and casual college basketball fans alike, but anyone planning to have fun around the tournament should stay vigilant to protect their personal and financial information from cyberthreats. The tournament is an opportune time for cybercriminals to send out phishing scams, steal sensitive information, and scam you out of money. To help fans avoid becoming victims of cybercrime, Keeper Security is providing the following cybersecurity tips.

**#1 Be on the lookout for phishing scams.** Cybercriminals use phishing scams to steal your personal information. During the tournament, cybercriminals may send phishing emails or text messages with malicious links or attachments disguised as updates on games or brackets. To avoid becoming a victim of a phishing attack, do not open attachments or click on links from unknown sources, verify that it's a trusted source requesting the information and check all links to make sure they're not leading you to a malicious site. Scammers also use social engineering to trick people into sending them money using any information they can find about you. They may impersonate a friend or family member claiming to be in urgent need of money to buy tickets or place bets on games. Scammers may even impersonate the athletes themselves or their family members with stories about needing money to get to the game. 

**#2 Create strong, unique passwords for all of your accounts.** When creating accounts to follow the games, create a bracket or take part in the fun of the tournament any other way, it may be tempting to reuse passwords. Make sure you have different, high-strength passwords for all of your accounts. This way, if one account is breached, a cybercriminal does not gain access to all of them. Passwords should be at least 12 characters with a mix of uppercase and lowercase letters, a variety of special characters and a random assortment of numbers. Also, consider using a passphrase rather than a single word. Avoid using easily guessable information such as familiar names, birthdates and addresses. A password manager can generate and securely store strong passwords, which can be especially useful for accounts that are infrequently used. Consider implementing multi-factor authentication for your accounts as an additional layer of security. 

**#3 Be wary of free sports streams.** Cord cutters and fans trying to get around regional blackouts often turn to the internet in search of free streams to watch their favorite teams, but they may end up paying the price with their security. While there are legitimate websites and apps that will stream certain games for free, the websites that host illegal streams may also host ads for questionable content or products and malicious links that could install malware that will harm your system. 

**#4 Don't fall for fake ticket sales or fake brackets.** Fake tickets are abundant during any major sporting event, but if the deal seems too good to be true, it probably is. Only buy tickets from reputable sellers that offer a secure payment system and recourse if the tickets don't come through. The tournament is also a time when more fans are trying to win money on the games, and scammers are ready to take advantage. They may create fake bracket contests promising large prizes to the winners. Once they collect your entry fee or personal information, though, they disappear and the winners never receive their prizes. 

**#5 Be cautious when using public WiFi.** If you're going to watch the tournament at a venue offering WiFi, think twice before connecting. Public WiFi is a key battleground for cybercriminals. Thus, without proper protections, you may be vulnerable to both a cyberattack and eavesdropping. Open public WiFi should not be used to send any personal or financial information. The use of public computers should be avoided for the same reason. Use a trusted network with a strong WiFi password, a VPN when possible, and ensure your home router's software is up to date.

To avoid falling victim to sports-related scams, always be cautious of unsolicited messages or offers, double-check the authenticity of the sender or the website, and never provide personal information or payment without verifying the legitimacy of a transaction. By following these simple tips, fans will be far less likely to fall victim to cybercrime this March.

**About Keeper** 

Keeper Security is transforming how people secure their passwords and confidential information against growing online threats. Forgot your password? That'll never happen again with Keeper's easy-to-use password manager that saves you time, increases your security and streamlines your online experience. Built to the highest zero-trust and zero-knowledge standards, Keeper protects you and your family on every device. Keeper is trusted by millions of people globally with more than 230,000 5-star reviews in the app stores, and is recognized by publications including PCMag and U.S. News & World Report as the leader for password storage, secure sharing and encrypted messaging. Learn more at KeeperSecurity.com.

Keeper Security Issues Top 5 Cybersecurity Tips for 2023 College Basketball Tournament

IceFire has changed up its OS target in recent cyberattacks, emblematic of ransomware actors increasingly targeting Linux enterprise networks, despite the extra work involved.

In recent weeks, hackers have been deploying the "IceFire" ransomware against Linux enterprise networks, a noted shift for what was once a Windows-only malware.

A report from SentinelOne published today suggests that this may represent a budding trend. Ransomware actors have been targeting Linux systems more than ever in cyberattacks in recent weeks and months, notable not least because "in comparison to Windows, Linux is more difficult to deploy ransomware against, particularly at scale," Alex Delamotte, security researcher at SentinelOne, tells Dark Reading.

But why, if Linux makes their job more difficult, would ransomware actors be moving increasingly toward it?

**The IceFire M.O.**

IceFire, first discovered last March, is standard-fare ransomware aligned with other "'big-game hunting' (BGH) ransomware families," Delamotte wrote. BGH ransomware is characterized by "double extortion, targeting large enterprises, using numerous persistence mechanisms, and evading analysis by deleting log files."

But where IceFire was once an exclusively Windows-based malware, its recent attacks have taken place against Linux-based enterprise networks.

The attack flow is straightforward. Having breached a target network, the IceFire attackers steal copies of any valuable or otherwise interesting data on target machines. Only then comes the encryption. What IceFire primarily looks for are user and shared directories, as these are important yet "unprotected parts of the file system that do not require elevated privileges to write or modify," Delamotte explained.

The attackers are careful, though. "IceFire ransomware doesn't encrypt all files on Linux: It avoids encrypting certain paths, so that critical parts of the system are not encrypted and remain operational."

IceFire tags encrypted files with an ".ifire" extension, as many IT admin have since discovered for themselves. It also automatically drops a no-frills ransom note — "All your important files have been encrypted. Any attempts to restore your files...." The note includes a unique hardcoded username and password the victim can use to log into the attackers' Tor-based ransom payment portal. Once the job is complete, IceFire deletes itself.

Source: SentinelOne

**How IceFire Is Changing**

Most of these details have remained consistent since IceFire's first entry onto the scene. However, some important details have changed in recent weeks, including the victimology.

Where IceFire was once primarily used in campaigns against the healthcare, education, and technology sectors, recent attacks have focused around entertainment and media organizations, primarily in Middle Eastern countries — Iran, Pakistan, Turkey, the United Arab Emirates, and so on.

Other changes to IceFire's M.O. derive from its operating system shift towards Linux. For example, SentinelOne has noted in the past that cyberattackers would distribute IceFire via phishing and spear-phishing emails, then use third-party, pen-test tools like Metasploit and Cobalt Strike to help it spread.

But "many Linux systems are servers," Delamotte points out, "so typical infection vectors like phishing or drive-by download are less effective." So instead, recent IceFire attacks have exploited CVE-2022-47986 — a critical remote code execution (RCE) vulnerability in the IBM Aspera data transfer service, with a CVSS rating of 9.8.

**Why Hackers Are Targeting Linux**

Delamotte posits a few reasons for why more ransomware actors are choosing Linux as of late. For one thing, she says, "Linux-based systems are frequently utilized in enterprise settings to perform crucial tasks such as hosting databases, Web servers, and other mission-critical applications. Consequently, these systems are often more valuable targets for ransomware actors due to the possibility of a larger payout resulting from a successful attack, compared to a typical Windows user."

A second factor, she guesses, "is that some ransomware actors may perceive Linux as an unexploited market that could yield a higher return on investment."

Finally, "the prevalence of containerization and virtualization technologies in enterprise environments has expanded the potential attack surface for ransomware actors," she says. Many of these technologies are Linux-based, so "as ransomware groups exhaust the supply of 'low-hanging fruit,' they will likely prioritize these higher effort targets."

Whatever the primary motive, if more threat actors follow in this same path, enterprises running Linux-based systems need to be ready.

Defending against ransomware requires "a multi-faceted approach," Delamotte says, prioritizing visibility, education, insurance, multi-layered security, and patching, all at once.

"By taking a proactive approach to cybersecurity," she says, "enterprises can increase their chances of successfully defending against ransomware attacks."

IceFire Ransomware Portends a Broader Shift From Windows to Linux

Don't expect AI to suddenly start stealing jobs or making malware more powerful.

Thursday, March 9, 2023 14:03

Welcome to this week’s edition of the Threat Source newsletter.

There is no shortage of hyperbolic headlines about ChatGPT out there, everything from how it and other AI tools like it are here to replace all our jobs, make college essays a thing of the past and change the face of cybersecurity as we know it.

It’s the talk of SEO managers everywhere who can’t wait to find a way to work “ChatGPT” into a headline. And in the security community, everyone is concerned that AI models will help attackers get smarter, faster or more dangerous.

The biggest issue I’m seeing with that is these tools aren’t that smart.

Other writers have done a far more eloquent and interesting job than I can in a few dozen words here about how bad these models are at writing creatively or interpreting human emotion, but I wanted to put my own spin on things with my incredibly niche interests and use case for ChatGPT.

First, I asked it to help me write this newsletter. While it politely declined to do the whole thing for me because it can’t produce something on Talos’ behalf, it did start to compile a list of “the top stories we’re following this week.”

These headlines included an update on the Cring malware that seems to be referencing a campaign from November 2021, a 16-month-old CVE from Microsoft and a story about money laundering in “Fortnite” that broke in January 2019.

Then I decided to ask it about wrestling, mainly because I was fresh off watching AEW: Revolution this weekend, about who will eventually beat Maxwell Jacob Friedman for the company’s title. The information it provided was shockingly lackluster considering a quick Google provided more accurate details.

One of the examples it floated was that Bryan Danielson could eventually dethrone MJF, and that “if” they two were to face, it’d be a “must see” match. Problem is, the two did literally face off Sunday night and Danielson lost. Another option, CM Punk, would create a “huge moment” for the company if he won the AEW titles, something he’s already done twice (he also may never appear on TV again, but that’s a long story for not this newsletter).

These are two incredibly specific examples, but I felt like it was cathartic for me to see this in action so I didn’t have to lose any sleep over thinking ChatGPT or another AI was going to take my job from me next week, or my wrestling fandom for that matter.

**The one big thing**

U.S. President Joe Biden’s administration released its new National Cybersecurity Strategy on March 2, outlining steps the federal government plans to take to combat cyber criminals, defend critical infrastructure and enforce security regulations in oft-targeted industries. The administration said it will pursue laws to hold software companies liable if they sell technology that lacks proper cybersecurity protections, and use "national powers” to disrupt state-sponsored actors.

**Why do I care?**

This is the first new cybersecurity policy from the U.S. government in five years, outlining how the next few years of cybersecurity policy may look and what other goals would look like in a hypothetical second term for Biden. If the desired laws eventually pass and are enforced, they would represent a major shift in the way we view digital service providers and reframes how government and private entities should look at cybersecurity.

**So now what?**

The strategy doesn’t mean much for the average user right now, but it does mean there will be heavy debates in the near future about regulating the software-as-a-service industry and the monetary investment needed to address many of the issues the Biden administration outlined.

**Top security headlines of the week**

Meta, Google and other social media sites are **sharing user data and chat logs to prosecute individuals in states where abortion is illegal.** Since the Supreme Court overturned U.S. national abortion law last year, there have been several cases where prosecutors have relied on data collected by online pharmacies, social media posts, and user data requests to charge women who were seeking an abortion. Online pharmacies that sell abortion medication share sensitive information with Google and other third-party sites, including users' web addresses, relative location and search data, which the third parties may eventually be asked to turn over to law enforcement. The large companies who manage this data rarely turn down law enforcement requests for data. (Insider, Mashable)

After the one-year anniversary of Russia’s invasion of Ukraine, experts are looking at how **this has become one of the world’s first hybrid wars**, including Russia’s many cyber weapons its deployed against Ukraine over the past year. Other countries who feel they may be vulnerable to large-scale cyber attacks from nation-states (such as Taiwan against China) can learn quite a bit from how Ukraine has responded so far to Russian attacks. A new deep-dive report also outlines how crucial a cyber attack against the Viasat satellite network helped Russia prepare for its ground invasion just a few days prior. (NPR, Bloomberg)

Password management company **LastPass said attackers accessed a decrypted vault available to only a handful of company developers by hacking an employee’s home computer** in August. The new details add on to a data breach the company first disclosed several months ago. LastPass said an unknown threat actor stole valid login credentials from a senior DevOps engineer and accessed the contents of a LastPass data vault. That vault contained access to a shared cloud storage environment that included encryption keys for customers’ vault backups stored on Amazon S3 buckets. The attackers reportedly exploited a flaw in Plex, a media-sharing software, to access the user’s home device in the first place. Plex disclosed its own data breach in late August. (Ars Technica, Wired)

**Can’t get enough Talos?**

*   Threat Roundup for Feb. 24 - March 3

*   Talos Takes Ep. #129: The benefits of taking an active approach to threat defense
*   The role of cyber weapons in Russia's war on Ukraine

**Upcoming events where you can find Talos**

**WiCyS** **(March 16 - 18)**

Denver, CO

**RSA** **(April 24 - 27)**

San Francisco, CA

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

**SHA 256:** de3908adc431d1e66656199063acbb83f2b2bfc4d21f02076fe381bb97afc423  
**MD5:** 954a5fc664c23a7a97e09850accdfe8e  
**Typical Filename:** teams15.exe  
**Claimed Product:** teams15  
**Detection Name:** Gen:Variant.MSILHeracles.59885

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

Threat Source newsletter (March 9, 2023) — Stop freaking out about ChatGPT

Unmanaged devices pose a significant challenge and risk for many organizations. Here are the five reasons you should care about unmanaged devices and assets.

Unmanaged devices pose a significant challenge for many organizations. These devices can be anything connected to a network but not actively managed by IT or security. These assets usually aren't captured in an asset inventory and can take many forms, such as shadow IT, rogue assets, and orphaned assets. Because security teams struggle to discover them, these devices fly under the radar and create potential footholds into a network.

What could happen if these devices are left unmanaged? Let's take a look at five reasons why you should care about unmanaged devices.

**Reason 1: Unmanaged devices are often the first foothold for attackers.**

Attackers often scan the network for any outliers: machines that have lower patch levels, unusual services running on ports, and unique pieces of software not found on the rest of the network. These outliers are great entry points for an attack because they tend to be more easily exploitable, are less likely to have security controls, and if orphaned, don't have anybody managing them. Identifying unmanaged devices to either update or decommission them is a great way to reduce your attack surface and mitigate risk.

**Reason 2: Unmanaged devices hinder incident investigations.**

Analysts in a security operations center (SOC) need to quickly and efficiently work through alerts. There was a case where an analyst received an alert that an internal IP address was communicating with a known-bad IP, notably the command-and-control (C2) server. However, the SIEM and CMDB didn't have any record of the IP on the network, nor did the vulnerability management or endpoint detection and response (EDR) consoles. The device turned out to be an IP camera that had been compromised by malware because it was using default credentials. With an asset inventory that tracks Internet of Things (IoT) devices, the analyst would have quickly resolved this incident. They could have also found other devices that share the same make and model to see if they were using default credentials.

**Reason 3: Accidental network bridges bypass firewalls.**

In another case, a critical manufacturing line was shut down due to ransomware. Investigations showed that a rogue device had bridged from the IT to the OT network, enabling attackers to bypass a firewall that had been put in place to segment the networks. The security team lacked visibility into network bridges of unmanaged devices, which is why the issue wasn't identified ahead of time.

**Reason 4: Rogue devices complicate governance of security controls.**

Proper governance dictates that every device has security controls. It's impossible to figure out coverage gaps without knowing all of the devices on the network. To zero in on your gaps, you need to start with a full asset inventory. Then, you can overlay data from security controls and look for gaps in the inventory. Some common things to look for are Windows machines missing CrowdStrike (or EDR agents).

**Reason 5: End-of-life devices are potentially vulnerable.**

Manufacturers often no longer provide functional and security fixes for these end-of-life (EOL) devices, making them much riskier and more difficult to secure if something goes wrong. If unmanaged devices are not inventoried, security teams are unable to get ahead of potential risks and issues. In addition, finance teams benefit from knowing which devices are fully depreciated and when a new budget is required to replace them.

**Solving for Unmanaged Devices**

Solving for unmanaged devices starts with a full asset inventory that delivers in-depth details about every asset on your network, including managed and unmanaged ones. Full asset inventory requires active, unauthenticated discovery, which doesn't assume any prior knowledge of network-connected devices, such as credentials to authenticate into devices and endpoints. Instead, it focuses on discovery capabilities that are research-driven to find and surface every network-connected asset, whether managed or unmanaged. This approach can be complemented through integrations with cloud, virtualization, and security infrastructure to provide full visibility into IT, OT, cloud, and remote devices.

Getting a handle on unmanaged assets is critical for any security program, and with a solution built around active, unauthenticated discovery, finding your unmanaged assets will finally be possible.

    

**About the Author**

Chris Kirsch started his career at an InfoSec startup in Germany and has since worked for PGP, nCipher, Rapid7, and Veracode. He has a passion for OSINT and social engineering. In 2017, he earned the Black Badge for winning the Social Engineering Capture the Flag competition at DEF CON, the world's largest hacker conference. Currently, Chris is the CEO of runZero (www.runzero.com), a cyber-asset management company he co-founded with Metasploit creator HD Moore.

5 Reasons You Should Care About Unmanaged Assets

A Croatian national has been arrested for allegedly operating NetWire, a Remote Access Trojan (RAT) marketed on cybercrime forums since 2012 as a stealthy way to spy on infected systems and siphon passwords. The arrest coincided with a seizure of the NetWire sales website by the U.S. Federal Bureau of Investigation (FBI). While the defendant in this case hasn’t yet been named publicly, the NetWire website has been leaking information about the likely true identity and location of its owner for the past 11 years.

A Croatian national has been arrested for allegedly operating **NetWire**, a Remote Access Trojan (RAT) marketed on cybercrime forums since 2012 as a stealthy way to spy on infected systems and siphon passwords. The arrest coincided with a seizure of the NetWire sales website by the **U.S. Federal Bureau of Investigation** (FBI). While the defendant in this case hasn’t yet been named publicly, the NetWire website has been leaking information about the likely true identity and location of its owner for the past 11 years.

Typically installed by booby-trapped Microsoft Office documents and distributed via email, **NetWire** is a multi-platform threat that is capable of targeting not only **Microsoft Windows** machines but also **Android**, **Linux** and **Mac** systems.

NetWire’s reliability and relatively low cost ($80-$140 depending on features) has made it an extremely popular RAT on the cybercrime forums for years, and NetWire infections consistently rank among the top 10 most active RATs in use.

NetWire has been sold openly on the same website since 2012: **worldwiredlabs\[.\]com**. That website now features a seizure notice from the **U.S. Department of Justice**, which says the domain was taken as part of “a coordinated law enforcement action taken against the NetWire Remote Access Trojan.”

“As part of this week’s law enforcement action, authorities in Croatia on Tuesday arrested a Croatian national who allegedly was the administrator of the website,” reads a statement by the **U.S. Department of Justice** today. “This defendant will be prosecuted by Croatian authorities. Additionally, law enforcement in Switzerland on Tuesday seized the computer server hosting the NetWire RAT infrastructure.”

Neither the DOJ’s statement nor a press release on the operation published by Croatian authorities mentioned the name of the accused. But it’s fairly remarkable that it has taken so long for authorities in the United States and elsewhere to move against NetWire and its alleged proprietor, given that the RAT’s author apparently did very little to hide his real-life identity.

The WorldWiredLabs website first came online in February 2012 using a dedicated host with no other domains. The site’s true WHOIS registration records have always been hidden by privacy protection services, but there are plenty of clues in historical Domain Name System (DNS) records for WorldWiredLabs that point in the same direction.

In October 2012, the WorldWiredLabs domain moved to another dedicated server at the Internet address 198.91.90.7, which was home to just one other domain: **printschoolmedia\[.\]org**, also registered in 2012.

According to DomainTools.com, printschoolmedia\[.\]org was registered to a **Mario Zanko** in Zapresic, Croatia, and to the email address **zankomario@gmail.com**. DomainTools further shows this email address was used to register one other domain in 2012: **wwlabshosting\[.\]com**, also registered to Mario Zanko from Croatia.

A review of DNS records for both printschoolmedia\[.\]org and wwlabshosting\[.\]com shows that while these domains were online they both used the DNS name server **ns1.worldwiredlabs\[.\]com**. No other domains have been recorded using that same name server.

The WorldWiredLabs website, in 2013. Source: Archive.org.

DNS records for worldwiredlabs\[.\]com also show the site forwarded incoming email to the address **tommaloney@ruggedinbox.com**. Constella Intelligence, a service that indexes information exposed by public database leaks, shows this email address was used to register an account at the clothing retailer romwe.com, using the password “**123456xx**.”

Running a reverse search on this password in Constella Intelligence shows there are more than 450 email addresses known to have used this credential, and two of those are **zankomario@gmail.com** and **zankomario@yahoo.com**.

A search on zankomario@gmail.com in **Skype** returns three results, including the account name “Netwire” and the username “**Dugidox**,” and another for a Mario Zanko (username zanko.mario).

Dugidox corresponds to the hacker handle most frequently associated with NetWire sales and support discussion threads on multiple cybercrime forums over the years.

Constella ties dugidox@gmail.com to a number of website registrations, including the Dugidox handle on BlackHatWorld and HackForums, and to IP addresses in Croatia for both. Constella also shows the email address zankomario@gmail.com used the password “dugidox2407.”

In 2010, someone using the email address dugidox@gmail.com registered the domain **dugidox\[.\]com**. The WHOIS registration records for that domain list a “Senela Eanko” as the registrant, but the address used was the same street address in Zapresic that appears in the WHOIS records for printschoolmedia\[.\]org, which is registered in Mr. Zanco’s name.

Prior to the demise of **Google+**, the email address dugidox@gmail.com mapped to an account with the nickname “**Netwire wwl**.” The dugidox email also was tied to a Facebook account (**mario.zanko3**), which featured check-ins and photos from various places in Croatia.

That Facebook profile is no longer active, but back in January 2017, the administrator of WorldWiredLabs posted that he was considering adding certain Android mobile functionality to his service. Three days after that, the Mario.Zank3 profile posted a photo saying he was selected for an Android instruction course — with his dugidox email in the photo, naturally.

Incorporation records from the U.K.’s Companies House show that in 2017 Mr. Zanko became an officer in a company called **Godbex Solutions LTD**. A Youtube video invoking this corporate name describes Godbex as a “next generation platform” for exchanging gold and cryptocurrencies.

The U.K. Companies House records show Godbex was dissolved in 2020. It also says Mr. Zanko was born in July 1983, and lists his occupation as “electrical engineer.”

Mr. Zanko did not respond to multiple requests for comment.

Who’s Behind the NetWire Remote Access Trojan?

More than five out of every 1,000 commits to GitHub included a software secret, half again the rate in 2021, putting applications and businesses at risk.

The rate at which developers leaked critical software secrets, such as passwords and API keys, jumped by half to reach 5.5 out of every 1,000 commits to GitHub repositories.

That's according to a report published by secrets-management firm GitGuardian this week. Though the percentage seems small, overall, the firm detected at least 10 million instances of secrets leaking to a public repository, accounting for more than 3 million unique secrets in total, the company stated in its "2022 State of Secrets Sprawl" report. 

While generic passwords accounted for the majority (56%) of secrets, more than a third (38%) involved a high-entropy secret that includes API keys, random number generator seeds, and other sensitive strings.

As more companies move their application infrastructure and operations to the cloud, API keys, credentials, and other software secrets have become critical to the security of their business. When those secrets leak, the results can be devastating, or at the very least, expensive.

"Secrets are the crown jewels of any business or organization — they really can grant access into all of your systems and infrastructure," says Mackenzie Jackson, security and developer advocate at GitGuardian. "The risk can be anything, from complete system takeovers, to small data exposures, or various other things."

    

Environment files (env) typically contain the most sensitive data. Source: GitGuardian

"Millions of such keys accumulate every year, not only in public spaces, such as code-sharing platforms, but especially in closed spaces such as private repositories or corporate IT assets," GitGuardian stated in its "2022 State of Secrets Sprawl" report.

And even those private spaces can be vulnerable. In January, for instance, collaboration and messaging platform Slack warned users that a "limited number of Slack employee tokens" had been stolen by a threat actor, who then downloaded private code repositories. Last May, cloud application platform provider Heroku, a subsidiary of Salesforce, acknowledged that an attacker had stolen a database of hashed and salted password after gaining access to the OAuth tokens used to integrate with GitHub.

**Infrastructure — as ... Whoops!**

Part of the reason for the increase in leaking secrets is because infrastructure-as-code (IaC) has become much more popular. IaC is the managing and provisioning of infrastructure through code instead of through manual processes, and in 2022, the number of IaC-related files and artifacts pushed to GitHub repositories increased by 28%. The vast majority (83%) of files consisting of configuration files for Docker, Kubernetes, or Terraform, according to GitGuardian.

IaC allows developers to specify the configuration of the infrastructure used by their application, including servers, databases, and software-defined networking. To control all those components, secrets are often necessary, Jackson says.

"The attack surface keeps expanding," he says. "Infrastructure-as-code has become this new thing and it's exploded with popularity, and infrastructure needs secrets, so infrastructure-as-code \[files\] often contains secrets."

In addition, three filetypes commonly used as caches for sensitive application information — .env, .key, and .pem — are considered the most sensitive, defined as having the most secrets per file. Developers should almost always avoid publishing those files to a public repository, Jackson says.

"If one of these files is in your Git repository, then you know you have holes in your security," he says. "Even if the file doesn't contain secrets, they just should never be there. You should have prevention in place to make sure that they're not there and alerting in place to know when they are there."

For that reason, companies should continuously scan systems and files for secrets, gaining visibility and ability to block potential dangerous files, Jackson adds.

"You want to scan all of your infrastructure to make sure you have visibility" he says. "And then the next steps include implementing tools to check engineers and developers ... to detect any secrets when they slip out."

Inside Threat: Developers Leaked 10M Credentials, Passwords in 2022

By Deeba Ahmed
The researchers have been tracking the malware campaign since November 2020.
This is a post from HackRead.com Read the original post: Beware of Fake Facebook Profiles, Google Ads Pushing Sys01 Stealer

****For now, SYS01 stealer is targeting Facebook accounts of employees working for manufacturing companies, critical government infrastructures, and other sensitive industries.****

The cybersecurity researchers at Morphisec have revealed details of an advanced **information-stealing malware** campaign which they began tracking in November 2022. They dubbed the malware SYS01 Stealer.

Researchers noted that SYS01 Stealer has been targeting critical government infrastructure and manufacturing firms’ employees. The attackers are targeting Facebook business accounts of their targets through Google ads and **fake Facebook profiles**, which promote games, cracked software, and adult content to compel their victims into downloading a malicious ZIP file.

The malicious use of Google Ads should not come as a surprise, since crooks have been abusing Google’s Ad Ecosystem for some years now. Just **a couple of weeks ago**, Google Ads were found to be spreading malware in fake messenger and browser apps.

The malware is executed on the target’s machine through DLL side-loading. The campaign was first noticed in May 2022, when it was attributed to **Zscaler’s Ducktail operation**, which was later rendered incorrect.

**Detailed analysis**

In a **blog post**, Morphisec researchers wrote that the archive has a legitimate application as a loader, which is vulnerable to DLL side-loading, and a malicious library, which drops the Inno-Setup installer through side-loading. In turn, the final payload is deployed as a PHP application, which actually contains malicious scripts that perform data exfiltration. Archive persistence is ensured through a PHP script.

It performs this task by setting a scheduled task. The main stealer script supports numerous other tasks, including letting the attacker check whether the victim is logged in and has a **Facebook account**.

Furthermore, this script also supports the downloading and execution of files from a certain URL and can upload files to the C2 server. It may also execute commands.

**What’s the Objective?**

This campaign is designed to steal sensitive details from the victims’ devices, such as cookies, login data, and personal and **business Facebook account information**. The attacker has included Rust, PHP, Python, and advanced PHP encoders to advance the delivery chain, which has helped them evade security vendors successfully for the past five months.

Infection chain

**SYS01 Similarities with other Infostealer?**

Morphisec analysis revealed that SYS01 uses the same loading techniques and lures as the **S1deload infostealer** (PDF) discovered by Bitdefender. However, it is worth noting that the final payload isn’t the same.

You can stay protected from SYS01 stealer by implementing a zero-trust policy and restricting users’ rights to download and install programs. Since this campaign is based on social engineering, users should be aware of the tricks adversaries can use against them.

**Protect Yourself**

If you are an employee at a government or critical infrastructure organization, you should watch out for malware attacks, especially on social media sites. Here are some steps on how to do so:

*   Be wary of unsolicited messages, friend requests, and links from unknown sources on social media platforms like Facebook.
*   Verify the identity of the sender before clicking on any links or downloading any attachments.
*   Install and update anti-virus software and firewalls on your device and make sure they are up-to-date with the latest security patches.
*   Use strong and unique passwords for your social media accounts and avoid reusing passwords across different accounts.
*   Enable two-factor authentication (2FA) to provide an extra layer of protection for your accounts.
*   Avoid using public Wi-Fi networks, especially when accessing sensitive information or logging into social media accounts.
*   Regularly back up important data to an external hard drive or cloud storage service.
*   Report any suspicious activity, messages or links to your organization’s IT department immediately.
*   Stay informed about the latest malware and cyber security trends by attending regular training sessions and seminars.
*   Follow your organization’s security policies and procedures, including those for social media use.

1.  **Crooks using Messenger chatbots to steal login data**
2.  **Fake Brave browser dropped malware from Google Ads**
3.  **Schoolyard Bully malware stealing Facebook credentials**
4.  **Google Ads malware wipes NFT influencer’s crypto wallet**
5.  **Mandrake Android malware stealing Facebook, crypto data**

Beware of Fake Facebook Profiles, Google Ads Pushing Sys01 Stealer

A previously known Windows-based ransomware strain known as IceFire has expanded its focus to target Linux enterprise networks belonging to several media and entertainment sector organizations across the world.
The intrusions entail the exploitation of a recently disclosed deserialization vulnerability in IBM Aspera Faspex file-sharing software (CVE-2022-47986, CVSS score: 9.8), according to

Linux / Endpoint Security

A previously known Windows-based ransomware strain known as IceFire has expanded its focus to target Linux enterprise networks belonging to several media and entertainment sector organizations across the world.

The intrusions entail the exploitation of a recently disclosed deserialization vulnerability in IBM Aspera Faspex file-sharing software (CVE-2022-47986, CVSS score: 9.8), according to cybersecurity company SentinelOne.

"This strategic shift is a significant move that aligns them with other ransomware groups that also target Linux systems," Alex Delamotte, senior threat researcher at SentinelOne, said in a report shared with The Hacker News.

A majority of the attacks observed by SentinelOne have been directed against companies located in Turkey, Iran, Pakistan, and the U.A.E., countries that are not typically targeted by organized ransomware crews.

IceFire was first detected in March 2022 by the MalwareHunterTeam, but it wasn't until August 2022 that victims were publicized via its dark web leak site, according to GuidePoint Security, Malwarebytes, and NCC Group.

The ransomware binary targeting Linux is a 2.18 MB 64-bit ELF file that's installed on CentOS hosts running a vulnerable version of IBM Aspera Faspex file server software.

It's also capable of avoiding encrypting certain paths so that the infected machine continues to be operational.

WEBINAR

Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.

RESERVE YOUR SEAT

"In comparison to Windows, Linux is more difficult to deploy ransomware against–particularly at scale," Delamotte said. "Many Linux systems are servers: typical infection vectors like phishing or drive-by download are less effective. To overcome this, actors turn to exploiting application vulnerabilities."

The development comes as Fortinet FortiGuard Labs disclosed a new LockBit ransomware campaign employing "evasive tradecraft" to avoid detection through .IMG containers that bypass Mark of The Web (MotW) protections.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#mac